Active mode Pure-ftpd doesn't work

Discussion in 'Installation/Configuration' started by Captain, Jun 14, 2012.

  1. Captain

    Captain New Member

    Hello!

    I have ISPConfig 3 final, Ubuntu 12.04 LTS.
    Today I restarted the server (after kernel updates) and now pure-ftpd
    doesn't want to work in active mode.
    Passive mode works OK.

    pure-ftpd start:
    Code:
     Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -H -u 1000 -d -b -Y 1 -A -8 UTF-8 -p 40110:40210 -L 5000:500 -D -O clf:/var/log/pure-ftpd/transfer.log -E -B
    
    Verbose mode:
    Code:
    Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [INFO] New connection from 12.12.12.12
    Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [DEBUG] Command [user] [inf2ftp2]
    Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [DEBUG] Command [pass] [<*>]
    Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [INFO] inf2ftp2 is now logged in
    Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [opts] [UTF8 ON]
    Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [pwd] []
    Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [type] [I]
    Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [port] [12,12,12,12,19,138]
    Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [mlsd] []
    
    
    12.12.12.12 is the client's internal IP.

    Thank you.
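As an added illustration (not part of Captain's post or of pure-ftpd itself), here is a small Python decoder for the `Command [port]` line in that debug log: it turns the six-number PORT argument into the address and port the server has to connect back to for the data channel, and flags a request whose advertised address differs from the control-connection peer, the classic FTP bounce condition a defender watches for. The log lines are constructed from the ones quoted above, and the `(user@peer)` prefix format is assumed from them.

```python
import ipaddress
import re

# Constructed sample, modelled on the pure-ftpd debug lines quoted in the post.
SAMPLE_LOG = """\
Jun 14 13:22:49 in pure-ftpd: (?@12.12.12.12) [INFO] New connection from 12.12.12.12
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [type] [I]
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [port] [12,12,12,12,19,138]
Jun 14 13:22:49 in pure-ftpd: (inf2ftp2@12.12.12.12) [DEBUG] Command [mlsd] []
"""

# Assumed prefix format "(user@peer) [DEBUG] Command [port] [h1,h2,h3,h4,p1,p2]".
LINE_RE = re.compile(
    r"\((?P<user>[^@]*)@(?P<peer>[^)]+)\) \[DEBUG\] Command \[port\] \[(?P<arg>[^\]]*)\]"
)


def decode_port_arg(arg):
    """Turn the PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT field must fit in one byte")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # high byte * 256 + low byte
    return ip, port


def check_active_requests(log_text):
    """Return one dict per PORT command found in pure-ftpd debug output.

    ok is False when the client asks the server to open the data channel to
    an address other than the one the control connection came from, or to a
    reserved port below 1024; both are requests a server should refuse.
    private tells whether the advertised address is RFC 1918 space, which is
    what an unmodified PORT sent from behind NAT looks like to the server.
    """
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, port = decode_port_arg(m.group("arg"))
        results.append({
            "user": m.group("user"), "peer": m.group("peer"),
            "data_ip": ip, "data_port": port,
            "ok": ip == m.group("peer") and port >= 1024,
            "private": ipaddress.ip_address(ip).is_private,
        })
    return results
```

For the quoted line the data endpoint is 12.12.12.12:5002 (19*256+138), so every firewall between server and client must let the server open a new connection to that port; passive mode never needs this, which is why it can keep working when active mode stops.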
     
  2. falko

    falko Super Moderator

    Looks like a firewall issue. What's the output of
    Code:
    iptables -L
    ?
     
  3. Captain

    Captain New Member

    Hello Falko!

    Thank you for your reply.
    Output:
    Code:
    root@in:~# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
    fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    fail2ban-courierauth  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    fail2ban-couriersmtp  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp
    fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp
    fail2ban-apache-overflows  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-apache-noscript  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-apache-multiport  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-apache  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-ssh-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    DROP       tcp  --  anywhere             127.0.0.0/8
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  base-address.mcast.net/4  anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    
    Chain INT_IN (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    
    Chain PAROLE (14 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain PUB_IN (5 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ftp
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssh
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:smtp
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:domain
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:http
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imap2
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:https
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imaps
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3s
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:mysql
    PAROLE     tcp  --  anywhere             anywhere             tcp dpt:http-alt
    PAROLE     tcp  --  anywhere             anywhere             tcp dpts:40110:40210
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:mysql
    DROP       icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain PUB_OUT (5 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain fail2ban-apache (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-multiport (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-noscript (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-overflows (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-courierauth (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-couriersmtp (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-dovecot-pop3imap (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-postfix (1 references)
    target     prot opt source               destination
    DROP       all  --  84-55-108-33.customers.ownit.se  anywhere
    DROP       all  --  85-130-25-203.2073795190.shumen.cablebg.net  anywhere
    DROP       all  --  c935b135.virtua.com.br  anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-pureftpd (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-sasl (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-ssh-ddos (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    
     
  4. falko

    falko Super Moderator

    Have you tried to disable the firewall for testing purposes?
     
  5. Captain

    Captain New Member

    Yes, I tried to turn off the ISPConfig firewall.

    But the result is the same.

    iptables after the firewall is off:
    Code:
    root@in:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-apache (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-multiport (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-noscript (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-overflows (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-courierauth (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-couriersmtp (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-dovecot-pop3imap (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-postfix (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-pureftpd (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-sasl (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-ssh (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-ssh-ddos (0 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    
     
  6. falko

    falko Super Moderator

    Are there any firewalls between you and the server (routers, etc.)?
     
  7. Captain

    Captain New Member

    Thank you, Falko, for not forgetting about me.

    Yes, we have a MikroTik router.
    But everything worked with this router configuration until the server was rebooted.

    Firewall config is:

    Code:
    0   ;;; Ping Allow/Drop
         chain=input action=drop protocol=icmp 
    
     1   ;;; default configuration
         chain=input action=accept connection-state=established 
    
     2   ;;; default configuration
         chain=input action=accept connection-state=related 
    
     4   ;;; Drop  Invalid  connections 
         chain=input action=drop connection-state=invalid 
    
     5   ;;; Allow  Established  connections
         chain=input action=accept connection-state=established 
    
     6   ;;; Allow  UDP
         chain=input action=accept protocol=udp 
    
     7   ;;; Allow  access  to  router  from  known  network
         chain=input action=accept src-address=192.168.0.0/24 
    
     8   ;;; deny TFTP
         chain=tcp action=drop protocol=tcp dst-port=69 
    
     9   ;;; deny RPC portmapper
         chain=tcp action=drop protocol=tcp dst-port=111 
    
    10   ;;; deny RPC portmapper
         chain=tcp action=drop protocol=tcp dst-port=135 
    
    11   ;;; deny NBT
         chain=tcp action=drop protocol=tcp dst-port=137-139 
    
    12   ;;; deny cifs
         chain=tcp action=drop protocol=tcp dst-port=445 
    
    13   ;;; deny NFS
         chain=tcp action=drop protocol=tcp dst-port=2049 
    
    14   ;;; deny NetBus
         chain=tcp action=drop protocol=tcp dst-port=12345-12346 
    
    15   ;;; deny NetBus
         chain=tcp action=drop protocol=tcp dst-port=20034 
    
    16   ;;; deny BackOriffice
         chain=tcp action=drop protocol=tcp dst-port=3133 
    
    17   ;;; deny DHCP
         chain=tcp action=drop protocol=tcp dst-port=67-68 
    
    18   ;;; deny TFTP
         chain=udp action=drop protocol=udp dst-port=69 
    
    19   ;;; deny PRC portmapper
         chain=udp action=drop protocol=udp dst-port=111 
    
    20   ;;; deny PRC portmapper
         chain=udp action=drop protocol=udp dst-port=135 
    
    21   ;;; deny NBT
         chain=udp action=drop protocol=udp dst-port=137-139 
    
    22   ;;; deny NFS
         chain=udp action=drop protocol=udp dst-port=2049 
    
    23   ;;; deny BackOriffice
         chain=udp action=drop protocol=udp dst-port=3133 
    
    24   chain=forward action=drop src-address=0.0.0.0/8 
    
    25   chain=forward action=drop dst-address=0.0.0.0/8 
    
    26   chain=forward action=drop src-address=127.0.0.0/8 
    
    27   chain=forward action=drop dst-address=127.0.0.0/8 
    
    28   chain=forward action=drop src-address=224.0.0.0/3 
    
    29   chain=forward action=drop dst-address=224.0.0.0/3 
    
    
     
  8. falko

    falko Super Moderator

    Is it possible you ran iptables rules on the command line (without putting them in some configuration file)? Those iptables rules are lost on reboot.
     
  9. Captain

    Captain New Member

    Thank you Falko.

    No, there are no iptables rules that run via the command line.

    We restarted the server at another time when active mode worked, and after the restart it was OK.

    I think it was some updates, and after the restart active mode went down.
    It was dh-apparmor, but I deleted it after that with apt-get remove.

    Any ideas?
     
