FTP Not working

Discussion in 'General' started by mphayesuk, May 5, 2006.

  1. mphayesuk

    mphayesuk New Member

    I can ftp to the server fine in my internal network but external it wont work. Plus I cant find the log for the ftp server. And when my server starts I get a warning about there is another ftp server running. Here are the two proftpd config files. # This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody" and "ftp" for normal operation and anon. ServerName "ProFTPD Server" ServerIdent on "FTP Server Ready" ServerType standalone DefaultServer on # Port 21 is the standard FTP port. Port 21 # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 022 # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd). MaxInstances 20 # Set the user and group under which the server will run. User nobody Group nogroup # To cause every FTP user to be "jailed" (chrooted) into their home # directory, uncomment this line. DefaultRoot ~ # Normally, we want files to be overwriteable. AllowOverwrite on # Bar use of SITE CHMOD by default #<Limit SITE_CHMOD> # DenyAll #</Limit> # A basic anonymous configuration, no upload directories. If you do not # want anonymous users, simply delete this entire <Anonymous> section. <Anonymous ~ftp> User ftp Group ftp # We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp # Limit the maximum number of anonymous logins MaxClients 5 "Sorry, max %m users -- try again later" # We want 'welcome.msg' displayed at login, and '.message' displayed # in each newly chdired directory. DisplayLogin welcome.msg DisplayFirstChdir .message # Limit WRITE everywhere in the anonymous chroot <Limit WRITE> DenyAll </Limit> </Anonymous> DefaultRoot ~ IdentLookups off Include /etc/proftpd_ispconfig.conf *********************************************************** ################################### # # ISPConfig proftpd Configuration File # Version 1.0 # ################################### <VirtualHost xxx.xxx.xxx.3> DefaultRoot ~ AllowOverwrite on Umask 002 </VirtualHost> <VirtualHost xxx.xxx.xxx.4> DefaultRoot ~ AllowOverwrite on Umask 002 <Anonymous /srv/www/web4/ftp> User web4_anonftp Group web4_anonftp UserAlias anonymous web4_anonftp UserAlias guest web4_anonftp MaxClients 10 <Directory *> <Limit WRITE> DenyAll </Limit> </Directory> <Directory /srv/www/web4/ftp/incoming> Umask 002 <Limit STOR> AllowAll </Limit> <Limit READ> DenyAll </Limit> </Directory> </Anon Thanks for any help
     
  2. till

    till Super Moderator

    You can ignore the warning.

    If you cant FTP from otside, it is in most caeses a firewall issue. have you tried both, active and passive FTP?
     
  3. mphayesuk

    mphayesuk New Member

    My router firewall is not on, and the default one for suse is not on either. But I will check all of them anyway, it does sound like the router because it will work inside my network

    Thanks
     
  4. mphayesuk

    mphayesuk New Member

    I am 98% certain that my router is not the problem any ideas where to start on the server, ssh wont work either outside my network but pop mail and web pages are working ok (except for perl scripts).... So where do I start.

    Thanks
     
  5. falko

    falko Super Moderator

    Ask your ISP if they block certain ports like 21 and 22.
     
  6. mphayesuk

    mphayesuk New Member

    Checked with the ISP and they do not block any ports.

    Thanks
     
  7. falko

    falko Super Moderator

    Did you forward ports 21 and 22 from your router to your ISPConfig box? Maybe also port 20 for FTP.
    Did you try both active and passive mode in your FTP client?
     
  8. mphayesuk

    mphayesuk New Member

    I have turned off the firewall on the router so that my server is public. At the moment port 80 and 81 and 110 and 25 work fine... so I am guessing that something on the server is stopping the ftp and ssh from working seeing as though everything else works fine through the router.

    Thanks
     
  9. mphayesuk

    mphayesuk New Member

    Ok so I can ftp from my internal network using the public addresses.

    BUT I cant ftp from the outside and also I cant ssh from internal or external.

    The firewall on my router is not on, ISPC's firewall is not on, but when it is nothing works and as far as I can tell there are no other firewalls turned on including the default suse one.

    Web (port 80) https (port 81) and mail (port 25 and 110) are working fine so can anyone shed some light as to why ftp and ssh will not work.

    When I try and ftp I get a connected to "address" and then after a minute or so I get "connection closed by remote host"

    When I am trying ssh and use telnet from windows (or putty) after typing telnet "address" 22 I the screen gets cleared and I am left with "SSH-1.99-OpenSSH_4.1 with a blinking cursor underneath and then after a while I get a message saying "Connection to host lost"

    My ISP does not block any ports.

    Can anyone help with this one.

    Thanks
     
  10. mphayesuk

    mphayesuk New Member

    Quick note on ssh, when looking at the config files /etc/ssh/ssh_config and sshd_config why are most of the option commented out, I would expect to see more options enabled here is the file.

    ssh:
    # $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $

    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.

    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for some commonly used options. For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.

    Host *
    # ForwardAgent no
    # ForwardX11 no

    # If you do not trust your remote host (or its administrator), you
    # should not forward X11 connections to your local X11-display for
    # security reasons: Someone stealing the authentification data on the
    # remote side (the "spoofed" X-server by the remote sshd) can read your
    # keystrokes as you type, just like any other X11 client could do.
    # Set this to "no" here for global effect or in your own ~/.ssh/config
    # file if you want to have the remote X11 authentification data to
    # expire after two minutes after remote login.
    ForwardX11Trusted yes

    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    # Protocol 2,1
    # Cipher 3des
    # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    # EscapeChar ~
    # GSSAPIAuthentication no
    # GSSAPIDelegateCredentials no

    # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
    # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
    # in this release. The use of 'gssapi' is deprecated due to the presence of
    # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
    # GSSAPIEnableMITMAttack no

    # This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL

    Thanks
     
  11. falko

    falko Super Moderator

    Have you tried both active and passive mode with your FTP client?
    What's the output of
    Code:
    netstat -tap
    ?

    Your sshd_config doesn't look ok. Did you install your distribution's SSH package?
    Try this one instead:

    Code:
    # Package generated configuration file
    # See the sshd(8) manpage for defails
    
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    
    # ...but breaks Pam auth via kbdint, so we have to turn it off
    # Use PAM authentication via keyboard-interactive so PAM modules can
    # properly interface with the user (off due to PrivSep)
    PAMAuthenticationViaKbdInt no
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    
    # Authentication:
    LoginGraceTime 600
    PermitRootLogin yes
    StrictModes yes
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     %h/.ssh/authorized_keys
    
    # rhosts authentication should not be used
    RhostsAuthentication no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    
    # Uncomment to disable s/key passwords
    #ChallengeResponseAuthentication no
    
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes
    
    
    # To change Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #AFSTokenPassing no
    #KerberosTicketCleanup no
    
    # Kerberos TGT Passing does only work with the AFS kaserver
    #KerberosTgtPassing yes
    
    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd no
    #PrintLastLog no
    KeepAlive yes
    #UseLogin no
    
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    #ReverseMappingCheck yes
    
    Subsystem       sftp    /usr/lib/sftp-server
     
  12. mphayesuk

    mphayesuk New Member

    server1:~ # netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:mysql *:* LISTEN 5202/mysqld
    tcp 0 0 *:7402 *:* LISTEN 4032/hptsvr
    tcp 0 0 *:7403 *:* LISTEN 4032/hptsvr
    tcp 0 0 *:pop3 *:* LISTEN 5113/couriertcpd
    tcp 0 0 *:imap *:* LISTEN 5068/couriertcpd
    tcp 0 0 *:sunrpc *:* LISTEN 4912/portmap
    tcp 0 0 *:www-http *:* LISTEN 5691/httpd2-prefork
    tcp 0 0 *:hosts2-ns *:* LISTEN 5350/ispconfig_http
    tcp 0 0 *:ftp *:* LISTEN 6060/proftpd: (acce
    tcp 0 0 server1.touchone:domain *:* LISTEN 5993/named
    tcp 0 0 server1.touchone:domain *:* LISTEN 5993/named
    tcp 0 0 localhost:domain *:* LISTEN 5993/named
    tcp 0 0 server1.touchonehos:ssh *:* LISTEN 7735/sshd
    tcp 0 0 *:ipp *:* LISTEN 6310/cupsd
    tcp 0 0 localhost:953 *:* LISTEN 5993/named
    tcp 0 0 *:smtp *:* LISTEN 5895/master
    tcp 0 0 localhost:922 *:* LISTEN 5410/fam
    tcp 0 0 *:https *:* LISTEN 5691/httpd2-prefork
    tcp 0 0 server1.touchoneh:35467 a.as:www-http TIME_WAIT -
    tcp 0 0 server1.touchoneh:37692 pagead2.google:www-http TIME_WAIT -
    tcp 0 0 server1.touchoneh:37691 pagead2.google:www-http ESTABLISHED 9763/konquerorfnFTW
    tcp 0 0 server1.touchoneh:37689 pagead2.google:www-http TIME_WAIT -
    tcp 0 0 server1.touchoneh:37677 pagead2.google:www-http TIME_WAIT -
    tcp 0 0 server1.touchoneh:58864 anrtx.tacoda.n:www-http TIME_WAIT -
    tcp 0 0 server1.touchoneh:60293 www.howtoforge:www-http TIME_WAIT -
    server1:~ #
     
  13. falko

    falko Super Moderator

    FTP is up, but SSH is not. Try the SSH configuration I posted above.
     
  14. mphayesuk

    mphayesuk New Member

    Thanks I will try the config file, but also I noticed that in ISPC management panel FTP was not up.... I will check this and post back any results
     
  15. mphayesuk

    mphayesuk New Member

    Used your script but I get this warning

    server1:~ # /etc/init.d/sshd start
    Starting SSH daemon/etc/ssh/sshd_config line 32: Deprecated option PAMAuthenticationViaKbdInt
    /etc/ssh/sshd_config line 65: Deprecated option RhostsAuthentication
    done
    server1:~ #

    But it now works as long as you use Putty and not the windows telnet program... Thanks Falko...

    Just one other point I did a basic install of everything as per you guide on my laptop so I can test scripts I am writting ect... and the sshd config file on the latop was not configured.... so perhaps something you should look into incase it is never configured by default.

    Thanks again.......

    I still think the ftp server is not working is there anything I can take a look at... perhaps the config file for this is wrong as well..... is there a setting for allowing public access because on my network the ftp works.
     
  16. falko

    falko Super Moderator

    You seem to have another SSH version that doesn't support these directives. You can comment them out then.

    The tutorial is working for me (at least it was at the time I wrote it...).

    I'm still thinking this is a router problem. However, please post your /etc/proftpd.conf here.
     
  17. mphayesuk

    mphayesuk New Member

    I think you might have been right just to make sure I have swapped my router twice and on the second time everything is working, so I am going to flash the firmware on the other two and see what happens.

    Sorry for wasting your time on this and thanks for getting the ssh working.

    Thanks
     

Share This Page