Pure-FTPd: port 21 definitely closed...

Discussion in 'Installation/Configuration' started by Fluotonic, Jan 23, 2013.

  1. Fluotonic

    Fluotonic Member

    Pure-FTPd (on Debian 6.0.2): port 21 desperately closed...

    Hi there,

    I just got a preinstalled server (Debian Squeeze with ISPConfig 3) and
    I spent about 2 days searching for a solution but I just can't seem to find it...

    Here is my problem...
    On ISPConfig, I created a site, and then an FTP account, but when I try to use it, the connection is refused. I'm not surprised now because the port 21 seems to be closed!

    If I do netstat -tap | grep ftp, I got NOTHING!

    If I do dpkg -l | grep -i "ftp", I get this :

    Code:
    ii  ftp                                 0.17-23                      The FTP client
    ii  pure-ftpd-common                    1.0.28-3                     Pure-FTPd FTP server (Common Files)
    ii  pure-ftpd-mysql                     1.0.28-3+b1                  Secure and efficient FTP server with MySQL user authentication
    
    So the FTP seems to be there, right?

    I don't know if you have everything to help me but don't hesitate to ask. This problem is driving me nuts!

    Thanks in advance!

    Vincent


    EDIT 1:
    I forgot to say I can access the server through FTP with the root account (SFTP on port 22) only.
     
    Last edited: Jan 23, 2013
  2. Fluotonic

    Fluotonic Member

    For information, my jail.local (/etc/fail2ban/jail.local) looks like this:

    Code:
    [pureftpd]
    
    enabled  = true
    port     = ftp
    filter   = pureftpd
    logpath  = /var/log/syslog
    maxretry = 3
    
    
    [dovecot-pop3imap]
    
    enabled = true
    filter = dovecot-pop3imap
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 5
    
    
    And when I do this iptables -L -n, I get this...
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    fail2ban-dovecot-pop3imap  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110,995,143,993 
    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain fail2ban-dovecot-pop3imap (1 references)
    target     prot opt source               destination         
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination         
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0 
    
    I hope this is relevant and it will help :)

    Thanks!
     
    Last edited: Jan 23, 2013
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this a virtual server? If yes, please post the output of:

    cat /proc/user_beancounters

    Did you try to restart pure ftpd?

    SFTP is an SSH protocol, so not FTP even if the name might imply this :) So SFTP is provided by the OpenSSH daemon.
     
  4. Fluotonic

    Fluotonic Member

    Thanks for your answer Till!

    cat /proc/user_beancounters sends this output:

    Code:
    cat: /proc/user_beancounters: Aucun fichier ou dossier de ce type
    ...means "no such file or directory"

    Sorry for my error, I didn't know this about SFTP :)
    So I suppose no FTP is working....

    Also, I tried to restart pure-ftpd this way:
    Code:
    /etc/init.d/pure-ftpd-mysql restart
    ...but it doesn't change anything.

    Thank you VERY MUCH for your kind help!

    Vincent
     
  5. Fluotonic

    Fluotonic Member

    Sorry I forgot to mention I'm on a dedicated server. So I suppose it's not a "virtual" server. Am I correct?

    Sorry for my ignorance, I'm really willing to learn though. The more I discover it, the more I love Linux and ISPConfig!

    Thanks again!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    No problem at all :) That's a common confusion, and what makes it even worse is that "FTPS" (with the S at the end) is FTP again.

    Yes. That's my guess too. According to your netstat output, there must be a startup error.

    Please check /var/log/syslog and the logs in /var/log/pure-ftpd/ for pureftpd errors. e.g. with:

    grep ftp /var/log/syslog
     
  7. Fluotonic

    Fluotonic Member

    Oh wow, I think we've got something?!

    grep ftp /var/log/syslog
    Code:
     
    Jan 22 19:25:56 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
    Jan 22 19:36:08 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
    Jan 22 19:45:20 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
    Jan 22 21:21:43 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
    Jan 22 21:22:34 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
    Jan 22 21:47:48 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
     
  8. Fluotonic

    Fluotonic Member

  9. Fluotonic

    Fluotonic Member

    OK so I just checked and the file does exist but it's a symlink. When I open it, I have the complete certificate. So I'm not sure the problem is coming from there...

    Any idea?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    The ssl cert issue is most likely the reason. Please post the output of:

    ls -la /usr/local/ispconfig/interface/ssl/
    ls -la /etc/ssl/private/
     
  11. Fluotonic

    Fluotonic Member

    OK sure:

    ls -la /usr/local/ispconfig/interface/ssl/
    Code:
    total 56
    drwxr-s--- 2 ispconfig ispconfig  4096 20 janv. 17:50 .
    drwxr-s--- 7 ispconfig ispconfig  4096  7 sept.  2011 ..
    -rw-r--r-- 1 root      ispconfig  2609 20 janv. 17:43 ispserver.crt
    -rwxr-x--- 1 ispconfig ispconfig  2399 20 janv. 16:15 ispserver.crt_bak
    -rwxr-x--- 1 ispconfig ispconfig  1858 20 janv. 16:15 ispserver.csr
    -rwxr-x--- 1 ispconfig ispconfig  3243 20 janv. 16:15 ispserver.key
    -rwxr-x--- 1 ispconfig ispconfig  3311 20 janv. 16:11 ispserver.key.secure
    -rw------- 1 root      ispconfig 10824 20 janv. 17:50 ispserver.pem
    -rw-r--r-- 1 root      ispconfig  2760  6 mai    2008 startssl.ca.crt
    -rw-r--r-- 1 root      ispconfig  4972 20 janv. 17:50 startssl.chain.class1.server.crt
    -rw-r--r-- 1 root      ispconfig  2212 17 avril  2010 startssl.sub.class1.server.ca.crt
    
    ls -la /etc/ssl/private/
    Code:
    total 24
    drwx--x--- 2 root ssl-cert 4096 20 janv. 18:07 .
    drwxr-xr-x 4 root root     4096 21 févr.  2011 ..
    -rw------- 1 root dovecot   891 16 janv. 11:27 dovecot.pem
    -rw------- 1 root root      891 16 janv. 11:27 ks4003865.ip-142-4-212.net.key
    lrwxrwxrwx 1 root root       48 20 janv. 18:07 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    -rw------- 1 root root     2266 16 janv. 11:27 pure-ftpd.pem_bak
    -rw-r----- 1 root ssl-cert 1679  7 sept.  2011 ssl-cert-snakeoil.key
     
  12. Fluotonic

    Fluotonic Member

    Is it possible that the symlink breaks the access to the SSL certificate?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Normally not. But you can try to replace the symlink with the cert:

    Try this:

    rm /etc/ssl/private/pure-ftpd.pem
    cp -pf /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/ssl/private/pure-ftpd.pem

    and restart pure-ftpd.
     
  14. Fluotonic

    Fluotonic Member

    I did this but nothing changed apparently...

    With grep ftp /var/log/syslog I still get this:

    Code:
    Jan 23 12:07:13 ks4003865 pure-ftpd: (?@?) [ERROR] Sorry, but that file doesn't exist: [/etc/ssl/private/pure-ftpd.pem]
    I don't get it :-/
     
  15. Fluotonic

    Fluotonic Member

    By the way, I restart with this command:
    /etc/init.d/pure-ftpd-mysql restart

    Is it correct?

    I get this output when doing so:

    Code:
    Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -u 1000 -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -b -A -8 UTF-8 -4 -H -D -E -S *,21 -B
     
    Last edited: Jan 23, 2013
  16. Fluotonic

    Fluotonic Member

    Maybe I need to update PureFTPd to the latest version?
    My version is 1.0.28 and I see the latest release is 1.0.36.

    Do you think it could solve my problem?
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    It is unlikely that it's related to the pure-ftpd version. Did pure-ftpd work before you installed the new SSL cert? In this case, it might be that the pem file content is wrong: try to rename the .pem file to a different name and rename the pem_bak file to .pem and restart pure-ftpd to test if it works with the old file.
     
  18. Fluotonic

    Fluotonic Member

    OMG! You got it!!!

    OK, so everything's OK now, everything's good but what can I do to correct this SSL certificate. I just noticed I had 3 certificates stacked on each other in this file, just after the RSA key, which seems very strange to me. Could it be the problem?

    Thank you very much for your help again! You're saving me so much time and pain finding this. I bought the ISPConfig documentation but couldn't figure out a solution for this problem...

    Any idea to fix this certificate?
     
  19. Fluotonic

    Fluotonic Member

    Holy cow!!! Forget my last message, I finally found the problem!

    For some reason, there was a mistake in the pile of certificates in the generated pure-ftpd.pem

    After the first or second certificate, a line break was missing, which was creating a problem to read the rest of certificates inside the file, obviously :-D

    Instead of

    Code:
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    
    I had

    Code:
    -----END CERTIFICATE----------BEGIN CERTIFICATE-----
    
    I guess it's something to let users know about. I hope my fixing will help others!

    Anyway, a big big thank you Till, you saved my life!

    Cheers and hail to ISPConfig ;-)
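
A structural check for the defect found in the last post, as an added example that is not part of the original thread or of ISPConfig. The function names `pem_lint`, `pem_unfuse` and `write_fused_sample` are hypothetical, and the sample bundle is constructed with placeholder bodies rather than real key material.

```shell
#!/bin/sh
# Structural lint for a PEM bundle such as /etc/ssl/private/pure-ftpd.pem.
# pem_lint, pem_unfuse and the sample data are constructed for this example.

# Exit 0 if every BEGIN/END marker sits alone on its line and they balance.
pem_lint() {
    f=$1
    # -r follows symlinks, so a dangling link or bad permissions fail here.
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # Marker lines that are not exactly "-----BEGIN|END LABEL-----".
    bad=$(grep -nE -- '-----(BEGIN|END) ' "$f" |
          grep -vE -- '^[0-9]+:-----(BEGIN|END) [A-Z0-9 ]+-----[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        echo "malformed boundary line(s) in $f:" >&2
        echo "$bad" >&2
        return 1
    fi
    begins=$(grep -c -- '^-----BEGIN ' "$f" || true)
    ends=$(grep -c -- '^-----END ' "$f" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$f: $begins BEGIN vs $ends END markers" >&2
        return 1
    fi
    return 0
}

# Print the bundle with a newline restored between fused END/BEGIN markers.
pem_unfuse() {
    sed 's/\(-----END [A-Z0-9 ]*-----\)\(-----BEGIN \)/\1\
\2/g' "$1"
}

# Constructed sample: placeholder bodies, not real key or certificate data.
write_fused_sample() {
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' 'QUJD' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'REVG' \
        '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' 'R0hJ' \
        '-----END CERTIFICATE-----' > "$1"
}

tmp=$(mktemp -d)
write_fused_sample "$tmp/bundle.pem"
pem_lint "$tmp/bundle.pem" || echo "lint failed, repairing"
pem_unfuse "$tmp/bundle.pem" > "$tmp/fixed.pem"
pem_lint "$tmp/fixed.pem" && echo "fixed bundle passes"
rm -rf "$tmp"
```

When repairing a real bundle, set `umask 077` before redirecting the output, since the file also holds the private key.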
     
