Old 08-23-2011, 10:53 AM   #1
bluethundr
local ftp login OK - remote ftp login failure


Hello all!

Well I have delved back into my proftpd config in the hopes of resolving my issues and having a working server.

I am working with a centos 5.6 server on i386.

Here's some information on the version of proftpd that I'm working with.

Code:
  
  ProFTPD Version: 1.3.3e (maint)
  Scoreboard Version: 01040003
  Built: Thu Apr 7 2011 14:41:56 UTC

Loaded modules:
  mod_lang/0.9
  mod_ctrls/0.9.4
  mod_cap/1.0
  mod_vroot/0.8.5
  mod_tls/2.4.2
  mod_auth_pam/1.1
  mod_readme.c
  mod_ident/1.0
  mod_dso/0.5
  mod_facts/0.1
  mod_delay/0.6
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/0.8.3
  mod_auth_unix.c
  mod_xfer.c
  mod_core.c
I believe I have the passive mode issue that I was experiencing last time mostly worked out. But there are still a couple of things going on with this config that I would like to run by you in hopes of finding a solution.

If I execute an ftp session on localhost from the ftp server itself, I can log in and the ftp client does not complain when I try to list a directory. Passive mode is working!

Code:
[root@VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
230 User bluethundr logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,183,201).
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> quit
221 Goodbye.
However if I log into the external address of the FTP server the login fails. It does connect however so it does not appear to be a firewall issue.

Code:
Name (example.net:root): bluethundr
331 Password required for bluethundr
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
There is no activity in the logs when I log in remotely. I don't believe it to be a firewall issue because iptables on the local ftp server has been disabled by stopping that service (temporarily for troubleshooting purposes) and the router has been configured to open port 21 and the passive ports I have selected (60000-65535).

Just to be sure it's not a firewall issue I have verified that port 21 is open with nmap:

Code:
[root@VIRTCENT29:~] #nmap -p 21 example.net

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-22 20:39 EDT
Interesting ports on pool-71-187-203-194.nwrknj.fios.verizon.net (xx.xx.xx.xx):
PORT   STATE SERVICE
21/tcp open  ftp

Nmap finished: 1 IP address (1 host up) scanned in 0.371 seconds
And it looks like the system is prompting for a password, but authentication fails. But why it only fails when I attempt this remotely and it works when I do this locally is a bit puzzling.


The other issue I would like to address is if I mount an NFS directory login fails on localhost too:

Code:
[root@VIRTCENT29:~] #mount nas2:/mnt/home /home

[root@VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
530 Login incorrect.
Login failed.
421 Service not available, remote server has closed connection
ftp>
This is what happens in the extended log when I have the NFS partition mounted:

Code:
[root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log
::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:42:49 -0400] "USER bluethundr" 331 -
And if I unmount the NFS partition, I am able to log in again:

Code:
[root@VIRTCENT29:~] #umount /home


[root@VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
230 User bluethundr logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,205,137).
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp>
And this is what happens in the logs once I am able to log in again

Code:
[root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log
::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:45:31 -0400] "USER bluethundr" 331 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "PASS (hidden)" 230 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "SYST" 215 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "PASV" 227 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "LIST" 226 0
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:37 -0500] "QUIT" 221 -

I'm including my config below. I was hoping someone could provide a clue as to why this is happening! Thank you very much in advance and best regards!


tim
Attached Files
File Type: txt proftpd.txt (11.4 KB, 8 views)
File Type: txt debug.txt (3.0 KB, 0 views)

Last edited by bluethundr; 08-23-2011 at 02:17 PM. Reason: include debug information
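
Added example (not part of the original post): a shell helper that decodes the data port from the 227 replies quoted above and checks it against the passive range the post says was opened on the router, 60000-65535. The function names are illustrative.

```shell
#!/bin/sh
# Decode the data port from an FTP 227 reply: port = p1 * 256 + p2,
# where the reply carries (h1,h2,h3,h4,p1,p2).
pasv_port() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/^227 [^(]*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*/\1/p')
    [ -n "$nums" ] || return 1            # not a well-formed 227 reply
    p1=$(printf '%s' "$nums" | cut -d, -f5)
    p2=$(printf '%s' "$nums" | cut -d, -f6)
    [ "$p1" -le 255 ] && [ "$p2" -le 255 ] || return 1
    echo $(( p1 * 256 + p2 ))
}

# Succeeds when the port in reply $1 lies inside the range $2..$3.
# Returns 2 when the reply cannot be parsed.
pasv_in_range() {
    port=$(pasv_port "$1") || return 2
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# The two 227 replies quoted in the post, checked against the range the
# post says was forwarded on the router.
for reply in \
    '227 Entering Passive Mode (127,0,0,1,183,201).' \
    '227 Entering Passive Mode (127,0,0,1,205,137).'
do
    if pasv_in_range "$reply" 60000 65535; then
        verdict=inside
    else
        verdict=OUTSIDE
    fi
    echo "data port $(pasv_port "$reply") is $verdict 60000-65535"
done
```

Both replies in the post decode to ports below 60000 (47049 and 52617), which is worth comparing with the PassivePorts setting in the attached config.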
 
Old 08-23-2011, 06:43 PM   #2
allwimb
Does your user have a valid shell? Check that in /etc/passwd

spring logout

Last edited by allwimb; 12-12-2011 at 05:47 AM.
 
Old 08-24-2011, 10:12 AM   #3
TB0ne
Quote:
Originally Posted by allwimb View Post
Does your user have a valid shell? Check that in /etc/passwd
Well, since the OP said that it worked by connecting LOCALLY, and since FTP doesn't really use a 'shell' per se, why would that matter?

OP, since you can log in locally, it would seem that it may be a firewall/network issue... maybe. To let FTP go via IPTables:
Code:
vi /etc/sysconfig/iptables

# Append following line to open ftp port 21 before REJECT line:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
and see if that makes a difference. I know you said you turned off IPTables for troubleshooting, but is there anything else in between your two machines, or are you just trying it from the one box, to a different address? It also looks like you're trying to do virtual users/hosting. Have you tried leaving those things out, and just running a 'stock' proftpd service with a default config file, to see if you can narrow down the problem?

And I'll go ahead and say it: FTP is insecure...is there a reason you're going for it, rather than SFTP?

Last edited by TB0ne; 08-24-2011 at 10:15 AM.
 
Old 08-24-2011, 11:13 AM   #4
mike-ocs
Here are a couple more things that you might do/check:
1. Open /etc/sysconfig/iptables-config and see if ftp connection tracking modules have been loaded. The line you are looking for is:
IPTABLES_MODULES=""
You might change this line to read: IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
There are more ftp connection tracking modules. To view them, you might run: modprobe -l | grep ftp

2. Make sure you have a firewall rule that allows packets from ESTABLISHED and RELATED connections. You can view the firewall rules for your filter table by running: iptables -nvL --line-numbers
If you don't have a rule allowing ESTABLISHED and RELATED packets, you can add it with:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Don't forget to save your iptables rules: service iptables save
If you modified /etc/sysconfig/iptables-config, apply that change with: service iptables restart

3. If it isn't a firewall issue, it could be an SELinux issue. A quick way to test this is to put SELinux into permissive mode. To check your current SELinux mode, run: getenforce
If your mode is Enforcing, you can change to permissive with: setenforce 0
You can run getenforce again to verify this change and if you were Enforcing to begin with, you'll eventually want to enable SELinux again with: setenforce 1
With SELinux in permissive mode, you might attempt to login through ftp again. If it works this time, then it is an SELinux issue. There is an SELinux boolean that prevents users from accessing their home directories. The man page ftpd_selinux has more information about this. You can view SELinux booleans that relate to ftp with: getsebool -a | grep ftp
The boolean that might be giving you problems is ftp_home_dir. If it's set to off, you might enable this boolean with: setsebool -P ftp_home_dir on
Make sure SELinux is enforcing again (setenforce 1) and try again. SELinux can be frustrating because it can override your configuration file. Your configuration file might indicate that it is allowing some piece of functionality, but SELinux might ultimately prevent it.

Mike

Last edited by colucix; 08-24-2011 at 01:06 PM. Reason: Link to commercial site removed, advertising not allowed here.
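
The checks suggested in the replies above, as an added read-only example (not code from any poster): it inspects saved copies of /etc/sysconfig/iptables-config, /etc/sysconfig/iptables and getsebool -a output. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Read-only checks for the firewall and SELinux items raised in the replies.
# Every check reads saved text on stdin; nothing on the host is modified.

# IPTABLES_MODULES (iptables-config) names an FTP connection-tracking helper.
has_ftp_helper() {
    grep -E '^[[:space:]]*IPTABLES_MODULES=.*conntrack_ftp' >/dev/null
}

# An ACCEPT rule matching regex $1 appears before the first REJECT/DROP rule.
# Simplification: the rules file is read as one ordered list, not per chain.
accept_before_reject() {
    awk -v pat="$1" '
        /^-A / && /-j (REJECT|DROP)/                 { denied = 1 }
        !denied && /^-A / && /-j ACCEPT/ && $0 ~ pat { found = 1 }
        END { exit !found }'
}

# Boolean $1 is reported "on" in `getsebool -a` output.
sebool_on() {
    grep "^$1 --> on\$" >/dev/null
}

# Print one line per failed check. $1 = iptables-config text,
# $2 = /etc/sysconfig/iptables text, $3 = `getsebool -a` text.
audit() {
    printf '%s\n' "$1" | has_ftp_helper ||
        echo "IPTABLES_MODULES loads no FTP conntrack helper"
    printf '%s\n' "$2" | accept_before_reject 'ESTABLISHED,RELATED|RELATED,ESTABLISHED' ||
        echo "no ESTABLISHED,RELATED accept rule before the REJECT line"
    printf '%s\n' "$2" | accept_before_reject '--dport 21( |$)' ||
        echo "no accept rule for port 21 before the REJECT line"
    printf '%s\n' "$3" | sebool_on ftp_home_dir ||
        echo "SELinux boolean ftp_home_dir is off"
}

# Constructed sample input (not taken from the poster's machine): the port 21
# rule was appended after the REJECT line, so it is never reached.
SAMPLE_CONFIG='IPTABLES_MODULES=""'
SAMPLE_RULES='-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT'
SAMPLE_BOOLS='ftp_home_dir --> off'

audit "$SAMPLE_CONFIG" "$SAMPLE_RULES" "$SAMPLE_BOOLS"
```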
 
  

