LinuxQuestions.org

Linux - Server forum: proftpd 500 illegal port command (http://www.linuxquestions.org/questions/linux-server-73/proftpd-500-illegal-port-command-858641/)

kgalbraith 01-25-2011 05:16 PM

proftpd 500 illegal port command
 
OK, so I am having an odd issue that I have no idea how to fix.

I set up an FTP server for a client. It is running Ubuntu 10.10 server and proftpd. While setting it up, I was able to log into FTP from FileZilla from in my office with no problems. Now suddenly I cannot access it from inside, but I can still access it as normal from outside my network.

I am getting "500 illegal port command" when using active mode, and when I use passive mode I get "fail to retrieve directory".
The server is on a DMZ, so ports should not be a problem, and according to our admin nothing has changed within our firewall.

Any ideas?

Thanks in advance.

xeleema 01-25-2011 05:32 PM

Greetingz!

Well, since the server's in a DMZ, and you already asked about the firewall, the question I would ask "your admin" is "Has anything changed on the Switch ACLs?". Aside from that, are you running iptables on the server?

Are you using MasqueradeAddress?

Please post your proftpd configuration file. Be sure to wrap it in [code] and [/code] tags.
You can retrieve a simplified output of your configuration file with the following command:
grep -v "^#" /path/to/your/configfile | grep .

kgalbraith 01-25-2011 05:44 PM

Actually, I am running a masquerading address on the server. It was the only way I could get outside clients to connect. However, I thought I could still access the site from inside since then.

Will a Masquerading address completely sink my ability to connect from anywhere but outside?

EDIT
I can connect to the machine through firefox "ftp" inside my network.

xeleema 01-25-2011 05:53 PM

If you're using MasqueradeAddress, then these threads might help you out (especially that last one there).
Otherwise, we're going to need to see your proftpd configuration file (as I mentioned earlier).
Feel free to redact any sensitive information (there shouldn't be passwords in that file, and you could replace IP addresses with #'s).

kgalbraith 01-25-2011 05:56 PM

Sorry, I did not see the request for my .conf.
I took the IP info and my email out of the file.

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
# Server info and contact
#
ServerName "********"
ServerType standalone
ServerAdmin mailto:**@**
IdentLookups off
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 1200
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"

DenyFilter \*.*/

# Use this to jail all users in their homes
DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constraint.
# RequireValidShell off

# Port 21 is the standard FTP port.
Port 21 20 22

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 4000 65534

# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and open the passive ports used on your firewall as well.
MasqueradeAddress **.***.**.***

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User proftpd
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?pag...LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.con

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

xeleema 01-25-2011 06:17 PM

Ah, yes. Thank you for the (gigantic) post. With the recommendations I made, your post would have looked like this:
Code:

Include /etc/proftpd/modules.conf
UseIPv6 on
IdentLookups off
ServerName "********"
ServerType standalone
ServerAdmin mailto:**@**
IdentLookups off
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 1200
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
DefaultRoot ~
Port 21 20 22
MasqueradeAddress **.***.**.***
<IfModule mod_dynmasq.c>
</IfModule>
MaxInstances 30
User proftpd
Group nogroup
Umask 022 022
AllowOverwrite on
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

Now, if your DMZ is NAT'd (which I'm assuming it is, because you're using the MasqueradeAddress option), then you're going to need to do two things:

1) Specify which passive ports you want/can have ProFTPd use:
PassivePorts start_port end_port
2) Make sure your firewall/switch administrator lets passive FTP data out those ports.
3) Your firewall/switch must allow "related" passive FTP ports. If this is a Linux firewall we're talking about, remove your MasqueradeAddress option and add the following to the firewall's iptables config:
Code:

# $INET/$IDMZ: the firewall's Internet-facing and DMZ-facing interfaces; $pti/$ptf: first and last port of the PassivePorts range.
# The client's end of a passive data connection uses an ephemeral port, so only the server's end is pinned to the range; RELATED needs the FTP conntrack helper (nf_conntrack_ftp) loaded.
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf -j ACCEPT

As always, Your Mileage May Vary, and keep this rule in mind:
"We would like to stress that you should fully understand what a recommended change may do to your system. You should not give anyone you do not know login information to your system. LinuxQuestions.org cannot be held liable for anything you do as a result of information obtained at this site."

Have a radical day!
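An added Python example, not from this thread or from ProFTPD itself, that models the two checks behind the symptoms reported above: the comparison of the PORT address against the control connection's peer that produces "500 Illegal PORT command" in active mode, and the 227 reply a masqueraded server hands to a LAN client in passive mode. The LAN network, public address and PassivePorts range are constructed placeholders.

```python
import ipaddress
import re

# Constructed site values for this example (documentation ranges, not the thread's real addresses).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # the office network behind the firewall
PUBLIC_ADDRESS = "203.0.113.10"                     # what MasqueradeAddress is set to
PASSIVE_PORTS = (49152, 65534)                      # the PassivePorts range given to the firewall
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by the PORT command and the 227 reply."""
    m = HOSTPORT.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port_command(cmd, control_peer_ip):
    """Active mode. ProFTPD (AllowForeignAddress off) answers '500 Illegal PORT command'
    when the address in PORT differs from the control connection's peer address or the
    port is privileged. An inside client that reaches the DMZ through NAT sends its
    private LAN address in PORT while the server sees the translated address."""
    decoded = decode_hostport(cmd) if cmd.upper().startswith("PORT ") else None
    if decoded is None:
        return "500 Illegal PORT command"  # this example folds syntax errors into the same reply
    host, port = decoded
    if host != control_peer_ip or port < 1024:
        return "500 Illegal PORT command"
    return f"200 PORT command successful (data to {host}:{port})"


def check_pasv_reply(reply, client_ip):
    """Passive mode. Return findings for a '227 Entering Passive Mode' reply as seen by
    client_ip. MasqueradeAddress makes the server advertise PUBLIC_ADDRESS to every
    client, so a LAN client is pointed at an address it may not be able to reach."""
    decoded = decode_hostport(reply) if reply.startswith("227") else None
    if decoded is None:
        return ["not a parseable 227 reply"]
    host, port = decoded
    findings = []
    if not PASSIVE_PORTS[0] <= port <= PASSIVE_PORTS[1]:
        findings.append(f"data port {port} outside PassivePorts range")
    if host == PUBLIC_ADDRESS and ipaddress.ip_address(client_ip) in LAN_NET:
        findings.append(f"LAN client {client_ip} told masqueraded address {host}")
    return findings
```

Feed it control-channel lines captured from a failing session (the client log or a tcpdump of port 21) to see which of the two conditions a given client trips.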
