LinuxQuestions.org
Old 01-25-2011, 05:16 PM   #1
kgalbraith
LQ Newbie
 
Registered: Oct 2009
Posts: 9

Rep: Reputation: 0
proftpd 500 illegal port command


OK, so I am having an odd issue I have no idea how to fix.

I set up an FTP server for a client. Running Ubuntu 10.10 server and proftpd. While setting it up, I was able to log into FTP from filezilla from in my office no problems. Now suddenly I cannot access it from inside, but I can still access it like normal from outside my network.

I am getting 500 illegal port command when using active
And when I use passive, I get fail to retrieve directory.
The server is on a DMZ, so ports should not be a problem, and according to our admin nothing has changed within our firewall.

Any ideas?

Thanks in advance.
 
Old 01-25-2011, 05:32 PM   #2
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Greetingz!

Well, since the server's in a DMZ, and you already asked about the firewall, the thing I would ask "your admin" about is "Has anything changed on the Switch ACLs?". Aside from that, are you running iptables on the server?

Are you using MasqueradeAddress?

Please post your proftpd configuration file. Be sure to wrap it in [code] and [/code] tags.
You can retrieve a simplified output of your configuration file with the following command:
grep -v "^#" /path/to/your/configfile | grep .
 
Old 01-25-2011, 05:44 PM   #3
kgalbraith
LQ Newbie
 
Registered: Oct 2009
Posts: 9

Original Poster
Rep: Reputation: 0
Actually I am running a Masquerading address on the server. It was the only way I could get outside clients to connect. However, I thought I could access the site since then, from inside.

Will a Masquerading address completely sink my ability to connect from anywhere but outside?

EDIT
I can connect to the machine through firefox "ftp" inside my network.
 
Old 01-25-2011, 05:53 PM   #4
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
If you're using MasqueradeAddress, then these threads might help you out (especially that last one there).
Otherwise, we're going to need to see your proftpd configuration file (as I mentioned earlier).
Feel free to redact any sensitive information (there shouldn't be passwords in that file, and you could replace IP addresses with #'s).
 
Old 01-25-2011, 05:56 PM   #5
kgalbraith
LQ Newbie
 
Registered: Oct 2009
Posts: 9

Original Poster
Rep: Reputation: 0
Sorry, I did not see the request for my .conf.
I took the ip info, and my email out of the file.

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
# Server info and contact
#
ServerName "********"
ServerType standalone
ServerAdmin mailto:**@**
IdentLookups off
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 1200
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"

DenyFilter \*.*/

# Use this to jail all users in their homes
DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constraint.
# RequireValidShell off

# Port 21 is the standard FTP port.
Port 21 20 22

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 4000 65534

# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
MasqueradeAddress **.***.**.***

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User proftpd
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?pag...LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.con

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
 
Old 01-25-2011, 06:17 PM   #6
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Ah, yes. Thank you for the (gigantic) post. With the recommendations I made, your post would have looked like this:
Code:
Include /etc/proftpd/modules.conf
UseIPv6 on
IdentLookups off
ServerName "********"
ServerType standalone
ServerAdmin mailto:**@**
IdentLookups off
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 1200
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
DefaultRoot ~
Port 21 20 22
MasqueradeAddress **.***.**.***
<IfModule mod_dynmasq.c>
</IfModule>
MaxInstances 30
User proftpd
Group nogroup
Umask 022 022
AllowOverwrite on
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
Now, if your DMZ is NAT'd (which I'm assuming it is, because you're using the MasqueradeAddress option), then you're going to need to do two things;

1) Specify which passive ports you want/can have ProFTPd use;
PassivePorts start_port end_port
2) Make sure your firewall/switch administrator lets passive ftp data out those ports.
3) Your firewall/switch must allow "related" passive ftp ports. If this is a Linux firewall we're talking about, remove your MasqueradeAddress option and add the following to the firewall's iptables config;
Code:
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
As always, Your Mileage May Vary and keep this rule in mind;
"We would like to stress that you should fully understand what a recommended change may do to your system. You should not give anyone you do not know login information to your system. LinuxQuestions.org cannot be held liable for anything you do as a result of information obtained at this site."

Have a radical day!

Last edited by xeleema; 01-25-2011 at 06:18 PM.
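The mismatch xeleema describes (a MasqueradeAddress that is right for outside clients but unreachable from inside the DMZ's own network, plus a data port that may fall outside the PassivePorts range the firewall allows) can be checked from any client without guessing. The script below is an added example and not part of the thread: it parses the server's 227 PASV reply, compares the advertised address with the address the control connection actually went to, and checks the data port against a (low, high) PassivePorts range. The sample reply, the private address 10.0.0.5, the public address 203.0.113.10 and the range 4000-65534 are all constructed for illustration; `probe()` needs real credentials to run live.

```python
import re
from ftplib import FTP

# Matches the host/port tuple in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (address, port) advertised in a 227 PASV reply."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose(control_peer_ip, pasv_reply, passive_ports=None):
    """Compare what the server advertises with where the client is really talking.

    control_peer_ip: address the control connection is connected to.
    passive_ports:   (low, high) from the PassivePorts directive, or None.
    Returns (address, port, findings); an empty findings list means nothing suspicious.
    """
    addr, port = parse_pasv(pasv_reply)
    findings = []
    if addr != control_peer_ip:
        findings.append(
            "server advertises %s but the control connection is to %s: a "
            "MasqueradeAddress is in effect, so the data connection goes to the public "
            "address, which inside clients reach only if the firewall hairpins the NAT"
            % (addr, control_peer_ip))
    if passive_ports is not None:
        low, high = passive_ports
        if not low <= port <= high:
            findings.append("data port %d is outside PassivePorts %d-%d, so a firewall "
                            "rule opened for that range will not match" % (port, low, high))
    return addr, port, findings


def probe(host, user, password, passive_ports=None, port=21, timeout=10):
    """Log in, request PASV and run diagnose() on the live reply (hypothetical usage)."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login(user, password)
    try:
        return diagnose(ftp.sock.getpeername()[0], ftp.sendcmd("PASV"), passive_ports)
    finally:
        ftp.close()


if __name__ == "__main__":
    # Constructed sample: control connection to the DMZ host's private address, server
    # answering with its masqueraded public address and port 15*256+160 = 4000.
    sample = "227 Entering Passive Mode (203,0,113,10,15,160)"
    for finding in diagnose("10.0.0.5", sample, (4000, 65534))[2]:
        print(finding)
```

Run against the internal address of the DMZ host: an address finding confirms the MasqueradeAddress explanation from post #3 and #6, and a port finding means the PassivePorts directive and the firewall range disagree.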