proftpd - can't connect from outside lan
 

Hi all
I'm running ProFTPd version 1.25 on Mandrake 8.2 behind a network anywhere linksys router. I 'm also using a dynamic ip from noip.com. I can connect from inside the lan with that computers name, but when I try from outside, with the dynamic name, I get the message
"Socket connected, waiting for welcome message "
"SSH-1.99-OpenSSH_3.1p1"
and then it just hangs there

This is my conf file

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
ServerType standalone
DefaultServer on
MasqueradeAddress davidh.no-ip.com
PassivePorts 60000 65535

# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart on

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User ftp
Group ftp

# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>



# A basic anonymous configuration, no upload directories.
<Anonymous /var/ftp/pub>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
RequireValidShell off

# Limit the maximum number of anonymous logins
MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message

# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>

</Anonymous>


# Needed for NIS.
PersistentPasswd off

# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
DefaultRoot ~

<Global>
</Global>
SystemLog /var/log/proftpd/info

Thanks for any help
David

Do you have your router set up to forward the proper ports to the FTP server?

looks like you're forwarding ftp connections to port 22 on the destination machine on your LAN.

you should be forwarding them to ports 20 and 21 I think.

ftp-data 20/tcp
ftp-data 20/udp
ftp 21/tcp
ftp 21/udp fsp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol

I have port forwarding going to port 21 on my router

Really?

if its working fine on your LAN, but not from an external network, then all fingers really do point to the port forwarding on your router being incorrect.

On the router admin page it sats that port 21 is being forwarded, and at grc.com it shows that port 21 is open. When I do try to connect with my dynamic addy this shows up in /var/log/messages

Oct 5 13:43:48 bart sshd[9115]: Did not receive identification string from 65.95.xxx.xx

but nothing shows up in the /var/proftpd/info file except internal connections

OK, maybe I'm just being thick, but if you are connecting using FTP, why are you geting an SSH return string? To me, that suggests that your router is mixing up the ports.

I'm using a network everywhere router from linksys. How would I check to see if it is mixing up ports? Or should I be using SSH anyways?

I'm going to do a little guessing based on my own Linksys router since I've never heard of a "Network Everywhere" router. Usually Linksys' stuff has a wierd alphanumeric name, not an English one. For example, my router is a BEFW11S4...

Anyway, Linksys usually accesses their stuff through a web browser, so point your browser at the router and connect. There should be an Advanced tab on the far right of the screen. Click on that. That brings up a new set of tabs, one of which is Forwarding. Click on that to see what external ports are being forwarded to what IP. If you have a uPnP forwarding button, also click on that. This is the place where you can mix up your ports. For example, on my router, I forward external port 23 to port 22 on my linux box. Normally port 23 is telnet, but since I forward it to 22 on my linux box, SSH answers instead of telnet. Now if you scan my router, you would see port 23 is open, but you couldn't connect via telnet.

I suspect that this is where your router is goofed up. If you are hitting port 21, and SSH is answering, I suspect external port 21 is being forwarded to port 22 on your linux box.

As for your other question, ssh and ftp are used for different purposes. If you need console (or graphical) access to your computer, you should be using ssh. If you are transferring files between computers, ftp is the one to use. That said, I only use ftp from within my LAN. If I'm outside my LAN, I use sftp, which transfers files across an ssh connection. That way any passwords (and traffic) are encrypted.

"network everywhere" is the brand name ( the number name is NR041), but down in the corner linksys has it's logo. I'm assuming it's an offshoot of linksys for the home networker. For ftp both Internal and external ports are listed as 21
In the SSH conf file I uncommented the line to listen on port 22 and restarted SSH. In the /var log/messages file it shows that SSH is listening on port 22, but it still intercepts the ftp requests

OK, to solve this you're going to have to separate what is happening on your linux box from what is happening on your router.

On your linux box, the best thing to do would be run nmap localhost (if you have nmap installed). That will tell you what is listening on what ports. You could also run netstat -l to see what protocols are listening. These should give you a clear picture of what protocols are listening on what ports. Feel free to post the results of these if you have questions.

Now if I understand your previous posts correctly, from within your LAN, you can successfully use both FTP and SSH. Please verify that this is true.

From outside your LAN, FTP seems to be connecting to SSH. What does SSH connect to? These last two items are where you need to get into the guts of your router and figure out what ports it is sending where.

This is the result from nmap. It looks like port 21 is not open.

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1533 ports scanned but not shown below are in state: closed)
Port State Service
19/tcp open chargen
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open sunrpc
139/tcp open netbios-ssn
443/tcp open https
665/tcp open unknown
760/tcp open krbupdate
901/tcp open samba-swat
953/tcp open rndc
1024/tcp open kdm
1025/tcp open listen
3128/tcp open squid-http
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt


Nmap run completed -- 1 IP address (1 host up) scanned in 1 second


the result from netstat -l

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:1025 *:* LISTEN
tcp 0 0 *:swat *:* LISTEN
tcp 0 0 *:8200 *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:10000 *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:chargen *:* LISTEN
tcp 0 0 bart.example.com:domain *:* LISTEN
tcp 0 0 localhost.locald:domain *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:squid *:* LISTEN
tcp 0 0 *:krbupdate *:* LISTEN
tcp 0 0 localhost.localdom:rndc *:* LISTEN
tcp 0 0 *:665 *:* LISTEN
tcp 0 0 *:https *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 *:nfs *:*
udp 0 0 *:1025 *:*
udp 0 0 *:1026 *:*
udp 0 0 *:1027 *:*
udp 0 0 bart.example:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 bart.exampl:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:10000 *:*
udp 0 0 *:662 *:*
udp 0 0 bart.example.com:domain *:*
udp 0 0 localhost.locald:domain *:*
udp 0 0 *:icpv2 *:*
udp 0 0 *:3401 *:*
udp 0 0 *:971 *:*
udp 0 0 *:4827 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:758 *:*
udp 0 0 *:635 *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 4016 /tmp/.s.PGSQL.5432
unix 2 [ ACC ] STREAM LISTENING 4001 /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 4482 /tmp/.font-unix/fs-1

I went into webmin under servers -> openSSH -> user SSH key set up and set key up for new unix users restarted it then I installed Core FTP and set it up to connect on port 21 using SSH , it works.

On the router admin page internal and external ports are listed at 21 ( I tried setting internal port to 22 but then core ftp wouldn't work) so I don't know what's going on.

btw
Thanks for everyones replies , I'm learning lots

I can ftp and SSH from inside. I can't get the router to let me setup to port 22
Failure: No space to add Virtual Server or have a duplication port:ssh

OK, you've officially lost me. Setting up SSH to generate new keys automatically is fine, but it doesn't really have any bearing on your problem. And isn't Core FTP a FTP client, not a server?

So here is my understanding of your problem. Please correct what isn't right.

1) You have multiple computers connected via a router
2) Your linux box is running an ssh server, but not an ftp server
3) From within your LAN, you can SSH
4) From within your LAN you can FTP? (via SSH?)
5) Your router has port 21 forwarded to port 21 your linux box
6) Your router won't let you forward port 22 to your linux box
7) There are NO ports other than 21 forwarded from your router to anywhere.
8) From the Internet, if you try to connect via FTP, you get an SSH message
9) From the Internet, you cannot connect using SSH.

Now, in your router's admin page for forwarding, on the FTP line, the INTERNAL port is 21, the IP address is the correct IP for your linux box and ENABLE is checked. Right?

For SSH, have you had to create a custom entry in the form? In other words, in the section that lets you forward any port, have you forwarded external 22 to internal 22 and the IP address is correct for the Linux box?

I apologize for all the questions, but you really have lost me.

I' m kind of lost myself. I use webmin because the computer I'm trying to set up is headless. Since SSH seemed to be involved I went to the SSH server section of webmin just to have a look around and made that change for user SSH key set up, then restarted the SSH server.

I did a search on download.com for sftp clients and came up with core ftp. there is an option in the site manager for which port to connect to (port 21 seems to be the only one I' ve been able to use) and a checkbox to enable/disable SSH(I've enabled), this setup along with a valid user account lets me access my computer. In /var/log/messages there are a bunch of entries from sshd about accepting password for the user and subsystem requests for sftp.


1)yes
2)the linux box is running both SSH server and ftp server
3)yes I can SSh
4)from within I can ftp. I don't think via ssh, I was using ftp from the commandline
5)the router has internal and external port 21 being forwarded to the linux box. When I change the internal to port 22 , core ftp won't connect from the internet.
6)the router won't allow me to create a customized port forwarding to port 22. It responds with this line
"Failure: No space to add Virtual Server or have a duplication port:ssh"
7)When I try to connect from the internet with straight ftp I get this message
"Socket connected, waiting for welcome message "
"SSH-1.99-OpenSSH_3.1p1"
and then it just hangs there

On the routers admin page ftp port forwarding is being sent to the right computer and to port 21
I haven't been able to make a custom entry to port forward SSH because of the earlier failure notice

I hope this helps clear things up. Something seems to be working but I sure would like to know what and why

OK, I get this bit. What is strange to me is that it is working over port 21. When I use sftp, I am definitely using port 22 because that is where sshd is listening. From your nmap post, that is where sshd is listening on your computer as well. If you shut down sshd, does Core FTP still work? What happens if you have sshd running but your FTP server shut down? What happens if both are shut down?

As for the rest of it, either there is some port settings on your router that you aren't seeing it or your router is faulty. When you try to forward 22, you shouldn't get an error message unless port 22 was already being forwarded, and you say you see no indication of that. And if 21 is the only port being forwarded, there is no way it can be a memory space issue. Add to that the fact that your various FTP clients, which are all pointed to port 21, keep connecting with sshd, which is on port 22, and again, you may have something seriously screwed up in the router. I suppose one other thing you could try would be to reset the router to its factory defaults and then try to forward ports 21 and 22. It is possible that it is the router firmware that is screwed up, not the hardware. This happened to me once, and resetting the router to the factory defaults and then flashing a new firmware was the only way to get the router to behave properly.

I'd also be tempted to have a chat with Network Everywhere and see if they could shed any light on the subject. At very least, they ought to be able to explain the error message in a bit more detail.