LinuxQuestions.org

Linux - Newbie: local ftp login OK - remote ftp login failure
https://www.linuxquestions.org/questions/linux-newbie-8/local-ftp-login-ok-remote-ftp-login-failure-898978/

bluethundr 08-23-2011 10:53 AM

local ftp login OK - remote ftp login failure
 
2 Attachment(s)
Hello all!

Well I have delved back into my proftpd config in the hopes of resolving my issues and having a working server. :)

I am working with a CentOS 5.6 server on i386.

Here's some information on the version of proftpd that I'm working with.

Code:

 
  ProFTPD Version: 1.3.3e (maint)
  Scoreboard Version: 01040003
  Built: Thu Apr 7 2011 14:41:56 UTC

Loaded modules:
  mod_lang/0.9
  mod_ctrls/0.9.4
  mod_cap/1.0
  mod_vroot/0.8.5
  mod_tls/2.4.2
  mod_auth_pam/1.1
  mod_readme.c
  mod_ident/1.0
  mod_dso/0.5
  mod_facts/0.1
  mod_delay/0.6
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/0.8.3
  mod_auth_unix.c
  mod_xfer.c
  mod_core.c

I believe I have the passive mode issue that I was experiencing last time mostly worked out. But there are still a couple of things going on with this config that I would like to run by you in hopes of finding a solution.

If I execute an ftp session on localhost from the ftp server itself, I can log in and the ftp client does not complain when I try to list a directory. Passive mode is working! :)

Code:

[root@VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
230 User bluethundr logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,183,201).
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> quit
221 Goodbye.

However, if I log in to the external address of the FTP server, the login fails. It does connect, however, so it does not appear to be a firewall issue.

Code:

Name (example.net:root): bluethundr
331 Password required for bluethundr
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

There is no activity in the logs when I log in remotely. I don't believe it to be a firewall issue, because iptables on the local ftp server has been disabled by stopping that service (temporarily, for troubleshooting purposes), and the router has been configured to open port 21 and the passive ports I have selected (60000-65535).

Just to be sure it's not a firewall issue, I have verified that port 21 is open with nmap:

Code:

[root@VIRTCENT29:~] #nmap -p 21 example.net

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-22 20:39 EDT
Interesting ports on pool-71-187-203-194.nwrknj.fios.verizon.net (xx.xx.xx.xx):
PORT  STATE SERVICE
21/tcp open  ftp

Nmap finished: 1 IP address (1 host up) scanned in 0.371 seconds

And it looks like the system is prompting for a password, but authentication fails. But why it only fails when I attempt this remotely and it works when I do this locally is a bit puzzling.


The other issue I would like to address is that if I mount an NFS directory, login fails on localhost too:

Code:

[root@VIRTCENT29:~] #mount nas2:/mnt/home /home

[root@VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
530 Login incorrect.
Login failed.
421 Service not available, remote server has closed connection
ftp>

This is what happens in the extended log when I have the NFS partition mounted:

Code:

[root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log
::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:42:49 -0400] "USER bluethundr" 331 -

And if I unmount the NFS partition, I am able to log in again:

Code:

[root@VIRTCENT29:~] #umount /home


[root@VIRTCENT29:~] #/usr/bin/ftp localhost
Connected to localhost (127.0.0.1).
220 FTP Server ready.
Name (localhost:root): bluethundr
331 Password required for bluethundr
Password:
230 User bluethundr logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,205,137).
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp>

And this is what happens in the logs once I am able to log in again:

Code:

[root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log
::ffff:127.0.0.1 UNKNOWN nobody [22/Aug/2011:20:45:31 -0400] "USER bluethundr" 331 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "PASS (hidden)" 230 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:33 -0500] "SYST" 215 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "PASV" 227 -
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:36 -0500] "LIST" 226 0
::ffff:127.0.0.1 UNKNOWN bluethundr [22/Aug/2011:19:45:37 -0500] "QUIT" 221 -


I'm including my config below. I was hoping someone could provide a clue as to why this is happening! Thank you very much in advance, and best regards!


tim
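The two things a "530 Login incorrect" on a working daemon usually comes down to are the account's login shell and its home directory, and both can be checked on the server before touching the router or iptables. The script below is an added example for this thread, not code from the thread or from ProFTPD. It assumes ProFTPD's default RequireValidShell behaviour (the login shell must appear in /etc/shells) and that the home directory must exist and be owned by the account; the function names and the constructed passwd/shells samples are mine. The passwd and shells paths are parameters so the checks can run against copies pulled from the box.

```shell
#!/bin/sh
# ftp-login-precheck.sh: the local checks behind a ProFTPD "530 Login incorrect".
# Added example for this thread; not code from the thread or from ProFTPD.
# Assumptions (mine): ProFTPD's default RequireValidShell is in effect, so the
# login shell must be listed in /etc/shells, and the home directory must exist
# and be owned by the account.  Paths are parameters so the checks can run
# against copies of passwd and shells taken from the server.

# Print field N of USER's entry in PASSWD_FILE; fail if the user is absent.
passwd_field() { # user field_number passwd_file
    awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; found = 1 } END { exit !found }' "$3"
}
user_uid()   { passwd_field "$1" 3 "$2"; }
user_home()  { passwd_field "$1" 6 "$2"; }
user_shell() { passwd_field "$1" 7 "$2"; }

# Succeed if SHELL is listed in SHELLS_FILE.  Comment and blank lines are
# skipped, as getusershell(3), which RequireValidShell relies on, skips them.
shell_is_valid() { # shell shells_file
    grep -v '^[[:space:]]*#' "$2" | grep -qx -- "$1"
}

# Succeed if DIR is a directory owned by UID.  `ls -ldn` gives the numeric
# owner without GNU-only stat flags.
home_is_usable() { # dir uid
    if [ ! -d "$1" ]; then
        echo "FAIL: home directory $1 is missing or not a directory"
        return 1
    fi
    owner=$(ls -ldn "$1" | awk '{ print $3 }')
    if [ "$owner" != "$2" ]; then
        echo "FAIL: home directory $1 is owned by uid $owner, not uid $2"
        return 1
    fi
    return 0
}

# Run every check for USER; one line per finding, exit status = failures.
precheck() { # user passwd_file shells_file
    failures=0
    shell=$(user_shell "$1" "$2") || { echo "FAIL: no passwd entry for $1 in $2"; return 1; }
    home=$(user_home "$1" "$2")
    uid=$(user_uid "$1" "$2")
    if shell_is_valid "$shell" "$3"; then
        echo "ok:   shell $shell is listed in $3"
    else
        echo "FAIL: shell $shell is not in $3 (RequireValidShell rejects the login)"
        failures=$((failures + 1))
    fi
    if home_is_usable "$home" "$uid"; then
        echo "ok:   home $home exists and is owned by uid $uid"
    else
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Invoked with a user name: check the live files (or the copies given).
if [ $# -ge 1 ]; then
    precheck "$1" "${2:-/etc/passwd}" "${3:-/etc/shells}"
fi
```

Run it as `sh ftp-login-precheck.sh bluethundr` on the server. Because the symptom in the post changes with the state of the /home mount, the home-directory check is worth running once with the NFS export mounted and once without; on an export with root_squash, run it as the user rather than as root, since root's view of the export is not the user's (that is an assumption about the environment, not something the thread establishes).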

allwimb 08-23-2011 06:43 PM

Does your user have a valid shell? Check that in /etc/passwd.


TB0ne 08-24-2011 10:12 AM

Quote:

Originally Posted by allwimb (Post 4451526)
Does your user have a valid shell? Check that in /etc/passwd.

Well, since the OP said that it worked by connecting LOCALLY, and since FTP doesn't really use a 'shell' per se, why would that matter?

OP, since you can log in locally, it would seem that it may be a firewall/network issue... maybe. :) To let FTP through iptables:
Code:

vi /etc/sysconfig/iptables

# Append following line to open ftp port 21 before REJECT line:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

and see if that makes a difference. I know you said you turned off IPTables for troubleshooting, but is there anything else in between your two machines, or are you just trying it from the one box, to a different address? It also looks like you're trying to do virtual users/hosting. Have you tried leaving those things out, and just running a 'stock' proftpd service with a default config file, to see if you can narrow down the problem?

And I'll go ahead and say it: FTP is insecure...is there a reason you're going for it, rather than SFTP? :)

mike-ocs 08-24-2011 11:13 AM

Here are a couple more things that you might do/check:
1. Open /etc/sysconfig/iptables-config and see if ftp connection tracking modules have been loaded. The line you are looking for is:
IPTABLES_MODULES=""
You might change this line to read: IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
There are more ftp connection tracking modules. To view them, you might run: modprobe -l | grep ftp

2. Make sure you have a firewall rule that allows packets from ESTABLISHED and RELATED connections. You can view the firewall rules for your filter table by running: iptables -nvL --line-numbers
If you don't have a rule allowing ESTABLISHED and RELATED packets, you can add it with:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Don't forget to save your iptables rules: service iptables save
If you modified /etc/sysconfig/iptables-config, apply that change with: service iptables restart

3. If it isn't a firewall issue, it could be an SELinux issue. A quick way to test this is to put SELinux into permissive mode. To check your current SELinux mode, run: getenforce
If your mode is Enforcing, you can change to permissive with: setenforce 0
You can run getenforce again to verify this change and if you were Enforcing to begin with, you'll eventually want to enable SELinux again with: setenforce 1
With SELinux in permissive mode, you might attempt to login through ftp again. If it works this time, then it is an SELinux issue. There is an SELinux boolean that prevents users from accessing their home directories. The man page ftpd_selinux has more information about this. You can view SELinux booleans that relate to ftp with: getsebool -a | grep ftp
The boolean that might be giving you problems is ftp_home_dir. If it's set to off, you might enable this boolean with: setsebool -P ftp_home_dir on
Make sure SELinux is enforcing again (setenforce 1) and try again. SELinux can be frustrating because it can override your configuration file. Your configuration file might indicate that it is allowing some piece of functionality, but SELinux might ultimately prevent it.

Mike
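TB0ne's port-21 rule and Mike's three items (the conntrack helper, the ESTABLISHED/RELATED rule, and the SELinux boolean) can be graded by a script that reads captured command output, so the same checks run offline on copied output or live on the box. This is an added example for this thread, not code from either poster. Assumptions (mine): rules are read from `iptables-save` output rather than `iptables -S`, which older iptables releases such as the one on CentOS 5 do not have; the helper check accepts both the 2.6.18-era names (ip_conntrack_ftp/ip_nat_ftp) and the newer ones (nf_conntrack_ftp/nf_nat_ftp); and the function names and the sample lines are mine.

```shell
#!/bin/sh
# ftp-firewall-selinux-audit.sh: grade the firewall and SELinux items from the
# two posts above against captured command output, or live with --live.
# Added example for this thread; not code from either poster.
# Assumptions (mine): rules are read from `iptables-save` output (present on
# iptables releases that predate `iptables -S`); helper module names cover the
# 2.6.18-era ip_conntrack_ftp/ip_nat_ftp and the newer nf_conntrack_ftp/nf_nat_ftp.

# 1. Is an FTP connection-tracking helper loaded?  Input: `lsmod` output.
ftp_helper_loaded() { # lsmod_file
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]' "$1"
}

# 2a. Is 21/tcp accepted?  Matches rule lines such as
#     "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT".
ftp_port_accepted() { # iptables_save_file
    grep -Eq '^-A .*-p tcp .*--dport 21( |$).*-j ACCEPT' "$1"
}

# 2b. Are ESTABLISHED and RELATED packets accepted?  The helper marks the
#     data connection RELATED, so without this rule "ls" stalls even though
#     port 21 is open.  Accepts both -m state --state and -m conntrack --ctstate.
established_related_accepted() { # iptables_save_file
    grep -Eq '^-A .*--(state|ctstate) [A-Z,]*(ESTABLISHED[A-Z,]*RELATED|RELATED[A-Z,]*ESTABLISHED).*-j ACCEPT' "$1"
}

# 3. Is an SELinux boolean on?  Input: `getsebool -a` output ("ftp_home_dir --> off").
sebool_on() { # boolean_name getsebool_file
    grep -Eq "^$1 --> on\$" "$2"
}

# Print one line per check and count failures into $failures.
check() { # description command [args...]
    desc=$1; shift
    if "$@"; then
        echo "ok:   $desc"
    else
        echo "FAIL: $desc"
        failures=$((failures + 1))
    fi
}

# Grade the three capture files; exit status = number of failed checks.
audit() { # lsmod_file iptables_save_file getsebool_file
    failures=0
    check "FTP conntrack helper loaded (IPTABLES_MODULES in /etc/sysconfig/iptables-config)" ftp_helper_loaded "$1"
    check "21/tcp accepted" ftp_port_accepted "$2"
    check "ESTABLISHED,RELATED accepted" established_related_accepted "$2"
    check "SELinux boolean ftp_home_dir on" sebool_on ftp_home_dir "$3"
    return "$failures"
}

# --live: capture from the running system (needs root) and grade it.
audit_live() {
    tmp=$(mktemp -d) || return 1
    lsmod > "$tmp/lsmod"
    iptables-save > "$tmp/iptables-save"
    getsebool -a > "$tmp/getsebool" 2>/dev/null || : > "$tmp/getsebool"
    audit "$tmp/lsmod" "$tmp/iptables-save" "$tmp/getsebool"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

The ESTABLISHED,RELATED check only proves the rule exists somewhere in the filter table; whether it sits above the REJECT line still has to be read off `iptables -nvL --line-numbers`, as Mike says. The SELinux check grades ftp_home_dir only, the boolean the post names; run `getsebool -a | grep ftp` for the rest.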

