local ftp login OK - remote ftp login failure
Hello all!
Well I have delved back into my proftpd config in the hopes of resolving my issues and having a working server. :) I am working with a CentOS 5.6 server on i386. Here's some information on the version of proftpd that I'm working with.
Code:

If I execute an ftp session on localhost from the ftp server itself, I can log in and the ftp client does not complain when I try to list a directory. Passive mode is working! :)
Code:
[root@VIRTCENT29:~] #/usr/bin/ftp localhost
Code:
Name (example.net:root): bluethundr
Just to be sure it's not a firewall issue I have verified that port 21 is open with nmap:
Code:
[root@VIRTCENT29:~] #nmap -p 21 example.net
The other issue I would like to address is that if I mount an NFS directory, login fails on localhost too:
Code:
[root@VIRTCENT29:~] #mount nas2:/mnt/home /home
Code:
[root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log
Code:
[root@VIRTCENT29:~] #umount /home
Code:
[root@VIRTCENT29:~] #tail -f /var/log/proftpd/pftpd-extended.log
I'm including my config below. I was hoping someone could provide a clue as to why this is happening! Thank you very much in advance and best regards! tim
Quote:
OP, since you can log in locally, it would seem that it may be a firewall/network issue...maybe. :) To let FTP go via iptables:
Code:
vi /etc/sysconfig/iptables
And I'll go ahead and say it: FTP is insecure...is there a reason you're going for it, rather than SFTP? :)
Here are a couple more things that you might do/check:
1. Open /etc/sysconfig/iptables-config and see if the ftp connection tracking modules have been loaded. The line you are looking for is:
Code:
IPTABLES_MODULES=""
You might change this line to read:
Code:
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
There are more ftp connection tracking modules. To view them, you might run:
Code:
modprobe -l | grep ftp

2. Make sure you have a firewall rule that allows packets from ESTABLISHED and RELATED connections. You can view the firewall rules for your filter table by running:
Code:
iptables -nvL --line-numbers
If you don't have a rule allowing ESTABLISHED and RELATED packets, you can add it with:
Code:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Don't forget to save your iptables rules:
Code:
service iptables save
If you modified /etc/sysconfig/iptables-config, apply that change with:
Code:
service iptables restart

3. If it isn't a firewall issue, it could be an SELinux issue. A quick way to test this is to put SELinux into permissive mode. To check your current SELinux mode, run:
Code:
getenforce
If your mode is Enforcing, you can change to permissive with:
Code:
setenforce 0
You can run getenforce again to verify this change, and if you were Enforcing to begin with, you'll eventually want to enable SELinux again with:
Code:
setenforce 1
With SELinux in permissive mode, you might attempt to log in through ftp again. If it works this time, then it is an SELinux issue. There is an SELinux boolean that prevents users from accessing their home directories. The man page ftpd_selinux has more information about this. You can view SELinux booleans that relate to ftp with:
Code:
getsebool -a | grep ftp
The boolean that might be giving you problems is ftp_home_dir. If it's set to off, you might enable this boolean with:
Code:
setsebool -P ftp_home_dir on
Make sure SELinux is enforcing again (setenforce 1) and try again. SELinux can be frustrating because it can override your configuration file. Your configuration file might indicate that it is allowing some piece of functionality, but SELinux might ultimately prevent it.

Mike
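As an added example (my own code, not from this thread or any of its posters), the three checks in the post above turned into POSIX sh functions. Each function reads a file, so it can be run offline against captured output; the function names are my own, while the paths, module names, rule and boolean are the ones the post gives.

```shell
#!/bin/sh
# Added example, not from this thread: Mike's three checks as shell functions.
# Each check reads a file so it can be run offline against captured output
# (or on the live box via ftp_login_checks_live). Paths and names come from
# the thread; the helper function names are my own.

# 1. Does /etc/sysconfig/iptables-config load the FTP conntrack helpers?
#    $1 = path to the iptables-config file
ftp_helpers_configured() {
    mods=$(sed -n 's/^IPTABLES_MODULES="\([^"]*\)".*/\1/p' "$1" | tail -n 1)
    for m in nf_conntrack_ftp nf_nat_ftp; do
        case " $mods " in
            *" $m "*) ;;      # helper listed
            *) return 1 ;;    # missing: passive data connections get dropped
        esac
    done
    return 0
}

# 2. Is there an INPUT rule accepting ESTABLISHED/RELATED packets?
#    $1 = path to saved output of `iptables-save` (or `iptables -S INPUT`)
established_rule_present() {
    grep -Eq -- '^-A INPUT .*--(state|ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' "$1"
}

# 3. Is the SELinux boolean ftp_home_dir on?  $1 = saved output of `getsebool -a`
ftp_home_dir_on() {
    grep -Eq '^ftp_home_dir[[:space:]]+-->[[:space:]]+on$' "$1"
}

# Live report (needs root): capture the real state, run the checks, and print
# the fix from the thread next to each failure.
ftp_login_checks_live() {
    tmp=$(mktemp -d) || return 1
    iptables-save > "$tmp/rules" 2>/dev/null
    getsebool -a > "$tmp/bools" 2>/dev/null
    if ftp_helpers_configured /etc/sysconfig/iptables-config; then echo "OK   FTP conntrack helpers loaded"
    else echo 'FAIL set IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp" then: service iptables restart'; fi
    if established_rule_present "$tmp/rules"; then echo "OK   ESTABLISHED,RELATED rule present"
    else echo "FAIL iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT; service iptables save"; fi
    if ftp_home_dir_on "$tmp/bools"; then echo "OK   ftp_home_dir is on"
    else echo "FAIL setsebool -P ftp_home_dir on (confirm first with setenforce 0 / getenforce)"; fi
    rm -rf "$tmp"
}
```

Source the file and call ftp_login_checks_live as root on the server; any FAIL line names the exact command from the post to apply.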