Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Protftpd - problem with MLSD
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
najkon
n00b
n00b


Joined: 14 Aug 2016
Posts: 13

PostPosted: Mon Jul 10, 2017 7:24 pm    Post subject: Protftpd - problem with MLSD Reply with quote

Hi,

It seems so easy to install ftp server by choosing Proftpd with basic configuration.
Unfortunately, all the calls are trying to get around MLSD and after PASV and all connection ends with a timeout error

Can someone help him bite to get it started as it should? :(


my config

Code:

### /etc/proftpd/proftpd.conf

ServerName              "ProFTPD  Server"
ServerType              standalone
DefaultServer           on
MultilineRFC2228        on
RequireValidShell       off
AuthPAM                 off
AuthPAMConfig           ftp
UseIPv6                 on
UseReverseDNS           off

PassivePorts            57000 58000

# Listen on the standard FTP port 21.
Port 21

# New directories and files should not be group or world writable.
Umask 022

# To prevent DoS attacks set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once simply increase this value.
MaxInstances 30

# The server will run under ftp/ftp.
User ftp
Group ftp

# Every FTP sessions is "jailed" into the user's home directory.
DefaultRoot ~ !ftp-special

# Generally files are overwritable.
AllowOverwrite on

# Disallow the use of the SITE CHMOD command.
<Limit SITE_CHMOD>
  DenyAll
</Limit>

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

<IfModule mod_facts.c>
FactsAdvertise off
</IfModule>



version: ProFTPD Version 1.3.5e

loaded modules ProFTPD
Code:

/usr/sbin/proftpd -l
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_rlimit.c
  mod_auth_unix.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_facts.c
  mod_dso.c
  mod_auth_pam.c
  mod_facl.c
  mod_case.c
  mod_sql.c
  mod_sql_passwd.c
  mod_sql_mysql.c
  mod_sftp.c
  mod_sftp_pam.c
  mod_sftp_sql.c
  mod_tls.c
  mod_tls_shmcache.c
  mod_wrap2.c
  mod_wrap2_file.c
  mod_wrap2_sql.c
  mod_cap.c
  mod_lang.c


emerge proftpd -pv
Code:

[ebuild   R    ] net-ftp/proftpd-1.3.5e::gentoo  USE="acl caps case dso ipv6 mysql ncurses nls pam pcre sftp ssl tcpd -authfile -ban -clamav -copy -ctrls -deflate -diskuse -doc -dynmasq -exec -ident -ifsession -ifversion -kerberos -ldap (-libressl) -log_forensic -memcache -msg -postgres -qos -radius -ratio -readme -rewrite (-selinux) -shaper -sitemisc -snmp -softquota -sqlite {-test} -trace -unique_id -vroot -xinetd" LINGUAS="-bg_BG -en_US -fr_FR -it_IT -ja_JP -ko_KR -ru_RU -zh_CN -zh_TW" 0 KiB


iptables
Code:

-A INPUT -p tcp -m multiport --dports 57000:58000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

The same thing happens even if I remove all iptables rules

[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
Back to top
View user's profile Send private message
Quincy
Apprentice
Apprentice


Joined: 02 Jun 2005
Posts: 201
Location: Germany

PostPosted: Wed Jul 12, 2017 9:19 pm    Post subject: Reply with quote

Sounds to me as if there is a problem with a firewall, but you said it's the same with all iptables rules removed?
What are the default policies, are there other rules in effect (give us a "iptables -L")?
What is the network relationship between client and server (e.g. both in LAN or server on internet, client behind router etc.)?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13842

PostPosted: Thu Jul 13, 2017 12:48 am    Post subject: Reply with quote

If you need to show iptables rules for public review, always use iptables-save, never iptables -L.
Back to top
View user's profile Send private message
najkon
n00b
n00b


Joined: 14 Aug 2016
Posts: 13

PostPosted: Thu Jul 13, 2017 9:29 am    Post subject: Reply with quote

Quincy wrote:
Sounds to me as if there is a problem with a firewall, but you said it's the same with all iptables rules removed?
What are the default policies, are there other rules in effect (give us a "iptables -L")?
What is the network relationship between client and server (e.g. both in LAN or server on internet, client behind router etc.)?


Default policies are ACCEPT for all CHAINS when i remove all rules of iptables.
but if I have attached the all rule, default policies are DENY for INPUT, and FORWARD - ACCEPT for OUTPUT

relationship between client and server is a server on internet.

There is a log from trying connect to the FTP server
Code:

----------
Connect to: (13.07.2017 11:21:51)
hostname=domain.com
username=najkon
startdir=
domain.com=xx.xx.xx.xxx
220 ProFTPD 1.3.5e Server (ProFTPD  Server) [::ffff:xx.xx.xx.xxx]
USER najkon
331 Password required for najkon
PASS ***********
230 User najkon logged in
SYST
215 UNIX Type: L8
FEAT
211-Features:
 MDTM
 SIZE
 LANG pl-PL.utf8*
 REST STREAM
 UTF8
 EPRT
 EPSV
211 End
HELP SITE
214-HELP
214-CHGRP
214 CHMOD
OPTS UTF8 ON
200 UTF8 set to on
Connect ok!
PWD
257 "/home/najkon" is the current directory
Download catalog
TYPE A
200 Type set to A
PORT 192,168,1,100,225,72
200 PORT command successful
MLSD - PORT failed,
try PASV mode!
PASV - PORT failed
QUIT
Back to top
View user's profile Send private message
Quincy
Apprentice
Apprentice


Joined: 02 Jun 2005
Posts: 201
Location: Germany

PostPosted: Sun Jul 16, 2017 9:48 am    Post subject: Reply with quote

Currently I'm curios that your session log reports:

Code:
PORT 192,168,1,100,225,72
200 PORT command successful


This is a LAN IP (192.168.1.100) and not an official IP for an internet connection.

Which client software are you using?
Can you connect and change dirs/download something on e.g. ftp://ftp5.gwdg.de/pub/ (a public German FTP)?

@Hu: Why "iptables-save" instead of "iptables -L"?
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1746

PostPosted: Sun Jul 16, 2017 1:09 pm    Post subject: Reply with quote

iptables-save provides some informations that are omitted by iptables -L
iptables -L is still useful in some other scenarios though, like iptables -nvL
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13842

PostPosted: Sun Jul 16, 2017 3:39 pm    Post subject: Reply with quote

szatox is correct that iptables-save shows information not shown by iptables -L, which is one reason it is preferable. However, I disagree that iptables -L is ever more useful for forum posts. If hit counters are needed, use iptables-save -c. When posting to the forum, we have no ability to inspect your rules other than what is shown. For us to model how a packet will traverse the rules, we need to know all the relevant rules. Showing all rules, as done by iptables-save, serves that purpose most readily. Other advantages:
  • iptables-save defaults to showing all tables. iptables shows only one table, and by default shows table filter.
  • iptables-save defaults to numeric-only resolution; iptables without -n tries to pretty-print some data, which can make it harder for us to understand, particularly when hostnames are substituted.
  • As a machine-readable format, iptables-save must print everything necessary for a later iptables-restore to reconstruct the rules. By default, iptables omits some information to conserve screen space. Sometimes this information is relevant to the problem at hand.
Back to top
View user's profile Send private message
najkon
n00b
n00b


Joined: 14 Aug 2016
Posts: 13

PostPosted: Sun Jul 16, 2017 5:33 pm    Post subject: Reply with quote

Quincy wrote:
Currently I'm curios that your session log reports:

Code:
PORT 192,168,1,100,225,72
200 PORT command successful


This is a LAN IP (192.168.1.100) and not an official IP for an internet connection.

Which client software are you using?
Can you connect and change dirs/download something on e.g. ftp://ftp5.gwdg.de/pub/ (a public German FTP)?


Yep, IP 192.168.1.100 - it's my Lan IP of computer what i trying connect to the FTP server.
I dont know why it's showed there.. :)

I used a Total Commander 64 bit client but the same problem is if i use ftp client console on Linux
Code:

ftp> open domain.com
Connected to domain.com.
220 ProFTPD 1.3.5e Server (ProFTPD  Server) [::ffff:xx.xxx.xxx.xx]
Name (domain.com:najkon):
331 Password required for najkon
Password:
230 User najkon logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
425 Unable to build data connection: Exceeded time waiting on connection
ftp> dir
450 LIST: Exceeded time waiting on connection



about trying connect and download/change dir on that public FTP on Germany - with no problem, always work
Code:

----------
Connect to: (16.07.2017 19:25:53)
hostname=ftp5.gwdg.de
username=anonymous
startdir=
ftp5.gwdg.de=134.76.12.6
220-Welcome to ftp.gwdg.de
220-
220-Dear user of ftp.gwdg.de, we will have a scheduled downtime for FTP
220-at July, 22nd from 7am approx. till 4pm
220-
220
USER anonymous
331 Please specify the password.
PASS ***********
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
 EPRT
 EPSV
 MDTM
 PASV
 REST STREAM
 SIZE
 TVFS
 UTF8
211 End
HELP SITE
214-The following commands are recognized.
 ABOR ACCT ALLO APPE CDUP CWD  DELE EPRT EPSV FEAT HELP LIST MDTM MKD
 MODE NLST NOOP OPTS PASS PASV PORT PWD  QUIT REIN REST RETR RMD  RNFR
 RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
 XPWD XRMD
214 Help OK.
OPTS UTF8 ON
200 Always in UTF8 mode.
Connect ok!
CWD /pub/
250 Directory successfully changed.
PWD
257 "/pub"
Download directory
TYPE A
200 Switching to ASCII mode.
PORT 192,168,1,100,229,210
500 Illegal PORT command.
PASV
227 Entering Passive Mode (134,76,12,6,120,161).
LIST
150 Here comes the directory listing.
Downloading
Waiting on server...
226 Directory send OK.
Back to top
View user's profile Send private message
Quincy
Apprentice
Apprentice


Joined: 02 Jun 2005
Posts: 201
Location: Germany

PostPosted: Mon Jul 17, 2017 6:00 am    Post subject: Reply with quote

Thanks for the iptables clarification!

Back on real topic:
Connection to gwdg.de just succeeds because it denies the PORT command and then the client continues with trying PASV:

Code:
PORT 192,168,1,100,229,210
500 Illegal PORT command.
PASV
227 Entering Passive Mode (134,76,12,6,120,161).


This is exactly what I wanted to see. So the problem is that the client issues a port command with a private IP that the server doesn't deny (deeper explanation see e.g. http://www.raidenftpd.com/kb/kb000000010.html - first good hit when searching).

So either you can force your client not to use the wrong PORT command (see https://www.ghisler.com/efaqftp.htm#NoDownload) or you tell the server not to accept the PORT command at all:

Code:

  <Limit EPRT PORT>
    DenyAll
  </Limit>
Back to top
View user's profile Send private message
najkon
n00b
n00b


Joined: 14 Aug 2016
Posts: 13

PostPosted: Mon Jul 17, 2017 9:39 am    Post subject: Reply with quote

And that was my problem! I choise setup server too not to accept the PORT command at all because never know (as RaidenFTPD TEAM In every line write) what will bring in the future ;)
I admit that I did not know about these "problems" of the PORT command

Thanks very much @Quincy Beer for you ! :)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum