I got everything working except any localhost connections from within the server. I’ve tried to connect using localhost, 127.0.0.1, and dedicated IP from within the server and several CMS sites I have moved over to the server and all the local host connections fail. Know what might be causing this? I asked this on their forums yesterday and haven’t gotten any solutions. Attached is my .conf file for proftpd. Thanks in advance.
#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
</Global>
PassivePorts 49152 65534
DefaultTransferMode binary
UseFtpUsers on
TimesGMT off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.
#Include directive should point to place where FTP Virtual Hosts configurations
#preserved
ScoreboardFile /var/run/proftpd/scoreboard
# Primary log file mest be outside of system logrotate province
TransferLog /usr/local/psa/var/log/xferlog
#Change default group for new files and directories in vhosts dir to psacln
<Directory /srv/www/vhosts>
GroupOwner psacln
</Directory>
# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd
IdentLookups off
UseReverseDNS off
AuthGroupFile /etc/group
Include /etc/proftpd.include
When I telnet I get “connection timed out”. I do not see an entry in either hosts.allow or hosts.deny. So I am assuming there needs to be an entry in hosts.allow to allow local host connections, but I am a bit confused on what syntax needs to be added in the hosts.allow…
Recommending another configuration option…
ProFTP is one of the FTP daemons supported by YAST.
Once ProFTP is installed, you’ll find an “FTP Server” icon in the YAST “Network Services” section. YAST should support any “typical” configuration.
According to docs I read, it’s also possible to edit the config file directly (and in non-typical setups necessary), and those edits shouldn’t be over-written automatically by YAST like many other configs.
Worked for me, I set up ProFTP in seconds a couple months ago.
When I look in yast I don’t see it at all. I just show the reference in the xinetd services where the config file is located. One reason might be that my web host has a set of images from Parallel Plesk that I can choose from and it runs a default install for an image they have set up; they won’t let me load openSUSE on my own, which would allow me better configuration. I did find out that if I were to uninstall proftpd and install another ftp server it breaks my server somehow, and I just ended up re-imaging it and reconfiguring everything back again. So with all that I am back to square one on this: I can use ftp everywhere except localhost, which is needed for my e-com and CMS sites. Any ideas?
Where are the INPUT chain rules? FORWARD and OUTPUT are of no interest. It’s not a gateway so FORWARD rules are not relevant, and generally OUTPUT is set to allow all legit connections. It’s the INPUT rules that matter.
Sorry, thought I had posted everything the first time. Here is the rest of the iptables. I have to do it in 2 parts as I keep getting an error that I am posting too many images.
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5423 2880K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
0 0 DROP all -- any any anywhere anywhere state INVALID
27 1620 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:49152:65534
14 672 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:12443
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11443
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11444
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8447
49 2352 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pcsync-https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:cddbp-alt
58 3192 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
3 144 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
Thought it had posted the whole iptable in the first part. Sorry about that.
u15434060:~ # iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5423 2880K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
0 0 DROP all -- any any anywhere anywhere state INVALID
27 1620 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:49152:65534
14 672 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:12443
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11443
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11444
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8447
49 2352 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pcsync-https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:cddbp-alt
58 3192 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
3 144 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:submission
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtps
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3s
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imap
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imaps
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:poppassd
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:mysql
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:postgresql
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9008
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:glrpc
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:netbios-ns
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:netbios-dgm
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
12 528 ACCEPT icmp -- any any anywhere anywhere icmp type 8 code 0
350 114K DROP all -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- lo lo anywhere anywhere
246 18356 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5662 2015K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
139 5680 REJECT tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
0 0 DROP all -- any any anywhere anywhere state INVALID
27 1620 ACCEPT all -- any lo anywhere anywhere
218 13168 ACCEPT all -- any any anywhere anywhere
u15434060:~ #
I need you to paste the INPUT section of a run of iptables -L -v to show which interfaces that ftp rule is restricted to. Although one would have thought that the rule for lo above would have allowed everything. You may have to do some iptables debugging. And/or break out wireshark. BTW you have a useless ftp rule at the bottom, it’s just a repeat of the first ftp rule.
Did you do these rules yourself or are you using SuSEfirewall2? Because SuSEfirewall2 would have taken care of the input rules if you install proftpd from an openSUSE package.
Another thing, show us your ifconfig output. What is the IP address bound to lo?
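An added example, not part of any post in this thread: a small audit of `iptables -L -v` output that flags rules repeating an earlier rule in the same chain and rules placed after an unconditional ACCEPT/DROP/REJECT, where they can never match. It assumes the name-resolved column layout posted above (no `-n`); the sample is a trimmed excerpt of the posted INPUT chain, and `audit` is a name chosen here.

```python
import sys

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# A rule with no protocol, interface, address or match restriction.
MATCH_ALL = ("all", "any", "any", "anywhere", "anywhere", "")

# Trimmed excerpt of the INPUT chain posted in the thread.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 5423 2880K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
   27  1620 ACCEPT all -- lo any anywhere anywhere
   14   672 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
   58  3192 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
  350  114K DROP all -- any any anywhere anywhere
    0     0 ACCEPT all -- lo any anywhere anywhere
"""

def audit(listing):
    """Return (chain, rule_no, kind, earlier_rule_no) for each finding."""
    findings, chain, seen, catch_all, num = [], None, {}, None, 0
    for line in listing.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":              # new chain: reset per-chain state
            chain, seen, catch_all, num = f[1], {}, None, 0
            continue
        if f[0] == "pkts" or len(f) < 9:  # column header or prompt line
            continue
        num += 1
        # Ignore the counters and the opt column; keep what the rule matches.
        key = (f[2], f[3], f[5], f[6], f[7], f[8], " ".join(f[9:]))
        if key in seen:
            findings.append((chain, num, "duplicate", seen[key]))
        else:
            seen[key] = num
        if catch_all is not None:
            findings.append((chain, num, "unreachable", catch_all))
        elif key[0] in TERMINAL and key[1:] == MATCH_ALL:
            catch_all = num
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for chain, num, kind, ref in audit(text):
        print(f"{chain} rule {num}: {kind} (see rule {ref})")
```

Zero packet counters on a flagged rule are consistent with it never being reached, but a rule that has simply seen no traffic also shows zeros, so the position check is the reliable signal.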
ifconfig below. Isn’t the INPUT the first part of what I posted before? Or should I be adding something else to get just the FTP part of the INPUT? Sorry for the noob questions, it’s been quite some time since I did anything with Linux, been a Windows engineer for some time. So please forgive some of my questions.
No, the config that you see is the default from the web host openSUSE image that was installed on the server when it was delivered and installed. They won’t let me install a system from scratch.