Ubuntu 10.10 server 32-bit
I installed the subject from the repos; here is the config:
I created the directories /home/ftp, /home/ftp/public and /home/ftp/upload and gave them these permissions:
$ ls -l /home
drwxr-xr-x 4 ftp ftp 4096 2010-11-11 11:47 ftp
$ ls -l /home/ftp
drwxr-xr-x 2 ftp ftp 4096 2010-11-10 11:53 public
drwxrwxrwx 2 ftp ftp 4096 2010-11-10 11:54 upload
-rw-r--r-- 1 ftp ftp 170 2010-06-15 14:24 welcome.msg
User ftp is a member of group ftp
$ cat /etc/passwd
ftp:x:105:65534::/home/ftp:/bin/sh
$ cat /etc/group
ftp:x:1003:ftp
User ftp has been given a password longer than 6 characters.
User ftp is not in the /etc/ftpusers file.
I start the server:
$ sudo /etc/init.d/proftpd start
* Starting ftp server proftpd [ OK ]
When I try to connect to the server I get the following:
Статус: Соединяюсь с 1.2.3.4:21...
Статус: Соединение установлено, ожидание приглашения...
Ответ: 220 Сервер FTP
Команда: USER ftp_user
Ответ: 331 Необходим пароль для пользователя ftp_user
Команда: PASS ********
Ответ: 530 Некорректные данные аутентификации.
Ошибка: Критическая ошибка
Ошибка: Невозможно подключиться к серверу
It makes no difference whether I log in as ftp or as ftp_user; the result is the same.
I've racked my brain over this. I've been to Google. I've read the man pages. But apparently from information overload I can't solve the problem.
I need a specialist's advice.
P.S. Here is the log
$ cat /var/log/ftp.log
5.6.7.8 UNKNOWN ftp [11/нояб./2010:17:56:41 +0300] "USER ftp_user" 331 -
5.6.7.8 UNKNOWN ftp [11/нояб./2010:17:56:44 +0300] "PASS (hidden)" 530 -
$ cat /var/log/syslog.log
нояб. 11 17:56:28 server proftpd[4102] server: ProFTPD 1.3.2e (maint) (built Tue Jun 15 10:22:54 UTC 2010) standalone mode STARTUP
нояб. 11 17:56:41 server proftpd[4104] server (5.6.7.8[5.6.7.8]): FTP session opened.
нояб. 11 17:56:44 server proftpd[4104] server (5.6.7.8[5.6.7.8]): USER ftp_user (Login failed): Incorrect password.
нояб. 11 17:56:44 server proftpd[4104] server (5.6.7.8[5.6.7.8]): FTP session closed.
нояб. 11 17:56:51 server proftpd[4102] server: ProFTPD killed (signal 15)
нояб. 11 17:56:51 server proftpd[4102] server: ProFTPD 1.3.2e standalone mode SHUTDOWN
$ cat /var/log/auth.log
Nov 11 17:56:41 server proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd4104 ruser=ftp rhost=5.6.7.8 user=ftp
Upd: While writing this, I noticed that the IP I'm connecting to on the FTP server is not at all the one that shows up in the logs. Here's the thing. We have two external IPs, on two different machines. The machines are joined by a LAN. It turns out that when I dial the external IP 1.2.3.4 (the one I need) from the LAN, then (judging by the logs) I arrive from the other machine, whose external IP is 5.6.7.8! How that is possible, I can't understand…
On the target machine the ports are opened like this:
# Open FTP
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 20 -m state --state ESTABLISHED -j ACCEPT
Upd2: I've gone completely dense by evening. Everything is correct: I go out to the internet through the second machine, so its IP 5.6.7.8 shows up in the logs as the source. That part is right.
And yet the question remains open: what am I doing wrong?
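The /var/log/ftp.log lines in the post use ProFTPD's "default" LogFormat (%h %l %u %t "%r" %s %b). The following Python is an added example, not code from the post or from ProFTPD: it parses that layout, collects PASS commands answered with 530 per remote host, and flags hosts that reach a failure threshold inside a time window, which is the kind of check to run while debugging a login problem or when picking a mod_ban threshold. The sample lines are constructed and use English month abbreviations; the post's log prints the month in the Russian locale, which strptime's %b would not accept without switching the locale.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in ProFTPD's "default" LogFormat (%h %l %u %t "%r" %s %b),
# the same layout as the /var/log/ftp.log lines in the post. English month
# abbreviations are assumed; the post's log prints the month in a Russian locale.
SAMPLE_LOG = """\
5.6.7.8 UNKNOWN ftp [11/Nov/2010:17:56:41 +0300] "USER ftp_user" 331 -
5.6.7.8 UNKNOWN ftp [11/Nov/2010:17:56:44 +0300] "PASS (hidden)" 530 -
5.6.7.8 UNKNOWN ftp [11/Nov/2010:17:58:02 +0300] "USER ftp_user" 331 -
5.6.7.8 UNKNOWN ftp [11/Nov/2010:17:58:05 +0300] "PASS (hidden)" 530 -
192.0.2.10 UNKNOWN alice [11/Nov/2010:18:01:10 +0300] "USER alice" 331 -
192.0.2.10 UNKNOWN alice [11/Nov/2010:18:01:12 +0300] "PASS (hidden)" 230 -
192.0.2.10 UNKNOWN alice [11/Nov/2010:18:01:20 +0300] "RETR welcome.msg" 226 170
this line is not in the expected format and is skipped
"""

# One group per LogFormat field: %h host, %l remote logname, %u user, %t time,
# %r the client command, %s the reply code, %b bytes transferred.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None when the line does not match the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["when"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["command"] = rec["request"].split(" ", 1)[0].upper()
    return rec


def failed_logins(log_text):
    """Timestamps of PASS commands answered with 530, grouped by remote host."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["command"] == "PASS" and rec["status"] == 530:
            fails[rec["host"]].append(rec["when"])
    return dict(fails)


def hosts_over_threshold(log_text, min_failures, window_seconds):
    """Hosts with at least min_failures 530 replies inside any window of window_seconds.

    Same idea as a login-failure threshold in mod_ban, but evaluated offline over
    the log so the threshold can be chosen from real traffic before enabling it.
    """
    window = timedelta(seconds=window_seconds)
    flagged = []
    for host, times in sorted(failed_logins(log_text).items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            # Sliding window: drop the oldest failures that fall outside the window.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_failures:
                flagged.append(host)
                break
    return flagged


if __name__ == "__main__":
    for host, times in failed_logins(SAMPLE_LOG).items():
        print(host, "failed logins at:", [t.strftime("%H:%M:%S") for t in times])
    print("over threshold (2 in 10 min):", hosts_over_threshold(SAMPLE_LOG, 2, 600))
```

Lines that do not match the format are skipped rather than aborting the run, so a partially rotated or locale-mixed log still produces a report; only the PASS/530 pairs count as failures, since the 331 after USER is normal.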
Managing FTP servers – Proftpd and Pure-ftpd – is a task we perform as part of our role as Outsourced Tech Support engineers for web hosting companies.
“530 Login incorrect” is a common error seen on Proftpd servers when users try to establish an FTP connection. A 530 login error means that the Proftpd server was unable to authenticate the user with the login details provided.
The error message usually shows when FTP users try to establish a session with the server by submitting their username and password in FTP clients such as FileZilla:
Name (server:root): username
331 Password required for username
Password:
530 Login incorrect.
Login failed.
Here, we’ll look at the main reasons why the Proftpd ‘530 login incorrect’ error happens and how we resolve it.
What causes “530 Login incorrect” error in Proftpd
While debugging 530 login incorrect errors, we’ve seen that the error mainly happens due to these reasons:
1. Incorrect login details used
Login details used by users for FTP access include their username and password. Any of these entered wrong can give a 530 login error in FTP. If the user account is non-existing or expired, Proftpd will not allow login.
In cPanel, there is a default user account and additional FTP accounts associated with each domain. For default user account, the ‘username’ is the FTP login name.
But for additional FTP accounts, the FTP login name is of the format ‘username@domain.com’. If the FTP username entered is not in this specific format, login failures happen.
“530 Login incorrect” also happens when a wrong or misspelled password is used. Even a single extra space in the password can cause a login failure.
2. User account settings
If the user account belongs to the list of accounts that are banned from accessing FTP (listed in ‘/etc/ftpusers’), then Proftpd would return a ‘530 login incorrect’ message.
The ‘login shell’ that is assigned for the FTP user should be a valid one and present in the server, otherwise the user would be unable to establish an FTP session.
Other account-specific issues we’ve encountered are a missing home directory, improper permissions or ownership on that directory, the FTP user’s group not being listed in the config file, and so on.
3. Server configuration issues
Server-wide settings can also lead to login failures for Proftpd users, including filters or restrictions set in the Proftpd configuration file.
Server security settings, such as SELinux or the PAM authentication module configuration, can prevent FTP sessions from being established and produce “530 Login incorrect” failures.
How to fix “530 Login incorrect” error in Proftpd
To debug the reason for the ‘530 login incorrect’ error, we launch proftpd in debug mode and try connecting to FTP in that mode.
From the FTP log files and the FTP session details, our expert engineers pinpoint the issue and fix it promptly. Some of the fixes we perform include:
- Confirming that the user account exists and the password is valid. If the password is wrong, we reset it to fix the error.
- Ensuring that the user account is not listed in ‘/etc/ftpusers’ file, which contains users that are not allowed FTP login.
- Verifying the login shell, group privileges and other account specific settings for the FTP user.
- Fixing the user home directory permission and ownership for FTP.
- Ensuring that the FTP user or group is not blocked from accessing FTP, in the configuration file.
- Debugging and resolving the configuration errors, if any, in the Proftpd config file.
- Checking and correcting the SELinux and PAM module settings that could be tampering with FTP sessions.
- Inspecting the firewall and port blocks and removing the ones that hinder FTP connections.
- Reinstalling Proftpd server in case there are too many configuration errors or corruptions.
- Guiding FTP users with the information needed to successfully set up FTP in their FTP clients.
Our experience resolving the different issues helps us to restore customers’ FTP service in no time. Asking the right questions upfront, and giving the solution in a few minutes reduces customer hold time and enhances customer delight.
In addition:
To FTP to user accounts, the FTP hostname given is the domain name, which should resolve properly for the session to be established. If this domain name is not resolving correctly, it would give 530 errors.
In addition to username/password validation and server setting checks, we confirm that there are no DNS errors for the domain, as part of our FTP error trouble-shooting process.
We also update and patch the FTP servers with the latest secure version to avoid exploits or hacks. Since FTP is not a secure protocol, we encrypt Proftpd with TLS to ensure data security.
Our Dedicated Support Specialists routinely help server owners ensure seamless web services for their customers. If you’d like to know how you can better support your users, we’d be happy to talk to you.
There are some weeks when I don’t use the FTP server, and now I have tried to connect but it’s returning this error. I did some "yum update" runs, but I don’t know what else has changed since then.
When I use the "proftpd -nd10" command, it returns:
...
2018-12-07 03:22:37,259 server.example.com proftpd[5938] 127.0.0.1: Failed binding to ::, port 21: Address already in use
2018-12-07 03:22:37,259 server.example.com proftpd[5938] 127.0.0.1: Check the ServerType directive to ensure you are configured correctly
2018-12-07 03:22:37,259 server.example.com proftpd[5938] 127.0.0.1: Check to see if inetd/xinetd, or another proftpd instance, is already using ::, port 21
2018-12-07 03:22:37,259 server.example.com proftpd[5938] 127.0.0.1: Unable to start proftpd; check logs for more details
When I use the "netstat -putan | grep :21" command, it returns:
tcp6 0 0 :::21 :::* LISTEN 5937/proftpd: (acce
If I stop the proftpd service, port 21 becomes available. If I start it again, the port becomes used again.
Here is my config:
ServerType standalone
ServerName "server.example.com"
ServerIdent on "FTP Server ready."
ServerAdmin hostmaster@example.com
DefaultServer on
# VRootEngine on
DefaultRoot ~ !adm
# VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
Port 21
PassivePorts 30000 35000
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS off
User nobody
Group nobody
MaxInstances 20
UseSendfile off
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
ExtendedLog /var/log/proftpd/auth.log AUTH auth
#<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd/server.example.com.crt
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd/server.example.com.key
TLSCertificateChainFile /etc/pki/tls/certs/proftpd/server.example.com-intermediate.crt
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest NoSessionReuseRequired
TLSProtocol SSLv23
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
#</IfDefine>
<IfDefine DYNAMIC_BAN_LISTS>
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
BanControlsACLs all allow user ftpadm
</IfDefine>
<Global>
Umask 022
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
To be sure, I’ve changed my user’s password, but nothing has changed.
Solved: Help with Proftpd (anonymous) (persistent "530 login incorrect" error)
Moderator: SLEDopit
Renai (Posts: 100, OS: Arch/Debian)
Solved: Help with Proftpd (anonymous)
I decided to set up an FTP server on my home box. I used pure-ftpd at first, and now I've decided to switch to ProFTPd,
and that's where the problem came up. I configured the daemon following the docs on opennet.ru / unixdoc.ru
and everything seems to work. But it refuses point-blank to let anonymous in (i.e. without a login and password, as in Pure-ftp). On logging in as anonymous I get the error 530 login incorrect.
The logs say:
Code:
Сен 16 17:13:31 noir proftpd[6204] localhost (<IP>): ftp: Directory /home/ftp/ is not accessible.
Сен 16 17:13:31 noir proftpd[6204] localhost (<IP>): FTP session closed.
/home/ftp is owned by user ftp, permissions 755; I tried 777 too, it didn't help.
The daemon's config:
Code:
ServerName "True Noir"
ServerAdmin user@host.com
ServerType standalone
DefaultServer on
ServerIdent on
#"dalone"
Port 21
Umask 022
MaxClients 10 "sorry, %m users - try again later"
MaxClientsPerHost 3 "sorry, limit connections per host"
MaxInstances 10
MaxLoginAttempts 10
User nobody
Group nogroup
DenyFilter \*.*/
SyslogLevel notice
UseReverseDNS off
IdentLookups off
SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/proftpd-tranfer.log
ExtendedLog /var/log/proftpd/proftpd-extended.log read,write
ExtendedLog /var/log/proftpd/proftpd-auth.log AUTH auth
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
TimeoutIdle 60
TimeoutLogin 60
TimeoutNoTransfer 60
TimeoutStalled 60
#DefaultTransferMode binary
#AllowForeignAddress off
DisplayConnect /etc/ftp_connect.msg
#DisplayLogin /etc/ftp_login.msg
AccessDenyMsg "incorrect login, all connections logged"
AccessGrantMsg "Now upload/download files"
DisplayGoAway "Go away"
RequireValidShell off
DefaultRoot / wheel
DefaultRoot /home/ftp users
<Directory />
AllowOverwrite on
</Directory>
<Anonymous /home/ftp/>
User ftp
Group ftp
RequireValidShell no
UserAlias anonymous ftp
WtmpLog off
<Directory /home/ftp/>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
Please help me with some advice. Google didn't come to the rescue..
-__-
mczim (Posts: 665, OS: Debian/Ubuntu)
Re: Solved: Help with Proftpd (anonymous)
Post by mczim:
This is what the permissions should be!
Code:
gateway:~# cd /home
gateway:/home# ls -l
итого 12
dr-xrwxr-- 5 ftp mczim 4096 2007-08-31 00:16 ftp
drwxr-xr-x 5 mczim mczim 4096 2007-08-30 01:11 mczim
drwxr-xr-x 3 upload upload 4096 2003-05-14 11:08 upload
gateway:/home#
gateway:/home# cd ftp
gateway:/home/ftp# ls -l
итого 16
drwxr--r-- 6 ftp mczim 8192 2007-08-28 23:58 foto
drwxrwxrwx 2 upload upload 4096 2007-08-31 00:15 test
drwxr--r-- 11 ftp mczim 4096 2007-09-05 02:36 video
I'm odd…
mczim (Posts: 665, OS: Debian/Ubuntu)
Re: Solved: Help with Proftpd (anonymous)
Post by mczim:
You need these permissions on the directories:
/home/ftp = 744
/home/ftp/foto = 744
/home/ftp/and so on = 744
The owner of the ftp directory must be either the owner or a member of the group; here is how I have it:
/home/ftp = ftp:mczim
/home/ftp/foto = ftp:mczim
/home/ftp/and so on = ftp:mczim
i.e. the directories belong to the group ftp and the user mczim.
I'm odd…
mczim (Posts: 665, OS: Debian/Ubuntu)
Re: Solved: Help with Proftpd (anonymous)
Post by mczim:
Everything works perfectly for me!
Code:
gateway:/etc/proftpd# cat proftpd.conf
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off
ServerName "Debian"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/
# Port 21 is the standard FTP port.
Port 21
#TransferRate RETR,STOR,APPE 4000 user ftp
AllowStoreRestart on
AllowRetrieveRestart on
#DefaultAddress 89.179.245.70
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd off
# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_tls.c>
TLSEngine off
</IfModule>
<IfModule mod_quota.c>
QuotaEngine on
</IfModule>
<IfModule mod_ratio.c>
Ratios on
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=deta...=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>
# A basic anonymous configuration, no upload directories.
DefaultRoot ~ !root
<Anonymous ~ftp>
User ftp
Group nogroup
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Cosmetic changes, all files belongs to ftp user
DirFakeUser on ftp
DirFakeGroup on ftp
RequireValidShell off
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
# Uncomment this if you're brave.
# <Directory incoming>
# # Umask 022 is a good standard umask to prevent new files and dirs
# # (second parm) from being group and world writable.
# Umask 022 022
# <Limit READ WRITE>
# DenyAll
# </Limit>
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>
</Anonymous>
I'm odd…
xilix (Posts: 16, OS: FreeBSD)
Re: Solved: Help with Proftpd (anonymous)
Post by xilix:
I installed proftpd from ports on FreeBSD and everything worked. But then, for convenience, I decided to hook it up to a MySQL database and use Proftpd Admin.
Everything works: users get added, logs can be viewed, but no matter what, it won't let anonymous users in.
Code:
<- 220 Servers identifying string
-> USER anonymous
<- 331 Anonymous login ok, send your complete email address as your
-> PASS *hidden*
<- 530 Login incorrect.
-> QUIT
<- 221 Goodbye.
As I understand it, that's because the logins are stored in the database. I dug around at http://www.proftpd.org/docs/ and fixed the config:
Code:
<Anonymous ~ftp>
AnonRequirePassword off
SQLEngine off
User ftp
Group ftp
### We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
### Limit the maximum number of anonymous logins
MaxClients 20
### We want 'welcome.msg' displayed at login, and '.message' displayed
### in each newly chdired directory.
DisplayLogin welcome.msg
# DisplayFirstChdir .message
### Limit WRITE everywhere in the anonymous chroot
<Limit READ>
AllowAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
I also tried creating a user anonymous with an empty password; that didn't help either. I had to create a simple login and password so that people could download files, but that's not really proper.
I need wise advice. Has anyone set up a configuration like this?
xilix (Posts: 16, OS: FreeBSD)
Re: Solved: Help with Proftpd (anonymous)
Post by xilix:
Seclorum wrote (04.11.2009 04:50):
If proftpd is built with acl support, you need to enable acl in fstab for the partition where the anonymous user's home directory is located.
For example:
Code:
Options for proftpd 1.3.2b │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │[X] BAN Include mod_ban (Requires CTRLS) │ │
│ │[X] CLAMAV Include mod_clamav │ │
│ │[X] CTRLS Include controls │ │
│ │[ ] DIGEST Include mod_digest │ │
│ │[X] IFSESSION Include mod_ifsession │ │
│ │[ ] IPV6 Use IPv6 │ │
│ │[ ] LDAP Use LDAP │ │
│ │[ ] LDAP_TLS Use LDAP TLS (Requires LDAP, OPENSSL) │ │
│ │[X] NLS Use nls (builds mod_lang) │ │
│ │[X] OPENSSL Include mod_tls │ │
│ │[ ] PGSQL Postgres auth (Can be combined with MYSQL) │ │
│ │[X] QUOTA Include mod_quota │ │
│ │[ ] QUOTATAB_RADIUS include mod_quotatab_radius │ │
│ │[ ] RADIUS Include mod_radius │ │
│ │[X] RATIO Include mod_ratio │ │
│ │[X] README Include mod_readme │ │
│ │[X] REWRITE Include mod_rewrite │ │
│ │[ ] TDS FreeTDS - Sybase & MS-SQL auth (Exclusive) │ │
│ │[X] WRAP Include mod_wrap2 │ │
│ │[X] WRAP_FILE Include mod_wrap2_file │ │
│ │[X] WRAP_SQL Include mod_wrap2_sql │ │
│ │[X] MYSQL MySQL auth (Can be combined with PGSQL) │ │
├─└────────────────────────────────────────────────────────────────┘─┤
│ [ OK ] Cancel │
There doesn't seem to be any ACL option, and I'm nervous about changing fstab on a colocated box.
xilix (Posts: 16, OS: FreeBSD)
Re: Solved: Help with Proftpd (anonymous)
Post by xilix:
KiWi wrote (04.11.2009 18:53):
Show the FULL proftpd config.
P.S.: acl relates more to the start of the thread and to proftpd from portage.
Code:
ServerName "XXXXXXXXXXXXXXXXXXXXX"
ServerType standalone
ServerIdent on "Servers identifying string"
DeferWelcome on
DefaultServer on
DisplayLogin .welcome # Textfile to display on login
DisplayConnect .connect # Textfile to display on connection
#DisplayFirstChdir .firstchdir # Textfile to display on first changedir
UseReverseDNS off
IdentLookups off
Port 21
Umask 022
MaxInstances 15
MaxClientsPerHost 3 "Only %m connections per host allowed"
MaxClients 10 "Only %m total simultanious logins allowed"
MaxHostsPerUser 20
User ftp
Group ftp
ScoreboardFile /var/run/proftpd/proftpd.scoreboard
# Some logging formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
# Define log-files to use
TransferLog /var/log/proftpd.xferlog
ExtendedLog /var/log/proftpd.access_log WRITE,READ write
ExtendedLog /var/log/proftpd.auth_log AUTH auth
ExtendedLog /var/log/proftpd.paranoid_log ALL default
SQLLogFile /var/log/proftpd.mysql
# Set up authentication via SQL
# ===========
AuthOrder mod_sql.c
SQLAuthTypes Backend
SQLConnectInfo proftpd_admin@localhost xxxxxxxxx xxxxxxxxxxx
SQLUserInfo usertable userid passwd uid gid homedir shell
SQLGroupInfo grouptable groupname gid members
SQLUserWhereClause "disabled=0 and (NOW()<=expiration or expiration=-1 or expiration=0)"
<IfModule mod_clamav.c> # enable scanning
ClamAV on
</IfModule>
# Log the user logging in
SQLLog PASS counter
SQLNamedQuery counter UPDATE "lastlogin=now(), count=count+1 WHERE userid='%u'" usertable
# logout log
SQLLog EXIT time_logout
SQLNamedQuery time_logout UPDATE "lastlogout=now() WHERE userid='%u'" usertable
# display last login time when PASS command is given
SQLNamedQuery login_time SELECT "lastlogin from usertable where userid='%u'"
SQLShowInfo PASS "230" "Last login was: %{login_time}"
# xfer Log in mysql
SQLLog RETR,STOR transfer1
SQLNamedQuery transfer1 INSERT "'%u', '%f', '%b', '%h', '%a', '%m', '%T', now(), 'c', NULL" xfer_stat
SQLLOG ERR_RETR,ERR_STOR transfer2
SQLNamedQuery transfer2 INSERT "'%u', '%f', '%b', '%h', '%a', '%m', '%T', now(), 'i', NULL" xfer_stat
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# SQLEngine off
# AnonRequirePassword off
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 30
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
## DisplayFirstChdir .message
#
## Limit WRITE everywhere in the anonymous chroot
#<Directory *>
#<Limit WRITE>
#DenyAll
#</Limit>
#</Directory>
#
## Uncomment this if you're brave.
## <Directory incoming>
## # Umask 022 is a good standard umask to prevent new files and dirs
## # (second parm) from being group and world writable.
## Umask 022 022
## <Limit READ WRITE>
## DenyAll
## </Limit>
## <Limit STOR>
## AllowAll
## </Limit>
## </Directory>
#
#</Anonymous>
<Anonymous ~ftp>
AnonRequirePassword off
SQLEngine off
User ftp
Group ftp
### We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
### Limit the maximum number of anonymous logins
MaxClients 20
### We want 'welcome.msg' displayed at login, and '.message' displayed
### in each newly chdired directory.
DisplayLogin welcome.msg
# DisplayFirstChdir .message
### Limit WRITE everywhere in the anonymous chroot
<Limit READ>
AllowAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
AllowStoreRestart on
AllowRetrieveRestart on
RequireValidShell off
PathDenyFilter "(\\.ftp)|(\\.ht)[a-z]+$"
DefaultRoot ~
#DefaultRoot /mnt/ftp !snark
DenyFilter \*.*/
<Directory /mnt/ftp/*>
AllowOverwrite off
HideNoAccess off
<Limit READ>
AllowAll
</Limit>
<Limit WRITE>
DenyGroup !admins
</Limit>
</Directory>
<Directory /mnt/ftp/pub/upload/*>
AllowOverwrite on
HideNoAccess on
<Limit READ>
AllowAll
</Limit>
<Limit WRITE>
AllowAll
</Limit>
<Limit STOR MKD>
AllowAll
</Limit>
</Directory>
Clam, by the way, doesn't work either.
KiWi (Former moderator, Posts: 2521)
Re: Solved: Help with Proftpd (anonymous)
Post by KiWi:
xilix wrote (05.11.2009 11:24):
Could someone nudge me a little toward enlightenment?
Only the methods listed in AuthOrder are used for authentication. AuthOrder contains only mod_sql, so all authentication goes through mod_sql WITHOUT any attempt to authenticate against the system /etc/passwd.
xilix (Posts: 16, OS: FreeBSD)
Re: Solved: Help with Proftpd (anonymous)
Post by xilix:
KiWi wrote (05.11.2009 11:33):
xilix wrote (05.11.2009 11:24):
Could someone nudge me a little toward enlightenment?
Only the methods listed in AuthOrder are used for authentication. AuthOrder contains only mod_sql, so all authentication goes through mod_sql WITHOUT any attempt to authenticate against the system /etc/passwd.
But I don't need authentication via /etc/passwd. I want to somehow attach the anonymous user that is defined in the config. Which of the AuthOrder authentication methods is responsible for the config?
In case you have a Proftpd FTP server and you receive the following error message in your FTP log, it does not necessarily mean that your password is wrong:
Status: Verbinde mit xxx.xxx.xxx.xxx:21…
Status: Verbindung hergestellt, warte auf Willkommensnachricht…
Antwort: 220 FTP Server ready.
Befehl: USER web24
Antwort: 331 Password required for web24
Befehl: PASS ********
Antwort: 530 Login incorrect.
Fehler: Kritischer Fehler
Obviously you need to check on the server if the password is really correct.
The next step is to use proftpd’s debugging mode. Stop the daemon and launch the following command:
proftpd -nd6
This command launches proftpd in debug mode, where you can trace everything what happens:
# proftpd -nd6
— using TCP receive buffer size of 87380 bytes
— using TCP send buffer size of 16384 bytes
— disabling runtime support for IPv6 connections
— mod_tls/2.4.2: using OpenSSL 0.9.8o 01 Jun 2010
— <IfModule>: using ‘mod_tls.c’ section at line 9
ftp.server.ip.address —
ftp.server.ip.address — Config for example.com:
ftp.server.ip.address — Limit
ftp.server.ip.address — DenyGroup
ftp.server.ip.address — DefaultServer
ftp.server.ip.address — ServerIdent
ftp.server.ip.address — ListOptions
ftp.server.ip.address — IdentLookups
ftp.server.ip.address — TimesGMT
ftp.server.ip.address — LangEngine
ftp.server.ip.address — Umask
ftp.server.ip.address — UserID
ftp.server.ip.address — UserName
ftp.server.ip.address — GroupID
ftp.server.ip.address — GroupName
ftp.server.ip.address — TransferLog
ftp.server.ip.address — AllowOverwrite
ftp.server.ip.address — DefaultRoot
ftp.server.ip.address — TLSEngine
ftp.server.ip.address — TLSLog
ftp.server.ip.address — TLSRSACertificateFile
ftp.server.ip.address — TLSRSACertificateKeyFile
ftp.server.ip.address — TLSOptions
ftp.server.ip.address — TLSRequired
ftp.server.ip.address — mod_lang/0.9: skipping possible language ‘it’: not supported by setlocale(3); see `locale -a’
ftp.server.ip.address — mod_lang/0.9: skipping possible language ‘ru’: not supported by setlocale(3); see `locale -a’
ftp.server.ip.address — mod_tls/2.4.2: passphrase locked into memory
ftp.server.ip.address — ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — session requested from client in unknown class
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — mod_cap/1.0: adding CAP_AUDIT_WRITE capability
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — mod_ident/1.0: ident lookup disabled
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — connected — local : ftp.server.ip.address:21
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — connected — remote : my.remote.ip.address:52478
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — FTP session opened.
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘USER web24’ to mod_rewrite
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘USER web24’ to mod_tls
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘USER web24’ to mod_core
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘USER web24’ to mod_core
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘USER web24’ to mod_delay
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘USER web24’ to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching CMD command ‘USER web24’ to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching POST_CMD command ‘USER web24’ to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching POST_CMD command ‘USER web24’ to mod_delay
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching LOG_CMD command ‘USER web24’ to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching LOG_CMD command ‘USER web24’ to mod_log
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘PASS (hidden)’ to mod_rewrite
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘PASS (hidden)’ to mod_tls
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘PASS (hidden)’ to mod_core
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘PASS (hidden)’ to mod_core
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘PASS (hidden)’ to mod_wrap
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘PASS (hidden)’ to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘PASS (hidden)’ to mod_delay
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching PRE_CMD command ‘PASS (hidden)’ to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching CMD command ‘PASS (hidden)’ to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — user ‘web24’ authenticated by mod_auth_pam.c
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — USER web24 (Login failed): Invalid shell: ‘/bin/false’
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching POST_CMD_ERR command ‘PASS (hidden)’ to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching POST_CMD_ERR command ‘PASS (hidden)’ to mod_delay
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching LOG_CMD_ERR command ‘PASS (hidden)’ to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching LOG_CMD_ERR command ‘PASS (hidden)’ to mod_log
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — dispatching LOG_CMD_ERR command ‘PASS (hidden)’ to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — mod_tls/2.4.2: scrubbing 1 passphrase from memory
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — FTP session closed.
The important line is this one:
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) — USER web24 (Login failed): Invalid shell: ‘/bin/false’
Either the user web24 needs a valid shell like /bin/bash or the proftpd.conf setting needs the following line:
# grep Shell /etc/proftpd/proftpd.conf
RequireValidShell off
By setting this option, proftpd accepts users without valid shells and will allow the FTP session.
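The account-level prerequisites listed in the support article's fixes above (account exists, not in /etc/ftpusers, valid login shell, usable home directory) and the "Invalid shell: '/bin/false'" failure in this post can be checked before touching the password. The following Python is an added example, not code from this post, from the support article or from ProFTPD: it reads passwd-, ftpusers- and shells-style data and reports which prerequisite would make a login fail, with RequireValidShell on or off. The sample entries are constructed (the ftp line copies the /etc/passwd entry from the first post on the page; web24's home directory is an assumed path), and the `root` argument lets the home-directory check run against a temporary tree instead of the real filesystem.

```python
import os
import stat
import tempfile


def parse_passwd(text):
    """Map login name -> {uid, gid, home, shell} from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            users[fields[0]] = {"uid": int(fields[2]), "gid": int(fields[3]),
                                "home": fields[5], "shell": fields[6]}
    return users


def parse_list(text):
    """Entries of an /etc/ftpusers- or /etc/shells-style file (blanks and comments skipped)."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")}


def check_ftp_login(username, passwd_text, ftpusers_text, shells_text,
                    require_valid_shell=True, root=""):
    """Reasons a login would fail before the password is examined (empty list = none found).

    The checks mirror the ones on this page: the account exists, it is not in the
    ftpusers deny list, its shell is in /etc/shells unless RequireValidShell is off,
    and its home directory exists and is searchable. `root` is prepended to the home
    path so the check can run against a constructed directory tree.
    """
    users = parse_passwd(passwd_text)
    if username not in users:
        return ["account does not exist"]
    user = users[username]
    problems = []
    if username in parse_list(ftpusers_text):
        problems.append("listed in ftpusers deny list")
    if require_valid_shell and user["shell"] not in parse_list(shells_text):
        problems.append("invalid shell: %s (add it to /etc/shells, change it, "
                        "or set RequireValidShell off)" % user["shell"])
    home = root + user["home"]
    if not os.path.isdir(home):
        problems.append("home directory %s does not exist" % user["home"])
    elif not stat.S_IMODE(os.stat(home).st_mode) & 0o111:
        problems.append("home directory %s is not searchable (no execute bit)" % user["home"])
    return problems


# Constructed sample files. The ftp entry is the one shown in the first post on this
# page; web24 is the user from this post, with an assumed home directory.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:105:65534::/home/ftp:/bin/sh
web24:x:1001:1001::/var/www/web24:/bin/false
locked:x:1002:1002::/home/locked:/bin/bash
"""
FTPUSERS = "# users denied FTP access\nroot\ndaemon\n"
SHELLS = "/bin/sh\n/bin/bash\n"


def demo():
    """Run the checks for several accounts against a temporary directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(tmp + "/home/ftp")
        os.makedirs(tmp + "/var/www/web24")
        os.makedirs(tmp + "/home/locked")
        os.chmod(tmp + "/home/locked", 0o600)   # exists, but no search (execute) bit
        results["ftp"] = check_ftp_login("ftp", PASSWD, FTPUSERS, SHELLS, root=tmp)
        results["web24"] = check_ftp_login("web24", PASSWD, FTPUSERS, SHELLS, root=tmp)
        results["web24_shell_not_required"] = check_ftp_login(
            "web24", PASSWD, FTPUSERS, SHELLS, require_valid_shell=False, root=tmp)
        results["root"] = check_ftp_login("root", PASSWD, FTPUSERS, SHELLS, root=tmp)
        results["locked"] = check_ftp_login("locked", PASSWD, FTPUSERS, SHELLS, root=tmp)
        results["nosuchuser"] = check_ftp_login("nosuchuser", PASSWD, FTPUSERS, SHELLS, root=tmp)
        os.chmod(tmp + "/home/locked", 0o700)   # restore so the temporary tree can be removed
    return results


if __name__ == "__main__":
    for account, problems in demo().items():
        print(account, "->", problems or "no problem found")
```

The web24 case reproduces this post: with RequireValidShell on, the only finding is the /bin/false shell, and with it off the account passes. The ftp entry from the first post on the page passes all four checks, which fits its syslog line reporting "Incorrect password" rather than a shell or directory problem.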
Comments (newest first)
E-sportspelaren from Sweden wrote on Jul 23rd, 2021:
Thanks for this!! The only article I've seen for fixing this problem. Claudio for president!
Nobbi wrote on Aug 28th, 2013:
My problem has been, that the home-directory of the virtual user wasn’t existing; so the access was denied.
I set it to the ftp-root and it works — after hours of googling and trying.
Thanks for your advice