CSF Check VPS FTP PASV hole

riverdance

Hello,

I'm using CSF, but people can't log in to FTP. I always need to put the IP in the CSF allow list.
I have the ports open in CSF, but people still can't log in to FTP when I haven't put the IP in CSF.

This is my config from FTP

Code:
ServerName		"ProFTPd"
ServerType          	standalone

Port			21
PassivePorts            30000 35000
UseReverseDNS		off
TimesGMT		off
TimeoutLogin		120
TimeoutIdle		600
TimeoutNoTransfer	900
TimeoutStalled		3600

ScoreboardFile			/var/run/proftpd/proftpd.pid

TransferLog		/var/log/proftpd/xferlog.legacy
LogFormat		default "%h %l %u %t \"%r\" %s %b"
LogFormat		auth    "%v [%P] %h %t \"%r\" %s"
LogFormat		write   "%h %l %u %t \"%r\" %s %b"

#DON'T modify this log format.  Its used by DirectAdmin to determine user usage
LogFormat		userlog "%u %b %m %a"
ExtendedLog		/var/log/proftpd/000000000.bytes WRITE,READ userlog

AuthUserFile                    /etc/proftpd.passwd
DefaultServer		on
AuthOrder mod_auth_file.c

#AuthPAM off

<IfModule mod_tls.c>
	TLSEngine on
	TLSLog /var/log/proftpd/proftpd.tls.log
	TLSProtocol SSLv23
	#TLSProtocol TLSv1
	TLSVerifyClient off
	TLSRequired off
	
	#Certificates
	TLSRSACertificateFile /etc/exim.cert
	TLSRSACertificateKeyFile /etc/exim.key
	#TLSCACertificateFile /etc/ftpd/root.cert.pem

	TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
</IfModule>

<Global>
	DeferWelcome		on

	RequireValidShell	no

	DefaultRoot		~
	DirFakeUser on ftp
	DirFakeGroup on ftp

	User			ftp
	Group			ftp
	#UserAlias		anonymous ftp

	AllowStoreRestart	on
	AllowRetrieveRestart	on

	ListOptions		-a

	Umask			022
	DisplayLogin		welcome.msg
	DisplayChdir		readme
	AllowOverwrite		yes
	IdentLookups		off
	ExtendedLog		/var/log/proftpd/access.log WRITE,READ write
	ExtendedLog		/var/log/proftpd/auth.log AUTH auth
	
	#
	# Paranoia logging level....
	#
	#ExtendedLog    /var/log/proftpd/paranoid.log ALL default

	<IfModule mod_tls.c>
		TLSEngine on
		TLSLog /var/log/proftpd/proftpd.tls.log
		TLSRSACertificateFile /etc/exim.cert
		TLSRSACertificateKeyFile /etc/exim.key
	</IfModule>
</Global>

Include /etc/proftpd.vhosts.conf

Can someone post a copy of their FTP config so I can try whether that works?


Thank you
 
This is mine:

Code:
ServerName              "ProFTPd"
ServerType              standalone

Port                    21
PassivePorts            35000 35999
UseReverseDNS           off
TimesGMT                off
TimeoutLogin            120
TimeoutIdle             600
TimeoutNoTransfer       900
TimeoutStalled          3600

ScoreboardFile                  /var/run/proftpd/proftpd.pid

TransferLog             /var/log/proftpd/xferlog.legacy
LogFormat               default "%h %l %u %t \"%r\" %s %b"
LogFormat               auth    "%v [%P] %h %t \"%r\" %s"
LogFormat               write   "%h %l %u %t \"%r\" %s %b"

#DON'T modify this log format.  Its used by DirectAdmin to determine user usage
LogFormat               userlog "%u %b %m"
ExtendedLog             /var/log/proftpd/93.63.209.93.bytes WRITE,READ userlog

AuthUserFile                    /etc/proftpd.passwd
DefaultServer           on
AuthOrder mod_auth_file.c

#AuthPAM off

<IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/proftpd.tls.log
        TLSProtocol TLSv1
        TLSVerifyClient off
        TLSRequired off

        #Certificates
        TLSRSACertificateFile /etc/exim.cert
        TLSRSACertificateKeyFile /etc/exim.key
        #TLSCACertificateFile /etc/ftpd/root.cert.pem

        TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
</IfModule>

<Global>
        PassivePorts            35000 35999
        DeferWelcome            on

        RequireValidShell       no

        DefaultRoot             ~
        DirFakeUser on ftp
        DirFakeGroup on ftp

        User                    ftp
        Group                   ftp
        #UserAlias              anonymous ftp

        AllowStoreRestart       on
        AllowRetrieveRestart    on

        ListOptions             -a

        Umask                   022
        DisplayLogin            welcome.msg
        DisplayChdir            readme
        AllowOverwrite          yes
        IdentLookups            off
        ExtendedLog             /var/log/proftpd/access.log WRITE,READ write
        ExtendedLog             /var/log/proftpd/auth.log AUTH auth

        #
        # Paranoia logging level....
        #
        #ExtendedLog    /var/log/proftpd/paranoid.log ALL default

<IfModule mod_clamav.c>
   ClamAV on
   ClamServer localhost
   ClamPort 3310
   ClamMaxSize 5 Mb
</IfModule>


</Global>

Include /etc/proftpd.vhosts.conf

I suppose it is not a ProFTPd issue but a CSF misconfiguration. Be sure to have port 21 in TCP_IN, TCP_OUT, UDP_IN and UDP_OUT in your csf.conf (or set it from the web interface), and restart csf/lfd after editing.

Regards
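A check for the situation discussed in this thread, as an added example that is not part of any poster's message: it reads `PassivePorts` from proftpd.conf and `TCP_IN` from csf.conf and reports which FTP ports the firewall does not open. The function names and the sample `TCP_IN` line are constructed for illustration; the `low:high` range form is CSF's syntax for port ranges.

```python
import re

# Constructed sample inputs: PassivePorts matches the first config in this
# thread; the TCP_IN line is invented for the demonstration.
SAMPLE_PROFTPD = "Port 21\nPassivePorts 30000 35000\n"
SAMPLE_CSF = 'TCP_IN = "20,21,22,25,53,80,110,143,443,35000:35999"\n'

def passive_range(proftpd_conf):
    """Return (low, high) from the first PassivePorts directive, or None."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", proftpd_conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def csf_ports(csf_conf, key="TCP_IN"):
    """Parse a csf.conf list such as "21,80,30000:35000" into (low, high) pairs."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(key), csf_conf, re.M)
    pairs = []
    for item in (m.group(1).split(",") if m else []):
        low, _, high = item.strip().partition(":")
        if low:
            pairs.append((int(low), int(high or low)))
    return pairs

def uncovered(low, high, pairs):
    """Return the parts of low..high that no (a, b) pair in the list opens."""
    gaps, cur = [], low
    for a, b in sorted(pairs):
        if b < cur or a > high:
            continue
        if a > cur:
            gaps.append((cur, a - 1))
        cur = max(cur, b + 1)
    if cur <= high:
        gaps.append((cur, high))
    return gaps

def check(proftpd_conf, csf_conf):
    """List the FTP ports (control and passive) that TCP_IN leaves closed."""
    allowed, problems = csf_ports(csf_conf), []
    if uncovered(21, 21, allowed):
        problems.append("control port 21 is not in TCP_IN")
    pr = passive_range(proftpd_conf)
    if pr is None:
        problems.append("no PassivePorts directive found")
    else:
        for low, high in uncovered(pr[0], pr[1], allowed):
            problems.append("passive ports %d-%d are not in TCP_IN" % (low, high))
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_PROFTPD, SAMPLE_CSF))
```

On a server, pass the contents of the real proftpd.conf and csf.conf to `check()` instead of the samples; an empty list means every port ProFTPd listens on for FTP is opened by `TCP_IN`.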
 
Thank you mate,

Now we need to test it.
So will you try logging in to the FTP so I can see if it works?

It works.
 
Thank you Andrea,

It works, I see it in the log file.

Thanks again, Andrea.

Going to delete the test now.
 