Owned IP can't login with FTP

Scormen

Hi all,

I'm having a strange problem. After a transfer from another server, one user with an owned IP address can't log in with FTP anymore.

FileZilla's output:
17:02:20 Status: Resolving address of ftp.****.**
17:02:20 Status: Connecting to **.**.**.**:21...
17:02:20 Status: Connection established, waiting for welcome message...
17:02:20 Response: 220 ProFTPD 1.3.1 Server ready.
17:02:20 Command: USER kris
17:02:20 Response: 331 Password required for kris
17:02:20 Command: PASS ***********
17:02:20 Response: 230 User kris logged in
17:02:20 Command: SYST
17:02:20 Response: 215 UNIX Type: L8
17:02:20 Command: FEAT
17:02:20 Response: 211-Features:
17:02:20 Response: MDTM
17:02:20 Response: REST STREAM
17:02:20 Response: SIZE
17:02:20 Response: 211 End
17:02:20 Status: Connected
17:02:20 Status: Retrieving directory listing...
17:02:20 Command: PWD
17:02:20 Response: 257 "/" is the current directory
17:02:20 Command: TYPE I
17:02:20 Response: 200 Type set to I
17:02:20 Command: PASV
17:02:20 Response: 227 Entering Passive Mode (**,**,**,**,162,26).
17:02:20 Command: LIST
17:02:41 Error: Connection timed out
17:02:41 Error: Failed to retrieve directory listing

So it is the right password, he "can login" but he can't retrieve directory listing and receives a connection timed out.

He can't log in with his head account, nor with any other account.

The passwords from the user are in "/usr/local/directadmin/data/users/*username*/ftp.passwd" so that looks right.

In "/usr/local/directadmin/data/users/*username*/domains/***.**.ftp" the default domains is set to "yes".


Thanks for your help and time,
Kris
 
Then there is a firewall blocking the passive port connections.
 
Hmm no. This is the piece of iptables:

EXTIF = eth0 (wan port)
UNIVERSE = 0/0

Code:
$IPT -A SERVICES -i $EXTIF -p tcp -s $UNIVERSE --dport 20:21 -j ACCEPT
$IPT -A SERVICES -i $EXTIF -p tcp -s $UNIVERSE --dport 35000:35999 -j ACCEPT
$IPT -A SERVICES -i $EXTIF -p tcp -s $UNIVERSE --dport 989 -j ACCEPT
$IPT -A SERVICES -i $EXTIF -p tcp -s $UNIVERSE --dport 990 -j ACCEPT
 
Are you using ports 35000:35999 for ftp? If so you've got to assign them in the proftpd.conf file.

Jeff
 
Yes, I'm using them for the passive ports.

/etc/proftpd.conf:

Code:
Port                    21
PassivePorts            35000 35999

Kris
 
Does this happen to everyone who uses that FTP account, or only one person? Maybe the client's firewall or router is causing the problem. Have them try port instead of passive connection.
 
It's happening to everyone, including me. The problem occurs with all the FTP accounts of that user.

There is nothing wrong with the FTP accounts of other users on the server; they are working well.
 
Is the problem that you can't log in, or is it that you are getting a connection timed out when doing a list?

If you can't log in, you need to make sure your virtual host config is being included in your /etc/proftpd.conf. There should be an include line somewhere at the bottom saying Include /etc/proftpd.vhosts.conf. If it is included, you might want to post that virtual host block here so we can see if it's correct. The VirtualHost block will be in /etc/proftpd.vhosts.conf.
 
Is the problem that you can't log in, or is it that you are getting a connection timed out when doing a list?
Excuse me, I mean we can log in, but we get a connection timed out when doing a list.

make sure your virtual host config is being included in your /etc/proftpd.conf
It is being included:

Code:
<VirtualHost **.**.**.**>
        ServerName              "ProFTPd"
        ExtendedLog             /var/log/proftpd/**.**.**.**.bytes WRITE,READ userlog
        AuthUserFile            /usr/local/directadmin/data/users/*username*/ftp.passwd
</VirtualHost>
 
Well, if you can log in but are having a list issue, it's a firewall problem somewhere not allowing the passive connection to continue. Try disabling the server firewall for an instant and see if you can log in fine. Nothing else in proftpd will cause this.
 
Hmm I don't think so... All the rest is working fine: http, https, imap(s) etc... on all accounts. Only that account is not working like we want it.

Kris
 
Is ftp working fine for others? Yes, or no, the test scsi suggests is a good idea.

Also can you log in using that account's login name(s) from other locations?

Jeff
 
Hmm I don't think so... All the rest is working fine: http, https, imap(s) etc... on all accounts. Only that account is not working like we want it.

Kris

Yeah but none of those use passive connections the way that ftp server does.
 
Is ftp working fine for others? Yes, or no
Yes, for all other users on the server FTP is working fine.

Also can you log in using that account's login name(s) from other locations?
No we can't.


A quick overview:
All accounts on the server:
- http: working
- ftp: working
- and all the rest: working

That one account on the server:
- http: working
- ftp: not working
- and all the rest: working


I'll have another look at the firewall, but it would be strange... FTP is working for all accounts on the server, except for that one account.

Kris
 
If you are using a virtualhost, do the passive ports actually work for that virtualhost too? More than likely this is the problem, and you might need to put the passive ports tag in the virtual host tag.

http://proftpd.org/docs/directives/linked/config_ref_PassivePorts.html

I would try:

Code:
<VirtualHost **.**.**.**>
        ServerName              "ProFTPd"
        ExtendedLog             /var/log/proftpd/**.**.**.**.bytes WRITE,READ userlog
        AuthUserFile            /usr/local/directadmin/data/users/*username*/ftp.passwd
        PassivePorts            35000 35999
</VirtualHost>

Maybe even declare a different set of ports for the virtualhost.
 
Thanks for your help, scsi, that did the trick!
I had to add the PassivePorts line in /etc/proftpd.vhosts.conf.

I have never had this problem, what can be the cause?

But, thanks again for all the responses everyone!

Kris
 
By default it will attempt to make the passive connection between 1024-65535 unless you specify that port range with the PassivePorts variable. Since you use a firewall that doesn't open every port, that's why it was getting blocked. Glad you got it to work finally.
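
Added example, not part of the thread: the port a server announces in its 227 reply is the fifth field times 256 plus the sixth, so the `162,26` in the FileZilla log above means port 41498, which is outside the 35000:35999 range the firewall accepts. This sketch decodes 227 replies from a client log and flags ports outside the allowed range; the function names are hypothetical, and the second session in the sample (address 192.0.2.10) is constructed.

```python
import re

# 227 reply fields are h1,h2,h3,h4,p1,p2. Host octets may be masked ("**")
# in logs pasted to a forum, so only p1 and p2 must be numeric.
PASV_RE = re.compile(
    r"\b227 [^(]*\((?:[^,)]+,){4}\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)", re.ASCII)

def pasv_port(line):
    """Return the data port announced in a 227 reply, or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    p1, p2 = int(m.group(1)), int(m.group(2))
    if p1 > 255 or p2 > 255:
        return None  # not a valid port byte
    return p1 * 256 + p2

def audit(log_lines, allowed=(35000, 35999)):
    """Return (port, inside_allowed_range, timed_out) for each 227 reply."""
    results = []
    for i, line in enumerate(log_lines):
        port = pasv_port(line)
        if port is None:
            continue
        timed_out = False
        # Scan forward to the next 227 reply for a data-channel timeout.
        for later in log_lines[i + 1:]:
            if pasv_port(later) is not None:
                break
            if "timed out" in later.lower():
                timed_out = True
                break
        results.append((port, allowed[0] <= port <= allowed[1], timed_out))
    return results

SAMPLE_LOG = [
    # First session: lines as they appear in the thread's FileZilla output.
    "17:02:20 Response: 227 Entering Passive Mode (**,**,**,**,162,26).",
    "17:02:20 Command: LIST",
    "17:02:41 Error: Connection timed out",
    # Second session: constructed, as a server honouring PassivePorts would answer.
    "17:30:02 Response: 227 Entering Passive Mode (192,0,2,10,137,4).",
    "17:30:02 Command: LIST",
    "17:30:02 Response: 226 Transfer complete",
]

if __name__ == "__main__":
    for port, ok, timed_out in audit(SAMPLE_LOG):
        print(port, "in range" if ok else "OUTSIDE firewall range",
              "(timed out)" if timed_out else "")
```

A 227 port outside the firewall's range followed by a timeout on LIST points at the server's passive port configuration for that address, not at the credentials.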
 