ProFTP + CSF

desynced (Verified User, joined Dec 29, 2008, 47 messages)
I'm setting up a new CentOS 5.7 server (i386) with DirectAdmin. Installed CSF and everything seemed to be working fine. But when the customer that the server was built for uploads or downloads files via FTP, about 30 seconds later they can no longer connect to the server for about 20 minutes. I am assuming it is the firewall, but I can't figure out why. I'm comparing everything to my other servers and everything seems to match up, but I can't figure out why on this server it's doing it.

proftpd.conf
Code:
ServerName              "ProFTPd"
ServerType              standalone

Port                    21
PassivePorts            30000 35000
UseReverseDNS           off
TimesGMT                off
TimeoutLogin            120
TimeoutIdle             600
TimeoutNoTransfer       900
TimeoutStalled          3600

ScoreboardFile                  /var/run/proftpd/proftpd.pid

TransferLog             /var/log/proftpd/xferlog.legacy
LogFormat               default "%h %l %u %t \"%r\" %s %b"
LogFormat               auth    "%v [%P] %h %t \"%r\" %s"
LogFormat               write   "%h %l %u %t \"%r\" %s %b"

#DON'T modify this log format.  Its used by DirectAdmin to determine user usage
LogFormat               userlog "%u %b %m"
ExtendedLog             /var/log/proftpd/208.94.247.106.bytes WRITE,READ userlog

AuthUserFile                    /etc/proftpd.passwd
DefaultServer           on
AuthOrder mod_auth_file.c

#AuthPAM off

<IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/proftpd.tls.log
        TLSProtocol TLSv1
        TLSVerifyClient off
        TLSRequired off

        #Certificates
        TLSRSACertificateFile /etc/exim.cert
        TLSRSACertificateKeyFile /etc/exim.key
        #TLSCACertificateFile /etc/ftpd/root.cert.pem

        TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
</IfModule>

<Global>
        DeferWelcome            on
        RequireValidShell       no

        DefaultRoot             ~
        DirFakeUser on ftp
        DirFakeGroup on ftp

        User                    ftp
        Group                   ftp
        #UserAlias              anonymous ftp

        AllowStoreRestart       on
        AllowRetrieveRestart    on

        ListOptions             -a

        Umask                   022
        DisplayLogin            welcome.msg
        DisplayChdir            readme
        AllowOverwrite          yes
        IdentLookups            off
        ExtendedLog             /var/log/proftpd/access.log WRITE,READ write
        ExtendedLog             /var/log/proftpd/auth.log AUTH auth

        #
        # Paranoia logging level....
        #
        #ExtendedLog    /var/log/proftpd/paranoid.log ALL default

</Global>

Include /etc/proftpd.vhosts.conf

In the CSF config, I have 30000:35000 added to TCP_IN.

Any other ideas?
 
We might have found out the problem. The customer is using the FTP client FileZilla, which keeps grabbing new passive ports when downloading files instead of using previously used ports, so the server thought this was a type of DoS attack and then blocked the IP address.

Going into the Firewall Configuration and changing the value of CT_LIMIT from 400 to 0 (disabled) has resolved this problem.
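To make the diagnosis above concrete, here is an added simulation (not CSF's code and not from this thread) of how a connection-tracking limit like CT_LIMIT reacts to a passive-mode client that opens one new data connection per file and leaves the finished ones in TIME_WAIT. The connection table and client IP are constructed; CT_LIMIT is the setting named in the thread, while CT_PORTS and CT_SKIP_TIME_WAIT are csf.conf options as I know them, not mentioned by the posters, included to show alternatives to switching tracking off.

```python
"""Constructed simulation of CSF connection tracking versus a passive-mode FTP client.

CSF's CT_LIMIT counts how many connections one remote IP holds to the server;
an IP with more than CT_LIMIT is temporarily blocked (CT_LIMIT = 0 disables the
check). A passive FTP client that opens a new data connection on a fresh
PassivePorts port for every file, leaving the finished ones in TIME_WAIT, can
accumulate hundreds of tracked connections from a single legitimate IP. This is
a re-implementation of that counting rule for illustration, not CSF's code.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One row of a netstat/ss-style connection table (constructed)."""
    src_ip: str
    dst_port: int
    state: str  # "ESTABLISHED" or "TIME_WAIT"


def passive_ftp_session(client_ip, n_files, passive_lo=30000, passive_hi=35000):
    """Build the connection table a FileZilla-style transfer of n_files leaves behind:
    one control connection on port 21 plus one data connection per file, each on
    a different passive port, all but the last already in TIME_WAIT."""
    conns = [Conn(client_ip, 21, "ESTABLISHED")]
    span = passive_hi - passive_lo + 1
    for i in range(n_files):
        state = "ESTABLISHED" if i == n_files - 1 else "TIME_WAIT"
        conns.append(Conn(client_ip, passive_lo + i % span, state))
    return conns


def tracked_counts(conns, ct_ports=None, skip_time_wait=False):
    """Per-source-IP connection count as CSF tracks it. ct_ports mirrors CT_PORTS
    (only count connections to these server ports); skip_time_wait mirrors
    CT_SKIP_TIME_WAIT (ignore TIME_WAIT rows). Both are assumptions about csf.conf
    semantics, not taken from this thread."""
    counts = Counter()
    for c in conns:
        if skip_time_wait and c.state == "TIME_WAIT":
            continue
        if ct_ports is not None and c.dst_port not in ct_ports:
            continue
        counts[c.src_ip] += 1
    return counts


def ips_over_limit(conns, ct_limit, **tracking):
    """IPs CSF would block under CT_LIMIT=ct_limit; 0 means tracking is disabled."""
    if ct_limit == 0:
        return set()
    return {ip for ip, n in tracked_counts(conns, **tracking).items() if n > ct_limit}


def scenarios(client_ip="203.0.113.45", n_files=450):
    """Run the thread's situation (one customer, many files) through the settings
    discussed: CT_LIMIT 400 (blocks), 500 (does not), 0 (disabled), plus two
    alternatives that keep tracking on for the other services."""
    conns = passive_ftp_session(client_ip, n_files)
    return {
        "ct_limit_400": ips_over_limit(conns, 400),
        "ct_limit_500": ips_over_limit(conns, 500),
        "ct_limit_0": ips_over_limit(conns, 0),
        "ct_limit_400_skip_time_wait": ips_over_limit(conns, 400, skip_time_wait=True),
        "ct_limit_400_ct_ports_no_passive": ips_over_limit(
            conns, 400, ct_ports={21, 22, 25, 80, 443}),
    }


if __name__ == "__main__":
    for name, blocked in scenarios().items():
        print(f"{name:36s} blocked: {sorted(blocked) or 'none'}")
```

The point of the last two scenarios is that a limit high enough for a busy FTP client is also a limit that no longer catches much on port 22 or 80; counting only the ports you care about, or ignoring TIME_WAIT rows, keeps the protection on those services while letting the passive data connections through.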
 
I had the same problem, but instead of disabling it (that would be a risk) I've raised the limit to 500; actually it is just one customer having this problem when uploading a website...

Regards
 
It's going to be re-enabled, but we disabled it for a while to see if that was the problem. I'll keep 500 in mind. ;)

But as SeLLeRoNe has stated, do not disable it permanently as this is a security issue on your server, but disable it for a while to troubleshoot and if this is your problem, raise the number up higher. (Raising it from 300 to 400 did not fix the problem, thus the reason we disabled it just to see if it is the problem. Might raise it to 600 just to be on the safe side.)
 
Check the port range

$ sysctl net.ipv4.ip_local_port_range

Output
net.ipv4.ip_local_port_range = 32768 61000


Then configure the ports in proftpd.conf and in csf.conf TCP_IN within this range (35000:50000) - works fine.
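As an added example (not from this thread or from the ProFTPD/CSF projects), the checker below reads the three things the thread compares by hand: the PassivePorts directive in proftpd.conf, the TCP_IN list in csf.conf, and the sysctl output above. It confirms that the whole passive range is open in TCP_IN and reports whether it overlaps the kernel's ephemeral range. The file contents are constructed to match the thread's configuration; the function names and the check() summary are my own.

```python
"""Added example: check that a ProFTPD PassivePorts range, the CSF TCP_IN list
and the kernel's ephemeral port range agree. The parsers handle the
proftpd.conf / csf.conf / sysctl formats shown in the thread; the inputs and
the check() summary are constructed for this example."""
import re

# Constructed inputs reproducing the thread's configuration.
PROFTPD_CONF = """\
ServerName "ProFTPd"
Port 21
PassivePorts 30000 35000
#PassivePorts 40000 45000
"""
CSF_CONF = 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30000:35000"\n'
SYSCTL_OUT = "net.ipv4.ip_local_port_range = 32768 61000\n"


def parse_passive_ports(proftpd_conf):
    """Return (low, high) from the first uncommented PassivePorts directive, else None."""
    for line in proftpd_conf.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"PassivePorts\s+(\d+)\s+(\d+)$", line)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def parse_csf_ports(csf_conf, key="TCP_IN"):
    """Parse a csf.conf port list such as TCP_IN = "21,22,30000:35000" into (lo, hi) tuples."""
    m = re.search(rf'^\s*{key}\s*=\s*"([^"]*)"', csf_conf, re.M)
    if not m:
        return []
    ranges = []
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")  # single port or lo:hi range
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_local_port_range(sysctl_output):
    """Return (lo, hi) from `sysctl net.ipv4.ip_local_port_range` output, else None."""
    m = re.search(r"net\.ipv4\.ip_local_port_range\s*=\s*(\d+)\s+(\d+)", sysctl_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def range_covered(rng, open_ranges):
    """True if every port in rng falls inside the union of open_ranges
    (so a passive range split across several TCP_IN entries still passes)."""
    lo, hi = rng
    nxt = lo  # first port not yet shown to be open
    for a, b in sorted(open_ranges):
        if a > nxt:
            break  # a gap before this entry: port nxt is closed
        if b >= nxt:
            nxt = b + 1
        if nxt > hi:
            return True
    return nxt > hi


def ranges_overlap(a, b):
    """True if the two inclusive (lo, hi) ranges share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def check(proftpd_conf, csf_conf, sysctl_output):
    """Summarise whether passive data connections can get through CSF and whether
    the passive range shares ports with the server's outbound (ephemeral) ports."""
    passive = parse_passive_ports(proftpd_conf)
    tcp_in = parse_csf_ports(csf_conf)
    ephemeral = parse_local_port_range(sysctl_output)
    return {
        "passive_ports": passive,
        "passive_open_in_tcp_in": passive is not None and range_covered(passive, tcp_in),
        "overlaps_ephemeral_range": (passive is not None and ephemeral is not None
                                     and ranges_overlap(passive, ephemeral)),
    }


if __name__ == "__main__":
    for name, value in check(PROFTPD_CONF, CSF_CONF, SYSCTL_OUT).items():
        print(f"{name}: {value}")
```

The overlap result is reported as information, not as a failure: the reply above places the passive range inside the ephemeral range and reports it working. My own caveat is that ports inside net.ipv4.ip_local_port_range can also be handed to the server's outgoing connections, so a passive range chosen outside it (or an ephemeral range narrowed with sysctl) avoids the two ever competing for a port.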
 