FTP and SFTP for ProFTPD

Hi, got a bit of a strange one. I rebooted our server and it used to have FTP and SFTP both working, now only SFTP works (we need FTP for legacy reasons, not ideal but such is life).

We are using ProFTPD. I looked at the config file and I am now even more confused, it has

...
LoadModule mod_sftp.c
<IfModule mod_sftp.c>

    SFTPEngine on
    Port <default port 2222 but free to change>
    SFTPLog /var/log/proftpd/sftp.log

    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key
....

Which is odd as we're using 22 and it seems to be working fine.

Anyway, that aside, is there something I can add to enable FTP on port 21?

Or do I use another service (e.g. vsftpd) to do FTP on 21? Can I run both at the same time?

Ben

ProFTPd offers SFTP on 2222 (and FTPS on the usual ports). OpenSSH runs on 22 and also happens to offer SFTP, but its primary purpose is for ssh access… the two can’t share the port, so ProFTPd goes on 2222.

If you need the controls that ProFTPd provides (like not allowing running programs) you need to direct users to 2222 or FTPS and don’t give them an SSH login account.
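Added illustration of the split described above (not the poster's config or Virtualmin's own): the main server keeps plain FTP on port 21 while the mod_sftp directives live in their own <VirtualHost> on 2222, so the two listeners coexist in one ProFTPD and the 2222 users get ProFTPD's restrictions rather than a shell. The address 203.0.113.10, the passive port range and the authorized-keys path are assumptions; one thing worth checking against the snippet in the first post is that SFTPEngine and Port 2222 are not sitting directly in the main server context, because then the main server itself is the SFTP listener and nothing is left serving FTP on 21.

```apacheconf
# Main server context: plain FTP on the standard control port.
# (Authentication, DefaultRoot and similar global settings omitted.)
ServerName   "FTP + SFTP host"
Port         21
# Passive-mode data ports; the firewall must allow this range too.
# Range is an assumption, pick one that suits the server.
PassivePorts 49152 50000

LoadModule mod_sftp.c
<IfModule mod_sftp.c>
  # Placeholder address; use the server's real public IP here.
  <VirtualHost 203.0.113.10>
    ServerName  "SFTP (ProFTPD)"
    SFTPEngine  on
    Port        2222
    SFTPLog     /var/log/proftpd/sftp.log

    # Same host key files OpenSSH uses, so clients see one fingerprint.
    SFTPHostKey /etc/ssh/ssh_host_rsa_key

    # Per-user public keys (path is an assumption); password auth
    # still works for users without a key.
    SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys
  </VirtualHost>
</IfModule>
```

After editing, `proftpd -t` checks the syntax before a restart, and `ss -tlnp | grep proftpd` should then show both :21 and :2222 bound.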

OK, good to know, but my main issue is I need FTP on port 22 as well as SFTP. How do I set that up?

Port 22 is ssh. FTP never runs on 22. You already have the usual default FTP ports (20/21) offering FTP and FTPS. There’s no reason to put FTP on port 22. Just allow your client to connect to the standard FTP ports.

Sorry, typo, meant FTP on port 21. Port 21 seems to be closed:

$  nmap -p 21 domain.tld

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-05 23:46 BST
Nmap scan report for tvpp.tv (213.171.x.x)
Host is up (0.013s latency).
rDNS record for 213.171.204.107: mysever.live-servers.net

PORT   STATE  SERVICE
21/tcp closed ftp

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

I think the firewall is correct, I have

-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

And like I said, it's odd because it was working fine before the reboot. The last time the proftpd config files were changed was a month ago.

Sounds possibly like the firewall, if the ProFTPD service is running OK.

From a prompt, sudo netstat -tulnp | grep ":21" - does it show anything listening, bound to the port?

What’s your output of iptables -nvL INPUT --line ? Also what’s your output of sudo cat /etc/sysconfig/iptables ?

Check Webmin > Networking > Linux Firewall for a TCP 22 accept rule. In /etc/sysconfig/iptables you should have a line

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

which AIUI is generated by Webmin; other rules can then supersede. Same goes for ip6tables if you’re dual stack.

Check Webmin > Networking > FirewallD ; can you see an ftp service listed in public? And does it say “public (default)” in the dropdown?

If you’re running fail2ban, have you checked to make sure you’ve not inadvertently tripped a ban on your own IP?

  • fail2ban-client status proftpd
  • sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk -F[\ \:] '{print $19,$17}' | sort | uniq -c | sort -n
  • sudo zgrep -E "Ban |Unban " /var/log/fail2ban.log* (messier output, quicker)
    (or just put your IP inside quotes, e.g. "165.227.42.106")