FTP and SFTP for ProFTPD

Hi, got a bit of a strange one. I rebooted our server and it used to have FTP and SFTP both working, now only SFTP works (we need FTP for legacy reasons, not ideal but such is life).

We are using ProFTPD. I looked at the config gile and I am now even more confused, its has

LoadModule mod_sftp.c
<IfModule mod_sftp.c>

    SFTPEngine on
    Port <default port 2222 but free to change>
    SFTPLog /var/log/proftpd/sftp.log

    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key

Which is odd as we re using 22 and it seems to be working fine.

Anyway, that aside is there something I can add to emable FTP on port 21?

Or do I use another service (i.e. vsftpd) to do FTP on 21? Can I run both as the same time?


ProFTPd offers SFTP on 2222 (and FTPS on the usual ports). OpenSSH runs on 22 and also happens to offers to offer SFTP, but its primary purpose is for ssh access…the two can’t share the port, so ProFTPd goes on 2222.

If you need the controls that ProFTPd provides (like not allowing running programs) you need to direct users to 2222 or FTPS and don’t give them an SSH login account.

OK, good to know but my main issue is I need FTP on port 22 as well as SFTP. How do I set that up.

Port 22 is ssh. FTP never runs on 22. You already have the usual default FTP ports (20/21) offering FTP and FTPS. There’s no reason to put FTP on port 22. Just allow your client to connect to the standard FTP ports.

Sorry, typo, meant FTP on port 21. port 21 seems to be closed

$  nmap -p 21 domain.tld

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-05 23:46 BST
Nmap scan report for tvpp.tv (213.171.x.x)
Host is up (0.013s latency).
rDNS record for mysever.live-servers.net

21/tcp closed ftp

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Think firewall is correct, I have

-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

And like I said, its odd because it was working fine before reboot. Last time the proftpd config files were shanged was a month ago.

Sounds possibly like firewall, if ProFTPD service is running OK.

From a prompt, sudo netstat -tulnp | grep ":21" - does it show anything listening bound to the port?

What’s your output of iptables -nvL INPUT --line ? Also what’s your output of sudo cat /etc/sysconfig/iptables ?

Check Webmin > Networking > Linux Firewall for a TCP 22 accept rule. In /etc/sysconfig/iptables you should have a line

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

which AIUI is generated by Webmin; other rules can then supercede. Same goes for ip6tables if you’re dual stack.

Check Webmin > Networking > FirewallD ; can you see an ftp service listed in public? And does it say “public (default)” in the dropdown?

If you’re running fail2ban, have you checked to make sure you’ve not inadvertently tripped a ban on your own IP?

  • fail2ban-client status proftpd
  • sudo zgrep -h "Ban " /var/log/fail2ban.log* | awk -F[\ \:] '{print $19,$17}' | sort | uniq -c | sort -n
  • sudo zgrep -E "Ban |Unban " /var/log/fail2ban.log* (messier output, quicker)
    (or just put your IP inside quotes, e.g. "")
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.