SYSTEM INFORMATION | |
---|---|
OS type and version: | Centos 8.4.2105 |
Webmin version: | 1.973 |
Virtualmin version: | 6.16 |
Related products version: | ProFTPD Version 1.3.6e |
I have multiple virtualmin servers, but only this server does not run proftpd. I diagnose proftpd might be reinstalled after running install script. What can I do to make proftpd running again?
# systemctl status proftpd
● proftpd.service - ProFTPD FTP Server
Loaded: loaded (/usr/lib/systemd/system/proftpd.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Mon 2021-07-19 13:34:31 WIB; 19min ago
Process: 1593873 ExecStart=/usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 1593871 ExecStartPre=/usr/sbin/proftpd --configtest (code=exited, status=0/SUCCESS)
Main PID: 1593873 (code=exited, status=0/SUCCESS)
[1593871]: 2021-07-19 13:34:31,186 proftpd[1593871] my.domain.com: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/proftpd/ssh_host_rsa_key', exiting
[1]: Started ProFTPD FTP Server.
[1593873]: 2021-07-19 13:34:31,200 my.domain.com proftpd[1593873]: processing configuration directory '/etc/proftpd/conf.d'
[1593873]: 2021-07-19 13:34:31,200 my.domain.com proftpd[1593873]: mod_dso/0.5: unable to load 'mod_tls.c'; check to see if '/usr/libexec/proftpd/mod_tls.la' exists
[1593873]: 2021-07-19 13:34:31,200 my.domain.com proftpd[1593873]: mod_dso/0.5: module 'mod_tls.c' already loaded
[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: detected OpenSSH-encoded private SFTPHostKey '/etc/proftpd/ssh_host_rsa_key'; use `ssh-keygen -e -m PEM -f /etc/proftpd/ssh_host_rsa_key` to convert to supported PEM-encoded key
[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: error reading passphrase for SFTPHostKey '/etc/proftpd/ssh_host_rsa_key': (unknown)
[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/proftpd/ssh_host_rsa_key', exiting
I tried to remove and reinstall proftpd after this happened.
Tried to run ssh-keygen -e -m PEM -f /etc/proftpd/ssh_host_rsa_key as suggested on systemctl status above, but that recommendation still show up.
Tried to copy proftpd.conf from working server. conf file below.
Tried to disable any mod_tls related by commenting it on modules.conf and commenting all enable TLS lines on /etc/proftpd/conf.d/virtualmin.conf
It appears that proftpd is not using conf from /etc/proftpd/proftpd.conf but instead from /etc/proftpd.conf
proftpd.conf content:
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName "Debian"
# Set to inetd only if you would run proftpd by inetd/xinetd.
# Read README.Debian for more information on proper configuration.
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
# DefaultRoot ~
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534
# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4
# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nobody
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on
# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf
#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
# Include other custom configuration files
Include /etc/proftpd/conf.d
<Global>
</Global>
virtualmin.conf content:
# chroot users into their home by default
DefaultRoot ~
# Enable TLS
#LoadModule mod_tls.c
#TLSEngine on
#TLSRequired off
#TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile /etc/pki/tls/private/proftpd.pem
#TLSOptions NoCertRequest NoSessionReuseRequired
#TLSVerifyClient off
#TLSLog /var/log/proftpd/tls.log
#<IfModule mod_tls_shmcache.c>
# TLSSessionCache shm:/file=/var/run/proftpd/sesscache
#</IfModule>
# VirtualHost for SFTP (FTP over SSH) port
LoadModule mod_sftp.c
<VirtualHost 0.0.0.0>
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
# Configure the server to listen on 2222 (openssh owns 22)
Port 2222
# Configure the RSA and ECDSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/proftpd/ssh_host_rsa_key
SFTPHostKey /etc/proftpd/ssh_host_ecdsa_key
# Configure the file used for comparing authorized public keys of users.
SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys
# Enable compression
SFTPCompression delayed
# More then FTP max logins, as there are more ways to authenticate
# using SSH2.
MaxLoginAttempts 6
</VirtualHost>