Proftpd not opening port 21

SYSTEM INFORMATION
OS type and version: Centos 8.4.2105
Webmin version: 1.973
Virtualmin version: 6.16
Related products version: ProFTPD Version 1.3.6e

I have multiple Virtualmin servers, but only this server does not run proftpd. I diagnose proftpd might have been reinstalled after running the install script. What can I do to make proftpd run again?

# systemctl status proftpd
● proftpd.service - ProFTPD FTP Server
   Loaded: loaded (/usr/lib/systemd/system/proftpd.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Mon 2021-07-19 13:34:31 WIB; 19min ago
  Process: 1593873 ExecStart=/usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1593871 ExecStartPre=/usr/sbin/proftpd --configtest (code=exited, status=0/SUCCESS)
 Main PID: 1593873 (code=exited, status=0/SUCCESS)
[1593871]: 2021-07-19 13:34:31,186 proftpd[1593871] my.domain.com: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/proftpd/ssh_host_rsa_key', exiting
[1]: Started ProFTPD FTP Server.
[1593873]: 2021-07-19 13:34:31,200 my.domain.com proftpd[1593873]: processing configuration directory '/etc/proftpd/conf.d'
[1593873]: 2021-07-19 13:34:31,200 my.domain.com proftpd[1593873]: mod_dso/0.5: unable to load 'mod_tls.c'; check to see if '/usr/libexec/proftpd/mod_tls.la' exists
[1593873]: 2021-07-19 13:34:31,200 my.domain.com proftpd[1593873]: mod_dso/0.5: module 'mod_tls.c' already loaded
[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: detected OpenSSH-encoded private SFTPHostKey '/etc/proftpd/ssh_host_rsa_key'; use `ssh-keygen -e -m PEM -f /etc/proftpd/ssh_host_rsa_key` to convert to supported PEM-encoded key
[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: error reading passphrase for SFTPHostKey '/etc/proftpd/ssh_host_rsa_key': (unknown)
[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/proftpd/ssh_host_rsa_key', exiting

I tried to remove and reinstall proftpd after this happened.
Tried to run ssh-keygen -e -m PEM -f /etc/proftpd/ssh_host_rsa_key as suggested in the systemctl status output above, but that recommendation still shows up.
Tried to copy proftpd.conf from a working server. Conf file below.
Tried to disable anything mod_tls related by commenting it out in modules.conf and commenting out all the Enable TLS lines in /etc/proftpd/conf.d/virtualmin.conf

It appears that proftpd is not using the conf from /etc/proftpd/proftpd.conf but instead the one from /etc/proftpd.conf

proftpd.conf content:

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
# 

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6				on
# If set on you can experience a longer connection delay in many cases.
IdentLookups			off

ServerName			"Debian"
# Set to inetd only if you would run proftpd by inetd/xinetd.
# Read README.Debian for more information on proper configuration.
ServerType				standalone
DeferWelcome			off

MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on

TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200

DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"

DenyFilter			\*.*/

# Use this to jail all users in their homes 
# DefaultRoot			~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell		off

# Port 21 is the standard FTP port.
Port				21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress		1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				nobody
Group				nobody

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				022  022
# Normally, we want files to be overwriteable.
AllowOverwrite			on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd		off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder			mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile			off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime.  If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default. 
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell		off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayChdir		.message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>

# Include other custom configuration files
Include /etc/proftpd/conf.d
<Global>
</Global>

virtualmin.conf content:

# chroot users into their home by default
DefaultRoot ~

# Enable TLS
#LoadModule mod_tls.c
#TLSEngine                     on
#TLSRequired                   off
#TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile      /etc/pki/tls/private/proftpd.pem
#TLSOptions                    NoCertRequest NoSessionReuseRequired
#TLSVerifyClient               off
#TLSLog                        /var/log/proftpd/tls.log
#<IfModule mod_tls_shmcache.c>
#  TLSSessionCache             shm:/file=/var/run/proftpd/sesscache
#</IfModule>

# VirtualHost for SFTP (FTP over SSH) port
LoadModule mod_sftp.c
<VirtualHost 0.0.0.0>
  SFTPEngine on
  SFTPLog /var/log/proftpd/sftp.log

  # Configure the server to listen on 2222 (openssh owns 22)
  Port 2222

  # Configure the RSA and ECDSA host keys, using the same host key
  # files that OpenSSH uses.
  SFTPHostKey /etc/proftpd/ssh_host_rsa_key
  SFTPHostKey /etc/proftpd/ssh_host_ecdsa_key

  # Configure the file used for comparing authorized public keys of users.
  SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

  # Enable compression
  SFTPCompression delayed

  # More then FTP max logins, as there are more ways to authenticate
  # using SSH2.
  MaxLoginAttempts 6
</VirtualHost>
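
Added example (not part of the original posts, and not Virtualmin or ProFTPD code): `ssh-keygen -e` only prints a public key and leaves the key file untouched, so the file named in the log above can still carry the OpenSSH armor that mod_sftp reports. This script lists the encoding of every SFTPHostKey in a config; the temp directory, the header-only stand-in key files and the function names are constructed for the demo.

```shell
#!/bin/sh
# Classify the private-key encoding of each SFTPHostKey in a ProFTPD config
# by reading the armor line at the top of the key file.

# Print SFTPHostKey paths from a config file; commented-out lines are skipped
# because their first field is "#" or "#SFTPHostKey".
sftp_host_keys() {
    awk 'tolower($1) == "sftphostkey" { print $2 }' "$1"
}

# Print one of: openssh, pem, pkcs8, unknown, unreadable.
key_format() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    IFS= read -r kf_first < "$1" || true   # read still fills the variable at EOF
    case "$kf_first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|\
        "-----BEGIN DSA PRIVATE KEY-----")     echo pem ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----")
                                               echo pkcs8 ;;
        *)                                     echo unknown ;;
    esac
}

# Report "<format> <path>" per host key; return 1 if any key is OpenSSH-encoded.
audit_config() {
    ac_rc=0
    for ac_key in $(sftp_host_keys "$1"); do
        ac_fmt=$(key_format "$ac_key")
        printf '%s\t%s\n' "$ac_fmt" "$ac_key"
        if [ "$ac_fmt" = openssh ]; then ac_rc=1; fi
    done
    return $ac_rc
}

# Constructed sample: header-only stand-ins, not real keys.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo/ssh_host_rsa_key"
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----'      > "$demo/ssh_host_ecdsa_key"
cat > "$demo/virtualmin.conf" <<EOF
<VirtualHost 0.0.0.0>
  SFTPEngine on
  SFTPHostKey $demo/ssh_host_rsa_key
  SFTPHostKey $demo/ssh_host_ecdsa_key
  # SFTPHostKey $demo/commented_out_key
</VirtualHost>
EOF
audit_config "$demo/virtualmin.conf" || echo "OpenSSH-encoded host key found"
```

A key reported as `openssh` is the case that `ssh-keygen -p -m PEM -f <key>` rewrites in place as PEM, so back the file up before running it.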

bump. Is there any way to revert proftpd to standard virtualmin configuration?

Yes.

I diagnose proftpd might have been reinstalled after running the install script. What can I do to make proftpd run again?

Try running:

virtualmin config-system -i ProFTPd

After running this command and restarting proftpd, systemctl status proftpd still shows the same error as in the first post.

virtualmin config-system does not revert anything. It only applies the options we normally change during install.

You have to get to a default configuration first, before running any virtualmin-config commands.

I have tried to copy the configuration from another Virtualmin install that does not change the FTP settings, but proftpd is still unable to run.

I don’t understand, so I am asking, even if I can’t help you, to have clear info about the error!

You write unable to run, but in the first topic it says that it is started.

[1]: Started ProFTPD FTP Server.

Only these errors stay, as you wrote more times?

[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: detected OpenSSH-encoded private SFTPHostKey '/etc/proftpd/ssh_host_rsa_key'; use `ssh-keygen -e -m PEM -f /etc/proftpd/ssh_host_rsa_key` to convert to supported PEM-encoded key
[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: error reading passphrase for SFTPHostKey '/etc/proftpd/ssh_host_rsa_key': (unknown)
[1593873]: 2021-07-19 13:34:31,204 my.domain.com proftpd[1593873] my.domain.com: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/proftpd/ssh_host_rsa_key', exiting

So is this the situation at this moment: proftpd running, but with those errors?

Or are the log files different now?

Also, that is all different from the topic title, which says proftpd is not opening port 21?

The forum spam filter did hide my reply.
In short, in the first topic your log says it is started and running; the only problem is to connect, with the certs / keys.
So proftpd itself is not unable to run…
So look for the paths in the config files.

Yes no LE cert and so on

Also, the topic title could be wrong; you say not opening port 21? :wink:
