# Can't access FTP on linux server



## newtekie1 (Feb 16, 2010)

*Can't access FTP on linux server*

I just set up Proftpd on my kubuntu server, I think I configured everything properly, but I can't access the FTP server from anything but localhost. 

When I'm on the linux server, I can fire up filezilla, and connect to the FTP by going to localhost.  However, I cannot access the server by going to the computer's IP.  I also can't connect to the server from any other computers on the network using the IP.

It seems that proftpd is bound to only allow connections from localhost, and I'm sure it is just some line in a config file somewhere that I can't find, at least I hope.

Anyone have any insight?

Thanks in advance.


----------



## DirectorC (Feb 16, 2010)

Ports forwarded?


----------



## newtekie1 (Feb 16, 2010)

There's really nothing to forward ports though, the linux server doesn't have a firewall (that I'm aware of), and I'm staying inside my local network right now.


----------



## DirectorC (Feb 17, 2010)

I'm pretty sure all Linux distros use iptables (firewall) as default for blocking external access.  I would be scared if they don't.

Did you read this? http://ubuntuforums.org/showthread.php?t=79588


----------



## Disparia (Feb 17, 2010)

Yup, unless you turned it off, iptables is probably running.

If you don't like long complicated iptable commands, *buntu has UFW/GUFW.


----------



## newtekie1 (Feb 17, 2010)

This is what I get when I run iptables --list.


```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

This is what I get when I run a netstat.

```
tcp        0      0 192.168.1.15:3306       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
```

Shouldn't there be a tcp listing for the ftp also and not a tcp6?


----------



## Easy Rhino (Feb 17, 2010)

i use ubuntu server and proftpd and i didn't have to touch anything inside of the OS. i only had to forward port 21 and set up passive ports to forward as well. come to think of it you may have to set those up. they can be anything, i suggest 65500 - 65510 (if you only need 10 concurrent connections). also, have you set your masquerade address to your external ip? you set that stuff up in the proftpd.conf file


----------



## newtekie1 (Feb 17, 2010)

I didn't set up the Masquerade address, I assumed that was only if I wanted to use passive mode.

Maybe that is part of the problem.  I wonder if filezilla is trying to use passive mode, which I haven't set up.

When I try to connect with filezilla I get a 500 error, when I try to connect with IE it seems to connect and ask for a logon, but the logon doesn't work...

Anyway, I gave up on this for the night, I'll try some more suggestions when I get back to work tomorrow.  

Still open for other suggestions though.


----------



## Easy Rhino (Feb 17, 2010)

newtekie1 said:


> I didn't set up the Masquerade address, I assumed that was only if I wanted to use passive mode.
> 
> Maybe that is part of the problem.  I wonder if filezilla is trying to use passive mode, which I haven't set up.
> 
> ...



if your router has a firewall then you have to use passive mode.


----------



## newtekie1 (Feb 17, 2010)

Easy Rhino said:


> if your router has a firewall then you have to use passive mode.



Right now I'm not going through the router, everything is staying on the internal network.  I shouldn't need passive mode for that, should I?


----------



## Clement (Feb 17, 2010)

newtekie1 said:


> I didn't set up the Masquerade address, I assumed that was only if I wanted to use passive mode.
> 
> Maybe that is part of the problem.  I wonder if filezilla is trying to use passive mode, which I haven't set up.
> 
> ...



Filezilla by default AFAIK will auto negotiate the transfer mode. You will only have to change this if the default is not successful at getting an answer from the ftp server. If you wish to set up passive mode later on your ftp server, your iptables config file will have to be updated further. Let's get it up and running first and we'll move to that after the server is able to take requests from your network.

Please post your ftp server's config files and IPtables config file (usually /etc/sysconfig/iptables) here.


----------



## newtekie1 (Feb 17, 2010)

Proftpd.config

```
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
# 

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6				on
# If set on you can experience a longer connection delay in many cases.
IdentLookups			off

ServerName			"Joomla"
ServerType			standalone
DeferWelcome			on

MultilineRFC2228		on
DefaultServer			off
ShowSymlinks			on

TimeoutNoTransfer		600
TimeoutStalled			100
TimeoutIdle			2200

DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"

DenyFilter			\*.*/

# Use this to jail all users in their homes 
# DefaultRoot			~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell		off

# Port 21 is the standard FTP port.
Port				21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress		192.168.1.15

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				proftpd
Group				nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				022  022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Set /var/www directory as home directory
DefaultRoot /var/www

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /var/www>
Umask 022 022
AllowOverwrite on
	<Limit READ RMD DELE>
      	DenyAll
    	</Limit>

    	<Limit STOR CWD MKD>
      	AllowAll
    	</Limit>
</Directory>

# Normally, we want files to be overwriteable.
AllowOverwrite			on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd		off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder			mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile			off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default. 
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell		off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayChdir		.message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>
```

I couldn't find the iptables file, it was not where you suggested.  However, this is the output when I run an iptables --list command:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```


----------



## Easy Rhino (Feb 17, 2010)

newtekie, just try this. put your external IP address in for masquerade address. restart the server and see what happens. you should be able to connect to it from outside the network.


----------



## newtekie1 (Feb 17, 2010)

Easy Rhino said:


> newtekie, just try this. put your external IP address in for masquerade address. restart the server and see what happens. you should be able to connect to it from outside the network.



I tried that, no good, I'm not trying to access this from outside the network right now though, I can't even access it from inside the network, or even from the linux server itself other than through localhost.

When I try to connect to the server I get:


```
Status:	Connecting to 192.168.1.15:21...
Status:	Connection established, waiting for welcome message...
Response:	500 Sorry, no server available to handle request on ::ffff:192.168.1.15
Error:	Critical error
Error:	Could not connect to server
```


----------



## xrealm20 (Feb 17, 2010)

newtekie1 - go to terminal and type in

sudo ufw status

And tell me what it says.


----------



## newtekie1 (Feb 17, 2010)

Status: inactive


----------



## newtekie1 (Feb 17, 2010)

Figured it out!!!!!!!

I had to add the following to proftpd.config:

```
DefaultAddress                  192.168.1.15
SocketBindTight                 on
```

*THANK YOU TO EVERYONE FOR THE HELP!*


----------
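
An added example, not part of any post in this thread: a Python check that reads `netstat -tln` style lines like the ones posted earlier and reports listeners bound more widely than intended, which is what `DefaultAddress` together with `SocketBindTight on` changes for port 21. The `expected` policy map and the `AFTER` line are assumptions constructed for illustration; on Linux a tcp6 `:::21` listener also serves IPv4 clients when `net.ipv6.bindv6only` is 0, which is why the 500 reply names `::ffff:192.168.1.15`.

```python
import ipaddress

# Constructed sample: the listener lines quoted in the thread.
BEFORE = """\
tcp        0      0 192.168.1.15:3306       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
"""
# Constructed line (assumption): port 21 bound only to the LAN address.
AFTER = "tcp        0      0 192.168.1.15:21         0.0.0.0:*               LISTEN\n"

def parse_listeners(text):
    """Yield (address, port) for each LISTEN line of `netstat -tln` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # the last colon precedes the port
        yield ipaddress.ip_address(host), int(port)

def scope(addr):
    """Classify how widely a listening address is reachable."""
    if addr.is_unspecified:
        # With net.ipv6.bindv6only=0 (the Linux default) a tcp6 wildcard socket
        # also accepts IPv4 clients, seen by the daemon as ::ffff:a.b.c.d.
        return "all interfaces, IPv4 and IPv6" if addr.version == 6 else "all interfaces, IPv4"
    return "loopback only" if addr.is_loopback else "single address"

def audit(text, expected):
    """Return (port, bound, scope, wanted); `expected` is a hypothetical port -> address map."""
    findings = []
    for addr, port in parse_listeners(text):
        wanted = expected.get(port)
        if wanted and addr != ipaddress.ip_address(wanted):
            findings.append((port, str(addr), scope(addr), wanted))
    return findings

def normalize_peer(text):
    """Turn an IPv4-mapped IPv6 address, as in the 500 reply, back into IPv4."""
    addr = ipaddress.ip_address(text)
    return str(getattr(addr, "ipv4_mapped", None) or addr)

if __name__ == "__main__":
    for finding in audit(BEFORE, {21: "192.168.1.15"}):
        print("port %d bound to %s (%s), expected %s" % finding)
```

The same audit can cover the other services in the listing by adding their ports to the policy map, for example to confirm that a database port stays off the wildcard address.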



## DirectorC (Feb 17, 2010)

Awesome


----------



## xrealm20 (Feb 17, 2010)

Good -- glad to know that you got it working - 

You may want to enable ufw at some point if your system isn't behind a firewall - just fyi.


----------



## newtekie1 (Feb 17, 2010)

xrealm20 said:


> Good -- glad to know that you got it working -
> 
> You may want to enable ufw at some point if your system isn't behind a firewall - just fyi.



It's behind a hardware firewall.


----------



## xrealm20 (Feb 17, 2010)

ok, perfect -- just making sure.


----------



## Easy Rhino (Feb 17, 2010)

newtekie1 said:


> Figured it out!!!!!!!
> 
> I had to add the following to proftpd.config:
> 
> ...




of course it is that simple


----------



## newtekie1 (Feb 17, 2010)

Easy Rhino said:


> of course it is that simple



I know, the entire time all that was running through my mind was that line from OfficeSpace...



> I must have put a decimal point in the wrong place or something.  I always mess up some mundane detail.


----------



## Easy Rhino (Feb 17, 2010)

newtekie1 said:


> I know, the entire time all that was running through my mind was that line from OfficeSpace...



this wasn't a mundane detail, michael!


----------



## Clement (Feb 18, 2010)

newtekie1 said:


> Figured it out!!!!!!!
> 
> I had to add the following to proftpd.config:
> 
> ...



Congratulations!


----------



## newtekie1 (Feb 18, 2010)

Easy Rhino said:


> this wasn't a mundane detail, michael!



I loved that movie.  I went to school for programming initially too, but decided I didn't want to do it for a living specifically because I would miss those mundane details...



Clement said:


> Congratulations!



Thanks, I'm just glad I got it figured out so my boss won't beat me again...


----------

