Linux - proftpd - can't quite get it happening.



personthingy
31-01-2007, 06:13 PM
Here's the error message when i try to start proftpd on my debian box what connects directly to my cable modem:


server:~# proftpd
- IPv6 getaddrinfo 'server.cable.telstraclear.net' error: Name or service not known
server.cable.telstraclear.net - fatal: Socket operation on non-socket
server:~#

Turning IPv6 support off reduces the error to:


server:~# proftpd
server.cable.telstraclear.net - fatal: Socket operation on non-socket
server:~#


Going to ftp://203.97.119.70 or any of the domains i have pointing to my server simply produces a time out error.

"man proftpd" doesn't say anything that i can see as being helpful to me..

I'm running with the standard proftpd.conf file with the exception of:



ServerName "something.net.nz"



Can anyone tell me what i am doing wrong?

What i'd like to be able to do is log in as a user recognized by my server, and be able to alter the files in ~/relevant_user/pub, thus affecting the website served.

stu161204
31-01-2007, 06:20 PM
Is your cable modem set up to pass the FTP thru to your server? & have you tried your IP address as the server name?

personthingy
31-01-2007, 06:26 PM
I don't think there is an additional problem with the outside world not being able to see in.
Although for all i know there could be.


I get the same time out errors if i go to ftp://192.168.0.1 from other computers on my LAN

personthingy
31-01-2007, 07:05 PM
A symbolic link to the full .conf file is here:

http://www.something.net.nz/proftpd.conf
(saves me updating this thread with every failed modification)

I've renamed the servername to "server" as that is my server's somewhat unimaginative name

Chilling_Silence
31-01-2007, 10:30 PM
You probably won't be able to FTP into yourself

If you're going to do that, FTP to your LAN IP address and not your Internet IP Address.

Get somebody else, a friend on MSN/Jabber/Icq to test for you that the port-forwarding works. From there, you should be able to configure / test it / set it up the way you want it by FTP'ing into your LAN IP.

Some routers / modems just get confused when an internal IP address tries to go out into the world wide web, then come back in and get the data port-forwarded around.. just seems to get them all muddled up :(

personthingy
01-02-2007, 07:25 AM
You probably won't be able to FTP into yourself

If you're going to do that, FTP to your LAN IP address and not your Internet IP Address.
I'm attempting to use FTP from "debs" to access and alter files on "server".

Current set up is:

Cable modem ----- "server" (203.97.119.70 or 192.168.0.1 a gui-less debian box) --- switch --- other machines on the LAN, including "debs" my Mepis box, where i am now.



Some routers / modems just get confused when an internal IP address tries to go out into the world wide web, then come back in and get the data port-forwarded around.. just seems to get them all muddled up :(

Yesh well.. When i go to http://192.168.0.1/ it takes me to the folder that php admin lives at, but when i go to http://203.97.119.70/ it takes me to Bletch's chatf1. It seems that the cable modem has no issues with sending 203.97.119.70 back to server, but the server responds a little differently to requests from the LAN or internet. Not that this is relevant to FTP requests. -- (i hope)

Either way, i'm testing using ftp://192.168.0.1, and it's still not responding.

Graham L
01-02-2007, 01:20 PM
It should work perfectly within a LAN, but the user "root" will usually not be allowed to use it by default. That's for security. Trying to "externally" access it by going out to the Internet and back in (from the same LAN) usually won't work. That's for efficiency.

personthingy
01-02-2007, 05:17 PM
The point everyone seems to be missing is not that the FTP server is failing to work in the exact way i want it to, but that it is failing to work at all even if i access it from my machine in the next room and go to ftp://192.168.0.1

personthingy
01-02-2007, 11:16 PM
New config file here:
http://www.something.net.nz/proftpd.conf

No reported issues at start up of proftpd anymore.

However, nothing can connect to the ftp server in practice still

It's a great wee www server, just nobody can get into the ftp server.
well, i suppose that adds to security
:p

personthingy
02-02-2007, 09:52 AM
Thinking it might be a firewall issue, i added port 21 to this file
/etc/firestarter/inbound/allow-service

Thus:
FTP 21, everyone, Public FTP
SSH, 22, everyone, Public SSH
HTTP, 80, everyone, Public HTTP
P2P, 6346, everyone,

Still no-one can get at my FTP server that may or may not be running
:(

Graham L
02-02-2007, 09:55 AM
The point everyone seems to be missing is not that the FTP server is failing to work in the exact way i want it to, but that it is failing to work at all even if i access it from my machine in the next room and go to ftp://192.168.0.1

Are you trying to access it as root? That is considered bad practice, and usually disallowed by default these days.

What errors are being logged? That's what the files in /var/log are for. (Use tail on any of those files. The FTP server will have its own error log file(s).)

"It doesn't work" isn't a helpful error message. :D

personthingy
02-02-2007, 11:16 AM
Are you trying to access it as root? That is considered bad practice, and usually disallowed by default these days.

What errors are being logged? That's what the files in /var/log are for. (Use tail on any of those files. The FTP server will have its own error log file(s).)

"It doesn't work" isn't a helpful error message. :D

I've got about 5 minutes before i have to go out again. I'll answer what i can.

No, i'm not logging in as anything, let alone as root. What i am doing is pointing a web browser (konq) at ftp://192.168.0.1, that being the address of the server which is of course in the same building as i, and getting time out messages rather than an opportunity to log in. I have nothing i would want to alter as root via FTP anyway, and yes root access is disabled. Fish is far better for messing around as root.

What i want it to do is let me (or others) log in as a user, and be able to alter or add to the files in ~/pub so as to change the content of the websites that this machine is hosting.

I'll get a chance to look at the error log tonight sometime.
thanks for the pointer
:)

personthingy
01-05-2007, 06:40 PM
Seems that whatever the issue was, it went away when we nuked and rebuilt server!

So all is good now!

Graham L
01-05-2007, 06:45 PM
The browser would have been trying to connect as "anonymous". Of course anonymous access should have been disabled by default, too. That's the "trouble" with systems built with security in mind. :D

personthingy
01-05-2007, 06:52 PM
The browser would have been trying to connect as "anonymous". Of course anonymous access should have been disabled by default, too. That's the "trouble" with systems built with security in mind. :D

Now it simply asks for the user and pass, and the user is jailed in their own account.

Unfortunately, by default proftpd on etch is NOT safe like this, and any user could see anything, just not write to what wasn't theirs....
A simple line needed to be uncommented, so it read as below



# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~


All good now... i think!

Graham L
01-05-2007, 07:01 PM
In some ways, the anonymous user provision was the "safest" mode in a system designed for a trusted environment. That should have the "/public" tree, which could be kept away from all user directories. But to make it properly safe, it was necessary to have local ("safe") versions of many of the system executables, and even the passwd stuff.

It only needs one unsafe implementation of an application which runs with privileges to make the whole system insecure. (FTP should be started by root, but immediately change user to run as ftp, with limited privileges).
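
An added example (not code from any poster in this thread): a small Python audit of a proftpd.conf for the settings discussed above, namely the DefaultRoot jail, anonymous access, root login, and the unprivileged User the daemon switches to after being started by root. The sample config is constructed, and the parser is a simplification that assumes one directive per line and tracks only <Anonymous> sections.

```python
import re

# Constructed sample: a proftpd.conf with the jail line still commented out.
SAMPLE_CONF = """\
ServerName "server"
ServerType standalone
Port 21
User proftpd
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# DefaultRoot ~
<Anonymous ~ftp>
  User ftp
  UserAlias anonymous ftp
</Anonymous>
"""

def parse_directives(text):
    """Return (context, name, args) per active line; context is 'server' or 'anonymous'."""
    context, out = "server", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no active setting
        if re.match(r"<Anonymous\b", line, re.I):
            context = "anonymous"
            out.append(("server", "<Anonymous>", line))
        elif re.match(r"</Anonymous>", line, re.I):
            context = "server"
        elif not line.startswith("<"):
            parts = line.split(None, 1) + [""]
            out.append((context, parts[0].lower(), parts[1]))
    return out

def audit(text):
    """List findings for the settings discussed in this thread."""
    server = {n: a for c, n, a in parse_directives(text) if c == "server"}
    findings = []
    if "defaultroot" not in server:
        findings.append("no DefaultRoot: users can browse outside their home directory")
    if "<Anonymous>" in server:
        findings.append("<Anonymous> block active: anonymous logins are accepted")
    if server.get("rootlogin", "off").lower() == "on":
        findings.append("RootLogin on: root may log in over FTP")
    if server.get("user", "root").lower() == "root":
        findings.append("no unprivileged User: daemon keeps root after startup")
    return findings
```

Calling `audit()` on the text of /etc/proftpd/proftpd.conf (path is an assumption; it varies by distribution) returns an empty list when none of these four conditions is found.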

personthingy
01-05-2007, 07:12 PM
Ah.... i suppose that would also depend on precisely what was required of a FTP server.
Mine is so that armed with any external computer, a user can get into ~/pub files, and change what's on their website....

There's currently 3 "public" sites, 2 of mine, CF1, and a possible maybe or three that will possibly never get finished.
For this, we definitely need all users on personalized FTP home detention!
:)

Graham L
01-05-2007, 07:24 PM
I first used FTP to get files from around the world, in the days long before web sites had been dreamed of. I got used to logging in as "anonymous" and entering the password which was my 16 character email address. (The password was typed blind --- no echo -- but it wasn't checked. It was used to keep an eye on who was using the service). Most of the servers were on university mainframes ... mostly about as powerful as an Intel 386. Almost all asked users to avoid the "business hours" of the server, and even then had a limit of 3-10 connected users at once. Big files were usually provided compressed and split into sections of about 300k to fit on individual floppies.

user/password access is "reasonably safe" with the chroot option, but there are some potential holes. You can probably rely on "security by obscurity" to some extent.

personthingy
01-05-2007, 07:44 PM
..... ... mostly about as powerful as an Intel 386.

Here's our server (http://www.something.net.nz/img/server/server_clothed.jpg) Somewhat less glamorous than a mainframe, but several times more powerful than a 386. Actually it's just been pointed out to me that the file size of the pic is more than 300K..
How things change.


user/password access is "reasonably safe" with the chroot option, but there are some potential holes. You can probably rely on "security by obscurity" to some extent.

What pitfalls can you see?

beeswax34
01-05-2007, 10:44 PM
lol, no pitfalls that I can see. Just the usual dirt, grime, trash, loose wires and chance of water seeping in that most of us have to live with. And a sealed user manual for something. Well at least it has plenty of ventilation :D

Chilling_Silence
02-05-2007, 01:26 AM
Bah! What was I saying... if it's giving you that error internally as well then it's got nothing to do with port-forwarding.

Geez I musta been away with the faeries that day :p

Erayd
02-05-2007, 02:38 PM
Not to mention that there's no forwarding involved - the server is connected directly to the net. :D