FTP Banners / Welcome message

[nmiguel]

Hi,

How to change the ftp welcome message to the ftp server ?

Thanks in advance ...

 

[UFHH01]

Hi nmiguel,

if you use ProFTPD on your server, then your configuration file is "/etc/proftpd.conf". Because this configuration file might be overwritten in case of updates/upgrades/patches from Plesk, it is a good idea to add possible modifications in your own file, as for example "/etc/proftpd.d/own_proftpd_modifications.conf", because all config - files in "/etc/proftpd.d/*" will be included, as you can see in your "/etc/proftpd.conf":

...
Include /etc/proftpd.d/*.conf

After creating your own configuration file, please have a look at the ProFTPD - documentation, to see possible directives:

http://www.proftpd.org/docs/directives/linked/config_ref_AccessGrantMsg.html

Example: AccessGrantMsg "Guest access granted for %u."​

http://www.proftpd.org/docs/directives/linked/config_ref_AccessDenyMsg.html

Example: AccessDenyMsg "Guest access denied for %u."​

or see all possible directives at: http://www.proftpd.org/docs/directives/configuration_full.html


Another usefull modification is to use:

    # Allow resuming file uploads with ProFTPD
    AllowStoreRestart        on

 

[nmiguel]

Hi UFHH01,

Not working.

For first try i edit the file /etc/proftpd.conf and add the lines:

AccessGrantMsg "Guest access granted for %u."
AccessDenyMsg "Guest access denied for %u."

saved and restart the servisse with /etc/init.d/xinetd restart .

nothing changes in the ftp acess

Thanks

 

[UFHH01]

Hi nmiguel,

sorry, I can't confirm your issue, nor can I reproduce it not to work, when I add your modification, just as you described it:

Added at /etc/proftpd.conf , just before "Include /etc/proftpd.d/*.conf":

...
    # Show Message after Login with ProFTPD
    AccessGrantMsg "Access granted for user: %u."
    AccessDenyMsg "Access denied for user: %u."

Include /etc/proftpd.d/*.conf

Restartet internet superserver xinetd with "/etc/init.d/xinetd restart"

Logged in with "FTP_USERNAME_I_USED"

220 ProFTPD 1.3.5a Server (ProFTPD) [XXX.XXX.XXX.XXX]
230 Access granted for user: FTP_USERNAME_I_USED.

( red = changed for security reasons )


Afterwards, after a re-change, I used the modification as well at /etc/proftpd.d/own_proftpd_modifications.conf ... and it worked as well.

 

[nmiguel]

Hi,

After one more try .... no results ...

After modifications, and services restarted:

Microsoft Windows [Versão 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Todos os direitos reservados.

C:\Users\xxxxxx>ftp xxx.xxx.xxx
Ligado a xxx.xxx.xxx.
220 ProFTPD 1.3.5a Server (xxx.xxx.xxx) [xxx.xxx.xxx]
Utilizador (xxx.xxx.xxxnone)): xxx.xxx.xxx
331 Password required for xxx.xxx.xxx
Palavra-passe:
230 User xxx.xxx.xxx logged in
ftp> bye
221 Goodbye.

Note: I'm not using anonymous ftp, i'm using user and pass for login.

Thks

 

[UFHH01]

Hi nmiguel,

for further investigations, please post your complete configuration files

• /etc/xinetd.d/ftp_psa
• /etc/proftpd.conf
• /etc/proftpd.include

and possible *.conf - files from "/etc/proftpd.d"​

... and please add depending log - entries of your login attempts from your logs ( either "/var/log/auth.log" or "/var/log/secure", depending to your operating system ).

 

[trialotto]

@nmiguel (and @UFHH01),

In a post you stated:

For first try i edit the file /etc/proftpd.conf and add the lines:

AccessGrantMsg "Guest access granted for %u."
AccessDenyMsg "Guest access denied for %u."

saved and restart the servisse with /etc/init.d/xinetd restart .

It is not good or not adviceable to edit proftpd.conf: it is preferred that any customization goed in a separate conf file, to be placed in /etc/proftpd.d/.

Any config file of the sort /etc/proftpd.d/<name>.conf will be read by the Include directive (i.e. Include /etc/proftpd.d/*.conf).

It is not necessary to restart xinetd or any other ftp related service: the modified config files become effective from the first new connection onwards.

In your case, you seem to have a "problem" with ftp from the command line and that does not actually mean that you modifications are not working.

Try to check whether the use of, for instance, FileZilla client will give you the intended welcome messages.

If that is the case, than your "problem" is very likely to be related to the verbosity of the ftp command line utility on Windows, i.e. a non-proftpd related issue.

Now, we have some remarkable facts, concerning your ftp command line utility, being the facts that

a) you use a very old command prompt version (version 6.1.7601) and, as such, that can have an impact on the results you get,

b) the old command prompt version is associated with old Windows versions and, as such, your ftp command line utility is not up-to-date, which can explain the results,

c) you have a Portugese setup, which can cause linguistic issues, that can also cause welcome messages not being displayed (this is proftpd related and cannot be fixed easily),

d) you have a message "230 User xxx.xxx.xxx logged in" and it should be "230 User <username> logged in", implying an incorrect or non-standard proftpd config.

Please revert to the standard proftpd configuration and a custom config file in the directory /etc/proftpd.d/ and continue with testing with FileZilla client, to verify setup.

Hope the above helps.

Kind regards....

 

[nmiguel]

Hi UFHH01,

/etc/xinetd.d/ftp_psa :

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST AFTER YOU UPGRADE PARALLELS PLESK PANEL.

service ftp
{
        flags           = IPv6
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        instances       = UNLIMITED
        server          = /usr/sbin/in.proftpd
        server_args     = -c /etc/proftpd.conf
}

/etc/proftpd.conf:

#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD"
#ServerType                     standalone
ServerType                      inetd
DefaultServer                   on

<Global>
DefaultRoot     ~               psacln
AllowOverwrite          on
<IfModule mod_tls.c>
        # common settings for all virtual hosts
        TLSEngine on
        TLSRequired off

        TLSLog /var/log/plesk/ftp_tls.log

        TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
        TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

        # Authenticate clients that want to use FTP over TLS?
        TLSVerifyClient off

        # Allow SSL/TLS renegotiations when the client requests them, but
        # do not force the renegotations.  Some clients do not support
        # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
        # clients will close the data connection, or there will be a timeout
        # on an idle data connection.
        TLSRenegotiate none

        # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
        # that reuse the SSL session of the control connection, as a security measure.
        # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
        TLSOptions NoSessionReuseRequired
</IfModule>
</Global>

DefaultTransferMode     binary
UseFtpUsers                     on

TimesGMT                        off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd/scoreboard

# Primary log file mest be outside of system logrotate province

TransferLog /var/log/plesk/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
        GroupOwner      psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off
ServerIdent off

AuthGroupFile   /etc/group

# Show Message after Login with ProFTPD
AccessGrantMsg "Access granted for user: %u."
AccessDenyMsg "Access denied for user: %u."

Include /etc/proftpd.d/*.conf

/etc/proftpd.include - Don't have that !!!

In "/etc/proftpd.d" i have:

50-plesk.conf and ssl.conf .

50-plesk.conf :

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

# Global section
<Global>
<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired off
</IfModule>
</Global>

#Section for xxxxxxxxxxxxx.xxx
<VirtualHost xxx.xxx.xxx.xxx>
ServerName "ftp.xxxxxxxxxxxxx.xxx"

<IfModule mod_cap.c>
    CapabilitiesSet +CAP_CHOWN +CAP_FOWNER
</IfModule>
AuthPAMConfig proftpd
TransferLog /var/log/plesk/xferlog
AllowOverwrite on
<Limit LOGIN>
    Order allow, deny
    AllowGroup psacln
    Deny from all
</Limit>
UserAlias anonymous psaftp
<Anonymous /var/www/vhosts/xxxxxxxxxxxxx.xxx/anon_ftp>
    TransferLog /var/www/vhosts/system/xxxxxxxxxxxxx.xxx/logs/xferlog
    RequireValidShell off
    User psaftp
    Group psaftp
    <Limit LOGIN>
        AllowAll
    </Limit>
    <Limit WRITE>
        DenyAll
    </Limit>

    <Directory incoming>
        UserOwner xxxxxxxxxxxxx
        Umask 022 002
        <Limit STOR>
            DenyAll
        </Limit>
        <Limit WRITE>
            DenyAll
        </Limit>
        <Limit READ>
            DenyAll
        </Limit>
        <Limit MKD XMKD>
            DenyAll
        </Limit>
    </Directory>
</Anonymous>
</VirtualHost>

ssl.conf:

<IfModule mod_tls.c>
    TLSCipherSuite HIGH:!aNULL:!MD5
    TLSProtocol TLSv1 TLSv1.1 TLSv1.2
</IfModule>

In logfile "/var/log/secure" (OS is CentOS release 6.7 (Final) and Plesk is psa-12.5.30-cos6.build1205150826.19.x86_64)

Oct 25 xx:27:09 xxxxxx proftpd: pam_listfile(proftpd:auth): Couldn't open /etc/ftpusers
Oct 25 xx:27:10 xxxxxx proftpd: pam_unix(proftpd:session): session opened for user xxxxxx by (uid=0)
Oct 25 xx:27:10 xxxxxx proftpd[17484]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - USER xxxxxx: Login successful.

Thanks for your time

 

[nmiguel]

@nmiguel (and @UFHH01),

In a post you stated:



It is not good or not adviceable to edit proftpd.conf: it is preferred that any customization goed in a separate conf file, to be placed in /etc/proftpd.d/.

Any config file of the sort /etc/proftpd.d/<name>.conf will be read by the Include directive (i.e. Include /etc/proftpd.d/*.conf).

It is not necessary to restart xinetd or any other ftp related service: the modified config files become effective from the first new connection onwards.

In your case, you seem to have a "problem" with ftp from the command line and that does not actually mean that you modifications are not working.

Try to check whether the use of, for instance, FileZilla client will give you the intended welcome messages.

If that is the case, than your "problem" is very likely to be related to the verbosity of the ftp command line utility on Windows, i.e. a non-proftpd related issue.

Now, we have some remarkable facts, concerning your ftp command line utility, being the facts that

a) you use a very old command prompt version (version 6.1.7601) and, as such, that can have an impact on the results you get,

b) the old command prompt version is associated with old Windows versions and, as such, your ftp command line utility is not up-to-date, which can explain the results,

c) you have a Portugese setup, which can cause linguistic issues, that can also cause welcome messages not being displayed (this is proftpd related and cannot be fixed easily),

d) you have a message "230 User xxx.xxx.xxx logged in" and it should be "230 User <username> logged in", implying an incorrect or non-standard proftpd config.

Please revert to the standard proftpd configuration and a custom config file in the directory /etc/proftpd.d/ and continue with testing with FileZilla client, to verify setup.

Hope the above helps.

Kind regards....

Hi trialotto,

I posted the print from the Windows command line but i also test with FileZilla and it's the same thing !!!

Yes, i have a portuguese setup in the client side, because i' from Portugal, and the clients acessing in that ftp server also have there systems / ftp clients in portuguese.

The ftp server have the default configuration made by plesk (it's a new VPS with CentOS and Plesk 12.5 webadmin).

Thanks

 

[trialotto]

@nmiguel,

Again, you should put

# Show Message after Login with ProFTPD AccessGrantMsg "Access granted for user: %u." AccessDenyMsg "Access denied for user: %u."

in a separate config file in the directory /etc/proftpd.d/, as might be clear from the text in proftpd.conf:

#Following part of this config file were generate by PSA automatically #Any changes in this part will be overwritten by next manipulation #with Anonymous FTP feature in PSA control panel.

In general, you can expect proftpd.conf with the custom config file to behave the same, as it would in your current setup.

It seems to be the case that 50-plesk.conf is the cause of the issue(s), please do the following

- run "mv 50-plesk.conf 50-plesk.conf.old",

- create /etc/proftpd.d/custom.conf and add

# Show Message after Login with ProFTPD
AccessGrantMsg "Access granted for user: %u."
AccessDenyMsg "Access denied for user: %u."

- try to connect another time, in order to analyse whether the issue persists.

Kind regards....

 

[trialotto]

@nmiguel,

I forgot to mention something in the steps to follow: the renaming of 50-plesk.conf to 50-plesk.conf.old will result in the creation of a new 50-plesk.conf file, if a domain is created.

The second step, which I seem to have forgotten, should be the creation of a new test domain, by preference a subdomain test.<domain>.<tld>.

The result would be a 50-plesk.conf with the lines:

# Global section
<Global>
<IfModule mod_tls.c>
TLSEngine on
TLSRequired off
</IfModule>
</Global>

And that should be all: with those lines in place AND the custom.conf file (with the intended messages specified), you should have the message: "230 Access granted for user: ..."

In short, you can also manually create or modify a 50-plesk.conf file, in order to continue with testing.

Kind regards.....

 

[nmiguel]

Hi trialotto,

For now works like a charm ...

Many thanks to both.

 

[nmiguel]

Hi,

Just a update ... in Filezilla 3.14.1 (last version) the software uses a connection with TLS and don't show ftp banners ... any ideias ?

Thanks

 

[trialotto]

Hi trialotto,

For now works like a charm ...

Many thanks to both.

A "best answer" or a "Like" would be appreciated, but besides that, no thanks, no problem!

 

[trialotto]

Hi,

Just a update ... in Filezilla 3.14.1 (last version) the software uses a connection with TLS and don't show ftp banners ... any ideias ?

Thanks

Ah, that little "thing" is very likely related to the way FileZilla likes to select the connection method: use TLS if available.

Do you get a connection with FileZilla? Or does it get stuck when retrieving the directory list?

Anyway, as far as I know, FileZilla is receiving the messages and it can be the case the message is not" transferred" to the log window, i.e. the messages are suppressed.

This has been a FileZilla bug in the past and I am not sure whether the current status is "bug or choice".

However, it does not really matter for you, since the ftp server is sending out the intended messages, as you have verified with the ftp command line utility.

Regards....

 

[nmiguel]

Hi trialotto,

I'm new on forum so who to select the answer as best answer ?!

About ftp .... dahhh ... in Filezilla old version connects and works fine. In the new version works fine but supress all banners. In other ftp clientes works fine (tested listing and file transfer) but in Windows command line (Win 7 Pro) works fine the banners and login but after if i do a ls it stuck and after that shows:

200 PORT command successful
425 Unable to build data connection: Connection timed out

What to do ?!

Thanks

 

[trialotto]

@nmiguel,

Well, you mention two separate issues: one is (apparently) the bug in the latest version of FileZilla (i.e. message suppression) and the other is the connection time-out.

Let´s forget the FileZilla "bug", for the sake of convenience.

The message

425 Unable to build data connection: Connection timed out

is related to

a) active/passive connection issues, requiring you to switch from active to passive (or vice versa), OR

b) firewall related issues on the remote (ftp) server, OR

c) firewall related issues, concerning the local (ftp) client.

In your case, option c. No doubt about that.

Normally, Windows would ask you immediately whether you want to allow the connection through the firewall, but I suppose it didn´t in your case.

For that reason, you have to manually "open" the concerning firewall rule, which should be called "File Transfer Program" (if I am not mistaken). Do not mess with ports, just allow that specific program and retry. Also note that it is not actually required to open anything, you can always use FileZilla or other ftp clients (they automatically adjust the appropriate firewall rules in Windows, this also being an explanation why you do not encounter problems with other ftp clients).

Hope the above helps.

Kind regards.....

 

[nmiguel]

Hi trialotto,

It's not a ftp client problema because for testing the Windows firewall is off and with other ftp servers works fine !!!

Update:

I have this in log file for the command prompt connection:

proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
proftpd: pam_unix(proftpd:session): session closed for user xxxxxxxxx
proftpd: pam_listfile(proftpd:auth): Couldn't open /etc/ftpusers
proftpd: pam_unix(proftpd:session): session opened for user xxxxxxxxx by (uid=0)

Thanks

 

[trialotto]

@nmiguel,

Trust me, have a look at the Windows firewall or a similar application on your Windows machine.

After all, if all other clients do result in the expected (and proper) behavior, but the ftp command line utility does not, the issue is with ftp.exe and this issue has nothing to do with the remote (ftp) server (and the logs are hence not very useful, they simply state that "something goes wrong").

Naturally, it is very unlikely that ftp.exe itself is the cause, on Windows machines it is the unexpected most of the time. Such as unknown firewall settings, messed up registry entries, etc.

And finally, as I have stated before, use the other ftp clients, if they are working properly.

Regards.....