Proftpd problem

[Jean-PhilippeT]

I'm on version 9.5.2 on centos.

We did an update via yum and after a week the ftp service stopped working, any connections get 530 login incorrect.

I'm quite new to plesk and I wonder if I will get into troubles if I use the plesk update manager after I did a yum updates.

I also wonder if this will fix my problem or if I should look elsewhere.

thx everyone.

 

[IgorG]

http://kb.odin.com/en/4647

 

[Jean-PhilippeT]

thx for the fast reply but I already tried this and it does not seem to be the problem. It affects all users/all domains on the box, not just one user.

any other cue ?

 

[fogelf]

try to reinstall psa-proftpd.

 

[Jean-PhilippeT]

Tried too, problem still.

according to every post I've read everything should be working now.

I probably missed one little thing somewhere.

 

[fogelf]

1. make sures that /etc/proftpd.conf contains directivies
AuthPAM on
AuthPAMConfig proftpd

2.check /etc/pam.d/proftpd, it should be equal with:
-----------------------------------
cat /etc/pam.d/proftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
[root@a10-52-35-213 ~]#
-----------------------------------

 

[Jean-PhilippeT]

Everything seems fine, maybe it's cause I'm on plesk 9.5.2.

here's my proftpd.conf file, afaik everyhting is fine

#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
</Global>
DefaultTransferMode binary
UseFtpUsers on

TimesGMT off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd/scoreboard

# Primary log file mest be outside of system logrotate province

TransferLog /usr/local/psa/var/log/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>

#Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off

AuthGroupFile /etc/group

Include /etc/proftpd.include

# <IfModule mod_tls.c>
# TLSEngine on
# TLSLog /var/log/tls.log
# TLSProtocol SSLv23

# Are clients required to use FTP over TLS?
# TLSRequired off

# Server's certificate
# TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
# TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

# Authenticate clients that want to use FTP over TLS?
# TLSVerifyClient off

# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
# TLSRenegotiate required off
# </IfModule>


thx

 

[fogelf]

Porovide more information, show output of commands:
1. ls -al /etc/xinetd.d/ | grep ftp
2. cat /etc/xinetd.d/ftp_psa

 

[Jean-PhilippeT]

ls -al /etc/xinetd.d/ | grep ftp
-rw-r----- 1 root root 287 Nov 9 12:23 ftp_psa
-rw-r--r-- 1 root root 326 Oct 5 07:46 gssftp

cat /etc/xinetd.d/ftp_psa

service ftp
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
instances = UNLIMITED
server = /usr/sbin/in.proftpd
server_args = -c /etc/proftpd.conf
}

 

[fogelf]

try
mv /etc/xinetd.d/gssftp /etc/xinetd.d/.gssftp
/etc/init.d/xinetd restart

 

[Jean-PhilippeT]

doesn't fix it.

same error

any other cue ?

thx for the help btw, this is greatly appreciated.

 

[fogelf]

Of cause. Get it.

provide /etc/pam.d/proftpd first

 

[fogelf]

by the way, backup /etc/pam directory and call /usr/local/psa/pam_plesk_config/pam_plesk_install -qq

 

[Jean-PhilippeT]

/etc/pam.d/proftpd

#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

#auth required pam_unix.so nullok
#account required pam_unix.so
#session required pam_unix.so

 

[fogelf]

doez pam_plesk_install helps?

If not, need to do additional steps:

doez FTP user under U try to login exist in /etc/ftpusers?

provide /etc/ftpchroot

1. tail -f /var/log/messages |& tee /tmp/MESS
2. try to login under domain FTP user
3. provide /tmp/MESS

 

[Jean-PhilippeT]

No doez pam_plesk_install did nothing useful.

When I create a new user with ftp access it does not appear in /etc/ftpusers, that smells problematic.

 

[fogelf]

U do not provide info only partly, so its not enought. Sytem log are need (look my prev. post)

>not appear in /etc/ftpusers
not, that well

 

[fogelf]

also very useful will be output of chkconfig --list

 

[fogelf]

Did U install Kerberos 5, tune it?
Package krb5*

 

[Jean-PhilippeT]

cat /etc/ftpchroot
@psacln


cat /tmp/MESS
Jan 20 09:53:14 cl-t205-534cl xinetd[9050]: START: smtp pid=32135 from=85.198.158.199
Jan 20 09:53:32 cl-t205-534cl xinetd[9050]: EXIT: smtp status=1 pid=32125 duration=55(sec)
Jan 20 09:53:52 cl-t205-534cl xinetd[9050]: EXIT: smtp status=1 pid=32135 duration=38(sec)
Jan 20 09:53:53 cl-t205-534cl xinetd[9050]: START: smtp pid=32142 from=85.198.158.199
Jan 20 09:53:57 cl-t205-534cl sshd[32143]: rexec line 87: Unsupported option UsePAM
Jan 20 09:54:14 cl-t205-534cl xinetd[9050]: EXIT: smtp status=1 pid=32142 duration=21(sec)
Jan 20 09:54:55 cl-t205-534cl xinetd[9050]: START: smtp pid=32181 from=206.162.158.162
Jan 20 09:54:56 cl-t205-534cl xinetd[9050]: EXIT: smtp status=0 pid=32181 duration=1(sec)
Jan 20 09:55:32 cl-t205-534cl xinetd[9050]: START: smtp pid=32195 from=66.36.150.85
Jan 20 09:56:32 cl-t205-534cl xinetd[9050]: EXIT: smtp status=0 pid=32195 duration=60(sec)
Jan 20 09:57:39 cl-t205-534cl proftpd[32262]: 174.142.68.104 :ffff:66.46.166.146[::ffff:66.46.166.146]) - FTP session opened.