ProFTP log

Hello,

Since I'm under 1.8.0 I can't use ProFTPD in PASV mode.

I connect to the server fine and I can change folders, but I receive a "No responding" message, and when I try to get or put files I get an error message.

In logwatch I receive messages that I never received before:

padawan.carat-hosting.com (62.39.154.5[62.39.154.5]) - FTP no transfer timeout, disconnected
proftpd startup succeeded
padawan.carat-hosting.com - ProFTPD 1.2.8 (stable) (built Mon Aug 23 01:20:11 EDT 2004) standalone mode STARTUP
padawan.carat-hosting.com - Failed binding to 0.0.0.0, port 21: Address already in use
padawan.carat-hosting.com - Check the ServerType directive to ensure you are configured correctly.
proftpd startup succeeded
padawan.carat-hosting.com (127.0.0.1[127.0.0.1]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (127.0.0.1[127.0.0.1]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (127.0.0.1[127.0.0.1]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (193.248.26.80[193.248.26.80]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (193.248.26.80[193.248.26.80]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (220.64.90.210[220.64.90.210]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - FTP no transfer timeout, disconnected
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - FTP no transfer timeout, disconnected
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - FTP no transfer timeout, disconnected
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - FTP no transfer timeout, disconnected
padawan.carat-hosting.com (193.248.27.177[193.248.27.177]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (127.0.0.1[127.0.0.1]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (127.0.0.1[127.0.0.1]) - notice: unable to add scoreboard entry: Invalid argument
padawan.carat-hosting.com (127.0.0.1[127.0.0.1]) - notice: unable to add scoreboard entry: Invalid argument

Any idea ?

Thanks

Pascal

It's hard to tell from the error log if it's related, Pascal. If your root info is the same as yesterday and it's OK to log in as root, I'll check it out. Could you also set me up a test FTP account as well?

Thanks,

Chris

I’ve never seen these types of messages in logwatch until the report yesterday. I got a report full of them, just like Pascal. And I haven’t touched anything since installing Interworx 1.8.0.

Could you forward it please, sonicgroup. Pascal is running 1.2.8p and I think you're running 1.2.10. Just paste it in a ticket if you would and I'll take a look.

Chris

Hi

Thanks Chris. Login info is the same.

To be complete, I have to say that in PASV mode it doesn't work, but when I disable PASV mode in my FTP client then it's OK.

I'm just sending you an email with the FTP account and SSH access information.

Pascal

Pascal,

Give it a shot now. We turned off your firewall and it seems to have fixed the PASV ftp problem.

Chris

Erffff …

You're right, it's fine now.

Hé !!! You never sleep?

Thanks a lot :)

Do you have an idea why my firewall blocks PASV?

I have modprobe ip_conntrack_ftp and port 21 open?

#!/bin/bash
set -e

# Caution! Once this firewall is active,
# changes will almost certainly require a reboot,
# or at least console (the network will be unavailable).

# Load IRC & FTP modules for use behind a NAT. Usually not necessary.
# ip_conntrack_ftp is the 2.4 / early 2.6 kernel name; on current kernels
# the helper is nf_conntrack_ftp. This helper is what lets the PASV data
# connection match RELATED in the INPUT chain below; without it the data
# connection arrives as NEW on a high port and falls through to slowrej.
/sbin/modprobe ip_conntrack_ftp

# Flush rules
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z

# rp_filter and other kernel hardening knobs
for f in /proc/sys/net/ipv4/conf/*; do
    echo 1 > $f/rp_filter
    echo 0 > $f/accept_source_route
    echo 0 > $f/accept_redirects
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/ip_forward

# Set chain defaults
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Okay, the rules

# Rejects go here
/sbin/iptables -N rej
/sbin/iptables -A rej -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A rej -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A rej -j DROP

# Slow reject is our packet limiter.
/sbin/iptables -N slowrej
/sbin/iptables -A slowrej -m limit --limit 12/min --limit-burst 2 -j rej
/sbin/iptables -A slowrej -j DROP

# UDP rules
/sbin/iptables -N pudp
/sbin/iptables -A pudp -p udp --dport 53 -j ACCEPT    # DNS (udp)
/sbin/iptables -A pudp -p udp --dport 161 -j ACCEPT   # SNMP (udp)

/sbin/iptables -A pudp -p udp --dport bootps:bootpc -j DROP
/sbin/iptables -A pudp -j slowrej

# TCP rules
# Enable services on an as-needed basis.
# Template below includes most popular services.
# Default rule (below) is to allow SSH and SNMP.
# Everything else is your responsibility.
/sbin/iptables -N ptcp

/sbin/iptables -A ptcp -p tcp --dport 161 -m state --state NEW -j ACCEPT    # SNMP
/sbin/iptables -A ptcp -p tcp --dport 80 -m state --state NEW -j ACCEPT     # HTTP
/sbin/iptables -A ptcp -p tcp --dport 443 -m state --state NEW -j ACCEPT    # HTTPS
# Only the FTP control channel is opened here; PASV data connections go to
# high ports and rely on the conntrack helper marking them RELATED.
/sbin/iptables -A ptcp -p tcp --dport 21 -m state --state NEW -j ACCEPT     # FTP
/sbin/iptables -A ptcp -p tcp --dport 22 -m state --state NEW -j ACCEPT     # SSH
/sbin/iptables -A ptcp -p tcp --dport 2443 -m state --state NEW -j ACCEPT   # Nodeworx
/sbin/iptables -A ptcp -p tcp --dport 2080 -m state --state NEW -j ACCEPT   # Nodeworx
/sbin/iptables -A ptcp -p tcp --dport 25 -m state --state NEW -j ACCEPT     # SMTP
/sbin/iptables -A ptcp -p tcp --dport 110 -m state --state NEW -j ACCEPT    # POP3
/sbin/iptables -A ptcp -p tcp --dport 995 -m state --state NEW -j ACCEPT    # POP3S
/sbin/iptables -A ptcp -p tcp --dport 143 -m state --state NEW -j ACCEPT    # IMAP2
/sbin/iptables -A ptcp -p tcp --dport 993 -m state --state NEW -j ACCEPT    # IMAPS
/sbin/iptables -A ptcp -p tcp --dport 3306 -m state --state NEW -j ACCEPT   # mysql
/sbin/iptables -A ptcp -p tcp --dport 53 -m state --state NEW -j ACCEPT     # DNS (tcp)
/sbin/iptables -A ptcp -p tcp --dport 10000 -m state --state NEW -j ACCEPT  # webmin (tcp)
/sbin/iptables -A ptcp -p tcp --dport 3333 -m state --state NEW -j ACCEPT   # ntop (tcp)
/sbin/iptables -A ptcp -p tcp --dport 6667 -m state --state NEW -j ACCEPT   # IRCD
/sbin/iptables -A ptcp -p tcp --dport 6668 -m state --state NEW -j ACCEPT   # IRCD
/sbin/iptables -A ptcp -p tcp --dport 6999 -m state --state NEW -j ACCEPT   # IRCD SERVICES
/sbin/iptables -A ptcp -p tcp --dport 7029 -m state --state NEW -j ACCEPT   # IRCD SERVICES
/sbin/iptables -A ptcp -p tcp --dport 7000 -m state --state NEW -j ACCEPT   # HUB IRCD

/sbin/iptables -A ptcp -j slowrej

# ICMP rules
/sbin/iptables -N picmp
/sbin/iptables -A picmp -p icmp -m limit --limit 2/sec --limit-burst 2 --icmp-type echo-request -j ACCEPT
/sbin/iptables -A picmp -j DROP

# INPUT chain: Anything over loopback, and anything found in the state matching
# system is accepted.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT

# If you have constant abusers, block them permanently by CIDR thus:
# iptables -A INPUT -s 192.168.1.0/24 -j rej
# For particularly abusive servers or brain-dead software that keeps trying
# even with rej, try this instead:
# iptables -A INPUT -s 192.168.1.0/24 -j DROP
/sbin/iptables -A INPUT -p udp -j pudp
/sbin/iptables -A INPUT -p tcp -j ptcp
/sbin/iptables -A INPUT -p icmp -j picmp

Pascal
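Added example, not code from this thread or from Interworx: a shell script that works out which server port a PASV reply sends the client to, then checks that port against the ports the posted firewall admits. The script above only lets an unsolicited (NEW) TCP connection reach port 21, so the passive data connection, which lands on a high port chosen by the server, gets in only if the FTP conntrack helper has parsed the 227 reply and the kernel tags it RELATED; if the helper is not tracking the session, the data connection falls through to slowrej. The 227 reply is constructed, and the PassivePorts range and the extra --dport rule at the end are an assumed alternative that does not depend on the helper.

```shell
#!/bin/sh
# Added example: not from the thread. Computes the PASV data port from a
# 227 reply and checks it against the ports the posted firewall admits.

# Print the data port announced by a "227 Entering Passive Mode
# (h1,h2,h3,h4,p1,p2)" reply, i.e. p1*256 + p2. Returns 1 and prints
# nothing for anything that is not a well-formed 227 reply.
pasv_port() {
    reply=$(printf '%s' "$1" | tr -d '\r')
    case "$reply" in
        227*) ;;
        *) return 1 ;;
    esac
    nums=$(printf '%s\n' "$reply" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    p1=$(printf '%s\n' "$nums" | cut -d, -f5)
    p2=$(printf '%s\n' "$nums" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# Verdict for a NEW TCP connection to port $1 under the posted ptcp chain.
# $2 is a space-separated list of accepted --dport values in iptables
# syntax ("21 22 49152:65534"). Prints "accept" if a rule matches,
# otherwise "slowrej", the chain's fall-through target.
ptcp_verdict() {
    port=$1; allowed=$2
    for spec in $allowed; do
        case "$spec" in
            *:*) lo=${spec%%:*}; hi=${spec##*:} ;;
            *)   lo=$spec; hi=$spec ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            echo accept
            return 0
        fi
    done
    echo slowrej
}

# Verdict for the PASV data connection. With the FTP conntrack helper
# tracking the control session the kernel tags the data connection RELATED
# and the first INPUT rule accepts it before ptcp is consulted. Without the
# helper it is NEW and has to match an explicit --dport rule in ptcp.
pasv_data_verdict() {
    port=$1; helper=$2; allowed=$3
    if [ "$helper" = yes ]; then
        echo accept
        return 0
    fi
    ptcp_verdict "$port" "$allowed"
}

# Demo on a constructed reply: 195*256 + 80 = 50000.
reply='227 Entering Passive Mode (62,39,154,5,195,80)'
port=$(pasv_port "$reply")
# The --dport values accepted by the ptcp chain in the posted script.
posted='161 80 443 21 22 2443 2080 25 110 995 143 993 3306 53 10000 3333 6667 6668 6999 7029 7000'
echo "data port $port, helper tracking:   $(pasv_data_verdict "$port" yes "$posted")"
echo "data port $port, helper not active: $(pasv_data_verdict "$port" no  "$posted")"
# Alternative that does not depend on the helper (assumed config, not from
# the thread): pin the range with "PassivePorts 49152 65534" in proftpd.conf
# and add to the script:
#   /sbin/iptables -A ptcp -p tcp --dport 49152:65534 -m state --state NEW -j ACCEPT
echo "data port $port, range opened:      $(pasv_data_verdict "$port" no  "$posted 49152:65534")"
```

Running it prints accept, slowrej, accept for the three cases. The first case is what the posted script depends on, the second is what the client sees when the helper is not tracking the control session, and the third is the explicit-range configuration that works whether or not the helper is loaded.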