Greetings!
I have a program which requires FTP connectivity to my server to operate. Sadly, I do not have the source code to this program. I've been told that the program requires FTP with PASSIVE mode activated.
I've been working on configuring my web server (CentOS on Go-Daddy with Plesk - yuck) to accept passive FTP connections via proftpd & xinetd. I'm using IPTables as my firewall and I don't believe it to be the issue (though I'm not 100% sure).
My ProFTPD config file looks like this:
Code:
#
# To have more information about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
</Global>
PassivePorts 51000 51999
DefaultTransferMode binary
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 600
SystemLog /home/sysadmin/proftpdlog
UseFtpUsers on
TimesGMT off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
#Following part of this config file was generated by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.
#Include directive should point to place where FTP Virtual Hosts configurations
#preserved
ScoreboardFile /var/run/proftpd/scoreboard
# Primary log file must be outside of system logrotate province
TransferLog /usr/local/psa/var/log/xferlog
#Change default group for new files and directories in vhosts dir to psacln
<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>
# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd
IdentLookups off
UseReverseDNS off
AuthGroupFile /etc/group
Include /etc/proftpd.include
// NOTE: profpd.include is empty
My xinetd config file looks like this:
Code:
defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
# enabled =
# disabled =
# Define general logging characteristics.
log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST DURATION EXIT
# Define access restriction defaults
#
# no_access =
# only_from =
# max_load = 0
cps = 50 10
instances = 50
per_source = 10
# Address and networking defaults
#
# bind =
# mdns = yes
v6only = no
# setup environmental attributes
#
# passenv =
groups = yes
umask = 002
# Generally, banners are not used. This sets up their global defaults
#
# banner =
# banner_fail =
# banner_success =
}
includedir /etc/xinetd.d
----// RELATIVE FILE FROM /etc/xinetd.d
service ftp
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
instances = UNLIMITED
server = /usr/sbin/in.proftpd
server_args = -c /etc/proftpd.conf -d5
}
My IPTables look like this:
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED,NEW -m tcp -p tcp --dport 51000:51999 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
When I do:
/sbin/iptables -L
I get:
Code:
# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpts:51000:51999
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I am able to manually FTP to the server via WinSCP, but my program (where I do not have the source code) which tries to FTP to the server fails with the following error:
Code:
Error occurred while checking for FTP Connection :: Connection timed out: connect
I'm struggling really hard with this error, does anyone have any suggestions?
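One way to check what the server advertises in passive mode against the PassivePorts range and the 51000:51999 firewall rule shown above. This is an added example, not part of the original post; the sample replies, the 203.0.113.10 address and all function names are constructed for illustration.

```python
import ipaddress
import re

# From the post: PassivePorts 51000 51999 and the --dport 51000:51999 rule.
PASSIVE_RANGE = (51000, 51999)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample replies (documentation address, not the poster's server).
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,199,56)."
BAD_REPLY = "227 Entering Passive Mode (192,168,1,5,4,1)."
_TUPLE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    match = _TUPLE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError("not a usable 227 reply: %r" % reply)
    nums = [int(n) for n in match.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % reply)
    # The data port is sent as two bytes, high byte first.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv(reply, control_ip, port_range=PASSIVE_RANGE):
    """List reasons a client's data connection to the advertised endpoint could fail."""
    ip, port = parse_pasv(reply)
    low, high = port_range
    problems = []
    if not low <= port <= high:
        problems.append("port %d outside %d-%d" % (port, low, high))
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("advertised address %s is RFC 1918 private" % ip)
    if ip != control_ip:
        problems.append("advertised %s differs from control address %s"
                        % (ip, control_ip))
    return problems


def live_pasv_reply(host, user, password, timeout=10):
    """Log in over the control channel and return the raw PASV reply."""
    from ftplib import FTP
    with FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        return ftp.sendcmd("PASV")
```

Feeding the result of `live_pasv_reply()` into `check_pasv()` from the machine that runs the failing client shows whether the control connection on port 21 is reachable at all from there and, if it is, which data endpoint the server hands out.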