Can't log into ProFTPD set up by Webmin on CentOS

14.5k views Asked by At

I just installed ProFTPD on a test CentOS webserver, which contains Webmin.

After installing ProFTPD I tried to connect via FTP and it wouldn't let me. I've tried to connect with FileZilla and terminal on the server. To connect I've tried all the users on the server (root, admin, steven10172) and all of them return the same error "530 Login Incorrect."

Could someone please assist me as to why I can't connect via ftp??

Error message (With AuthPam On):

May 23 02:03:34 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17201] 76.209.55.83: ProFTPD killed (signal 15)
May 23 02:03:34 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17201] 76.209.55.83: ProFTPD 1.3.3g standalone mode SHUTDOWN
May 23 02:03:36 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17261] 76.209.55.83: ProFTPD 1.3.3g (maint) (built Thu Nov 10 2011 16:20:58 UTC) standalone mode STARTUP
May 23 02:03:39 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17267] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): FTP session opened.
May 23 02:03:40 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17267] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): USER root (Login failed): Incorrect password.
May 23 02:03:42 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17267] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): FTP session closed.

Error message (with AuthPam Off):

May 23 02:02:21 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17201] 76.209.55.83: ProFTPD 1.3.3g (maint) (built Thu Nov 10 2011 16:20:58 UTC) standalone mode STARTUP
May 23 02:02:25 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17207] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): FTP session opened.
May 23 02:02:26 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17207] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): USER steven10172 (Login failed): No such user found.
May 23 02:02:29 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17207] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): FTP session closed.

/etc/proftpd.conf:

# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

ServerName          "ProFTPD server"
ServerIdent         on "FTP Server ready."
ServerAdmin         root@localhost
DefaultServer           on

# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine         on
DefaultRoot         ~ !adm
VRootAlias          /etc/security/pam_env.conf etc/security/pam_env.conf

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig           proftpd
AuthOrder           mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd       off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS           off

# Set the user and group that the server runs as
User                nobody
Group               nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances            20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile         off

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
#   LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
#   LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
#   LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
#   LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
#   LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
#   LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
#   LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
#   LoadModule mod_quotatab_radius.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
#   LoadModule mod_ctrls_admin.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
#   LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
#   LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
#   LoadModule mod_geoip.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
#   LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
#   LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution 
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
#   LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
#   LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
#   LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
#   LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
#   LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
#   LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
#   LoadModule mod_tls_shmcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
#   LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
#   LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
#   LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
#   LoadModule mod_wrap2_sql.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
#   LoadModule mod_ifsession.c

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
  TLSEngine         on
  TLSRequired           on
  TLSRSACertificateFile     /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile  /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite        ALL:!ADH:!DES
  TLSOptions            NoCertRequest
  TLSVerifyClient       off
  #TLSRenegotiate       ctrl 3600 data 512000 required off timeout 300
  TLSLog            /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache     shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule            mod_ban.c
  BanEngine         on
  BanLog            /var/log/proftpd/ban.log
  BanTable          /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent            MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs       all allow user ftpadm
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask             022

  # Allow users to overwrite files and change permissions
AllowOverwrite on
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
RootLogin on
UseFtpUsers off
AuthAliasOnly off
RequireValidShell off

</Global>
SystemLog /var/log/proftpd/errors.log

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
  <Anonymous ~ftp>
    User            ftp
    Group           ftp
    AccessGrantMsg      "Anonymous login ok, restrictions apply."

    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias           anonymous ftp

    # Limit the maximum number of anonymous logins
    MaxClients          10 "Sorry, max %m users -- try again later"

    # Put the user into /pub right after login
    #DefaultChdir       /pub

    # We want 'welcome.msg' displayed at login, '.message' displayed in
    # each newly chdired directory and tell users to read README* files. 
    DisplayLogin        /welcome.msg
    DisplayChdir        .message
    DisplayReadme       README*

    # Cosmetic option to make all files appear to be owned by user "ftp"
    DirFakeUser         on ftp
    DirFakeGroup        on ftp

    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    # An upload directory that allows storing files but not retrieving
    # or creating directories.
    <Directory uploads/*>
      AllowOverwrite        no
      <Limit READ>
        DenyAll
      </Limit>

      <Limit STOR>
        AllowAll
      </Limit>
    </Directory>

    # Don't write anonymous accesses to the system wtmp file (good idea!)
    WtmpLog         off

    # Logging for the anonymous transfers
    ExtendedLog         /var/log/proftpd/access.log WRITE,READ default
    ExtendedLog         /var/log/proftpd/auth.log AUTH auth

  </Anonymous>
</IfDefine>
4

There are 4 answers

0
Craig On

In webmin, go to your ProFTPD module and look for an icon/option of Denied FTP Users. Remove any users from that list, that you want access to the FTP server. One spot I had trouble with.

0
Arun Panneerselvam On

It seems the user is not included in the proftpd users list. Its the default safety procedure with proftd recent versions.

To enable it manually,

  • In the "Server Status" section of the webmin default page (click 'webmin' to get this page), click on 'ProFTPD FTP Server'. This will open the Proftpd module.

  • In the "Global Configuration Section", click "Edit Config files"

  • In the editor find the line umask 22

  • add the following lines below with the webmin username. this will allow webmin user to use ftp and sftp

    umask 22 AllowOverwrite yes <Limit ALL SITE_CHMOD> DenyAll AllowUser webminuser1 webminuser2 </Limit>

save the file and restart proftpd.

**

OR

**

Use the default webmin configuration to enable proftpd for users : remove and fresh install proftpd.

yum install proftpd

and start the service, service proftpd start

check your ftp connection by telnet. telnet <ipaddress> 21

if telnet connects, Go to webmin menu, webmin->webmin configuration->webmin modules

In the Install from section, on Standard module from www.webmin.com, choose proftpd module (you can try just typing in the box, but its better click the globe icon to select proftpd)

After Selecting Proftpd, check Ignore Dependencies option, and check Grant access to all Webmin users, And click on Install module button Restart the System for changes to take effect.

Try connecting with ftpclient with the username and password. It should work!

0
Sean Duggan On

While this only helps for one or two of the usernames you specified, root accounts are generally barred from FTP access.

... a list of the users that either have no business using ftp or have too many privileges to be allowed to log in through the FTP server daemon. Such users usually include root, daemon, bin, uucp, and news.

0
Opcrat On

In most of the ftp clients by default its enabling FTP Passive connection option so just unselect it and then try to connect.