Beta Branch Centmin Mod .08 beta + pure-ftpd virtual FTP user support

Discussion in 'Beta release code' started by eva2000, Jan 19, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Any reason other than inconvenience as to why you would want to? Using FTP over clear plain text isn't advisable for security reasons.

     
  2. BobbyWibowo

    BobbyWibowo Active Member

    197
    42
    28
    Jul 30, 2015
    Indonesia
    Ratings:
    +71
    Local Time:
    9:14 PM
    1.17.x
    10.3.x
    Ah yes, I do realize it's insecure, but I'm having endless connection problems whenever my FTP client (FileZilla) tries to connect to any FTP server that requires a TLS/SSL connection. I've tried looking for a solution on the FileZilla forums, but they assumed that it's related to my firewall, while in fact I've given full trust to the application in my firewall.
     
  3. eva2000

    eva2000 Administrator Staff Member

    The first post in this thread and the official site at Pure-FTPD Virtual FTP Users - CentminMod.com LEMP Nginx web stack for CentOS have screenshots of a FileZilla setup example. Can you post a screenshot of your settings in FileZilla (mask logins)?

    What do the error logs and messages say?

    Also, what operating system are you running? My Pure-FTPD TLS setup disables the SSLv3 protocol, which could affect older OSes like WinXP.
     
  4. BobbyWibowo

    BobbyWibowo Active Member

    [IMG]
    As you can guess, I'm running Windows 8.1 Enterprise.

    The message log is stuck on "Initializing TLS" forever until the connection times out.
    I tried disabling Pure-FTPd and installed vsftpd instead, and I could connect and edit/download/upload files just fine (though of course with no TLS).
    My current web hosting uses Pure-FTPd as well and they support both TLS and non-TLS connections. Whenever I tried to connect with TLS, I'd get stuck on Initializing TLS as well. After being persistent for a bit back then, I could connect, but whenever it tried to list a directory, it'd get stuck until the connection timed out.

    EDIT: Also, I'm having an issue on this site. None of the JS-related features work (AJAX overlay, Redactor, even the Spoiler button will redirect me to an unknown page instead).
     
  5. eva2000

    eva2000 Administrator Staff Member

    You got the full connection messages? Minus any IP/login username info? Wrap in CODE tags here.

    Google-fu leads to this: Can't get past Initializing TLS - FileZilla Forums

    Also, for Centmin Mod ensure CSF Firewall is running properly and the passive ports are set
    Code:
    service csf status
    Code:
    grep --color '3000:3050' /etc/csf/csf.conf 
    i.e.
    Code:
    grep --color '3000:3050' /etc/csf/csf.conf 
    TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2202,11211,11212,11213,11214,2049,2112,22000,22001,2222,3000,3334,8080,8888,81,9000,9001,9312,9418,10000,10500,10501,6081,6082,30865,3000:3050"
    TCP6_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2202,11211,11212,11213,11214,2049,2112,22000,22001,2222,3000,3334,8080,8888,81,9000,9001,9312,9418,10000,10500,10501,6081,6082,30865,3000:3050"
    Ensure the passive port range is set in the pure-ftpd.conf file
    Code:
    grep 'PassivePortRange' /etc/pure-ftpd/pure-ftpd.conf 
    
    i.e.
    Code:
    grep 'PassivePortRange' /etc/pure-ftpd/pure-ftpd.conf
    PassivePortRange    3000 3050
    As per CSF - CSF Firewall info | Centmin Mod Community, also check if your IP address has been blocked by CSF Firewall - i.e. Getting firewall *tcp_in blocked* | Centmin Mod Community

    Check if your IPs are blocked using the csf -g grep command
    Code:
    csf -g YOURIPADDRESS
    
    Check CSF's /var/log/lfd.log for clues
    Code:
    tail -50 /var/log/lfd.log
    
    Example output from the LFD log showing CSF blocking SSH attacks
    Code:
    Jul 29 14:47:12 host lfd[3000]: 125.120.229.252 (CN/China/-), 8 distributed sshd attacks on account [root] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
    Jul 29 17:34:53 host lfd[3715]: (sshd) Failed SSH login from 45.114.11.38 (HK/Hong Kong/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    Jul 29 20:13:13 host lfd[4401]: (sshd) Failed SSH login from 113.195.145.79 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    Jul 29 20:19:13 host lfd[4451]: (sshd) Failed SSH login from 222.48.110.117 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    Jul 29 20:21:33 host lfd[4482]: 218.65.30.73 (CN/China/73.30.65.218.broad.xy.jx.dynamic.163data.com.cn), 7 distributed sshd attacks on account [root] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
    Jul 29 23:06:34 host lfd[5184]: (sshd) Failed SSH login from 50.197.182.225 (US/United States/50-197-182-225-static.hfc.comcastbusiness.net): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
     
    Last edited: Jul 30, 2015
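
The file-based checks from the post above (passive port range in pure-ftpd.conf, the matching CSF allow entries, and LFD block entries for one client IP), as an added example that is not part of the original thread. The function names and the sample files are constructed for illustration, and the sample addresses come from documentation ranges.

```shell
# Added example: the post's checks, run against files rather than a live host.
passive_range() {   # prints "LOW HIGH" from the active PassivePortRange line
    awk '$1 == "PassivePortRange" { print $2, $3; exit }' "$1"
}

range_allowed() {   # usage: range_allowed CSF_CONF KEY LOW HIGH
    awk -v key="$2" -v lo="$3" -v hi="$4" '
        $1 == key {
            seen = 1; list = $0
            sub(/^[^"]*"/, "", list); sub(/".*$/, "", list)
            n = split(list, ent, ",")
            for (p = lo + 0; p <= hi + 0; p++) {     # every passive port
                ok = 0
                for (i = 1; i <= n; i++) {
                    k = split(ent[i], r, ":")        # "21" or "3000:3050"
                    if ((k == 1 && r[1] + 0 == p) || (k == 2 && r[1] + 0 <= p && p <= r[2] + 0)) ok = 1
                }
                if (!ok) missing = 1
            }
        }
        END { exit !(seen && !missing) }' "$1"
}

lfd_blocks() {      # usage: lfd_blocks LFD_LOG IP; prints one trigger per block
    awk -v ip="$2" '
        /\*Blocked in csf\*/ {
            for (i = 1; i <= NF; i++) if ($i == ip) {    # whole field, not substring
                t = $NF; gsub(/\[|\]/, "", t); print t; break
            }
        }' "$1"
}

make_samples() {    # constructed sample files modelled on the output in the post
    printf 'PassivePortRange    3000 3050\n' > "$1/pure-ftpd.conf"
    printf 'TCP_IN = "20,21,22,3000:3050"\nTCP6_IN = "20,21,22"\n' > "$1/csf.conf"
    cat > "$1/lfd.log" <<'EOF'
Jul 29 17:34:53 host lfd[3715]: (sshd) Failed SSH login from 203.0.113.38 (ZZ/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jul 29 20:21:33 host lfd[4482]: 198.51.100.73 (ZZ/Example/73.100.51.198.example.net), 7 distributed sshd attacks on account [root] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
EOF
}

d=$(mktemp -d) && make_samples "$d"
set -- $(passive_range "$d/pure-ftpd.conf")
for key in TCP_IN TCP6_IN; do
    range_allowed "$d/csf.conf" "$key" "$1" "$2" && s=open || s=CLOSED
    echo "$key passive ports $1-$2: $s"
done
echo "blocks for 203.0.113.38: $(lfd_blocks "$d/lfd.log" 203.0.113.38)"
rm -rf "$d"
```

On a server, point the functions at /etc/pure-ftpd/pure-ftpd.conf, /etc/csf/csf.conf and /var/log/lfd.log. The constructed TCP6_IN line omits the passive range on purpose, so the IPv6 check reports CLOSED while IPv4 reports open.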
  6. eva2000

    eva2000 Administrator Staff Member

    Read the welcome private conversation tip - you need to disable ad blockers on this forum or you won't get a working editor ;)
     
  7. BobbyWibowo

    BobbyWibowo Active Member

    Yes, I found that thread as well. My log says something similar to that user's, but instead of getting this welcome message:
    Code:
    Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:	220-You are user number 2 of 200 allowed.
    Response:	220-Local time is now 22:22. Server port: 21.
    Response:	220-This is a private system - No anonymous login
    Response:	220-IPv6 connections are also welcome on this server.
    Response:	220 You will be disconnected after 15 minutes of inactivity.
    Command:	AUTH TLS
    Response:	234 AUTH TLS OK.
    after:
    Code:
    Status:	Connection established, waiting for welcome message...
    I went straight into Initializing TLS....
    But when I tried to connect with a plain connection (no TLS), I got the Pure-FTPd welcome message and a message saying that it doesn't accept plain connections.

    Also, my IP is very dynamic. It doesn't require me to reconnect just to change IP; it constantly changes whenever I'm in the middle of browsing. Most of the time it takes a few seconds for me to get a different IP (any online service that can tell my IP will have the result change whenever I refresh the page).
     
  8. eva2000

    eva2000 Administrator Staff Member

    Might need to whitelist dynamic IPs in CSF Firewall as outlined at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS, or set up a VPN server and connect through that and have the VPN server IP whitelisted for long-term stability.

    Interesting indeed, something to investigate when I have time I guess. If you can live with plain text, you can disable the forced TLS encryption requirement for Pure-FTPd by editing the /etc/pure-ftpd/pure-ftpd.conf config file and changing TLS 2 to TLS 1 - keep the exact spacing format just in case in future centmin.sh does some auto magic for changes hehe.
    Code:
    # This option can accept three values :
    # 0 : disable SSL/TLS encryption layer (default).
    # 1 : accept both traditional and encrypted sessions.
    # 2 : refuse connections that don't use SSL/TLS security mechanisms,
    #     including anonymous sessions.
    # Do _not_ uncomment this blindly. Be sure that :
    # 1) Your server has been compiled with SSL/TLS support (--with-tls),
    # 2) A valid certificate is in place,
    # 3) Only compatible clients will log in.
    
    TLS                      2
    So change to
    Code:
    TLS                      1
    Then restart the pure-ftpd service
    Code:
    service pure-ftpd restart
    If you are the only person on the server, you can just forgo using pure-ftpd and connect via encrypted SFTP as the root user too.
     
  9. BobbyWibowo

    BobbyWibowo Active Member

    Gotta be intentional, I bet, lol. Oh well, even if I disable ABP here, nothing changes, I assume because I've got this: Blocking Unwanted Connections with a Hosts File

    Oh well..
     
  10. BobbyWibowo

    BobbyWibowo Active Member

    I'll look into that as well. But I'd assume CSF Firewall affects vsftpd as well? When I got that installed instead, my plain connection worked just fine even if I constantly changed stuff here and there.
    Ah thanks! For the moment, I'll just bear with it until I figure out the reason why I can't properly connect to any FTP server with TLS (I'd totally assume it's not related to the server, but something on my side).
    Ah yes, I'm the only one on the server. Though I haven't really looked much into SFTP. Any articles that can tell me how it works?
     
  11. eva2000

    eva2000 Administrator Staff Member

    Not sure about vsftpd though.

    Just google-fu it heh, but it's just changing the protocol from FTP to SFTP and using SSH port 22 to connect, unless you changed that port. SFTP is encrypted by default and native to OpenSSH, so no FTP server is needed and pure-ftpd could be disabled when not in use. See Pure-FTPD Virtual FTP Users - CentminMod.com LEMP Nginx web stack for CentOS
     
  12. BobbyWibowo

    BobbyWibowo Active Member

    Thanks a lot!
     
  13. eva2000

    eva2000 Administrator Staff Member

  14. Matt Williams

    Matt Williams WordPress Fanatic

    537
    104
    43
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +157
    Local Time:
    9:14 AM
    latest
    10
    Where would I enable that at?
    @eva2000
     
  15. eva2000

    eva2000 Administrator Staff Member

    From the instructions outlined at Beta Branch - Centmin Mod .08 beta + pure-ftpd virtual FTP user support | Centmin Mod Community
    setup-callupload.sh actually enables the CallUploadScript support
     
  16. Matt Williams

    Matt Williams WordPress Fanatic

    Ahhhh ok thanks! I don't know how I missed this
     
  17. Matt Williams

    Matt Williams WordPress Fanatic

    I have a client that uses Cyberduck as an FTP client and he cannot connect, but can connect with FileZilla - How would someone connect to FTP using Cyberduck?
     
  18. eva2000

    eva2000 Administrator Staff Member

    It's on the supported list according to the 1st post https://community.centminmod.com/posts/10171/
    Code:
    * Cyberduck (OSX)
    Cyberduck | Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
    SSL/TLS works out of the box.
     
  19. Matt Williams

    Matt Williams WordPress Fanatic

    Do they have to select the same "Passive" mode? I've never used Cyberduck
     
  20. eva2000

    eva2000 Administrator Staff Member

    Last edited: Jan 8, 2016