
Pure-FTPD FTP Permission Denied

Discussion in 'Other Centmin Mod Installed software' started by cloud9, Oct 4, 2022.

  1. cloud9

    cloud9 Premium Member
    Please fill in any relevant information that applies to you:
    • CentOS Version: 7 64bit
    • Centmin Mod Version Installed: Latest beta
    • Nginx Version Installed: 1.21.x
    • PHP Version Installed: 8.1.x
    • MariaDB MySQL Version Installed: 10.3
    • When was last time updated Centmin Mod code base?: today
    • Persistent Config:
    I used to be able to ftp to the server to upload files

    I must have done something - as now I get permission denied in FileZilla when I try to upload an XF update

     
  2. eva2000

    eva2000 Administrator, Staff Member
    Has the same FTP username/password and server combination ever worked before, and only now doesn't work? Simple stuff you can check is whether you're ftping to the correct server. Are you using the domain name for the hostname or the server IP? I always use the server IP. Also check the FTP client's verbose logging for clues.

    If you are having pure-ftpd disconnection or connection issues when uploading many files at once, it could be CSF Firewall's DDOS protection for Port Flooding in play. You can verify this by doing a grep filter of your /var/log/messages log to see if there are entries with your IP address listed.

    Where you replace 184.105.xxx.xxx with your ISP IP address or the IP address of user who is having issues uploading via pure-ftpd virtual FTP user
    Code (Text):
    grep -n 'Port Flood' /var/log/messages | grep '184.105.xxx.xxx'
    

    If you're behind a VPN or proxy on your connection to pure-ftpd, your ISP IP address may be masked, so you can check what IP address your server is seeing for your SSH session using the command below:
    Code (Text):
    echo $SSH_CLIENT
    

    example output, where your detected IP is the 1st column of output, i.e. 184.105.xxx.xxx
    Code (Text):
    echo $SSH_CLIENT
    184.105.xxx.xxx 54021 22
    

    If there are entries that are returned from the grep filter, then your pure-ftpd disconnection or connection issues are related to PORTFLOOD protection in CSF Firewall /etc/csf/csf.conf settings.

    You're hitting CSF Firewall Port Flood protection limits. Ideally, you want to limit your FTP clients max concurrent transfer limits and/or instead of uploading individual files, upload a zip file with all files then extract and move the files in place on server via SSH. Example of extracting a zip file via SSH can be seen in step 3 of Xenforo 2 setup. You can practice doing zip upload/extraction etc on test site domain until you are familiar with it.

    Relevant settings in CSF Firewall /etc/csf/csf.conf settings file
    Code (Text):
    grep -C35 '# Port Flood Protection' /etc/csf/csf.conf
    
    ###############################################################################
    # SECTION:Port Flood Settings
    ###############################################################################
    # Enable SYN Flood Protection. This option configures iptables to offer some
    # protection from tcp SYN packet DOS attempts. You should set the RATE so that
    # false-positives are kept to a minimum otherwise visitors may see connection
    # issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
    # man page for the correct --limit rate syntax
    #
    # Note: This option should ONLY be enabled if you know you are under a SYN
    # flood attack as it will slow down all new connections from any IP address to
    # the server if triggered
    SYNFLOOD = "0"
    SYNFLOOD_RATE = "100/s"
    SYNFLOOD_BURST = "150"
    
    # Connection Limit Protection. This option configures iptables to offer more
    # protection from DOS attacks against specific ports. It can also be used as a
    # way to simply limit resource usage by IP address to specific server services.
    # This option limits the number of concurrent new connections per IP address
    # that can be made to specific ports
    #
    # This feature does not work on servers that do not have the iptables module
    # xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
    # server admins should check with their VPS host provider that the iptables
    # module is included
    #
    # For further information and syntax refer to the Connection Limit Protection
    # section of the csf readme.txt
    #
    # Note: Run /etc/csf/csftest.pl to check whether this option will function on
    # this server
    CONNLIMIT = ""
    
    # Port Flood Protection. This option configures iptables to offer protection
    # from DOS attacks against specific ports. This option limits the number of
    # new connections per time interval that can be made to specific ports
    #
    # This feature does not work on servers that do not have the iptables module
    # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
    # server admins should check with their VPS host provider that the iptables
    # module is included
    #
    # For further information and syntax refer to the Port Flood Protection
    # section of the csf readme.txt
    #
    # Note: Run /etc/csf/csftest.pl to check whether this option will function on
    # this server
    PORTFLOOD = "21;tcp;5;300"
    
    # Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
    # These typically originate from exploit scripts uploaded through vulnerable
    # web scripts. Care should be taken on servers that use services that utilise
    # high levels of UDP outbound traffic, such as SNMP, so you may need to alter
    # the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
    #
    # We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
    UDPFLOOD = "1"
    UDPFLOOD_LIMIT = "100/s"
    UDPFLOOD_BURST = "500"
    
    # This is a list of usernames that should not be rate limited, such as "named"
    # to prevent bind traffic from being limited.
    #
    # Note: root (UID:0) is always allowed
    UDPFLOOD_ALLOWUSER = "named nsd"
    
    ###############################################################################
    # SECTION:Logging Settings
    ###############################################################################
    

    specifically this part
    Code (Text):
    # Port Flood Protection. This option configures iptables to offer protection
    # from DOS attacks against specific ports. This option limits the number of
    # new connections per time interval that can be made to specific ports
    #
    # This feature does not work on servers that do not have the iptables module
    # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
    # server admins should check with their VPS host provider that the iptables
    # module is included
    #
    # For further information and syntax refer to the Port Flood Protection
    # section of the csf readme.txt
    #
    # Note: Run /etc/csf/csftest.pl to check whether this option will function on
    # this server
    PORTFLOOD = "21;tcp;5;300"
    

    from CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS linked CSF Firewall readme file https://download.configserver.com/csf/readme.txt - section 16. Port Flood Protection:

    By default ipt_recent tracks only the last 100 IP addresses. The tracked IP addresses can be viewed in /proc/net/ipt_recent/* where the port number is the filename.

    Seems on my server that is at /proc/net/xt_recent, i.e. for TCP port 21 the tracking IP file would be at /proc/net/xt_recent/21.

    You can check if your server supports ipt_recent using csftest.pl script
    Code (Text):
    /etc/csf/csftest.pl
    

    Code (Text):
    /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    


    Viewing contents of xt_recent tracked TCP port 21 file at
    Code (Text):
    cat /proc/net/xt_recent/21
    

    If the IP address is listed in that xt_recent TCP port 21 tracking file and you need to remove it, type the following, where the IP address 184.105.xxx.xxx is prefixed with a minus
    Code (Text):
    cd /proc/net/xt_recent
    echo -184.105.xxx.xxx >/proc/net/xt_recent/21
    

    recheck if IP address was removed
    Code (Text):
    cat /proc/net/xt_recent/21
    

    From CSF Firewall there's a default PORTFLOOD check against FTP port 21 for security. If there are more than 5 connections to tcp port 21 within 300 seconds, then that IP address is blocked from port 21 for at least 300 seconds after the last packet is seen, i.e. there must be a "quiet" period of 300 seconds before the block is lifted
    Code (Text):
    PORTFLOOD = "21;tcp;5;300"
    

    So check how many simultaneous download/upload connections are set in your FTP/SFTP client.

    For Filezilla, those settings are under Settings -> Transfers (Concurrent transfers) section. Here there's unlimited concurrent download/uploads with 10 max simultaneous transfers.


    If you want to use, say, max 10 concurrent transfers, you would back up the CSF Firewall settings file /etc/csf/csf.conf and edit it to raise the hit count from 5 to 10 (the maximum supported value is 20)

    CSF Firewall backup to file named b4-portflood-edit and list the backups
    Code (Text):
    csf --profile backup b4-portflood-edit
    csf --profile list
    

    example
    Code (Text):
    csf --profile backup b4-portflood-edit
    Creating backup...
    `/etc/csf/csf.conf' -> `/var/lib/csf/backup/1525327615_b4_portflood_edit'
    
    csf --profile list
    
    Configuration Profiles
    ======================
    block_all_perm
    block_all_temp
    disable_alerts
    protection_high
    protection_low
    protection_medium
    reset_to_defaults
    
    Configuration Backups
    =====================
    1525327615_b4_portflood_edit (Thu May  3 06:06:55 2018)
    1525253709_cmm_default_tweaked (Wed May  2 09:35:09 2018)
    1525253709_cmm_before_ptload_action (Wed May  2 09:35:09 2018)
    1525253707_initial_default (Wed May  2 09:35:07 2018)
    1525253706_pre_v12_03_upgrade (Wed May  2 09:35:06 2018)
    

    Edit PORTFLOOD settings raising hit count from 5 to 10. You can use grep on /etc/csf/csf.conf to see the current value set for PORTFLOOD
    Code (Text):
    grep 'PORTFLOOD = ' /etc/csf/csf.conf
    

    example output
    Code (Text):
    grep 'PORTFLOOD = ' /etc/csf/csf.conf
    PORTFLOOD = "21;tcp;5;300"
    

    Then edit /etc/csf/csf.conf either manually to
    Code (Text):
    PORTFLOOD = "21;tcp;10;300"
    

    or via sed replacement edit
    Code (Text):
    sed -i 's|PORTFLOOD = "21;tcp;5;300"|PORTFLOOD = "21;tcp;10;300"|' /etc/csf/csf.conf
    

    use previous grep command to verify the changes made by sed
    Code (Text):
    grep 'PORTFLOOD = ' /etc/csf/csf.conf
    PORTFLOOD = "21;tcp;10;300"
    

    restart CSF Firewall
    Code (Text):
    csf -ra
    

    If you need to restore the previous settings from the backup you made, use these commands.

    The profile list will show csf profile backups; look for the listing name containing _b4_portflood_edit, i.e. 1525327615_b4_portflood_edit, use that in the restore command and then restart CSF Firewall
    Code (Text):
    csf --profile list
    csf --profile restore 1525327615_b4_portflood_edit
    csf -ra
    


    Next edit your FTP client's max concurrent transfers to limit them to 10. For Filezilla that would be like


    You can count how many concurrent pure-ftpd connections are being used server wide when uploading via pure-ftpd virtual FTP user. Assuming you're the only user doing uploads, that number would be your concurrent pure-ftpd connections number.

    In SSH, use the command below to manipulate the output of the CSF Firewall command csf -p, which lists current connections to the server. The command grep filters for pure-ftpd connections, further grep filters for the nginx user, counts the lines via wc -l, divides that number by 2 as the list shows both outbound and inbound connections, and then subtracts 1 for the initial established pure-ftpd connection
    Code (Text):
    echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))
    

    So for multiple file uploads via pure-ftpd virtual ftp user, if you run this command a few times you will get the number of connections. With above Filezilla max set to 10, you would see something like this after a few runs of the command
    Code (Text):
    echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))
    5
    echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))
    10
    echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))
    10
    

    If you want to view the actual connections instead of just the number, use the commands below:

    Command output when you are idly connected to pure-ftpd without any file transfers; you will see the inbound and outbound connections listed
    Code (Text):
    csf -p | grep pure-ftpd | grep nginx
    

    example output - inbound to TCP port 21 and outbound to TCP port 48970
    Code (Text):
    csf -p | grep pure-ftpd | grep nginx
    21/tcp     4/-  1     (31429/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    48970/tcp  4/-  0     (31429/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    

    When actively uploading or right after multiple file uploads via pure-ftpd virtual FTP user. The 11 means 11 connections, which are the initial connection + 10 max concurrent = 11
    Code (Text):
    csf -p | grep pure-ftpd | grep nginx
    21/tcp     4/-  11    (31429/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31915/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31917/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31918/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31919/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31923/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31925/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31926/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31929/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31930/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31933/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    30293/tcp  4/-  0     (31930/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    30324/tcp  4/-  0     (31933/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    31904/tcp  4/-  0     (31926/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    32775/tcp  4/-  0     (31919/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    35805/tcp  4/-  0     (31429/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    37105/tcp  4/-  0     (31915/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    37658/tcp  4/-  0     (31925/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    42541/tcp  4/-  0     (31917/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    43726/tcp  4/-  0     (31929/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    45697/tcp  4/-  0     (31918/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    49106/tcp  4/-  0     (31923/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    
     
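As an added example (not code from the thread, CSF or Centmin Mod), here is a POSIX sh script that wraps the checks eva2000 walks through above into functions: counting Port Flood log hits for one IP, parsing the PORTFLOOD rule and rewriting its hit count with the 20-hit ceiling enforced, testing whether an IP sits in the xt_recent port-21 table, and applying the (lines/2)-1 formula to csf -p output. Every input is a constructed sample held in a SAMPLE_* variable (the log lines, xt_recent rows and csf -p rows are made up for the demo), and all function names are mine.

```shell
#!/bin/sh
# Added example (not code from the thread, CSF or Centmin Mod): shell helpers
# for the PORTFLOOD checks eva2000 walks through. Every input below is a
# constructed sample held in a SAMPLE_* variable; on a real server the same
# functions would read /var/log/messages, /etc/csf/csf.conf,
# /proc/net/xt_recent/21 and the output of csf -p instead.

# Constructed /var/log/messages excerpt shaped like CSF's Port Flood log lines
SAMPLE_MESSAGES='Oct  4 10:01:02 srv kernel: Firewall: *Port Flood* IN=eth0 OUT= SRC=184.105.0.10 DST=10.0.0.5 PROTO=TCP SPT=54021 DPT=21
Oct  4 10:01:05 srv sshd[1234]: Accepted publickey for root from 184.105.0.10 port 54021 ssh2
Oct  4 10:01:09 srv kernel: Firewall: *Port Flood* IN=eth0 OUT= SRC=184.105.0.10 DST=10.0.0.5 PROTO=TCP SPT=54022 DPT=21
Oct  4 10:02:00 srv kernel: Firewall: *Port Flood* IN=eth0 OUT= SRC=184.105.0.1 DST=10.0.0.5 PROTO=TCP SPT=41000 DPT=21'

# portflood_hits_for_ip IP -> number of Port Flood lines whose SRC= is exactly IP.
# Same idea as the thread's two greps, but -F and the "SRC=IP " anchor keep the
# dots from acting as regex wildcards and stop 184.105.0.1 matching 184.105.0.10.
portflood_hits_for_ip() {
    printf '%s\n' "$SAMPLE_MESSAGES" | grep 'Port Flood' | grep -c -F "SRC=$1 " || true
}

# Constructed csf.conf line in the format quoted in the thread
SAMPLE_CONF_LINE='PORTFLOOD = "21;tcp;5;300"'

# portflood_rule LINE -> the rule inside the quotes. CSF allows several rules
# separated by commas; this keeps the first one, which covers the thread's
# single port-21 rule.
portflood_rule() {
    printf '%s\n' "$1" | sed 's/^PORTFLOOD = "\([^"]*\)".*$/\1/' | cut -d',' -f1
}

# portflood_field RULE N -> field N of "port;proto;hits;interval"
portflood_field() {
    printf '%s\n' "$1" | cut -d';' -f"$2"
}

# portflood_set_hits RULE HITS -> RULE with the hit count replaced. Refuses
# anything outside 1..20, since the thread notes 20 is the most CSF supports.
portflood_set_hits() {
    rule=$1; hits=$2
    case $hits in
        ''|*[!0-9]*) echo "hit count must be numeric" >&2; return 1 ;;
    esac
    if [ "$hits" -lt 1 ] || [ "$hits" -gt 20 ]; then
        echo "hit count must be between 1 and 20" >&2; return 1
    fi
    printf '%s;%s;%s;%s\n' "$(portflood_field "$rule" 1)" \
        "$(portflood_field "$rule" 2)" "$hits" "$(portflood_field "$rule" 4)"
}

# portflood_sed_expr OLDRULE NEWRULE -> the expression the thread passes to
# sed -i on /etc/csf/csf.conf (after csf --profile backup)
portflood_sed_expr() {
    printf 's|PORTFLOOD = "%s"|PORTFLOOD = "%s"|\n' "$1" "$2"
}

# portflood_apply LINE HITS -> LINE rewritten with the new hit count, running
# that same substitution on the string instead of on the file
portflood_apply() {
    old=$(portflood_rule "$1")
    new=$(portflood_set_hits "$old" "$2") || return 1
    printf '%s\n' "$1" | sed "$(portflood_sed_expr "$old" "$new")"
}

# Constructed /proc/net/xt_recent/21 excerpt: one "src=IP ..." line per address
# the kernel is currently tracking for the port-21 rule
SAMPLE_XT_RECENT='src=184.105.0.10 ttl: 54 last_seen: 4295123456 oldest_pkt: 5 4295120001, 4295120500, 4295121002, 4295122003, 4295123456
src=203.0.113.7 ttl: 60 last_seen: 4295100000 oldest_pkt: 1 4295100000'

# xt_recent_tracks IP -> succeeds if IP is in the table (the thread checks this
# with cat /proc/net/xt_recent/21 and clears an entry with echo -IP > that file)
xt_recent_tracks() {
    printf '%s\n' "$SAMPLE_XT_RECENT" | grep -q -F "src=$1 "
}

# Constructed csf -p excerpt in the thread's layout: one 21/tcp line per control
# connection, one high-port line per data connection, plus an unrelated nginx
# line that the pure-ftpd filter has to leave out
SAMPLE_CSF_P='21/tcp     4/-  3     (31429/nginx)        pure-ftpd (IDLE)    /usr/sbin/pure-ftpd
21/tcp     4/-  3     (31915/nginx)        pure-ftpd (IDLE)    /usr/sbin/pure-ftpd
21/tcp     4/-  3     (31917/nginx)        pure-ftpd (IDLE)    /usr/sbin/pure-ftpd
30293/tcp  4/-  0     (31915/nginx)        pure-ftpd (IDLE)    /usr/sbin/pure-ftpd
30324/tcp  4/-  0     (31917/nginx)        pure-ftpd (IDLE)    /usr/sbin/pure-ftpd
35805/tcp  4/-  0     (31429/nginx)        pure-ftpd (IDLE)    /usr/sbin/pure-ftpd
443/tcp    4/-  0     (2001/nginx)         nginx: worker       /usr/sbin/nginx'

# ftp_transfers -> the thread's formula: (pure-ftpd lines for user nginx / 2) - 1
ftp_transfers() {
    n=$(printf '%s\n' "$SAMPLE_CSF_P" | grep pure-ftpd | grep -c nginx)
    echo $(( n / 2 - 1 ))
}

# Demo on the constructed samples: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "Port Flood hits for 184.105.0.10: $(portflood_hits_for_ip 184.105.0.10)"
    echo "current rule:  $(portflood_rule "$SAMPLE_CONF_LINE")"
    echo "rewritten:     $(portflood_apply "$SAMPLE_CONF_LINE" 10)"
    xt_recent_tracks 184.105.0.10 && echo "184.105.0.10 is tracked in xt_recent/21"
    echo "concurrent transfers: $(ftp_transfers)"
fi
```

The two grep details are the part worth copying: the thread's `grep '184.105.xxx.xxx'` treats the dots as wildcards and will also match longer addresses that start the same way, so matching `SRC=IP ` with `-F` gives an exact answer before you decide an IP is being flood-blocked. To use the functions on a live box, swap the SAMPLE_* variables for `cat /var/log/messages`, `grep 'PORTFLOOD = ' /etc/csf/csf.conf`, `cat /proc/net/xt_recent/21` and `csf -p`.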
  3. cloud9

    cloud9 Premium Member
    Hmmm

    All the CSF settings are ok

    Running this

    Code:
    cd /proc/net/xt_recent
    echo -184.105.xxx.xxx >/proc/net/xt_recent/21
    With my IP - fixed FTP so I can now connect - However

    Can't upload the XF upgrade: 553 can't open and permission denied

    In XF doing the quick upgrade - get files not writeable

    Strange thing is this did always work - ftp or xf upgrades
     
  4. cloud9

    cloud9 Premium Member
    Some screenshots

    FTP connections and CSF all correct - nothing's changed there
     
  5. eva2000

    eva2000 Administrator, Staff Member
    Looks like the destination file might not be owned by nginx user group i.e. you previously uploaded or created public/install directory as root user and not the pure-ftpd virtual FTP user so you get permission denied when uploading to overwrite an existing file on the server owned by root user.

    Getting Started Guide step 2 touches on the issue: make sure all root-user-uploaded files are chowned to the nginx user/group.
     
  6. cloud9

    cloud9 Premium Member
    @eva2000 you were correct, all files were root:nginx and not nginx:nginx

    Which is very bizarre as ftp and xf upgrades used to work around 6 months back so not sure what changed the ownership.....
     
  7. eva2000

    eva2000 Administrator, Staff Member
    Yeah, maybe you did upload and overwrite the files via direct root user at one time?
     
  8. cloud9

    cloud9 Premium Member
    Could have, I haven't the best memory at 55 ;)
     
  9. Jon Snow

    Jon Snow Active Member
    This is why I always run this command whenever I upload as root:
    Code (Text):
    chown -R nginx:nginx /home/nginx/domains/your-domain.com/public

    I have a habit of not using normal FTP users on some servers (too many clog up my FTP program list).
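As an added example (not code from the thread or Centmin Mod), here is a POSIX sh script for the ownership problem eva2000 diagnosed in post 5 and the chown -R remedy Jon Snow runs above: it lists every path under a web root that is not owned by the expected user:group, so you can see the root:nginx files before the FTP upload fails, and then applies the fix. The sample tree it builds under mktemp is constructed for the demo, the function names are mine, and it takes user and group as names or numeric ids so it can be exercised on any box; on the real server you would pass nginx nginx and the thread's /home/nginx/domains/your-domain.com/public path.

```shell
#!/bin/sh
# Added example (not code from the thread or Centmin Mod): find the files under
# a web root that are not owned by the expected user:group, which is the cause
# of the 553 / permission denied in this thread, and the chown -R fix Jon Snow
# uses. User and group may be names or numeric ids, so the functions can be
# exercised on any box with a constructed tree; on the real server pass nginx nginx.

# files_not_owned DIR USER GROUP -> every path under DIR (DIR itself included)
# whose owner or group differs. No output means ownership is consistent.
files_not_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# count_not_owned DIR USER GROUP -> how many such paths there are
count_not_owned() {
    files_not_owned "$1" "$2" "$3" | wc -l | tr -d ' '
}

# fix_ownership DIR USER GROUP -> the thread's remedy, e.g.
#   chown -R nginx:nginx /home/nginx/domains/your-domain.com/public
fix_ownership() {
    chown -R "$2:$3" "$1"
}

# make_sample_tree -> constructed mini XenForo-style web root in a temp dir
# (six paths: the root, install/, data/ and three files); prints its path
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/install" "$d/data"
    printf 'x' > "$d/index.php"
    printf 'x' > "$d/install/upgrade.php"
    printf 'x' > "$d/data/cache.txt"
    printf '%s\n' "$d"
}

# Demo: sh this_script.sh --demo (uses a throwaway uid so every path mismatches)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "paths under $root not owned by 999999:999999:"
    files_not_owned "$root" 999999 999999
    fix_ownership "$root" "$(id -u)" "$(id -g)"
    echo "after chown to $(id -un): $(count_not_owned "$root" "$(id -u)" "$(id -g)") mismatches"
    rm -rf "$root"
fi
```

Running `files_not_owned /home/nginx/domains/your-domain.com/public nginx nginx` before an XF upgrade is the quick way to spot the root-owned files that make pure-ftpd return 553; an empty result means the virtual FTP user (which runs as nginx) can overwrite everything.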