Question

ProFTPD stuck on MLSD

I installed ProFTPD, and sometimes it gets stuck on the MLSD command, but sometimes not…

I enabled the Passive Ports range on the firewall (basic IP tables blocking)

This is my proftpd.conf file:

```
# This is the ProFTPD configuration file
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

#MasqueradeAddress "146.185.135.196"

#PassivePorts 50000 50500
#PassivePorts 30000 35000
#PassivePorts 60000 65535

ServerName "localhost"
PassivePorts 49152 65534
#MasqueradeAddress 146.185.135.196
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on

#PassivePorts 49152 65534

# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine on
DefaultRoot ~ !adm
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c

# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off

# Set the user and group that the server runs as
User nobody
Group nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details

# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql.c

# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
LoadModule mod_sql_passwd.c

# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql_mysql.c

# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql_postgres.c

# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
LoadModule mod_quotatab.c

# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
LoadModule mod_quotatab_file.c

# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
LoadModule mod_quotatab_sql.c

# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
LoadModule mod_ldap.c

# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
LoadModule mod_quotatab_ldap.c

# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
LoadModule mod_radius.c

# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
LoadModule mod_quotatab_radius.c

# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
LoadModule mod_ctrls_admin.c

# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
LoadModule mod_exec.c

# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
LoadModule mod_facl.c

# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
LoadModule mod_geoip.c

# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
LoadModule mod_load.c

# Limit downloads to a multiple of upload volume (see README.ratio)
LoadModule mod_ratio.c

# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
LoadModule mod_rewrite.c

# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
LoadModule mod_sftp.c

# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
LoadModule mod_sftp_pam.c

# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
LoadModule mod_sftp_sql.c

# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
LoadModule mod_shaper.c

# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
LoadModule mod_site_misc.c

# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
LoadModule mod_tls_shmcache.c

# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
LoadModule mod_wrap.c

# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
LoadModule mod_wrap2.c

# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
LoadModule mod_wrap2_file.c

# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
LoadModule mod_wrap2_sql.c

# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
LoadModule mod_ifsession.c

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite ALL:!ADH:!DES
  TLSOptions NoCertRequest
  TLSVerifyClient off
  #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
  TLSLog /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule mod_ban.c
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user ftpadm
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask 022

  # Allow users to overwrite files and change permissions
  AllowOverwrite yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

</Global>

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
  <Anonymous ~ftp>
    User ftp
    Group ftp
    AccessGrantMsg "Anonymous login ok, restrictions apply."

    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias			anonymous ftp

    # Limit the maximum number of anonymous logins
    MaxClients			10 "Sorry, max %m users -- try again later"

    # Put the user into /pub right after login
    #DefaultChdir		/pub

    # We want 'welcome.msg' displayed at login, '.message' displayed in
    # each newly chdired directory and tell users to read README* files.
    DisplayLogin		/welcome.msg
    DisplayChdir		.message
    DisplayReadme		README*

    # Cosmetic option to make all files appear to be owned by user "ftp"
    DirFakeUser			on ftp
    DirFakeGroup		on ftp

    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    # An upload directory that allows storing files but not retrieving
    # or creating directories.
    <Directory uploads/*>
      AllowOverwrite		no
      <Limit READ>
        DenyAll
      </Limit>

      <Limit STOR>
        AllowAll
      </Limit>
    </Directory>

    # Don't write anonymous accesses to the system wtmp file (good idea!)
    WtmpLog			off

    # Logging for the anonymous transfers
    ExtendedLog			/var/log/proftpd/access.log WRITE,READ default
    ExtendedLog			/var/log/proftpd/auth.log AUTH auth

    ExtendedLog /var/log/proftpd/ProFTPd.read.log READ
    ExtendedLog /var/log/proftpd/ProFTPd.write.log WRITE
  </Anonymous>
</IfDefine>
```

The FileZilla log:

```
Status: Connection established, waiting for welcome message…
Response: 220 FTP Server ready.
Command: USER daniel
Response: 331 Password required for daniel
Command: PASS ****************
Response: 230 User daniel logged in
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing…
Command: CWD /Works/Turns
Response: 250 CWD command successful
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (146,185,135,196,231,61).
Command: MLSD
Error: The data connection could not be established: ETIMEDOUT - Connection attempt timed out
```

I tried to install vsftp instead, still the same problem…

And I saw on the internet that this is a very common problem…

Thanks in advance.
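
An added diagnostic example, not part of the original question and not ProFTPD code: it decodes the data endpoint from the `227` reply in the FileZilla log and checks it against the active `PassivePorts` directive and the port ranges the firewall opens. The `firewall_ranges` and `public_ip` arguments are assumptions the operator supplies, and the narrow firewall range in the demo call is constructed for illustration.

```python
import re

# Constructed sample: the 227 reply from the FileZilla log above and the
# PassivePorts lines as they appear in the posted proftpd.conf.
REPLY = "227 Entering Passive Mode (146,185,135,196,231,61)."
CONF = """\
#PassivePorts 50000 50500
PassivePorts 49152 65534
#PassivePorts 49152 65534
"""

def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply of the form (h1,h2,h3,h4,p1,p2)."""
    m = re.search(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in 227 reply")
    # The data port is sent as two bytes: high byte first, then low byte.
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def passive_ranges(conf_text):
    """Return (low, high) for every PassivePorts directive that is not commented out."""
    ranges = []
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 3 and words[0].lower() == "passiveports":
            ranges.append((int(words[1]), int(words[2])))
    return ranges

def diagnose(reply, conf_text, firewall_ranges, public_ip):
    """Compare the advertised endpoint with the config and the firewall openings."""
    host, port = parse_pasv(reply)
    configured = passive_ranges(conf_text)
    findings = []
    if host != public_ip:
        findings.append(f"server advertises {host}, clients reach {public_ip}")
    if configured and not any(lo <= port <= hi for lo, hi in configured):
        findings.append(f"port {port} is outside the configured PassivePorts")
    if not any(lo <= port <= hi for lo, hi in firewall_ranges):
        findings.append(f"port {port} is not opened by the firewall")
    return port, findings

if __name__ == "__main__":
    # Hypothetical firewall that opens only a narrower range than PassivePorts.
    print(diagnose(REPLY, CONF, [(50000, 50500)], "146.185.135.196"))
```

When the firewall opens a narrower range than `PassivePorts`, only the listings whose randomly chosen data port falls inside the opened range succeed, which produces intermittent timeouts like the one in the log.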



For some reason it fixed itself…

No idea how…