Job for proftpd.service failed

Submitted by paulfromsurrey on Sat, 03/05/2016 - 21:10 Pro Licensee

can not turn on proftpd

here is the error

Job for proftpd.service failed because the control process exited with error code. See "systemctl status proftpd.service" and "journalctl -xe" for details.

Status: 
Closed (fixed)

Comments

Submitted by andreychek on Sat, 03/05/2016 - 21:31

Howdy -- what output do you receive if you run the two commands mentioned in your output there?

Also, do you see any errors in /var/log/messages?

Submitted by paulfromsurrey on Sat, 03/05/2016 - 22:05 Pro Licensee

● proftpd.service loaded failed failed ProFTPD FTP Server

[root@ns1 ~]# journalctl -xe

-- Unit session-14.scope has begun starting up. Mar 05 22:50:01 ns1.pcpluscomputing.com CROND[5140]: (root) CMD (/etc/webmin/status/monitor.pl) Mar 05 22:50:01 ns1.pcpluscomputing.com su[5157]: (to postgres) root on none Mar 05 22:50:01 ns1.pcpluscomputing.com su[5157]: pam_unix(su:session): session opened for user postgres by (uid=0) Mar 05 22:50:01 ns1.pcpluscomputing.com su[5157]: pam_unix(su:session): session closed for user postgres Mar 05 22:55:01 ns1.pcpluscomputing.com systemd[1]: Started Session 15 of user root. -- Subject: Unit session-15.scope has finished start-up -- Defined-By: systemd

-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit session-15.scope has finished starting up.

-- The start-up result is done. Mar 05 22:55:01 ns1.pcpluscomputing.com systemd[1]: Starting Session 15 of user root. -- Subject: Unit session-15.scope has begun start-up -- Defined-By: systemd

-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit session-15.scope has begun starting up. Mar 05 22:55:01 ns1.pcpluscomputing.com CROND[5263]: (root) CMD (/etc/webmin/status/monitor.pl) Mar 05 22:55:01 ns1.pcpluscomputing.com su[5302]: (to postgres) root on none Mar 05 22:55:01 ns1.pcpluscomputing.com su[5302]: pam_unix(su:session): session opened for user postgres by (uid=0) Mar 05 22:55:01 ns1.pcpluscomputing.com su[5302]: pam_unix(su:session): session closed for user postgres Mar 05 23:00:01 ns1.pcpluscomputing.com systemd[1]: Started Session 16 of user root. -- Subject: Unit session-16.scope has finished start-up -- Defined-By: systemd

-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit session-16.scope has finished starting up.

-- The start-up result is done. Mar 05 23:00:01 ns1.pcpluscomputing.com systemd[1]: Starting Session 16 of user root. -- Subject: Unit session-16.scope has begun start-up -- Defined-By: systemd

-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit session-16.scope has begun starting up. Mar 05 23:00:01 ns1.pcpluscomputing.com CROND[5415]: (root) CMD (/etc/webmin/status/monitor.pl) Mar 05 23:00:02 ns1.pcpluscomputing.com su[5432]: (to postgres) root on none Mar 05 23:00:02 ns1.pcpluscomputing.com su[5432]: pam_unix(su:session): session opened for user postgres by (uid=0) Mar 05 23:00:02 ns1.pcpluscomputing.com su[5432]: pam_unix(su:session): session closed for user postgres Mar 05 23:01:01 ns1.pcpluscomputing.com systemd[1]: Started Session 17 of user root. -- Subject: Unit session-17.scope has finished start-up -- Defined-By: systemd

-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit session-17.scope has finished starting up.

-- The start-up result is done. Mar 05 23:01:01 ns1.pcpluscomputing.com systemd[1]: Starting Session 17 of user root. -- Subject: Unit session-17.scope has begun start-up -- Defined-By: systemd

-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit session-17.scope has begun starting up. Mar 05 23:01:01 ns1.pcpluscomputing.com CROND[5536]: (root) CMD (run-parts /etc/cron.hourly) Mar 05 23:01:01 ns1.pcpluscomputing.com run-parts(/etc/cron.hourly)[5539]: starting 0anacron Mar 05 23:01:01 ns1.pcpluscomputing.com run-parts(/etc/cron.hourly)[5545]: finished 0anacron Mar 05 23:01:01 ns1.pcpluscomputing.com run-parts(/etc/cron.hourly)[5547]: starting 0yum-hourly.cron Mar 05 23:01:01 ns1.pcpluscomputing.com run-parts(/etc/cron.hourly)[5551]: finished 0yum-hourly.cron Mar 05 23:01:01 ns1.pcpluscomputing.com run-parts(/etc/cron.hourly)[5553]: starting awstats Mar 05 23:01:01 ns1.pcpluscomputing.com run-parts(/etc/cron.hourly)[5557]: finished awstats +++++++++++++++ logs Mar 5 22:49:26 ns1 NetworkManager[987]: (eno1): DHCPv4 state changed bound -> bound Mar 5 22:49:26 ns1 dhclient[1357]: bound to 192.168.1.113 -- renewal in 3319 seconds. Mar 5 22:49:26 ns1 dbus[904]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' Mar 5 22:49:26 ns1 dbus-daemon: dbus[904]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' Mar 5 22:49:26 ns1 systemd: Starting Network Manager Script Dispatcher Service... Mar 5 22:49:26 ns1 dbus[904]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher' Mar 5 22:49:26 ns1 systemd: Started Network Manager Script Dispatcher Service. Mar 5 22:49:26 ns1 dbus-daemon: dbus[904]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher' Mar 5 22:49:26 ns1 nm-dispatcher: Dispatching action 'dhcp4-change' for eno1 Mar 5 22:50:01 ns1 systemd: Started Session 14 of user root. Mar 5 22:50:01 ns1 systemd: Starting Session 14 of user root. Mar 5 22:50:01 ns1 su: (to postgres) root on none Mar 5 22:55:01 ns1 systemd: Started Session 15 of user root. Mar 5 22:55:01 ns1 systemd: Starting Session 15 of user root. Mar 5 22:55:01 ns1 su: (to postgres) root on none Mar 5 23:00:01 ns1 systemd: Started Session 16 of user root. Mar 5 23:00:01 ns1 systemd: Starting Session 16 of user root. Mar 5 23:00:02 ns1 su: (to postgres) root on none Mar 5 23:01:01 ns1 systemd: Started Session 17 of user root. Mar 5 23:01:01 ns1 systemd: Starting Session 17 of user root.

Submitted by andreychek on Sat, 03/05/2016 - 23:27

Hmm, I don't see any errors there related to ProFTPd.

Could you paste in the contents of your /etc/proftpd.conf file? Perhaps something will stand out there that would explain the issue you're seeing.

Submitted by paulfromsurrey on Sat, 03/05/2016 - 23:53 Pro Licensee

This is the ProFTPD configuration file

#

See: http://www.proftpd.org/docs/directives/linked/by-name.html Security-Enhanced Linux (SELinux) Notes:

#

In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux in order to mitigate the effects of an attacker taking advantage of an unpatched vulnerability and getting control of the ftp server. By default, ProFTPD cannot read or write most files on a system nor connect to many external network services, but these restrictions can be relaxed by setting SELinux booleans as follows:

#

setsebool -P allow_ftpd_anon_write=1 This allows the ftp daemon to write to files and directories labelled with the public_content_rw_t context type; the daemon would only have read access to these files normally. Files to be made available by ftp but not writeable should be labelled public_content_t.

#

setsebool -P allow_ftpd_full_access=1 This allows the ftp daemon to read and write all files on the system.

#

setsebool -P allow_ftpd_use_cifs=1 This allows the ftp daemon to read and write files on CIFS-mounted filesystems.

#

setsebool -P allow_ftpd_use_nfs=1 This allows the ftp daemon to read and write files on NFS-mounted filesystems.

#

setsebool -P ftp_home_dir=1 This allows the ftp daemon to read and write files in users' home directories.

#

setsebool -P ftpd_connect_all_unreserved=1 This setting is only available from Fedora 16/RHEL-7 onwards, and is necessary for active-mode ftp transfers to work reliably with non-Linux clients (see http://bugzilla.redhat.com/782177), which may choose to use port numbers outside the "ephemeral port" range of 32768-61000.

#

setsebool -P ftpd_connect_db=1 This setting allows the ftp daemon to connect to commonly-used database ports over the network, which is necessary if you are using a database back-end for user authentication, etc.

#

setsebool -P ftpd_is_daemon=1 This setting is available only in Fedora releases 4 to 6 and Red Hat Enterprise Linux 5. It should be set if ProFTPD is running in standalone mode, and unset if running in inetd mode.

#

setsebool -P ftpd_disable_trans=1 This setting is available only in Fedora releases 4 to 6 and Red Hat Enterprise Linux 5, and when set it removes the SELinux confinement of the ftp daemon. Needless to say, its use is not recommended.

#

All of these booleans are unset by default.

#

See also the "ftpd_selinux" manpage.

#

Note that the "-P" option to setsebool makes the setting permanent, i.e. it will still be in effect after a reboot; without the "-P" option, the effect only lasts until the next reboot.

#

Restrictions imposed by SELinux are on top of those imposed by ordinary file ownership and access permissions; in normal operation, the ftp daemon will not be able to read and/or write a file unless all of the ownership, permission and SELinux restrictions allow it. Server Config - config used for anything outside a or context See: http://www.proftpd.org/docs/howto/Vhost.html Trace logging, disabled by default for performance reasons (http://www.proftpd.org/docs/howto/Tracing.html) TraceLog /var/log/proftpd/trace.log Trace DEFAULT:0

ServerName "ProFTPD server" ServerIdent on "FTP Server ready." ServerAdmin root@localhost DefaultServer on

Cause every FTP user except adm to be chrooted into their home directory

DefaultRoot ~ !adm

Use pam to authenticate (default) and be authoritative

AuthPAMConfig proftpd AuthOrder mod_auth_pam.c* mod_auth_unix.c

If you use NIS/YP/LDAP you may need to disable PersistentPasswd PersistentPasswd off Don't do reverse DNS lookups (hangs on DNS problems)

UseReverseDNS off

Set the user and group that the server runs as

User nobody Group nobody

To prevent DoS attacks, set the maximum number of child processes to 20. If you need to allow more than 20 concurrent connections at once, simply increase this value. Note that this ONLY works in standalone mode; in inetd mode you should use an inetd server that allows you to limit maximum number of processes per service (such as xinetd)

MaxInstances 20

Disable sendfile by default since it breaks displaying the download speeds in ftptop and ftpwho

UseSendfile off

Define the log formats

LogFormat default "%h %l %u %t \"%r\" %s %b" LogFormat auth "%v [%P] %h %t \"%r\" %s"

Dynamic Shared Object (DSO) loading See README.DSO and howto/DSO.html for more details

#

General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql.c

#

Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables (contrib/mod_sql_passwd.html) LoadModule mod_sql_passwd.c

#

Mysql support (requires proftpd-mysql package) (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql_mysql.c

#

Postgresql support (requires proftpd-postgresql package) (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql_postgres.c

#

Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html) LoadModule mod_quotatab.c

#

File-specific "driver" for storing quota table information in files (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) LoadModule mod_quotatab_file.c

#

SQL database "driver" for storing quota table information in SQL tables (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) LoadModule mod_quotatab_sql.c

#

LDAP support (requires proftpd-ldap package) (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) LoadModule mod_ldap.c

#

LDAP quota support (requires proftpd-ldap package) (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) LoadModule mod_quotatab_ldap.c

#

Support for authenticating users using the RADIUS protocol (http://www.proftpd.org/docs/contrib/mod_radius.html) LoadModule mod_radius.c

#

Retrieve quota limit table information from a RADIUS server (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) LoadModule mod_quotatab_radius.c

#

SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be used to copy files/directories from one place to another on the server without having to transfer the data to the client and back (http://www.castaglia.org/proftpd/modules/mod_copy.html) LoadModule mod_copy.c

#

Administrative control actions for the ftpdctl program (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)

LoadModule mod_ctrls_admin.c #

Support for MODE Z commands, which allows FTP clients and servers to compress data for transfer (http://www.castaglia.org/proftpd/modules/mod_deflate.html) LoadModule mod_deflate.c

#

Execute external programs or scripts at various points in the process of handling FTP commands (http://www.castaglia.org/proftpd/modules/mod_exec.html) LoadModule mod_exec.c

#

Support for POSIX ACLs (http://www.proftpd.org/docs/modules/mod_facl.html) LoadModule mod_facl.c

#

Support for using the GeoIP library to look up geographical information on the connecting client and using that to set access controls for the server (http://www.castaglia.org/proftpd/modules/mod_geoip.html) LoadModule mod_geoip.c

#

Allow for version-specific configuration sections of the proftpd config file, useful for using the same proftpd config across multiple servers where different proftpd versions may be in use (http://www.castaglia.org/proftpd/modules/mod_ifversion.html) LoadModule mod_ifversion.c

#

Configure server availability based on system load (http://www.proftpd.org/docs/contrib/mod_load.html) LoadModule mod_load.c

#

Limit downloads to a multiple of upload volume (see README.ratio) LoadModule mod_ratio.c

#

Rewrite FTP commands sent by clients on-the-fly, using regular expression matching and substitution (http://www.proftpd.org/docs/contrib/mod_rewrite.html) LoadModule mod_rewrite.c

#

Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) LoadModule mod_sftp.c

#

Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) LoadModule mod_sftp_pam.c

#

Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user and host based authentication (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) LoadModule mod_sftp_sql.c

#

Provide data transfer rate "shaping" across the entire server (http://www.castaglia.org/proftpd/modules/mod_shaper.html) LoadModule mod_shaper.c

#

Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) LoadModule mod_site_misc.c

#

Provide an external SSL session cache using shared memory (contrib/mod_tls_shmcache.html) LoadModule mod_tls_shmcache.c

#

Provide a memcached-based implementation of an external SSL session cache (contrib/mod_tls_memcache.html) LoadModule mod_tls_memcache.c

#

Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny files, for IP-based access control (http://www.proftpd.org/docs/contrib/mod_wrap.html) LoadModule mod_wrap.c

#

Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny files, as well as SQL-based access rules, for IP-based access control (http://www.proftpd.org/docs/contrib/mod_wrap2.html) LoadModule mod_wrap2.c

#

Support module for mod_wrap2 that handles access rules stored in specially formatted files on disk (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) LoadModule mod_wrap2_file.c

#

Support module for mod_wrap2 that handles access rules stored in SQL database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) LoadModule mod_wrap2_sql.c

#

Implement a virtual chroot capability that does not require root privileges (http://www.castaglia.org/proftpd/modules/mod_vroot.html) Using this module rather than the kernel's chroot() system call works around issues with PAM and chroot (http://bugzilla.redhat.com/506735)

LoadModule mod_vroot.c #

Provide a flexible way of specifying that certain configuration directives only apply to certain sessions, based on credentials such as connection class, user, or group membership (http://www.proftpd.org/docs/contrib/mod_ifsession.html) LoadModule mod_ifsession.c Allow only user root to load and unload modules, but allow everyone to see which modules have been loaded (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs)

ModuleControlsACLs insmod,rmmod allow user root ModuleControlsACLs lsmod allow user *

Enable basic controls via ftpdctl (http://www.proftpd.org/docs/modules/mod_ctrls.html)

ControlsEngine on ControlsACLs all allow user root ControlsSocketACL allow user * ControlsLog /var/log/proftpd/controls.log

Enable admin controls via ftpdctl (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)

AdminControlsEngine on AdminControlsACLs all allow user root

Enable mod_vroot by default for better compatibility with PAM (http://bugzilla.redhat.com/506735)

VRootEngine on

TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)

TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log TLSSessionCache shm:/file=/var/run/proftpd/sesscache

Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd

LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tab

# If the same client reaches the MaxLoginAttempts limit 2 times # within 10 minutes, automatically add a ban for that client that # will expire after one hour. BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

# Inform the user that it's not worth persisting BanMessage "Host %a has been banned"

# Allow the FTP admin to manually add/remove bans BanControlsACLs all allow user ftpadm

Set networking-specific "Quality of Service" (QoS) bits on the packets used by the server (contrib/mod_qos.html)

LoadModule mod_qos.c # RFC791 TOS parameter compatibility QoSOptions dataqos throughput ctrlqos lowdelay # For a DSCP environment (may require tweaking) #QoSOptions dataqos CS2 ctrlqos AF41

Global Config - config common to Server Config and all virtual hosts See: http://www.proftpd.org/docs/howto/Vhost.html

# Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 022

# Allow users to overwrite files and change permissions AllowOverwrite yes AllowAll

A basic anonymous configuration, with an upload directory Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd

User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply."

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias           anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients          10 "Sorry, max %m users -- try again later"

# Put the user into /pub right after login
#DefaultChdir       /pub

# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files. 
DisplayLogin        /welcome.msg
DisplayChdir        .message
DisplayReadme       README*

# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser         on ftp
DirFakeGroup        on ftp

# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
  DenyAll
</Limit>

# An upload directory that allows storing files but not retrieving
# or creating directories.
#
# Directory specification is slightly different if mod_vroot is in
# use: see http://sourceforge.net/p/proftp/mailman/message/31728570/
#          https://bugzilla.redhat.com/show_bug.cgi?id=1045922
<IfModule mod_vroot.c>
  <Directory /uploads/*>
    AllowOverwrite      no
    <Limit READ>
      DenyAll
    </Limit>

    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</IfModule>
<IfModule !mod_vroot.c>
  <Directory uploads/*>
    AllowOverwrite      no
    <Limit READ>
      DenyAll
    </Limit>

    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</IfModule>

# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog         off

# Logging for the anonymous transfers
ExtendedLog         /var/log/proftpd/access.log WRITE,READ default
ExtendedLog         /var/log/proftpd/auth.log AUTH auth

LoadModule mod_sftp.c 

SFTPEngine on
Port 2222
SFTPLog /var/log/proftpd/sftp.log

SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

Submitted by andreychek on Sun, 03/06/2016 - 00:13

Okay, try commenting out these lines at the end:

SFTPEngine on
    Port 2222
    SFTPLog /var/log/proftpd/sftp.log

    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key

After commenting those out, restart ProFTPd... do things work for you at that point?

Submitted by paulfromsurrey on Sun, 03/06/2016 - 00:21 Pro Licensee

I done this and still not working

SFTPEngine on 
Port 2222
SFTPLog /var/log/proftpd/sftp.log

SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

Submitted by paulfromsurrey on Sun, 03/06/2016 - 00:23 Pro Licensee

ok now this is working thanks

Submitted by paulfromsurrey on Wed, 03/09/2016 - 00:44 Pro Licensee

Hello sir i have the same issue on fresh install

Submitted by paulfromsurrey on Wed, 03/09/2016 - 00:53 Pro Licensee

Error message

Failed to start service : Job for proftpd.service failed because the control process exited with error code. See "systemctl status proftpd.service" and "journalctl -xe" for details.

here is the config file

This is the ProFTPD configuration file

#

See: http://www.proftpd.org/docs/directives/linked/by-name.html Security-Enhanced Linux (SELinux) Notes:

#

In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux in order to mitigate the effects of an attacker taking advantage of an unpatched vulnerability and getting control of the ftp server. By default, ProFTPD cannot read or write most files on a system nor connect to many external network services, but these restrictions can be relaxed by setting SELinux booleans as follows:

#

setsebool -P allow_ftpd_anon_write=1 This allows the ftp daemon to write to files and directories labelled with the public_content_rw_t context type; the daemon would only have read access to these files normally. Files to be made available by ftp but not writeable should be labelled public_content_t.

#

setsebool -P allow_ftpd_full_access=1 This allows the ftp daemon to read and write all files on the system.

#

setsebool -P allow_ftpd_use_cifs=1 This allows the ftp daemon to read and write files on CIFS-mounted filesystems.

#

setsebool -P allow_ftpd_use_nfs=1 This allows the ftp daemon to read and write files on NFS-mounted filesystems.

#

setsebool -P ftp_home_dir=1 This allows the ftp daemon to read and write files in users' home directories.

#

setsebool -P ftpd_connect_all_unreserved=1 This setting is only available from Fedora 16/RHEL-7 onwards, and is necessary for active-mode ftp transfers to work reliably with non-Linux clients (see http://bugzilla.redhat.com/782177), which may choose to use port numbers outside the "ephemeral port" range of 32768-61000.

#

setsebool -P ftpd_connect_db=1 This setting allows the ftp daemon to connect to commonly-used database ports over the network, which is necessary if you are using a database back-end for user authentication, etc.

#

setsebool -P ftpd_is_daemon=1 This setting is available only in Fedora releases 4 to 6 and Red Hat Enterprise Linux 5. It should be set if ProFTPD is running in standalone mode, and unset if running in inetd mode.

#

setsebool -P ftpd_disable_trans=1 This setting is available only in Fedora releases 4 to 6 and Red Hat Enterprise Linux 5, and when set it removes the SELinux confinement of the ftp daemon. Needless to say, its use is not recommended.

#

All of these booleans are unset by default.

#

See also the "ftpd_selinux" manpage.

#

Note that the "-P" option to setsebool makes the setting permanent, i.e. it will still be in effect after a reboot; without the "-P" option, the effect only lasts until the next reboot.

#

Restrictions imposed by SELinux are on top of those imposed by ordinary file ownership and access permissions; in normal operation, the ftp daemon will not be able to read and/or write a file unless all of the ownership, permission and SELinux restrictions allow it. Server Config - config used for anything outside a or context See: http://www.proftpd.org/docs/howto/Vhost.html Trace logging, disabled by default for performance reasons (http://www.proftpd.org/docs/howto/Tracing.html) TraceLog /var/log/proftpd/trace.log Trace DEFAULT:0

ServerName "ProFTPD server" ServerIdent on "FTP Server ready." ServerAdmin root@localhost DefaultServer on

Cause every FTP user except adm to be chrooted into their home directory

DefaultRoot ~ !adm

Use pam to authenticate (default) and be authoritative

AuthPAMConfig proftpd AuthOrder mod_auth_pam.c* mod_auth_unix.c

If you use NIS/YP/LDAP you may need to disable PersistentPasswd PersistentPasswd off Don't do reverse DNS lookups (hangs on DNS problems)

UseReverseDNS off

Set the user and group that the server runs as

User nobody Group nobody

To prevent DoS attacks, set the maximum number of child processes to 20. If you need to allow more than 20 concurrent connections at once, simply increase this value. Note that this ONLY works in standalone mode; in inetd mode you should use an inetd server that allows you to limit maximum number of processes per service (such as xinetd)

MaxInstances 20

Disable sendfile by default since it breaks displaying the download speeds in ftptop and ftpwho

UseSendfile off

Define the log formats

LogFormat default "%h %l %u %t \"%r\" %s %b" LogFormat auth "%v [%P] %h %t \"%r\" %s"

Dynamic Shared Object (DSO) loading See README.DSO and howto/DSO.html for more details

#

General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql.c

#

Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables (contrib/mod_sql_passwd.html) LoadModule mod_sql_passwd.c

#

Mysql support (requires proftpd-mysql package) (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql_mysql.c

#

Postgresql support (requires proftpd-postgresql package) (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql_postgres.c

#

Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html) LoadModule mod_quotatab.c

#

File-specific "driver" for storing quota table information in files (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) LoadModule mod_quotatab_file.c

#

SQL database "driver" for storing quota table information in SQL tables (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) LoadModule mod_quotatab_sql.c

#

LDAP support (requires proftpd-ldap package) (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) LoadModule mod_ldap.c

#

LDAP quota support (requires proftpd-ldap package) (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) LoadModule mod_quotatab_ldap.c

#

Support for authenticating users using the RADIUS protocol (http://www.proftpd.org/docs/contrib/mod_radius.html) LoadModule mod_radius.c

#

Retrieve quota limit table information from a RADIUS server (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) LoadModule mod_quotatab_radius.c

#

SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be used to copy files/directories from one place to another on the server without having to transfer the data to the client and back (http://www.castaglia.org/proftpd/modules/mod_copy.html) LoadModule mod_copy.c

#

Administrative control actions for the ftpdctl program (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)

LoadModule mod_ctrls_admin.c #

Support for MODE Z commands, which allows FTP clients and servers to compress data for transfer (http://www.castaglia.org/proftpd/modules/mod_deflate.html) LoadModule mod_deflate.c

#

Execute external programs or scripts at various points in the process of handling FTP commands (http://www.castaglia.org/proftpd/modules/mod_exec.html) LoadModule mod_exec.c

#

Support for POSIX ACLs (http://www.proftpd.org/docs/modules/mod_facl.html) LoadModule mod_facl.c

#

Support for using the GeoIP library to look up geographical information on the connecting client and using that to set access controls for the server (http://www.castaglia.org/proftpd/modules/mod_geoip.html) LoadModule mod_geoip.c

#

Allow for version-specific configuration sections of the proftpd config file, useful for using the same proftpd config across multiple servers where different proftpd versions may be in use (http://www.castaglia.org/proftpd/modules/mod_ifversion.html) LoadModule mod_ifversion.c

#

Configure server availability based on system load (http://www.proftpd.org/docs/contrib/mod_load.html) LoadModule mod_load.c

#

Limit downloads to a multiple of upload volume (see README.ratio) LoadModule mod_ratio.c

#

Rewrite FTP commands sent by clients on-the-fly, using regular expression matching and substitution (http://www.proftpd.org/docs/contrib/mod_rewrite.html) LoadModule mod_rewrite.c

#

Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) LoadModule mod_sftp.c

#

Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) LoadModule mod_sftp_pam.c

#

Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user and host based authentication (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) LoadModule mod_sftp_sql.c

#

Provide data transfer rate "shaping" across the entire server (http://www.castaglia.org/proftpd/modules/mod_shaper.html) LoadModule mod_shaper.c

#

Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) LoadModule mod_site_misc.c

#

Provide an external SSL session cache using shared memory (contrib/mod_tls_shmcache.html) LoadModule mod_tls_shmcache.c

#

Provide a memcached-based implementation of an external SSL session cache (contrib/mod_tls_memcache.html) LoadModule mod_tls_memcache.c

#

Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny files, for IP-based access control (http://www.proftpd.org/docs/contrib/mod_wrap.html) LoadModule mod_wrap.c

#

Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny files, as well as SQL-based access rules, for IP-based access control (http://www.proftpd.org/docs/contrib/mod_wrap2.html) LoadModule mod_wrap2.c

#

Support module for mod_wrap2 that handles access rules stored in specially formatted files on disk (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) LoadModule mod_wrap2_file.c

#

Support module for mod_wrap2 that handles access rules stored in SQL database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) LoadModule mod_wrap2_sql.c

#

Implement a virtual chroot capability that does not require root privileges (http://www.castaglia.org/proftpd/modules/mod_vroot.html) Using this module rather than the kernel's chroot() system call works around issues with PAM and chroot (http://bugzilla.redhat.com/506735)

LoadModule mod_vroot.c #

Provide a flexible way of specifying that certain configuration directives only apply to certain sessions, based on credentials such as connection class, user, or group membership (http://www.proftpd.org/docs/contrib/mod_ifsession.html) LoadModule mod_ifsession.c Allow only user root to load and unload modules, but allow everyone to see which modules have been loaded (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs)

ModuleControlsACLs insmod,rmmod allow user root ModuleControlsACLs lsmod allow user *

Enable basic controls via ftpdctl (http://www.proftpd.org/docs/modules/mod_ctrls.html)

ControlsEngine on ControlsACLs all allow user root ControlsSocketACL allow user * ControlsLog /var/log/proftpd/controls.log

Enable admin controls via ftpdctl (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)

AdminControlsEngine on AdminControlsACLs all allow user root

Enable mod_vroot by default for better compatibility with PAM (http://bugzilla.redhat.com/506735)

VRootEngine on

TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)

TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log TLSSessionCache shm:/file=/var/run/proftpd/sesscache

Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd

LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tab

# If the same client reaches the MaxLoginAttempts limit 2 times # within 10 minutes, automatically add a ban for that client that # will expire after one hour. BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

# Inform the user that it's not worth persisting BanMessage "Host %a has been banned"

# Allow the FTP admin to manually add/remove bans BanControlsACLs all allow user ftpadm

Set networking-specific "Quality of Service" (QoS) bits on the packets used by the server (contrib/mod_qos.html)

LoadModule mod_qos.c # RFC791 TOS parameter compatibility QoSOptions dataqos throughput ctrlqos lowdelay # For a DSCP environment (may require tweaking) #QoSOptions dataqos CS2 ctrlqos AF41

Global Config - config common to Server Config and all virtual hosts See: http://www.proftpd.org/docs/howto/Vhost.html

# Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 022

# Allow users to overwrite files and change permissions AllowOverwrite yes AllowAll

A basic anonymous configuration, with an upload directory Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd

User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply."

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias           anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients          10 "Sorry, max %m users -- try again later"

# Put the user into /pub right after login
#DefaultChdir       /pub

# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files. 
DisplayLogin        /welcome.msg
DisplayChdir        .message
DisplayReadme       README*

# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser         on ftp
DirFakeGroup        on ftp

# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
  DenyAll
</Limit>

# An upload directory that allows storing files but not retrieving
# or creating directories.
#
# Directory specification is slightly different if mod_vroot is in
# use: see http://sourceforge.net/p/proftp/mailman/message/31728570/
#          https://bugzilla.redhat.com/show_bug.cgi?id=1045922
<IfModule mod_vroot.c>
  <Directory /uploads/*>
    AllowOverwrite      no
    <Limit READ>
      DenyAll
    </Limit>

    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</IfModule>
<IfModule !mod_vroot.c>
  <Directory uploads/*>
    AllowOverwrite      no
    <Limit READ>
      DenyAll
    </Limit>

    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</IfModule>

# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog         off

# Logging for the anonymous transfers
ExtendedLog         /var/log/proftpd/access.log WRITE,READ default
ExtendedLog         /var/log/proftpd/auth.log AUTH auth

LoadModule mod_sftp.c

# SFTPEngine on # Port 2222 #SFTPLog /var/log/proftpd/sftp.log

#SFTPHostKey /etc/ssh/ssh_host_rsa_key

#SFTPHostKey /etc/ssh/ssh_host_dsa_key

Submitted by andreychek on Wed, 03/09/2016 - 00:55

Understood... we're working on a fix for that, but in the meantime you'll need to perform the steps mentioned above to correct that issue.

Submitted by paulfromsurrey on Wed, 03/09/2016 - 01:08 Pro Licensee

i did the isssue it is still not starting

SFTPEngine on

# Port 2222 #SFTPLog /var/log/proftpd/sftp.log

#SFTPHostKey /etc/ssh/ssh_host_rsa_key

#SFTPHostKey /etc/ssh/ssh_host_dsa_key

Submitted by paulfromsurrey on Wed, 03/09/2016 - 08:44 Pro Licensee

any other solution to turn on proftpd

Submitted by andreychek on Wed, 03/09/2016 - 10:09

Ah, it sounds like you may be seeing a different error then. What error message(s) are you seeing in the logs when trying to start ProFTPd?

Submitted by paulfromsurrey on Wed, 03/09/2016 - 11:30 Pro Licensee

Status: Active » Closed (fixed)