FTP login incorrect?

#1 Thu, 01/25/2007 - 11:59
SeanKelly

Hi all,

I installed Webmin & Virtualmin yesterday on my VPS (CentOS 4.4/i386). All has been going well, though when I set up a new domain and user, the user cannot access the home directory. Error is 'incorrect login'.

There was a /bin/false error on install; added this to /etc/shells as instructed (very nice).

Any ideas as to why the vhost works on http but user cannot access via ftp to upload files?

Scoured the forum and tried a few suggestions...still no go.

Thanks.

Thu, 01/25/2007 - 12:05
Joe

Hey Sean,

It's hard to say without more data.

We'd need to know what FTP server you're using (ProFTPd and vsftpd are "supported", though any FTP server that can authenticate via PAM or shadow should work with proper configuration), and what's showing up in the relevant log file(s) (I dunno what logs to point you to, since we don't know the FTP server). Probably messages and secure will be the right place to look.

--

Check out the forum guidelines!

Thu, 01/25/2007 - 12:12
SeanKelly

Hi Joe,

Using ProFTPd, checked /var/log/proftpd yet there are no files in there...

S

Thu, 01/25/2007 - 12:24 (Reply to #3)
Joe

Yeah, I don't understand ProFTPd logging either...it creates proftpd logs and directories, but by default it logs to /var/log/messages and /var/log/secure.

Thu, 01/25/2007 - 12:46
SeanKelly

ahh gotta love noobs

k, so /var/log/messages

Jan 25 10:23:07 myserver proftpd[20038]: myserver.com (client hostname[IP addy]) - FTP session opened.
Jan 25 10:23:07 myserver proftpd[20038]: myserver.com (client hostname[IP addy]) - FTP session closed.
Jan 25 10:23:19 myserver proftpd[20242]: myserver.com (client hostname[IP addy]) - FTP session opened.
Jan 25 10:23:19 myserver proftpd[20242]: myserver.com (client hostname[IP addy]) - FTP session closed.

And /var/log/secure

Jan 25 10:23:02 myserver xinetd[28271]: START: ftp pid=20038 from=ip addy
Jan 25 10:23:07 myserver proftpd[20038]: myserver.com (client hostname[ip addy]) - USER sk3lly (Login failed): Limit access denies login
Jan 25 10:23:07 myserver xinetd[28271]: EXIT: ftp pid=20038 duration=5(sec)
Jan 25 10:23:19 myserver xinetd[28271]: START: ftp pid=20242 from=ip addy
Jan 25 10:23:19 myserver proftpd[20242]: myserver.com (client hostname[ip addy]) - USER sk3lly (Login failed): Limit access denies login

Using BulletProof FTP client, which shows:

Connecting to ftp.myvirtualdomain.ca port 21
Connected, waiting for response...
220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [IP addy]
USER sk3lly
331 Password required for sk3lly.
PASS (not shown)
530 Login incorrect.
Not logged in.
Delaying for 10 seconds before reconnect...

Reconnecting - try #1
Connected, waiting for response...
220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [IP addy]
USER sk3lly
331 Password required for sk3lly.
PASS (not shown)
530 Login incorrect.
Not logged in.
Delaying for 10 seconds before reconnect...
Disconnected.

Thu, 01/25/2007 - 12:57 (Reply to #5)
Joe

Hey Sean,

That message indicates you've got some access control rules in ProFTPd that are preventing login. I'm a bit of a newbie myself with regards to ProFTPd configuration, so I'm not sure exactly what to point you to...but if you post your /etc/proftpd.conf (or /etc/proftpd/proftpd.conf, depending on version) file, I bet we can help you spot the trouble.

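Added example, not part of the original thread: the FTP client only ever sees "530 Login incorrect", while /var/log/secure records the actual reason, so this sketch groups ProFTPd "Login failed" lines by user and reason to separate access-control denials from credential failures. The sample lines are constructed (the first two mirror the excerpt above with a placeholder host and address; the "Incorrect password" line is added for contrast), and `classify` and `triage` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample: lines 1-2 mirror the /var/log/secure excerpt in this
# thread (placeholder client host/IP); line 3 is added for contrast.
SAMPLE = """\
Jan 25 10:23:07 myserver proftpd[20038]: myserver.com (client.example[192.0.2.10]) - USER sk3lly (Login failed): Limit access denies login
Jan 25 10:23:19 myserver proftpd[20242]: myserver.com (client.example[192.0.2.10]) - USER sk3lly (Login failed): Limit access denies login
Jan 25 10:24:02 myserver proftpd[20311]: myserver.com (client.example[192.0.2.10]) - USER bob (Login failed): Incorrect password
Jan 25 10:24:07 myserver xinetd[28271]: EXIT: ftp pid=20311 duration=5(sec)
"""

# Tolerates doubled brackets ("proftpd[[20038]]") as some forum pastes show them.
FAILED = re.compile(
    r"proftpd\[+(?P<pid>\d+)\]+: .*? - USER (?P<user>\S+) "
    r"\(Login failed\): (?P<reason>.+)$"
)

def classify(reason):
    """Map the server-side reason to a coarse category."""
    if "Limit" in reason and "denies login" in reason:
        return "access-control"   # a <Limit LOGIN> rule, not a bad password
    if "password" in reason.lower():
        return "credentials"
    return "other"

def triage(log_text):
    """Count failed logins per (user, category, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            reason = m.group("reason").strip()
            counts[(m.group("user"), classify(reason), reason)] += 1
    return counts

if __name__ == "__main__":
    for (user, kind, reason), n in sorted(triage(SAMPLE).items()):
        print(f"{user:10} {kind:15} x{n}  {reason}")
```
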

Thu, 01/25/2007 - 14:01 (Reply to #6)
SeanKelly

K, here is the proftpd.conf pulled from within Webmin:

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType inetd
DefaultServer on

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# Disable IdentLookups by default
IdentLookups off

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
AllowStoreRestart on
AllowRetrieveRestart on
</Directory>

# Needed for NIS.
PersistentPasswd off

# A basic anonymous configuration, no upload directories.
#<Anonymous ~ftp>
# User ftp
# Group ftp
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
# RequireValidShell off
# AnonRequirePassword off
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE>
# DenyAll
# </Limit>
#
#</Anonymous>

# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
# DefaultRoot /home/foo foo

# By default webadmin access to /var/www

DefaultChdir /var/www webadmin

<Limit LOGIN>
AllowGroup ftpusers
DenyAll
</Limit>

Thu, 01/25/2007 - 14:17 (Reply to #7)
Joe

Here's the offending section:

<Limit LOGIN>
AllowGroup ftpusers
DenyAll
</Limit>

If this is a dedicated hosting box, just take this out. (Everybody who has a shell will presumably need FTP access...this is how Virtualmin ordinarily sets FTP access or not...either /dev/null for no access, or any shell in /etc/shells for FTP access to the user's home.)

If it isn't a dedicated hosting box, and you have some users that have shell access (probably including ssh) but you don't want them to have FTP for some reason, you'll need to configure Virtualmin to add new server account users to the ftpusers group (actually I think this has trickled back down into the Users and Groups module, which won't make it easy to make this change only for Virtualmin users...).

You're also chdiring folks into a place that probably isn't writable for them with this line:

DefaultChdir /var/www webadmin

Even if this is writable, you almost certainly don't want them putting their stuff there...it's not where the webserver will be looking for the virtual domain's content. By default, it'll be looking in /home/domainname/public_html, but even if you've switched over to using /var/www, it'll go into /var/www/domainname/public_html. In both cases, /var/www isn't a sensible starting place for your users.

They'll go straight to their home directory without this line...which is what you almost certainly want.

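Added example, not part of the original thread: a small audit of the `<Limit LOGIN>` section discussed above, showing why a newly created user who is not in `ftpusers` is refused before the password is ever considered. The config excerpt is constructed from the directives quoted in the thread, group memberships are passed in as constructed data, `login_limits` and `may_login` are hypothetical helper names, and the check is a simplification that matches names literally and does not parse ProFTPD group expressions or `Order`.

```python
import re

# Constructed excerpt reproducing the directives quoted in this thread.
CONF = """\
# DefaultRoot /home/foo foo
DefaultChdir /var/www webadmin

<Limit LOGIN>
AllowGroup ftpusers
DenyAll
</Limit>
"""

def login_limits(conf_text):
    """Return one dict per uncommented <Limit ...> section that covers LOGIN."""
    sections, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        opened = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if opened:
            cmds = opened.group(1).upper().split()
            current = ({"groups": set(), "users": set(), "deny_all": False}
                       if "LOGIN" in cmds else None)
        elif re.match(r"</Limit>", line, re.I):
            if current is not None:
                sections.append(current)
            current = None
        elif current is not None:
            key, *args = line.split()
            if key.lower() == "allowgroup":
                current["groups"].update(args)
            elif key.lower() == "allowuser":
                current["users"].update(args)
            elif key.lower() == "denyall":
                current["deny_all"] = True
    return sections

def may_login(user, user_groups, sections):
    """Simplified: DenyAll refuses anyone not named by AllowUser/AllowGroup."""
    for s in sections:
        allowed = user in s["users"] or bool(s["groups"] & set(user_groups))
        if s["deny_all"] and not allowed:
            return False
    return True

if __name__ == "__main__":
    print(may_login("sk3lly", ["sk3lly"], login_limits(CONF)))  # not in ftpusers
```
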

Thu, 01/25/2007 - 13:13
SeanKelly

Uhh I just noticed the following on the main VM page.

Virtualmin Feature Status

Available features Mail for domain, BIND DNS domain, Apache website, Webalizer reporting, SSL website, Log file rotation, MySQL database, Webmin login

Disabled features PostgreSQL database, ProFTPd server
Disk quotas Not active on home directories filesystem.
Mail server Sendmail

My problems may be due to ProFTPd server being disabled...how do I turn this on to verify?

S

Thu, 01/25/2007 - 14:28
Joe

Actually, it's probably worth mentioning at this point that the default configuration in the ProFTPd package from Fedora Extras, and in the package for most other platforms, is just about perfect for virtual hosting right out of the box.

We don't actually do anything to the ProFTPd configuration on most of our supported platforms during installation. We just start it up.

Thu, 01/25/2007 - 14:28
SeanKelly

SWEET

I removed the lines suggested and all is working well now.

Much thanks Joe..really appreciate your help here.

S