When posting try giving enough information, this might include but
not be limited to.
You aren't starting ProFTPD as root, or you have inetd configured
to run ProFTPD as a user other than root. The ProFTPD daemon must be
started as root in order to bind to tcp ports lower than 1024, or to
open your shadow password file when authenticating users. The daemon
switches uid/gids to the user and group specified by the User/Group
directives during normal operation, so a "ps" will show it running as
the user you specified.
0.0.0.0 is INADDR_ANY, which means to bind to any interface. The
"address in use" will normally mean that something has already bound
to that address.
Under linux it is possible to run:
fuser -n tcp 21
to get the PID of the process currently bound to port ProFTPD is
configured to run as.
The most common cause is that ProFTPD is configured standalone and
inetd is still configured for port 21. Comment out the line starting
"ftp" in /etc/inetd.conf and restart (killall -HUP inetd or something
similar should do the trick) and try again.
You have ProFTPD configured to run in inetd mode rather than
standalone. In this mode, ProFTPD expects that it will be run from the
inetd super-server, which implies that stdin/stdout will be sockets
instead of terminals. As a result, socket operations will fail and the
above error will be printed. If you wish to run ProFTPD from the
shell, in standalone mode, you'll need to modify your proftpd.conf
configuration file and add or edit the ServerType directive to read:
ServerType standalone
The hosting machine has a poorly configured hostname setup to the
point where the resolver library cannot determine the IP from the
name. Solutions include, fixing the DNS for the domain, fixing the
hostname, fixing the /etc/hosts file. Which one works for you will
largely depend on your OS and exactly what is wrong.
Yup. Although ProFTPD has built-in IP access control (see the Deny
and Allow directives), many admins choose to consolidate IP access
control in one place via in.tcpd. Just configure ProFTPD to run from
inetd as any other tcp-wrapper wrapped daemon and add the
appropriate lines to hosts.allow/deny files.
If running ProFTPD in standalone mode, mod_wrap can be used to direct the
server to use the normal hosts.allow/deny files.
Yes. Use a <VirtualHost> block with your machine's FQDN
(Fully Qualified Domain Name) or IP address, and a Port directive
inside the <VirtualHost> block. For example, if your host is
named "myhost.mydomain.com" and you want to run an additional FTP
server on port 2001, you would:
...
<VirtualHost myhost.mydomain.com>
Port 2001
...
</VirtualHost>
Yes the mod_ratio module provides for doing just this.
The ratio directives take four numbers: file ratio, initial file
credit, byte ratio, and initial byte credit. Setting either ratio
to 0 disables that check.
The directives are HostRatio (matches FQDN, wildcards allowed),
AnonRatio (matches password entered at login), UserRatio (accepts "*"
for "any user"), and GroupRatio.
Ratios on # enable module
UserRatio ftp 0 0 0 0
HostRatio master.debian.org 0 0 0 0 # leech access (default)
GroupRatio proftpd 100 10 5 100000 # 100:1 files, 10 file cred 5:1 bytes, 100k byte cred
AnonRatio billg@microsoft.com 1 0 1 0 # 1:1 ratio, no credits
UserRatio * 5 5 5 50000 # special default case
This example is for someone who (1) has downloaded 1 file of 82k,
(2) has uploaded nothing, (3) has a ratio of 5:1 files and 5:1
bytes, (4) has 4 files and 17k credit remaining, and (5) is now
changing directory to /art/nudes/young/carla. The initial credit,
not shown, was 5 files and 100k (UserRatio * 5 5 5 100000).
Version 2.0 and above of this module integrate with mod_sql.
It appears that the ratio limits in mod_ratio are only maintained
on a per session basis and there is no ongoing tracking of usage.
This is probably caused by a firewall or DNS timeout. By default
ProFTPD will try to do both DNS and ident lookups against the incoming
connection. If these are blocked or excessively delayed a slower than
normal login will result. To turn off DNS and ident use:
UseReverseDNS off
IdentLookups off
IdentLookups and tcpwrappers
***
Oct 7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
The above log extract is likely to be caused by a local monitoring
system or a particularly aggressive DoS attack. Most service
monitoring systems try opening the ftp port on the target server to
detect whether it is active and running. Most of the time these tests
are followed by an immediate "QUIT" or disconnection.
TCPdump/TCPshow on the server in question should show which machine
on your network is is generating these connections.
The ftpwho command lists the state of each ftp connection to the
server and what it's current activity is. However this does not
detail the connection information on a virtual by virtual basis.
Check for /etc/shutmsg and delete it.
ftpshut, allows the server to disallow connections with a message
without actually taking down the service. The shutdown can be
scheduled for a point in the future or right now, existing connections
can be allowed to finish, or be terminated now. Re-enabling is done
by removing the /etc/shutmsg file.
No, the shutmsg file works at a daemon level not at a virtual host
level.
This appears to be a general catch all error code meaning "something
nasty has gone wrong".
Connection has timed out
The DefaultRoot specified doesn't exist
The parent server has been killed
Check /etc/services
Wrong permissions on the DefaultRoot
You get the idea...
Two possible reasons, first that it's simply not running, try
proftpd -n -d2 to run in debug mode and see what happens. The other
is that it's running from inetd and there are no active sessions at
the moment.
A bug was introduced in 1.2.0rc2 which prevented the PORT command
working properly and therefore breaking the data socket under certain
conditions. The bug was documented as bug 240 and has been fixed in
CVS. A rc3 release is due before the end of Jan 2001.
Proftpd was unable to work out what IP is associated with the
hostname in the VirtualHost block. Normally caused by a problem
with the DNS resolution of the host, check the resolv.conf file
and that your chosen nameservers are functional.
AllowStoreRestart is disabled by default because it will allow any
writable file to be corrupted by a malicious user. It is recommended
that this option is only used with authenticated users and then only
in certain directories.
As mentioned in the description of the HiddenStor configuration directive,
use of that directive is incompatible with the FTP command REST. Either
disable use of REST with the AllowRetrieveRestart and AllowStoreRestart
directives, or do not use HiddenStor.
Make sure that ReverseDNS is disabled, turn off ident lookups.
Additionally check the size of your /etc/passwd (or shadow) file, if
it is large then the only solution may be to move to another
authentication scheme.
There appear to be some problems with both the use of sendfile()
in ProFTPD and with the implementation within certain operating systems.
Short answer, no. Longer answer is no, but you can minimise the
effects. The cleanest approach on servers which have significant
amounts of traffic appears to be to use ftpshut to block new
connections and terminate existing ones after a pre-determined time
period and then to upgrade and restart. This approach limits the
number of downloads which are terminated part way through.
The default ProFTPD configuration file uses the user "nouser" and
the group "nogroup", some systems / distributions do not have the
group "nogroup" defined. The solution is to either add the group
"nogroup" to /etc/groups or to change the "nogroup" entry in the
proftpd.conf to a group which does exist.
The setting of the group privileges for a process uses the setgroups(2)
system call. This call will fail with the above error message for
one of two reasons: there is a negative GID value for one of the
groups, or the maximum number of groups for a single user has been
exceeded.
Ideally, all IDs, both UID and GID, will be positive. Unfortunately,
it is common on many systems to use -1 or -2, especially for such
users as 'nobody', or group 'nogroup'. Use of these values uses C's
treatment of data types to make the actual numeric value very high;
some functions, like setgroups(), do not like this, though. In
general, always use positive ID numbers.
The other limitation is the number of supplemental groups for a user
(eg non-primary groups, the ones configured in /etc/group). The
maximum number of supplemental groups to which a user may belong
is defined by the operating system constant NGROUPS_MAX. On
some operating systems, such as Solaris, this limitation may be
tunable.
Some other applications may not encounter this error if they use the
initgroups(3) function, which reads the /etc/group file for a user's
supplemental group memberships, and sets those groups. This function,
however, silently ignores any supplemental groups for user greater than
NGROUPS_MAX, unlike setgroups(2), which complains.
If this is the cause of your error message, any solution will most
likely involve reducing the number of groups your users are members of,
or tuning the NGROUPS_MAX value, if your operating system allows it.
PAM(exit): Permission denied
open_module: stat(/usr/lib/security/pam_unix.so.1) failed: No such file or directory
load_modules: can not open module /usr/lib/security/pam_unix.so.1
PAM(exit): Dlopen failure.
These messages appear when the DefaultRoot configuration directive is
in effect. This directive causes a user to be confined using the
chroot(2) system call. This call, however, affects other system
utilities, such as PAM. In this case, PAM's configuration is causing
the PAM library to attempt to open PAM modules using a path that is
no longer valid, thus the errors. This happens on logout because the
chroot has already happened by that point; on login, the PAM modules
are successfully found and loaded before the chroot, so no errors.
These are merely cosmetic reporting errors, and do not really affect
the functionality or security of the server.