ProFTPd hates IE! (and Mozilla, my wife and everything else
Loki3
09-02-2003, 02:40 AM
Okay, this is really starting to piss me off. I'm setting up an ftp server that basically is started from the commandline on demand via me through ssh. It needs to do these things:
1)Allow ftpguest (a user) to upload to /ftproot/upload
2)Allow ftpguest (a user) to download from /ftproot/download
3)Allow ftpadmin (me) to download from either /upload or /download
4)Allow ftpadmin to upload to /ftproot/upload
I basically set this thing up using Hayl's guide. And as soon as I hit the part where I needed to decide who owns the /ftproot and upload directories things started falling apart. Currently /ftproot and all recursive directories are owned by the user nobody and the group ftpusers (consisting of ftpguest and ftpadmin of course). Now here's what pisses me off. Using the commandline program ftp I can ftp in and upload/download files either from inside my network (192.168.1.103) or through my router which is port forwarding. The commandline program seems to work fine. IE and Firebird however flip out like a hippie on lsd at a 4 day long Ben and Jerry's ice cream feed. They both complain that the user is logged in more than once, and only one login is allowed. What is going on here? Errr. Well here's /etc/proftpd.conf:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
#jail all users
DefaultRoot /ftproot
ServerName "Beehatch"
ServerIdent on "This is beehatch, the FTP server. What up?"
ServerType standalone
DeferWelcome off
ShowDotFiles off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
MaxClientsPerHost 1 "Only one login!"
RequireValidShell off
RootLogin off
UseFtpUsers off
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
LsDefaultOptions "-l"
DenyFilter \*.*/
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd off
# Port 21 is the standard FTP port.
Port 21
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
#Stock Config
# Normally, we want files to be overwriteable.
#<Directory /*>
# # Umask 022 is a good standard umask to prevent new files and dirs
# # (second parm) from being group and world writable.
# Umask 022 022
#
# AllowOverwrite on
#</Directory>
#Hayl's config
<Directory />
Umask 022 022
AllowOverwrite off
<Directory />
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
<Directory ~/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
<Directory ~/upload/*>
Umask 022 022
AllowOverwrite on
<Limit MKD XMKD RNRF RNTO DELE RMD XRMD STOR>
AllowAll
</Limit>
</Directory>
sigh...
Any ideas. Help is most welcome.
sharth
09-02-2003, 03:01 AM
try raising or commenting out maxclientsperhost
Loki3
09-02-2003, 03:34 AM
I commented out the MaxClientsPerHost line. That will get IE in, except that apparently IE doesn't request a username or a password. I can only assume that either I've configured proftpd so horribly wrong that it's now accepting anonymous ftp connections or that IE is storing the username/password and automatically using them instead of popping up a login box. This is more or less confirmed by the fact that the commandline ftp program still requests a username and a password.
Now mozilla firebird.... It just sits there when I try to ftp in via the outside IP address after I type in the password. However! ftp://ftpadmin@192.168.1.103 gets me in. That's odd. Maybe my router won't let me loopback in through itself? (192.168.1.105 [Desktop] --> 192.168.1.1 [Router] --> ***.***.***.*** [Outside IP] --> 192.168.1.103 [Server] --> ***.***.***.*** [Outside IP] --> 192.168.1.1 [Router] --> 192.168.1.105 [Desktop]) Sorry if that doesn't make sense but the gist of it is in firebird ftp://ftpadmin@192.168.1.103 works while ftp://ftpadmin@***.***.***.*** doesn't. Odd.
Still haven't figured out how to allow ftpadmin to upload/download to either folder. Thinking maybe a symlink owned only by ftpadmin that links to /upload allowing me to get all the goodies that have been uploaded to me in one fell swoop. Anyways.
Here's the problems as they stand now:
1)Does IE let anonymous access in? (See first paragraph of this post for more info)
2)Get ftpadmin to be able to upload to both the upload and download folders.
3)Why does ftp access via firebird only work through the internal IP address?
4)How the hell do you upload stuff using firebird? Unsupported?
Signing out with no sleep. Appreciate the help.
sharth
09-02-2003, 12:13 PM
#Hayl's config
<Directory />
Umask 022 022
AllowOverwrite off
<Directory />
that is probably screwing things up.
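The doubled <Directory /> that sharth points at is a block-structure problem, so it can be caught mechanically. The Python below is an added example by the editor, not code from any post and not ProFTPD's own parser: it walks a config, pairs every <Section ...> with its </Section>, and reports a block that is reopened while still open or never closed. The sample config is constructed from the block in the first post; only block structure is checked, not directive names or arguments.

```python
import re

# Constructed sample: the <Directory> block from the first post, which opens <Directory />
# twice but closes it once, followed by a correctly balanced block.
SAMPLE_CONF = """\
<Directory />
Umask 022 022
AllowOverwrite off
<Directory />
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
<Directory ~/download/*>
Umask 022 022
AllowOverwrite off
</Directory>
"""

OPEN_RE = re.compile(r"^<([A-Za-z]+)(?:\s+(.*?))?>$")
CLOSE_RE = re.compile(r"^</([A-Za-z]+)>$")


def check_block_nesting(conf_text):
    """Return (line_no, message) pairs for <Section ...> blocks that are unbalanced.

    Only the block structure is checked (open/close pairing, duplicates still open);
    directive names and arguments are not validated against ProFTPD's own grammar.
    """
    stack = []      # open blocks as (name, argument, line_no), innermost last
    problems = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close = CLOSE_RE.match(line)
        if close:
            name = close.group(1)
            if not stack:
                problems.append((line_no, f"</{name}> closes a block that was never opened"))
            elif stack[-1][0].lower() != name.lower():
                open_name, open_arg, open_line = stack.pop()
                problems.append((line_no, f"</{name}> closes <{open_name} {open_arg}> from line {open_line}"))
            else:
                stack.pop()
            continue
        opened = OPEN_RE.match(line)
        if opened:
            name, arg = opened.group(1), (opened.group(2) or "")
            # The same block opened again before its first copy is closed: sharth's finding
            for open_name, open_arg, open_line in stack:
                if (open_name.lower(), open_arg) == (name.lower(), arg):
                    problems.append((line_no, f"<{name} {arg}> reopened while the one from line {open_line} is still open"))
            stack.append((name, arg, line_no))
    for name, arg, open_line in stack:
        problems.append((open_line, f"<{name} {arg}> opened here is never closed"))
    return problems


if __name__ == "__main__":
    for line_no, message in check_block_nesting(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```

Run against the sample it reports line 4 (the second <Directory /> while the first is still open) and line 1 (the first one is never closed), which is exactly the pair of lines sharth quoted.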
freemansweb
09-02-2003, 07:50 PM
I have the same loopback problem using a Linksys router. I can connect using the domain name from outside of my network, but within my network I must use the network IP. Check to see if firebird has a 'passive' setting, if it does change it to the other state and try it. IE has a 'passive' setting in 'Tools/Internet Options/Advanced/Use Passive FTP'.
As far as uploading by ftpadmin try changing your directive to something like:
<Directory ~/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
# AllowUser names a user; the Allow directive takes host or network addresses
AllowUser ftpadmin
</Limit>
</Directory>
Loki3
09-04-2003, 12:15 AM
Well I have a Linksys router as well. The loopback issue is probably related to it for whatever reason.
Firebird doesn't have a passive/active setting as far as I can tell. However it seems to work flawlessly once I use the internal network ip. I still can't figure out how to upload. Netscape used to have an entry in the file menu where you could type in the file you wanted to upload and it would go to it. Not a big deal if firebird can't do this. There are lots of clients out there and so far the commandline one works pretty good for me.
Your configs worked perfectly and things seem to be working fairly well now. The only problem I'm having is if people need to upload and their browsers default to passive mode they're screwed. It seems passive ftp is far more widely used than active. Is there a good way to run proftpd as passive or maybe even as both passive and active (if that's possible). The only command I can find relating to this is the PassivePorts command which specifies which port range passive mode can return on. Using PassivePorts 1024 5000 didn't work with IE set on passive mode though.
If anyone has a proftpd for idiots guide, please feel free to post a link. Thanks for everyone's help.
freemansweb
09-04-2003, 08:01 PM
You may want to check from outside of your network and see if you can connect using passive and not using passive. I've tried and for me it's only an issue when trying to access localhost.
Loki3
09-04-2003, 08:27 PM
Yep. From the outside of the network things connect only in active mode. With the current configs everything works from the internal side. I should clarify that proftpd will need to accept requests from people outside of the internal network. This works if the outside client can use an active/passive option but those that can't (netscape) have problems connecting. Is there a way I can set proftpd up to run in passive mode? Or maybe both active and passive?
Thanks once again.
freemansweb
09-04-2003, 09:19 PM
Without any entries for the passive ports in the conf, and your system setup as DMZ on your router, can you access it from outside your network in both modes?
Loki3
09-04-2003, 10:22 PM
With no entries regarding passive ports in /etc/proftpd.conf, the router forwarding port 21 to the ftp server and IE set to active, yes it can be accessed from outside of the network by someone. I've tested this by asking a friend to login and it works well. I still get the "loopback linksys" error if I try to ftp in using my external IP but as stated that is not a problem considering I can just access the ftp server via the internal IP.
A thought just occurred to me. If active FTP accepts data on port 21 and sends it on 20 do I need to forward port 20 from the router to the ftp server? Wouldn't the returning data be passed through since it's an already approved connection?
Also I'm sorry for how convoluted and confusing my posts are. I'm having a hard time trying to describe the problem and networking is pretty new stuff for me. If you need clarification on any of the stuff I've posted feel free to let me know. Thanks again.
freemansweb
09-05-2003, 01:28 AM
I've just done some testing with mine, I can access from inside the network to the external domain name using passive mode only with the server setup as DMZ. Using the network ip I can access either way. Tomorrow I will re-check both modes using a computer outside of the network and let you know. If this works I'll post my conf and router settings although I really think this is more of a router/firewall and possibly an isp issue rather than a ProFTP conf issue.
freemansweb
09-05-2003, 06:12 PM
I did some testing today from outside my network and using AOL as an ISP, here are the results:
Router port 21 forwarded to the server, no DMZ, FTP client passive: connection fails.
Router port 21 forwarded to the server, no DMZ, FTP client passive not enabled: connection and file transfer ok.
Router port 21 forwarded to the server, DMZ, FTP client passive: connection and file transfer ok.
Router port 21 forwarded to the server, DMZ, FTP client passive not enabled: connection and file transfer ok.
It seems that it is definitely a firewall/ISP issue and that the only controls within ProFTP for a passive client would be limiting the number of ports that it uses, which is preferable to setting the server as a DMZ.
I also checked using IE for FTP and the results were very arbitrary and inconsistent.
Below is my conf, as you can see there are only a few minor changes.
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "FTP Server 1"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
<Global>
RequireValidShell off
</Global>
Loki3
09-07-2003, 03:39 AM
Hmmm. So it basically seems like the best and most consistent solution to this problem would be to run the ftp server as a DMZ computer on the network. I'm not completely sure exactly what this means so I'll need to rustle up the manuals for the router. Will running a machine as a DMZ mean that all incoming internet traffic requesting access will be allowed to go through the router unharmed by the router's firewall? In this case I assume all requests for any ports on that machine will be allowed through. The FTP server is nowhere near that secure currently. I was planning to only forward the FTP port when a friend needed to upload a file and then I'd kill the daemon and the forwarding service. As you can see I have plenty of work to do security wise if I plan on running the FTP server as a DMZ machine.
The other option I can see is to run a different daemon and hope that I might get better results with something like pureftp.
Thanks once again!
freemansweb
09-07-2003, 11:49 AM
Running the server as the DMZ will open all ports to the server and this wouldn't be desirable since it would be very insecure. You have a couple of choices:
1. Use the passive port directive and set it for a low number of ports, then forward only those ports and port 21 to your server. This should allow users to access your server using passive mode and maintain some security.
2. Forward only port 21.
Your users can download one of many free ftp clients to access your server for uploads, most of these will have many more options for connection and are very easy to use.
It's very likely that you'll have the same problem with other servers, but it's worth a try. I have both a Linux ProFTP and Windows FTP server and this issue exists with both.
If downloads are a concern, use a web server, with that users can access the files for download. Also, there are several scripts you can run on a web server that allow uploading of files.
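The earlier question about whether port 20 needs forwarding and the PassivePorts advice in this reply both come down to which side opens the data connection in each FTP mode. The Python below is an added worked example by the editor, not code from any post and not part of ProFTPD: it decodes the PASV reply and PORT command formats from RFC 959, lists the inbound ports a router must forward for each mode, and checks a passive reply against the thread's PassivePorts 1024 1025. The addresses and replies are constructed; 203.0.113.10 is a placeholder for the router's public address. One caveat the thread never reaches: a server behind NAT puts its private LAN address in the 227 reply unless it is told its public one (ProFTPD's MasqueradeAddress directive, which none of the configs here use), and the check flags that case as well.

```python
import re

# Constructed values, not from a real session: the private address is the one in the
# thread, the public one is a placeholder from the documentation range.
PASSIVE_PORTS = (1024, 1025)        # the thread's "PassivePorts 1024 1025"
SERVER_PRIVATE_IP = "192.168.1.103"
SERVER_PUBLIC_IP = "203.0.113.10"   # placeholder for the router's outside address

# RFC 959 encodes an endpoint as h1,h2,h3,h4,p1,p2: four IPv4 octets, then port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def decode_endpoint(fields):
    """Turn the six decimal fields of a PASV reply or PORT command into (ip, port)."""
    values = [int(f) for f in fields]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("each field must be a single byte")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply):
    """Server -> client: where the client must connect for a passive-mode transfer."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return decode_endpoint(m.groups())


def parse_port_command(command):
    """Client -> server: where the server connects (from port 20) for an active-mode transfer."""
    m = PORT_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a PORT command: {command!r}")
    return decode_endpoint(m.groups())


def ports_to_forward(mode, passive_ports):
    """Inbound ports the router must forward to the server for the given client mode."""
    if mode == "active":
        # The data connection is opened by the server toward the client, so only the
        # control port needs an inbound rule; port 20 is the server's source port, not a listener.
        return {21}
    if mode == "passive":
        lo, hi = passive_ports
        return {21} | set(range(lo, hi + 1))
    raise ValueError(f"unknown mode {mode!r}")


def check_passive_reply(reply, passive_ports, public_ip):
    """Explain why an outside client could not complete the passive transfer this reply offers."""
    host, port = parse_pasv_reply(reply)
    lo, hi = passive_ports
    findings = []
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside PassivePorts {lo}-{hi}, so the router has no forwarding rule for it")
    if host != public_ip:
        findings.append(f"reply advertises {host}, not the public address {public_ip} the client connected to; an outside client will try the wrong host")
    return findings


if __name__ == "__main__":
    for reply in ("227 Entering Passive Mode (192,168,1,103,4,0).",
                  "227 Entering Passive Mode (203,0,113,10,4,1).",
                  "227 Entering Passive Mode (203,0,113,10,19,137)."):
        print(reply, "->", check_passive_reply(reply, PASSIVE_PORTS, SERVER_PUBLIC_IP) or ["ok"])
    print("active needs", sorted(ports_to_forward("active", PASSIVE_PORTS)))
    print("passive needs", sorted(ports_to_forward("passive", PASSIVE_PORTS)))
```

The first sample reply is what a server at 192.168.1.103 would send by default and fails the address check; the second is in range and advertises the public address, so it passes; the third is what "PassivePorts 1024 5000" could hand out, and port 5001 here shows a port the small forwarding rule would not cover.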
stumbles
09-07-2003, 01:29 PM
With this setup my win2k box can (using IE6) ftp into my linux box and ask for a password during the process.
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>
# Needed for NIS.
PersistentPasswd off
# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
# DefaultRoot /home/foo foo
~
Loki3
09-08-2003, 11:56 PM
Well here's what I've got so far.
1)This isn't a ProFTPd configuration problem
2)Most likely either a routing problem (Linksys router) or the user's client problem (Internet Explorer)
Sound about right to you guys?
I used the PassivePorts tag to set 1024 and 1025 as the port range which passive ftp would use. I can tell ProFTPd is running in passive mode cause a netstat -a shows port 1024 listening. I then forwarded ports 21, 1024, and 1025 through the Linksys router to the ftp server (192.168.1.103). This had no effect on the usage of Internet Explorer 6 in passive mode. IE6 can still use the FTP server in active mode though. I've had other people test the FTP server using older versions of IE and Netscape, with no luck. So I've concluded from looking at my proftpd.conf as well as you guys' working configurations that this can't, no matter what IE tech support or the microserfs say, be a proftpd configuration issue.
Solutions:
1)Have users use a real FTP client.
2)Try a different ftp daemon. (Really Really long shot.)
3)Use a p1 box as a router instead of the Linksys.
Problems:
1)The whole idea of this FTP server was to have a fast convenient place for my friends to upload pictures/word documents/music, etc. so we could replace the lack of file transfer ability when I use linux's version of MSN messenger. The ftp server would also be useful when microsoft kicks us "3rd Party Clients" off their network. I know there are lots of other IM protocols out there that work way better than MSN, but they don't do me much good cause my friends don't use them.
2)This probably won't solve anything cause the issue is more than likely the Linksys router (grrrr.) or Internet Explorer (Double grrrr.).
3)Would probably solve this issue and many others I have on my home lan, but it means more money and time sometime down the road.
Right now, I'm pretty much out of ideas. I suppose I could hack together someway to use file transfer through MSN, but that will only work through Oct or whenever microsoft decides to pull the plug.
Anyways, once again. Big thanks to everyone who has helped.
Lessons to be learned from my mistakes:
1)Anything a boxed router like my Linksys can do Linux on a P1 can do better
2)Anything IE can do, a dog turd can do better.
For everyone's refreshment my proftpd.conf file:
DefaultRoot /ftproot
ServerName "Beehatch"
ServerIdent on "This is beehatch, the FTP server. What up?"
ServerType standalone
DeferWelcome off
ShowDotFiles off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
RequireValidShell off
RootLogin off
UseFtpUsers on
PassivePorts 1024 1025
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
LsDefaultOptions "-l"
DenyFilter \*.*/
#PersistentPasswd off
Port 21
MaxInstances 30
User nobody
Group nogroup
<Directory ~/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
# AllowUser names a user; the Allow directive takes host or network addresses
AllowUser ftpadmin
</Limit>
</Directory>
<Directory ~/upload/*>
Umask 022 022
AllowOverwrite on
<Limit MKD XMKD RNRF RNTO DELE RMD XRMD STOR>
AllowAll
</Limit>
</Directory>
Ugh, well there's my post/rant/cry for help.
Once again, Big thanks to everyone who's helped.
Loki3
09-11-2003, 11:51 PM
YAH! I got another person from an outside IP to get in! Internet Explorer 6 works with this configuration and my linksys! Woohoo! That means that so far IE6 and the command line FTP client both work!
Now to figure out why netscape doesn't...
Peace out.
Loki3
09-14-2003, 12:44 PM
Any other ideas?
EDIT:
Confirmed User-Side Clients That Work:
Internet Explorer 6 (2 confirmations)
FTP CLI Client on Linux (1 Confirmation)
FTP CLI Client on XP Home (1 Confirmation)
Mozilla Firebird (1 Confirmation)
User-side Clients that DO NOT work:
Internet Explorer 5
Netscape 4
Loki3
09-16-2003, 02:26 AM
The current, current update:
Confirmed User-Side Clients That Work:
Internet Explorer 6 (2 confirmations)
FTP CLI Client on Linux (1 Confirmation)
FTP CLI Client on XP Home (1 Confirmation)
Mozilla Firebird (1 Confirmation)
User-side Clients that DO NOT work:
Internet Explorer 5
Netscape 4 (Mac OS __)
Mozilla 5 (Mac OS X)
-------------------------------------------
These have all been tested from computers outside of my network to get around the "Linksys Loopback" problem. I'm currently using the PassivePorts setting to forward the 1024 port for use with Passive mode. Configuration is the same. Here's some interesting stuff from the logs and netstat. As far as I can tell the connection goes like this:
Client makes a request to server, if all goes well it does this:
192.168.1.103:ftp xx.xxx.xxx.xxx:49417 ESTABLISHED
Pulled that line from netstat -a while doing a connection attempt using Mozilla 5. At this point in time netstat also lists 1024 as listening.
Now in my incoming logs on the linksys wonder-router.
xx.xxx.xxx.xxx incoming to 192.168.1.103 21
Looks okay so far right? Wait till it tries to return the favor.
The outgoing logs on my linksys-microserf-windowsXP-compatible-only-router says this:
192.168.1.103 outgoing to xx.xxx.xxx.xxx 113
quickly followed by a
192.168.1.103 outgoing to xx.xxx.xxx.xxx 49417
Hmmm, well that's kind of odd. I tried forwarding 113 and it changed the error message from timeout to permission denied.
Any other ideas?
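To read the router log and netstat lines in this post together, here is an added Python example by the editor (not from the thread, the router, or ProFTPD) that labels log lines shaped like the ones above by their role in an FTP session, using the established sessions netstat reports. The log and netstat samples are constructed, with 203.0.113.77 standing in for the masked client address. An outgoing connection to the client's port 113 has the shape of an ident (RFC 1413) lookup, which ProFTPD performs when IdentLookups is on; that attribution, and reading the outgoing line to the client's own control-connection port as return traffic rather than a new connection, are the example's assumptions and are not stated anywhere in the thread.

```python
import re

# Constructed samples in the shape of the thread's Linksys log and netstat output;
# 203.0.113.77 is a placeholder for the masked client address "xx.xxx.xxx.xxx".
ROUTER_LOG = """\
203.0.113.77 incoming to 192.168.1.103 21
192.168.1.103 outgoing to 203.0.113.77 113
192.168.1.103 outgoing to 203.0.113.77 49417
203.0.113.77 incoming to 192.168.1.103 1024
192.168.1.103 outgoing to 203.0.113.77 49420
"""
NETSTAT = """\
tcp        0      0 192.168.1.103:ftp       203.0.113.77:49417      ESTABLISHED
"""

PASSIVE_PORTS = range(1024, 1026)   # the thread's "PassivePorts 1024 1025"
CONTROL_PORT = 21
IDENT_PORT = 113                    # RFC 1413 ident; ProFTPD queries it when IdentLookups is on

LOG_RE = re.compile(r"^(\S+) (incoming|outgoing) to (\S+) (\d+)$")
NETSTAT_RE = re.compile(r"(\S+):(\S+)\s+(\S+):(\d+)\s+ESTABLISHED")


def established_control_peers(netstat_text):
    """(client_ip, client_port) pairs holding an established session to the FTP control port."""
    peers = set()
    for m in NETSTAT_RE.finditer(netstat_text):
        local_port, peer_ip, peer_port = m.group(2), m.group(3), int(m.group(4))
        if local_port in ("ftp", str(CONTROL_PORT)):
            peers.add((peer_ip, peer_port))
    return peers


def classify(line, control_peers, passive_ports=PASSIVE_PORTS):
    """Label one router log line by its role in an FTP session."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparsed: line does not match the router log format"
    direction, dst, port = m.group(2), m.group(3), int(m.group(4))
    if direction == "incoming":
        if port == CONTROL_PORT:
            return "control: client opening the FTP control connection"
        if port in passive_ports:
            return "passive data: client connecting to a PassivePorts port, which must be forwarded"
        return "unexpected inbound: port is not one forwarded for FTP"
    # Outgoing lines: the server is the one initiating, or the router is logging return traffic
    if port == IDENT_PORT:
        return "ident: server querying the client's port 113 (IdentLookups); if the client silently drops it, login stalls until the lookup times out"
    if (dst, port) in control_peers:
        return "control reply: return traffic on the established control session, not a new connection"
    return "active data: server-initiated data connection to the client's PORT port (from port 20, needs no inbound forwarding)"


def classify_log(log_text, netstat_text):
    """Classify every non-empty log line against the sessions netstat shows."""
    peers = established_control_peers(netstat_text)
    return [(line, classify(line, peers)) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, label in classify_log(ROUTER_LOG, NETSTAT):
        print(f"{line:45} -> {label}")
```

On the constructed sample the three lines matching the post come out as control connection, ident lookup, and return traffic on that same control session; the two extra lines show what a forwarded passive-mode data connection and an active-mode data connection look like in the same log format.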
freemansweb
09-16-2003, 10:58 PM
How are you logging in to your site, with explorer? Are you using:
'ftp://username:password@servername.com'
Loki3
09-16-2003, 11:55 PM
Actually I have not been doing that. I've been using ftp://ftpguest@xx.xxx.xxx.xx. I'll have to report back with the results of ftpguest:password@xx.xxx.xxx.xx.