# how to make proftpd use hosts.allow/deny files?

## r0ck80y

Just set up a proftpd server and it's working fine. When I try to limit certain IPs from accessing the server, things don't work the way I want. Here's my proftpd.conf file:

```
# This is a basic ProFTPD configuration file (rename it to

# 'proftpd.conf' for actual use. It establishes a single server

# and a single anonymous login. It assumes that you have a user/group

# "nobody" and "ftp" for normal operation and anonymous access.

ServerName                      "R0ck80y ProFTPD Server"

ServerType                      standalone

DefaultServer                   on

RequireValidShell               off

AuthPAM                         off

AuthPAMConfig                   ftp

# Port 21 is the standard FTP port.

Port                            21

# Do not perform ident nor DNS lookups (hangs when the port is filtered)

IdentLookups                    on

UseReverseDNS                   on

# User access settings

<Limit LOGIN>

        Order  Allow,Deny

        Allow  10.5., 10.1., 10.2.

        Deny   All

</Limit>

MaxLoginAttempts                3

MaxClientsPerHost               1

TimeoutLogin                    15

TimeoutNoTransfer               30

TimeoutIdle                     30

# Umask 022 is a good standard umask to prevent new dirs and files

# from being group and world writable.

Umask                           022

# To prevent DoS attacks, set the maximum number of child processes

# to 30. If you need to allow more than 30 concurrent connections

# at once, simply increase this value. Note that this ONLY works

# in standalone mode, in inetd mode you should use an inetd server

# that allows you to limit the maximum number of processes per service

# (such as xinetd).

MaxInstances            5

# Set the user and group under which the server will run.

User                            fender

Group                           fender

# Log format and location

LogFormat               default "%t %h %a %s %m %f %b %T \"%r\""

ExtendedLog             /var/log/proftpd ALL default

SystemLog               /var/log/proftpd ALL default

TransferLog             /var/log/proftpd ALL default

#--------------------My Settings -------------------------------------------#

# grant login only for members of the group

<Limit LOGIN>

DenyGroup !fender !ftp

</Limit>

# alternatively u can write this to deny all users to access ftp. You can then

# enable user-specific settings and 'AllowALL' there.

#<Limit LOGIN>

#   DenyALL

#</Limit>

# Normally, we want files to be overwriteable.

<Directory />

        AllowOverwrite          on

</Directory>

#----------------Settings for 'fender' start here---------------------------#

# A basic anonymous configuration, with no upload directories.

<Anonymous /var/ftp>

#        <Limit LOGIN>

#             Allow ALL

#        </Limit>

User                            fender

Group                           fender

AnonRequirePassword             on

# Limit the maximum number of anonymous logins.

MaxClients      3 "The server is full, hosting %m users"

# We want clients to be able to login with "anonymous" as well as "ftp".

#UserAlias                      fender ftp

DefaultChdir                  /var/ftp

# We want 'welcome.msg' displayed at login, and '.message' displayed

# in each newly chdired directory.

DisplayLogin                    welcome.msg

<Limit ALL>

        Deny ALL

</Limit>

# Hide all files owned by user 'root'

#HideUser         root

# Disallow clients from any access to hidden files.

<Limit READ DIRS>

IgnoreHidden         on

</Limit>

# Allow clients to do the options listed with Limit (obtained from net and

# gproftpd conf file)

<Limit LIST NLST  RETR  PWD XPWD  SIZE  STAT  CWD XCWD  CDUP XCUP >

        AllowAll

</Limit>

# Deny clients to do the options as listed with Limit (obtained from net and

# gproftpd conf file)

<Limit STOR STOU  APPE  RNFR RNTO  DELE  MKD XMKD SITE_MKDIR  RMD XRMD SITE_RMDIR  SITE  SITE_CHMOD  SITE_CHGRP  MTDM >

        DenyAll

</Limit>

# Limit WRITE everywhere in the anonymous chroot.

<Limit WRITE>

        DenyAll

</Limit>

# Uploading permissions

# <Directory /var/ftp/upload_here>

#       Umask   022  022

#    <Limit MKD STOR STOU>

#          Allow   All

#    </Limit>

# </Directory>

</Anonymous>

#---------------Settings for 'fender' end here -----------------------------#
```

I want the server to use the settings in the hosts.allow and hosts.deny files to give access to IPs. These settings are:

1) for /etc/hosts.allow

```

ALL: 10.1. 10.2. 10.3. 10.4. 10.5. 10.6. 10.7. 10.8. 10.9. 10.10. 10.11. 10.12. 10.13. 10.21. 10.22. 10.129.
```

2) for /etc/hosts.deny

```

ALL: ALL
```

Also the following section in proftpd.conf file:

```

# User access settings

<Limit LOGIN>

        Order  Allow,Deny

        Allow  10.5., 10.1., 10.2.

        Deny   All

</Limit>
```

actually disallows all IPs from connecting. If I write 10.5.1.1 or 10.1.1.10 etc., only these IPs get access. How can I enable proftpd to use the hosts.allow/deny files? Is there anything wrong with my config? A li'l help will be much appreciated  :Smile:

----------

## di1bert

Your config file looks alright. Perhaps just double check you built it with TCP wrappers support

```

equery u proftpd

```

You're looking for the tcpd flag and that it's enabled....

HTH

-m

----------

## r0ck80y

yup the tcpd flag is enabled

```
[ Found these USE variables for net-ftp/proftpd-1.3.1_rc2-r1 ]
 U I
 - - acl          : Adds support for Access Control Lists
 - - authfile     : Enable support for auth-file module
 - - clamav       : Adds support for Clam AntiVirus software (usually with a plugin)
 - - hardened     : activate default security enhancements for toolchain (gcc, glibc, binutils)
 - - ifsession    : Enable support for the ifsession module
 + + ipv6         : Adds support for IP version 6
 + + ldap         : Adds LDAP support (Lightweight Directory Access Protocol)
 + + mysql        : Adds mySQL Database support
 + + ncurses      : Adds ncurses support (console display library)
 + + nls          : Adds Native Language Support (using gettext - GNU locale utilities)
 - - noauthunix   : Disable support for auth-unix module
 - - opensslcrypt : Enable support for openssly crypto
 + + pam          : Adds support PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - postgres     : Adds support for the postgresql database
 - - radius       : Adds support for RADIUS authentication
 - - rewrite      : Enable support for rewrite module
 - - selinux      : !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
 - - shaper       : Enable support for the mod_shaper
 - - sitemisc     : Enable support for sitemisc module
 - - softquota    : Enable support for the mod_quotatab
 + + ssl          : Adds support for Secure Socket Layer connections
 + + tcpd         : Adds support for TCP wrappers
 - - vroot        : Enable support for virtual root module
 - - xinetd       : Add support for the xinetd super-server

----------

## di1bert

Are you running Proftpd as a standalone server or from x/inetd? I saw this in a FAQ recently....

> Just configure proftpd to run from inetd as any other tcp-wrapper wrapped daemon does:
>
> ftp stream tcp nowait root in.tcpd in.proftpd
> ...

which might explain why it's not working...

-m

----------

## r0ck80y

hmm!! Well that seems possible. The gentoo wiki on proftpd says:

```
 Xinetd can also control host access and much more
```

So I unmerge proftpd and reinstall it with the xinetd USE flag. I open the /etc/xinetd.d/proftpd file and change "disable=yes" to "disable=no". I restart proftpd. A new set of error messages   :Mad:

```
R0ck80y xinetd.d # proftpd -c /etc/proftpd/proftpd.conf

R0ck80y - getnameinfo error: ai_family not supported

R0ck80y - fatal: Socket operation on non-socket

```

 Dunno what this means!!

----------

## di1bert

You won't run proftpd manually. You'll need to start xinetd and make sure it starts up alright.

Xinetd will then run proftpd when you connect to the FTP port. You'll also need to ensure that you have the option to use x/inetd in your proftpd.conf file (not sure what it is offhand).

That should take care of it...

-m

----------

## r0ck80y

Ya, the "inetd" option is enabled. But now I am not able to connect at all!! Or rather, I get disconnected after connecting:

```
Looking up 10.5.2.26

Trying 10.5.2.26:21

Connected to 10.5.2.26:21

Disconnecting from site 10.5.2.26

Waiting 30 seconds until trying to connect again

Operation canceled
```

Tried by removing/keeping hosts.allow/deny files, removing/keeping the user access settings in my proftpd.conf file...but same thing  :Sad: 

What am I doing wrong here?

----------

## di1bert

That looks like it's connecting but disconnecting again because of a failed username and password.

What FTP client are you using when connecting ?

Also, check /var/log/messages as it should give you a reason for failure there.

-m

----------

## r0ck80y

Username/pass is okay... I was able to connect in standalone mode.

I tried with both gftp and kftpgrabber.

Here are a few relevant lines from /var/log/messages:

```

Jun 12 16:57:07 R0ck80y xinetd[6299]: xinetd Version 2.3.14 started with libwrap loadavg options compiled in.

Jun 12 16:57:07 R0ck80y xinetd[6299]: Started working: 1 available service

Jun 12 16:57:14 R0ck80y xinetd[6299]: START: ftp pid=6302 from=10.5.2.26

Jun 12 16:57:14 R0ck80y xinetd[6302]: FAIL: ftp address from=10.5.2.26

Jun 12 16:59:47 R0ck80y xinetd[6299]: START: ftp pid=6308 from=10.12.224.19

Jun 12 16:59:47 R0ck80y xinetd[6308]: FAIL: ftp address from=10.12.224.19

Jun 12 17:00:01 R0ck80y cron[6310]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Jun 12 17:00:01 R0ck80y cron[6312]: (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)

Jun 12 17:00:17 R0ck80y xinetd[6299]: START: ftp pid=6323 from=10.12.224.19

Jun 12 17:00:17 R0ck80y xinetd[6323]: FAIL: ftp address from=10.12.224.19

Jun 12 17:00:47 R0ck80y xinetd[6299]: START: ftp pid=6324 from=10.12.224.19

Jun 12 17:00:47 R0ck80y xinetd[6324]: FAIL: ftp address from=10.12.224.19

Jun 12 17:01:17 R0ck80y xinetd[6299]: START: ftp pid=6326 from=10.12.224.19

Jun 12 17:01:17 R0ck80y xinetd[6326]: FAIL: ftp address from=10.12.224.19

Jun 12 17:01:47 R0ck80y xinetd[6299]: START: ftp pid=6327 from=10.12.224.19

Jun 12 17:01:47 R0ck80y xinetd[6327]: FAIL: ftp address from=10.12.224.19

Jun 12 17:02:17 R0ck80y xinetd[6299]: START: ftp pid=6328 from=10.12.224.19

Jun 12 17:02:17 R0ck80y xinetd[6328]: FAIL: ftp address from=10.12.224.19

Jun 12 17:02:47 R0ck80y xinetd[6299]: START: ftp pid=6330 from=10.12.224.19

Jun 12 17:02:47 R0ck80y xinetd[6330]: FAIL: ftp address from=10.12.224.19

Jun 12 17:03:17 R0ck80y xinetd[6299]: START: ftp pid=6331 from=10.12.224.19

Jun 12 17:03:17 R0ck80y xinetd[6331]: FAIL: ftp address from=10.12.224.19

Jun 12 17:03:47 R0ck80y xinetd[6299]: START: ftp pid=6333 from=10.12.224.19

Jun 12 17:03:47 R0ck80y xinetd[6333]: FAIL: ftp address from=10.12.224.19

Jun 12 17:03:48 R0ck80y xinetd[6299]: Exiting...

............

...........

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/chargen-dgram [file=/etc/xinetd.conf] [line=49]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/chargen-stream [file=/etc/xinetd.d/chargen-stream] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/cups-lpd [file=/etc/xinetd.d/cups-lpd] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/daytime-dgram [file=/etc/xinetd.d/daytime-dgram] [line=12]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/daytime-stream [file=/etc/xinetd.d/daytime-stream] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/discard-dgram [file=/etc/xinetd.d/discard-dgram] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/discard-stream [file=/etc/xinetd.d/discard-stream] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/echo-dgram [file=/etc/xinetd.d/echo-dgram] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/echo-stream [file=/etc/xinetd.d/echo-stream] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/ftp-sensor [file=/etc/xinetd.d/ftp-sensor] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/proftpd [file=/etc/xinetd.d/proftpd] [line=70]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/rexec [file=/etc/xinetd.d/rexec] [line=15]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/rlogin [file=/etc/xinetd.d/rlogin] [line=12]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/rsh [file=/etc/xinetd.d/rsh] [line=12]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/tcpmux-server [file=/etc/xinetd.d/tcpmux-server] [line=12]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/time-dgram [file=/etc/xinetd.d/time-dgram] [line=68]

Jun 12 17:03:51 R0ck80y xinetd[6416]: Reading included configuration file: /etc/xinetd.d/time-stream [file=/etc/xinetd.d/time-stream] [line=67]

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing chargen

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing chargen

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing printer

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing daytime

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing daytime

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing discard

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing discard

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing echo

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing echo

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing exec

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing login

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing shell

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing tcpmux

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing time

Jun 12 17:03:51 R0ck80y xinetd[6416]: removing time

Jun 12 17:03:51 R0ck80y xinetd[6416]: bind failed (Address already in use (errno = 98)). service = ftp

Jun 12 17:03:51 R0ck80y xinetd[6416]: Service ftp failed to start and is deactivated.

Jun 12 17:03:51 R0ck80y xinetd[6416]: xinetd Version 2.3.14 started with libwrap loadavg options compiled in.

Jun 12 17:03:51 R0ck80y xinetd[6416]: Started working: 1 available service

Jun 12 17:03:57 R0ck80y xinetd[6416]: 6416 {process_sensor} Adding 10.5.2.26 to the global_no_access list for 120 minutes

Jun 12 17:03:57 R0ck80y xinetd[6416]: FAIL: ftp-sensor address from=10.5.2.26

```

I tried by setting "disable=no" in /etc/xinetd.d/ftp-sensor...still same connection problem.  :Sad: 
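
Added example (not part of the original posts): a Python triage of xinetd syslog lines like the ones above, grouping `FAIL` entries by their reason token and pulling out sensor lockouts and bind errors. The log lines are copied from the excerpt except the last, which is constructed; the mapping of `address` to xinetd's own `only_from`/`no_access` check and of `libwrap` to hosts.allow/hosts.deny is an assumption about xinetd's reason strings.

```python
import re
from collections import Counter

# Lines copied from the thread's /var/log/messages excerpt, except the last
# one, which is constructed here to show a TCP-wrappers rejection for contrast.
SAMPLE_LOG = """\
Jun 12 16:57:14 R0ck80y xinetd[6299]: START: ftp pid=6302 from=10.5.2.26
Jun 12 16:57:14 R0ck80y xinetd[6302]: FAIL: ftp address from=10.5.2.26
Jun 12 16:59:47 R0ck80y xinetd[6308]: FAIL: ftp address from=10.12.224.19
Jun 12 17:00:17 R0ck80y xinetd[6323]: FAIL: ftp address from=10.12.224.19
Jun 12 17:03:51 R0ck80y xinetd[6416]: bind failed (Address already in use (errno = 98)). service = ftp
Jun 12 17:03:57 R0ck80y xinetd[6416]: 6416 {process_sensor} Adding 10.5.2.26 to the global_no_access list for 120 minutes
Jun 12 17:03:57 R0ck80y xinetd[6416]: FAIL: ftp-sensor address from=10.5.2.26
Jun 12 17:05:00 R0ck80y xinetd[6416]: FAIL: ftp libwrap from=192.0.2.10
"""

FAIL_RE = re.compile(
    r"xinetd\[\d+\]: FAIL: (?P<svc>\S+) (?P<reason>.+?) from=(?P<src>\S+)")
SENSOR_RE = re.compile(
    r"Adding (?P<src>\S+) to the global_no_access list for (?P<mins>\d+) minutes")
BIND_RE = re.compile(r"bind failed \((?P<err>.+)\)\. service = (?P<svc>\S+)")

# Assumption: which access-control layer each reason token points at.
LAYER = {
    "address": "xinetd only_from/no_access",
    "libwrap": "TCP wrappers (hosts.allow/hosts.deny)",
}


def triage(log_text):
    """Collect rejected connections, sensor lockouts and bind errors."""
    report = {"failures": Counter(), "lockouts": {}, "bind_failures": []}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            report["failures"][(m["svc"], m["reason"], m["src"])] += 1
            continue
        m = SENSOR_RE.search(line)
        if m:
            # A tripped SENSOR service denies the source on every service
            # until deny_time expires (see the ftp-sensor file's comments).
            report["lockouts"][m["src"]] = int(m["mins"])
            continue
        m = BIND_RE.search(line)
        if m:
            # The port was already bound when xinetd tried to claim it.
            report["bind_failures"].append(m["svc"])
    return report


def rejections_by_layer(report):
    """Count rejections per access-control layer; unmapped reasons pass through."""
    layers = Counter()
    for (_svc, reason, _src), count in report["failures"].items():
        layers[LAYER.get(reason, "other: " + reason)] += count
    return layers


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for (svc, reason, src), count in sorted(rep["failures"].items()):
        print(f"{count:3d}  {src:15s} {svc:12s} {reason}")
    for src, mins in rep["lockouts"].items():
        print(f"sensor lockout: {src} for {mins} minutes")
    for svc in rep["bind_failures"]:
        print(f"bind failure on service: {svc}")
    for layer, count in rejections_by_layer(rep).items():
        print(f"{count:3d} rejected by {layer}")
```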

----------

## di1bert

Looks like there is already something listening on that port. Perhaps stop any other FTP services (old proftpd service) and try again ?

-m

----------

## r0ck80y

That shouldn't be the case coz this is the first time I am running a server on Gentoo. Just rebooted and started xinetd again (manually). Here's what "ps -e" shows:

```
 PID TTY          TIME CMD

    1 ?        00:00:00 init

    2 ?        00:00:00 migration/0

    3 ?        00:00:00 ksoftirqd/0

    4 ?        00:00:00 watchdog/0

    5 ?        00:00:00 events/0

    6 ?        00:00:00 khelper

    7 ?        00:00:00 kthread

  102 ?        00:00:00 kblockd/0

  103 ?        00:00:00 kacpid

  192 ?        00:00:00 ata/0

  193 ?        00:00:00 ata_aux

  194 ?        00:00:00 ksuspend_usbd

  197 ?        00:00:00 khubd

  199 ?        00:00:00 kseriod

  211 ?        00:00:00 khpsbpkt

  231 ?        00:00:00 pdflush

  232 ?        00:00:00 pdflush

  233 ?        00:00:00 kswapd0

  234 ?        00:00:00 aio/0

  235 ?        00:00:00 jfsIO

  236 ?        00:00:00 jfsCommit

  237 ?        00:00:00 jfsSync

  238 ?        00:00:00 xfslogd/0

  239 ?        00:00:00 xfsdatad/0

  911 ?        00:00:00 scsi_eh_0

  912 ?        00:00:00 scsi_eh_1

  966 ?        00:00:00 kpsmoused

  980 ?        00:00:00 kjournald

 1075 ?        00:00:00 udevd

 2304 ?        00:00:00 kjournald

 3949 ?        00:00:00 syslog-ng

 4624 ?        00:00:00 cron

 4691 tty1     00:00:00 login

 4694 tty2     00:00:00 agetty

 4695 tty3     00:00:00 agetty

 4696 tty4     00:00:00 agetty

 4697 tty5     00:00:00 agetty

 4698 tty6     00:00:00 agetty

 4709 tty1     00:00:00 bash

 4720 tty1     00:00:00 startx

 4736 tty1     00:00:00 xinit

 4737 tty7     00:00:00 X

 4744 tty1     00:00:00 fluxbox

 4747 ?        00:00:00 gftp-gtk

 4749 ?        00:00:00 xterm

 4751 pts/0    00:00:00 bash

 4755 pts/0    00:00:00 su

 4758 pts/0    00:00:00 bash

 4811 ?        00:00:00 xinetd

 4819 pts/0    00:00:00 ps
```

Any ideas what's happening?

----------

## di1bert

Not really. Perhaps try running 

```
netstat -nat | grep -i list
```

to see what's listening on TCP ports on your server. Also, if you have any FTP clients that may still be connected, kill them as they will keep the old daemon running.

Failing that do the old fashioned Microsoft thing and reboot   :Wink: 

From what I can see your configuration is right in both proftpd.conf and in your xinetd configuration.

-m

----------

## r0ck80y

```
R0ck80y pwawag # netstat -nat | grep -i list

tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      

```

Tell me there's still hope   :Confused:   :Very Happy: 

----------

## di1bert

That tells me there is still something listening on that port. As far as I can remember there shouldn't be anything listening as xinetd manages all of this, however I could be wrong as it's been a while since I've used xinetd.

Run 

```
netstat -natp | grep -i list
```

and you'll get the PID and service that's listening on that port. Try killing that and restarting xinetd to see if you still get the error.

-m

----------

## r0ck80y

okay.....

```
R0ck80y pwawag # netstat -natp | grep -i list

tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4811/xinetd
```

Then I kill 4811... now connect to server..

```
Looking up 10.5.2.26

Trying 10.5.2.26:21

Cannot connect to 10.5.2.26: Connection refused
```

Strange !!

----------

## di1bert

Sorry, it was xinetd listening on port 21 so you should be able to connect to the FTP service. You will need to restart xinetd though as you killed it.

Give it a restart and try your FTP login again....

-m

----------

## r0ck80y

After killing xinetd, I do:

```
R0ck80y pwawag # /etc/init.d/xinetd start

 * WARNING:  xinetd has already been started.
```

What tha..?? I connect to server with gftp and it says connection refused (meaning server not running). How can xinetd be running if I killed it now?? I stop xinetd and start again... same error about connecting and then disconnecting.   :Confused:   :Confused: 

----------

## di1bert

It's started but because we killed it, it didn't shut down cleanly. Do the following and it should come up again...

```
/etc/init.d/xinetd zap
```

```
/etc/init.d/xinetd start
```

If your FTP service still doesn't allow you in then it might be a config problem in xinetd.d for proftpd.

Let's get it up and running again, try and connect and if that fails, post your xinetd config for proftpd.

I might take a while to reply as I have a flight back home in a couple of hours....

-m

----------

## r0ck80y

/etc/xinetd.d/proftpd:

```
#

# ProFTPd FTP daemon - http://www.proftpd.org

#

service ftp

{

       flags            = REUSE

       socket_type      = stream

       instances        = 5

       wait             = no

       user             = root

       server           = /usr/sbin/proftpd

       log_on_success   = HOST PID

       log_on_failure   = HOST

       disable          = no

}

```

/etc/xinetd.d/ftp-sensor

```
# This is an example sensor running on the ftp port. Xinetd sensors are

# a form of intrusion detection aimed at locating hosts that are trying

# to access an unadvertised service. Once tripped, they are denied

# access to everything until the deny_time expires.

service ftp

{

# This is for quick on or off of the service

        disable         = yes

# The next attributes are mandatory for all services

        id              = ftp-sensor

        type            = INTERNAL

        wait            = no

        socket_type     = stream

#       protocol        =  socket type is usually enough

# External services must fill out the following

#       user            =

#       group           =

#       server          =

#       server_args     =

# External services not listed in /etc/services must fill out the next one

#       port            =

# RPC based services must fill out these

#       rpc_version     =

#       rpc_number      =

# Logging options

#       log_type        =

#       log_on_success  =

#       log_on_failure  =

# Networking options

        flags           = SENSOR

#       bind            =

#       redirect        =

#       v6only          =

# Access restrictions

#       only_from       =

#       no_access       =

#       access_times    =

#       cps             = 50 10

#       instances       = UNLIMITED

#       per_source      = UNLIMITED

#       max_load        = 0

        deny_time       = 120

#       mdns            = yes

# Environmental options

#       env             =

#       passenv         =

#       nice            = 0

#       umask           = 022

#       groups          = yes

#       rlimit_as       =

#       rlimit_cpu      =

#       rlimit_data     =

#       rlimit_rss      =

#       rlimit_stack    =

# Banner options. (Banners aren't normally used)

#       banner          =

#       banner_success  =

#       banner_fail     =

}

```

P.S. Thanx a lot for the prompt replies and all the help  :Smile: 

----------

## di1bert

Finally...home..

Anyhoo..

Your setup looks right to me. What happens when you try and connect now with it running from xinetd?

I did take a look at the Gentoo Wiki entry and it all looks good. Perhaps there is something else that's breaking it?

-m

----------

## r0ck80y

Hi dilbert, 

sorry to bother u again   :Smile: 

Tinkered with the /etc/xinetd.d/proftpd file as seen below:

```
# ProFTPd FTP daemon - http://www.proftpd.org

#

service ftp

{

       flags            = REUSE

       socket_type      = stream

       instances        = 5

       wait             = no

       user             = fender

       server           = /usr/sbin/proftpd

       log_on_success   = HOST PID

       log_on_failure   = HOST 

       disable          = no

       #bind            = localhost (or my_ip)

       only_from   = 0.0.0.0/0

       #And from two remote locations

       #only_from   = 10.1.1.2 sampleconfig.com

       #allow from anywhere

       #only_from   = 10.5.2.26

}
```

Also tinkered with proftpd.conf file...no luck (connects then disconnects)

A new set of errors on /var/log/messages:

```
Jun 13 01:52:35 R0ck80y xinetd[9008]: xinetd Version 2.3.14 started with libwrap loadavg options compiled in.

Jun 13 01:52:35 R0ck80y xinetd[9008]: Started working: 1 available service

Jun 13 01:52:39 R0ck80y proftpd[9012]: notice: unable to bind to Unix domain socket at '/var/run/proftpd/test.sock': Permission denied

Jun 13 01:52:39 R0ck80y proftpd[9012]: notice: unable to listen to local socket: Operation not permitted

Jun 13 01:52:39 R0ck80y proftpd[9012]: Fatal: SystemLog: unable to redirect logging to '/var/log/proftpd': Permission denied on line 44 of '/etc/proftpd/proftpd.conf' ([i]this line is in the logs format section[/i])

Jun 13 01:52:39 R0ck80y xinetd[9008]: START: ftp pid=9012 from=10.5.2.26

Jun 13 01:52:55 R0ck80y proftpd[9014]: notice: unable to bind to Unix domain socket at '/var/run/proftpd/test.sock': Permission denied

Jun 13 01:52:55 R0ck80y proftpd[9014]: notice: unable to listen to local socket: Operation not permitted

Jun 13 01:52:55 R0ck80y proftpd[9014]: Fatal: SystemLog: unable to redirect logging to '/var/log/proftpd': Permission denied on line 44 of '/etc/proftpd/proftpd.conf'
```

Just googled the error messages on "messages" file. Found these links:

http://www.macsat.com/forum/index.php?PHPSESSID=84356c2fbbe48ee598f73d5e9ce626f8&topic=46.msg332#msg332

http://bbs.archlinux.org/viewtopic.php?pid=233427

It's all Greek to me.. may be irrelevant also. Hope u get a clue.

----------

## di1bert

The reason for this is because you're trying to run the service as fender. It's giving you an Operation not permitted error because normal users aren't allowed to bind applications or services to ports below 1024.

Change the user back to root and restart xinetd.

What happens then when you try and login? I think we should get Proftpd starting up fine before we tinker with access control. Trim out all the unnecessary stuff from your config and just get Proftpd starting and we'll take it from there.

-m

----------

## r0ck80y

Yipee!! Looks like it's done!!

Changed the user to root in xinetd. Now the hosts.allow/deny files are being read to grant server access. Here's what the /etc/xinetd.d/proftpd file looks like.

```

#

# ProFTPd FTP daemon - http://www.proftpd.org

#

service ftp

{

       flags            = REUSE

       socket_type      = stream

       instances        = 5

       wait             = no

       user             = root

       server           = /usr/sbin/proftpd

       log_on_success   = HOST PID

       log_on_failure   = HOST

       disable          = no

       only_from        = 0.0.0.0/0

}
```

The "only_from" line has to be added. Only then does it read the long list of IPs from the hosts.allow file and grant user access. The user access section in proftpd.conf file

```
# User access settings

<Limit LOGIN>

        Order  Allow,Deny

        Allow  10.5., 10.1., 10.2.

        Deny   All

</Limit> 
```

has been removed, leaving rest of the settings in that file untouched.

Also 

```
IdentLookups    off

UseReverseDNS   off

```

I still remember someone doing this in standalone mode. He had set the above two options "on". 

Anyway, this feels good now. Thanx dilbert! We had a good chat. 

Cheers to our success *clink*  :Razz: 
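
Added example (not from the original posts, and not libwrap's own code): a Python evaluation of the hosts_access(5) decision order applied to the two files from this thread. The first match in hosts.allow grants, otherwise the first match in hosts.deny refuses, otherwise access is granted. It handles IPv4 only and covers `ALL`, exact addresses, trailing-dot prefixes and net/mask patterns; hostnames, `EXCEPT` and the other wildcards are left out, the daemon name `proftpd` is an assumption, and client addresses other than 10.5.2.26 and 10.12.224.19 are constructed.

```python
import ipaddress

# The two rule files as posted in the thread.
HOSTS_ALLOW = ("ALL: 10.1. 10.2. 10.3. 10.4. 10.5. 10.6. 10.7. 10.8. 10.9. "
               "10.10. 10.11. 10.12. 10.13. 10.21. 10.22. 10.129.\n")
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into list pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # Prefix form: whole leading octets must match, so "10.1." does not
        # cover 10.12.224.19 or 10.100.0.1.
        return addr.startswith(pattern)
    if "/" in pattern:
        try:
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
        return ipaddress.ip_address(addr) in net
    return pattern == addr


def first_match(rules, daemon, addr):
    """True if any rule names the daemon (or ALL) and matches the client."""
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(p, addr) for p in clients):
                return True
    return False


def decide(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return (granted, deciding_file) following the hosts_access order."""
    if first_match(parse_rules(allow), daemon, addr):
        return True, "hosts.allow"
    if first_match(parse_rules(deny), daemon, addr):
        return False, "hosts.deny"
    return True, "default"


if __name__ == "__main__":
    # "proftpd" as the daemon name is an assumption; the posted rules use ALL.
    for client in ("10.5.2.26", "10.12.224.19", "10.100.0.1", "192.0.2.10"):
        granted, source = decide("proftpd", client)
        print(f"{client:15s} {'grant' if granted else 'deny':5s} via {source}")
```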

----------

## di1bert

Huzzah   :Very Happy: 

Glad to be of assistance...

-m

----------

## r0ck80y

Okay... the same problem happening. But this time the server seems to be looking for proftpd-rc2. Just now I updated to proftpd-rc2-r2. Why is this happening? How can it use the new proftpd?

----------

