# Proftpd refusing connections

## jeezus84

Hi everybody,

I'm trying to set up a ProFTP server to share my music and such. So here's the scoop, I installed the server, configured it, tried to connect to it, and I get this message:

```
    SmartFTP v1.5.990.19
    Resolving host name "<my domain>"
    Connecting to <my domain> Port: 2121
    Connected to <my domain>.
220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [192.168.1.103]
    USER anonymous
331 Anonymous login ok, send your complete email address as your password.
    PASS (hidden)
230 Anonymous access granted, restrictions apply.
    SYST
215 UNIX Type: L8
    FEAT
211-Features:
 MDTM
 REST STREAM
 SIZE
211 End
    PWD
257 "/" is current directory.
    TYPE I
200 Type set to I
    PASV
227 Entering Passive Mode (192,168,1,103,128,113).
    Opening data connection to 192.168.1.103 Port: 32881
    LIST -aL
    No connection could be made because the target machine actively refused it.
    Timeout (40s).
    Active Help: http://www.smartftp.com/support/kb/index.php/74
    Client closed the connection.
    Automatic failover of data connection mode from "Passive Mode (PASV)" to "Active Mode (PORT)".
```

In the router I have port 2121 forwarded to the server computer (192.168.1.103). I had to use port 2121 because my bastard ISP blocks incoming on port 21.

Here is my proftpd.conf file:

```
underMyDesk jeezus84 # cat /etc/proftpd/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName          "ProFTPD Default Installation"
ServerType          standalone
DefaultServer       on
RequireValidShell   off
AuthPAM             off
AuthPAMConfig       ftp

# Port 21 is the standard FTP port.
Port                            2121

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            proftpd
Group                           ftp

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp
  MaxClients                    5
  DisplayLogin                  welcome.msg

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    Deny from all
  </Limit>
</Anonymous>
underMyDesk jeezus84 #
```

So what am I doing wrong? I noticed it's trying to use port 32881 when it changes to Active Mode. So, I'm lost. help meee please.

----------

## Quincy

Perhaps select passive mode in your client?

----------

## UberLord

You'll also need to set a passive port range in your config and forward those ports from the router to the server.

Also, if you use TLS/SSL you need to specify the public IP address in the config file too.

----------

## jeezus84

Okay, I've set up PassivePorts in the config file to use port 51000 to 51999 as passive. I also forwarded these ports in the router to the server computer.

I still only get this far when trying to log into the FTP server:

```
    SmartFTP v1.5.990.19
    Resolving host name "<my domain>"
    Connecting to <my ip> Port: 2121
    Connected to <my domain>.
220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [192.168.1.103]
    USER anonymous
331 Anonymous login ok, send your complete email address as your password.
    PASS (hidden)
230 Anonymous access granted, restrictions apply.
    SYST
215 UNIX Type: L8
    FEAT
211-Features:
 MDTM
 REST STREAM
 SIZE
211 End
    PWD
257 "/" is current directory.
    TYPE I
200 Type set to I
    PASV
227 Entering Passive Mode (192,168,1,103,199,176).
    Opening data connection to 192.168.1.103 Port: 51120
    LIST -aL
    No connection could be made because the target machine actively refused it.
```

Here is my proftpd.conf file:

```
underMyDesk jeezus84 # cat /etc/proftpd/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName          "ProFTPD Default Installation"
ServerType          standalone
DefaultServer       on
RequireValidShell   off
AuthPAM             off
AuthPAMConfig       ftp

# Port 21 is the standard FTP port.
Port                            2121
PassivePorts                    51000 51999

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            proftpd
Group                           ftp

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp
  MaxClients                    5
  DisplayLogin                  welcome.msg

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    Deny from all
  </Limit>
</Anonymous>
underMyDesk jeezus84 #
```

When the error message refers to "target machine", are they referring to my FTP server or the client trying to log in?

----------

## Quincy

I think the client tries to connect to the local IP of your server. The setup of your NAT seems to fail at some stage.

What kind of router do you use? Is it able to be aware of ftp connections?

----------

## jeezus84

My router is a Linksys WRT54G running the Sveasoft Alchemy firmware. I do not understand the NAT stuff that you speak of. As for being aware of FTP connections, I am unaware.

In my Proftpd config I have passive ports set to 51000 to 51999. In the router I have set up port triggering for 51000 to 51999. My router also forwards port 2121 to my ftp server computer (192.168.1.103).

Here is my latest proftpd.conf file:

```
jeezus84@underMyDesk ~ $ cat /etc/proftpd/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName          "ProFTPD Default Installation"
ServerType          standalone
DefaultServer       on
RequireValidShell   off
AuthPAM             off
AuthPAMConfig       ftp

# Port 21 is the standard FTP port.
Port                            2121
PassivePorts                    51000 51999
SocketOptions rcvbuf            8192
SocketOptions sndbuf            8192
CommandBufferSize               512
tcpBackLog                      5
tcpNoDelay                      on
TransferRate                    APPE,STOR 12000
TransferRate                    RETR 12000

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            proftpd
Group                           ftp

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous /home/ftp>
  User                          ftp
  Group                         ftp
  MaxClients                    5
  DisplayLogin                  welcome.msg

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  <Limit LOGIN>
        Allow All
  </Limit>

  <Limit ALL>
        Deny All
  </Limit>

  <Limit PWD CWD LIST RETR PASV>
        Allow All
  </Limit>
</Anonymous>
jeezus84@underMyDesk ~ $
```

----------

## Quincy

If your client is outside your local network (router between the two networks), then the client shouldn't see the local IP address of your FTP server (192.168.1.103). The router has to masquerade these packets with the external IP address. The FTP server inside the LAN always answers with its LAN address, but while travelling through the router this should be changed. Perhaps it's a problem because you are not using the standard FTP port 21.

I'm sorry, but I'm not familiar with this kind of router, but it should masquerade every outgoing package, because there is no chance for packets starting with 192.168.x.x travelling through the internet.

----------

## duhblow7

```
MasqueradeAddress       66.66.66.66
```

where 66.66.66.66 is your WAN IP, as shown on www.whatismyip.com.

Does this help?

----------
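The two `227` replies in the session logs above can be decoded and checked mechanically. The following is an added example, not code from any poster in this thread: it parses a PASV reply, computes the data port as `p1*256 + p2`, and reports when the advertised address is a LAN address the client cannot reach or when the port falls outside the forwarded `PassivePorts` range. The `WAN_IP` value is a constructed placeholder (the thread hides the real address), and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 959 reply format: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 1918 ranges, listed explicitly because ipaddress.is_private also
# covers documentation ranges such as the placeholder used below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError(f"field out of range: {reply!r}")
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]  # port = p1*256 + p2


def diagnose(reply, control_ip, passive_ports):
    """Return findings explaining why the advertised data endpoint may be unreachable."""
    ip, port = parse_pasv(reply)
    control = ipaddress.IPv4Address(control_ip)
    findings = []
    if ip != control and any(ip in net for net in RFC1918):
        findings.append(f"reply advertises LAN address {ip}, client reached {control}: "
                        "server needs MasqueradeAddress set to the WAN IP")
    low, high = passive_ports
    if not low <= port <= high:
        findings.append(f"port {port} is outside the forwarded range {low}-{high}: "
                        "PassivePorts is missing or does not match the router")
    return findings


if __name__ == "__main__":
    WAN_IP = "203.0.113.10"  # constructed placeholder; the thread hides the real address
    for line in ("227 Entering Passive Mode (192,168,1,103,128,113).",   # first session
                 "227 Entering Passive Mode (192,168,1,103,199,176)."):  # second session
        print(parse_pasv(line), diagnose(line, WAN_IP, (51000, 51999)))
```

The first reply yields both findings (port 32881, LAN address); the second, taken after `PassivePorts` was set, yields only the address finding, which is the part `MasqueradeAddress` addresses.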

## nitr0

I am pretty sure that's a firewall setting problem. Did you try to connect to your ftp server from outside your network?

Because from the output you give that was a local connection (because of the 192.xx.xxx. address). What is the output?

Tracking FTP connections is problematic, so some routers have problems with that. For example in the Linux kernel you have to build a special module for FTP protocol if you want to use it with NAT.

----------

