Plesk 12.x / Linux :: Firewall Enabled - FTP Stopped Working In Passive Mode
Aug 19, 2014
I am running Plesk 12 on CentOS 6.5.
I have Plesk Firewall Installed.
After the Plesk Firewall was enabled the FTP Stopped working in passive Mode.
I searched the net and found the following :
In /etc/sysconfig/iptables-config, change the line with IPTABLES_MODULES to:
Code:
IPTABLES_MODULES="ip_conntrack_ftp"
It started working.
I changed the default FTP port from proftpd.conf
Code:
port 2392
and /etc/services
Code:
ftp 2392/tcp
ftp 2392/udp fsp fspd
I allowed the new port in Plesk Firewall for incoming connections and disabled port 21.
Now I am not able to connect to the FTP; I get the following error. Have I missed anything?
Code:
Response:257 "/" is the current directory
Command:TYPE I
Response:200 Type set to I
Command:PASV
Response:227 Entering Passive Mode (85,25,51,34,216,46).
Command:MLSD
Error:Connection timed out
Error:Failed to retrieve directory listing
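The 227 reply in the log above names the data port the client connects to next. The following added example (not part of the original post) decodes that reply and checks the port against a ProFTPD PassivePorts range and the firewall's allowed ranges; the PASV lines come from the log above, while the configuration text and firewall ranges are constructed assumptions.

```python
import re

# Six comma-separated numbers in a 227 reply: h1,h2,h3,h4,p1,p2 (RFC 959).
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# PASV lines copied from the log above; conf and firewall ranges are constructed.
SAMPLE_LOG = """Command:PASV
Response:227 Entering Passive Mode (85,25,51,34,216,46).
Command:MLSD
Error:Connection timed out"""
SAMPLE_CONF = "Port 2392\nPassivePorts 49152 65534  # constructed example\n"
SAMPLE_FW_RANGES = [(2392, 2392)]  # assumption: only the control port is opened

def parse_pasv(line):
    """Return (ip, data_port) announced in a 227 reply, or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_passive_ports(conf_text):
    """Return (low, high) from a ProFTPD 'PassivePorts low high' line, or None."""
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) == 3 and words[0].lower() == "passiveports":
            return int(words[1]), int(words[2])
    return None

def diagnose(client_log, conf_text, fw_ranges):
    """Report, per PASV reply, whether the data port is configured and allowed."""
    conf = parse_passive_ports(conf_text)
    findings = []
    for line in client_log.splitlines():
        endpoint = parse_pasv(line)
        if endpoint is None:
            continue
        ip, port = endpoint
        findings.append({
            "ip": ip,
            "port": port,
            "in_passiveports": conf is not None and conf[0] <= port <= conf[1],
            "fw_allowed": any(lo <= port <= hi for lo, hi in fw_ranges),
        })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_CONF, SAMPLE_FW_RANGES):
        print(finding)
```

A data port reported with `fw_allowed` false is reachable only if an FTP connection-tracking helper is following the control channel or an explicit rule opens the PassivePorts range.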
After some recent updates (currently running 12.0.18 Update #19), a problem appeared with connecting to FTP for passive mode users:
Connect ok!
"/" is the current directory
Get directory
227 Entering Passive Mode
550 Access is denied.
Server logs: /var/log/messages
Oct 14 12:11:26 host xinetd[3692]: START: ftp pid=2709 from=::ffff:xxx.xxx.xxx.xxx
Oct 14 12:11:26 host proftpd[2709]: processing configuration directory '/etc/proftpd.d'
Oct 14 12:11:26 host proftpd[2709]: yyy.yyy.yyy.yyy (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
But: /var/log/secure:
Oct 14 12:11:26 host proftpd: PAM unable to dlopen(/lib64/security/pam_stack.so): /lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
Oct 14 12:11:26 host proftpd: PAM adding faulty module: /lib64/security/pam_stack.so
Oct 14 12:11:26 host proftpd: pam_listfile(proftpd:auth): Couldn't open /etc/ftpusers
Oct 14 12:11:26 host proftpd[2709]: yyy.yyy.yyy.yyy (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - USER client: Login successful.
ad1: yes, I do have passive ports configured in /etc/proftpd.conf and the FW is properly configured
ad2: everything was fine until recent updates
ad3: this is happening for passive users only
ad4: we are experiencing this issue across all Plesk instances [6x] on CentOS 6.5 with 12.0.18 Update #19
For some reason, Plesk is blocking incoming port 25 (Plesk shows it as open, but it's not). My emails are delivered through port 25; after doing some tests (I've sent some emails to an email account hosted on the server) there was no email in the Roundcube inbox! All emails were blocked...
a) The firewall was blocking port 25 on server restart.
b) I have successfully unblocked it from Plesk manager -> Tools -> Edit/Change -> even though I didn't change anything, I saved the "changes" and received all the test emails in my Roundcube inbox.
c) In /var/log/maillog there is no error.
2. Passive FTP gets blocked in the same way; to successfully connect FireFTP in passive mode I need to repeat the 1.b steps, even though I've created a special rule to prevent the blocking, opening ports 49152-65534, and set PassivePorts 49152 65534 in /etc/proftpd.conf
The issue appears randomly, because in the last 5 days I didn't restart the server, and the last time I checked it worked. Today, without touching anything, the firewall blocked my passive FTP and I had problems receiving emails from Gmail, Yahoo etc...
After upgrading to Plesk 12 the FTP connection has become very slow. Mod Security, Fail2Ban and Plesk Firewall have been enabled, the security is set to force sFTP and maximum security, and in /etc/proftpd.d/ a conf file has been added to set the passive ports that have been opened in the Plesk Firewall (60000 to 62000).
Turning off the Mod Security does not solve the slow connection.
What can we do to detect the cause of the problem?
I enabled the Plesk firewall for my IP and now I can't seem to retrieve the directory listing. I've done the same with SSH and that works fine.
Response:230 User logged in
Command:OPTS UTF8 ON
Response:200 UTF8 set to on
Status:Connected
Status:Retrieving directory listing...
Command:PWD
Response:257 "/" is the current directory
Command:TYPE I
Response:200 Type set to I
Command:PASV
Response:227 Entering Passive Mode
Command:MLSD
Error:Connection timed out
Error:Failed to retrieve directory listing
On one of our Plesk servers (Plesk 12.0.18 Update 34 on Debian 7.6) the scheduled backup stopped working. Scheduled Backup is active in Backup Manager, but it's not executed.
Automatic Parallels Plesk. 12.0.18 has stopped working but no solution from plesk yet? I think every user has the same problem. Many people asked the same question but no solution/answer from plesk.
I am getting this error after installing the AfterLogic WebMail Pro_7 app on a domain.
I removed the app but AfterLogic still appears in the list of available Webmail options. I am getting the error even after changing all my domains to use Roundcube.
backup_info_1406131330.xml: Line 423 error: Element 'external-webmail': This element is not expected.
My backups since the day I installed that app are no longer valid.
I've not been able to start Plesk, although web and mail services are running. I'm getting the error "unable to execute php_handlers_control". I've patched and updated Plesk with the command line and bootstrap repair, and I'm getting these errors:
Errors occured in mail restore procedure
Some utilities have exited with errors:
/usr/lib64/plesk-9.0/mail_auth_dump
/usr/lib64/plesk-9.0/mail_responder_restore
In plesk I have set the ssh rule to allow from source, deny others and added my IP. However, if I connect my PC to my work VPN, I can still login via ssh, even when I am on a different IP as the allowed IP
I temporarily enabled and activated Plesk firewall module (which I wish I didn't the first time) and for some reason it seems to have overwritten the default iptables configuration that was set, leaving my ftp unable to be logged into. I tried to disable the firewall module and reboot the server. It didn't work.
I also noticed that it somehow seems to have changed my hostname to my previous server hostname as well.
Is there any way to completely revert back to original iptables settings before enabling the Firewall module?
When I deny all other traffic for the "System policy for incoming traffic" to secure the server by only allowing the explicit ports I've requested to open, my server stops operating correctly.
It appears when I set the "System policy for incoming traffic" to deny, it appears to be disrupting various functions such as web traffic over ports 80/443, FTP, SSH, they either work extremely slow or don't work at all.
I brought this up with my Plesk license provider and they stated that the Plesk firewall doesn't add any tracking for ephemeral ports, therefore if you set the policy to drop for incoming/outgoing, it's not going to allow proper TCP communication since the return socket can't be opened. Also that the firewall is an explicit deny system rather than explicit allow based system.
Am I doing something wrong? All I want to do is to block all ports other than the ones I've set to allow. Is this how it is supposed to work?
After the Plesk panel upgrade to 12.x, webadmin stopped working. It's showing the following error:
Code:
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. review the following URL and make sure that it is spelled correctly.
I'm running a Win2003 dedicated server with IIS and Plesk v9. While trying to configure my FTP ports I found out that my host has a basic (free) hardware firewall on my main/shared IP with ports 2000-2015 reserved for passive FTP connections. I asked them if they could change the ports to match the default ones, but to customize hardware firewall settings I'm required to upgrade to a paid solution.
I again tried to approach the problem by trying to get IIS to conform to the host's ports. However after some research I found that the default MSFTP range is 1025-5000 while custom values have to be between 5001-65535. My host recommends I upgrade to a personal hardware firewall or make do with a software firewall. Other than dropping the firewall is there nothing I can do here?
I've thought of serving FTP on a dedicated IP (which would be exempted from the hardware firewall) but when I tried to set it up I got a directory permission error during connection attempts. I may be mistaken but this appears to be an issue with Plesk not liking to serve a website's HTTP and FTP on separate IPs. Is solving this problem my best bet?
Do you still have to add each port individually to Server 2008's Firewall like we did on Server 2003?
If so, will the guides that were put out for 2003 work on 2008's? I want to be sure before putting all these ports in....if I can just specify a range instead, it would be much easier!
When trying to add several user accounts to our mail domain using the CLI, we have a problem enabling the antivirus. We add users with the following CLI command; the antivirus flag is set.
Code:
/usr/local/psa/bin/mail --create mail@mail.box -mailbox true -antivirus inout -passwd yourpassword -cp-access true
But when we go to the web interface and select the newly created user, the antivirus is still disabled for him and has to be enabled manually. Is this a known problem? Or is there any other way to automatically enable antivirus than using the "-antivirus" flag? Because we're talking about more than 100 users, it would take a lot of time enabling the AV manually for each of them. We're running 12.0.18 Update Nr. 29
The FTP on my VPS running CentOS 6.6 and Plesk 12.0.18 Update #44 has stopped allowing FTP connections via FileZilla or Dreamweaver. My tech knowledge of server management outside of the GUI is minimal, but I have done the following. Checked that the firewall is allowing FTP traffic through the GUI in Plesk.
Restarted xinetd and checked status:
Code:
[root@367549 ~]# service xinetd status
xinetd (pid 11707) is running...
[root@367549 ~]# lsof -i tcp:21
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 11707 root 5u IPv6 682472 0t0 TCP *:ftp (LISTEN)
Then tried the following:
Code:
[root@367549 ~]# ftp localhost
-bash: ftp: command not found
But I can connect via telnet on port 21.
When trying to use Dreamweaver or FileZilla I get the following.
This may be due to one or more of the following reasons:
- The network cable is unplugged or the network is down. Please verify that the network cable is connected and that the network is up.
- The FTP server is down. Please verify that you can connect to the FTP server using another FTP program.
- The FTP host name is incorrect. Please verify that the host name is correct in the Site definition dialog box.
- Accessing the server requires proxy settings that aren't properly set. Please verify that the proxy settings in the Site category of the Preferences dialog box are properly set, and that the Use Proxy option in the Site definition dialog box is selected.
- You may need to connect to the server using a different port than the one provided. Please specify the correct port in the box provided.
Error: The data connection could not be established: ETIMEDOUT - Connection attempt timed out
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listin.
What to do, and why, after no change, has this just stopped working when I've been using FTP on this server previously? The company that I brought the VPS from has no interest and tells me it's unmanaged.
I've this terrible problem: on my site I start a script that executes a batch process that imports a lot of products (texts and images) into the MySQL database. I'm monitoring the query process from phpMyAdmin > Status and I notice that after some minutes the number of queries decreases from ~900 to ~30, which means that the script has stopped! Then I check the error_log and in fact there's this error:
[Thu Oct 02 17:09:34 2014] [warn] [client xxx.xxx.xxx.xxx] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Thu Oct 02 17:09:34 2014] [error] [client xxx.xxx.xxx.xxx] Premature end of script headers: insert_products.php
I just installed Nginx. It seems it works well, but watchdog reports it as "stopped". I restarted watchdog several times, and it always says the service has stopped. What shall I do to make watchdog see Nginx as a working service?
Following this KB [URL] ...., I can confirm that the command "/usr/local/psa/admin/sbin/nginxmng -s" returns "Enabled".
I enabled rkhunter in Plesk 12 to check the system weekly. I get a warning now, which I never got in older versions of Plesk:
The current hash function (/usr/bin/sha1sum) or package manager (DPKG) is incompatible with the hash function (Unset) or package manager (Unset) used to store the values. Debian 7.6 x64
Is it not possible to change to 24-hour clock mode in Plesk 12? The scheduled backups start incorrectly, because Plesk 12 is running in 12-hour mode. The language in Plesk is German.
I run a small website on a dedicated unmanaged server with cPanel. About a month ago, I stopped getting the daily mails from addresses that are located on the server...
Also, when I attempted to send mail to one of these addresses I never received it...
It's a RHEL 3 server with cPanel; is there anything I can do to see where the problem is?