无法以 PASV 模式连接到 ProFTPd

tag-icon tag-icon firewall ftp
无法以 PASV 模式连接到 ProFTPd

我已经在 Ubuntu 18.04 中安装了 ProFTPd

它已经工作了好几个月了。现在由于某些原因,它不再与我的 Go Client 配合使用。

如果我想连接 Filezilla,只要我以主动模式连接它就可以工作。

这很奇怪,因为在 AWS 中,我的 Go 客户端正在运行,运行在我的 Kubernetes 集群中,但这不是本地的。

我在本地也遇到了这个问题,我localhost通过更改解决了它127.0.0.1,但我不确定它为什么起作用。

但是我尝试对远程服务器进行同样的事情,通过 IP 更改 ftp.domain.com,但没有效果。

AWS 安全组对所有端口、所有 IP 开放,并且 ufw 处于非活动状态,因此不应该存在防火墙问题。

另外,我没有使用 TLS,而是使用普通的 FTP。我的所有文件都已加密。

这是proftpd.conf配置文件

# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
# 

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6             on
# If set on you can experience a longer connection delay in many cases.
IdentLookups            off

ServerName          "FTP"
# Set to inetd only if you would run proftpd by inetd/xinetd.
# Read README.Debian for more information on proper configuration.
ServerType              standalone
DeferWelcome            off

MultilineRFC2228        on
DefaultServer           on
ShowSymlinks            on

TimeoutNoTransfer       600
TimeoutStalled          600
TimeoutIdle         1200

DisplayLogin                    welcome.msg
DisplayChdir                .message true
ListOptions                 "-l"

DenyFilter          \*.*/

# Use this to jail all users in their homes 
DefaultRoot         ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell       off

# Port 21 is the standard FTP port.
Port                21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress     1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances            30

# Set the user and group that the server normally runs at.
User                proftpd
Group               nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask               022  022
# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd      off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder         mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile           off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime.  If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default. 
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User                ftp
#   Group               nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias           anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell       off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients          10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin            welcome.msg
#   DisplayChdir        .message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask               022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>

# Include other custom configuration files
Include /etc/proftpd/conf.d/

另外,我可以检查netstat -nlpute | grep 21FTP 是否正在监听端口 21:

tcp6       0      0 :::21                   :::*                    LISTEN      113        46129898    28696/proftpd: (acc

我尝试加载模块:

sudo /sbin/modprobe ip_conntrack_ftp

按照一些页面的建议,重新启动了 ftp,但没有效果

更新:

切换到4G连接后,我的问题发生了变化:

Status: Resolving address of localhost
Status: Connecting to [::1]:21...
Status: Connection established, waiting for welcome message...
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful
Status: Disconnected from server
Status: Resolving address of ftp.xxxx.fr
Status: Connecting to xxxxxxx:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Type set to I
Command:    PASV
Error:  Could not read from socket: ECONNRESET - Connection reset by peer
Error:  Disconnected from server
Error:  Failed to retrieve directory listing
Status: Disconnected from server
Status: Resolving address of ftp.xxx.fr
Status: Connecting to xxxxxx:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Type set to I
Command:    PASV
Error:  Could not read from socket: ECONNRESET - Connection reset by peer
Error:  Disconnected from server
Error:  Failed to retrieve directory listing

当我选择主动传输模式时它仍然有效。

当我做 :

proftpd -vv

我得到:

2020-08-21 06:48:41,796 ip-172-31-45-72 proftpd[29875]: warning: unknown/unsupported LANG environment variable 'en_US.UTF-8', ignoring
2020-08-21 06:48:41,799 ip-172-31-45-72 proftpd[29875]: mod_ctrls/0.9.5: unable to open ControlsLog '/var/log/proftpd/controls.log': Permission denied
2020-08-21 06:48:41,799 ip-172-31-45-72 proftpd[29875]: fatal: ControlsLog: unable to open '/var/log/proftpd/controls.log': No such file or directory on line 122 of '/etc/proftpd/proftpd.conf'

我认为他们都无法解决我的问题。

最后,检查日志,重置连接后,我得到:

2020-08-21 06:55:57,273 ip-172-31-45-72 proftpd[29943] ip-172-31-45-72.eu-west-3.compute.internal (my ip.rev.sfr.net[my ip]): FTP session opened.
2020-08-21 06:55:57,429 ip-172-31-45-72 proftpd[29943] ip-172-31-45-72.eu-west-3.compute.internal (my ip.rev.sfr.net[my ip]): USER sgsource: Login successful.
2020-08-21 06:55:57,613 ip-172-31-45-72 proftpd[29943] ip-172-31-45-72.eu-west-3.compute.internal (my ip.rev.sfr.net[93.23.197.105]): FTP session closed.
2020-08-21 06:55:57,816 ip-172-31-45-72 proftpd[29959] ip-172-31-45-72.eu-west-3.compute.internal (my ip.rev.sfr.net[my ip]): FTP session opened.
2020-08-21 06:55:57,965 ip-172-31-45-72 proftpd[29959] ip-172-31-45-72.eu-west-3.compute.internal (my ip.rev.sfr.net[my ip]): USER sgsource: Login successful.
2020-08-21 06:55:58,190 ip-172-31-45-72 proftpd[29959] ip-172-31-45-72.eu-west-3.compute.internal (my ip.rev.sfr.net[my ip]): FTP session closed.

当我通过 SSH 连接到我的 ftp 服务器,并使用以下命令在 localhost 中连接 ftp 时:

ftp localhost

我输入我的登录名/密码,然后:

quote PASV
ls

我可以看到我的文件列表,所以它起作用了。

我仍然不明白发生了什么以及我应该怎么做才能解决它。

任何帮助将不胜感激 !

相关内容