[SOLVED] FTP access denied

[Brent502]

The NAS4Free FTP server have subnet 10.0.254.X. Clients from 10.0.254.X can FTP into it, but from other subnet can not..
FTP configure to access CIFS share /mnt/ds2. Host allow/Host deny = empty
Here is a the screenshot of FTP logs
Any idea?

N4F_ftp_log_e.jpg

[alexey123]

Idea?
In first, for local network add to /etc/host.allow line

Code: Select all

ALL : ALL  : allow

In second - this not help me organize access from internet to ftp folders. I think - this is router problem, but I don't know how to repair.

[Brent502]

The /etc/host.allow already have
ALL : ALL : allow

I don't think it's a router problem. I have a system running FileZilla Server in 10.0.254.X and clients from different subnet were able FTP into it..I was going to replace the FileZilla server with this NAS4Free FTP but run into this problem..

[alexey123]

You right, this is wrapper problems
I want attach to LAB server from my home some little program.
What I have?
1. Advanced|File Editor - not working, it can not load some files.

2. ProFTPd - not working, mod_wrap denied access. Temporary solved by adding to /etc/hosts my remote IP. But this task for router, for his DHCP server, NAS4Free must ask from DHCP and dynamically add IPs names to /etc/host.

3. SSHd - also not working. Also some wrapper. I'm dumb, I threw SSH port to another server today, and climb the password from the main. And I do not understand why the server did not banned me.
I can only write in a firewall rule - add deny ip from any to any But the files will be carefully preserved

[alexey123]

If you have full version, you can edit /etc/rc.d/proftpd file and give to work FTP access
Find string

Code: Select all

proftpd_modwrap_enable=${proftpd_modwrap_enable:-"YES"}

and replace to NO.
____________________________________________________________________________________________________________________________
for embedded version need some as install packages

Code: Select all

mkdir -p /mnt/data/opt/etc_rcd
mount_unionfs /mnt/data/opt/etc_rcd /etc/rc.d

And edit string into file /etc/rc.d/proftpd

Code: Select all

proftpd_modwrap_enable=${proftpd_modwrap_enable:-"YES"}

replace to NO.
After check how it work ( save and restart ftp ) - add startup postinit script /any/place/postinit.sh
cat /any/place/postinit.sh

Code: Select all

#!/bin/sh
mount_unionfs /mnt/data/opt/etc_rcd /etc/rc.d
/etc/rc.d/proftpd restart

chmod 755 /any/place/postinit.sh

[Brent502]

Thanks! I have the embedded version running on USB stick. I will try it tomorrow and see.

[daoyama]

I can't confirm this. My server accepts connections, and can deny by /etc/host.allow.

ftpd: IPADDR : deny

proftpd_modwrap_enable=${proftpd_modwrap_enable:-"YES"}

You don't need edit this.
Just add the value to System|Advanced|rc.conf.

Name: proftpd_modwrap_enable
Value: NO

Then, restart FTP service.

Daisuke Aoyama

[alexey123]

I can't confirm this. My server accepts connections, and can deny by /etc/host.allow.
ftpd: IPADDR : deny

Before the request goes to /etc/hosts.allow, it must pass filter /etc/hosts, is not it? In case connect to FTP from outside my lan, how many hosts I need add to /etc/hosts and /etc/hosts.allow when my clients have dynamic IP? I need add manually all internet hosts to 2 files, and 0.2*$All_Internet_host_count I need add to hosts.deny.

Nas4free have firewall, It work great, why I need use wrapper?

proftpd_modwrap_enable=${proftpd_modwrap_enable:-"YES"}

You don't need edit this.
Just add the value to System|Advanced|rc.conf.

Name: proftpd_modwrap_enable
Value: NO

Then, restart FTP service.

Daisuke Aoyama

Thank you, I check this way.

[daoyama]

I can't confirm this. My server accepts connections, and can deny by /etc/host.allow.
ftpd: IPADDR : deny

Before the request goes to /etc/hosts.allow, it must pass filter /etc/hosts, is not it? In case connect to FTP from outside my lan, how many hosts I need add to /etc/hosts and /etc/hosts.allow when my clients have dynamic IP? I need add manually all internet hosts to 2 files, and 0.2*$All_Internet_host_count I need add to hosts.deny.

I didn't check, but you don't have reverse DNS of IPs ?
I have no additional /etc/hosts entry. It's only three lines. (::1, 127.0.0.1, 192.168.1.4)

You need ALL deny + allowed IPs/Names like this:

ftpd: allowed IPs or Names: allow
ftpd: ALL : deny


My NAS4Free 9.1.0.1.431(local IP 192.168.1.4) is behind NAT router(124.155.XXX.XXX).
My FTP client(local IP 172.18.0.20) connect via NAT router(203.141.148.97).

If no set to /etc/host.allow(ALL:ALL:allow only):
proftpd[5686]: 192.168.1.4 (203.141.148.97[203.141.148.97]) - mod_wrap/1.2.4: using access files: /etc/hosts.allow, /etc/hosts.deny
proftpd[5686]: 192.168.1.4 (203.141.148.97[203.141.148.97]) - mod_wrap/1.2.4: allowed connection from bf-gw.peach.ne.jp


If set to "ftpd: 203.141.148.97: deny" to /etc/host.allow:
proftpd[7387]: 192.168.1.4 (203.141.148.97[203.141.148.97]) - mod_wrap/1.2.4: using access files: /etc/hosts.allow, /etc/hosts.deny
proftpd[7387]: 192.168.1.4 (203.141.148.97[203.141.148.97]) - mod_wrap/1.2.4: refused connection from bf-gw.peach.ne.jp

Daisuke Aoyama

[alexey123]

Dear Aoyama, you right, but if your client from outside have static IP.
If client have dynamic IP from internet provider, all building not work. It only prevents normal operation
I have no problem with FTP inside my LAN, CPU overload during transfer - this is not problem for me.
I have problem, when I want work from my home or from any factory and need access to my files. My boss live in another city, and he also sometimes search on my storage any backup, any manual, any schematics. We have dynamic IPs - providers replace IPs 1/day, and I need manually one time per day input IP/hostnames to /etc/hosts and /etc/hosts.allow? This way not possible.
Wrappers give me security? NO! Against brute force attack I have firewall + ban module for ftp and fail2ban for SSH and web server. They works great.
Plus prevent ban on router's firewall for some IPs and networks.
May be inside big LAN wrappers can help, I don't know, but If I give access to server from WAN - NO, I don't need its.

[daoyama]

Hi,

Dear Aoyama, you right, but if your client from outside have static IP.
If client have dynamic IP from internet provider, all building not work.

This is not true. I have both fixed IP and dynamic IP. I can connect with dynamic IP.
Below log is the log of dynamic IP client.

proftpd[7289]: 192.168.1.4 (210.139.89.108[210.139.89.108]) - mod_wrap/1.2.4: allowed connection from pl364.nas93g.p-tokyo.nttpc.ne.jp

Yes, the server is static IP. But the client have dynamic IP and connect to NAS4Free via the provider.
I have not yet edited /etc/hosts. But I edited /etc/hosts.allow from WebGUI only.
So, I didn't understand why you can't connect.

I have firewall + ban module for ftp and fail2ban for SSH and web server.

Yes, I agree this setting. TCP warpper is one of filter. It can not cover all case.

Daisuke Aoyama

[alexey123]

In first, add to /etc/rc.conf variable proftpd_modwrap_enable="NO" is true. It work. I can repair topic to solved, but I want understanding also
In second, without picture no understand. Network


I use default ftp setting, differences only


What I know?
I know all my network hosts and I can add its to /etc/hosts, /etc/hosts.allow and /etc/hosts.deny. For /etc/hosts I need add ALL LAN hosts for give access over mod_wrap.
To /etc/hosts.allow I define allowed hosts and protocol, to /etc/hosts.deny I define denied protocols for some hosts on my LAN.
For LAN I do it only once and this work great
Algorithm


Now I need define outside hosts. OUPS!!!
I don't know any about outside hosts in case dynamic IP, such hostname or IP. Providers change hostnames, IPs for remote hosts and I can't define it before boss or accountant or any people call to me and say: "I can't input, repair your server!!". In this case I go to logs, see where denied IPs, add its to /etc/hosts AND /etc/hosts.allow, and call to boss & e.t.c - "CHECK NOW". This work, but tomorrow I will have to remove the string, entered today, and do work from call.
Also strangle
When I connect to my server over dydns name: PC(mynetwork) --> DyDNS --> NAS(mynetwork) - wrapper give me access without define /etc/hosts and /etc/hosts.allow
When I connect to my server over dydns name: PC(anothernetwork) --> DyDNS --> NAS (mynetwork) - wrapper deny access. I need define outside IP
___________________________________________________
Not need rebuild ftp server, need only add checkbox to webgui "Enable/disable wrapper". Also, I don't understand, why use mod_wrap+mod_wrap2. Need only one of them.

[daoyama]

Now I need define outside hosts. OUPS!!!
I don't know any about outside hosts in case dynamic IP, such hostname or IP.

Probably, inside/outside/static/dynamic is not a true problem. It's you use the IPs which can't resolved or not matched.
So, I have used 203.141.148.97(static) and 210.139.89.108(dynamic). But both have reversed name.

203.141.148.97 -> bf-gw.peach.ne.jp -> 203.141.148.97
210.139.89.108 -> pl364.nas93g.p-tokyo.nttpc.ne.jp -> 210.139.89.108

Code: Select all

[root@aria ~]# dig -x 203.141.148.97

; <<>> DiG 9.8.3-P3 <<>> -x 203.141.148.97
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53386
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;97.148.141.203.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
97.148.141.203.in-addr.arpa. 43022 IN   PTR     bf-gw.peach.ne.jp.

;; AUTHORITY SECTION:
148.141.203.in-addr.arpa. 12125 IN      NS      ddns2.interlink.or.jp.
148.141.203.in-addr.arpa. 12125 IN      NS      ddns1.interlink.or.jp.

;; ADDITIONAL SECTION:
ddns1.interlink.or.jp.  12125   IN      A       203.141.128.39
ddns2.interlink.or.jp.  12125   IN      A       203.141.142.30

;; Query time: 2 msec
;; SERVER: 172.18.0.1#53(172.18.0.1)
;; WHEN: Mon Nov 12 23:49:10 2012
;; MSG SIZE  rcvd: 161

[root@aria ~]# dig -x 210.139.89.108

; <<>> DiG 9.8.3-P3 <<>> -x 210.139.89.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33191
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;108.89.139.210.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
108.89.139.210.in-addr.arpa. 203 IN     PTR     pl364.nas93g.p-tokyo.nttpc.ne.jp.

;; AUTHORITY SECTION:
89.139.210.in-addr.arpa. 203    IN      NS      ns1.sphere.ad.jp.
89.139.210.in-addr.arpa. 203    IN      NS      ns2.sphere.ad.jp.

;; ADDITIONAL SECTION:
ns1.sphere.ad.jp.       78305   IN      A       202.239.113.18
ns1.sphere.ad.jp.       78305   IN      AAAA    2001:2c0:1:100::a01
ns2.sphere.ad.jp.       85392   IN      A       202.239.113.26
ns2.sphere.ad.jp.       85392   IN      AAAA    2001:2c0:11:1::a02

;; Query time: 2 msec
;; SERVER: 172.18.0.1#53(172.18.0.1)
;; WHEN: Mon Nov 12 23:49:15 2012
;; MSG SIZE  rcvd: 225

[root@aria ~]# dig bf-gw.peach.ne.jp.

; <<>> DiG 9.8.3-P3 <<>> bf-gw.peach.ne.jp.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48433
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;bf-gw.peach.ne.jp.             IN      A

;; ANSWER SECTION:
bf-gw.peach.ne.jp.      3415    IN      A       203.141.148.97

;; AUTHORITY SECTION:
peach.ne.jp.            3415    IN      NS      ns1.peach.ne.jp.
peach.ne.jp.            3415    IN      NS      ns2.peach.ne.jp.

;; ADDITIONAL SECTION:
ns1.peach.ne.jp.        3415    IN      A       203.141.148.98
ns1.peach.ne.jp.        3415    IN      AAAA    2001:380:e06:127::53
ns2.peach.ne.jp.        3415    IN      A       203.141.148.99
ns2.peach.ne.jp.        3415    IN      AAAA    2001:380:e06:127::123

;; Query time: 2 msec
;; SERVER: 172.18.0.1#53(172.18.0.1)
;; WHEN: Mon Nov 12 23:49:34 2012
;; MSG SIZE  rcvd: 175

[root@aria ~]# dig pl364.nas93g.p-tokyo.nttpc.ne.jp.

; <<>> DiG 9.8.3-P3 <<>> pl364.nas93g.p-tokyo.nttpc.ne.jp.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49503
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;pl364.nas93g.p-tokyo.nttpc.ne.jp. IN   A

;; ANSWER SECTION:
pl364.nas93g.p-tokyo.nttpc.ne.jp. 85383 IN A    210.139.89.108

;; AUTHORITY SECTION:
p-tokyo.nttpc.ne.jp.    85383   IN      NS      ns2.sphere.ad.jp.
p-tokyo.nttpc.ne.jp.    85383   IN      NS      ns1.sphere.ad.jp.

;; ADDITIONAL SECTION:
ns1.sphere.ad.jp.       78277   IN      A       202.239.113.18
ns1.sphere.ad.jp.       78277   IN      AAAA    2001:2c0:1:100::a01
ns2.sphere.ad.jp.       85364   IN      A       202.239.113.26
ns2.sphere.ad.jp.       85364   IN      AAAA    2001:2c0:11:1::a02

;; Query time: 2 msec
;; SERVER: 172.18.0.1#53(172.18.0.1)
;; WHEN: Mon Nov 12 23:49:43 2012
;; MSG SIZE  rcvd: 200

libwrap used by mod_wrap can't allow IP which does not have reversed correct name.
But mod_wrap2 does not use libwrap. So, it's never affected.

Also strangle
When I connect to my server over dydns name: PC(mynetwork) --> DyDNS --> NAS(mynetwork) - wrapper give me access without define /etc/hosts and /etc/hosts.allow
When I connect to my server over dydns name: PC(anothernetwork) --> DyDNS --> NAS (mynetwork) - wrapper deny access. I need define outside IP

I think this is a side effect. If you enable Zeroconf/Bonjour, the mDNSresponder is called.
It will resolve in the subnet. Then it was resolved?

Not need rebuild ftp server, need only add checkbox to webgui "Enable/disable wrapper". Also, I don't understand, why use mod_wrap+mod_wrap2. Need only one of them.

It seems "enable mod_wrap2" is required too. mod_wrap2 is not standard module.
mod_wrap exists at first time I think. At least FreeNAS 0.69 have it.
The mod_wrap2 is provided at FreeNAS 0.7.5423.
http://freenas.svn.sourceforge.net/view ... ision=5423

One of big different between mod_wrap and mod_wrap2 is mod_wrap2 can deny before "login".
In your case, you can use after "Nas firewall" by using:

WrapOptions CheckOnConnect

For more detail see below:
http://proftpd.open-source-solution.org ... wrap2.html

Daisuke Aoyama

[alexey123]

Thank you for manual, I was test.
About my NAS. I never not use Zeroconf/Bonjour, it disabled becouse it very chatty and make many messages on system log. But I have running isc-dhcp4.2- server on NAS4Free.

Now I create ftp access for test. Your static IP I add to host database. I reverse wrapper setting to YES. /etc/hosts.allow : ALL:ALL:allow
user nas4free, pass nas4free. Server (link)
You can check ftp.log here
I make 2 test login itself
My curent ip 84-229-210-186 and name from provider is IGLD-84-229-210-186.inter.net.il

And I'm go to learn your manual and test on test machine.
After 1.5 hours I check from home my server

Also this problem is not only my problem - check forum messages about access over ftp.

[daoyama]

Thank you.

Now I create ftp access for test. Your static IP I add to host database. I reverse wrapper setting to YES. /etc/hosts.allow : ALL:ALL:allow
user nas4free, pass nas4free. Server (link)
You can check ftp.log here

Code: Select all

Nov 12 18:51:14 nasserver proftpd[16412]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - FTP session opened. 
Nov 12 18:51:14 nasserver proftpd[16412]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - mod_wrap/1.2.4: using access files: /etc/ftpd.allow, /etc/ftpd.deny 
Nov 12 18:51:14 nasserver proftpd[16412]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - mod_wrap/1.2.4: allowed connection from daoyama 
Nov 12 18:51:14 nasserver proftpd[16412]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - USER anonymous: no such user found from 203.141.148.97 [203.141.148.97] to ::ffff:10.0.0.1:21 
Nov 12 18:51:15 nasserver proftpd[16412]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - FTP session closed. 
Nov 12 18:51:44 nasserver proftpd[16420]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - FTP session opened. 
Nov 12 18:51:44 nasserver proftpd[16420]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - mod_wrap/1.2.4: using access files: /etc/ftpd.allow, /etc/ftpd.deny 
Nov 12 18:51:44 nasserver proftpd[16420]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - mod_wrap/1.2.4: allowed connection from daoyama 
Nov 12 18:51:44 nasserver proftpd[16420]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - Preparing to chroot to directory '/mnt/disk/users/nas4free' 
Nov 12 18:51:44 nasserver proftpd[16420]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - USER nas4free: Login successful. 
Nov 12 18:52:05 nasserver proftpd[16420]: 10.0.0.1 (203.141.148.97[203.141.148.97]) - FTP session closed. 

Sorry, I miss to connect with anonymous
At this time, I can login to the server.

Daisuke Aoyama

[alexey123]

I see your login.
But If I remove your host from /etc/hosts you can't login. I remove
Also my boss, when he replace his ip and name ( blalala-<ip>-<swindlers>.net.il ) - he can't input

Anonymous I never not use, only password and username. My Paranoia

In general, if I invite somebody to my ftp I do not have to ask him IP or something, as provider name. I have to give a username and password.
However, it is wrong to remove wrappers. TRUE - allow users to choose their own mode - with or without the wrapper. Only one checkbox in ftp page webgui

[daoyama]

But If I remove your host from /etc/hosts you can't login.

Please remove from /etc/hosts.

However, it is wrong to remove wrappers. TRUE - allow users to choose their own mode - with or without the wrapper. Only one checkbox in ftp page webgui

Currently, enabled mod_wrap is default. So, it seems "disable mod_wrap" is need for FTP page.

[alexey123]

I remove all to my normal state

So, it seems "disable mod_wrap" is need for FTP page.

Thank you very match

[Brent502]

You don't need edit this.
Just add the value to System|Advanced|rc.conf.

Name: proftpd_modwrap_enable
Value: NO

Then, restart FTP service.
Daisuke Aoyama

Thanks guys for your help!! This one work for me!

[alexey123]

understood and agreed
Brent502, pls repair your first post to solved