How to install or update the FTP service

The easiest way to update or install the FTP service is over CustomBuild.

cd /usr/local/directadmin/custombuild
./build update
./build set ftpd "proftpd"
./build proftpd
1
2
3
4

How to run ProFTPD in debug mode

If you are having any issues logging in, or uploading files, creating directories, etc.. you can** run ProFTPD in debug mode** to see what the ProFTPD server is doing and possibly find out why it's generating the errors it is.

To do so, type the following:

service proftpd stop
proftpd -n -d 20
1
2

This will stop ProFTPD and then start it up in the console in debug mode.

Note on FreeBSD, you'd use

/usr/local/etc/rc.d/proftpd stop
1

to stop ProFTPD.

Then use whatever client again to generate the error. ProFTPD will dump out a lot of information. The errors you want usually happen right near the bottom of all of the output.

Once you find what you need, press Ctrl-C to quit the daemon. DA should automatically start ProFTPD up again in normal mode within a minute, or just start it with the same command as above, but with "start" instead of "stop.

How to install mod_sftp into ProFTPD

For any server admins who wish to allow their Users to upload data using SFTP, instead of FTP or FTPS, this guide will outline how to install SFTP (Secure shell FTP) into ProFTPD.

Note, this assumes you're using the newer unified_FTP_password_fileopen in new window setup for ProFTPD (you should have an empty proftpd.vhosts.conf file)

  1. Recompile ProFTPD with the required changes:
cd /usr/local/directadmin/custombuild
./build update
./build set ftpd proftpd
mkdir -p custom/proftpd/conf
wget -O custom/proftpd/configure.proftpd http://files.directadmin.com/services/all/sftp/configure.proftpd.sftp
wget -O custom/proftpd/conf/proftpd.conf http://files.directadmin.com/services/all/sftp/proftpd.conf
chmod 755 custom/proftpd/configure.proftpd
wget -O /etc/proftpd.sftp.conf http://files.directadmin.com/services/all/sftp/proftpd.sftp.conf
./build proftpd
1
2
3
4
5
6
7
8
9
  1. Restart ProFTPD:
service proftpd restart
1
  1. And test:
# telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 ProFTPD 1.3.4a Server ready.
QUIT
221 Goodbye.
Connection closed by foreign host.

# telnet localhost 23
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-2.0-mod_sftp/0.9.8
garbledtext
       Connection closed by foreign host.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Note, the default for SFTP clients is to use port 22. However, SSHd uses this port by default.

If you want SFTP to use 22, you'd first need to change the port that SSHd is using (ensure your firewall is open on the new port), then change the Port 23 value in the /etc/proftpd.sftp.conf file to use 22 instead, then restart ProFTPD.

If you need ClamAV, CB2 will automatically add this to the proftpd.conf while it's being installed. As such, you'd also need to run:

cd /usr/local/directadmin/custombuild
mkdir -p custom/proftpd/conf
wget -O custom/proftpd/conf/proftpd.conf http://files.directadmin.com/services/all/sftp/proftpd.conf
./build proftpd
1
2
3
4

and it should copy the custom proftpd.conf, and also add the ClamAV parts.

Restrict access to ProFTPD based on IP or reverse lookup

If you'd like to lock down FTP so that only specific IPs, ranges or reverse IP lookup values are allowed to connect you can use the following.

  1. To only allow specific IPs to connect, add the following to your <Global> section of /etc/proftpd.conf file:
      <Limit LOGIN>
               Order allow,deny
               Allow from 1.2.3.4, 5.6.7.8
               Deny from all
       </Limit>
1
2
3
4
5

You can use ranges and wildcardopen in new window values.

  1. Or to only allow IPs who's reverse IP lookups belong to a certain family of IPs (usually a specific ISP), you can use the following in your <Global> section of /etc/proftpd.conf file.
      <Limit LOGIN>
               Order allow,deny
               Allow from .your.isp.com
               Deny from all
       </Limit>
1
2
3
4
5

where the reverse IP lookup of all IPs that are to connect, end in .your.isp.com .

How to re-add all system FTP accounts to the /etc/proftpd.passwd file

If, for whatever reason, you're missing all or some of your system FTP accounts in your /etc/proftpd.passwd file, you can do the following to ensure they're all added and present. Create a file fix_ftp.sh and insert the following code:

#!/bin/sh

PF=/etc/proftpd.passwd

cd /usr/local/directadmin/data/users
for u in `ls`; do
{
          if [ ! -d $u ]; then
                    continue;
          fi

          SHADOW=/home/$u/.shadow
          if [ ! -e $SHADOW ]; then
                    continue;
          fi

          #make sure it doesn't already exist
          COUNT=`grep -c -e "^${u}:" $PF`
          if [ "$COUNT" -ne 0 ]; then
                    continue;
          fi

          UUID=`id -u $u`
          UGID=`id -g $u`

          echo "${u}:`cat /home/$u/.shadow`:${UUID}:${UGID}:system:/home/${u}:/bin/false";

};
done;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

Make it executable:

chmod 755 fix_ftp.sh
1

To test it out first, do the following so that it will just display the output data without real changes:

./fix_ftp.sh
1

Make sure it's dumping out the information that goes into the proftpd.passwd file.

Once satisfied that it's the data you want, pipe it to the tail end of the file (backup first):

cp -rp /etc/proftpd.passwd /etc/proftpd.passwd_back
./fix_ftp.sh >> /etc/proftpd.passwd
1
2

making sure to use 2 > characters (>>) and not just 1, as using just 1 would delete whatever was previously there (which is a bad thing if there are any ftp@domain.com accounts).

Make sure /etc/proftpd.passwd is chown'd to root:ftp as well:

chown root:ftp /etc/proftpd.passwd
chmod 640 /etc/proftpd.passwd
1
2

That's it, then just test out the FTP accounts.

How to reset your FTP password without logging into the panel

Users can access:

http(s)://domain[.]com:2222/CMD_CHANGE_FTP_PASSWORD
1

to get a interface to change their password (replace http(s)😕/domain[.]com with the domain or with the server's hostname).

Note:

  • you cannot change your system ftp account with this.
  • you must use the full user@domain.com format, even for owned IP accounts that have a login of just "user", you must always include the domain.

Feature can be disabled with:

email_ftp_password_change=0
1

in the directadmin.conf, in DA 1.41.0, which also affects the similar email password change functionalityopen in new window.

You even have the form on your own web page and utilize it via POST like so:

action="http://domain.com:2222/CMD_CHANGE_FTP_PASSWORD"
method: POST
ftp=user@domain.com
oldpassword=theoldpass
password1=newpass
password2=newpass
1
2
3
4
5
6

You can also pass:

redirect=http://where.you/want/togo.html
1

to have DA redirect the browser to that page after a successful login.

If you want to call this using the API, simply also include:

api=yes
1

to have the results url encoded. Do NOT pass

api=no
1

if you do not wish to have results because the value isn't checked, only the presence of "api".

The template can be found here:

/usr/local/directadmin/data/templates/ftp_pass_change/index.html
1

If you want to customize it, create the customized copy here:

/usr/local/directadmin/data/templates/ftp_pass_change/custom/index.html
1

Related pre/post.sh scripts include:

  • /usr/local/directadmin/scripts/custom/ftp_change_pass_pre.sh
  • /usr/local/directadmin/scripts/custom/ftp_change_pass_post.sh

I cannot login to FTP, but SSH and DA work fine

If ProFTPD is not letting you login, then there are few things you can do check to see why that is.

  1. Try resetting your password to ensure it all matches up.

  2. Check the log files:

tail -f /var/log/messages /var/log/secure /var/log/proftpd/auth.log
1

Then try to log in. Type Ctrl+C when done.

  1. Try running ProFTPD in debug mode.

How to increase the maximum number of connections per IP for PureFTPd

Use the /etc/pure-ftpd.conf file and adjust the:

MaxClientsPerIP 15
1

value, which defaults to 15.

LAN: Entering Passive Mode returns the wrong IP, causing ECONNREFUSED

When trying to connect to FTP from a remote location, after you've connected to port 21 and if you transfer any data, it will usually be done in Passive Mode (where the client connects to the server a 2nd time on a high random port number usually within the range 35000-35999 unless configured otherwise).

However, if you're on a LAN, when the request for data transfer happens, the FTP server will respond with with which IP to connect to, which might look like:

Command:        PASV
Response:       227 Entering Passive Mode (192,168,1,2,139,237)
Command:        MLSD
Error:          The data connection could not be established: ECONNREFUSED - Connection refused by server
1
2
3
4

where 192.168.1.2 is the LAN IP, and not accessible from a remote location.

We need it to show your public/external IP, so if you're running Pure-FTPd.

  1. Edit the /etc/pure-ftpd.conf file and force using special IP:
ForcePassiveIP 1.2.3.4
1

Where you'd replace 1.2.3.4 with your public server IP

  1. Restart service:
systemctl restart pure-ftpd
1

Script to delete all remote tar.gz files in a directory

The script below will delete all .tar.gz files in a remote directory.

To affect which files are removed, change the grep value.

**Note **that this script has been tested, and works in our case, but extra testing and debugging may be required for your specific setup.

#!/bin/sh

ftp_path=/remote/ftp/path
ftp_username=username
ftp_password=password
ftp_ip=remote.host.com
ftp_port=21

for i in `curl -s -l ftp://"$ftp_username":"$ftp_password"@$ftp_ip/$ftp_path/ | grep tar.gz`; do
{
       echo "deleting ${ftp_path}/$i";
       curl ftp://${ftp_ip}:${ftp_port}/${ftp_path}/${i} -u "${ftp_username}:${ftp_password}" -O --quote "DELE ${ftp_path}/${i}"
};
done;
1
2
3
4
5
6
7
8
9
10
11
12
13
14

Make it executable with "chmod 755" and run.

Last Updated: 6/23/2021, 9:36:08 PM