General FTP
How to install or update the FTP service
The easiest way to install or update the FTP service is through CustomBuild:
da build set ftpd "proftpd"
da build "proftpd"
How to run ProFTPD in debug mode
If you are having any issues logging in, uploading files, creating directories, etc., you can run ProFTPD in debug mode to see what the ProFTPD server is doing and possibly find out why it is generating those errors.
To do so, type the following:
systemctl stop proftpd
proftpd -n -d 20
This will stop ProFTPD and then start it up in the console in debug mode.
Then use whatever client again to generate the error. ProFTPD will dump out a lot of information. The errors you want usually happen right near the bottom of all of the output.
Once you find what you need, press Ctrl-C to quit the daemon. DA should automatically start ProFTPD up again in normal mode within a minute, or just start it with the same command as above, but with "start" instead of "stop".
How to install mod_sftp into ProFTPD
For any server admins who wish to allow their Users to upload data using SFTP, instead of FTP or FTPS, this guide will outline how to install SFTP (Secure shell FTP) into ProFTPD.
Note, this assumes you're using the newer unified_FTP_password_file setup for ProFTPD (you should have an empty proftpd.vhosts.conf file)
- Recompile ProFTPD with the required changes:
cd /usr/local/directadmin/custombuild
da build set ftpd proftpd
mkdir -p custom/proftpd
sed 's/:mod_tls/:mod_tls:mod_sftp/g' configure/proftpd/configure.proftpd > custom/proftpd/configure.proftpd
chmod +x custom/proftpd/configure.proftpd
da build proftpd
chmod 0600 /etc/ssh/ssh_host_rsa_key
- Restart ProFTPD:
systemctl restart proftpd
- And test:
# telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 ProFTPD 1.3.4a Server ready.
QUIT
221 Goodbye.
Connection closed by foreign host.
# telnet localhost 23
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-2.0-mod_sftp/0.9.8
garbledtext
Connection closed by foreign host.
Note, the default for SFTP clients is to use port 22. However, SSHd uses this port by default.
If you want SFTP to use 22, you'd first need to change the port that SSHd is using (ensure your firewall is open on the new port), then change the Port 23 value in the /etc/proftpd.sftp.conf file to use 22 instead, then restart ProFTPD.
If you need ClamAV, CB2 will automatically add this to the proftpd.conf while it's being installed. As such, you'd also need to run:
cd /usr/local/directadmin/custombuild
mkdir -p custom/proftpd/conf
cp configure/proftpd/conf/proftpd.conf custom/proftpd/conf/proftpd.conf
da build proftpd
and it should copy the custom proftpd.conf, and also add the ClamAV parts.
Restrict access to ProFTPD based on IP or reverse lookup
If you'd like to lock down FTP so that only specific IPs, ranges or reverse IP lookup values are allowed to connect you can use the following.
- To only allow specific IPs to connect, add the following to the <Global> section of your /etc/proftpd.conf file:
<Limit LOGIN>
Order allow,deny
Allow from 1.2.3.4, 5.6.7.8
Deny from all
</Limit>
You can use ranges and wildcard values.
- Or to only allow IPs whose reverse IP lookups belong to a certain family of IPs (usually a specific ISP), you can use the following in the <Global> section of your /etc/proftpd.conf file:
<Limit LOGIN>
Order allow,deny
Allow from .your.isp.com
Deny from all
</Limit>
where the reverse IP lookups of all IPs that are to connect end in .your.isp.com.
How to re-add all system FTP accounts to the /etc/proftpd.passwd file
If, for whatever reason, you're missing all or some of your system FTP accounts in your /etc/proftpd.passwd file, you can do the following to ensure they're all added and present. Create a file fix_ftp.sh and insert the following code:
#!/bin/sh
PF=/etc/proftpd.passwd
cd /usr/local/directadmin/data/users || exit 1
for u in *; do
    # only per-user directories are of interest
    if [ ! -d "$u" ]; then
        continue
    fi
    # the user's password hash is kept in ~/.shadow
    SHADOW="/home/$u/.shadow"
    if [ ! -e "$SHADOW" ]; then
        continue
    fi
    # make sure it doesn't already exist
    COUNT=$(grep -c -e "^${u}:" "$PF")
    if [ "$COUNT" -ne 0 ]; then
        continue
    fi
    UUID=$(id -u "$u")
    UGID=$(id -g "$u")
    echo "${u}:$(cat "$SHADOW"):${UUID}:${UGID}:system:/home/${u}:/bin/false"
done
Make it executable:
chmod 755 fix_ftp.sh
To test it out first, do the following so that it will just display the output data without real changes:
./fix_ftp.sh
Make sure it's dumping out the information that goes into the proftpd.passwd file.
Once satisfied that it's the data you want, pipe it to the tail end of the file (backup first):
cp -rp /etc/proftpd.passwd /etc/proftpd.passwd_back
./fix_ftp.sh >> /etc/proftpd.passwd
making sure to use 2 > characters (>>) and not just 1, as using just 1 would delete whatever was previously there (which is a bad thing if there are any ftp@domain.com accounts).
Make sure /etc/proftpd.passwd is chown'd to root:ftp as well:
chown root:ftp /etc/proftpd.passwd
chmod 640 /etc/proftpd.passwd
That's it, then just test out the FTP accounts.
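A sanity check that can be run on the fix_ftp.sh output, or on /etc/proftpd.passwd itself, before testing logins. This is an added example, not part of the original guide: the names check_ftp_passwd and sample_entries and the sample entries are constructed, and the seven-field layout is assumed from the echo line in fix_ftp.sh above.

```shell
#!/bin/sh
# check_ftp_passwd FILE
# Prints one finding per line and returns 1 if anything was found.
# Expected layout (as written by fix_ftp.sh):
#   user:hash:uid:gid:system:/home/user:/bin/false
check_ftp_passwd() {
    awk -F: '
        NF != 7 {
            printf "line %d: expected 7 fields, got %d\n", NR, NF
            bad = 1; next
        }
        # an empty .shadow file would produce an entry with no hash
        $2 == "" {
            printf "line %d: %s has an empty password hash\n", NR, $1
            bad = 1
        }
        # a failed "id -u" / "id -g" leaves the uid or gid blank
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "line %d: %s has a non-numeric uid/gid\n", NR, $1
            bad = 1
        }
        # appending the same output twice produces duplicates
        seen[$1]++ {
            printf "line %d: duplicate entry for %s\n", NR, $1
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample entries: one good line and three kinds of damage.
sample_entries() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhash:1001:1001:system:/home/alice:/bin/false
bob::1002:1002:system:/home/bob:/bin/false
carol:$6$constructedsalt$constructedhash:::system:/home/carol:/bin/false
alice:$6$constructedsalt$constructedhash:1001:1001:system:/home/alice:/bin/false
EOF
}

tmp=$(mktemp)
sample_entries > "$tmp"
check_ftp_passwd "$tmp" || true
rm -f "$tmp"
```

To check the live file, call check_ftp_passwd /etc/proftpd.passwd as root.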
How to reset your FTP password without logging into the panel
Users can access:
http(s)://domain[.]com:2222/CMD_CHANGE_FTP_PASSWORD
to get an interface to change their password (replace http(s)://domain[.]com with the domain or with the server's hostname).
Note:
- you cannot change your system ftp account with this.
- you must use the full user@domain.com format, even for owned IP accounts that have a login of just "user", you must always include the domain.
Feature can be disabled with:
email_ftp_password_change=0
in the directadmin.conf, in DA 1.41.0, which also affects the similar email password change functionality.
You can even have the form on your own web page and utilize it via POST like so:
action="http://domain.com:2222/CMD_CHANGE_FTP_PASSWORD"
method: POST
ftp=user@domain.com
oldpassword=theoldpass
password1=newpass
password2=newpass
You can also pass:
redirect=http://where.you/want/togo.html
to have DA redirect the browser to that page after a successful login.
If you want to call this using the API, simply also include:
api=yes
to have the results url encoded. Do NOT pass
api=no
if you do not wish to have the url encoded results, because the value isn't checked, only the presence of "api".
The template can be found here:
/usr/local/directadmin/data/templates/ftp_pass_change/index.html
If you want to customize it, create the customized copy here:
/usr/local/directadmin/data/templates/ftp_pass_change/custom/index.html
Related pre/post.sh scripts include:
/usr/local/directadmin/scripts/custom/ftp_change_pass_pre.sh
/usr/local/directadmin/scripts/custom/ftp_change_pass_post.sh
I cannot login to FTP, but SSH and DA work fine
If ProFTPD is not letting you log in, there are a few things you can check to see why that is.
- Try resetting your password to ensure it all matches up.
- Check the log files:
tail -f /var/log/messages /var/log/secure /var/log/proftpd/auth.log
Then try to log in. Press Ctrl+C when done.
- Try running ProFTPD in debug mode.
How to increase the maximum number of connections per IP for PureFTPd
Use the /etc/pure-ftpd.conf file and adjust the:
MaxClientsPerIP 15
value, which defaults to 15.
LAN: Entering Passive Mode returns the wrong IP, causing ECONNREFUSED
When trying to connect to FTP from a remote location, after you've connected to port 21 and if you transfer any data, it will usually be done in Passive Mode (where the client connects to the server a 2nd time on a high random port number usually within the range 35000-35999 unless configured otherwise).
However, if you're on a LAN, when the request for data transfer happens, the FTP server will respond with the IP to connect to, which might look like:
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,2,139,237)
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
where 192.168.1.2 is the LAN IP, and not accessible from a remote location.
We need it to show your public/external IP. If you're running Pure-FTPd:
- Edit the /etc/pure-ftpd.conf file and force using a specific IP:
ForcePassiveIP 1.2.3.4
Where you'd replace 1.2.3.4 with your public server IP.
- Restart service:
systemctl restart pure-ftpd
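To confirm the change from a client log, the 227 reply can be decoded: the first four numbers are the IP and the port is the fifth number times 256 plus the sixth. The following is an added example, not part of the original guide; the function names are constructed, and the default range check uses the 35000-35999 passive range mentioned above.

```shell
#!/bin/sh
# parse_pasv "<reply line>" -> prints "IP PORT"; returns 1 if not a 227 reply
parse_pasv() {
    nums=$(printf '%s\n' "$1" | sed -n \
        's/^.*227 [^(]*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $nums
    IFS=$old_ifs
    for n in "$@"; do
        [ "$n" -le 255 ] || return 1
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# is_private IP -> 0 for RFC 1918, loopback and link-local addresses
is_private() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_pasv "<reply line>" [low] [high]
# Prints "IP PORT findings" and returns 0 only when nothing was flagged.
check_pasv() {
    low=${2:-35000}; high=${3:-35999}
    decoded=$(parse_pasv "$1") || { echo "not a 227 reply"; return 2; }
    ip=${decoded% *}; port=${decoded#* }
    findings=""
    if is_private "$ip"; then
        findings="private-ip"
    fi
    if [ "$port" -lt "$low" ] || [ "$port" -gt "$high" ]; then
        findings="${findings:+$findings,}port-outside-range"
    fi
    echo "$ip $port ${findings:-ok}"
    [ -z "$findings" ]
}

# The reply shown above, then a constructed reply after ForcePassiveIP 1.2.3.4
check_pasv "Response: 227 Entering Passive Mode (192,168,1,2,139,237)" || true
check_pasv "Response: 227 Entering Passive Mode (1,2,3,4,139,237)" || true
```

A "private-ip" finding on a reply seen by a remote client means the server is still advertising its LAN address.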
Script to delete all remote tar.gz files in a directory
The script below will delete all .tar.gz files in a remote directory.
To affect which files are removed, change the grep value.
Note that this script has been tested, and works in our case, but extra testing and debugging may be required for your specific setup.
#!/bin/sh
ftp_path=/remote/ftp/path
ftp_username=username
ftp_password=password
ftp_ip=remote.host.com
ftp_port=21
# list the remote directory (names only) and keep the .tar.gz entries
for i in `curl -s -l "ftp://${ftp_ip}:${ftp_port}/${ftp_path}/" -u "${ftp_username}:${ftp_password}" | grep '\.tar\.gz'`; do
    echo "deleting ${ftp_path}/$i"
    # --quote sends the DELE command for this file to the server
    curl "ftp://${ftp_ip}:${ftp_port}/${ftp_path}/${i}" -u "${ftp_username}:${ftp_password}" -O --quote "DELE ${ftp_path}/${i}"
done
Make it executable with "chmod 755" and run.