-1

I have a server running CentOS 7.4, cPanel, and Pure-FTPd 1.0.45. I can FTP to this server just fine from some hosts, but not from others.

It's not a firewall issue, as I can see the rejected login attempts in the log file. I've tried the broken clients compatibility option, as well as making TLS disabled, optional and required. None of these changes have any positive effect (TLS required broke things even worse). I don't see any way that Pure-FTPd supports IP black or white listing of IPs, so I don't believe that's the issue.

All the suggestions I've found through Googling are to do with FTP vs shell users, corrupted password databases, etc., and those are obviously not the problems, since it works reliably from some hosts.

I've dialed the Pure-FTPd logging up as high as it seems to go (two "VerboseLog yes" lines), but the info logged is still pretty minimal and unhelpful. Here's the conversations from successful and failed attempts:

(?@xxx.xxx.xxx.xxx) [INFO] New connection from xxx.xxx.xxx.xxx
(?@xxx.xxx.xxx.xxx) [DEBUG] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
(?@xxx.xxx.xxx.xxx) [DEBUG] 220-You are user number 1 of 50 allowed.
(?@xxx.xxx.xxx.xxx) [DEBUG] 220-Local time is now 16:43. Server port: 21.
(?@xxx.xxx.xxx.xxx) [DEBUG] 220-This is a private system - No anonymous login
(?@xxx.xxx.xxx.xxx) [DEBUG] 220-IPv6 connections are also welcome on this server.
(?@xxx.xxx.xxx.xxx) [DEBUG] 220 You will be disconnected after 15 minutes of inactivity.
(?@xxx.xxx.xxx.xxx) [DEBUG] Command [user] [me@mydomain.com]
(?@xxx.xxx.xxx.xxx) [DEBUG] 331 User me@mydomain.com OK. Password required
(?@xxx.xxx.xxx.xxx) [DEBUG] Command [pass] [<*>]
(?@xxx.xxx.xxx.xxx) [INFO] me@mydomain.com is now logged in
(me@mydomain.com@xxx.xxx.xxx.xxx) [DEBUG] 230 OK. Current restricted directory is /

(?@yyy.yyy.yyy.yyy) [INFO] New connection from yyy.yyy.yyy.yyy
(?@yyy.yyy.yyy.yyy) [DEBUG] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
(?@yyy.yyy.yyy.yyy) [DEBUG] 220-You are user number 1 of 50 allowed.
(?@yyy.yyy.yyy.yyy) [DEBUG] 220-Local time is now 16:45. Server port: 21.
(?@yyy.yyy.yyy.yyy) [DEBUG] 220-This is a private system - No anonymous login
(?@yyy.yyy.yyy.yyy) [DEBUG] 220-IPv6 connections are also welcome on this server.
(?@yyy.yyy.yyy.yyy) [DEBUG] 220 You will be disconnected after 15 minutes of inactivity.
(?@yyy.yyy.yyy.yyy) [DEBUG] Command [user] [me@mydomain.com]
(?@yyy.yyy.yyy.yyy) [DEBUG] 331 User me@mydomain.com OK. Password required
(?@yyy.yyy.yyy.yyy) [DEBUG] Command [pass] [<*>]
(?@yyy.yyy.yyy.yyy) [DEBUG] 530 Login authentication failed
(?@yyy.yyy.yyy.yyy) [WARNING] Authentication failed for user [me@mydomain.com]

Any suggestions for what else to look at much appreciated. My best guess (based on relative age of the various installations) is that it might be something to do with different versions of OpenSSL library on the client, but I have no idea how to go about testing that hypothesis. Simply updating the client to the latest version is not a good solution, as it's the newer installs that are failing while the older ones work!

EDIT

Seems that cPanel uses their own "pureauth" script for performing authentication to Pure-FTPd. I can't find much info about this, but I can't see anything in the config files I've found about IP addresses. cPanel may well be using some other database (not in the MySQL sense) to manage blocked IP addresses more centrally, but the only thing I've found so far is their "IP Blocker", which is not blocking anything.

Greg Schmidt
  • 107
  • 4
  • What authentication system are you using, a private password database or system passwords? – Simon Greenwood Jan 10 '18 at 22:53
  • It's using whatever cPanel sets up for Pure-FTPd accounts. I'm not actually sure where it is, or how I would find out. I haven't done anything specially for MySQL, nor do I see anything about any of this in the config file. I am using @mydomain.com-style user names for logging in here, so I think that means it's not system passwords. This is definitely happening with at least one account that does not have a corresponding entry in /etc/passwd. – Greg Schmidt Jan 11 '18 at 03:24
  • cPanel uses per domain database authentication so there's a default user `username@domain.com` plus any others that are created in the domain cPanel. Check the domain cPanel to see what is set up - my immediate thought is that there might be an IP address restriction configured. – Simon Greenwood Jan 11 '18 at 06:41
  • I just created one of the users, and did not add any restrictions when I did so, nor can I see anything anywhere else that would restrict them. – Greg Schmidt Jan 11 '18 at 14:29
  • Can you update the question to mention cPanel and add the tag as a few more people might see it - there are people who know the ins and outs of cPanel better than Linux on its own. – Simon Greenwood Jan 11 '18 at 14:59
  • Done. I did mention cPanel in the question, though not in the title. I didn't want to overemphasize it; the fact that logins succeed from some hosts makes it seem to me the fault is most probably in Pure-FTPd (e.g. some configuration that cPanel might write, but might also be set otherwise). – Greg Schmidt Jan 11 '18 at 16:12

1 Answers1

-1

Turns out that cPHulk is the culprit here. Whitelisting the IP address in question has resolved the issue. I thought cPHulk had been deprecated in a recent update, so didn't look at that, but it's only the storage of its data in a MySQL database that's been stopped.

Greg Schmidt
  • 107
  • 4