Hi, after a weekly reboot of my server - it appears proftpd will not start. I have made absolutely no changes whatsoever and can't work out why it will not start.
Running /usr/sbin/proftpd shows: Fatal: unknown configuration directive 'VRootEngine' on line 16 of '/etc/proftpd.conf'
I checked my /etc/proftpd.conf and it has not changed since September?
This is it here - please advise!!
# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config - config used for anything outside a or context
# See: http://www.proftpd.org/docs/howto/Vhost.html

ServerName "ITGroup FTP Server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on

# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine on
DefaultRoot ~ !adm
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c

# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off

# Set the user and group that the server runs as
User nobody
Group nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
#   LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
#   LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
#   LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
#   LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
#   LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
#   LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
#   LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
#   LoadModule mod_quotatab_radius.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
#   LoadModule mod_ctrls_admin.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
#   LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
#   LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
#   LoadModule mod_geoip.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
#   LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
#   LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
#   LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
#   LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
#   LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
#   LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
#   LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
#   LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
#   LoadModule mod_tls_shmcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
#   LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
#   LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
#   LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
#   LoadModule mod_wrap2_sql.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
#   LoadModule mod_ifsession.c

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
TLSSessionCache shm:/file=/var/run/proftpd/sesscache

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab

# If the same client reaches the MaxLoginAttempts limit 2 times
# within 10 minutes, automatically add a ban for that client that
# will expire after one hour.
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

# Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable
Umask 022

# Allow users to overwrite files and change permissions
AllowOverwrite yes
AllowAll

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login
#DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files.
DisplayLogin /welcome.msg
DisplayChdir .message
DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser on ftp
DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog off
# Logging for the anonymous transfers
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth
Comments
Submitted by andreychek on Sun, 01/22/2012 - 15:54 Comment #1
Howdy -- well, I don't know what might have changed to cause that error -- it could be another proftpd config file that loaded that module may have changed.
However, since it's complaining about that VRootEngine line, I'd try commenting it out and then restarting ProFTPd.
Submitted by steve@itgroup.net.au on Sun, 01/22/2012 - 22:47 Pro Licensee Comment #2
Yes, I can (and have) done that - and yes, it starts. However, that does not chroot users to their own directories - which is dangerous. Can you supply the default proftpd.conf file contents from a Virtualmin install and I can check what is different - or advise otherwise? Thank you!
Submitted by steve@itgroup.net.au on Sun, 01/22/2012 - 22:48 Pro Licensee Comment #3
I just did that - Proftpd starts, but when I try to ftp (using a multitude of usernames) - I cannot logon?
Submitted by JamieCameron on Sun, 01/22/2012 - 23:01 Comment #4
That's odd, as Virtualmin and Webmin never set the VRootEngine directive ..
Which ProFTPd package version are you using exactly?
Submitted by andreychek on Sun, 01/22/2012 - 23:06 Comment #5
Whenever installing ProFTPd, Virtualmin doesn't make any changes from the default config.
Also, when enabling directory restrictions, Virtualmin doesn't use the VRootEngine parameter; instead, it sets the "DefaultRoot" parameter.
"However, that does not chroot users to their own directories - which is dangerous."
Well, we disagree, for the reasons described here:
https://www.virtualmin.com/documentation/security/faq
A user can simply upload a PHP-based filemanager, or use SSH, to gain access to files they have rights to view. So the key is to make sure that users don't have rights to view files they shouldn't be able to see, or to use containers such as VPS's to fully restrict them.
However, we appreciate that folks wish to provide restrictions for FTP users anyhow :-)
What you may want to do is verify that in Limits and Validation -> FTP Directory Restrictions, that a home directory restriction is still enabled.
As far as not being able to login via FTP -- what errors do you see in /var/log/secure when attempting to log in?
Submitted by steve@itgroup.net.au on Sun, 01/22/2012 - 23:16 Pro Licensee Comment #6
Thank you for your reply. I don't mind either way - I just want it to work! I have tried nine different (known working) logons - and all fail.
/var/log/secure shows "(Login failed): Incorrect password." for all of them.
please advise.
Submitted by steve@itgroup.net.au on Mon, 01/23/2012 - 20:42 Pro Licensee Comment #7
any update on this please - no one can logon - please HELP !!
Submitted by andreychek on Mon, 01/23/2012 - 20:46 Comment #8
Well, one of the keys might be the question Jamie had asked above -- what ProFTPd version are you using there?
You can determine that by running this command:
rpm -qa | grep proftpd
Submitted by steve@itgroup.net.au on Mon, 01/23/2012 - 20:52 Pro Licensee Comment #9
sorry, missed that one...
proftpd-1.3.4a-1.el6.rf.i686
is what it shows.
Submitted by andreychek on Mon, 01/23/2012 - 21:08 Comment #10
That may be your problem -- that's a package from a non-standard repository, the RPMForge repository.
It looks like someone had enabled that repository on your system, and ProFTPd was pulled in from it.
We don't know anything about ProFTPd from that repository, or how it would work with your current configuration, and it's likely that's related to the problems you're having.
Our recommendation would be to disable the RPMForge repository, and then reinstall the version of ProFTPd that comes with Virtualmin.
You can download the i386 version of the CentOS 6 ProFTPd RPM with this command:
wget http://software.virtualmin.com/gpl/centos/6/i386/proftpd-1.3.3e-1.el6.i686.rpm
After you download it, you can install it with this command:
rpm -Uvh --oldpackage proftpd-1.3.3e-1.el6.i686.rpm
Submitted by steve@itgroup.net.au on Mon, 01/23/2012 - 21:13 Pro Licensee Comment #11
done - and fixed - thank you !!!!!
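
A pre-restart check for the failure in this thread, added here as an example (it is not from any poster or from Virtualmin): it reports active proftpd.conf directives whose module is neither in the `proftpd -l` compiled-in list nor loaded with LoadModule. The directive-to-module map is the example's own and covers only module families that appear in the posted configuration; the sample files are constructed.

```shell
#!/bin/sh
# Added example: find proftpd.conf directives that the installed ProFTPD
# build cannot parse because the providing module is absent.

# Map a directive to its module. Only modules that appear in the posted
# config are covered; anything else is treated as a core directive.
module_for() {
  case "$1" in
    VRoot*)   echo mod_vroot.c ;;
    Ban*)     echo mod_ban.c ;;
    TLS*)     echo mod_tls.c ;;
    AuthPAM*) echo mod_auth_pam.c ;;
  esac
}

# missing_modules CONF MODLIST
#   CONF    path to proftpd.conf
#   MODLIST file holding the output of `proftpd -l` (compiled-in modules)
missing_modules() {
  conf=$1 mods=$2
  # Modules pulled in as DSOs by active LoadModule lines.
  loaded=$(awk '$1 == "LoadModule" { print $2 }' "$conf")
  # Skip blank lines, comments and <Section> tags; emit "lineno directive".
  awk 'NF && $1 !~ /^[#<]/ { print NR, $1 }' "$conf" |
  while read -r lineno dir; do
    mod=$(module_for "$dir")
    [ -n "$mod" ] || continue
    grep -qwF -- "$mod" "$mods" && continue
    printf '%s\n' "$loaded" | grep -qxF -- "$mod" && continue
    echo "line $lineno: $dir needs $mod"
  done
}

# Constructed sample: a config excerpt and a module list without mod_vroot.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '# constructed sample' 'ServerName "FTP"' 'VRootEngine on' \
    'DefaultRoot ~ !adm' 'AuthPAMConfig proftpd' 'LoadModule mod_ban.c' \
    'BanEngine on' > "$d/proftpd.conf"
  printf '%s\n' 'Compiled-in modules:' '  mod_core.c' '  mod_auth_pam.c' \
    > "$d/modules.txt"
  missing_modules "$d/proftpd.conf" "$d/modules.txt"
  rm -rf "$d"
}
demo
```

On a real host, save `proftpd -l` to a file and pass it with /etc/proftpd.conf after any package update; `proftpd -t` then confirms the whole file parses.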