Hi there,
Websites using Vaultpress on a Virtualmin server are unable to use this Wordpress plug-in/service because Vaultpress claims that one or more of their IP addresses are being blocked. We are not blocking those IP addresses on the server, and currently Fail2ban is not working; additionally, I have no reason to believe that the data centre (Linode) is blocking them either, therefore this reason seems more like an excuse to me from Vaultpress.
FTPS works fine with Filezilla (and apparently Transit, as tested by someone from Vaultpress). The TLS certificate is a legitimate and valid wildcard, but the certificate is not the cause of the problem anyway, according to Vaultpress.
I'd have to consult my notes to remember exactly how I configured FTPS, but in my mind this is a pretty standard FTPS configuration.
Any idea on what might be causing this problem or how to investigate it some more? Thanks.
Craig
Comments
Submitted by craigh on Sun, 06/12/2016 - 15:02 Pro Licensee Comment #1
Submitted by andreychek on Sun, 06/12/2016 - 15:22 Comment #2
Howdy -- I'm unfortunately not familiar with VaultPress. However, Virtualmin wouldn't be causing anything to be blocked... it doesn't do any sort of IP address blocking by default.
You might want to disable any firewall on your server though, just to be sure that isn't causing a problem. You can see if there are any active firewall rules by running "iptables -L -n".
And you're right, it's unlikely that Linode would be blocking them, though if you get stuck you could always ask them just in case there's been some kind of problem with their network in the past.
One thing you could always try is to see if you can access their servers from your own server, using tools such as ping, mtr, or links.
The instructions provided by Vaulpress here offer some input on general troubleshooting of connectivity issues, though you may have gone through this already:
https://help.vaultpress.com/connection-issues/
Submitted by craigh on Sun, 06/12/2016 - 17:27 Pro Licensee Comment #3
Hi Eric,
Thanks for your reply. Yes, done everything in the Vaultpress troubleshooting list, and there are no IPs listed in iptables at all.
Didn't think that a default Virtualmin installation would cause the problem, but thought I'd ask in case you or someone had seen this before.
Craig
Submitted by andreychek on Mon, 06/13/2016 - 08:43 Comment #4
What service is Vaultpress trying to connect to... is it just FTPS?
And is Vaultpress support saying they can't communicate with your server at all (such as with a ping)? Or are they saying it's just FTPS they're seeing an issue with?
Submitted by craigh on Wed, 06/15/2016 - 17:45 Pro Licensee Comment #5
Hi Eric,
It's just FTPS they're trying to connect to and having problems with.
Turns out the cause and solution is described on Stack Overflow. Waiting for Vaultpress to get back to me with a permanent solution that doesn't involve overriding ProFTPD's more secure default.
Craig
Submitted by craigh on Thu, 06/16/2016 - 19:07 Pro Licensee Comment #6
Hi again,
Just a further update on this issue for those who may be interested in the future. As mentioned in the link in my last update, this is caused by an issue in PHP FTP. There is an open PHP bug about the issue that was opened almost a year ago, and the developer at Vaultpress/Wordpress/Automattic that I have been in contact with added a new -- and the only -- comment on the issue two days ago as a result of my interaction with them.
As mentioned in the link in my last update, downgrading the default security in ProFTPD (which is also the default in vsftpd) allows Vaultpress to work. I was hoping that this would be a temporary security downgrade but, to quote Vaultpress support, "There is some discussion around us submitting a patch for this but, unfortunately, this is a low priority issue for us at this time. We are looking into possibly just patching this on our end. If that does happen, we will let you know. Otherwise, we are [at] the whim of the PHP community at this point for the most stable solution." (Emphasis mine.) I have strongly criticised Automattic in my reply about not patching this issue themselves or implementing a workaround (non-PHP if necessary), given that (a) Vaultpress is a paid service, (b) there are only (as far as I know, as I don't use Vaultpress myself) three or four connection options available (FTPS, SFTP, FTP and [I'm guessing possibly] rsync), and (c) that I've always assumed that Automattic is probably a significant contributor to the PHP codebase.
TL;DR: This will continue to be an issue for some time, one way or the other, requiring server administrators to lower their security for the foreseeable future if they want to interact with a PHP-based FTP service such as Vaultpress.
Craig
Submitted by andreychek on Thu, 06/16/2016 - 20:23 Comment #7
Thanks for the update!
What option are they requiring you to set in the ProFTPd config in order to get it working?
Also, is using SFTP an option in your case? That might be a secure way of doing things, that would also bypass using ProFTPd.
Submitted by craigh on Thu, 06/16/2016 - 20:45 Pro Licensee Comment #8
Hi Eric,
Thanks for your interest. The option, as detailed at Stack Overflow, is to set ...
TLSOptions NoSessionReuseRequired... in the mod_tls configuration.
Yes, I suppose I could allow SFTP but, as I believe is documented in my other support tickets here, I find the revealing of the entire server's file system to unprivileged users (without significant effort to prevent that) to be a major issue. Others say it's not an issue, especially if all file permissions on several thousand OS files are flawlessly set, and others say that the FTP jail/chroot is not much of a deterrent to a skilled cracker anyway, and they're probably both right. But to me the SFTP option is a significant cosmetic issue that reveals far too much for my liking to curious users who are not otherwise inclined to try and break out of an FTP jail.
To be clear, I don't believe ProFTPD is the issue here; according to my reading, they (and vsftpd) seem to be doing FTPS right and in a secure fashion. It's PHP that is behind here, and Vaultpress (or at least the customer service "happiness engineer" drones rather than their "code wrangler" developer/programmer counterparts) are being very slow to realise that there is an issue here that they need to address with their own systems to use FTPS in a fully secure manner.
Craig
Submitted by craigh on Sun, 09/18/2016 - 07:31 Pro Licensee Comment #9
I should update this ticket with the resolution from a week or two ago.
To make a long story short, despite my earlier criticism of Automattic, they seem to have been the driving force behind getting this PHP bug addressed and fixed. So this is no longer an issue, and now FTPS works with PHP-based FTP(S) using the default ProFTPD configuration.
Craig
Submitted by craigh on Sun, 09/18/2016 - 07:31 Pro Licensee Comment #10