Proftpd/mod_wrap refuses ipv6 connections
by jayjwa from LinuxQuestions.org on (#6N69K)
I noticed proftpd was refusing connections via ipv6, no matter what was written in the libwrap files. The logs are full of ip addresses and host names, but the important part is this:
Code:
2024-05-29 12:55:21,756 server proftpd[31859] (2603:x:x:x::1[2603:x:x:x::1]): mod_wrap/1.2.4: using access files: /etc/hosts.allow, /etc/hosts.deny
2024-05-29 12:55:21,756 server proftpd[31859] (2603:x:x:x::1[2603:x:x:x::1]): mod_wrap/1.2.4: checking under service name 'proftpd'
2024-05-29 12:55:26,986 server proftpd[31859] (2603:x:x:x::1[2603:x:x:x::1]): mod_wrap/1.2.4: refused connection from 2603:x:x:x::1

The behaviour is seen when starting proftpd with "-6", allowing ipv6 connections. If you force it to ipv4 only ("-4") clients can connect. If your system prefers ipv6, it will always try that first and get denied.
While trying to find the problem, I found this: https://proftp-user.narkive.com/BPfJ...not-ipv6-aware
It looks like proftpd's mod_wrap has always had some problems (important line:
Quote:
## wrap2 - note: wrap(1) denies hosts that don't reverse DNS lookup, so have to use wrap2
) possibly related to ipv6 hostname resolution. mod_wrap2, which is an entirely different module, does not have this issue. Suggesting rebuild with mod_wrap2 rather than mod_wrap.
This line in the proftpd.SlackBuild file:
Code:
PROFTPD_MODS="mod_radius:mod_ban:mod_readme:mod_ratio:mod_tls:mod_wrap2:mod_wrap2_file:mod_ctrls_admin:mod_quotatab:mod_quotatab_file:mod_sftp:mod_facl:mod_ldap"

Sample config code to allow for either use:
Code:
<ifModule mod_wrap.c>
  TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
  TCPAccessSyslogLevels info warn
  TCPServiceName proftpd
</ifModule>
<ifModule mod_wrap2.c>
  <ifModule mod_wrap2_file.c>
    WrapTables file:/etc/hosts.allow file:/etc/hosts.deny
  </ifModule>
  WrapAllowMsg "libwrap sez: Look'in good."
  WrapDenyMsg "libwrap sez: Hit the road, Jack (%u)"
  WrapEngine on
  WrapLog /var/log/proftpd/proftpd.log
  WrapServiceName proftpd
</ifModule>

There's no longer an issue with ipv6 connections:
Code:
2603:x:x:x:x:x:x:e04 UNKNOWN - [29/May/2024:13:16:09 -0400] "USER anonymous" 331 -
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: using 'file:/etc/hosts.allow' for allow table
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: using 'file:/etc/hosts.deny' for deny table
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: looking under service name 'proftpd'
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: checking access rules for connection
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: checking allow table rules
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: table daemon list:
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: proftpd
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: table client list:
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: ALL
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: daemon matches 'proftpd'
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: comparing client hostname '2603:x:x:x:x:x:x:e04' against ALL
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: client matches 'ALL'
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: allowed connection from anonymous@2603:x:x:x:x:x:x:e04

Code:
220 ProFTPD Server (FTP [ATr2 -*- RG] Service) [2603:x:x:x::1]
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> user anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-libwrap sez: Look'in good.
230 Request accepted, aaaayyyy.
ftp> ls
200 EPRT command successful
150 Opening BINARY mode data connection for file list
drwxr-xr-x 5 root root 101 Sep 15 2023 pub
drwxr-xr-x 2 ftp ftp 6 May 10 17:01 atr2-upload
226 Transfer complete
ftp> bye
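
Added example, not part of the original post and not ProFTPD's own code: a small log check for the symptom described above, tallying mod_wrap/mod_wrap2 verdict lines by address family so that a family which is only ever refused stands out. It parses only the "refused connection from" and "allowed connection from" line shapes shown in the post; the sample log is constructed, using documentation addresses, and the function names are made up for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the two log formats shown in the post; the
# addresses are documentation ranges (2001:db8::/32, 192.0.2.0/24), not real hosts.
SAMPLE_LOG = """\
2024-05-29 12:55:26,986 server proftpd[31859] (2001:db8::1[2001:db8::1]): mod_wrap/1.2.4: refused connection from 2001:db8::1
2024-05-29 12:56:02,101 server proftpd[31860] (2001:db8::2[2001:db8::2]): mod_wrap/1.2.4: refused connection from 2001:db8::2
2024-05-29 12:57:40,412 server proftpd[31861] (192.0.2.7[192.0.2.7]): mod_wrap/1.2.4: checking under service name 'proftpd'
2024-05-29 13:16:15,518 mod_wrap2/2.0.7[14249]: allowed connection from anonymous@2001:db8::e04
2024-05-29 13:17:03,220 mod_wrap2/2.0.7[14250]: allowed connection from anonymous@192.0.2.7
"""

# Module name and version, the verdict word, an optional "user@", then the client.
VERDICT = re.compile(
    r"(?P<module>mod_wrap2?)/[\d.]+\S*:\s+"
    r"(?P<verdict>refused|allowed) connection from (?:\S+@)?(?P<client>\S+)$"
)


def family(client):
    """Return 'ipv4', 'ipv6', or 'name' when the client is not a literal address."""
    try:
        return "ipv%d" % ipaddress.ip_address(client).version
    except ValueError:
        return "name"


def tally(log_text):
    """Count (module, family, verdict) triples; non-verdict lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = VERDICT.search(line.strip())
        if m:
            counts[(m["module"], family(m["client"]), m["verdict"])] += 1
    return counts


def blocked_families(counts):
    """(module, family) pairs refused at least once and never seen allowed in this log."""
    refused = {(mod, fam) for (mod, fam, v) in counts if v == "refused"}
    allowed = {(mod, fam) for (mod, fam, v) in counts if v == "allowed"}
    return sorted(refused - allowed)


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    print(dict(counts), blocked_families(counts))
```

A pair such as ('mod_wrap', 'ipv6') in the result means every logged IPv6 verdict from that module was a refusal, which is worth comparing against what /etc/hosts.allow and /etc/hosts.deny are supposed to permit.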