Upgrade Proftpd on CentOS to fix Filezilla connection with FTPS
Written by Ron Bassett   
Thursday, 26 February 2009 22:53
If you have updated Filezilla over the past few months and are using FTPS (SSL/TLS), you may have received this error:

Status: Server did not properly shut down TLS connection
Error: Could not read from transfer socket: ECONNABORTED - Connection aborted
Response: 226 Transfer complete
Error: Failed to retrieve directory listing

Filezilla claims that this is more of a security fix than a bug. That is fine, but since there are so many servers out there using ProFTPD 1.3.1, they should at least have a walkthrough of how to fix this issue. Since I could not find a good walkthrough for a Linux newbie, I decided to make one. I would also like to thank the developers of Filezilla for coding such a great open source FTP client. I prefer it over most paid-for clients.

The easiest way I found to resolve this issue was to upgrade ProFTPD 1.3.1 to 1.3.2. Not only does the new release fix the SSL/TLS session shutdowns ("Server did not properly shut down TLS connection"), it also has a SQL injection vulnerability fix. Since I am by no means a Linux expert, I prefer to use yum when installing and updating applications/programs. The update did cause an issue that I had to resolve, but resolving it actually ended up improving performance. I will also show the fix for that.

My Linux web server is running CentOS 5, so instructions may vary depending on your distro. Starting off, we will need to add some yum repositories. http://www.atomicrocketturtle.com has many different repositories; instructions can be found at http://www.atomicorp.com/channels/

First we need to get the GPG key. All ART packages are signed with GPG. This is to ensure that the packages have not been tampered with.

Install the ART GPG key:

wget http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
rpm --import RPM-GPG-KEY.art.txt

Next we install the archives.

Yum Atomic Archives
CentOS 3 - 5 / RHEL 3 - 5 / Fedora 4 - 8
The Atomic archives are available through the yum package manager for Fedora, RHEL and CentOS. These archives require access to both the vendor's base and update channels; RHEL 3 and RHEL 4 users are therefore recommended to access the atomic archives through up2date.

Automatic configuration
Using Lynx (yum -y install lynx):
lynx -source http://www.atomicorp.com/installers/atomic.sh | sh


Using Wget:
wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

By default the Atomic Rocket Turtle (ART) Testing Repository is commented out in the yum repo file. To do the upgrade we will need to uncomment it.

# cd /etc/yum.repos.d
# vi atomic.repo


# Almost Stable, release candidates for [atomic]
[atomic-testing]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com - (Testing)
mirrorlist = http://www.atomicorp.com/mirrorlist/atomic-testing/centos-5-$basearch
enabled = 1
#priority = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
gpgcheck = 1

Press ESC, then type :wq to save and close the file.
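Since the testing repository is now enabled, it is worth confirming that every enabled section in the repo file still enforces signature checks with the imported key. The following is an added example, not part of the original article: the function names and the [example-unsigned] section are made up for illustration, and the check only looks at the repo file itself, not at the [main] section of yum.conf.

```shell
#!/bin/sh
# Added example (not from the original article): report enabled yum repo
# sections that do not set gpgcheck = 1 and a gpgkey in the repo file itself.
audit_repo_gpg() {
    awk '
    function report() {
        if (name == "" || enabled + 0 != 1) return
        if (gpgcheck + 0 != 1) print name ": gpgcheck is not 1"
        else if (gpgkey == "")  print name ": no gpgkey set"
    }
    /^[ \t]*[#;]/ { next }                 # commented-out settings do not count
    /^[ \t]*\[/ {                          # a new [section] starts
        report()
        name = $0; gsub(/^[ \t]*\[|\].*$/, "", name)
        enabled = 1; gpgcheck = 0; gpgkey = ""   # yum enables a repo by default
        next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "enabled")  enabled  = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey   = val
    }
    END { report() }
    ' "$1"
}

# Constructed sample: the stanza shown above plus a deliberately weak one.
sample_repo() {
    cat <<'EOF'
[atomic-testing]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com - (Testing)
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
gpgcheck = 1

[example-unsigned]
enabled = 1
#gpgcheck = 1
gpgcheck = 0
EOF
}

tmp=$(mktemp) && sample_repo > "$tmp"
audit_repo_gpg "$tmp"      # prints: example-unsigned: gpgcheck is not 1
rm -f "$tmp"
```

On a real server, run audit_repo_gpg against each file in /etc/yum.repos.d; no output means every enabled section sets both gpgcheck = 1 and a gpgkey.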
[root@ip-55-55-55-55 yum.repos.d]# yum update psa-proftpd
Loading "priorities" plugin
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
* utterramblings: www.jasonlitka.com
* update: s2mirror01.prod.sdl2.secureserver.net
* atomic-testing: www.atomicorp.com
* rpmforge: apt.sw.be
* base: s2mirror01.prod.sdl2.secureserver.net
* atomic: www3.atomicorp.com
* addons: s2mirror01.prod.sdl2.secureserver.net
* extras: s2mirror01.prod.sdl2.secureserver.net
utterramblings 100% |=========================| 951 B 00:00
update 100% |=========================| 951 B 00:00
atomic-testing 100% |=========================| 951 B 00:00
rpmforge 100% |=========================| 1.1 kB 00:00
base 100% |=========================| 1.1 kB 00:00
atomic 100% |=========================| 951 B 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
0 packages excluded due to repository priority protections
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package psa-proftpd.i386 0:1.3.2-2.el5.art set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Updating:
psa-proftpd i386 1.3.2-2.el5.art atomic-testing 1.8 M

Transaction Summary
=============================================================================
Install 0 Package(s)
Update 1 Package(s)
Remove 0 Package(s)

Total download size: 1.8 M
Is this ok [y/N]: y
Downloading Packages:
(1/1): psa-proftpd-1.3.2- 100% |=========================| 1.8 MB 00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : psa-proftpd ######################### [1/2]
Cleanup : psa-proftpd ######################### [2/2]

Updated: psa-proftpd.i386 0:1.3.2-2.el5.art
Complete!

Your server should now be updated to ProFTPD 1.3.2. Depending on how your FTP service was previously set up, it may not start. This may be due to an improper ServerType. There are two different types, "inetd" and "standalone". If you receive the error below when trying to start ProFTPD, then this is your problem.

/etc/init.d/proftpd restart
Fatal: Socket operation on non-socket


Inetd Mode
In inetd mode, the proftpd server expects to be started by the inetd (or xinetd) servers. It is these servers, inetd/xinetd, that listen on the FTP port (usually 21) for connection requests, then start proftpd and pass the connection off. This mode is usually best suited for low traffic sites, for sites that do not handle many FTP sessions.

Standalone Mode
In this mode, the proftpd listens for incoming FTP session requests itself, and forks off child processes to handle those requests. This mode is best suited for high traffic, popular sites; the overhead of having to parse the configuration file each time, as is done for inetd-handled sessions, is avoided in this mode. Also, there is no need to change any other configuration files other than the proftpd.conf, for ports, virtual servers, or anything else.

From what I had read, removing the ftp entry from the /etc/inetd.conf file would fix the problem. After an hour of trying to figure out why I didn't have this file, I discovered it does not exist on CentOS, Fedora, and Red Hat servers. Instead, individual configs are split into separate files located in /etc/xinetd.d/


$ cd /etc/xinetd.d/
$ ls
chargen-dgram discard-stream ntalk submission.psa time-stream
chargen-stream echo-dgram poppassd_psa swat
daytime-dgram echo-stream rsync talk
daytime-stream finger smtp_psa tcpmux-server
discard-dgram ftp_psa smtps_psa time-dgram

Open the ftp_psa file and change "disable=no" to "disable=yes"
$ vi ftp_psa
service ftp
{
disable = yes
socket_type = stream
protocol = tcp
wait = no
user = root
instances = UNLIMITED
server = /usr/sbin/in.proftpd
server_args = -c /etc/proftpd.conf
}

Open the proftpd.conf file located at /etc/proftpd.conf. Change ServerType to 'ServerType standalone'
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
ServerType standalone

Reboot the server and your ftp access should be back.
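
A check that the two files edited above agree on who listens on the FTP port, as an added example that is not part of the original article. The function name and messages are made up here, and a missing ServerType line is treated as standalone.

```shell
#!/bin/sh
# Added example (not from the original article): check that the xinetd ftp
# service and ProFTPD's ServerType agree on who listens on the FTP port.
ftp_mode_check() {   # $1 = xinetd service file, $2 = proftpd.conf
    # xinetd treats a service as enabled unless it says "disable = yes".
    xinetd=$(awk -F= '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == "disable" { v = tolower($2); gsub(/[ \t]/, "", v) }
        END { print ((v == "yes") ? "off" : "on") }' "$1")
    # Directive names are matched case-insensitively; the last one seen wins.
    stype=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "servertype" { t = tolower($2) }
        END { print ((t == "") ? "standalone" : t) }' "$2")
    case "$stype/$xinetd" in
        standalone/off) echo "ok: standalone, started by the init script" ;;
        inetd/on)       echo "ok: inetd, started by xinetd only" ;;
        standalone/on)  echo "conflict: ServerType standalone but xinetd still serves ftp"
                        return 1 ;;
        inetd/off)      echo "conflict: ServerType inetd but xinetd ftp is disabled"
                        return 1 ;;
        *)              echo "unknown ServerType: $stype"
                        return 2 ;;
    esac
}

# Constructed sample files mirroring the article's final state.
d=$(mktemp -d)
printf 'service ftp\n{\n\tdisable = yes\n\tserver = /usr/sbin/in.proftpd\n}\n' > "$d/ftp_psa"
printf 'ServerName "ProFTPD"\nServerType standalone\n' > "$d/proftpd.conf"
ftp_mode_check "$d/ftp_psa" "$d/proftpd.conf"
rm -rf "$d"
```

On the server itself the call would be ftp_mode_check /etc/xinetd.d/ftp_psa /etc/proftpd.conf, run before restarting either service.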