ProFTPd - Cannot login at all, constant 530 error

linux ftp proftpd

I cannot for whatever reason connect/login either via FTP client or command line to my FTP server. I'm using Webmin and ProFTPd. I have setup a user, with a simple password as part of the ftp group with /sbin/nologin as the shell path. Logs only say "FTP connection opened" and "FTP connection closed". The passive ports I've specified are open on the firewall.

It's as if the password isn't right, but it is. Here's my proftpd.conf file:

# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

DefaultRoot ~
ServerName          "ProFTPD server"
ServerIdent         on "FTP Server ready."
ServerAdmin         root@localhost
ServerType standalone
#ServerType         inetd
DefaultServer           off
AccessGrantMsg          "User %u logged in."
#DisplayConnect         /etc/ftpissue
#DisplayLogin           /etc/ftpmotd
#DisplayGoAway          /etc/ftpgoaway
DeferWelcome            off

# Use this to excude users from the chroot
DefaultRoot         ~ !adm

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig           proftpd
AuthOrder           mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups            off
UseReverseDNS off

# Port 21 is the standard FTP port.
Port                21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask               022

# Default to show dot files in directory listings
ListOptions         "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228       off
#RootLogin          off
#LoginPasswordPrompt        on
#MaxLoginAttempts       3
#MaxClientsPerHost      none
#AllowForeignAddress        off # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart        on
AllowStoreRestart       on

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Set the user and group that the server normally runs at.
User                ftp
Group               ftp

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile         no

# This is where we want to put the pid file
ScoreboardFile          /var/run/proftpd.score

# Normally, we want users to do a few things.
<Global>
  AllowOverwrite        yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
PassivePorts 64000 64321
RequireValidShell off
</Global>

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine          on
#TLSRequired            on
#TLSRSACertificateFile      /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile   /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite         ALL:!ADH:!DES
#TLSOptions         NoCertRequest
#TLSVerifyClient        off
##TLSRenegotiate        ctrl 3600 data 512000 required off timeout 300
#TLSLog             /var/log/proftpd/tls.log

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#<IfModule mod_dso.c>
#   LoadModule mod_sql.c
#   LoadModule mod_sql_mysql.c
#   LoadModule mod_sql_postgres.c
#</IfModule>

# A basic anonymous configuration, with an upload directory.
#<Anonymous ~ftp>
#  User             ftp
#  Group                ftp
#  AccessGrantMsg       "Anonymous login ok, restrictions apply."
#
#  # We want clients to be able to login with "anonymous" as well as "ftp"
#  UserAlias            anonymous ftp
#
#  # Limit the maximum number of anonymous logins
#  MaxClients           10 "Sorry, max %m users -- try again later"
#
#  # Put the user into /pub right after login
#  #DefaultChdir            /pub
#
#  # We want 'welcome.msg' displayed at login, '.message' displayed in
#  # each newly chdired directory and tell users to read README* files. 
#  DisplayLogin         /welcome.msg
#  DisplayFirstChdir        .message
#  DisplayReadme            README*
#
#  # Some more cosmetic and not vital stuff
#  DirFakeUser          on ftp
#  DirFakeGroup         on ftp
#
#  # Limit WRITE everywhere in the anonymous chroot
#  <Limit WRITE SITE_CHMOD>
#    DenyAll
#  </Limit>
#
#  # An upload directory that allows storing files but not retrieving
#  # or creating directories.
#  <Directory uploads/*>
#    AllowOverwrite     no
#    <Limit READ>
#      DenyAll
#    </Limit>
#
#    <Limit STOR>
#      AllowAll
#    </Limit>
#  </Directory>
#
#  # Don't write anonymous accesses to the system wtmp file (good idea!)
#  WtmpLog          off
#
#  # Logging for the anonymous transfers
#  ExtendedLog      /var/log/proftpd/access.log WRITE,READ default
#  ExtendedLog      /var/log/proftpd/auth.log AUTH auth
#
#</Anonymous>

Enter in shell as root

vi /etc/passwd

find your username, and on the end of line see: /bin/false

change to:

/bin/bash

and solve it!

(or any one displayed in: vi /etc/shells)

Now ftp is working in your own user.


I think that listing invalid shells like /sbin/nologin as valid ones is not the proper way to go (they have been removed on purpose), and neither is allowing the FTP users to log in to the system when they should not be allowed to do so.

IMHO the best way to go is to simply configure ProFTPD not to require a valid shell for the FTP users.

Simply add the directive RequireValidShell off to section in your proftpd.conf and reload/restart ProFTPD.

<Global>
...
RequireValidShell off
</Global>

In case you are using PAM authentication in your ProFTPD (you probably are since it's on by default), you might also need to disable the requirement for valid shell in PAM settings. In my case, I had to comment out the below line from my ProFTPD's PAM config file (/etc/pam.d/proftpd)

#auth       required     pam_shells.so

Related

What do I need to do to prevent exploitation of my postfix server?
White Screen - PHP 7 on Ubuntu 16.04 fails to render scripts
Apache SSL New Domain Redirect
How to make Apache output packets through a certain network interface when connected to VPN?
Logwatch: Ignore certain IPs for SSH & PAM checks?
Make an arbitrary Linux application use a specific IP address for outbound connections
What to use for a hostname on a dedicated Linux server?
Apache SSL error after reboot: Error 107 (net::ERR_SSL_PROTOCOL_ERROR)
Creating Dovecot Master users/passwords doesn't work
DNS on Plesk VDS and godaddy [closed]
What firewall rules should be used for a home based system [closed]
How to remotely initiate netinstall of CentOS 7?