ProFTPd with SSL/TLS && FXP



hawk23
20.11.08, 22:59
hello again!

I have a problem with "Secure Site-To-Site Transfer" between 2 servers.
As soon as I try to FXP something directly from one server to the other, the following error appears (in the FlashFXP debug window):



[L] PASV
[L] 227 Entering Passive Mode (*,*,*,*,181,215).
[L] Opening data connection IP: *.*.*.*PORT: *****
[L] LIST -al
[L] Connected. Negotiating SSL session..
[L] 150 Opening ASCII mode data connection for file list
[L] SSL negotiation successful...
[L] SSL encrypted session using cipher DHE-RSA-AES256-SHA (256 bits)
[L] 226 Transfer complete.
[L] List Complete: 113 bytes in 0,50 seconds (0,2 KB/s)
[R] TYPE I
[R] 200 Type set to I
[L] TYPE I
[L] 200 Type set to I
[R] CPSV
[R] 500 CPSV not understood
Secure site to site transfers not supported by this ftp server
[L] Transfer Failed!
1 File failed to transfer
Server Error, Aborted


The funny thing is, from server3 it works flawlessly to push data to server2 and server1, as well as to receive from either of the two.
server4 can also push data to server2, e.g. server2 to server4.
At the same time, server4 can also connect site-to-site to server1 without errors.

Only server1 and server2 have something against each other. What could be the cause?

I have already tried various FlashFXP settings (once with the checkbox in front of "Secure-Site-To-Site Transfers" checked, once unchecked); none of it helped.


Here are the configs of both servers:

server1:


#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off

ServerName "proftpd name"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

DenyFilter \*.*/

# FXP ENABLED!
AllowForeignAddress On

# Port 21 is the standard FTP port.
Port 21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User proftpd
Group nogroup

# A basic anonymous configuration, no upload directories
<Directory /home/ftp/data/*>
<Limit READ WRITE>
AllowAll
</Limit>
</Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
#</Directory>


RequireValidShell off

DefaultRoot ~

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 000 000
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd off

# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
# UseSendFile off

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

#TLS
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd_tls.log
#TLSProtocol TLSv1
TLSProtocol SSLv23
TLSRequired on
TLSVerifyClient off
TLSRSACertificateFile /etc/proftpdcert/host.cert
TLSRSACertificateKeyFile /etc/proftpdcert/host.key
</IfModule>

<IfModule mod_quota.c>
QuotaEngine on
</IfModule>

<IfModule mod_ratio.c>
Ratios on
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>



Server2:


#
# Includes required DSO modules. This is mandatory in proftpd 1.3
#
Include /etc/proftpd/modules.conf

#
# For more information about ProFTPD configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
#ServerType standalone
ServerType standalone
DefaultServer on
<Global>
AllowForeignAddress on
DefaultRoot ~ psacln
AllowStoreRestart on
AllowOverwrite on
</Global>
DefaultTransferMode binary
UseFtpUsers on

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# The following part of this config file was generated by PSA automatically.
# Any changes in this part will be overwritten by the next manipulation
# of the Anonymous FTP feature in the PSA control panel.

# The Include directive should point to the place where the FTP virtual host
# configurations are kept

ScoreboardFile /var/run/proftpd_scoreboard

# Primary log file must be outside of the system logrotate province

TransferLog /opt/psa/var/log/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off

AuthGroupFile /etc/group

Include /etc/proftpd.include

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
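A small log analyzer, added here and not part of the original post, FlashFXP or ProFTPD: it parses a FlashFXP debug transcript like the one quoted above, pairs every numeric reply with the last command sent on the same side ([L]/[R]), reports which command was rejected, flags a 5xx reply to CPSV (or SSCN, the equivalent command other servers implement) as "secure FXP unsupported", and computes the data port advertised in the 227 reply so it can be compared against a PassivePorts range or firewall rule. The sample transcript is constructed from the post's log.

```python
import re

# Constructed sample input: the FlashFXP debug transcript quoted in the post
# (addresses masked by the poster), embedded here so the script runs offline.
SAMPLE_LOG = """\
[L] PASV
[L] 227 Entering Passive Mode (*,*,*,*,181,215).
[L] LIST -al
[L] Connected. Negotiating SSL session..
[L] 150 Opening ASCII mode data connection for file list
[L] 226 Transfer complete.
[R] TYPE I
[R] 200 Type set to I
[L] TYPE I
[L] 200 Type set to I
[R] CPSV
[R] 500 CPSV not understood
Secure site to site transfers not supported by this ftp server
"""

LINE_RE = re.compile(r"^\[(?P<side>[LR])\] (?P<text>.*)$")  # [L]/[R] = left/right server
REPLY_RE = re.compile(r"^(?P<code>\d{3})[ -](?P<msg>.*)$")  # numeric FTP reply
PASV_RE = re.compile(r"\((?:[^,]+,){4}(\d+),(\d+)\)")        # h1,h2,h3,h4,p1,p2 in a 227 reply
# Commands FlashFXP echoes verbatim (uppercase); anything else is client status text.
FTP_VERBS = {"PASV", "CPSV", "SSCN", "TYPE", "LIST", "RETR", "STOR", "PORT", "PROT", "PBSZ"}

def analyze(log: str) -> dict:
    result = {"failures": [], "passive_ports": [], "secure_fxp_unsupported": False}
    last_cmd = {"L": None, "R": None}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # FlashFXP summary lines carry no side tag
        side, text = m.group("side"), m.group("text")
        reply = REPLY_RE.match(text)
        if reply is None:
            verb = text.split(" ", 1)[0]
            if verb in FTP_VERBS:
                last_cmd[side] = verb
            continue
        code, msg = int(reply.group("code")), reply.group("msg")
        if code == 227 and (p := PASV_RE.search(msg)):
            # Advertised data port = p1*256 + p2; check it against PassivePorts/firewall.
            result["passive_ports"].append(int(p.group(1)) * 256 + int(p.group(2)))
        if code >= 400:
            result["failures"].append((side, last_cmd[side], code, msg))
            # CPSV/SSCN ask a server to negotiate TLS on the FXP data connection;
            # a 5xx reply means that server cannot do secure site-to-site at all.
            if last_cmd[side] in ("CPSV", "SSCN") and code // 100 == 5:
                result["secure_fxp_unsupported"] = True
    return result
```

Run it on the transcript of each server pair that fails; if the rejected command is always CPSV on the same server, that server's mod_tls simply does not implement the command, independent of the FlashFXP checkbox.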