[BlueOnyx:25274] Re: New install 5210R and the FTP not working.

Michael Stauber mstauber at blueonyx.it
Mon Dec 27 10:20:21 -05 2021


Hi Mon Chan,

> I tried to install the new BlueOnyx server 5210R, and the FTP service is not
> working on the public side. After disabling the firewall, same issue.
> 
> Logged in to SSH as root:
> 1. FTP to 127.0.0.1 as admin or a vsite user works fine.
> 2. FTP to the public internet interface, show the error message: 421
> Service not available, remote server has closed connection (file
> firewalls allow 20:21 port and stop the firewall is same issue)
> 3. The log messages show a denial due to the GeoIP filter/policy. I cannot find any
> setting in the GUI, and installing the new server again gives the same issue.
> Dec 27 22:11:30 bx01 proftpd[5035]: 2021-12-27 22:11:30,251
> bx01.xxx.com.hk <http://bx01.xxx.com.hk> proftpd[11551] ip1 (ip1[ip1]):
> mod_geoip/0.9: Connection denied to ip1 due to GeoIP filter/policy
> Dec 27 22:11:30 bx01 proftpd[5035]: 2021-12-27 22:11:30,251
> bx01.xxx.com.hk <http://bx01.xxx.com.hk> proftpd[11551] ip1 (ip1[ip1]):
> mod_geoip.c: error initializing session: Permission denied
> Dec 27 22:11:30 bx01 proftpd[5035]: 2021-12-27 22:11:30,252
> bx01.xxx.com.hk <http://bx01.xxx.com.hk> proftpd[11551] ip1 (ip1[ip1]):
> FTP session closed.
> 4. I checked /etc/proftpd.conf; this module is loaded by proftpd.
> #LoadModule mod_geoip.c
> and with GeoIPEngine set to off, it can log in.
> 
> So is this a wrong setting, or am I missing something?


This does indeed look like GeoIP is blocking your connections. Here are
the relevant sections dealing with GeoIP in /etc/proftpd.conf:

LoadModule mod_geoip.c

  # GeoIP:
  GeoIPEngine                   on
  GeoIPLog                      /var/log/proftpd/geoip.log
  GeoIPTable                    /usr/share/GeoIP/GeoIP.dat MemoryCache UTF8
  GeoIPDenyFilter CountryCode (AE|BG|BY|CN|HK|IN|IR|KP|MN|MM|MK|ME|MD|PH|PK|PS|RO|RS|RU|SG|SI|SK|SY|TH|TJ|TM|TR|TW|UA|UZ|VE|VN)

If GeoIP reports that your connecting IP is from one of the listed
countries, then your connection will be blocked.

You can check this from the shell this way:

geoiplookup <your-IP>

As you can see, "HK" is in the list, so that would explain it. Either
remove "HK" from the list, or set "GeoIPEngine" to "off" and you should
be fine again.

-- 
With best regards

Michael Stauber
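
The check described in the reply above, as an added shell example that is not part of the original message or of BlueOnyx: it tests a country code, as reported by geoiplookup, against the GeoIPDenyFilter CountryCode pattern in a proftpd.conf. The sample config and the geoiplookup output line are constructed, the function names are hypothetical, and other mod_geoip directives are not evaluated.

```shell
#!/bin/sh
# Added example (not BlueOnyx code). Assumes one
# "GeoIPDenyFilter CountryCode <regex>" directive per line.

# Constructed sample config, built from the directives quoted in the reply.
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule mod_geoip.c
  # GeoIP:
  GeoIPEngine                   on
  GeoIPTable                    /usr/share/GeoIP/GeoIP.dat MemoryCache UTF8
  GeoIPDenyFilter CountryCode (AE|BG|BY|CN|HK|IN|IR|KP|MN|MM|MK|ME|MD|PH|PK|PS|RO|RS|RU|SG|SI|SK|SY|TH|TJ|TM|TR|TW|UA|UZ|VE|VN)
EOF
}

# Extract the two-letter code from geoiplookup output read on stdin,
# e.g. "GeoIP Country Edition: HK, Hong Kong". Prints nothing if unresolved.
country_from_geoiplookup() {
    sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p'
}

# Exit 0 if country code $2 matches a CountryCode deny filter in config $1
# while GeoIPEngine is on; exit 1 otherwise (including an empty code).
geoip_would_deny() {
    [ -n "$2" ] || return 1
    awk -v cc="$2" '
        /^[[:space:]]*#/ { next }                 # skip commented-out directives
        $1 == "GeoIPEngine" { engine = tolower($2) }
        $1 == "GeoIPDenyFilter" && $2 == "CountryCode" && cc ~ $3 { hit = 1 }
        END { exit !(engine == "on" && hit) }
    ' "$1"
}

# Demo on the constructed config and a constructed geoiplookup output line.
conf=$(mktemp)
write_sample_conf "$conf"
cc=$(printf 'GeoIP Country Edition: HK, Hong Kong\n' | country_from_geoiplookup)
if geoip_would_deny "$conf" "$cc"; then
    echo "$cc: denied by GeoIPDenyFilter"
else
    echo "$cc: not matched by GeoIPDenyFilter"
fi
rm -f "$conf"
```

On a live server the same functions can be fed with `geoiplookup <your-IP> | country_from_geoiplookup` and `/etc/proftpd.conf`.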


