You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have proftpd server running with mod_sftp to be able to do sftp. We have a number of clients running jobs to send data to this proftpd server. However, we have noticed that we are getting a lot of random disconnects from the proftpd server. The client uses phpseclib and returns messages like:
Connection closed by server
No data received from server
Error reading from socket
This happens randomly and we are not able to steadily reproduce this. We have already tested everything on the network, which is all fine. Below are also log file output from the proftpd server. We are not able to see any more logs than the ones below:
2023-06-20 11:42:57,730 [435265] <ssh2:8>: verified public key for user xxxx
2023-06-20 11:42:57,734 [435265] <ssh2:19>: waiting for max of 600 secs while polling socket 1 for writing using select(2)
2023-06-20 11:42:57,734 [435265] <ssh2:3>: sent SSH_MSG_USER_AUTH_SUCCESS (52) packet (48 bytes)
2023-06-20 11:42:57,735 [435265] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2023-06-20 11:42:57,740 [435265] <ssh2:20>: SSH2 packet len = 28 bytes
2023-06-20 11:42:57,740 [435265] <ssh2:20>: SSH2 packet padding len = 8 bytes
2023-06-20 11:42:57,740 [435265] <ssh2:20>: SSH2 packet payload len = 19 bytes
2023-06-20 11:42:57,740 [435265] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2023-06-20 11:42:57,740 [435265] <ssh2:20>: SSH2 packet MAC len = 32 bytes
2023-06-20 11:42:57,740 [435265] <ssh2:19>: waiting for max of 600 secs while polling socket 0 for reading using select(2)
2023-06-20 11:42:57,740 [435265] <ssh2:3>: received SSH_MSG_CHANNEL_DATA (94) packet
2023-06-20 11:42:57,740 [435265] <ssh2:8>: unable to handle data for channel ID 1: Permission denied
2023-06-20 11:42:57,740 [435265] <ssh2:9>: disconnecting (Application error) [at packet.c:1633]
2023-06-20 11:42:57,740 [435265] <ssh2:19>: waiting for max of 5 secs while polling socket 1 for writing using select(2)
2023-06-20 11:42:57,740 [435265] <ssh2:3>: sent SSH_MSG_DISCONNECT (1) packet (80 bytes)
What I Expected/Wanted
We want our jobs to not fail because of disconnects and more information on what unable to handle data for channel ID 1: Permission denied and disconnecting (Application error) [at packet.c:1633] mean or ways on how to troubleshoot this further.
ProFTPD Version and Configuration
Please help us reproduce the problem/issue you are encountering. To do this,
we need to know which version of ProFTPD you are using, how it was built, etc. The following command is an easy way to get all of this information:
In addition, we need to see all of the ProFTPD configuration files you are
using (minus any sensitive information like passwords, of course). Armed
with the version and configuration data, then, we can set up ProFTPD locally
using the same configuration, and see what happens.
This is the config of our sftp:
<VirtualHost HOST IP>
Include /etc/proftpd/users.d/HOSTIP_22.conf
ServerName "Name"
ServerIdent on "FTP server ready"
ServerAdmin Name
Port 22
DisplayLogin welcome.msg
PathDenyFilter \.ftp[a-z]+$
<IfModule mod_sftp.c>
SFTPEngine on
SFTPLog /data/logs/proftpd/sftp/sftp.log
SFTPHostKey /etc/proftpd/ssl/ssh_host_rsa_key
SFTPHostKey /etc/proftpd/ssl/ssh_host_ecdsa_key
# Note that this option first appeared in proftpd-1.3.6rc1.
#InsecureHostKeyPerms false
SFTPClientMatch WinSCP|ClientSftp sftpProtocolVersion 1-3
SFTPCompression delayed
SFTPClientMatch ".*XFB.*" sftpProtocolVersion 1-3 channelWindowSize 256MB
SFTPClientMatch ".*SecureBlackbox.*" sftpProtocolVersion 1-3
</IfModule>
Umask 0006 0007
DeleteAbortedStores on
MaxClientsPerHost 45
MaxLoginAttempts 6
DefaultRoot ~
AllowOverwrite on
TimesGMT off
TransferLog /data/logs/proftpd/sftp/HOSTIP_22_xferlog
ExtendedLog /data/logs/proftpd/sftp/HOSTIP_22_commands.log all
WtmpLog off
<Limit WRITE>
DenyUser Name
DenyGroup readonly
</Limit>
</VirtualHost>
The text was updated successfully, but these errors were encountered:
In this code path, we have received a CHANNEL_DATA SSH message from the client. Each channel is identified by a number, which is provided to the client, by the server (mod_sftp) in response to a CHANNEL_OPEN request from the client. A CHANNEL_DATA SSH message, then, provides the channel ID, and the payload of data for that channel.
Under what conditions would we log "unable to handle data for channel N: Permission denied", though? The only way that happens is if this condition is reached:
Here, we are looking up the channel context/info for the channel ID that the client provided. If we don't have any currently open channels, though, we return the EACCES error ("Permission denied"). This indicates that, for some reason, the client is sending us a CHANNEL_DATA message for a channel that we've never seen/opened. And that is very confusing.
Do you perhaps have a load balancer in front of your ProFTPD, such that there are several different servers/processes, and a given client might connect to a different server over its lifetime? Or maybe the client opens multiple concurrent SFTP connections via threads, and the thread state is getting mixed up?
Thanks for your investigation so far. I'm working together with @robbevaes2 to troubleshoot this issue on our stack.
Do you perhaps have a load balancer in front of your ProFTPD, such that there are several different servers/processes, and a given client might connect to a different server over its lifetime?
No, we're using a standalone ProFTPD server.
Or maybe the client opens multiple concurrent SFTP connections via threads, and the thread state is getting mixed up?
Client does open multiple concurrent connections, but from different processes. We have about 50-60 clients simultaneously doing this from multiple (10) processes each.
What I Did
We have proftpd server running with mod_sftp to be able to do sftp. We have a number of clients running jobs to send data to this proftpd server. However, we have noticed that we are getting a lot of random disconnects from the proftpd server. The client uses phpseclib and returns messages like:
Connection closed by server
No data received from server
Error reading from socket
This happens randomly and we are not able to steadily reproduce this. We have already tested everything on the network, which is all fine. Below are also log file output from the proftpd server. We are not able to see any more logs than the ones below:
What I Expected/Wanted
We want our jobs to not fail because of disconnects and more information on what unable to handle data for channel ID 1: Permission denied and disconnecting (Application error) [at packet.c:1633] mean or ways on how to troubleshoot this further.
ProFTPD Version and Configuration
Please help us reproduce the problem/issue you are encountering. To do this,
we need to know which version of ProFTPD you are using, how it was built,
etc. The following command is an easy way to get all of this information:
In addition, we need to see all of the ProFTPD configuration files you are
using (minus any sensitive information like passwords, of course). Armed
with the version and configuration data, then, we can set up ProFTPD locally
using the same configuration, and see what happens.
This is the config of our sftp:
The text was updated successfully, but these errors were encountered: