Unable to login over FTP: 421 Service not available, remote server has closed connection

Created:

2016-12-21 19:18:36 UTC

Modified:

2017-08-08 13:18:43 UTC

0

Was this article helpful?


Have more questions?

Submit a request

Unable to login over FTP: 421 Service not available, remote server has closed connection

Symptoms

  1. Unable to connect to FTP. The following error is displayed:

    530 Login incorrect.
    Login failed.
    421 Service not available, remote server has closed connection
    
  2. SELinux is running in enforcing mode.

  3. SELinux policy Plesk component is installed.

  4. In /var/log/messages the following error can be seen:

    chroot to '/var/www/vhosts/example.com' failed for user 'user': Permission denied
    error: unable to set DefaultRoot directory
    FTP session closed. 
    
  5. In /var/log/audit/audit.log the following error can be seen:

    type=AVC msg=audit(1482428585.108:134): avc:  denied  { net_admin } for  pid=2652 comm="in.proftpd" capability=12  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
    

Cause

SELinux is preventing Proftpd from using the 'net_admin' capabilities.

Resolution

  1. Install setroubleshoot-server package:

    # yum install setroubleshoot-server
    
  2. Restart audit daemon.

    # service auditd restart
    
  3. Run the following command to find sealert UUID:

    # cat /var/log/messages |grep "/usr/sbin/proftpd" | grep 'sealert'
    
    ser129 setroubleshoot: SELinux is preventing /usr/sbin/proftpd from using the net_admin capability. For complete SELinux messages. run sealert -l 5d0aa9f8-8845-4a4d-8773-25286efb3c7a
  4. Run the command found in previous step:

    # sealert -l 5d0aa9f8-8845-4a4d-8773-25286efb3c7a
    Plugin catchall (100. confidence) suggests
    You can generate a local policy module to allow this access.
    To allow this access for now by executing:
    ausearch -c 'in.proftpd' --raw | audit2allow -M my-inproftpd
    semodule -i my-inproftpd.pp
  5. Follow the instructions from previous step to solve the issue:

    # ausearch -c 'in.proftpd' --raw | audit2allow -M my-inproftpd
    # semodule -i my-inproftpd.pp
Have more questions? Submit a request
Please sign in to leave a comment.