FTP Usage is showing incorrect information

Hi Team,

Could you please assist with the following?

Despite the fact I temporarily fully disabled FTP access from 0.0.0.0/0 to my HestiaCP web panel yesterday morning, the FTP Usage widget still reports one connection:

This FW rule has been applied to the VCN protecting my HestiaCP web panel and it definitely works.

The way I see this is that this widget should report 0.00 connections instead of 1.00 but perhaps I’m incorrect.

Can you please explain this?

Thanks in advance.

What do your logs say?

Hi Linkp,

Thanks for your swift reply.

I’m using proftp and, upon checking, the log file seems to be empty:

Anything else to check?

Thanks.

Regards.

Does anyone have any hints? This behaviour is not correct.

Hestia uses this command to check active ftp connections:

ps aux | grep "$FTP_SYSTEM" | grep -v grep | grep -v nobody | grep -v root | wc -l

In your case $FTP_SYSTEM is proftpd:

ps aux | grep "proftpd" | grep -v grep | grep -v nobody | grep -v root | wc -l

I don’t know what happened but tls.log has activity at the same time of the 2 connections shown in your screenshot.


Hi @sahsanu,

Thanks for your help.

Well this is the content of the /var/log/proftpd/tls.log from October 15th, 2024 (and nothing else):

2024-10-15 00:28:39,490 mod_tls/2.9[76551]: TLS/TLS-C requested, starting TLS handshake
2024-10-15 00:28:40,510 mod_tls/2.9[76551]: TLSv1.3 connection accepted, using cipher TLS_CHACHA20_POLY1305_SHA256 (256 bits)
2024-10-15 00:28:40,510 mod_tls/2.9[76551]: SSL_shutdown error: SSL:
  (1) error:0A000126:SSL routines::unexpected eof while reading
  (2) error:0A000197:SSL routines::shutdown while in init
2024-10-15 02:07:11,080 mod_tls/2.9[89627]: TLS/TLS-C requested, starting TLS handshake
2024-10-15 02:07:11,121 mod_tls/2.9[89627]: unable to accept TLS connection: protocol error:
  (1) error:0A000102:SSL routines::unsupported protocol
2024-10-15 02:07:11,121 mod_tls/2.9[89627]: TLS/TLS-C negotiation failed on control channel
2024-10-15 04:33:08,826 mod_tls/2.9[111089]: TLS/TLS-C requested, starting TLS handshake
2024-10-15 04:33:09,893 mod_tls/2.9[111089]: client supports secure renegotiations
2024-10-15 04:33:09,893 mod_tls/2.9[111089]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits)
2024-10-15 07:12:41,107 mod_tls/2.9[134736]: TLS/TLS-C requested, starting TLS handshake
2024-10-15 07:12:41,119 mod_tls/2.9[134736]: unable to accept TLS connection: protocol error:
  (1) error:0A000102:SSL routines::unsupported protocol
2024-10-15 07:12:41,119 mod_tls/2.9[134736]: TLS/TLS-C negotiation failed on control channel
2024-10-15 16:06:33,474 mod_tls/2.9[260588]: TLS/TLS-C requested, starting TLS handshake
2024-10-15 16:06:33,783 mod_tls/2.9[260588]: client supports secure renegotiations
2024-10-15 16:06:33,783 mod_tls/2.9[260588]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits)
2024-10-15 16:06:33,929 mod_tls/2.9[260588]: SSL_shutdown error: SSL:
  (1) error:0A000126:SSL routines::unexpected eof while reading
  (2) error:0A000197:SSL routines::shutdown while in init
2024-10-15 16:38:20,605 mod_tls/2.9[264674]: TLS/TLS-C requested, starting TLS handshake
2024-10-15 16:38:20,868 mod_tls/2.9[264674]: unable to accept TLS connection: protocol error:
  (1) error:0A000102:SSL routines::unsupported protocol
2024-10-15 16:38:20,868 mod_tls/2.9[264674]: TLS/TLS-C negotiation failed on control channel
2024-10-15 19:24:49,522 mod_tls/2.9[306342]: TLS/TLS-C requested, starting TLS handshake
2024-10-15 19:24:50,498 mod_tls/2.9[306342]: TLSv1.3 connection accepted, using cipher TLS_CHACHA20_POLY1305_SHA256 (256 bits)
2024-10-15 19:24:50,499 mod_tls/2.9[306342]: SSL_shutdown error: SSL:

Additional info (please note that the hostname has been changed for privacy reasons):

root@undisclosed:/home/ubuntu# FTP_SYSTEM="proftpd"
root@undisclosed:/home/ubuntu# echo $FTP_SYSTEM
proftpd
root@undisclosed:/home/ubuntu# ps aux | grep "$FTP_SYSTEM" | grep -v grep | grep -v nobody | grep -v root | wc -l
1

root@undisclosed:/home/ubuntu# ps aux | grep "$FTP_SYSTEM"
proftpd     1492  0.0  0.0  18380  5208 ?        SLs  Dec07   0:01 proftpd: (accepting connections)
root      205910  0.0  0.0   6412  1920 pts/1    S+   09:59   0:00 grep --color=auto proftpd

root@undisclosed:/home/ubuntu# netstat -ntlupa | grep :20
root@undisclosed:/home/ubuntu# netstat -ntlupa | grep :21
tcp6       0      0 :::21                   :::*                    LISTEN      1492/proftpd: (acce

Meanwhile nothing has changed on the web UI (not cached) and today the number of reported active FTP connections is still 1:

Any further help is welcome.

Thanks.

The problem is this:

Even without active connections, the ps aux command used by Hestia always shows one process. As I don’t use ProFTPD, I’m not sure how active connections appear in the ps aux command, but you can fix this by editing the file /usr/local/hestia/bin/v-update-sys-rrd-ftp.

Add this:

if [[ "$FTP_SYSTEM" == "proftpd" ]];then
    a=$((a-1))
fi

In context:

# Parsing data
if [ "$period" = 'daily' ]; then
        a=0
        a=$(ps aux | grep "$FTP_SYSTEM" | grep -v grep | grep -v nobody \
                | grep -v root | wc -l)
        if [[ "$FTP_SYSTEM" == "proftpd" ]];then
                a=$((a-1))
        fi
        # Updating rrd database
        rrdtool update $RRD/ftp/ftp.rrd N:$a
fi
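
An added example, not part of the original post or of Hestia's code: one way to count sessions that skips the ProFTPD listener by its process title instead of subtracting one, so the result is also 0 when the daemon is stopped. The function names, the sample listing and the session title format are assumptions; only the "(accepting connections)" line comes from the thread.

```sh
#!/bin/sh
# Added example (not Hestia's code): count FTP sessions from a process listing
# while skipping the ProFTPD listener. Input is "user args..." lines on stdin,
# e.g. from:  ps -eo user= -o args=

count_ftp_sessions() {
    # $1 = daemon name, the value Hestia keeps in $FTP_SYSTEM
    awk -v daemon="$1" '
        # Same owners the Hestia pipeline filters out, but matched on the
        # user column only instead of anywhere in the line.
        $1 == "root" || $1 == "nobody"       { next }
        # The daemon name must be in the command itself, so another user
        # running "grep proftpd" is not counted.
        index($2, daemon) == 0               { next }
        # The ProFTPD master carries this title (see the ps output in the
        # thread); it is a listener, not a client connection.
        index($0, "(accepting connections)") { next }
        { n++ }
        END { print n + 0 }   # prints 0 on empty input, never a negative number
    '
}

# Constructed sample listing. The first line is the listener from the thread;
# the session titles, users and addresses are made up for illustration.
sample_ps() {
    cat <<'EOF'
proftpd  proftpd: (accepting connections)
alice    proftpd: alice - 203.0.113.10: IDLE
bob      proftpd: bob - 198.51.100.7: RETR backup.tar
root     grep --color=auto proftpd
carol    grep proftpd
EOF
}

# Run against the constructed sample; on a live host pipe the ps command
# from the header comment into count_ftp_sessions "$FTP_SYSTEM" instead.
sample_ps | count_ftp_sessions proftpd
```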

Hi @sahsanu,

Thanks for the time spent on this.

I see what you mean; however, I would have preferred a permanent solution from one of the HestiaCP developers. I can certainly apply this modification but it will probably be erased at the next HestiaCP update.

Anyhow, I will definitely apply this change in my Staging environment and see what happens after the next HestiaCP update. If it survives the update, then I will also apply it in my Production environment.

Regards.

Ivano

Anyhow, I will definitely apply this change in my Staging environment and see what happens after the next HestiaCP update. If it survives the update, then I will also apply it in my Production environment.

It will get reset on every update; the only way to make it permanent is via a PR to the Hestia branch:
