Chapter 16. Common Problems

"inet_create_connection() failed: Operation not permitted".

You aren't starting ProFTPD as root, or you have inetd configured to run ProFTPD as a user other than root. The ProFTPD daemon must be started as root in order to bind to tcp ports lower than 1024, or to open your shadow password file when authenticating users. The daemon switches uid/gids to the user and group specified by the User/Group directives during normal operation, so a `ps' will show it running as the user you specified.

"bind: unable to bind to port"

Proftpd is unable to take control of port 21 (or whatever port has been defined) at startup. This is normally down to one of two reasons.

Clash with inetd

Proftpd has been configured to in standalone mode but inetd hasn't been reconfigured to not provide the ftp service. Ensure that the line starting with "ftp" has been removed or commented out and send a SIGHUP to the inetd process.

Another copy of Proftpd is running

Check the process listing for the server to ensure that another proftpd process is not already running. If it is either kill this process or send the master daemon a SIGHUP to make it reload it's configuration if desired.

"Fatal: Socket operation on non-socket"

You have ProFTPD configured to run in inetd mode rather than standalone. In this mode, ProFTPD expects that it will be run from the inetd super-server, which implies that stdin/stdout will be sockets instead of terminals. As a result, socket operations will fail and the above error will be printed. If you wish to run ProFTPD from the shell, in standalone mode, you'll need to modify your proftpd.conf configuration file and add or edit the ServerType directive to read:

ServerType standalone

I'm having problems with FTP clients behind firewalls

The FTP Specification defines that two sockets should be used for all communications. The first runs over port 21 and is the control channel over which all commands and response codes are sent. Whenever data is required to be transfered, for example for a file download, a directory listing etc etc. A second channel is created on demand, this socket can take one of two forms.


The server end of the data socket uses port 20. This is nice and easy to work into a firewall configuration.


The port at either end is dynamically allocated. This is virtually impossible to cater for in a firewall configuration given that the port mapping will be different for every data connection.

The solution is to force the users to configure their clients to use the non-passive mode (ie port 20)

Can I run more that one VirtualHost on a single IP?

No, or at least not in the HTTP/1.1 manner of virtual hosting. This is an inbuilt limitation of the current FTP RFC., unlike the HTTP/1.1 spec there is no mechanism comparable to the "Host:" HTTP header for specifying which host the connection is for. Therefore the only method for determining which VirtualHost the connection is destined for is by the destination IP.

The one exception to this is if you host multiple servers on the same IP but using different ports, however this requires that the connecting client uses a non-standard port and therefore is probably not a good solution for mass hosting.

Is there anything in the pipeline to fix this?

There is a draft standard with the IETF which extends and improves on the FTP specification including support for a HOST command. However given that the IP crunch is coming from websites and not virtual ftp servers this is unlikely to be pushed through any time soon.

How do I run ProFTPD from inetd?

Find the line in /etc/inetd.conf that looks something like this: " ftp stream tcp nowait root in.ftpd in.ftpd"

Replace it with: " ftp stream tcp nowait root in.proftpd in.proftpd"

Then, find your inetd process in the process listing and send it the SIGHUP signal so that it will rehash and reconfigure itself. You may also need to add in.ProFTPD to hosts.allow on your system.

Can I use tcp-wrappers with ProFTPD?

Yup. Although ProFTPD has built-in IP access control (see the Deny and Allow directives), many admins choose to consolidate IP access control in one place via in.tcpd. Just configure ProFTPD to run from inetd as any other tcp-wrapper wrapped daemon and add the appropriate lines to hosts.allow/deny files.

Can I run an FTP server on a non-standard port?

Yes. Use a <VirtualHost> block with your machine's FQDN (Fully Qualified Domain Name) or IP address, and a Port directive inside the <VirtualHost> block. For example, if your host is named "" and you want to run an additional FTP server on port 2001, you would: ... <VirtualHost> Port 2001 ... </VirtualHost>

Can control upload/download ratios?

Yes the mod_ratio module provides for doing just this.

The ratio directives take four numbers: file ratio, initial file credit, byte ratio, and initial byte credit. Setting either ratio to 0 disables that check.

The directives are HostRatio (matches FQDN, wildcards allowed), AnonRatio (matches password entered at login), UserRatio (accepts "*" for 'any user'), and GroupRatio.

Ratios on                                    # enable module
UserRatio ftp 0 0 0 0
HostRatio 0 0 0 0          # leech access (default)
GroupRatio proftpd 100 10 5 100000           # 100:1 files, 10 file cred
5:1 bytes, 100k byte cred
AnonRatio 1 0 1 0        # 1:1 ratio, no credits
UserRatio * 5 5 5 50000                      # special default case

This example is for someone who (1) has downloaded 1 file of 82k, (2) has uploaded nothing, (3) has a ratio of 5:1 files and 5:1 bytes, (4) has 4 files and 17k credit remaining, and (5) is now changing directory to /art/nudes/young/carla. The initial credit, not shown, was 5 files and 100k (UserRatio * 5 5 5 100000).

Version 2.0 and above of this module integrate with mod_sql.

Limitations of mod_ratio

It appears that the ratio limits in mod_ratio are only maintained on a per session basis and there is no ongoing tracking of usage.

Slow logins

This is probably caused by a firewall or DNS timeout. By default ProFTPD will try to do both DNS and ident lookups against the incoming connection. If these are blocked or excessively delayed a slower than normal login will result. To turn off DNS and ident use: UseReverseDNS off IdentLookups off

Lots of "FTP session closed" messages

Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.

The above log extract is likely to be caused by a local monitoring system or a particularly aggressive DoS attack. Most service monitoring systems try opening the ftp port on the target server to detect whether it is active and running. Most of the time these tests are followed by an immediate "QUIT" or disconnection.

TCPdump/TCPshow on the server in question should show which machine on your network is is generating these connections.

How do I see who is connected?

The ftpwho command lists the state of each ftp connection to the server and what it's current activity is. However this does not detail the connection information on a virtual by virtual basis.

Can I force ProFTPD to listen on only one IP?

Sort, of it's not quite as clean as the socket binding under Apache but the principle works something like this.

Standalone mode

To listen on the primary IP of a host Use the SocketBindTight directive To listen on a interfaces which are not the primary host interface Use the SocketBindTight directive, place your server configuration in a <VirtualHost> block and use "Port 0" for the main host configuration and and "Port 21" inside the VirtualHost block.


There are two approaches possible, the first is to use the patch from Daniel Roesen <> (check the mailing list archives).

The second method is to run ProFTPD from xinetd (, a more advanced replacement of inetd. An entry for this in xinetd.conf would be something like this:

Example 16-1. xinetd configuration

service ftp
        flags           = REUSE
        socket_type     = stream
        instances       = 50
        wait            = no
        user            = root
        server          = /usr/sbin/proftpd
        bind            = <the-ip-you-wish-to-bind-to>
        log_on_success  = HOST PID
        log_on_failure  = HOST RECORD

How do I shutdown the server without killing proftpd?

ftpshut, allows the server to disallow connections with a message without actually taking down the service. The shutdown can be scheduled for a point in the future or right now, existing connections can be allowed to finish, or be terminated now. Re-enabling is done by removing the /etc/shutmsg file.

Is is possible to shutdown a single VirtualHost?

No, the shutmsg file works at a daemon level not at a virtual host level.

Unable to resolve IP

This is not normally a problem with proftpd, but with the configuration of the hosting server or the DNS servers it relies on. The error message simply means the daemon was unable to map the hostname given in the configuration to an IP address. Check the /etc/resolv.conf (or equivalent) and the spelling of the hostname in the proftpd.conf file, also try tools such as nslookup to check the behaviour of the local DNS servers.