We Keep Coding

how to open ejabberd server to public - xmpp

i recently installed ejabberd on Ubuntu 12.04 LTS. I made the necessary configuration and am able to connect using a xmpp client PSI on a different computer using LAN ip. Now I want to allow my ejabberd server to be accessible from the public url, but have been unsuccessful. I have done the following:
Assuming my public domain is example.domain.com and the public IP is 123.123.10.210
opened port 5222 5269 and 5280.
iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p tcp --dport 5280 -j ACCEPT
added the following to my host file:
123.123.10.210 example.domain.com
Allow ubuntu firewall:
sudo ufw allow 5222
sudo ufw allow 5269
sudo ufw allow 5280
Here is my ejabberd.cfg:
%%%
%%% Debian ejabberd configuration file
%%% This config must be in UTF-8 encoding
%%%
%%% The parameters used in this configuration file are explained in more detail
%%% in the ejabberd Installation and Operation Guide.
%%% Please consult the Guide in case of doubts, it is available at
%%% /usr/share/doc/ejabberd/guide.html
%%% This configuration file contains Erlang terms.
%%% In case you want to understand the syntax, here are the concepts:
%%%
%%% - The character to comment a line is %
%%%
%%% - Each term ends in a dot, for example:
%%% override_global.
%%%
%%% - A tuple has a fixed definition, its elements are
%%% enclosed in {}, and separated with commas:
%%% {loglevel, 4}.
%%%
%%% - A list can have as many elements as you want,
%%% and is enclosed in [], for example:
%%% [http_poll, web_admin, tls]
%%%
%%% - A keyword of ejabberd is a word in lowercase.
%%% The strings are enclosed in "" and can have spaces, dots...
%%% {language, "en"}.
%%% {ldap_rootdn, "dc=example,dc=com"}.
%%%
%%% - This term includes a tuple, a keyword, a list and two strings:
%%% {hosts, ["jabber.example.net", "im.example.com"]}.
%%%
%%% ===================================
%%% OVERRIDE OPTIONS STORED IN DATABASE
%%
%% Override global options (shared by all ejabberd nodes in a cluster).
%%
%%override_global.
%%
%% Override local options (specific for this particular ejabberd node).
%%
%%override_local.
%%
%% Remove the Access Control Lists before new ones are added.
%%
%%override_acls.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Options which are set by Debconf and managed by ucf
%% Admin user
{acl, admin, {user, "admin", "localhost"}}.
%% Hostname
{hosts, ["localhost", "example.domain.com"]}.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% =========
%%% DEBUGGING
%%
%% loglevel: Verbosity of log files generated by ejabberd.
%% 0: No ejabberd log at all (not recommended)
%% 1: Critical
%% 2: Error
%% 3: Warning
%% 4: Info
%% 5: Debug
%%
{loglevel, 4}.
%%
%% watchdog_admins: If an ejabberd process consumes too much memory,
%% send live notifications to those Jabber accounts.
%%
%%{watchdog_admins, ["bob#example.com"]}.
%%% ================
%%% SERVED HOSTNAMES
%%
%% hosts: Domains served by ejabberd.
%% You can define one or several, for example:
%% {hosts, ["example.net", "example.com", "example.org"]}.
%%
%% (This option is defined by debconf earlier)
%% {hosts, ["localhost"]}.
%%
%% route_subdomains: Delegate subdomains to other Jabber server.
%% For example, if this ejabberd serves example.org and you want
%% to allow communication with a Jabber server called im.example.org.
%%
%%{route_subdomains, s2s}.
%%% ===============
%%% LISTENING PORTS
%%
%% listen: Which ports will ejabberd listen, which service handles it
%% and what options to start it with.
%%
%5222
{listen,
[
{5222, ejabberd_c2s, [
{access, c2s},
{access, register},
{shaper, c2s_shaper},
{max_stanza_size, 65536},
%%zlib,
starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}
]},
%%
%% To enable the old SSL connection method (deprecated) in port 5223:
%%
%%{5223, ejabberd_c2s, [
%% {access, c2s},
%% {shaper, c2s_shaper},
%% {max_stanza_size, 65536},
%% zlib,
%% tls, {certfile, "/etc/ejabberd/ejabberd.pem"}
%% ]},
%5269
{5269, ejabberd_s2s_in, [
{shaper, s2s_shaper},
{max_stanza_size, 131072}
]},
%% External MUC jabber-muc
%%{5554, ejabberd_service, [
%% {ip, {127, 0, 0, 1}},
%% {access, all},
%% {shaper_rule, fast},
%% {host, "muc.localhost", [{password, "secret"}]}
%% ]},
%% Jabber ICQ Transport
%%{5555, ejabberd_service, [
%% {ip, {127, 0, 0, 1}},
%% {access, all},
%% {shaper_rule, fast},
%% {hosts, ["icq.localhost", "sms.localhost"],
%% [{password, "secret"}]}
%% ]},
%% AIM Transport
%%{5556, ejabberd_service, [
%% {ip, {127, 0, 0, 1}},
%% {access, all},
%% {shaper_rule, fast},
%% {host, "aim.localhost", [{password, "secret"}]}
%% ]},
%% MSN Transport
%%{5557, ejabberd_service, [
%% {ip, {127, 0, 0, 1}},
%% {access, all},
%% {shaper_rule, fast},
%% {host, "msn.localhost", [{password, "secret"}]}
%% ]},
%% Yahoo! Transport
%%{5558, ejabberd_service, [
%% {ip, {127, 0, 0, 1}},
%% {access, all},
%% {shaper_rule, fast},
%% {host, "yahoo.localhost", [{password, "secret"}]}
%% ]},
%% External JUD (internal is more powerful,
%% but doesn't allow to register users from other servers)
%%{5559, ejabberd_service, [
%% {ip, {127, 0, 0, 1}},
%% {access, all},
%% {shaper_rule, fast},
%% {host, "jud.localhost", [{password, "secret"}]}
%% ]},
%5280
{5280, ejabberd_http, [
%%{request_handlers,
%% [
%% {["pub", "archive"], mod_http_fileserver}
%% ]},
%%captcha,
http_bind,
http_poll,
web_admin
]}
]}.
%%
%% max_fsm_queue: Enable limiting of lengths of "message queues"
%% for outgoing connections. Roughly speaking, each message in such
%% queues represents one XML stanza queued to be sent into
%% an output stream it is serving.
%% The default value is an atom 'undefined' which specifies no limiting.
%%
%% When specified globally, this option limits the message queue lengths
%% for all ejabberd_c2s_in and ejabberd_service listeners,
%% as well as for outgoing s2s connections.
%%
%% This option can also be specified as an option for ejabberd_c2s_in
%% and ejabberd_service listeners, in wich case it will override
%% the value of the global option.
%%
{max_fsm_queue, 1000}.
%%
%% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
%% Allowed values are: true or false.
%% You must specify a certificate file.
%%
{s2s_use_starttls, true}.
%%
%% s2s_certfile: Specify a certificate file.
%%
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
%%
%% domain_certfile: Specify a different certificate for each served hostname.
%%
%%{domain_certfile, "example.org", "/path/to/example_org.pem"}.
%%{domain_certfile, "example.com", "/path/to/example_com.pem"}.
%%
%% S2S whitelist or blacklist
%%
%% Default s2s policy for undefined hosts.
%%
%%{s2s_default_policy, allow}.
%%
%% Allow or deny communication with specific servers.
%%
%%{{s2s_host, "goodhost.org"}, allow}.
%%{{s2s_host, "badhost.org"}, deny}.
%%
%% The maximum allowed delay for retry to connect
%% after a failed connection attempt to a remote server, in seconds.
%% The default value is 300 seconds (5 minutes).
%%
%% The reconnection algorythm works like this: if connection fails,
%% ejabberd makes an initial random delay between 1 and 15 seconds,
%% then retries, and if this attempt fails, makes another delay,
%% twice as long as previous. These attempts are performed either
%% until a successful connection is made or until the next calculated
%% delay is greated or equal than the value of s2s_max_retry_delay.
%%
%%{s2s_max_retry_delay, 300}.
%%
%% Outgoing S2S options
%%
%% Preferred address families (which to try first) and connect timeout
%% in milliseconds.
%%
%%{outgoing_s2s_options, [ipv4, ipv6], 10000}.
%%% ==============
%%% AUTHENTICATION
%%
%% auth_method: Method used to authenticate the users.
%% The default method is the internal.
%% If you want to use a different method,
%% comment this line and enable the correct ones.
%%
{auth_method, internal}.
%%
%% Authentication using external script
%% Make sure the script is executable by ejabberd.
%%
%%{auth_method, external}.
%%{extauth_program, "/path/to/authentication/script"}.
%%
%% Authentication using ODBC
%% Remember to setup a database in the next section.
%%
%%{auth_method, odbc}.
%%
%% Authentication using PAM
%%
%%{auth_method, pam}.
%%{pam_service, "pamservicename"}.
%%
%% Authentication using LDAP
%%
%%{auth_method, ldap}.
%%
%% List of LDAP servers:
%%{ldap_servers, ["localhost"]}.
%%
%% Encryption of connection to LDAP servers (LDAPS):
%%{ldap_encrypt, none}.
%%{ldap_encrypt, tls}.
%%
%% Port connect to LDAP server:
%%{ldap_port, 389}.
%%{ldap_port, 636}.
%%
%% LDAP manager:
%%{ldap_rootdn, "dc=example,dc=com"}.
%%
%% Password to LDAP manager:
%%{ldap_password, "******"}.
%%
%% Search base of LDAP directory:
%%{ldap_base, "dc=example,dc=com"}.
%%
%% LDAP attribute that holds user ID:
%%{ldap_uids, [{"mail", "%u#mail.example.org"}]}.
%%
%% LDAP filter:
%%{ldap_filter, "(objectClass=shadowAccount)"}.
%%
%% Anonymous login support:
%% auth_method: anonymous
%% anonymous_protocol: sasl_anon | login_anon | both
%% allow_multiple_connections: true | false
%%
%%{host_config, "public.example.org", [{auth_method, anonymous},
%% {allow_multiple_connections, false},
%% {anonymous_protocol, sasl_anon}]}.
%%
%% To use both anonymous and internal authentication:
%%
%%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}.
%%% ==============
%%% DATABASE SETUP
%% ejabberd uses by default the internal Mnesia database,
%% so you can avoid this section.
%% This section provides configuration examples in case
%% you want to use other database backends.
%% Please consult the ejabberd Guide for details about database creation.
%% NOTE that ejabberd in Debian supports "out of the box"
%% only mnesia (default) and ODBC storage backends.
%% Working with MySQL and PostgreSQL DB backends requires
%% building and installation of the corresponding Erlang modules,
%% not distributed as a part of ejabberd.
%% Refer to /usr/share/doc/ejabberd/README.Debian for details.
%%
%% MySQL server:
%%
%%{odbc_server, {mysql, "server", "database", "username", "password"}}.
%%
%% If you want to specify the port:
%%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}.
%%
%% PostgreSQL server:
%%
%%{odbc_server, {pgsql, "server", "database", "username", "password"}}.
%%
%% If you want to specify the port:
%%{odbc_server, {pgsql, "server", 1234, "database", "username", "password"}}.
%%
%% If you use PostgreSQL, have a large database, and need a
%% faster but inexact replacement for "select count(*) from users"
%%
%%{pgsql_users_number_estimate, true}.
%%
%% ODBC compatible or MSSQL server:
%%
%%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.
%%
%% Number of connections to open to the database for each virtual host
%%
%%{odbc_pool_size, 10}.
%%
%% Interval to make a dummy SQL request to keep alive the connections
%% to the database. Specify in seconds: for example 28800 means 8 hours
%%
%%{odbc_keepalive_interval, undefined}.
%%% ===============
%%% TRAFFIC SHAPERS
%%
%% The "normal" shaper limits traffic speed to 1.000 B/s
%%
{shaper, normal, {maxrate, 1000}}.
%%
%% The "fast" shaper limits traffic speed to 50.000 B/s
%%
{shaper, fast, {maxrate, 50000}}.
%%% ====================
%%% ACCESS CONTROL LISTS
%%
%% The 'admin' ACL grants administrative privileges to Jabber accounts.
%% You can put as many accounts as you want.
%%
%%{acl, admin, {user, "aleksey", "localhost"}}.
%%{acl, admin, {user, "ermine", "example.org"}}.
%%
%% Blocked users
%%
%%{acl, blocked, {user, "baduser", "example.org"}}.
%%{acl, blocked, {user, "test"}}.
%%
%% Local users: don't modify this line.
%%
{acl, local, {user_regexp, ""}}.
%%
%% More examples of ACLs
%%
%%{acl, jabberorg, {server, "jabber.org"}}.
%%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
%%{acl, test, {user_regexp, "^test"}}.
%%{acl, test, {user_glob, "test*"}}.
%%
%% Define specific ACLs in a virtual host.
%%
%%{host_config, "localhost",
%% [
%% {acl, admin, {user, "bob-local", "localhost"}}
%% ]
%%}.
%%% ============
%%% ACCESS RULES
%% Define the maximum number of time a single user is allowed to connect:
{access, max_user_sessions, [{10, all}]}.
%% Maximum number of offline messages that users can have:
{access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
%% This rule allows access only for local users:
{access, local, [{allow, local}]}.
%% Only non-blocked users can use c2s connections:
%{access, c2s, [{deny, blocked},
% {allow, all}]}.
% TODO: Testing. Allow all
{access, c2s, [{allow, all}]}.
%% For all users except admins used "normal" shaper
{access, c2s_shaper, [{none, admin},
{normal, all}]}.
%% For all S2S connections used "fast" shaper
{access, s2s_shaper, [{fast, all}]}.
%% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.
%% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.
%% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.
%% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.
%% No username can be registered via in-band registration:
%% To enable in-band registration, replace 'deny' with 'allow'
% (note that if you remove mod_register from modules list then users will not
% be able to change their password as well as register).
% This setting is default because it's more safe.
%{access, register, [{deny, all}]}.
%TODO: testing. allow registration
{access, register, [{allow, all}]}.
%% By default frequency of account registrations from the same IP
%% is limited to 1 account every 10 minutes. To disable put: infinity
%%{registration_timeout, 600}.
%% Everybody can create pubsub nodes
{access, pubsub_createnode, [{allow, all}]}.
%%
%% Define specific Access rules in a virtual host.
%%
%%{host_config, "localhost",
%% [
%% {access, c2s, [{allow, admin}, {deny, all}]},
%% {access, register, [{deny, all}]}
%% ]
%%}.
%%% ================
%%% DEFAULT LANGUAGE
%%
%% language: Default language used for server messages.
%%
{language, "en"}.
%%
%% Set a different default language in a virtual host.
%%
%%{host_config, "localhost",
%% [{language, "ru"}]
%%}.
%%% =======
%%% CAPTCHA
%%
%% Full path to a script that generates the image.
%% Note that this script must be made executable
%% for the user ejabberd:ejabberd.
%%
%%{captcha_cmd, "/usr/lib/ejabberd/priv/bin/captcha.sh"}.
%%
%% Host part of the URL sent to the user.
%% The port specified must be configured as the "ejabberd_http"
%% listener which must have the "captcha" directive included
%% in its configuration (see the "LISTENING PORTS" section above).
%%
%%{captcha_host, "localhost:5280"}.
%%% =======
%%% MODULES
%%
%% Modules enabled in all ejabberd virtual hosts.
%%
{modules,
[
{mod_adhoc, []},
{mod_announce, [{access, announce}]}, % requires mod_adhoc
{mod_caps, []},
{mod_configure,[]}, % requires mod_adhoc
{mod_admin_extra, []},
{mod_disco, []},
%%{mod_echo, [{host, "echo.localhost"}]},
{mod_irc, []},
%% NOTE that mod_http_fileserver must also be enabled in the
%% "request_handlers" clause of the "ejabberd_http" listener
%% configuration (see the "LISTENING PORTS" section above).
%%{mod_http_fileserver, [
%% {docroot, "/var/www"},
%% {accesslog, "/var/log/ejabberd/access.log"}
%% ]},
{mod_last, []},
{mod_muc, [
%%{host, "conference.#HOST#"},
{access, muc},
{access_create, muc},
{access_persistent, muc},
{access_admin, muc_admin},
{max_users, 500}
]},
%%{mod_muc_log,[]},
{mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
{mod_privacy, []},
{mod_private, []},
{mod_proxy65, [
{access, local},
{shaper, c2s_shaper}
]},
{mod_pubsub, [ % requires mod_caps
{access_createnode, pubsub_createnode},
{pep_sendlast_offline, false},
{last_item_cache, false},
%%{plugins, ["default", "pep"]}
{plugins, ["flat", "hometree", "pep"]} % pep requires mod_caps
]},
{mod_register, [
%%
%% After successful registration, the user receives
%% a message with this subject and body.
%%
{welcome_message, {"Welcome!",
"Welcome to a Jabber service powered by Debian. "
"For information about Jabber visit "
"http://www.jabber.org"}},
%% Replace it with 'none' if you don't want to send such message:
%%{welcome_message, none},
%%
%% When a user registers, send a notification to
%% these Jabber accounts.
%%
%%{registration_watchers, ["admin1#example.org"]},
{access, register}
]},
{mod_roster, []},
%%{mod_service_log,[]},
%%{mod_shared_roster,[]},
{mod_stats, []},
{mod_time, []},
{mod_vcard, []},
{mod_version, []}
]}.
%%
%% Enable modules with custom options in a specific virtual host
%%
%%{host_config, "localhost",
%% [{{add, modules},
%% [
%% {mod_echo, [{host, "mirror.localhost"}]}
%% ]
%% }
%% ]}.
%%% $Id: ejabberd.cfg.example 2497 2009-08-17 20:27:28Z cromain $
%%% Local Variables:
%%% mode: erlang
%%% End:
%%% vim: set filetype=erlang tabstop=8:

Verify that connections really go through to the server.
On an Internet-connected box use telnet, nc or a similar command to verify connecting to well-known ports of your server works. Do
$ telnet 123.123.10.210 5222
and then type in some gibberish and press Enter to send it—you should receive an XML stanza from your server telling you you've sent a malformed stream and indicating a stream closure (to exit telnet session, press Crl-] then enter q and hit Enter).
If this command hangs and then times out or outright fails, you have a network connectivity problem.
When you're checking it's really handy to have an instance of tcpdump running to see if clien't packets come in and replies come out:
# tcpdump -n -i eth0 'tcp and (port 5222 or port 5269)'
(substitute the name of your Internet-connected interface instead of eth0).
You must have a proper DNS setup for your XMPP domain.
That is, if your users have JIDs in example.domain.com, everyone on the Internet should be able to ask their DNS servers about how to contact users with JIDs in that domain using XMPP. This is done using SRV records. The DNS server(s) maintaining the example.domain.com must have two DNS records:
_xmpp-client._tcp.example.domain.com pointing to the host and port of the server accepting client connections (so they should be 123.123.10.210 and 5222).
_xmpp-server._tcp.example.domain.com pointing to the host and port of the server accepting server connections (so they should be 123.123.10.210 and 5269).
More info here.
Run
$ host -t srv _xmpp-client._tcp.gmail.com
$ host -t srv _xmpp-server._tcp.gmail.com
to get some idea about how it should look like.
One more thing to be aware here is that if your server is in a DMZ (not directly connected to Internet but mediated by a NAT device) the firewall setup should be more involved. But before delving into this please check the connectivity as explained above.

Related

Using Ubuntu 18.04 LTS and ProFTPD 1.3.5e.
I have ProFTPD serving FTP on ports 20, 21 and running just fine.
When I add in /etc/proftpd/conf.d/sftp.conf, FTP quits working. When I delete the sftp.conf and restart proftpd, FTP starts working again. I conclude that there is something wrong with this conf file.
Also, I want sftp to accept just a login id and password for authentication. How do I do that? I have looked at the SFTPAuthMethods directive and it looks like if I leave it out then it will allow all authentication methods and that is okay with me.
Here is the sftp.conf file:
<IfModule mod_sftp.c>
SFTPEngine on
Port 2222
SFTPLog /var/log/proftpd/sftp.log
# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
# Enable compression
SFTPCompression delayed
</IfModule>
What should I change to get SFTP running on port 2222 and continue to have FTP running on ports 20 & 21?
Thanks in advance!
Update:
Based on the excellent feedback I have received in the notes, instead of using the sftp.conf file I have above, I added a wrapper and some other configuration parameters and have put that config into the proftpd.conf file. It reads as follows:
<snip>
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
# The SFTP configuration
SFTPEngine on
Port 2222
SFTPLog /var/log/proftpd/sftp.log
Include /etc/proftpd/sql.conf
SFTPAuthMethods password keyboard-interactive hostbased publickey
# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
# Enable compression
SFTPCompression delayed
</VirtualHost>
</IfModule>
So now the server is answering on FTP ports normally and on port 2222. When I attempt to connect to port 2222 using WinSCP, it fails authentication. Here is the sftp.log file snipped that is generated each time I try to connect.
2020-04-21 21:03:50,340 mod_sftp/0.9.9[13017]: sent server version 'SSH-2.0-mod_sftp/0.9.9'
2020-04-21 21:03:50,355 mod_sftp/0.9.9[13017]: received client version 'SSH-2.0-WinSCP_release_5.17.3'
2020-04-21 21:03:50,355 mod_sftp/0.9.9[13017]: handling connection from SSH2 client 'WinSCP_release_5.17.3'
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session key exchange: ecdh-sha2-nistp256
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session server hostkey: ssh-rsa
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session client-to-server encryption: aes256-ctr
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session server-to-client encryption: aes256-ctr
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session client-to-server MAC: hmac-sha2-256
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]: + Session server-to-client MAC: hmac-sha2-256
2020-04-21 21:03:51,285 mod_sftp/0.9.9[13017]: + Session client-to-server compression: none
2020-04-21 21:03:51,285 mod_sftp/0.9.9[13017]: + Session server-to-client compression: none
2020-04-21 21:03:51,957 mod_sftp/0.9.9[13017]: sending acceptable userauth methods: password,keyboard-interactive,hostbased,publickey
2020-04-21 21:03:52,302 mod_sftp/0.9.9[13017]: expecting USER_AUTH_INFO_RESP message, received SSH_MSG_IGNORE (2)
2020-04-21 21:03:52,322 mod_sftp_pam/0.3[13017]: PAM authentication error (7) for user 'test': Authentication failure
For FTP, I am authenticating successfully from a MySQL database. But the last line of the sftp.log file says that PAM authentication failed for my SFTP attempt. I am just trying to authenticate in the WinSCP client with a login and password that come from MySQL. Does that involve PAM authentication?
I think I am getting close!
Thanks in advance!

Here is the full /etc/proftpd/proftpd.conf that accomplishes my goals as stated above.
Note that I am also using mod_sql to provide for authentication via MySQL. So there are other configuration files referenced by this config file but are not listed in this posting.
# cat /etc/proftpd/proftpd.conf
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName "hostname"
# Set to inetd only if you would run proftpd by inetd/xinetd.
# Read README.Debian for more information on proper configuration.
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
DefaultRoot ~
# This line will create the user directories of an FTP user if they successfully authenticate but do not have a user directory.
# See http://www.proftpd.org/docs/howto/CreateHome.html
# CreateHome off|on [<mode>] [skel <path>] [dirmode <mode>] [uid <uid>] [gid <gid>] [homegid <gid>] [NoRootPrivs]
CreateHome on dirmode 750
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534
# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4
# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 50
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on
# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf
#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
# Include other custom configuration files
Include /etc/proftpd/conf.d/
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
# The SFTP configuration
SFTPEngine on
Port 2222
SFTPAuthMethods password
RequireValidShell off
SFTPLog /var/log/proftpd/sftp.log
Include /etc/proftpd/sql.conf
# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
#SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
# Enable compression
SFTPCompression delayed
DefaultRoot ~
</VirtualHost>
</IfModule>
# Time stamp - IP Address - Protocol - User Name - UID - Filename - File Sizeo - Response Time in Milliseconds - Transfer Time in Seconds - Transfer Status - Reason for failure if applicable
# http://www.proftpd.org/docs/modules/mod_log.html#LogFormat
LogFormat custom "%{iso8601} %a %{protocol} %u %{uid} %f %{file-size} %R %T %{transfer-status} %{transfer-failure}"
ExtendedLog /var/log/proftpd/custom.log READ,WRITE custom

The essence of the solution to make it listen on both FTP 21 and SFTP 2222 is to add <VirtualHost 0.0.0.0> section inside of <IfModule mod_sftp.c>:
...
Port 21
...
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0> # << *** this part makes it listen on both 21 above and 2222 below ***
...
Port 2222
...
</VirtualHost> # << closing tag
</IfModule>
(thanks to the original question author and his response, eyeballing two configs I was able to boil it down to this)

whenever I change dovecot config to use 993 IMAPS port instead of standard 143 IMAP, roundcube refuses to work with errormessage:
Connection to storage server failed.
Server Error: Could not connect to localhost:143: Connection refused
Port 143 is not responding since I disabled it and want to use 993 only.
But I can't get roundcube to use this port even though when I configre standardport for IMAP to 993 in "/etc/roundcube/defaults.inc.php":
$config['default_host'] = 'ssl://localhost';
// TCP port used for IMAP connections
$config['default_port'] = 993;
Dovecot version:
ii dovecot-core 1:2.2.27-3+deb9u1 amd64
ii dovecot-imapd 1:2.2.27-3+deb9u1 amd64
ii dovecot-managesieved 1:2.2.27-3+deb9u1 amd64
ii dovecot-sieve 1:2.2.27-3+deb9u1 amd64
Roundcube version:
ii roundcube 1.2.3+dfsg.1-4
ii roundcube-core 1.2.3+dfsg.1-4
ii roundcube-mysql 1.2.3+dfsg.1-4
ii roundcube-plugins 1.2.3+dfsg.1-4
ii roundcube-plugins-extra 1.2.1-20160803
Help would be appreciated.

It was an error within my settings. Because of the certificate u need use the proper hostname and not localhost.
$config['default_host'] = 'ssl://FQDNofhostname';
// TCP port used for IMAP connections
$config['default_port'] = 993;

As a test, I have a local bind instance running:
>netstat -ant | grep LISTEN
tcp 0 0 10.72.186.23:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
...
>nslookup mysubdomain.example.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: mysubdomain.example.com
Address: nn.nn.nn.251
Name: mysubdomain.example.com
Address: nn.nn.nn.249
Name: mysubdomain.example.com
Address: nn.nn.nn.201
Name: mysubdomain.example.com
Address: nn.nn.nn.138
I'm running haproxy 1.6.2 on the same host, with a resolvers section:
resolvers dns
nameserver dns1 127.0.0.1:53
nameserver dns2 10.72.186.23:53
hold valid 10s
It doesn't reject the resolvers section, but doesn't seem to be using it, either. It doesn't show in the stats page, and attempting to add this service command:
server mysubdomain-dev mysubdomain.example.com
causes this error:
>service haproxy restart
* Restarting haproxy haproxy
[ALERT] 322/171813 (10166) : parsing [/etc/haproxy/haproxy.cfg:77] : 'server mysubdomain-dev' : invalid address: 'mysubdomain.example.com' in 'mysubdomain.example.com'
[ALERT] 322/165300 (29751) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 322/165300 (29751) : Fatal errors found in configuration.
The haproxy doc https://cbonte.github.io/haproxy-dconv/configuration-1.6.html indicates this should work.
server <name> <address>[:[port]] [param*]
...
<address> is the IPv4 or IPv6 address of the server. Alternatively, a
resolvable hostname is supported, but this name will be resolved
during start-up. Address "0.0.0.0" or "*" has a special meaning.
Is there some other piece that needs to be added to the haproxy.cfg that activates the resolvers section?

When HAProxy first starts, it attempts to resolve the hostnames of any servers in all the backends to fill the server structures. During this first startup phase, HAProxy uses the OS resolver, i.e. generally the servers defined in your /etc/resolv.conf file.
Only later, when the server's IP addresses are updated during checks, HAProxy uses its internal resolver configuration and its internal DNS resolver.
From your error description, it now seems as if your host itself can not resolve the mysubdomain.example.com hostname. HAProxy will only be able to start if it can resolve the hostnames without an explicit named nameserver. This can be verified with e.g.
dig mysubdomain.example.com

might be you are not specifying the resolvers to use for that server
server mysubdomain-dev mysubdomain.example.com ->
server mysubdomain-dev mysubdomain.example.com resolvers dns

I can't TCP from MATLAB to MATLAB
Server Code:
t = tcpip('192.168.1.14', 8000, 'NetworkRole', 'Server');
set(t, 'InputBufferSize', 900000);
fprintf('waiting for client \n');
fopen(t);
fprintf('client connected');
MATLAB waiting for client when I use fopen(t)
when I'm trying to connect from another PC on the same network I use this Code:
tc = tcpip('192.168.1.14', 8000,'NetworkRole','Client');
fopen(tc)
on the Client PC return no errors after fopen(tc) 'that's mean the Server is working fine
but on the Server PC .. It still waiting for client without detecting the Client and jump to fprintf('client connected');
when I tried both of these codes on the same PC using different versions of MATLAB it worked fine on the server and Client ..
.......
there is another problem there .. I don't need the code to be paused for waiting a client I need
there is no Client:
do something
If client exist do something else
Thank you

I have simple server on OpenShift by Erlang, which creates socket and wait new connections. Local ip for server is 127.10.206.129 and server listens 16000 port.
Code of my server:
-module(chat).
-export ([start/0, wait_connect/2, handle/2]).
start() ->
{ok, ListenSocket} = gen_tcp:listen(16000, [binary, {ip,{127,10,206,129}}]),
wait_connect(ListenSocket, 0).
wait_connect(ListenSocket, Count) ->
io:format("~s~n", ["Wait..."]),
gen_tcp:accept(ListenSocket),
receive
{tcp, _Socket, Packet} ->
handle(Packet, Count),
spawn(?MODULE, wait_connect, [ListenSocket, Count+1]);
{tcp_error, _Socket, Reason} ->
{error, Reason}
end.
Code of my client:
-module(client).
-export ([client/2]).
client(Host, Data) ->
{ok, Socket} = gen_tcp:connect(Host, 16000, [binary]),
send(Socket, Data),
ok = gen_tcp:close(Socket).
send(Socket, <<Data/binary>>) ->
gen_tcp:send(Socket, Data).
Server starts without troubles. I tried run client on my localhost and had error (it tried to connect for time much than timeout:
2> client:client("chat-bild.rhcloud.com", <<"Hello world!">>).
** exception error: no match of right hand side value {error,etimedout}
in function client:client/2 (client.erl, line 4)
I tried this stupid way (although 127.10.206.129 is a incorrect ip, because it's server local ip):
3> client:client({127,10,206,129}, <<"Hello world!">>).
** exception error: no match of right hand side value {error,econnrefused}
in function client:client/2 (client.erl, line 16)
How to do gen_tcp:connect with url?

Only ports 80, 443, 8000, and 8443 are open to the outside world on openshift. You can not connect to other ports on OpenShift from your local workstation, unless you use rhc port-forward command, and that will only work with published ports that are used by cartridges.

Your listen call is limiting the listen interface to 127.10.206.129, but judging from the second client example, your client can't connect to that address. Try eliminating the {ip,{127,10,206,129}} option from your listen call so that your server listens on all available interfaces, or figure out what interface the server name "chat-bild.rhcloud.com" corresponds to and listen only on that interface.