From: TJ S. <tj...@ca...> - 2015-02-04 18:31:33
> We are seeing strange log entries recently:
>
> proftpd[31071]: 192.168.22.104 - Fatal: unable to open incoming connection: Transport endpoint is not connected
>
> This happens when we scan the server with "nmap -sT SERVER" from a fast
> client, it does however not happen when being scanned from a slow client
> or a virtual machine.
>
> Other software (i.e. https://zeromq.jira.com/browse/LIBZMQ-585 or
> https://code.google.com/p/pyftpdlib/issues/detail?id=100) say that this
> is a kind of race condition "since the connection is closing before we
> can get the peername with getpeername()" and only nmap or similar
> software is able to close the TCP connection so fast.

That's correct. A TCP connection is established very briefly; by the time proftpd gets around to retrieving information on the TCP peer, the connection has closed.

> The customer thinks that the performance of the server is affected (i.e.
> normal clients fail to establish a session) when being scanned

This is not the case; the performance of proftpd is not affected by connections such as the above.

> 1: As this is a fatal error, our logs are filled with it - we seem to be scanned very often recently.
> Is there a way to prevent this from being logged at all?

This particular error is indeed NOT fatal. It happens to fall into the general error handling case at that point in the proftpd code. Could you file a bug report, on bugs.proftpd.org, to address this? It will be relatively easy to handle in a much better manner (i.e. by ignoring that particular error, and possibly others in a similar vein).

> 2: Does it affect client limits by IP? I assume this in a very early
> stage of the protocol handshake and thus no client address is even
> present to work on with mod_limit/mod_ban/..

Correct. If you see the "unable to open incoming connection" log message, the session lifecycle will not yet have reached the point of calling out to any modules.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To believe in something, and not to live, is dishonest.
  -Mahatma Gandhi
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
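
Added example, not part of the message above and not proftpd's own code: a sketch of the handling the reply suggests, where a failed getpeername() on a just-accepted socket is split into "client already gone" (dropped with a debug-level note) and real failures. The names admit_connection, lookup_peer and peer_vanished are hypothetical, and treating ECONNRESET and ECONNABORTED like ENOTCONN is an assumption about which errors are "in a similar vein".

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { ADMIT = 0, DROPPED_QUIETLY = 1, FAILED = -1 };

/* Errors that only mean the client left before we looked at it.
 * ENOTCONN is the one in the log line; the other two are assumed siblings. */
static int peer_vanished(int err) {
    return err == ENOTCONN || err == ECONNRESET || err == ECONNABORTED;
}

/* Returns 0 and fills *peer on success, otherwise the errno value. */
static int lookup_peer(int fd, struct sockaddr_storage *peer) {
    socklen_t len = sizeof(*peer);
    return getpeername(fd, (struct sockaddr *)peer, &len) == 0 ? 0 : errno;
}

/* Decide what to do with a socket returned by accept(). */
int admit_connection(int fd) {
    struct sockaddr_storage peer;
    int err = lookup_peer(fd, &peer);

    if (err == 0)
        return ADMIT;                      /* peer known: start the session */
    if (peer_vanished(err)) {
        /* Expected under fast connect scans: note it at debug level only. */
        fprintf(stderr, "debug: client closed before peer lookup: %s\n",
                strerror(err));
        close(fd);
        return DROPPED_QUIETLY;
    }
    fprintf(stderr, "error: unable to open incoming connection: %s\n",
            strerror(err));
    close(fd);
    return FAILED;
}

int main(void) {
    int sv[2];
    /* Constructed inputs: a never-connected TCP socket stands in for a peer
     * that has vanished; a socket pair stands in for a live client. */
    int idle = socket(AF_INET, SOCK_STREAM, 0);
    if (idle < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    printf("vanished peer -> %d\n", admit_connection(idle));
    printf("live peer     -> %d\n", admit_connection(sv[0]));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```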