Differences

faq:tcpip [2010/03/08 15:19] digitalman
faq:tcpip [2020/06/01 21:33] (current) – [Rebind] TIME WAIT or CLOSE WAIT - both are indications of the same problem digital man
Line 1: Line 1:
-====== TCP/IP ======+====== TCP/IP Servers and Services ======
  
 Answers to Frequently Asked Questions regarding Synchronet and TCP/IP (the Internet protocol suite). Answers to Frequently Asked Questions regarding Synchronet and TCP/IP (the Internet protocol suite).
Line 11: Line 11:
   * [[#ftp_connect|Why can't users connect to my FTP server]]?    * [[#ftp_connect|Why can't users connect to my FTP server]]? 
   * [[#ftp_nat|Why do FTP clients lock-up or time-out when listing directories or downloading files from my FTP server]]?    * [[#ftp_nat|Why do FTP clients lock-up or time-out when listing directories or downloading files from my FTP server]]? 
 +  * [[#ftp_html|Why won't a web browser render HTML content from my FTP Server]]?
   * [[#bind|Why do some or all of my servers get bind errors when starting or recycling]]?    * [[#bind|Why do some or all of my servers get bind errors when starting or recycling]]? 
   * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]?    * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]? 
 +  * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]?
 +  * [[#ssh_algo|Why do some SSH clients fail to connect to my BBS]]?
 +  * [[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]?
  
 ===== Ports ===== ===== Ports =====
  
-**Question:**\\+:?: **Question:**\\
 What inbound ports do I need to open in my firewall? What inbound ports do I need to open in my firewall?
  
-**Answer:**\\+:!: **Answer:**\\
 Depends on which Synchronet servers and services you wish to make available to Internet clients and which ports you have configured those servers and services to listen on. Depends on which Synchronet servers and services you wish to make available to Internet clients and which ports you have configured those servers and services to listen on.
  
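Review bot: the new index item `[[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]?` is missing a word and should read "How do I resolve ...". The three new anchors `#block_hackers`, `#ssh_algo` and `#ssh_session_key` also need matching sections further down the page; none appear in the hunks shown here, so confirm the new revision actually adds them, otherwise these are dead links.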
Line 27: Line 31:
 |Telnet         |23 |- |For Telnet logins (highly recommended)| |Telnet         |23 |- |For Telnet logins (highly recommended)|
 |SSH         |22 |- |For SecureShell logins (recommended)| |SSH         |22 |- |For SecureShell logins (recommended)|
-|RLogin         |513 |- |Optional for quick-login from RLogin clients (e.g. SyncTerm)| +|RLogin         |513 |- |Optional for quick-login from RLogin clients (e.g. SyncTERM)| 
-|SMTP         |25 |- |Necessary for receiving Internet e-mail and inter-BBS instant messages|+|SMTP         |25 |- |Necessary for receiving Internet e-mail 
 +|Submission     |587 |- |Necessary for users to send Internet e-mail through the BBS from a standard e-mail client| 
 +|Submission/TLS |465 |- |Necessary for users to send Internet e-mail through the BBS from a standard e-mail client using TLS((encrypted communications over TCP))|
 |POP3         |110 |- |Allows BBS users to check their e-mail using standard Internet mail clients (e.g. Outlook Express)| |POP3         |110 |- |Allows BBS users to check their e-mail using standard Internet mail clients (e.g. Outlook Express)|
 +|POP3/TLS       |995 |- |Allows BBS users to check their e-mail using standard Internet mail clients (e.g. Outlook Express) using TLS|
 |FTP         |21 |- |Allows access to the BBS file/download areas using a standard FTP client or web browser| |FTP         |21 |- |Allows access to the BBS file/download areas using a standard FTP client or web browser|
 |HTTP         |80 |- |Required for access to the BBS's web server| |HTTP         |80 |- |Required for access to the BBS's web server|
 +|HTTPS         |443 |- |Required for secure access to the BBS's web server using TLS|
 |NNTP         |119 |- |Allows BBS users to read and post messages using standard news readers/clients| |NNTP         |119 |- |Allows BBS users to read and post messages using standard news readers/clients|
 |Gopher         |70 |- |Archaic protocol allows reading of messages and other BBS info| |Gopher         |70 |- |Archaic protocol allows reading of messages and other BBS info|
 |IRC         |6667 |- |Allows Internet Relay Chat (IRC) clients to connect to your BBS| |IRC         |6667 |- |Allows Internet Relay Chat (IRC) clients to connect to your BBS|
-|Finger         |79 |79 |Allows remote querying of BBS user info, who's online, and other BBS info| +|Finger         |79 | |Allows remote querying of BBS user info, who's online, and other BBS info| 
-|SYSTAT         |11 |11 |Allows remote querying of who's online (aka Active Users)| +|SYSTAT         |11 |11 |Allows remote querying of who's online (aka Active Users) required for [[module:sbbsimsg|inter-BBS instant messaging]]
-|QOTD         |17 |17 |Allows remote querying of the current auto-message (aka Quote Of The Day)+|MSP         |18 |  |Allows incoming [[module:sbbsimsg|inter-BBS instant messages]]| 
-|MSP         |18 |18 |Allows incoming inter-BBS instant messages without SMTP connectivity|+|WS             |1123         |WebSocket Service - to support the [[http://ftelnet.ca|fTelnet web browser-based terminal]] | 
 +|WSS            |11235  |       |WebSocket Secure Service - to support the [[http://ftelnet.ca|fTelnet web browser-based terminal]] over TLS |
  
 Enabling connectivity to Synchronet through your firewall is no different than enabling connectivity to any other TCP/IP server. Follow your firewall documentation for forwarding or opening ports for TCP/IP servers located "behind" the firewall. Your firewall may have the option of placing the entire BBS computer in a "DMZ" (opening all its ports to the public Internet), but doing so is not normally recommended.  Enabling connectivity to Synchronet through your firewall is no different than enabling connectivity to any other TCP/IP server. Follow your firewall documentation for forwarding or opening ports for TCP/IP servers located "behind" the firewall. Your firewall may have the option of placing the entire BBS computer in a "DMZ" (opening all its ports to the public Internet), but doing so is not normally recommended. 
 +
 +[[http://vert.synchro.net/scanmyports.ssjs|This page]] or [[http://cvs.synchro.net/scanmyports.ssjs|this one]] can be used to scan your host (your BBS computer) for open ports and active TCP/IP (including UDP) services. **The password is //sbbs//**.
  
 ===== Private IP ===== ===== Private IP =====
  
-**Question:**\\+:?: **Question:**\\
 How come my friends can't connect to my BBS at my 192.168.x.x, 172.[16-31].x.x, or 10.x.x.x IP address? How come my friends can't connect to my BBS at my 192.168.x.x, 172.[16-31].x.x, or 10.x.x.x IP address?
  
-**Answer:**\\+:!: **Answer:**\\
 The IP address ranges listed above are reserved for use in private networks and are not publicly addressable from the Internet. See [[rfc>1918|this document]] for technical details. The IP address ranges listed above are reserved for use in private networks and are not publicly addressable from the Internet. See [[rfc>1918|this document]] for technical details.
  
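Review bot: the rewritten SMTP row `|SMTP         |25 |- |Necessary for receiving Internet e-mail` lost its closing `|`, and the new SYSTAT row (ending in `...inter-BBS instant messaging]]`) has no closing `|` either; DokuWiki table rows should be terminated with `|` so the following rows render as intended. The Finger and MSP rows now leave the third column empty where the old revision listed a UDP port, which is consistent if that column is UDP, but the column header sits outside this hunk, so check it still matches.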
Line 53: Line 64:
  
 ===== Public IP ===== ===== Public IP =====
-**Question:**\\+:?: **Question:**\\
 What is my public IP address?  What is my public IP address? 
  
-**Answer:**\\+:!: **Answer:**\\
 If you need to know your public IP address, you can usually query your router/firewall device using it's configuration interface (typically via Telnet or HTTP to its private/LAN port) or access [[http://whatismyipaddress.com/|any]] [[http://checkip.dyndns.org/|one]] of [[http://www.whatismyip.com/|many]] public web-sites that can tell you what your public IP address is. However, it is usually much better to advertise a //hostname// (e.g. ''vert.synchro.net'') rather than a cryptic hard-to-remember IP address (e.g. ''64.148.159.105'').  If you need to know your public IP address, you can usually query your router/firewall device using it's configuration interface (typically via Telnet or HTTP to its private/LAN port) or access [[http://whatismyipaddress.com/|any]] [[http://checkip.dyndns.org/|one]] of [[http://www.whatismyip.com/|many]] public web-sites that can tell you what your public IP address is. However, it is usually much better to advertise a //hostname// (e.g. ''vert.synchro.net'') rather than a cryptic hard-to-remember IP address (e.g. ''64.148.159.105''). 
  
 If you use a [[module:dyndns|Dynamic-DNS]] service to get a hostname for your BBS, the service can usually correctly determine your public IP address automatically, even if your IP address changes (e.g. via DHCP). So **you** don't need to necessarily know what it is.  If you use a [[module:dyndns|Dynamic-DNS]] service to get a hostname for your BBS, the service can usually correctly determine your public IP address automatically, even if your IP address changes (e.g. via DHCP). So **you** don't need to necessarily know what it is. 
 +
 +Another way that will accurately scan and diagnose your IP connectivity is [[http://ipv6-test.com|the IPv6 test]] site.  It will identify both your [[IPv4|IPv4]] and your [[IPv6|IPv6]] for future connectivity.  This scan will show you your accurate IPv4 and is a great aid to know just how connectable your system is.
 +
  
 ===== Relay Mail ===== ===== Relay Mail =====
-**Question:**\\+:?: **Question:**\\
 Why can't I relay Internet e-mail through my BBS?  Why can't I relay Internet e-mail through my BBS? 
  
-**Answer:**\\+:!: **Answer:**\\
 Indications of this problem include error messages in your e-mail client similar to the following:  Indications of this problem include error messages in your e-mail client similar to the following: 
   553 Relaying through this server requires authentication. Please authenticate before sending.    553 Relaying through this server requires authentication. Please authenticate before sending. 
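Review bot: the added IPv6-test paragraph says the same thing three times ("identify both your IPv4 and your IPv6", then "show you your accurate IPv4"); one sentence would do, e.g. "The [[http://ipv6-test.com|IPv6 test]] site reports both your public IPv4 and IPv6 addresses and how reachable your system is." The links `[[IPv4|IPv4]]` and `[[IPv6|IPv6]]` point at root-namespace pages named IPv4 and IPv6, so confirm those pages exist. In the unchanged context, "using it's configuration interface" should be "its".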
Line 81: Line 95:
  
 You can allow specific hosts or users to relay e-mail through your mail server by either:  You can allow specific hosts or users to relay e-mail through your mail server by either: 
-Entering the sending host's IP address or hostname in your [[config:relay.cfg]] file. +Entering the sending host's IP address or hostname in your ''[[dir:ctrl]]/[[config:relay.cfg]]'' file. 
 This file may be edited with the SBBSCTRL:Mail->Edit->Allowed Relay List menu option.  This file may be edited with the SBBSCTRL:Mail->Edit->Allowed Relay List menu option. 
  
Line 88: Line 102:
 Use SMTP authentication:  Use SMTP authentication: 
 Enable the mail server configuration option to allow authenticated users to relay mail.  Enable the mail server configuration option to allow authenticated users to relay mail. 
-This can be done by adding ''ALLOW_RELAY'' to the ''Options'' key of the ''[mail]'' section of your ''[[config:sbbs.ini]]'' file. +This can be done by adding ''ALLOW_RELAY'' to the ''Options'' key of the ''[mail]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. 
 Or, if using SBBSCTRL, checking the "Allow Authenticated Users to Relay Mail" checkbox on the SMTP tab of the Mail Server Configuration dialog.  Or, if using SBBSCTRL, checking the "Allow Authenticated Users to Relay Mail" checkbox on the SMTP tab of the Mail Server Configuration dialog. 
  
Line 100: Line 114:
  
 ===== Send Mail ===== ===== Send Mail =====
-**Question:**\\+:?: **Question:**\\
 Why can't I send Internet e-mail from my BBS?  Why can't I send Internet e-mail from my BBS? 
  
-**Answer:**\\+:!: **Answer:**\\
 You must have the Synchronet SendMail thread enabled in your Synchronet Mail Server configuration.  You must have the Synchronet SendMail thread enabled in your Synchronet Mail Server configuration. 
 If you do not see the following message in your Synchronet Mail Server window/log output when the server is started or recycled: If you do not see the following message in your Synchronet Mail Server window/log output when the server is started or recycled:
Line 136: Line 150:
  
 If your ISP's mail server only allows e-mail to be sent from ''somename@yourisp.com'' then you need to contact your ISP about how you can send e-mail from a different domain using their mail server. Perhaps they only allow this feature when using SMTP authentication?  If your ISP's mail server only allows e-mail to be sent from ''somename@yourisp.com'' then you need to contact your ISP about how you can send e-mail from a different domain using their mail server. Perhaps they only allow this feature when using SMTP authentication? 
 +
 +One possible solution if **outbound** TCP port 25 is blocked by your ISP is to use an SMTP relay server which accepts connections on another TCP port (say, 587) and will then relay your mail to the destination mail server on port 25. If you wish, you can [[howto:relay_smtp|relay the outbound mail from your BBS through Vertrauen]] using your QWKnet account for authentication (this service is for Synchronet sysops only, provides no guarantee of privacy, and may be terminated at any time for any reason).
  
 You have your mail server configured to use an external "Relay Server", but have an improperly configured relay server hostname or IP address.  You have your mail server configured to use an external "Relay Server", but have an improperly configured relay server hostname or IP address. 
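Review bot: the new paragraph about an SMTP relay "on another TCP port (say, 587)" would be clearer if it said that 587 is the standard mail submission port (the same one listed in the ports table above) and that relays listening on it normally require authentication; pointing the reader at the `RELAY_AUTH` options described a few paragraphs further down would close that gap, since without them the relay will reject the BBS's mail with the "553 Authentication required" error quoted below.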
Line 147: Line 163:
   0000 !Delivery attempt #1 FAILED (somehost.org replied with: "553 Authentication required." instead of the expected reply: "250 ..."   0000 !Delivery attempt #1 FAILED (somehost.org replied with: "553 Authentication required." instead of the expected reply: "250 ..."
  
-Synchronet v3.12+ supports the Plain, Login, and CRAM-MD5 methods of SMTP authentication when relaying mail through an external relay server. To enable SMTP authentication when relaying, add one of the ''RELAY_AUTH'' flags to the ''Options'' value in the ''[Mail]'' section of your ''[[config:sbbs.ini]]'' file. Or, if running SBBSCTRL-Win32, enable one of the authentication radio buttons on the "Relay" tab of the Mail Server Configuration dialog. +Synchronet v3.12+ supports the Plain, Login, and CRAM-MD5 methods of SMTP authentication when relaying mail through an external relay server. To enable SMTP authentication when relaying, add one of the ''RELAY_AUTH'' flags to the ''Options'' value in the ''[Mail]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. Or, if running SBBSCTRL-Win32, enable one of the authentication radio buttons on the "Relay" tab of the Mail Server Configuration dialog. 
  
 You have a message in your outbound e-mail queue that is flagged as 'in transit'. If you're running only one instance of the Synchronet Mail Server, this is not a normal condition and the affected message will not be sent until the 'in transit' flag is cleared.  You have a message in your outbound e-mail queue that is flagged as 'in transit'. If you're running only one instance of the Synchronet Mail Server, this is not a normal condition and the affected message will not be sent until the 'in transit' flag is cleared. 
Line 155: Line 171:
 This condition can occur if the Synchronet SendMail thread is terminated unexpectedly while in the process of attempting the delivery an outbound e-mail message. The 'in transit' flag is used to protect multiple instances of the SendMail thread from attempting to deliver the same e-mail message simultaneously.  This condition can occur if the Synchronet SendMail thread is terminated unexpectedly while in the process of attempting the delivery an outbound e-mail message. The 'in transit' flag is used to protect multiple instances of the SendMail thread from attempting to deliver the same e-mail message simultaneously. 
  
-If you only have one instance of the Synchronet SendMail thread active (the usual scenario), you can eliminate this problem by adding ''SEND_INTRANSIT'' to the ''Options'' value in the ''[Mail]'' section of your ''[[config:sbbs.ini]]'' file. Or you can remove the 'in transit' flags from all existing e-mail messages by running the fixsmb utility on your data/mail database or by running the exec/notransit.js script. +If you only have one instance of the Synchronet SendMail thread active (the usual scenario), you can eliminate this problem by adding ''SEND_INTRANSIT'' to the ''Options'' value in the ''[Mail]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. Or you can remove the 'in transit' flags from all existing e-mail messages by running the fixsmb utility on your data/mail database or by running the exec/notransit.js script. 
 In general, you need to check your Synchronet Mail Server window/log output for details about why Internet e-mail delivery attempts may be failing.  In general, you need to check your Synchronet Mail Server window/log output for details about why Internet e-mail delivery attempts may be failing. 
  
 ===== Receive Mail ===== ===== Receive Mail =====
  
-**Question:**\\+:?: **Question:**\\
 Why can't my BBS receive Internet e-mail?  Why can't my BBS receive Internet e-mail? 
  
-**Answer:**\\+:!: **Answer:**\\
 You must have the Synchronet SMTP (mail) server running and listening for incoming connections on TCP port 25 (the standard SMTP port). You (or a friend) can test this basic connectivity by attempting to Telnet to port 25 (instead of port 23) at your BBS's hostname or [[#public IP]] address from a remote location on the Internet. The remote Telnet client should see a successful connection and a text message similar to the following: You must have the Synchronet SMTP (mail) server running and listening for incoming connections on TCP port 25 (the standard SMTP port). You (or a friend) can test this basic connectivity by attempting to Telnet to port 25 (instead of port 23) at your BBS's hostname or [[#public IP]] address from a remote location on the Internet. The remote Telnet client should see a successful connection and a text message similar to the following:
   220 bbs.synchro.net Synchronet SMTP Server 1.362-Win32 Ready    220 bbs.synchro.net Synchronet SMTP Server 1.362-Win32 Ready 
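Review bot: the unchanged context sentence "while in the process of attempting the delivery an outbound e-mail message" is missing a word and should read "attempting the delivery of an outbound e-mail message"; worth fixing while this paragraph is being edited anyway.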
Line 173: Line 189:
 ===== FTP Connect ===== ===== FTP Connect =====
  
-**Question:**\\+:?: **Question:**\\
 Why can't users connect to my FTP server?  Why can't users connect to my FTP server? 
  
-**Answer:**\\+:!: **Answer:**\\
 You must have the Synchronet FTP server running and listening for incoming connections on TCP port 21 (the standard FTP port). See the previous answer about methods of testing this basic connectivity using a remote Telnet client.  You must have the Synchronet FTP server running and listening for incoming connections on TCP port 21 (the standard FTP port). See the previous answer about methods of testing this basic connectivity using a remote Telnet client. 
  
 If your FTP server window/log indicates an accepted FTP connection, then it's not a connectivity problem and probably a login failure.  If your FTP server window/log indicates an accepted FTP connection, then it's not a connectivity problem and probably a login failure. 
  
-FTP sessions require a login. If you have not created a Guest account for your BBS, then the FTP server will not allow Annonymous logins (most web browsers, for example, will attempt to login anonymously by default). If this is the problem, then either create a Guest account (preferably using the ''exec/makeguest.js'' module) or tell your FTP users that they must login with a valid BBS user account in order to use the FTP server. +FTP sessions require a login. If you have not created a [[:access:#Guest]] account for your BBS, then the FTP server will not allow Annonymous logins (most web browsers, for example, will attempt to login anonymously by default). If this is the problem, then either [[:access:#guest_account_creation|create a Guest account]] or tell your FTP users that they must login with a valid BBS user account in order to use the FTP server. 
  
 ===== FTP NAT ===== ===== FTP NAT =====
-**Question:**\\+:?: **Question:**\\
 Why do FTP clients lock-up or time-out when listing directories or downloading files from my FTP server?  Why do FTP clients lock-up or time-out when listing directories or downloading files from my FTP server? 
  
-**Answer:**\\+:!: **Answer:**\\
 Your BBS computer is probably behind a Network Address Translator ([[rfc>1631|NAT]]). NAT functionality is typically built into router/firewall devices. If your NAT device supports active and passive FTP servers "behind" the NAT, then you should have no problems. Unfortunately, this is not always the case: some cheaper consumer-level firewalls do not handle FTP server connections correctly or they do not support FTP servers listening on non-standard ports. Sometimes passive (PASV) transfers work fine, but active (PORT) transfers do not, or vice versa.  Your BBS computer is probably behind a Network Address Translator ([[rfc>1631|NAT]]). NAT functionality is typically built into router/firewall devices. If your NAT device supports active and passive FTP servers "behind" the NAT, then you should have no problems. Unfortunately, this is not always the case: some cheaper consumer-level firewalls do not handle FTP server connections correctly or they do not support FTP servers listening on non-standard ports. Sometimes passive (PASV) transfers work fine, but active (PORT) transfers do not, or vice versa. 
  
 [[http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html|This document]] contains the technical details about how and why and the recommended solutions.  [[http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html|This document]] contains the technical details about how and why and the recommended solutions. 
  
-:!: Note: Most web browsers (e.g. Microsoft Internet Explorer) use passive FTP transfer mode by default. +**Note**: Most web browsers use //passive// FTP transfer mode by default, though this may be configurable
  
-:!: Note: Some FTP clients (e.g. the Windows command-line FTP client, ''ftp.exe'') only support active mode transfers. +**Note**: Some FTP clients (e.g. the Windows command-line FTP client, ''ftp.exe''//only// support //active// mode transfers. 
  
-Enabling the logging of FTP data channel activity can help diagnose these kinds of problems. This can be done by adding the ''DEBUG_DATA'' option to the ''Options'' value in the ''[FTP]'' section of your ''[[config:sbbs.ini]]'' file or by checking the //Data Channel Activity// checkbox in the //Log// tab of the FTP Server Configuration dialog in the Synchronet Control Panel for Win32.  +Enabling the logging of FTP data channel activity can help diagnose these kinds of problems. This can be done by adding the ''DEBUG_DATA'' option to the ''Options'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file or by checking the //Data Channel Activity// checkbox in the //Log// tab of the FTP Server Configuration dialog in the Synchronet Control Panel for Windows
- +
-If you're having problems with passive transfers and you're seeing +
-  !UNSUPPORTED COMMAND from username: 'P@SW' +
-in your FTP server log/window output, you're probably using an //SMC Barricade// router (see [[http://www.gbnetwork.co.uk/smcftpd/|this document]] for details). Upgrade to Synchronet v3.13a (FTP Server Revision 1.296) or later to work-around this problem with this device+
  
 If you're having problems with passive (PASV) transfers through your NAT/firewall device and you're running Synchronet v3.13a (FTP Server Revision 1.296) or later:  If you're having problems with passive (PASV) transfers through your NAT/firewall device and you're running Synchronet v3.13a (FTP Server Revision 1.296) or later: 
-If the remote client is attempting to connect to your [[#private IP]] address (your NAT device isn't translating the PASV response from the FTP server) and you have a static [[#public IP]] address, you can work-around this limitation of your NAT device by using the ''PasvIpAddress'' value in the ''[FTP]'' section of your ''[[config:sbbs.ini]]'' file to specify your [[#public IP]] address. +If the remote client is attempting to connect to your [[#private IP]] address (your NAT device isn't translating the PASV response from the FTP server) and you have a static [[#public IP]] address, you can work-around this limitation of your NAT device by using the ''PasvIpAddress'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file to specify your IPv4 [[#public IP]] address. 
  
 This problem can be identified (on the client) by finding a comma-separated [[#private IP]] address in the PASV response received from the FTP server (in response to a directory or file transfer request from the client).  This problem can be identified (on the client) by finding a comma-separated [[#private IP]] address in the PASV response received from the FTP server (in response to a directory or file transfer request from the client). 
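Review bot: the rewritten note `**Note**: Some FTP clients (e.g. the Windows command-line FTP client, ''ftp.exe''//only// support //active// mode transfers.` dropped the closing parenthesis the old line had after `ftp.exe''`, and the new `//only//` runs straight into it; it should read `''ftp.exe'') //only// support //active// mode transfers.` The note above it ("...though this may be configurable") and the DEBUG_DATA paragraph ("...Control Panel for Windows") both lost their terminating periods in the rewrite, and "Annonymous logins" (should be "Anonymous") survives from the old revision in the rewritten Guest-account sentence.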
Line 223: Line 235:
 Use an FTP client that supports passive mode and can display all the responses received-from the FTP server to help identify this particular problem. The FTP client must be running on a system outside your private network, so you may need a friend to assist you with this.  Use an FTP client that supports passive mode and can display all the responses received-from the FTP server to help identify this particular problem. The FTP client must be running on a system outside your private network, so you may need a friend to assist you with this. 
  
-If you have a dynamically-assigned IP address (via DHCP), then your IP address may change at some point, so setting the ''PasvIpAddress'' to a specific IP address may not be a long term solution for your FTP Server. In Synchronet v3.14a and later, you can enable the new Lookup Passive IP feature by checking the //Lookup// checkbox on the //Passive// tab of the FTP Server Configuration Dialog in SBBSCTRL-Win32, or by adding ''LOOKUP_PASV_IP'' to the Options value in the ''[FTP]'' section of your ''[[config:sbbs.ini]]'' file. This option instructs the Synchronet FTP Server to perform a DNS hostname lookup on your BBS's public hostname and use the resulting IP address (which should be your BBS's [[#public IP]] address) in passive responses. +If you have a dynamically-assigned IP address (via DHCP), then your IP address may change at some point, so setting the ''PasvIpAddress'' to a specific IP address may not be a long term solution for your FTP Server. In Synchronet v3.14a and later, you can enable the new //Lookup Passive IP// feature by checking the //Lookup// checkbox on the //Passive// tab of the FTP Server Configuration Dialog in [[monitor:SBBSCTRL]]-Win32, or by adding ''LOOKUP_PASV_IP'' to the Options value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. This option instructs the Synchronet FTP Server to perform a DNS hostname lookup on your BBS's public hostname and use the resulting IP address (which should be your BBS's [[#public IP]] address) in passive responses. 
  
-If your firewall cannot dynamically open/forward FTP PASV data ports for incoming passive FTP data connections, you can specifiy a limited range of TCP port numbers to use for passive transfers by modifying the PasvPortLow and PasvPortHigh values in the ''[FTP]'' section of your ''[[config:sbbs.ini]]'' file. You will of course need to configure your firewall device to open/forward these ports to your FTP server. +If your firewall cannot dynamically open/forward FTP PASV data ports for incoming passive FTP data connections, you can specify a limited range of TCP port numbers to use for passive transfers by modifying the PasvPortLow and PasvPortHigh values in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. You will of course need to configure your firewall device to open/forward these ports to your FTP server.  
 + 
 +===== FTP HTML ===== 
 +:?: **Question:**\\ 
 +Why will a web browser not (no longer) render the HTML content sent by the Synchronet FTP Server (i.e. ''00index.html'' generated by ''ftp-html.js'')?  
 + 
 +:!: **Answer:**\\ 
 +For security reasons, modern web browsers (e.g. Google Chrome) have stopped rendering HTML content served by protocols other than HTTP or HTTPS. 
 +  * [[https://www.bleepingcomputer.com/news/google/chrome-and-firefox-developers-aim-to-remove-support-for-ftp/]] 
 + 
 +Some web browsers (e.g. Microsoft Edge) are removing FTP support altogether. 
 +  * [[https://www.ghacks.net/2020/03/19/mozilla-will-remove-ftp-support-in-the-firefox-web-browser/]]
  
 ===== Bind ===== ===== Bind =====
-**Question:**\\+:?: **Question:**\\
 Why do some or all of my servers get bind errors when starting or recycling?  Why do some or all of my servers get bind errors when starting or recycling? 
-**Answer:**\\+ 
 +:!: **Answer:**\\
 If you're getting bind errors when first starting up one or more Synchronet servers, similar to the following:  If you're getting bind errors when first starting up one or more Synchronet servers, similar to the following: 
   0420 !ERROR 48 binding FTP Server socket to port 21    0420 !ERROR 48 binding FTP Server socket to port 21 
  
-This usually means you have another TCP/IP server on your system that is already bound to (and is presumably already listening for incoming connections on) this port. This could be a pre-existing instance of Synchronet or any other Telnet/Web/Mail/FTP servers that you may have installed on your systemYou can use utilities such as [[man>netstat]] (for Windows or Unix) or [[http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx|TCPView]] (for Windows) to verify what programs (if any) have the TCP or UDP port in question already bound. If these utilities do not report any program is bound to (and listening) on this port, you can try Telnetting to the port in question and see if anything answers. If you're unable to connect to the port with a Telnet client and Synchronet cannot bind the port, your TCP/IP stack probably needs to be reset, so a system reboot may be in order+**Note:**\\ 
 +On Unix-like systems, the error number may be different, e.g''ERROR 98'' (EADDRINUSE) on Linux.
  
-If you're running a Unix-like operating system (not Windows) and get bind errors only when recycling serversthis is most likely because a TCP session is stuck in a ''TCP TIMEWAIT'' state (you can use netstat to verify this). The session will eventually time-out and close properly on its own, allowing the port to be re-bound at that time. To work-around this problem, you can either increase the ''BindRetryCount'' and/or ''BindRetryDelay'' values in your ''[[config:sbbs.ini]]'' file, or you can add the following line to your ''ctrl/sockopts.cfg'' file:  +This usually means you have another TCP/IP server on your system that is already bound to (and is presumably already listening for incoming connections on) this port. This could be a pre-existing instance of Synchronet or any other Telnet/Web/Mail/FTP servers that you may have installed on your system. You can use utilities such as ''[[man>netstat]]'' (for Windows or Unix((e.g. 'netstat -naptu' as root user on Linux))) or [[http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx|TCPView]] (for Windows) to verify what programs (if any) have the TCP or UDP port in question already bound. If these utilities do not report any program is bound to (and listening) on this port, you can try Telnetting to the port in question and see if anything answers. If you're unable to connect to the port with a Telnet client and Synchronet cannot bind the port, your TCP/IP stack probably needs to be reset, so a system reboot may be in order.  
-  REUSEADDR 1  + 
-Or, if running Synchronet v3.13b or later, your ''[[config:sockopts.ini]]'' file: +:!: **Answer:**\\ 
 +If you're getting bind errors when first starting up one or more Synchronet servers, similar to the following:  
 +  0003 !ERROR 13 binding Web Server socket to port 80 
 + 
 +Error ''13'' means "access denied"
 +This error upon binding usually means that you're running Synchronet as non-privileged user account (e.g. not 'root') and the operating system you're running does not allow processes run under non-privileged user accounts to bind to low (TCP or UDP) port numbers (usually less than 1024). You can either use higher TCP port numbers in your configuration or have Synchronet switch to a non-privileged user *after* binding the TCP ports (see [[config:nix]] for details), see also: [[howto:Linux non-root]]. 
 + 
 +==== Rebind ==== 
 +:!: **Answer:**\\ 
 +If you're running a Unix-like operating system (not Windows) and get bind errors //only// when recycling servers
 +  sbbs: term 0001 !ERROR 98 binding Telnet Server socket to port 23 
 +  sbbs: term 0001 Will retry in 15 seconds (1 of 2) 
 + 
 +... this is most likely because a TCP session is stuck in a TCP "TIME WAIT" or "CLOSE WAIT" state (you can use ''[[man>netstat]]'' to verify this). The session will eventually time-out and close properly on its own, allowing the port to be re-bound at that time. To work-around this problem, you can either increase the ''BindRetryCount'' and/or ''BindRetryDelay'' values in your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file, or you can add the following line to the root section of your ''[[dir:ctrl]]/[[config:sockopts.ini]]'' file: 
   REUSEADDR=1    REUSEADDR=1 
 +
  
 ===== Bandwidth ===== ===== Bandwidth =====
-**Question:**\\+:?: **Question:**\\
 How many nodes/clients/users can I support with my Internet connection?  How many nodes/clients/users can I support with my Internet connection? 
  
-**Answer:**\\+:!: **Answer:**\\
 Depends on what those clients will be doing while connected. Here are some facts to consider:  Depends on what those clients will be doing while connected. Here are some facts to consider: 
  
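Review bot: the claim in the Rebind answer that "The session will eventually time-out and close properly on its own" is true of ''TIME WAIT'' but not of ''CLOSE WAIT'', which this revision adds to the same sentence: a socket in CLOSE_WAIT has no timer and stays there until the local process that owns it closes its end, so if an old server thread is still holding it, waiting (or raising ''BindRetryCount''/''BindRetryDelay'') will not clear it and the sysop has to find and stop the holder. Suggest splitting the sentence, e.g. "A session in TIME WAIT will time out on its own; a session in CLOSE WAIT means a local program has not yet closed the socket and clears only when it does", and pointing at the ''netstat -naptu'' footnote, since ''-p'' is what shows the owning PID. Minor style point in the ERROR 13 answer: ''*after*'' is Markdown emphasis, while the rest of this page (e.g. ''//only//'' a few lines below) uses DokuWiki ''//after//''.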
Line 269: Line 308:
 If you have a 256Kbps upstream channel, for example, you could support four or five simultaneous "56K" clients all downloading files, and all getting 100% utilization of their respective downstream channels. If you have a 256Kbps upstream channel, for example, you could support four or five simultaneous "56K" clients all downloading files, and all getting 100% utilization of their respective downstream channels.
  
 +===== Block Hackers =====
 +:?: **Question:**\\
 +Can Synchronet automatically block the IP address of hackers/attack-scripts? 
 +
 +:!: **Answer:**\\
 +Yes, see [[howto:Block-Hackers]] for detailed instructions.
 +
 +===== SSH Algo =====
 +:?: **Question:**\\
 +Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server?
 +
 +:!: **Answer:**\\
 +SSH supports a variety of cryptographic algorithms for encryption (privacy), integrity (mac) and authentication (key-exchange). As stronger algorithms are introduced, older (less-strong) algorithms are deprecated. As a result, when using a newer version of any SSH client (especially OpenSSH), it may fail to connect to SSH servers which only support less-than-the-strongest (newest) algorithms. There is no permanent solution to this issue as cryptographic algorithms are constantly improving (becoming stronger) and older (weaker) algorithms are going out of favor.
 +
 +
 +==== SSH Cipher Algo ====
 +
 +Should be fixed as of Fri Feb 14 07:37:04 2020 UTC. aes128-ctr and aes256-ctr support was added.
 +
 +Example:
 +  $ ssh vert.synchro.net
 +  Unable to negotiate with vert.synchro.net port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc
 +  
 +Workarounds for OpenSSH:
 +
 +  $ ssh -c aes128-cbc user@yourbbs.com
 +  
 +or in the ''~/.ssh/config'' file (OpenSSH v6):
 +
 +  Host yourbbs.com
 +  Ciphers aes128-cbc
 +  
 +==== SSH Kex Algo ====
 +
 +Should be fixed as of Mon Jun 3 22:21:15 2019 UTC. diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha256 support was added.
 +
 +Example:
 +  $ ssh vert.synchro.net
 +  Received disconnect from 71.95.196.34: 2: Handshake failed
 +  
 +or:
 +  Unable to negotiate with legacyhost: no matching key exchange method found.
 +  Their offer: diffie-hellman-group1-sha1
 +
 +From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]:
 +> OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations, but since some of the older algorithms have been found to be weak, not all of them are enabled by default.
 +
 +Workarounds for OpenSSH:
 +
 +  $ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@yourbbs.com
 +
 +or in the ''~/.ssh/config'' file (OpenSSH v6):
 +
 +  Host yourbbs.com
 +  KexAlgorithms diffie-hellman-group1-sha1
 +  
 +**Note:**
 +If you created this file to work-around the cryptlib v3.4.2 compatibility issue, you will need to remove this file or modify it after updating to cryptlib v3.4.4  (currently, the latest).
 +
 +or in the ''~/.ssh/config'' file (OpenSSH v7):
 +
 +  Host yourbbs.com
 +  KexAlgorithms +diffie-hellman-group1-sha1
 +
 +Note: Run ''ssh -V'' to see what version of OpenSSH you have.
 +
 +==== SSH MAC Algo ====
 +
 +Should be fixed as of Mon Jun 3 22:21:15 2019 UTC. hmac-sha2-256 support was added.
 +
 +Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm.
 +
 +Workaround for OpenSSH (reported by nelgin):
 +
 +  $ ssh -m hmac-md5 user@yourbbs.com
 +
 +===== SSH Session Key =====
 +:?: **Question:**\\
 +How do I resolve the following terminal server SSH error?
 +
 +  'Couldn't import the session key used to protect the private key' (-22) getting private key
 +
 +:!: **Answer:**\\
 +Rename/move or delete your ''[[dir:ctrl]]/cryptlib.key'' file.
 +
 +If you're using TLS for your other [[server:|Synchronet servers (e.g. web, mail, ftp, etc.)]], you may also need to rename/move or delete your ''[[dir:ctrl]]/ssl.cert'' file.
 +
 +These files (''cryptlib.key'' and ''ssl.cert'') are encrypted with the Synchronet //system password//, so if the system password is changed then these files must also be regenerated. The files are automatically recreated by //sbbs// upon startup if they do not already exist.
 ===== See Also ===== ===== See Also =====
-  * [[:server:|TCP/IP Servers]]+  * [[:server:|Servers]] 
 +  * [[:service:|Services]]
   * [[:faq:|Frequently Asked Questions]]   * [[:faq:|Frequently Asked Questions]]
  
-{{tag>tcpip}}+{{tag>tcpip servers}}
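Review bot: the OpenSSH workarounds in the SSH Cipher/Kex/MAC subsections (''ssh -c aes128-cbc'', ''-oKexAlgorithms=+diffie-hellman-group1-sha1'', ''-m hmac-md5'') re-enable algorithms that OpenSSH disabled precisely because they are weak, yet each subsection opens by saying the server-side fix has landed (aes128-ctr/aes256-ctr, diffie-hellman-group14-sha256/group-exchange-sha256, hmac-sha2-256); the section should state that the preferred fix is updating the BBS and that the client-side workarounds are only for connecting to BBSes still on pre-fix builds. Two related points: the ''Ciphers aes128-cbc'' stanza replaces the client's entire cipher list for that host, whereas the ''+'' append form the Kex subsection gives for OpenSSH v7 works for ''Ciphers'' too (''Ciphers +aes128-cbc'') and keeps the stronger defaults in the offer; and it is worth saying that the ''Host yourbbs.com'' stanza is preferable to a global setting because it confines the weakened algorithms to that one host. The cryptlib v3.4.2 note also sits between the v6 and v7 config blocks, so the v7 block reads as an afterthought; move it after both. In the SSH Session Key answer, since ''cryptlib.key'' holds the terminal server's SSH host key, deleting it and letting sbbs regenerate it changes the host key fingerprint, so users' SSH clients will warn about a changed host key on their next connection; suggest the answer mention this and that the sysop announce the new fingerprint.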