[Freeswitch-users] ftp-proxy interferes with event_socket on mac os x 10.8.5
Joel Dodson
jdodson at acm.org
Thu Oct 17 01:28:52 MSD 2013
Hi,
First off, thank you Mario for the great documentation for installing
freeswitch on Mac OS X. It was very helpful.
I ran into a problem starting freeswitch locally on my mac. The problem
was port 8021 was in use (default event_socket port). I had some
misdirections figuring out what was using 8021 so I thought I'd write up a
few notes with my experience (I've included the stupid things I did hoping
others can learn from it) and maybe they can be posted on the wiki in the
troubleshooting section (or maybe they are already and I missed it :) ).
The first thing I did was run netstat:

    netstat -an | grep 8021

output:

    tcp6       0      0  fe80::1%lo0.8021       *.*                    LISTEN
    tcp4       0      0  127.0.0.1.8021         *.*                    LISTEN
    tcp6       0      0  ::1.8021               *.*                    LISTEN

and see that yes, something else was using port 8021. But how do I get the
PID? Got to love stackoverflow:
http://stackoverflow.com/questions/4421633/who-is-listening-on-a-given-tcp-port-on-mac-os-x

    sudo lsof -iTCP:8021 -sTCP:LISTEN

I ran that to find it's launchd, output:

    COMMAND PID USER  FD  TYPE DEVICE             SIZE/OFF NODE NAME
    launchd   1 root  83u IPv6 0x6977044a72cceb65      0t0  TCP localhost:intu-ec-client (LISTEN)
    launchd   1 root  84u IPv4 0x6977044a74952245      0t0  TCP localhost:intu-ec-client (LISTEN)
    launchd   1 root  85u IPv6 0x6977044a72cce785      0t0  TCP localhost:intu-ec-client (LISTEN)

Here's where my big detour started. I wondered, what is intu-ec-client?
Well, if you google it, you'll find the first several hits are people
saying their iOS devices have been hacked. So I thought, oh ****, my
laptop has been hacked (though it's OS X 10.8.5, not iOS). I poked around
some more, ran a complete virus checker, a lot more googling...
What I've finally concluded is the only reason intu-ec-client is listed
there is because 8021 is registered with IANA as the default port for some
intuit protocol and lsof is doing port number to name conversion. Turns
out -P is used in lsof to not convert port numbers, -n is only for not
converting address.
Once I decided my system was probably not hacked, and it's just a
coincidence with the intu-ec-client port, I set out to figure out what
really is using that port. I'm not a systems expert by any stretch so
others reading this might think, what a dumbass, why didn't you do that in
the first place.
Though considering it's launchd, with PID 1 and user root using that port,
I guess I panicked thinking I'd better get this resolved while my system is
still working...
Anyway, after googling around some more and learning something about
launchd, I tried to telnet to the port (another suggestion from
stackoverflow which in hindsight I should have done immediately) to see
what was running there. I found there's an ftp-proxy running there.
Okay, so why is there an ftp-proxy running there? I've been running FS on
this laptop for several weeks and haven't run into this before.
I checked all the programs that start automatically and removed some that I
thought might possibly be starting an ftp-proxy (though I couldn't imagine
why they would be). Rebooted and still there's that ftp-proxy. I guess,
again in hindsight, none of those would have launched as root via launchd.
From the launchd man page, I found the configurations are in:

    ~/Library/LaunchAgents         Per-user agents provided by the user.
    /Library/LaunchAgents          Per-user agents provided by the administrator.
    /Library/LaunchDaemons         System-wide daemons provided by the administrator.
    /System/Library/LaunchAgents   Per-user agents provided by Mac OS X.
    /System/Library/LaunchDaemons  System-wide daemons provided by Mac OS X.

And from that I found the ftp-proxy in:
/System/Library/LaunchDaemons/com.apple.ftp-proxy.plist
which, sure enough, has localhost and 8021 defined as a listener.
What I'm still wondering is why I hadn't hit that before. In the last few
weeks, I haven't added an ftp-proxy. And that ftp-proxy.plist file is
dated July, 2012. I did recently launch the Apple-installed version of
apache on my laptop. I'm suspicious that also added the ftp-proxy to
launchd. I probably should look into that but for now, I'm comfortable my
system has not been hacked, I understand why that port is in use so I'll
just change the setting in event_socket.conf.xml and get back to work :)
thanks,
Joel
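
Added example, not part of the original post: a Python sketch that automates the last step above by parsing every job definition in the launchd directories and reporting which job asks launchd to listen on a given port. The function names and SAMPLE_PLIST are constructed for illustration; Sockets, SockNodeName and SockServiceName are the launchd.plist keys it assumes.

```python
import plistlib
import socket
from pathlib import Path
from xml.parsers.expat import ExpatError

# Directories from the launchd man page excerpt quoted in the post.
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
                "/Library/LaunchDaemons", "/System/Library/LaunchAgents",
                "/System/Library/LaunchDaemons"]
# Constructed sample job (not Apple's file): one listener on localhost:8021.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>example.ftp-proxy</string>
<key>Sockets</key><dict><key>Listeners</key><dict>
<key>SockNodeName</key><string>localhost</string>
<key>SockServiceName</key><string>8021</string>
</dict></dict></dict></plist>"""

def to_port(service):
    """SockServiceName holds a port number or a service name."""
    try:
        return int(service)
    except (TypeError, ValueError):
        try:
            return socket.getservbyname(str(service))
        except OSError:
            return None

def listeners(job):
    """Return [(node, port)] for each socket launchd opens for a job.
    Each key under Sockets maps to one dict or to an array of dicts."""
    sockets = job.get("Sockets") if isinstance(job, dict) else None
    found = []
    for spec in (sockets.values() if isinstance(sockets, dict) else []):
        for entry in (spec if isinstance(spec, list) else [spec]):
            if isinstance(entry, dict):
                found.append((entry.get("SockNodeName", "*"),
                              to_port(entry.get("SockServiceName"))))
    return found

def jobs_on_port(port, dirs=LAUNCHD_DIRS):
    """Return (plist path, Label, node) for each job listening on port."""
    hits = []
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                job = plistlib.loads(path.read_bytes())
            except (OSError, ValueError, ExpatError):
                continue  # unreadable or malformed plist
            hits += [(str(path), job.get("Label"), node)
                     for node, p in listeners(job) if p == port]
    return hits
```

On a Mac, jobs_on_port(8021) scans the five directories and names the plist that owns the listener, which is the answer lsof cannot give when it only shows launchd, PID 1.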