PureFTP doesn't work with Explicit over TLS

Comments

15 comments

  • mtindor
    Not only do you have to have the appropriate inbound TCP ports open in the firewall, but you must also have pureFTPD set up to use those ports.
    1. In csf.conf, make sure you have 30000:35000 or 60000:60100 added to the TCP_IN line.
    2. In /etc/pureftpd.conf make sure you have PassivePortRange uncommented and set, e.g.: PassivePortRange 30000 35000 or PassivePortRange 60000:60100
    3. /scripts/restartsrv_pureftpd
    Mike
    0
  • Mise
    Yes.. I have:
    # cat /var/cpanel/conf/pureftpd/local
    ForcePassiveFTP: ~
    PassivePortRange: 60000 60100
    # /scripts/restartsrv_pureftpd
    Waiting for "pureftpd" to restart "waiting for "pureftpd" to initialize "finished.
    Service Status
    pure-ftpd (pure-ftpd (SERVER)) is running as root with PID 8380 (pidfile+/proc check method).
    Startup Log
    Starting pure-config.pl: [ OK ]
    Starting pure-authd:
    pureftpd restarted successfully
    Inside /etc/csf/csf.conf:
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2078,2080,2083,2087,2096,60000:60100"
    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,465,587,2078,2080,2083,2087"
    PORTS_ftpd = "20,21"
    Is this right? Thanks!
    0
  • mtindor
    Yes, that is right. Just do it and test it. M
    0
  • mtindor
    Oh, I forgot -- You need to restart CSF as well, if you haven't already. M
    0
  • Mise
    I restarted csf but it doesn't work..
    Logged in
    Retrieving directory listing of "/public_html"...
    CWD /public_html
    250 OK. Current directory is /public_html
    TYPE I
    200 TYPE is now 8-bit binary
    PASV
    227 Entering Passive Mode (x.x.x.x.)
    MLSD
    Error: The data connection could not be established: ETIMEDOUT - Connection attempt timed out
    Error: Connection timed out after 40 seconds of inactivity
    Inside /var/log/messages there is no problem with TLS:
    # tail -f /var/log/messages
    Jun 18 21:41:10 host pure-ftpd: (?@x.x.x.x) [INFO] New connection from x.x.x.x
    Jun 18 21:41:10 host pure-ftpd: (?@x.x.x.x) [INFO] TLS: Enabled TLSv1/SSLv3 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
    Any idea, help, or more things to check? Thanks for your help!
    0
  • mtindor
    No more from me. It's a pretty simple process. (1) add PassivePortRange in FTP and restart the FTP server and (2) add those ports to TCP_IN in CSF and restart CSF. M
    0
  • Jcats
    Does it work if you disable CSF? csf -x
    0
  • Mise
    mtindor, thanks anyway for your time :) Don't know what happens with this..
    0
  • Mise
    Does it work if you disable CSF? csf -x

    I don't know really. My server is under constant attacks all the time and I do not dare to disable csf&lfd. Some users keep very weak passwords. I have changed the passive ports to a wider range of 53000:55000 and now I can retrieve the directory list with Filezilla. However, when I go to other folders there is a long delay in some folders, and sometimes the connection is lost. I'm not sure if pureftpd is returning the passive port connections with ipv6: (server: 11.11.11.11 / my ip: 22.22.22.22)
    # netstat -atpn | grep ftp
    tcp 0 0 11.11.11.11:61814 0.0.0.0:* LISTEN 3312/proftpd: class
    tcp 0 0 :::21 :::* LISTEN 31225/proftpd
    tcp 0 0 ::ffff:11.11.11.11:21 ::ffff:22.22.22.22:53295 ESTABLISHED 3312/proftpd: class
    What do you think? I'm not sure about the netstat output. I ask this because I have ipv6 disabled on the server and perhaps it can be the cause.
    0
  • Jcats
    Instead of disabling CSF, just whitelist your IP address like so: csf -a 2.2.2.2
    This will bypass CSF for that IP alone. Does the issue persist? Basically, you want to narrow down the issue: is it CSF or not, then go from there.
    0
  • Mise
    Yes, my IP is inside the csf whitelist and the issue persists. I believe the point is the plain connection works flawlessly; the only problem is with TLS. However, the starting TLS connection is established without problems. And the passive ports are well configured. CSF is well configured, otherwise the plain connection would also suffer the same problem with passive ports. The problem is in the TLS communication itself, which is very slow. There is not enough time to retrieve the folder contents and the communication is ended even with "keep alive". And later Filezilla tries to connect again to recover the last operation. A nightmare. Maybe the solution can be in some pureftp parameters, although this ftp software is really a shame both in structure and documentation. I wonder why such anti-human software is allowed in the world. Seems to be a dark design for the author and his friends, to talk about its problems in the launch time: "When TLS has been successfully negociated for a connection, you'll see something similar to this in log files : << TLS: Enabled TLSv1.2 with AES256-SHA, 256 secret bits cipher >>"
    0
  • cPanelLauren
    Hi @Mise CSF should automatically enable the passive FTP ports, though this issue does sound like there's an issue with passive mode over TLS. Would you mind opening a ticket using the link in my signature so that we can take a closer look? In this instance, it would be easier to troubleshoot the issue with access to the server. Once the ticket is open please reply with the ticket ID so we can update this thread with the outcome. Thanks!
    0
  • IndicHosts.net
    Check pure-ftpd.conf and see whether the value of ForcePassiveIP is set. If enabled, it should be set to your public IP address. Remember to restart pure-ftpd after saving any changes.
    0
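The two checks that came up in this thread (mtindor's PassivePortRange / TCP_IN pairing, and IndicHosts.net's ForcePassiveIP value) are easy to get subtly wrong by hand, so here is an added example, not code from the thread or from cPanel, that reads the two settings from a pure-ftpd config and the TCP_IN line from csf.conf and reports any mismatch. It accepts both the stock pure-ftpd.conf form (PassivePortRange 30000 35000) and the cPanel override form seen above (PassivePortRange: 60000 60100). The file paths and the sample file contents embedded at the bottom are constructed for the example; the function names are this example's own.

```python
"""
Consistency check for pure-ftpd passive mode behind CSF (added example).

Parses PassivePortRange and ForcePassiveIP from a pure-ftpd config and
TCP_IN from csf.conf, then reports whether the firewall actually admits
the passive data ports a client will be told to connect to.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Range = Tuple[int, int]


def parse_tcp_in(csf_conf: str) -> List[Range]:
    """Return the TCP_IN entries of csf.conf as (low, high) ranges.
    A single port becomes (port, port); '60000:60100' becomes (60000, 60100)."""
    m = re.search(r'^\s*TCP_IN\s*=\s*"([^"]*)"', csf_conf, re.MULTILINE)
    if not m:
        return []
    ranges = []
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_passive_range(pure_conf: str) -> Optional[Range]:
    """Return (low, high) from an active (uncommented) PassivePortRange line.
    Accepts 'PassivePortRange 30000 35000', 'PassivePortRange: 60000 60100'
    and 'PassivePortRange 60000:60100'; None if absent or only commented out."""
    m = re.search(r'^\s*PassivePortRange:?\s+(\d+)[\s:]+(\d+)', pure_conf, re.MULTILINE)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def parse_force_passive_ip(pure_conf: str) -> Optional[str]:
    """Return the ForcePassiveIP value, or None if unset ('~' is YAML null
    in the cPanel override file). 'ForcePassiveFTP' is a different key and
    is deliberately not matched."""
    m = re.search(r'^\s*ForcePassiveIP:?\s+(\S+)', pure_conf, re.MULTILINE)
    if not m or m.group(1) in ("~", ""):
        return None
    return m.group(1)


def range_covered(passive: Range, tcp_in: List[Range]) -> bool:
    """True if every port in the passive range is admitted by TCP_IN,
    even when the admitted range is split across several entries."""
    port, hi = passive
    while port <= hi:
        hit = next(((a, b) for a, b in tcp_in if a <= port <= b), None)
        if hit is None:
            return False
        port = hit[1] + 1
    return True


def audit(pure_conf: str, csf_conf: str) -> List[str]:
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    passive = parse_passive_range(pure_conf)
    if passive is None:
        findings.append("PassivePortRange is missing or commented out; "
                        "pure-ftpd will hand out random high ports that CSF does not admit")
        return findings
    if not range_covered(passive, parse_tcp_in(csf_conf)):
        findings.append(f"PassivePortRange {passive[0]}-{passive[1]} is not fully listed in csf.conf TCP_IN")
    fip = parse_force_passive_ip(pure_conf)
    if fip is not None:
        try:
            if not ipaddress.ip_address(fip).is_global:
                findings.append(f"ForcePassiveIP {fip} is not a public address; "
                                "clients will be told to open the data connection to an unreachable IP")
        except ValueError:
            findings.append(f"ForcePassiveIP {fip} is not an IP literal; make sure it resolves to the public address")
    return findings


def audit_files(pure_path: str, csf_path: str) -> List[str]:
    """Convenience wrapper for a live server (paths are the caller's choice,
    e.g. /var/cpanel/conf/pureftpd/local or /etc/pure-ftpd.conf, and /etc/csf/csf.conf)."""
    with open(pure_path) as p, open(csf_path) as c:
        return audit(p.read(), c.read())


# Constructed sample files mirroring the values discussed in the thread.
CSF_OK = 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2078,2080,2083,2087,2096,60000:60100"\n'
PURE_CPANEL_OK = "ForcePassiveFTP: ~\nPassivePortRange: 60000 60100\n"
PURE_MISMATCH = "# PassivePortRange 30000 35000\nPassivePortRange 30000 35000\nForcePassiveIP 10.0.0.5\n"

if __name__ == "__main__":
    for label, pure in (("cPanel override", PURE_CPANEL_OK), ("mismatched", PURE_MISMATCH)):
        print(label, audit(pure, CSF_OK) or ["OK"])
```

Run it as-is to see the constructed "mismatched" sample produce two findings (range not in TCP_IN, private ForcePassiveIP) while the cPanel-style sample passes; on a real box call audit_files() with the two config paths after every edit and before restarting pure-ftpd and CSF.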
  • Mise
    Just to say, all was solved after changing to ProFTPD, without needing to change anything in the config except the passive ports to 30000:35000. Both Filezilla modes, "simple" and "explicit over TLS", work well. I assume the problem was Pureftpd with TLS. I don't know the cause. No more time to waste with pureftpd.
    0
  • cPanelLauren
    Hi @Mise Thanks for letting us know, though if you do ever need to switch back to PureFTPd and you encounter the same issue please feel free to open a ticket in regard to this. Thanks!
    0