
FTP Timeouts

Discussion in 'General Discussion' started by ttremain, Jan 27, 2006.

  1. ttremain

    ttremain Well-Known Member

    Using PureFTP or ProFTP and APF firewall

    We've made no changes, until:
    About a week ago, clients on multiple servers started complaining about FTP downloads
    of about 20 Meg or more, getting slower and slower, and then timing out.

    I do not (did not) have passive ports open in APF and PureFTP, however I did experiment with it later.

    I would like FTP to work, as it always has, with passive mode OFF.

    No changes have been made to the firewall setting in 5 or 6 months, and this started happening on multiple servers at once.


    Partial APF settings:
    CDPORTS="135_139,111,161,199,513,445,1434,1234,1524"
    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
    IG_UDP_CPORTS="21,53,465,873"
    IG_ICMP_TYPES="3,5,11,0,30,8"

    EGF="1"
    EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,465,443,873,2089,3306"
    EG_UDP_CPORTS="20,21,22,53,465,873,1129"
    EG_ICMP_TYPES="all"


    Suggestions? Thoughts?
     
  2. autod

    autod Registered

    Having similar issues. Just tested with APF off, and was able to upload a 30 and a 50MB test file without issues after 3 days of lost connections, hsRead/Write and connection errors in general.

    Trying to sort out what has changed with APF. I'm running CentOS 4 and using Pure-FTP.
     
  3. autod

    autod Registered

  4. ttremain

    ttremain Well-Known Member

    But having passive off has worked for years, why reconfigure everything and force clients
    to use passive mode?
     
  5. autod

    autod Registered

    Your guess is as good as mine. I simply want to FTP and have my very small group of clients also have the ability to upload their files.

    My tech INSISTS that opening ports 35000_36000 in APF presents a major security hole. His recommendation is that I use FTP/SSH2 as it's more secure and guaranteed to work.

    He doesn't seem to understand that I am not leasing a server to secure the internet. By his reasoning, I should turn down the server because it will be more secure that way. I mean, every open port is vulnerable right?

    I'm confused and entirely frustrated. I've lost days trying to deal with this. If I get a resolution, I will be sure to share.
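
Added example, not part of any post in this thread: a small Python check of whether a passive data-port range is allowed inbound by an APF port list, using the `IG_TCP_CPORTS` value quoted in the first post and the 35000_36000 range mentioned in the post above. The function names are hypothetical, and the script reads only the port lists (commas between entries, `_` for a range, as written in the thread); it does not model connection tracking.

```python
import re

# Constructed sample: the partial APF settings quoted in the first post.
APF_CONF = '''
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
EGF="1"
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,465,443,873,2089,3306"
'''

def parse_conf(text):
    """Return {NAME: value} for every NAME="value" line."""
    return dict(re.findall(r'^\s*([A-Z_]+)="([^"]*)"', text, re.M))

def parse_ports(value):
    """Expand an APF port list into sorted (low, high) tuples; '_' marks a range."""
    ranges = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        low, _, high = item.partition("_")
        ranges.append((int(low), int(high or low)))
    return sorted(ranges)

def uncovered(ranges, low, high):
    """Return the parts of low..high that no allowed range covers."""
    gaps, cur = [], low
    for a, b in ranges:
        if b < cur:          # range ends before the point we still need
            continue
        if a > high:         # sorted input: nothing later can overlap
            break
        if a > cur:          # hole between what is covered and this range
            gaps.append((cur, a - 1))
        cur = b + 1
        if cur > high:
            break
    if cur <= high:
        gaps.append((cur, high))
    return gaps

def ftp_inbound_report(conf_text, passive=(35000, 36000)):
    """Check the control port and a passive data range against IG_TCP_CPORTS."""
    allowed = parse_ports(parse_conf(conf_text).get("IG_TCP_CPORTS", ""))
    return {
        "control_port_open": not uncovered(allowed, 21, 21),
        "passive_gaps": uncovered(allowed, *passive),
    }

if __name__ == "__main__":
    print(ftp_inbound_report(APF_CONF))
```

A non-empty `passive_gaps` list means part of the passive range is not explicitly allowed inbound; the range passed in should match whatever passive port range the FTP daemon is configured with.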
     
  6. chirpy

    chirpy Well-Known Member

    I'm not surprised. APF is a great firewall script, but I've seen many servers where it simply doesn't work. The advice you were given was completely correct regarding both the holes in the firewall and the most secure way to allow FTP (SFTP) access, though the latter is not ideal for many.

    I'd strongly recommend you simply don't use APF and look to using one of the other many and varied iptables configuration scripts. One that I use with success when APF proves too buggy is KISSMyFirewall:
    http://www.webhostgear.com/index.php?art/id:87
     
  7. kris1351

    kris1351 Well-Known Member

    There another firewall besides APF that supports the mono kernel?
     
  8. chirpy

    chirpy Well-Known Member

    IIRC, you can do it with KISS, but have to hack out the module checks within the script. You do have to be sure the modules are correctly compiled in, though, or you'll be locked out ;) For testing I'd suggest an iptables stop cron job running every 5 minutes so you don't have to resort to the console.
     
  9. DWHS.net

    DWHS.net Well-Known Member
    Don't mean to beat a dead horse but not being able to upload files bigger than 25 megs when APF is on is a real pain.

    Any other less un-secure ways to help with this?

    We want to keep APF, it works great other than this.
     
  10. SoftDux

    SoftDux Well-Known Member

    OK, the question is still, how do we fix the problem?

    And why does the problem suddenly occur, if it was working fine a few days ago?
     