Hi
Wondering if you can help. I've tried my web host but they seem unable to provide any useful response to what might be going on, and I have tried everything I'm capable of including some guides I have read here.
The server is running CentOS 7.7 Virtuozzo with cPanel/WHM version 82.0.16.
The server is using the CSF firewall, and I believe iptables is also installed, although I'm not sure if this has much relevance to the issue I'll describe.
I have a site that periodically sends files over standard FTP to remote servers using PHP. This all worked perfectly for years until I moved to the new server (which is a near-identical setup to the old one, including firewall settings), but I have recently found that, rather randomly, connections to remote servers would fail and then, on repeated upload attempts, randomly work.
Using my own local server as a test, I noted that FileZilla was presenting a "Data connection can't be established" message, which I suspect is what the other remote server had also generated, albeit randomly.
As such, and most recently, I changed the script to specifically use a 'passive' connection, which from what I have read seems to be the ideal way to go in order to at least avoid the above message. This is the current setup I'm sticking with.
However, the server seems to be blocking the connection.
I've checked the CSF firewall configuration both via WHM and the command line ("nano /etc/csf/csf.conf"), and currently these ports are set:
CSF Firewall Config
Code:
# Allow incoming TCP ports
TCP_IN = "20,21,22,2211,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443,49152:65534,30000:35000"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,2211,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
Note: the last entry 30000:35000 in TCP_IN was added by CSF after I tried its "Fix common problems" option.
I also checked the PureFTPd config ("nano /var/cpanel/conf/pureftpd/main"), which has the following settings:
I have not touched the main.cache file.
PureFTP Config
Code:
AllowAnonymousFXP: 'no'
AllowUserFXP: 'no'
AltLog: xferlog:/etc/apache2/logs/domlogs/ftpxferlog
AnonymousCanCreateDirs: 'no'
AnonymousCantUpload: 'yes'
AnonymousOnly: 'no'
AntiWarez: 'yes'
AutoRename: 'no'
Bind: 21
BrokenClientsCompatibility: 'no'
ChrootEveryone: 'yes'
CustomerProof: 'yes'
Daemonize: 'No'
DisplayDotFiles: 'no'
DontResolve: 'yes'
ExtAuth: /var/run/ftpd.sock
LimitRecursion: 10000 8
MaxClientsNumber: 200
MaxClientsPerIP: 8
MaxDiskUsage: 99
MaxIdleTime: 3600
MaxLoad: 4
MinUID: 100
NoAnonymous: 'yes'
PassivePortRange: 49152 65534
ProhibitDotFilesRead: 'no'
ProhibitDotFilesWrite: 'no'
RootPassLogins: 'yes'
SyslogFacility: ftp
TLS: 1
TLSCipherSuite: HIGH
Umask: 133:022
VerboseLog: 'no'
Note: I'm not sure if the server is or isn't behind a NAT, not that I understand what this even means, but I did try the ForcePassiveIP configuration option, and this seemed to make no difference to the outcome.
Lastly, I checked the iptables configuration ("nano /etc/sysconfig/iptables"), which has similar entries to what was suggested here:
How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation
IPTABLES config
Code:
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 30000:35000 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
Note: As a test I added the second line of the code above purely because CSF added these extra ports to the firewall. I understand that these ports are probably defunct.
Now, with all of these being set, trying to upload files via the server basically fails; however, if I turn the CSF firewall off, or add the remote server IP to the firewall, files transfer over passive like normal.
This leads me to assume something within the firewall config is doing this, but what?
As far as I'm aware, the firewall settings are allowing connections, but I'm hoping someone here can shed some light on what's happening and what else I can try to resolve this WITH the firewall active.
Remote FTP Server log
If it's of any help, below is an FTP log extract which shows the connection that works and one that just fails.
Code:
> Connected on port 21, sending welcome message...
> USER feeds
> 331 Password required for feeds
> PASS *************
> 230 Logged on
> PASV
> 227 Entering Passive Mode (94,9,102,218,11,202)
> TYPE I
> 200 Type set to I
> STOR 358.zip
> 150 Opening data channel for file upload to server of "/358.zip"
> 226 Successfully transferred "/358.zip"
> QUIT
> 221 Goodbye
> disconnected.
> Connected on port 21, sending welcome message...
> USER feeds
> 331 Password required for feeds
> PASS *************
> 230 Logged on
> PASV
> 227 Entering Passive Mode (94,9,102,218,15,92)
> TYPE I
> 200 Type set to I
> QUIT
> 221 Goodbye
> disconnected.
Cheers
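A small checker for the configuration quoted above, added here as an example and not part of the original post. In passive mode the client (here, the PHP script on the cPanel server) opens the data connection outbound to the port announced in the remote server's 227 reply, so on the sending host CSF judges that connection against TCP_OUT rather than TCP_IN, while in active mode the remote server connects back to an ephemeral client port that TCP_IN must admit. The code decodes the two 227 replies from the posted log, tests the announced ports against the posted CSF lists, and reports which part of an assumed CentOS 7 ephemeral range (net.ipv4.ip_local_port_range 32768 to 61000, an assumption) TCP_IN leaves uncovered; the function names are my own.

```python
import re

# CSF port lists exactly as posted in the question (/etc/csf/csf.conf).
CSF_TCP_IN = "20,21,22,2211,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443,49152:65534,30000:35000"
CSF_TCP_OUT = "20,21,22,2211,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"
EPHEMERAL_RANGE = (32768, 61000)  # assumed CentOS 7 default net.ipv4.ip_local_port_range

# RFC 959 PASV reply "227 ... (h1,h2,h3,h4,p1,p2)": host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_csf_ports(spec):
    """Expand a CSF port list such as "20,21,49152:65534" into (lo, hi) ranges."""
    ranges = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def port_allowed(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

def parse_pasv(line):
    """Decode the data-channel endpoint announced in a 227 reply."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])

def check_pasv_reply(line, tcp_out=CSF_TCP_OUT):
    """In passive mode the client opens the data connection to the announced port, so on
    the client host CSF judges it against TCP_OUT. Returns (host, port, allowed)."""
    host, port = parse_pasv(line)
    return host, port, port_allowed(port, parse_csf_ports(tcp_out))

def coverage_gaps(ranges, lo, hi):
    """Sub-ranges of [lo, hi] no entry covers. In active mode the remote server connects
    back to an ephemeral client port, so a TCP_IN gap there makes transfers intermittent."""
    gaps, cur = [], lo
    for r_lo, r_hi in sorted(ranges):
        if r_hi < cur:
            continue
        if r_lo > hi:
            break
        if r_lo > cur:
            gaps.append((cur, r_lo - 1))
        cur = max(cur, r_hi + 1)
    if cur <= hi:
        gaps.append((cur, hi))
    return gaps
```

Running check_pasv_reply over the two posted 227 lines yields ports 3018 and 3932, neither of which appears in the posted TCP_OUT, and coverage_gaps shows TCP_IN admitting only part of the assumed ephemeral range.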