Problem completing connection to FTP server from FileZilla - malformed FEAT reply?

[mgreis]

I've been using FileZilla Pro for a long time to connect to FTP on a VPS running CentOS6. I just provisioned a new CentOS7 VPS and am now having problems connecting to it using FileZilla PRO 3.46.3.

The message log provides the following:

Status: Connecting to <IPADDRESSREMOVED>:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing of "/public_html"...
Command: CWD /public_html
Response: 250 OK. Current directory is /public_html
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (64,202,160,248,211,75)
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

The message log seems to indicate that the connection is being made and the directory on the server is selected. But FileZilla never displays the contents of the remote directory, then times out saying that it failed to retrieve the directory listing.

I'm using the exact same configuration in FileZilla PRO that I've been using for years for my CentOS 6 server).

I can use FTP from a Windows workstation to log in to the new server with no problems.

In an exchange on the FileZilla PRO support forums, I provided a log from a test of this server using the ftptest.net site, showing the following error: (The same test from my CentOS 6 server completes with no errors.)

Command: FEAT
Reply: 211-Extensions supported:
Reply: EPRT
Reply: IDLE
Reply: MDTM
Reply: SIZE
Reply: MFMT
Reply: REST STREAM
Reply: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Reply: MLSD
Reply: AUTH TLS
Reply: PBSZ
Reply: PROT
Reply: UTF8
Reply: TVFS
Reply: ESTA
Reply: PASV
Reply: EPSV
Error: Carriage return without line feed received

FileZilla PRO support reported back that the error indicated that:

"Your server sends a malformed FEAT reply in violation of the FTP specifications. This isn't a configuration issue, this requires fixing the server software itself."

The CentOS 6.10 server and the CentOS 7.7 server are both running cPanel 84.0.20.

Thanks for any help you can provide!

 

[cPanelLauren]

Hello,

Firstly I would like to point out that we don't recommend using FileZilla, instead, we recommend CoreFTP on Windows and Cyberduck on MAC and we offer configuration files for them.

Secondly, is the server NAT routed (meaning do you have a separate private IP and public IP as a result of a hardware appliance)? If not have you tried using ACTIVE mode only for FTP?
Furthermore, you may want to check if NAT routing is being forced: How to Edit FTP Server Configuration from the Command Line | cPanel & WHM Documentation

If you are NAT routed and need to use PASV mode - the following goes over how to enable it: How to Enable FTP Passive Mode | cPanel & WHM Documentation

 

[mgreis]

Thanks. My devices are behind a cable modem router, so NAT is in use.

Here's the thing. I've been using this configuration between FileZilla and my CentOS6 server for years. It has always worked and still does. FileZilla specifies default (neither active nor passive), so I'm not sure what's been used. The only thing that's changed is the new server (same FileZilla, same level of cPanel).

But I did see the article about enabling passive mode. Perhaps there's a new level of the FTP server in this new CentOS7 server that requires passive mode to be specified. I first try specifying passive mode from the FiileZilla client, since that is a trivial change. Nothing. I then followed the instructions in the article to add a local configuration file /var/cpanel/conf/pureftpd/local with the ForcePassiveIP: ~ entry and restarted the FTP server. Still nothing.

BTW,
- the /var/cpanel/conf/pureftpd/main file entry as configured by cPanel is explicit - ForcePassiveIP: 64.202.xxx.xxx
- when restarting the PureFTPd service, I did receive the following notice:

Jan 23 11:28:09 ip-107-180-xx-xxx.ip.secureserver.net pure-ftpd[4343]: (?@?) [DEBUG] Couldn't load the DH parameters file /etc/ssl/private/pure-ftpd-dhparams.pem

I also looked at the /var/cpanel/conf/pureftpd/mail file on the CentOS6 server where FTP is working. There is no ForcePassiveIP: statement in it.

So, to recap:
- Confiiguring explicit passive mode on the PureFTPd server didn't work
- This configuration works with no problems on the CentOS6 server

What might I try next?

Thanks!

 

[cPanelLauren]

On the new server does the firewall have the passive ports range open?

 

[mgreis]

It does. The configuration file main includes the line:

PassivePortRange: 49152 65534

Michael

 

[rackaid]

That is not the firewall but the FTP configuration. You need to check your firewall. Firewalls will block the ports unless they are opened.

iptables -nL

Will list your firewall rules. Some cPanel boxes use CSF, which you can access from WHM.

Under FTP Server Configuration, make sure TLS Encryption is set to optional. If you happen to have a stateful firewall on the server, it will not work with STARTTLS. I think Filezilla tries STARTTLS by default.

 

[arnisraido]

One thing to note - check if Your serves has "ConfigServer Security & Firewall" installed. Mine have `csf v14.02.`
FTP server with "passive" connections has to be tuned in csf.
Workaround is to add specific IP address to firewall whitelist under

ConfigServer Security & Firewall > csf > Firewall Allow IPS

Include /etc/csf/cpanel.comodo.allow
Include /etc/csf/cpanel.allow
11.22.33.44 # Manually allowed for Passive FTP 1
88.99.22.11 # Manually allowed for Passive FTP 2

Or just add Your Ip under
ConfigServer Security & Firewall > csf > Quick Allow