Problem with FTP using TTL/SSL setting (firewall block all the connection)

[phoenixweb]

Hi everybody,

I have a big problem with this setting:
- WHM -> FTP Server Configuration -> TLS Encryption Support

if I turn it on "Required" then the FTP server stop to work correctly.
I open the TTLs port on my firewall (which is 990), but i cannot understand why it try to open port > 30000
It let my user login correctly but after the login it try to open ports that is not allowed to open.

if i place the TLS Encryption Settings on "Optional", the server will use correctly the port 21 for the command and 20 for the data, and everything works fine.

Can you pls help me to fix this problem with TLS Encryption?
Recently there have been to many password steal and we cannot anymore allow login with clear password.

Thanks,
Max

 

[cPanelMichael]

Hello

It's likely the user has enabled passive FTP mode in their FTP client, or passive mode is enabled automatically in the FTP client. The default port range for passive mode with PureFTPd is:

# PassivePortRange          30000 50000

You will need to configure the FTP client to use active mode only if you prefer to keep the passive ports blocked by your firewall.

Thank you.

 

[phoenixweb]

I'm using Filezilla and set ACTIVE MODE.
But it always switch automatically to PASSIVE MODE.

Is it possible?
Does TTLS/SSL support active mode?
Which is the data/command port?

 

[cPanelMichael]

FTPS should work with active mode. Try modifying your FTP client to always use active mode if you prefer that method.

Thank you.

 

[phoenixweb]

The problem is that my connection ask to open 192.168.1.128
Why this doesn't occur with simple FTP without SSL?

Stato: Il server non supporta caratteri non ASCII.
Comando: PBSZ 0
Risposta: 200 PBSZ=0
Comando: PROT P
Risposta: 200 Data protection level set to "private"
Stato: Connesso
Stato: Lettura elenco cartelle...
Comando: PWD
Risposta: 257 "/" is your current location
Comando: TYPE I
Risposta: 200 TYPE is now 8-bit binary
Comando: PORT 192,168,1,128,240,189
Risposta: 500 I won't open a connection to 192.168.1.128 (only to 93.35.83.92)
Comando: PASV
Risposta: 227 Entering Passive Mode (81,29,220,19,56,52)

 

[cPanelMichael]

You may want to check your firewall rules to ensure they are not blocking traffic related to FTP. If you continue to experience issues, feel free to submit a ticket so we can check further:

Submit A Ticket

You can post the ticket number here so we can track the issue.

Thank you.

 

[phoenixweb]

You may want to check your firewall rules to ensure they are not blocking traffic related to FTP. If you continue to experience issues, feel free to submit a ticket so we can check further:

Submit A Ticket

You can post the ticket number here so we can track the issue.

Thank you.

Hi Micheal,

thank you.
Of course is firewall related problem.
I already checked port 20,21 and 990.

FTP command: 21
FTP data: 20
FTP TTL: 990

these port are already open and they works correctly.
If I run the standard FTP without TTLs the connection works perfectly in active mode.
Is there any other port used by active mode with TTLs that i don't know?

Let me know.

 

[cPanelMichael]

During active mode, the FTP server responds to the connection attempt and returns a connection request from a different port to the FTP client. NAT configurations block this connection request. The following document better explains this with diagrams:

Active/Passive FTP - cPanel Docs

You will need to open additional ports if your FTP client is defaulting to passive mode. There is a guide on this at:

FTP Ports for Passive Mode - cPanel Docs

Thank you.