PureFTP doesn't work with Explicit over TLS

Discussion in 'General Discussion' started by Mise, Jun 18, 2018.

  1. Mise

    Mise Active Member

    Joined:
    May 15, 2011
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    I'm using Filezilla, passive mode.

    With plain authentication all works right.


    However, with Explicit over TLS, the login is successful but later it hangs displaying this error:
    Code:
    227 Entering Passive Mode (...
    MLSD
    Error: The data connection could not be established: ETIMEDOUT - Connection attempt timed out
    

    I have firewall ports 60000:60100 open for passive mode

    Also I have tried with 30000:35000 ports, with same result.


    Please, some help to solve this issue
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,341
    Likes Received:
    57
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Not only do you have to have the appropriate inbound TCP ports open in the firewall, but you must also have pureFTPD set up to use those ports.

    1. In csf.conf, make sure you have 30000:35000 or 60000:60100 added to the TCP_IN line

    2. In /etc/pureftpd.conf make sure you have PassivePortRange uncommented and set

    ex:

    PassivePortRange 30000 35000

    or

    PassivePortRange 60000 60100

    3. /scripts/restartsrv_pureftpd

    Mike
     
  3. Mise

    Mise Active Member

    Joined:
    May 15, 2011
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    yes.. I have:

    Code:
    # cat /var/cpanel/conf/pureftpd/local
    
    ForcePassiveFTP: ~
    PassivePortRange: 60000 60100
    
    
    #/scripts/restartsrv_pureftpd
    
    Waiting for “pureftpd” to restart ………waiting for “pureftpd” to initialize ………finished.
    
    Service Status
            pure-ftpd (pure-ftpd (SERVER)) is running as root with PID 8380 (pidfile+/proc check method).
    
    Startup Log
            Starting pure-config.pl: [  OK  ]
            Starting pure-authd:
    
    pureftpd restarted successfully
    

    inside /etc/csf/csf.conf
    Code:
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2078,2080,2083,2087,2096,60000:60100"
    
    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,465,587,2078,2080,2083,2087"
    
    
    PORTS_ftpd = "20,21"
    
    Is this right?


    thanks!
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,341
    Likes Received:
    57
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Yes, that is right. Just do it and test it.

    M
     
  5. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,341
    Likes Received:
    57
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Oh, I forgot -- You need to restart CSF as well, if you haven't already.

    M
     
  6. Mise

    Mise Active Member

    Joined:
    May 15, 2011
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    I restarted csf but it doesn't work.

    Code:
    Logged in
    Retrieving directory listing of "/public_html"...
    CWD /public_html
    250 OK. Current directory is /public_html
    TYPE I
    200 TYPE is now 8-bit binary
    PASV
    227 Entering Passive Mode (x.x.x.x.)
    MLSD
    Error:    The data connection could not be established: ETIMEDOUT - Connection attempt timed out
    Error:    Connection timed out after 40 seconds of inactivity
    

    inside /var/log/messages there is no problem with TLS:

    Code:
    #tail -f /var/log/messages
    Jun 18 21:41:10 host pure-ftpd: (?@x.x.x.x) [INFO] New connection from x.x.x.x
    Jun 18 21:41:10 host pure-ftpd: (?@x.x.x.x) [INFO] TLS: Enabled TLSv1/SSLv3 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
    

    Some idea or help or more things to check?

    thanks for your help!
     
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,341
    Likes Received:
    57
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    No more from me. It's a pretty simple process: (1) add PassivePortRange in FTP and restart the FTP server, and (2) add those ports in TCP_IN in CSF and restart CSF.

    M
     
  8. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    714
    Likes Received:
    120
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Does it work if you disable CSF?

    Code:
    csf -x
     
  9. Mise

    Mise Active Member

    Joined:
    May 15, 2011
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    mtindor, thanks anyway for your time :)

    Don't know what happens with this..
     
  10. Mise

    Mise Active Member

    Joined:
    May 15, 2011
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    I don't know really. My server is under constant attacks all the time and I do not dare to disable csf&lfd. Some users keep very weak passwords.


    I have changed the passive ports to a wider range of 53000:55000
    and now I can retrieve the directory list with Filezilla. However, when I go to other folders there is a long delay in some folders, and sometimes the connection is lost

    I'm not sure if pureftpd is returning the passive ports connections with ipv6:
    (server: 11.11.11.11 / my ip: 22.22.22.22 )

    Code:
    # netstat -atpn | grep ftp
    tcp        0      0 11.11.11.11:61814           0.0.0.0:*                   LISTEN      3312/proftpd: class
    tcp        0      0 :::21                       :::*                        LISTEN      31225/proftpd
    tcp        0      0 ::ffff:11.11.11.11:21       ::ffff:22.22.22.22:53295 ESTABLISHED 3312/proftpd: class
    
    What do you think? I'm not sure about the netstat output.

    I ask this because I have the ipv6 disabled in the server and perhaps it can be the cause.
     
  11. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    714
    Likes Received:
    120
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Instead of disabling CSF, just whitelist your IP address like so:

    Code:
    csf -a 2.2.2.2
    This will bypass CSF for that IP alone, does the issue persist?

    basically, you want to narrow down the issue, is it CSF or not, then go from there.
     
  12. Mise

    Mise Active Member

    Joined:
    May 15, 2011
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    Yes, my IP is inside the csf whitelist and the issue persists.

    I believe the point is that the plain connection works flawlessly; the only problem is with TLS. However, the starting TLS connection is established without problems. And passive ports are well configured. CSF is well configured, otherwise the plain connection would also suffer the same problem with passive ports.

    The problem is in the TLS communication itself, which is very slow. There is not enough time to retrieve the folder contents and the communication is ended even with "keep alive". And later Filezilla tries to connect again to recover the last operation. A nightmare.

    Maybe the solution can be in some pureftp parameters, although this ftp software is really a shame both in structure and documentation. I wonder why such anti-human software is allowed in the world. Seems to be a dark design for the author and his friends, to talk about its problems in the launch time

    "When TLS has been successfully negociated for a connection, you'll see
    something similar to this in log files :
    <<
    TLS: Enabled TLSv1.2 with AES256-SHA, 256 secret bits cipher
    >>"

    https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

    end of help. Good luck

    I'm quite frustrated with this. I will leave it for another day or maybe I will install Proftp or another thing. Problem is when quite users are forced to use plain connection although not really an urgency at all.


    Anyway, thanks a lot for your help! :)
     
  13. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,835
    Likes Received:
    134
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Mise

    CSF should automatically enable the passive FTP ports, though this issue does sound like there's an issue with passive mode over TLS. Would you mind opening a ticket using the link in my signature so that we can take a closer look? In this instance, it would be easier to troubleshoot the issue with access to the server. Once the ticket is open please reply with the ticket ID so we can update this thread with the outcome.


    Thanks!
     
  14. IndicHosts.net

    IndicHosts.net Active Member

    Joined:
    Mar 11, 2006
    Messages:
    37
    Likes Received:
    3
    Trophy Points:
    158
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Check the pure-ftpd.conf and check if the value of ForcePassiveIP is set. If enabled, it should be set to your public IP address. Remember to restart pure-ftp after saving any changes.
     
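An added diagnostic example (not part of any post in this thread, and not cPanel or Pure-FTPd code): it parses the `227 Entering Passive Mode` reply from the client log and checks the advertised address and port against the passive range and the csf `TCP_IN` value quoted above. Under TLS the control channel is encrypted, so a firewall cannot read the 227 reply to open the data port dynamically; the advertised port must already be allowed. The 227 replies in the thread are redacted, so the replies used here are constructed from the 11.11.11.11 address and the 61814 port shown in the thread's netstat output.

```python
import ipaddress
import re

# Values copied from the thread's posted configuration.
PASSIVE_PORT_RANGE = (60000, 60100)  # PassivePortRange: 60000 60100
CSF_TCP_IN = ("20,21,22,25,53,80,110,143,443,465,587,993,995,"
              "2078,2080,2083,2087,2096,60000:60100")

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    match = PASV_RE.match(reply.strip())
    if not match:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    fields = [int(x) for x in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.ip_address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]  # port = p1 * 256 + p2


def csf_port_allowed(port, tcp_in):
    """True if port matches a single port or a lo:hi range in a TCP_IN value."""
    for item in tcp_in.split(","):
        lo, _, hi = item.strip().partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def diagnose(reply, passive_range=PASSIVE_PORT_RANGE, tcp_in=CSF_TCP_IN):
    """List reasons a client could fail to open the advertised data connection."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip.is_private:
        # Typical when the server sits behind NAT and ForcePassiveIP is unset.
        problems.append("advertised address %s is private or reserved" % ip)
    if not passive_range[0] <= port <= passive_range[1]:
        problems.append("port %d is outside the configured passive range" % port)
    if not csf_port_allowed(port, tcp_in):
        problems.append("port %d is not allowed by TCP_IN" % port)
    return problems
```

Paste the unredacted 227 line from the FileZilla log into `diagnose()`; an empty list means the advertised endpoint is consistent with both configurations, so the fault lies elsewhere.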
  15. Mise

    Mise Active Member

    Joined:
    May 15, 2011
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    51
    Just to say, all was solved after changing to ProFtpd, without needing to change anything in the config except passive ports to 30000:35000. Both Filezilla modes, "simple" and "explicit over TLS", work well.
    I assume the problem was Pureftpd with TLS. I don't know the cause. No more time to waste with pureftpd.
     
  16. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,835
    Likes Received:
    134
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Mise

    Thanks for letting us know, though if you do ever need to switch back to PureFTPd and you encounter the same issue please feel free to open a ticket in regard to this.

    Thanks!
     