PureFTP doesn't work with Explicit over TLS

[Mise]

I'm using Filezilla, passive mode.

With plain authentication all works right.


However, with Explicit over TLS, the login is succesful but later it hangs displaying this error:

227 Entering Passive Mode (...
MLSD
Error: The data connection could not be established: ETIMEDOUT - Connection attempt timed out

I have firewall ports 60000:60100 open for passive mode

Also I have tried with 30000:35000 ports, with same result.


Please, some help to solve this issue

 

[mtindor]

Not only do you have to have the appropriate inbound TCP ports open in the firewall, but you must also have pureFTPD set up to use those ports.

1. In csf.conf, make sure you have 30000:35000 or 60000:60100 added to the TCP_IN line

2. In /etc/pureftpd.conf make sure you have PassivePortRange uncommented and set

ex:

PassivePortRange 30000 35000

or

PassivePortRange 60000:60100

3. /scripts/restartsrv_pureftpd

Mike

 

[Mise]

yes.. I have:

# cat /var/cpanel/conf/pureftpd/local

ForcePassiveFTP: ~
PassivePortRange: 60000 60100


#/scripts/restartsrv_pureftpd

Waiting for “pureftpd” to restart ………waiting for “pureftpd” to initialize ………finished.

Service Status
        pure-ftpd (pure-ftpd (SERVER)) is running as root with PID 8380 (pidfile+/proc check method).

Startup Log
        Starting pure-config.pl: [  OK  ]
        Starting pure-authd:

pureftpd restarted successfully

inside /etc/csf/csf.conf

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2078,2080,2083,2087,2096,60000:60100"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,465,587,2078,2080,2083,2087"


PORTS_ftpd = "20,21"

Is this right?


thanks!

 

[mtindor]

Yes, that is right. Just do it and test it.

M

 

[mtindor]

Oh, I forgot -- You need to restart CSF as well, if you haven't already.

M

 

[Mise]

I restart csf but it doesn't work ..

Logged in
Retrieving directory listing of "/public_html"...
CWD /public_html
250 OK. Current directory is /public_html
TYPE I
200 TYPE is now 8-bit binary
PASV
227 Entering Passive Mode (x.x.x.x.)
MLSD
Error:    The data connection could not be established: ETIMEDOUT - Connection attempt timed out
Error:    Connection timed out after 40 seconds of inactivity

inside /var/log/messages there is no problem with TLS:

#tail -f /var/log/messages
Jun 18 21:41:10 host pure-ftpd: ([email protected]) [INFO] New connection from x.x.x.x
Jun 18 21:41:10 host pure-ftpd: ([email protected]) [INFO] TLS: Enabled TLSv1/SSLv3 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher

Some idea or help or more things to check?

thanks for your help!

 

[mtindor]

No more from me. It's a pretty simple process. (1) add PassivePortRange in FTP and restart FTP server and (b) add those ports in TCP_IN in CSF and restart CSF.

M

 

[Jcats]

Does it work if you disable CSF?

csf -x

 

[Mise]

mttindor thanks anyway for your time

Don't know what happens with this..

 

[Mise]

Does it work if you disable CSF?

csf -x

I don't know really. My server is under constant attacks all the time and I do not dare to disable csf&lfd. Some users keeps very weak passwords.


I have changed the passive ports to a wider range of 53000:55000
and now I can retrieve the directory list with Filezilla. However, when I go to other folders there is a long delay in some folders, and sometimes the connection is lost

I'm not sure if pureftpd is returning the passive ports connections with ipv6:
(server: 11.11.11.11 / my ip: 22.22.22.22 )

# netstat -atpn | grep ftp
tcp        0      0 11.11.11.11:61814           0.0.0.0:*                   LISTEN      3312/proftpd: class
tcp        0      0 :::21                       :::*                        LISTEN      31225/proftpd
tcp        0      0 ::ffff:11.11.11.11:21       ::ffff:22.22.22.22:53295 ESTABLISHED 3312/proftpd: class

What do you think? I'm not sure about the netstat output.

I ask this because I have the ipv6 disabled in the server and perhaps it can be the cause.

 

[Jcats]

Instead of disabling CSF, just whitelist your IP address like so:

csf -a 2.2.2.2

This will bypass CSF for that IP alone, does the issue persist?

basically, you want to narrow down the issue, is it CSF or not, then go from there.

 

[Mise]

yes, my ip is inside csf white list and the issue persist.

I believe the point is the plain connection works flawlessly, the only problem is with TLS. However, the starting TLS connection is established without problems. And passive ports are well configured. The Csf is well configured otherwise the plain connection also would suffer the same problem with passive ports

The problem is in the TLS communication itself which is very slow. There is no enough time to retrieve the folder contents and the communication is ended even with "keep alive". And later the Filezilla try to connect again to recover the last operation. A nightmare

Maybe the solution can be in some pureftp parameters, although this ftp software is really a shame both in structure and documentation. I wonder why such anti-human software is allowed in the world. Seems to be a dark design for the author and his friends, to talk about its problems in the launch time

"When TLS has been successfully negociated for a connection, you'll see
something similar to this in log files :
<<
TLS: Enabled TLSv1.2 with AES256-SHA, 256 secret bits cipher
>>"

https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS
end of help. Good luck

I'm quite frustrated with this. I will leave it for another day or maybe I will install Proftp or another thing. Problem is when quite users are forced to use plain connection although not really an urgency at alll.


Anyway, thanks a lot for you help!

 

[cPanelLauren]

Hi @Mise

CSF should automatically enable the passive FTP ports, though this issue does sound like there's an issue with passive mode over TLS. Would you mind opening a ticket using the link in my signature so that we can take a closer look? In this instance, it would be easier to troubleshoot the issue with access to the server. Once the ticket is open please reply with the ticket ID so we can update this thread with the outcome.


Thanks!

 

[IndicHosts.net]

Check the pure-ftpd.conf and check if the value of ForcePassiveIP is set. If enable it should be set to your public ip address. Remember to restart pure-ftp after saving any changes

 

[Mise]

just to say, all was solved after change to ProFtpd, without need to change any thing in the config except passive ports to 30000:35000. Both Filezilla modes "simple" and "explicit over TLS" works well.
I assume the problem was Pureftpd with TLS. I don't know the cause. No more time to waste with pureftpd

 

[cPanelLauren]

Hi @Mise

Thanks for letting us know, though if you do ever need to switch back to PureFTPd and you encounter the same issue please feel free to open a ticket in regard to this.

Thanks!