The Community Forums


Secure TLS for Pure-FTPd

Discussion in 'General Discussion' started by dezignguy, Oct 26, 2004.

  1. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    I'm trying to get TLS secured connections for pure-ftp going... since the new pure-ftpd is supposed to support it.

    I've followed the application instructions here

    basically, just making sure to start pureftpd with the flag '--tls=1' and having 'TLS 1' in the /etc/pure-ftpd.conf file. Restarted pure-ftpd... now I can login with tls from my client (the latest Filezilla)...

    Command: AUTH TLS
    Response: 234 AUTH TLS OK.
    Status: SSL connection established. Waiting for welcome message...


    It keeps going... I login successfully... it's all fine until it gets to the directory listing... then it dies there...

    Command: LIST -a
    Error: Timeout detected!
    Error: Could not retrieve directory listing

    So I figure, ok... it must be a passive vs active issue, perhaps with a firewall or the fxp connection. However, setting the connection to passive still fails the directory listing... though it doesn't actually disconnect the connection then.

    Command: LIST -a
    Response: 150 Accepted data connection
    Error: Can't establish SSL connection
    Error: Could not retrieve directory listing
    Response: 226-Options: -a -l
    Response: 226 20 matches total

    I also disabled the server firewall and my local firewall... still no joy.

    Anyone have any ideas? Does anyone have tls working for pure-ftp and cpanel? I'm thinking of possibly trying another client... but filezilla seems to have support for TLS.
     
  2. sleddog

    sleddog Active Member

    Joined:
    Jun 13, 2004
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Labrador, Canada
    I ran into exactly the same issue with Filezilla. Then I tried Core FTP -- http://www.coreftp.com -- which also supports TLS. Works just fine.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I believe the issue is to do with PASV, you cannot use passive mode when connecting using SSL secured FTP as the protocol simply doesn't understand it. Try turning PASV mode off for your connection in your FTP client, then try again.
     
  4. sleddog

    sleddog Active Member

    Joined:
    Jun 13, 2004
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Labrador, Canada
    Turning passive mode off is not an option for me as I'm behind a firewall. Using Core FTP, PASV works fine with AUTH TLS.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Quite right too - I should have qualified that: you wouldn't be able to USE FTP over SSL and PASV mode if you had a fully configured iptables firewall on your server - at least that's how it's always been.
     
  6. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Yes, I figured the directory listing problem was something to do with PASV mode on/off... however, it still doesn't work either way. I also turned off every firewall.. locally, and on the server.

    Using active mode under filezilla, the directory listing times out and the connection is dropped.

    Using PASV mode... the directory listing times out, but it appears to remain connected.

    I've tried all the SSL/TLS and Implicit/Explicit modes in various combinations as well.

    I still haven't figured it out... haven't really put much time into it... but I'll try it with CoreFTP.
     
  7. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Well CoreFTP doesn't work for me either... I'm wondering if it has a problem with the FXP transfer. I'm always on a local lan, so my computer has an internal ip address, never a public ip. I wonder if that might have something to do with it. Though normal ftp is fine, without PASV mode.

    I don't know what's up with it... perhaps I need to look more carefully at the server configuration.
     
  8. sleddog

    sleddog Active Member

    Joined:
    Jun 13, 2004
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Labrador, Canada
    I'm also on an internal network, behind a firewall and a NAT box. Are you sure you have 'AUTH TLS' selected for the connection in Core FTP's Site Manager? (I think 'AUTH SSL' is the default setting, which doesn't work). My pure-ftpd is a default, out-of-the-box cPanel setup.
     
  9. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Yep... Auth TLS is the only one that even starts to work.

    I have a few things still to try, so I'll work on those and see if I can get it working.
     
  10. Valetia

    Valetia Well-Known Member

    Joined:
    Jun 20, 2002
    Messages:
    207
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    So has anyone figured out how to use FTP with TLS through a firewall?
     
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    My posts are as relevant today as they were a year ago before you dug up this thread. You cannot use FTP over SSL/TLS with an SPI firewall. For it to work you would have to open a static ephemeral port range and thus effectively disable SPI and reduce your security to a static firewall instead.
     
  12. Valetia

    Valetia Well-Known Member

    Joined:
    Jun 20, 2002
    Messages:
    207
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Thanks. Is there a way then to have any sort of secure FTP on Cpanel servers using pure-FTPd without providing SSH access?
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yes, by using a static firewall instead of an SPI one. Otherwise SFTP is your only solution, which, if you don't want to allow shell access, you could use with a restrictive shell such as rssh:
    http://www.pizzashack.org/rssh/index.shtml
     
  14. spector

    spector Well-Known Member

    Joined:
    Jun 27, 2005
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    I have the same problem. I try to use TLS auth. Login goes OK, but then a timeout after any directory listing command.

    My firewall blocks (almost) every incoming and outgoing port.

    So passive mode will not work because incoming ports are blocked, and active mode won't because outgoing ports are blocked.

    When not using TLS my SPI firewall guesses well when to open a port and when not. But after authorization in TLS it does not... but it should. Only the authorization was made in TLS (you can set it in the FTP client). The file listing isn't made in TLS, so a smart SPI firewall should be able to catch it and open the port. However, I don't know such a firewall. Perhaps YOU do?

    It sounds so easy... to encrypt passwords passed on port 21, but it's such a complicated matter.

    If anyone wants to run FTP with TLS with passive connections then he must unblock some wide range for his passive ports (set it in /etc/...). Every connection needs a new port so it should be a lot...

    If anyone wants to run FTP with TLS with active connections then he must unlock all outgoing ports or tell his customers to set their FTP clients to make the server connect in active mode on their local port XXX (PORT commands).

    Note that not every customer will be able to use active connections, because not everybody has access to a public IP of their own or the port specified by you (they can be behind NAT and the NAT can be out of their control to port forward).



    Someone smart could also write something to patch up an SPI firewall with static open ports... let's say I've opened ports 2000-2400 for FTP (passive) connections. Why should I do it? Because some application out of my control can bind to these ports and start to listen on them. So this program would need to bind onto all ports 2000-2400, disallowing listening on these ports, but release a port as soon as the FTP program requests it. Then bind onto it again. Don't know if it would be possible, and probably the FTP program would need a separate connection to this binding program. Guess nobody will do it... so let's forget it.
     
    #14 spector, Aug 18, 2005
    Last edited: Aug 18, 2005
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You simply cannot use FTP over SSL/TLS with an SPI firewall, it won't work by design, even if you're only using it for authentication.
     
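The reason chirpy gives above (an SPI firewall cannot follow FTP over TLS, even when only the login is encrypted) is easy to see once you look at what a stateful firewall's FTP helper actually reads. Below is an added example for this thread, not code from pure-ftpd, cPanel, shorewall or any kernel conntrack helper: a toy helper that parses the cleartext control channel for PASV/EPSV replies and PORT commands, run over two constructed sessions. In the TLS session the client even sends PROT C so the data channel stays cleartext, as spector describes, but the PASV reply that names the data port still travels inside the encrypted control channel, so the helper learns nothing and the firewall is reduced to a static accept for a fixed port range. The addresses, the control-channel lines and the TLS stand-in (a digest in place of real encryption) are all constructed.

```python
"""
Why a stateful (SPI) firewall's FTP helper can follow plain-FTP data
connections but goes blind once the control channel is wrapped in TLS.

Added example for this thread; not code from pure-ftpd, cPanel, shorewall
or any kernel conntrack helper.  The helper below mimics what such a
helper does: it reads the cleartext control channel, spots PASV/EPSV
replies and PORT commands, and works out which data connection to let
through.  All addresses and control-channel lines are constructed.
"""
import hashlib
import re
from typing import List, Optional, Tuple

SERVER_IP = "203.0.113.10"   # constructed (documentation range)
CLIENT_IP = "192.168.1.20"   # constructed NAT'd client, as in the thread

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): server listens on p1*256+p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
# PORT h1,h2,h3,h4,p1,p2: client listens on p1*256+p2, server connects out
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

Endpoint = Tuple[str, str, int]   # (direction, host, port)


def expected_data_endpoint(line: str) -> Optional[Endpoint]:
    """Endpoint a helper would open for one cleartext control line, or None."""
    m = PASV_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        return ("client->server", host, int(m.group(5)) * 256 + int(m.group(6)))
    m = EPSV_RE.match(line)
    if m:
        return ("client->server", SERVER_IP, int(m.group(1)))
    m = PORT_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        return ("server->client", host, int(m.group(5)) * 256 + int(m.group(6)))
    return None


def tls_wrap(line: str) -> bytes:
    """Stand-in for a TLS application-data record carrying `line`.

    Real TLS would encrypt with the negotiated cipher; a digest is enough to
    show that the helper sees a record header plus opaque bytes, not ASCII.
    """
    body = hashlib.sha256(line.encode()).digest()
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body


def build_session(with_tls: bool) -> List[bytes]:
    """Constructed control-channel payloads for one login followed by LIST."""
    packets: List[bytes] = []
    if with_tls:
        # AUTH TLS and its reply are the last cleartext lines on port 21.
        packets += [b"AUTH TLS\r\n", b"234 AUTH TLS OK.\r\n"]
    lines = ["USER dezignguy", "331 User dezignguy OK. Password required",
             "PASS hunter2", "230 OK. Current directory is /"]
    if with_tls:
        # PROT C keeps the *data* channel cleartext (spector's scenario);
        # the PASV reply still travels on the encrypted control channel.
        lines += ["PROT C", "200 PROT now Clear."]
    lines += ["PASV", "227 Entering Passive Mode (203,0,113,10,156,88)",
              "LIST -a", "150 Accepted data connection"]
    for line in lines:
        packets.append(tls_wrap(line) if with_tls else line.encode() + b"\r\n")
    return packets


def helper_view(packets: List[bytes]) -> List[Endpoint]:
    """Run the helper over raw control-channel payloads; return what it learned."""
    found: List[Endpoint] = []
    for payload in packets:
        try:
            line = payload.decode("ascii").rstrip("\r\n")
        except UnicodeDecodeError:
            continue          # ciphertext: nothing to parse
        ep = expected_data_endpoint(line)
        if ep:
            found.append(ep)
    return found


def static_rule_covers(ep: Endpoint, lo: int, hi: int) -> bool:
    """What the firewall is reduced to once the helper is blind: a static
    inbound accept for the configured PassivePortRange."""
    return ep[0] == "client->server" and lo <= ep[2] <= hi


if __name__ == "__main__":
    print("plain FTP, helper sees:", helper_view(build_session(False)))
    print("FTP over TLS, helper sees:", helper_view(build_session(True)))
    print("static 40000:40100 covers the PASV port:",
          static_rule_covers(("client->server", SERVER_IP, 40024), 40000, 40100))
```

Note what the helper would need and never gets: the `227` reply is the only place the server's data port appears, and after `234 AUTH TLS OK.` every byte of it is ciphertext. This holds for active mode too, since the `PORT` command is equally hidden, which is why neither mode works through an SPI firewall until a fixed passive range is opened statically.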
  16. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Could the shorewall firewall be considered an SPI firewall?

    While FTP connects using port 21, I noticed that FTP over TLS needs an open random port between 1000 and 65535... (I have seen it monitoring the shorewall log).

    How could I force FTP over TLS to always use the same port, for example port 1000?

    Thanks
     
  17. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You would need to edit the configuration file, e.g. /etc/pure-ftpd.conf, and uncomment a passive port range (there's an example in there). You should pick a range, not a single port, as each connection needs its own port. Around 500 ports should be more than enough. You then need to leave them open in your firewall configuration, which does indeed make it effectively a static firewall, but there's little option if you want FTP over SSL/TLS.
     
  18. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    I tried that way too but it doesn't work...

    I set a range of

    50000 50400

    as the passive port range in the pure-ftpd conf file and restarted pure-ftpd,

    then on the firewall I opened outbound 50000-50400.

    Now, I tried to login using FTP over TLS but FTP times out at LIST.

    Monitoring with the shorewall logwatch I have seen that, having set a pure-ftpd passive range,
    FTP "over TLS" now uses a random port also for the source port SPT=2111 (!)
    and a port in the range (50000-50400) for the destination port DPT=50344.

    So to login now I should open inbound ports (SPT) from 1024 to 65535!

    :confused:
     
    #18 Radio_Head, Sep 30, 2005
    Last edited: Sep 30, 2005
  19. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Instead of opening it for outbound I opened it for inbound and it seems to work ;)


    So, the "how-to use FTP over TLS with the shorewall firewall" is to add this rule
    to /etc/shorewall/rules

    #inbound
    ACCEPT net fw tcp 40000:40100

    (100 ports should be enough)

    and in the pure-ftpd.conf file

    PassivePortRange 40000 40100

    Of course restart FTP and the firewall.

    On your FTP client choose "FTP over TLS" and choose passive mode (don't use auto or active mode!). With Filezilla this how-to works!
     
    #19 Radio_Head, Sep 30, 2005
    Last edited: Sep 30, 2005
  20. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Whaddya know... it works for me now (all firewalls up, so passive mode). I made NO changes though, at least to any config files.

    New versions of Filezilla, as well as pure-ftpd are used. So maybe there was a bugfix in one of those.
     