dezignguy

Well-Known Member
Sep 26, 2004
I'm trying to get TLS secured connections for pure-ftp going... since the new pure-ftpd is supposed to support it.

I've followed the application instructions here

basically, just making sure to start pureftpd with the flag '--tls=1' and having 'TLS 1' in the /etc/pure-ftpd.conf file. Restarted pure-ftpd... now I can log in with TLS from my client (the latest Filezilla)...

Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: SSL connection established. Waiting for welcome message...


It keeps going... I login successfully... it's all fine until it gets to the directory listing... then it dies there...

Command: LIST -a
Error: Timeout detected!
Error: Could not retrieve directory listing

So I figure, ok... it must be a passive vs active issue, perhaps with a firewall or the fxp connection. However, setting the connection to passive still fails the directory listing... though it doesn't actually disconnect the connection then.

Command: LIST -a
Response: 150 Accepted data connection
Error: Can't establish SSL connection
Error: Could not retrieve directory listing
Response: 226-Options: -a -l
Response: 226 20 matches total

I also disabled the server firewall and my local firewall... still no joy.

Anyone have any ideas? Does anyone have tls working for pure-ftp and cpanel? I'm thinking of possibly trying another client... but filezilla seems to have support for TLS.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
I believe the issue is to do with PASV, you cannot use passive mode when connecting using SSL secured FTP as the protocol simply doesn't understand it. Try turning PASV mode off for your connection in your FTP client, then try again.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Quite right too - I should have qualified that: You wouldn't be able to USE FTP over SSL and PASV mode if you had a fully configured iptables firewall on your server - at least that's how it's always been.
 

dezignguy

Well-Known Member
Sep 26, 2004
Yes, I figured the directory listing problem was something to do with PASV mode on/off... however, it still doesn't work either way. I also turned off every firewall... locally, and on the server.

Using active mode under filezilla, the directory listing times out and the connection is dropped.

Using PASV mode... the directory listing times out, but it appears to remain connected.

I've tried all the SSL/TLS and Implicit/Explicit modes in various combinations as well.

I still haven't figured it out... haven't really put much time into it... but I'll try it with CoreFTP.
 

dezignguy

Well-Known Member
Sep 26, 2004
Well, CoreFTP doesn't work for me either... I'm wondering if it has a problem with the FXP transfer. I'm always on a local LAN, so my computer has an internal IP address, never a public IP. I wonder if that might have something to do with it. Though normal FTP is fine, without PASV mode.

I don't know what's up with it... perhaps I need to look more carefully at the server configuration.
 

sleddog

Active Member
Jun 13, 2004
Labrador, Canada
I'm also on an internal network, behind a firewall and a NAT box. Are you sure you have 'AUTH TLS' selected for the connection in Core FTP's Site Manager? (I think 'AUTH SSL' is the default setting, which doesn't work). My pure-ftpd is a default, out-of-the-box cPanel setup.
 

dezignguy

Well-Known Member
Sep 26, 2004
Yep... Auth TLS is the only one that even starts to work.

I have a few things still to try, so I'll work on those and see if I can get it working.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
My posts are as relevant today as they were a year ago before you dug up this thread. You cannot use FTP over SSL/TLS with an SPI firewall. For it to work you would have to open a static ephemeral port range and thus effectively disable SPI and reduce your security to a static firewall instead.
 

Valetia

Well-Known Member
Jun 20, 2002
cPanel Access Level
Root Administrator
chirpy said:
My posts are as relevant today as they were a year ago before you dug up this thread. You cannot use FTP over SSL/TLS with an SPI firewall. For it to work you would have to open a static ephemeral port range and thus effectively disable SPI and reduce your security to a static firewall instead.
Thanks. Is there a way then to have any sort of secure FTP on cPanel servers using pure-FTPd without providing SSH access?
 

spector

Well-Known Member
Jun 27, 2005
I have the same problem. I try to use TLS auth. Login goes OK, but then it times out after any directory listing command.

My firewall blocks (almost) every incoming and outgoing port.

So passive mode will not work because incoming ports are blocked, and active mode won't because outgoing ports are blocked.

When not using TLS my SPI firewall guesses well when to open a port and when not. But after authorization in TLS it does not... but it should. Only the authorization was made in TLS (you can set it in the FTP client). File listing isn't made in TLS, so a smart SPI firewall should be able to catch it and open the port. However, I don't know such a firewall. Perhaps YOU do?

It sounds so easy... to encrypt passwords passed on port 21, but it's such a complicated matter.

If anyone wants to run FTP with TLS with passive connections then he must unblock some wide range for his passive ports (set it in /etc/...). Every connection needs a new port, so it should be a lot...

If anyone wants to run FTP with TLS with active connections then he must unlock all outgoing ports or tell his customers to set their FTP clients to make the server connect in active mode on their local port XXX (PORT commands).

Note that not every customer will be able to use active connections, because not everybody has access to a public IP of their own or to the port specified by you (they can be behind NAT, and the NAT can be out of their control to port forward).

Someone smart could also write something to patch up the SPI firewall with static open ports... let's say I've opened ports 2000-2400 for FTP (passive) connections. Why should I do it? Because some application out of my control can bind to these ports and start to listen on them. So this program would need to bind onto all ports 2000-2400, disallowing listening on these ports, but release a port as soon as the FTP program requests it. Then bind onto it again. Don't know if it would be possible, and probably the FTP program would need a separate connection to this binding program. Guess nobody will do it... so let's forget it.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
You simply cannot use FTP over SSL/TLS with an SPI firewall, it won't work by design, even if you're only using it for authentication.
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
Could the shorewall firewall be considered an SPI firewall?

While FTP connects using port 21, I noticed that FTP over TLS needs an open random port between 1000 and 65535.... (I have seen it monitoring the shorewall log).

How could I force FTP over TLS to always use the same port, for example port 1000?

Thanks
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
You would need to edit the configuration file, e.g. /etc/pure-ftpd.conf, and comment in a passive port range (there's an example in there). You should pick a range, not a single port, as each connection needs its own port. Around 500 ports should be more than enough. You then need to leave them open in your firewall configuration, which does indeed make it effectively a static firewall, but there's little option if you want FTP over SSL/TLS.
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
I tried that way too, but it doesn't work...

I set a passive port range of

50000 50400

in the pureftp conf file and restarted pureftpd.

Then on the firewall I opened outbound 50000 50400.

Now, I tried to log in using FTP over TLS, but FTP times out at LIST.

Monitoring with shorewall logwatch I have seen that, having set a pureftp passive range,
FTP "over tls" now uses a random port also for the source port SPT=2111 (!)
and a port in the range (50000-50400) for the destination port DPT=50344.

So to log in now I should open inbound ports (SPT) from 1024 to 65535!

 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
Instead of opening it for outbound, I opened it for inbound, and it seems to work ;)


So, the "how-to use FTP over TLS using the shorewall firewall" is to add this rule
in /etc/shorewall/rules

#inbound
ACCEPT net fw tcp 40000:40100

(100 ports should be enough)

and in the pure-ftpd.conf file

PassivePortRange 40000 40100

Of course, restart FTP and the firewall.

On your FTP client choose "ftp over tls" and choose Passive mode (don't use auto or active mode!). With Filezilla this howto works!
 
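As an added worked example (not posted by anyone in this thread), a small Python check of the two pieces the howto above ties together: the PassivePortRange in pure-ftpd.conf and the shorewall ACCEPT rule must cover exactly the same ports, and the data port a client derives from a 227 PASV reply must land inside that range. The config fragments and the 227 reply are constructed samples; pasv_port also shows what an SPI helper would have to read from the control channel, which is exactly what the TLS wrapping chirpy describes hides from it.

```python
import re

# Constructed sample config fragments modelled on the thread, not real server files.
PURE_FTPD_CONF = """
PassivePortRange 40000 40100
TLS 1
"""

SHOREWALL_RULES = """
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     fw    tcp    21
ACCEPT   net     fw    tcp    40000:40100
"""

def passive_range(conf):
    """(low, high) from an active PassivePortRange line, or None if absent or commented out."""
    m = re.search(r"^\s*PassivePortRange\s+(\d+)\s+(\d+)", conf, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def inbound_tcp_ports(rules):
    """TCP ports a shorewall rules file ACCEPTs from net to fw (ranges are written lo:hi)."""
    ports = set()
    for line in rules.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ACCEPT" or fields[1:4] != ["net", "fw", "tcp"]:
            continue  # comments, blank lines and unrelated rules
        for spec in fields[4].split(","):
            lo, _, hi = spec.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def pasv_port(reply):
    """Data port derived from a cleartext '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply: p1*256 + p2. Under AUTH TLS this reply is encrypted, so a stateful firewall
    helper cannot read it; the static range checked below is what replaces that."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    return int(m.group(5)) * 256 + int(m.group(6))

def check(conf, rules):
    """Report whether the firewall opens exactly the configured passive range (plus port 21)."""
    rng = passive_range(conf)
    if rng is None:
        return {"ok": False, "reason": "PassivePortRange not set in pure-ftpd.conf"}
    wanted = set(range(rng[0], rng[1] + 1))
    opened = inbound_tcp_ports(rules) - {21}
    missing, extra = sorted(wanted - opened), sorted(opened - wanted)
    return {"ok": not missing and not extra, "range": rng, "missing": missing, "extra": extra}
```

A non-empty "extra" list is the case Radio_Head worried about in the previous post (opening 1024-65535), a non-empty "missing" list reproduces the LIST timeout.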

dezignguy

Well-Known Member
Sep 26, 2004
Whaddya know... it works for me now (all firewalls up, so passive mode). I made NO changes though, at least to any config files.

New versions of Filezilla, as well as pure-ftpd, are being used. So maybe there was a bugfix in one of those.