Hello, I have tried to establish a secure FTP connection to my ISPConfig managed server but to no avail:
- if I tell Filezilla to use "plain FTP" everything works as it should
- if I set Filezilla to use "explicit FTP over TLS" it connects but shortly afterwards the connection times out with the message "failed to retrieve directory listing"
- setting Filezilla to use "implicit FTP over TLS" does not connect at all: "Connection attempt failed with "ECONNREFUSED - Connection refused by server"", although I have opened ports 989 and 990 on the firewall (bastille)
Any ideas?
If you run a firewall on your Linux server and want to use passive FTP connections, you have to define the passive port range in pure-ftpd and in your firewall to ensure that the connections don't get blocked. The following example is for pure-ftpd on Debian or Ubuntu Linux and ISPConfig 3:
1) Configure pure-ftpd
echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange
/etc/init.d/pure-ftpd-mysql restart
2) Configure the firewall. If you use ISPConfig 3 on your server to configure the bastille firewall, you can add the necessary port range in the ISPConfig firewall settings. Change the list of Open TCP ports from:
20,21,22,25,53,80,110,143,443,3306,8080,10000
to:
20,21,22,25,53,80,110,143,443,3306,8080,10000,40110:40210
and then click on "Save".
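The two settings in the reply above (the contents of /etc/pure-ftpd/conf/PassivePortRange and the ISPConfig "Open TCP ports" list, where a range is written as a:b) have to agree, or passive data connections are silently dropped. The following check is an added example, not code from the thread or from ISPConfig; it takes both values as strings and reports which passive ports the firewall would still block.

```python
"""Check that pure-ftpd's passive port range is covered by the firewall's open TCP ports.

Added example, not part of the thread. Inputs are the text of
/etc/pure-ftpd/conf/PassivePortRange ("40110 40210") and the ISPConfig
"Open TCP ports" list, in which a range is written as "a:b".
"""
from typing import List, Set, Tuple


def parse_passive_range(text: str) -> Tuple[int, int]:
    """Parse the PassivePortRange file content, e.g. "40110 40210"."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError("expected two port numbers, got %r" % text)
    lo, hi = int(parts[0]), int(parts[1])
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("invalid passive range %d-%d" % (lo, hi))
    return lo, hi


def parse_open_ports(spec: str) -> Set[int]:
    """Expand an ISPConfig port list like "20,21,40110:40210" into a set of ports."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            a, b = (int(x) for x in item.split(":", 1))
            ports.update(range(a, b + 1))
        else:
            ports.add(int(item))
    return ports


def uncovered_passive_ports(passive_range: str, open_ports: str) -> List[int]:
    """Return the passive ports the firewall would still block (empty list = consistent)."""
    lo, hi = parse_passive_range(passive_range)
    allowed = parse_open_ports(open_ports)
    return [p for p in range(lo, hi + 1) if p not in allowed]


def fixed_open_ports(passive_range: str, open_ports: str) -> str:
    """Return the open-port list with the passive range appended in ISPConfig's a:b syntax."""
    lo, hi = parse_passive_range(passive_range)
    if not uncovered_passive_ports(passive_range, open_ports):
        return open_ports
    return "%s,%d:%d" % (open_ports.rstrip(","), lo, hi)
```

A partially opened range (say 40110:40200 against a 40110 40210 passive range) is reported port by port, which is the case that produces intermittent "failed to retrieve directory listing" errors rather than a clean failure.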
It Works! Thanks a lot for your quick answer, it is working like a charm now... I need one more thing though in order to better secure pure-ftpd, and that is to set it to accept only SSL/TLS authentication. Where/how can I set the --tls switch in order to achieve that? I have looked in the start-script of pure-ftpd but I'm not sure what to do.
Thanks in advance,
Tanaka
PS. BTW, running Debian Wheezy with ISPConfig 3.0.5.3 (updated with the 3053_ftpuser patch)
I have the same question - how to enforce SSL/TLS connections for pure-ftpd. I've made a guess and tried "echo 2 > /etc/pure-ftpd/conf/TLS" then restarted. But the server still responds to a normal FTP client (Mac OS X) on the usual port number, so it seems to be a clear-text connection. Thanks for any advice.
OK, the syslog file shows:
> Aug 25 12:29:43 localhost pure-ftpd-mysql[18341]: Starting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -O clf:/var/log/pure-ftpd/transfer.log -D -u 1000 -A -J ALL:!aNULL:!SSLv3 -E -8 UTF-8 -Y 2 -H -b -B
Which looks like TLS-only is enabled (-Y 2). And when I log in using a regular client I get:
> 421 Sorry, cleartext sessions are not accepted on this server.
> ftp: Login failed
Now to find a client and test whether the secure connection works...
Just run:
echo 2 > /etc/pure-ftpd/conf/TLS
and restart pure-ftpd. Sure, FTP over TLS is on the same port and all normal FTP clients support it.
When I connect to my server using the Mac ftp client, I get this:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:13. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
421 Sorry, cleartext sessions are not accepted on this server.
ftp: Login failed
ftp>
I've tried 2 different Mac clients which support FTPS - Fetch and Viper. Neither of them works in SSL/TLS mode. I've opened ports 20 and 21, also 989 and 990 (the official FTPS ports) on the firewall.
So it works correctly; the server disconnected you as TLS is enforced. Which errors do you get in the client and in the pure-ftpd log?
Still can't get any success with other Mac clients - Transmit and RBrowser - which are supposed to be compatible according to: http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS Maybe there's a certificate issue, but I've followed those instructions too, and in any case there is no message from any client about any certificate issue. So I'm at a complete loss. If not with FTP, what other secure method is available for ISPConfig clients to manage files on their websites? Thanks for any further advice!
I've increased the log level:
echo "yes" > /etc/pure-ftpd/conf/VerboseLog
/etc/init.d/pure-ftpd-mysql restart
I tried 4 clients which support "FTP with TLS/SSL" - Transmit, Viper, Fetch and RBrowser. In every case the syslog shows the same condition:
Aug 25 23:42:41 localhost pure-ftpd: ([email protected]) [INFO] New connection from 122.105.125.199
Aug 25 23:42:41 localhost pure-ftpd: ([email protected]) [DEBUG] Command [auth] [TLS]
Aug 25 23:42:41 localhost pure-ftpd: ([email protected]) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
Finally I tried FileZilla and I get further. It identified the certificate and asked me to accept it. syslog shows:
Aug 26 00:12:12 localhost pure-ftpd: ([email protected]) [INFO] New connection from 122.105.125.199
Aug 26 00:12:12 localhost pure-ftpd: ([email protected]) [DEBUG] Command [auth] [TLS]
Aug 26 00:12:12 localhost pure-ftpd: ([email protected]) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
Aug 26 00:12:12 localhost pure-ftpd: ([email protected]) [DEBUG] Command [user] [admin]
Aug 26 00:12:13 localhost pure-ftpd: ([email protected]) [DEBUG] Command [pass] [<*>]
Aug 26 00:12:13 localhost pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Aug 26 00:12:13 localhost systemd[1]: Started Session c5 of user admin.
Now I guess I just have to open the right ports and it should work.
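The VerboseLog output above shows the two outcomes worth telling apart on a TLS-only (-Y 2) server: a client that sent AUTH TLS but never completed the handshake and was refused as cleartext, and one that negotiated a cipher and went on to log in. The following parser is an added example, not code from the thread or from pure-ftpd; the sample lines are constructed after the post's log format, and the "(?@ip)" prefix and the 192.0.2.10 address are assumptions, since the post shows that field mangled.

```python
"""Classify pure-ftpd syslog sessions as TLS-upgraded or cleartext-rejected.
Added example, not from the thread; sample lines are constructed after the VerboseLog
output above, and the "(?@ip)" prefix and 192.0.2.10 address are assumptions."""
import re
from typing import Dict, List

# Constructed sample: a client refused after AUTH TLS, then one that completed TLS and logged in.
SAMPLE_LOG = """\
Aug 25 23:42:41 localhost pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Aug 25 23:42:41 localhost pure-ftpd: (?@192.0.2.10) [DEBUG] Command [auth] [TLS]
Aug 25 23:42:41 localhost pure-ftpd: (?@192.0.2.10) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
Aug 26 00:12:12 localhost pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Aug 26 00:12:12 localhost pure-ftpd: (?@192.0.2.10) [DEBUG] Command [auth] [TLS]
Aug 26 00:12:12 localhost pure-ftpd: (?@192.0.2.10) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
Aug 26 00:12:12 localhost pure-ftpd: (?@192.0.2.10) [DEBUG] Command [user] [admin]
Aug 26 00:12:13 localhost pure-ftpd: (?@192.0.2.10) [DEBUG] Command [pass] [<*>]
"""
LINE_RE = re.compile(r"pure-ftpd(?:-mysql)?: \((?P<who>[^)]*)\) \[(?P<level>\w+)\] (?P<msg>.*)$")
CIPHER_RE = re.compile(r"SSL/TLS: Enabled (?P<proto>\S+) with (?P<cipher>[\w-]+)")


def parse_sessions(log_text: str) -> List[Dict[str, object]]:
    """Walk the log in order; a 'New connection' line opens a new session for that client IP."""
    sessions: List[Dict[str, object]] = []
    current: Dict[str, Dict[str, object]] = {}  # latest open session per client IP
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m.group("who").rsplit("@", 1)[-1]  # "?@ip" before login, "user@ip" after
        msg = m.group("msg")
        if msg.startswith("New connection from"):
            current[ip] = {"ip": ip, "status": "connected", "auth_tls": False, "cipher": None, "user": None}
            sessions.append(current[ip])
            continue
        sess = current.get(ip)
        if sess is None:
            continue  # session start is not in this log excerpt
        if msg.startswith("Command [auth] [TLS]"):
            sess["auth_tls"] = True  # client asked for TLS; the handshake may still fail
        elif "cleartext sessions are not accepted" in msg:
            sess["status"] = "cleartext_rejected"  # server enforced -Y 2 (TLS only)
        elif msg.startswith("Command [user] ["):
            sess["user"] = msg[len("Command [user] ["):-1]
        else:
            c = CIPHER_RE.match(msg)
            if c:
                sess["status"] = "tls"
                sess["cipher"] = c.group("cipher")
    return sessions
```

A session with auth_tls set but status cleartext_rejected is the signature of the Mac clients in this thread: the server saw AUTH TLS but no handshake followed, so the problem is on the client side, not a firewall or port issue.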
Finally, it works! Here are some notes on the experience.
1. Documentation
This page is not complete: https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/
In addition, you need to look at the documentation here:
https://www.howtoforge.com/how-to-configure-pureftpd-to-accept-tls-sessions-on-debian-lenny
http://www.faqforge.com/linux/contr...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/
I suggest updating the "Perfect Server" docs because TLS security really is essential for FTP, and it has not been easy to set it up.
2. FTP-TLS Clients
Out of 5 Mac OS X clients tried, only one worked: FileZilla.
Warning on the FileZilla download: https://filezilla-project.org/download.php?type=client The Sourceforge link points to a client which is corrupt and which apparently contains spyware. The link to FileZilla_3.13.1_macosx-x86.app.tar.bz2 is the one that worked for me.
3. Other
Make sure the FTP transfer mode (in the client) is Passive, not Active.
Beware NAT: your FTP client cannot access FTP through a NAT. If you have a NATted connection, you'll need to fire up a VPN to get FTP to work.
FileZilla apparently supports IPv6, so that may be a better option if your ISP gives it to you.
1) The documentation is complete; it configures FTP to allow connections with and without TLS. Enforcing TLS might be fine for your own purpose, but that's nothing to be enforced in general, as this would lead to many complaints when software without TLS support is used for an FTP connection. I verified on a server that is the exact copy/paste version of the tutorial that connections with and without TLS are working out of the box when you follow the perfect server guide.
3) FTP connections are working fine in both modes and you don't need a VPN. All you have to do is ensure that the passive port range of your FTP client http://www.faqforge.com/linux/contr...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/ matches the passive port range that you opened for FTP in your firewall.