Unable to connect via FTP

Discussion in 'Installation/Configuration' started by rezz, Apr 25, 2024.

  1. rezz

    rezz New Member HowtoForge Supporter

    Hello,
    For some reason, I am able to connect via unencrypted FTP but when I attempt to connect via explicit TLS, I receive the following error:
    Code:
    Status:    Connection established, waiting for welcome message...
    Status:    Initializing TLS...
    Status:    TLS connection established.
    Status:    Logged in
    Status:    Retrieving directory listing...
    Command:    PWD
    Response:    257 "/" is your current location
    Command:    TYPE I
    Response:    200 TYPE is now 8-bit binary
    Command:    PASV
    Response:    227 Entering Passive Mode (135,148,232,37,156,209)
    Command:    MLSD
    Error:    GnuTLS error -110: The TLS connection was non-properly terminated.
    Status:    Server did not properly shut down TLS connection
    Error:    The data connection could not be established: ECONNABORTED - Connection aborted
    Error:    Connection timed out after 20 seconds of inactivity
    Error:    Failed to retrieve directory listing
    Here are the logs from the server side:
    Code:
    Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] New connection from 1.2.3.4
    Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [auth] [TLS]
    Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] SNI: [website.com]
    Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] SNI: [website.com]
    Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
    Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [user] [user]
    Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [pass] [<*>]
    Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] user is now logged in
    Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [opts] [UTF8 ON]
    Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [pbsz] [0]
    Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [prot] [P]
    Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [pwd] []
    Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [type] [I]
    Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [pasv] []
    Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [mlsd] []
    I have configured PassivePorts in /etc/pure-ftpd/conf/PassivePortRange to 40110 40210

    Additionally, there is no firewall currently configured. I have whitelisted my IP on the provider side (ovh US) to allow all connections instead.

    Finally, I've ensured an ssl cert is properly symlinked here: /etc/ssl/private/pure-ftpd.pem

    I've also restarted pure-ftpd-mysql several times at this point (after each change performed).

    Can anyone give me a hand? I really appreciate it!


    Here is the output of htf_reports.txt:
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 22.04.4 LTS
     
    [INFO] uptime:  14:56:54 up 13:02,  3 users,  load average: 0.70, 1.12, 1.65
     
    [INFO] memory:
                   total        used        free      shared  buff/cache   available
    Mem:            28Gi       3.6Gi        21Gi       158Mi       3.8Gi        24Gi
    Swap:             0B          0B          0B
     
    [INFO] systemd failed services status:
      UNIT                      LOAD   ACTIVE SUB    DESCRIPTION
    ● snap.lxd.activate.service loaded failed failed Service for snap application lxd.activate
    
    LOAD   = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB    = The low-level unit activation state, values depend on unit type.
    1 loaded units listed.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.11p2
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 8.1.28
    [INFO] php-cgi (used for cgi php in default vhost!) is version 8.1.28
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Unknown process (nginx:) (PID 148840)
    [INFO] I found the following mail server(s):
        Postfix (PID 1720)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 661)
    [INFO] I found the following imap server(s):
        Dovecot (PID 661)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 171760)
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    [anywhere]:4190        (661/dovecot)
    [anywhere]:8080        (148840/nginx:)
    [anywhere]:8081        (148840/nginx:)
    ***.***.***.***:53        (750/named)
    ***.***.***.***:53        (750/named)
    ***.***.***.***:53        (750/named)
    ***.***.***.***:53        (750/named)
    ***.***.***.***:53        (750/named)
    ***.***.***.***:53        (750/named)
    ***.***.***.***:53        (750/named)
    ***.***.***.***:53        (750/named)
    [localhost]:10023        (1054/postgrey)
    ***.***.***.***:40145        (191890/pure-ftpd)
    ***.***.***.***:40189        (191743/pure-ftpd)
    [anywhere]:587        (1720/master)
    [anywhere]:993        (661/dovecot)
    [anywhere]:995        (661/dovecot)
    [localhost]:9090        (663/grafana-agent)
    [localhost]:9091        (663/grafana-agent)
    [anywhere]:143        (661/dovecot)
    [anywhere]:80        (148840/nginx:)
    [anywhere]:110        (661/dovecot)
    [anywhere]:21        (171760/pure-ftpd)
    [anywhere]:22        (191526/sshd:)
    [anywhere]:25        (1720/master)
    [anywhere]:465        (1720/master)
    [anywhere]:443        (148840/nginx:)
    [localhost]:11334        (1002/rspamd:)
    [anywhere]:3306        (4462/mariadbd)
    [localhost]:11332        (1002/rspamd:)
    [localhost]:11333        (1002/rspamd:)
    [localhost]:11211        (669/memcached)
    [localhost]:6379        (707/redis-server)
    [anywhere]:8887        (1871/bdsecd)
    [localhost]:953        (750/named)
    [localhost]:953        (750/named)
    [localhost]:953        (750/named)
    [localhost]:953        (750/named)
    [localhost]:953        (750/named)
    [localhost]:953        (750/named)
    [localhost]:953        (750/named)
    [localhost]:953        (750/named)
    [localhost]:53        (750/named)
    [localhost]:53        (750/named)
    [localhost]:53        (750/named)
    [localhost]:53        (750/named)
    [localhost]:53        (750/named)
    [localhost]:53        (750/named)
    [localhost]:53        (750/named)
    [localhost]:53        (750/named)
    ***.***.***.***:53        (622/systemd-resolve)
    *:*:*:*::*:4190        (661/dovecot)
    *:*:*:*::*:8080        (148840/nginx:)
    *:*:*:*::*:8081        (148840/nginx:)
    *:*:*:*::*:6379        (707/redis-server)
    *:*:*:*::*:953        (750/named)
    *:*:*:*::*:953        (750/named)
    *:*:*:*::*:953        (750/named)
    *:*:*:*::*:953        (750/named)
    *:*:*:*::*:953        (750/named)
    *:*:*:*::*:953        (750/named)
    *:*:*:*::*:953        (750/named)
    *:*:*:*::*:953        (750/named)
    *:*:*:*::*9:53        (750/named)
    *:*:*:*::*9:53        (750/named)
    *:*:*:*::*9:53        (750/named)
    *:*:*:*::*9:53        (750/named)
    *:*:*:*::*9:53        (750/named)
    *:*:*:*::*9:53        (750/named)
    *:*:*:*::*9:53        (750/named)
    *:*:*:*::*9:53        (750/named)
    *:*:*:*::*:53        (750/named)
    *:*:*:*::*:53        (750/named)
    *:*:*:*::*:53        (750/named)
    *:*:*:*::*:53        (750/named)
    *:*:*:*::*:53        (750/named)
    *:*:*:*::*:53        (750/named)
    *:*:*:*::*:53        (750/named)
    *:*:*:*::*:53        (750/named)
    *:*:*:*::*:587        (1720/master)
    *:*:*:*::*:993        (661/dovecot)
    *:*:*:*::*:995        (661/dovecot)
    [localhost]43        (661/dovecot)
    *:*:*:*::*:80        (148840/nginx:)
    [localhost]10        (661/dovecot)
    *:*:*:*::*:21        (171760/pure-ftpd)
    *:*:*:*::*:22        (191526/sshd:)
    *:*:*:*::*:25        (1720/master)
    *:*:*:*::*:465        (1720/master)
    *:*:*:*::*:443        (148840/nginx:)
    *:*:*:*::*:3306        (4462/mariadbd)
    *:*:*:*::*f816:3eff:fe83:53        (750/named)
    *:*:*:*::*f816:3eff:fe83:53        (750/named)
    *:*:*:*::*f816:3eff:fe83:53        (750/named)
    *:*:*:*::*f816:3eff:fe83:53        (750/named)
    *:*:*:*::*f816:3eff:fe83:53        (750/named)
    *:*:*:*::*f816:3eff:fe83:53        (750/named)
    *:*:*:*::*f816:3eff:fe83:53        (750/named)
    *:*:*:*::*f816:3eff:fe83:53        (750/named)
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    Bitdefender-21-in  all  --  [anywhere]/0            [anywhere]/0           
    Bitdefender-22-in  all  --  [anywhere]/0            [anywhere]/0           
    ufw-before-logging-input  all  --  [anywhere]/0            [anywhere]/0           
    ufw-before-input  all  --  [anywhere]/0            [anywhere]/0           
    ufw-after-input  all  --  [anywhere]/0            [anywhere]/0           
    ufw-after-logging-input  all  --  [anywhere]/0            [anywhere]/0           
    ufw-reject-input  all  --  [anywhere]/0            [anywhere]/0           
    ufw-track-input  all  --  [anywhere]/0            [anywhere]/0           
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    ufw-before-logging-forward  all  --  [anywhere]/0            [anywhere]/0           
    ufw-before-forward  all  --  [anywhere]/0            [anywhere]/0           
    ufw-after-forward  all  --  [anywhere]/0            [anywhere]/0           
    ufw-after-logging-forward  all  --  [anywhere]/0            [anywhere]/0           
    ufw-reject-forward  all  --  [anywhere]/0            [anywhere]/0           
    ufw-track-forward  all  --  [anywhere]/0            [anywhere]/0           
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    Bitdefender-21-out  all  --  [anywhere]/0            [anywhere]/0           
    Bitdefender-22-out  all  --  [anywhere]/0            [anywhere]/0           
    ufw-before-logging-output  all  --  [anywhere]/0            [anywhere]/0           
    ufw-before-output  all  --  [anywhere]/0            [anywhere]/0           
    ufw-after-output  all  --  [anywhere]/0            [anywhere]/0           
    ufw-after-logging-output  all  --  [anywhere]/0            [anywhere]/0           
    ufw-reject-output  all  --  [anywhere]/0            [anywhere]/0           
    ufw-track-output  all  --  [anywhere]/0            [anywhere]/0           
    
    Chain Bitdefender-21-in (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8887 mark match ! 0x3887
    
    Chain Bitdefender-21-out (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  [anywhere]/0            [localhost]            tcp dpt:8887 ! owner GID match 998 mark match ! 0x3887
    
    Chain Bitdefender-22-in (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8887 mark match ! 0x3887
    
    Chain Bitdefender-22-out (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  [anywhere]/0            [localhost]            tcp dpt:8887 ! owner GID match 998 mark match ! 0x3887
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-logging-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-logging-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-logging-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-logging-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-output (1 references)
    target     prot opt source               destination         
    
    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
    
     
  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    I had this issue with my boss, oftentimes :D He uses some weird ftp client on a mac which seems incompatible with anything out there as... well he never did an upgrade on that because the new version looks ugly or something :D
    Lesson learned on this; have you tried a different ftp client? Different settings?

    My note for that specific server where this is an issue is:
     
  3. rezz

    rezz New Member HowtoForge Supporter

    I just tried with winscp (was using filezilla) and I'm getting the same issue.
    TLS/SSL Implicit encryption -- I can't connect at all
    TLS/SSL Explicit encryption -- unable to list home directory
     
  4. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Hmm, ok. Might be a different thing then, the person I was referring to was able to connect using filezilla, anyone else in the team anyway haha. For him I had to disable implicit, he had the same results as you have.
    But as it was a client issue for him and this seems a server issue for you, I doubt this is related much, though always worth a try maybe.

    Unless this is an issue for you.
    If you use ports in the ephemeral port range 32768–60999 it can be a firewall issue. I know some people here are using Hetzner for example.
    They have a default setting if you enable the firewall on these ports. I do not know top of my head if those could be an issue though.

    Maybe you want to check your
    sysctl net.ipv4.ip_local_port_range
    to look for free port ranges
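    As an added example (not code from the thread, from pure-ftpd or from the posters), the following script decodes the 227 reply shown in the first post and runs the checks discussed so far offline: whether the advertised data port falls inside the configured PassivePortRange, whether the advertised address matches the control-connection peer (a NAT symptom), and whether the passive range overlaps the kernel's ephemeral range from `sysctl net.ipv4.ip_local_port_range`. The sample reply, port range and sysctl output are constructed from values quoted in the thread; the control peer IP is assumed to equal the address in the 227 reply.

```python
"""Offline sanity checks for an FTPS passive-mode setup (added example)."""
import ipaddress
import re

# Sample values constructed from the thread: the 227 reply the client logged,
# the PassivePortRange the poster configured, and a typical Linux ephemeral range.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (135,148,232,37,156,209)"
SAMPLE_PASSIVE_PORT_RANGE = "40110 40210"   # /etc/pure-ftpd/conf/PassivePortRange
SAMPLE_SYSCTL = "net.ipv4.ip_local_port_range = 32768\t60999"

_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); port = p1 * 256 + p2 as in RFC 959."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def parse_port_range(text):
    """Parse 'LOW HIGH' as found in PassivePortRange or in sysctl output."""
    text = text.split("=", 1)[-1]            # tolerate 'key = LOW HIGH'
    low, high = (int(x) for x in text.split())
    if not (1 <= low <= high <= 65535):
        raise ValueError("bad port range: %r" % text)
    return low, high


def check_pasv(reply, passive_range, control_peer_ip, ephemeral_range=None):
    """Return the decoded endpoint plus findings that can break the data channel."""
    ip, port = parse_pasv(reply)
    low, high = parse_port_range(passive_range)
    findings = []
    if not low <= port <= high:
        findings.append("port %d is outside PassivePortRange %d-%d" % (port, low, high))
    if ip != control_peer_ip:
        findings.append("PASV advertises %s but control connection is to %s"
                        % (ip, control_peer_ip))
    if ipaddress.ip_address(ip).is_private:
        findings.append("advertised address %s is private (NAT without ForcePassiveIP?)" % ip)
    if ephemeral_range is not None:
        elow, ehigh = parse_port_range(ephemeral_range)
        if low <= ehigh and elow <= high:
            findings.append("passive range overlaps ephemeral range %d-%d" % (elow, ehigh))
    return {"ip": ip, "port": port, "findings": findings}


if __name__ == "__main__":
    print(check_pasv(SAMPLE_PASV_REPLY, SAMPLE_PASSIVE_PORT_RANGE,
                     "135.148.232.37", SAMPLE_SYSCTL))
```

    With the thread's values the reply decodes to port 40145, which is inside the configured range, so the only finding is the overlap with the ephemeral range.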
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. rezz

    rezz New Member HowtoForge Supporter

    I added a firewall rule at the provider level to allow all tcp traffic from my IP already but I will update the passive range to 40110 - 40112 and will add a rule to allow traffic from my IP going to those ports. I'm only using 3 ports for it because OVH doesn't allow me to do port ranges, I would need to configure a rule for each port :(

    Will report back, thanks @till @ztk.me !
     
  7. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

  8. rezz

    rezz New Member HowtoForge Supporter

  9. rezz

    rezz New Member HowtoForge Supporter

    Still no go after adding those rules...
    OVH config below:
    [attached image: upload_2024-4-25_12-25-35.png]


    I should probably have mentioned this initially, but I migrated to this host from an old ispconfig3 server. Old one was debian, the new one is ubuntu...
     
  10. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Am I right in the assumption you added a firewall rule to allow all and used white marker to redact your IP? Looks like a bug, very second rule
     
  11. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Did you do the migration on the same server by apt upgrade or did you do a new setup and used migration tool?
    If you did an upgrade in place, maybe your default configurations for pure-ftp are off.

    Permissions on the users directory could be a potential issue as well
     
  12. rezz

    rezz New Member HowtoForge Supporter

    Sorry, yes, there's actually an IP there that I just whited out
     
  13. rezz

    rezz New Member HowtoForge Supporter

    It was a migration to an entirely different host via the migration tool

    About the permissions, I'm not sure that is it because if I connect via unencrypted ftp, everything works just fine
     
  14. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Do you see any setting on your ftp client to turn on or off concurrent data transfer or similar?
    I guess you used your IP for the port range, so there is no exhaustion due to bots? Same for 2nd rule above?
    And you matched the config in pure ftp to the firewall if you did not open all ports, just in case, making sure?
     
    Last edited: Apr 25, 2024
  15. rezz

    rezz New Member HowtoForge Supporter

    Looks like there is, I'll limit it to 1 connection for now

    I had a rule in there to allow all traffic from my IP, that one really should allow all connections from me without the need to list ports.
    Yeah, I don't need the ports open to the whole internet so I locked the additional rules to my IP + the same passive ports configured on the pure-ftpd side.
     
  16. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    I wonder if this actually worked for you, but I assume it did?
     
  17. rezz

    rezz New Member HowtoForge Supporter

    It did not :(
     
  18. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

  19. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    And if I had scrolled down, I'd have seen this
    For implicit TLS / SSL using lftp please do these commands:
    connect ftps://ftp.domain.tld
    Note that this will connect you to port 990 directly using TLS.

    For explicit TLS / SSL:

    set ftp:ssl-force true
    connect ftp://ftp.domain.tld
     
  20. rezz

    rezz New Member HowtoForge Supporter

    Looks like this worked so I guess this is indeed a port issue?
    I was even able to ls and see all the directories when logged into the user.
     
