Hello - Time to ask for some real help as I have been deeply troubleshooting this issue for longer than I care to admit. Basic issue is FTP broke and I appear unable to fix it or know what to do next. ISPConfig 3 latest version, Pure-FTPd with many user accounts that used to work. Traffic is reaching the server, but the connection is being rejected. Here are the details and thanks in advance:

Summary of Issue:

FTP Server Rejection: The FTP server (Pure-FTPd) is consistently sending TCP reset (RST) packets in response to connection attempts on passive FTP ports (e.g., 40110), indicating that the FTP server is rejecting connections. Traffic reaches the server successfully, as confirmed via tcpdump on both the WAN (external) and LAN (internal) interfaces of the router.

Firewall & Port Forwarding: Both the router and the server's firewall have been configured to allow traffic on ports 40110-41110 (the passive FTP range). We have confirmed that port forwarding and NAT rules are correctly configured, and traffic is being routed to the FTP server. Fail2Ban is enabled but no IP addresses are currently banned, so Fail2Ban is not causing the issue.

TLS Configuration: The FTP server is configured for FTP over TLS, with the following relevant configuration:

CertFileAndKey "/usr/local/ispconfig/interface/ssl/ispserver.pem" "/usr/local/ispconfig/interface/ssl/ispserver.pem"

Both the certificate and private key are in the same file (ispserver.pem), located in the ISPConfig directory. We suspect this could be a point of failure.

Steps Taken: We have checked that the TLS certificate and passive port range are configured correctly in /etc/pure-ftpd/pure-ftpd.conf:

PassivePortRange 40110 41110
VerboseLog yes

The server is set to use explicit FTP over TLS (Require explicit FTP over TLS in FileZilla), but connections stall and time out, or are immediately rejected.

ISPConfig Integration: We have also ensured that ISPConfig is managing the Pure-FTPd configuration. The TLS certificates being used by Pure-FTPd appear to be tied to the ISPConfig SSL setup.

Request for Guidance:

TLS/SSL Configuration: Could there be an issue with the way Pure-FTPd is using the ISPConfig SSL certificate (ispserver.pem)? Should we reconfigure or regenerate the certificate, or verify further steps with ISPConfig integration?

Any Additional Steps: Can you suggest any further diagnostics to ensure Pure-FTPd is correctly integrated with ISPConfig and functioning with the firewall and passive FTP setup?
A little more information: SSH into the server using a standard Debian user works fine, but if I create an SSH/SFTP user and try to log into that specific domain, then that fails too. I get to the point where it asks if I want to trust the server SSH fingerprint, but then it says permission denied.
1) Have you tested locally on the server with a command-line FTP client? If this works, then you know the issue is not pure-ftpd but a firewall in front of the server. Have you tried to stop the Firewall on the server, does it work then? Does it work for other websites on the server?
Yikes, another full day and slight success but really messed up for some reason. In any case, here's a partial summary of today's work and results. At this point can I uninstall pure-ftpd and just start over? I don't mind making new accounts. It has been difficult using scp for many, many months without ftp access. LOL painful.

1) Tested locally on the server with firewall off using command line ftp. It did not work.

2) Permission denied was across the board, not limited to a specific domain. But here's the additional info:

A) It seemed after a while the /etc/pure-ftpd.conf file was just not loading correctly, and no $OPTIONS were specified in /etc/init.d/pure-ftpd.mysql, so I added OPTIONS="-c /etc/pure-ftpd/pure-ftpd.conf" to the file, restarted the daemon and Pure-FTPd, and it then did seem to load the conf file.

B) With the conf file apparently loading correctly, the firewalls still off, iptables cleared, and Fail2ban turned off, I loaded up my AWS Cloud Shell and used lftp to log in and set passive mode on as follows:

lftp [email protected]
set ftp:passive-mode on

I try to ls and find out I seem to have an issue with my certificate, so I:

set ssl:verify-certificate no

I try "ls" again and voila!! I get a directory listing finally! I then "cd web" and I get into the web directory! However, I then "ls" in the web directory and I get connection refused. All of this interaction is below.

[cloudshell-user@ip-10-144-110-197 ~]$ lftp [email protected]
Password:
lftp [email protected]:~> set ftp:passive-mode on
lftp [email protected]:~> ls
ls: Fatal error: Certificate verification: certificate common name doesn't match requested host name ‘serinehealth.com’ (15:30:B7:09:66:E4:6A:56:E8A:9C:1E:CD:E4:9F:58:09:EE:5A:7A)
lftp [email protected]:~> set ssl:verify-certificate no
lftp [email protected]:~> ls
drwxr-xr-x   16 0        0            4096 Oct 22 20:03 .
drwxr-xr-x   16 0        0            4096 Oct 22 20:03 ..
-rwxr-x---    1 5030     client1         0 Oct 22 20:03 .bash_history
-rw-r--r--    1 5030     client1         0 Oct 22 20:03 .profile
drwx------    2 5030     client1      4096 Oct 22 20:03 .ssh
drwxr-xr-x    2 5030     client1      4096 Oct 22 12:39 backup
drwxr-xr-x    2 0        0            4096 Oct 23 00:10 bin
drwxr-xr-x    2 5030     client1      4096 Oct 22 12:39 cgi-bin
drwxr-xr-x    2 0        0            4096 Oct 22 12:53 dev
drwxr-xr-x    6 0        0            4096 Oct 23 00:10 etc
drwxr-xr-x    5 0        0            4096 Oct 22 20:03 home
drwxr-xr-x    6 0        0            4096 Oct 23 00:10 lib
drwxr-xr-x    2 0        0            4096 Oct 23 00:10 lib64
drwxr-xr-x    2 0        0            4096 Oct 23 00:12 log
drwx--x---    2 5030     client1      4096 Oct 22 12:39 private
drwxr-xr-x    2 0        0            4096 Oct 22 12:39 ssl
drwxrwx---    2 5030     client1      4096 Oct 22 12:39 tmp
drwxr-xr-x    7 0        0            4096 Oct 22 12:53 usr
drwxr-xr-x    4 0        0            4096 Oct 22 12:53 var
drwx--x--x    4 5030     client1      4096 Oct 22 12:39 web
drwx--x---    2 5030     client1      4096 Oct 22 12:39 webdav
lftp [email protected]:/> cd web
lftp [email protected]:/web> ls
ls' at 0 [Connection refused]

So yeah, I am tired and I have edits to files I am not sure I remember and way too many things turned off that should not be off. LOL There has to be an easier way to resolve this. Thanks for any thoughts, especially if they include instructions on how to reinstall ftp and link it properly to ispconfig even if I have to recreate the ftp accounts again.
So one other weirdness. I turned my firewall back on via "ufw enable" and it killed my remote sessions and ... well everything, including the websites. So I used the console on my VM and turned it back off and everything worked again. I then used ISPConfig to turn it back on, and while it was coming up I was checking its status using my remote console, and as it came up it did in fact show the ports that should be open, but it killed everything again! I must be tired. The remote session is below. One thing to note is that one of the things I tried was to see if I was incorrectly specifying the range of passive ports, because I was using 40110:41110 and thought maybe I would try 40110-41110, which is why you only see 40110 open below. However .. remember that I had ufw turned off (and still off) for all of this troubleshooting, so that was not and is not the issue.

root@webserver6:~# ufw status
Status: inactive
root@webserver6:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
21/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
53/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
110/tcp                    ALLOW       Anywhere
143/tcp                    ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
465/tcp                    ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
993/tcp                    ALLOW       Anywhere
995/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
4190/tcp                   ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
8081/tcp                   ALLOW       Anywhere
53/udp                     ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
2120/tcp                   ALLOW       Anywhere
40110/tcp                  ALLOW       Anywhere
21/tcp (v6)                ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
53/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
110/tcp (v6)               ALLOW       Anywhere (v6)
143/tcp (v6)               ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
465/tcp (v6)               ALLOW       Anywhere (v6)
587/tcp (v6)               ALLOW       Anywhere (v6)
993/tcp (v6)               ALLOW       Anywhere (v6)
995/tcp (v6)               ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
4190/tcp (v6)              ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
8081/tcp (v6)              ALLOW       Anywhere (v6)
53/udp (v6)                ALLOW       Anywhere (v6)
20/tcp (v6)                ALLOW       Anywhere (v6)
2120/tcp (v6)              ALLOW       Anywhere (v6)
40110/tcp (v6)             ALLOW       Anywhere (v6)
Which operating system do you use? Your VPS is on AWS? In this case, you should consider not using the UFW firewall but relying on the AWS firewall instead.
That is one error. What hostnames are in that certificate? You could try connecting to the hostname that hostname -f shows on that server. I would not do that. My guess is reinstalling ftp would not help here.
I use Debian Bookworm and it's hosted on a home server. I just used my AWS account for remote troubleshooting.
so you're using NAT behind your firewall... Have you created a file ForcePassiveIP in /etc/pure-ftpd/conf which contains just the public ip of your firewall/NAT server?
Actually my Ubiquiti router is in front of the firewall and I have verified all traffic is passing and the proper ports and port ranges are forwarded on to my Debian LAMP/web server. On my web server I do have ForcePassiveIP set to my external IP address and everything seems to resolve ok and traffic on 21 is fine. Right now the web server has the ufw firewall turned off and all traffic is passing there as well. It's the passive port range I am having difficulty with, I think. I am using a non-standard range of 40110-41110 but it is defined in my .conf file and forwarded everywhere it needs to be forwarded, but something is still wrong. Thanks
Thanks all - Quick question - I redid my UFW from the command line and ensured my iptables are being managed by UFW and it all works perfectly as expected (from a firewall perspective) EXCEPT ISPCONFIG is not recognizing the current status of the firewall nor the ports that are currently enabled. It's not properly picking up when it is active or not active, and the port ranges I have enabled one by one on the command line such as (ufw allow 21/tcp) are not reflected in the "Open TCP Ports:" or "Open UDP Ports:" fields in ISPCONFIG, meaning it is picking up its data from somewhere other than where my command line settings took effect. How do I tell ISPCONFIG to use the correct rules/config files instead of whatever incorrect ones it appears to be looking at now? If I disable or enable the firewall inside of ISPCONFIG right now it blocks all the ports and does something wonky that causes me to reboot and turn the firewall off from the command line. Something is out of sync. While this has all been part of trying to get the FTP issues resolved, I am now wondering if I should be posting this as a separate comment or request? Thanks again

TO ADD SOME SPECIFIC CLARITY

I had port range 40110:41110/tcp enabled via the ISPCONFIG interface, and this port range is still what it shows now. However, when I explicitly set the port ranges using the command line, I expanded the range by one (mostly for troubleshooting purposes) to be 40110:41111. This is what the firewall currently reports as being enabled. I decided to search for the strings 40110 and 41111 as this might tell me which file ISPCONFIG is looking at and which file UFW is actually using. Here's the results. The second section is what UFW reports as being in use; I think ISPCONFIG thinks the first section is correct.

root@webserver6:/# find /etc -type f -exec grep -Hn '41110' {} \;
/etc/pure-ftpd/pure-ftpd.conf:177:PassivePortRange 40110 41110
/etc/ufw/user6.rules.20241024_120749:77:### tuple ### allow tcp 40110:41110 ::/0 any ::/0 in
/etc/ufw/user6.rules.20241024_120749:78:-A ufw6-user-input -p tcp -m multiport --dports 40110:41110 -j ACCEPT
/etc/ufw/user.rules.20241024_120749:77:### tuple ### allow tcp 40110:41110 0.0.0.0/0 any 0.0.0.0/0 in
/etc/ufw/user.rules.20241024_120749:78:-A ufw-user-input -p tcp -m multiport --dports 40110:41110 -j ACCEPT
root@webserver6:/# find /etc -type f -exec grep -Hn '41111' {} \;
/etc/ufw/user.rules:74:### tuple ### allow tcp 40110:41111 0.0.0.0/0 any 0.0.0.0/0 in
/etc/ufw/user.rules:75:-A ufw-user-input -p tcp -m multiport --dports 40110:41111 -j ACCEPT
/etc/ufw/user6.rules:74:### tuple ### allow tcp 40110:41111 ::/0 any ::/0 in
/etc/ufw/user6.rules:75:-A ufw6-user-input -p tcp -m multiport --dports 40110:41111 -j ACCEPT
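The grep above is really a consistency check between two files: the PassivePortRange line in pure-ftpd.conf and the multiport ACCEPT rule in the ufw rules file that is live. The following is an added example (not the poster's or ISPConfig's code) that does that comparison programmatically on constructed file contents modelled on the output above; it treats any single ufw ACCEPT rule that spans the whole passive range as sufficient, so the 40110:41111 rule counts as covering 40110-41110.

```python
import re

# Constructed sample contents (assumed; modelled on the poster's grep output, not read from disk).
PURE_FTPD_CONF = """
# Port range for passive connections replies. - for firewalling.
PassivePortRange 40110 41110
VerboseLog yes
"""

UFW_USER_RULES = """
### tuple ### allow tcp 21 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 21 -j ACCEPT
### tuple ### allow tcp 40110:41111 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp -m multiport --dports 40110:41111 -j ACCEPT
"""

def passive_range(conf_text):
    """Return (low, high) from the first uncommented PassivePortRange line."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"PassivePortRange\s+(\d+)\s+(\d+)$", line)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError("no PassivePortRange directive found")

def ufw_tcp_ranges(rules_text):
    """Return the set of (low, high) TCP port ranges accepted by user-input ACCEPT rules."""
    ranges = set()
    for line in rules_text.splitlines():
        if "-j ACCEPT" not in line or "-p tcp" not in line:
            continue
        m = re.search(r"--dports?\s+(\d+)(?::(\d+))?", line)  # "--dport 21" or "--dports a:b"
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            ranges.add((lo, hi))
    return ranges

def passive_range_covered(conf_text, rules_text):
    """True when one ufw ACCEPT rule spans the entire PassivePortRange."""
    lo, hi = passive_range(conf_text)
    return any(rlo <= lo and hi <= rhi for rlo, rhi in ufw_tcp_ranges(rules_text))

if __name__ == "__main__":
    print("PassivePortRange:", passive_range(PURE_FTPD_CONF))
    print("ufw TCP ranges:", sorted(ufw_tcp_ranges(UFW_USER_RULES)))
    print("passive range covered by ufw:", passive_range_covered(PURE_FTPD_CONF, UFW_USER_RULES))
```

Running it against /etc/pure-ftpd/pure-ftpd.conf and /etc/ufw/user.rules (and user6.rules for IPv6) only tells you what ufw on the host permits; the router's forward for the same range still has to be checked separately.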
as far as i'm aware, ispconfig does not, and never has picked up ufw settings applied to a server from the cli. you create a firewall rule in ispconfig that specifies the ports you want open, and ispconfig applies that to the target server.