Pure-FTPD rejecting incoming connection requests

Discussion in 'ISPConfig 3 Priority Support' started by dnieweg, Oct 23, 2024.

  1. dnieweg

    dnieweg New Member

    Hello - Time to ask for some real help as I have been deeply troubleshooting this issue for longer than I care to admit. Basic issue is FTP broke and I appear unable to fix it or know what to do next.
    • ISPConfig 3 latest version
    • Pure FTPD with many user accounts that used to work
    • Traffic is reaching the server, but connection is being rejected.
    Here are the details, and thanks in advance:
    Summary of Issue:
    1. FTP Server Rejection:
      • The FTP server (Pure-FTPd) is consistently sending TCP reset (RST) packets in response to connection attempts on passive FTP ports (e.g., 40110), indicating that the FTP server is rejecting connections.
      • Traffic reaches the server successfully, as confirmed via tcpdump on both the WAN (external) and LAN (internal) interfaces of the router.
    2. Firewall & Port Forwarding:
      • Both the router and the server's firewall have been configured to allow traffic on ports 40110-41110 (the passive FTP range).
      • We have confirmed that port forwarding and NAT rules are correctly configured, and traffic is being routed to the FTP server.
      • Fail2Ban is enabled but no IP addresses are currently banned, so Fail2Ban is not causing the issue.
    3. TLS Configuration:
      • The FTP server is configured for FTP over TLS, with the following relevant configuration:
        CertFileAndKey "/usr/local/ispconfig/interface/ssl/ispserver.pem" "/usr/local/ispconfig/interface/ssl/ispserver.pem"

      • Both the certificate and private key are in the same file (ispserver.pem), located in the ISPConfig directory. We suspect this could be a point of failure.
    4. Steps Taken:
      • We have checked that the TLS certificate and passive port range are configured correctly in /etc/pure-ftpd/pure-ftpd.conf:
        PassivePortRange 40110 41110
        VerboseLog yes

      • The server is set to use explicit FTP over TLS (Require explicit FTP over TLS in FileZilla), but connections stall and time out, or are immediately rejected.
    5. ISPConfig Integration:
      • We have also ensured that ISPConfig is managing the Pure-FTPd configuration. The TLS certificates being used by Pure-FTPd appear to be tied to the ISPConfig SSL setup.
    Request for Guidance:
    • TLS/SSL Configuration: Could there be an issue with the way Pure-FTPd is using the ISPConfig SSL certificate (ispserver.pem)? Should we reconfigure or regenerate the certificate, or verify further steps with ISPConfig integration?
    • Any Additional Steps: Can you suggest any further diagnostics to ensure Pure-FTPd is correctly integrated with ISPConfig and functioning with the firewall and passive FTP setup?
     
  2. dnieweg

    dnieweg New Member

    A little more information:
    SSH into the server using a standard Debian user works fine, but if I create an SSH/SFTP user and try to log into that specific domain, then that fails too. I get to the point where it asks if I want to trust the server SSH fingerprint, but then it says permission denied.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Have you tested locally on the server with a command-line FTP client? If this works, then you know the issue is not pure-ftpd but a firewall in front of the server.
    Have you tried to stop the Firewall on the server, does it work then?

    Does it work for other websites on the server?
     
    dnieweg likes this.
  4. dnieweg

    dnieweg New Member

    Yikes, another full day and slight success, but really messed up for some reason. In any case, here's a partial summary of today's work and results. At this point, can I uninstall pure-ftpd and just start over? I don't mind making new accounts. It has been difficult using scp for many, many months without ftp access. LOL painful.
    1) Tested locally on the server with firewall off using command line ftp. It did not work.
    2) Permission denied was across the board, not limited to a specific domain.

    But here's the additional info:
    A) It seemed after a while the /etc/pure-ftpd.conf file was just not loading correctly, and no $OPTIONS were specified in /etc/init.d/pure-ftpd.mysql, so I added OPTIONS="-c /etc/pure-ftpd/pure-ftpd.conf" to the file, restarted the daemon and Pure-FTPd, and it then did seem to load the conf file.
    B) With the conf file apparently loading correctly, the firewalls still off, iptables cleared, and Fail2ban turned off, I loaded up my AWS Cloud Shell and used lftp to log in and set passive mode on as follows:
    lftp [email protected]
    set ftp:passive-mode on
    I try to ls and find out I seem to have an issue with my certificate, so I:
    set ssl:verify-certificate no
    I try "ls" again and voila!! I get a directory listing finally! I then "cd web" and I get into the web directory!
    However, I then "ls" in the web directory and I get connection refused. All of this interaction is below.
    [cloudshell-user@ip-10-144-110-197 ~]$ lftp [email protected]
    Password:
    lftp [email protected]:~> set ftp:passive-mode on
    lftp [email protected]:~> ls
    ls: Fatal error: Certificate verification: certificate common name doesn't match requested host name ‘serinehealth.com’ (15:30:B7:09:66:E4:6A:56:E8:DA:9C:1E:CD:E4:9F:58:09:EE:5A:7A)
    lftp [email protected]:~> set ssl:verify-certificate no
    lftp [email protected]:~> ls
    drwxr-xr-x 16 0 0 4096 Oct 22 20:03 .
    drwxr-xr-x 16 0 0 4096 Oct 22 20:03 ..
    -rwxr-x--- 1 5030 client1 0 Oct 22 20:03 .bash_history
    -rw-r--r-- 1 5030 client1 0 Oct 22 20:03 .profile
    drwx------ 2 5030 client1 4096 Oct 22 20:03 .ssh
    drwxr-xr-x 2 5030 client1 4096 Oct 22 12:39 backup
    drwxr-xr-x 2 0 0 4096 Oct 23 00:10 bin
    drwxr-xr-x 2 5030 client1 4096 Oct 22 12:39 cgi-bin
    drwxr-xr-x 2 0 0 4096 Oct 22 12:53 dev
    drwxr-xr-x 6 0 0 4096 Oct 23 00:10 etc
    drwxr-xr-x 5 0 0 4096 Oct 22 20:03 home
    drwxr-xr-x 6 0 0 4096 Oct 23 00:10 lib
    drwxr-xr-x 2 0 0 4096 Oct 23 00:10 lib64
    drwxr-xr-x 2 0 0 4096 Oct 23 00:12 log
    drwx--x--- 2 5030 client1 4096 Oct 22 12:39 private
    drwxr-xr-x 2 0 0 4096 Oct 22 12:39 ssl
    drwxrwx--- 2 5030 client1 4096 Oct 22 12:39 tmp
    drwxr-xr-x 7 0 0 4096 Oct 22 12:53 usr
    drwxr-xr-x 4 0 0 4096 Oct 22 12:53 var
    drwx--x--x 4 5030 client1 4096 Oct 22 12:39 web
    drwx--x--- 2 5030 client1 4096 Oct 22 12:39 webdav
    lftp [email protected]:/> cd web
    lftp [email protected]:/web> ls
    ls' at 0 [Connection refused]


    So yeah, I am tired and I have edits to files I am not sure I remember and way too many things turned off that should not be off. LOL
    There has to be an easier way to resolve this.

    Thanks for any thoughts, especially if they include instructions on how to reinstall ftp and link it properly to ispconfig even if I have to recreate the ftp accounts again.
     
    Last edited: Oct 24, 2024
  5. dnieweg

    dnieweg New Member

    So one other weirdness. I turned my firewall back on via "ufw enable" and it killed my remote sessions and ... well, everything, including the websites. So I used the console on my VM and turned it back off and everything worked again. I then used ISPConfig to turn it back on, and while it was coming up I was checking its status using my remote console, and as it came up it did in fact show the ports that should be open, but it killed everything again! I must be tired. The remote session is below.

    One thing to note: one of the things I tried was to see if I was incorrectly specifying the range of passive ports, because I was using 40110:41110 and thought maybe I would try 40110-41110, which is why you only see 40110 open below. However ... remember that I had ufw turned off (and still off) for all of this troubleshooting, so that was not and is not the issue.

    root@webserver6:~# ufw status
    Status: inactive
    root@webserver6:~# ufw status
    Status: active

    To Action From
    -- ------ ----
    21/tcp ALLOW Anywhere
    22/tcp ALLOW Anywhere
    25/tcp ALLOW Anywhere
    53/tcp ALLOW Anywhere
    80/tcp ALLOW Anywhere
    110/tcp ALLOW Anywhere
    143/tcp ALLOW Anywhere
    443/tcp ALLOW Anywhere
    465/tcp ALLOW Anywhere
    587/tcp ALLOW Anywhere
    993/tcp ALLOW Anywhere
    995/tcp ALLOW Anywhere
    3306/tcp ALLOW Anywhere
    4190/tcp ALLOW Anywhere
    8080/tcp ALLOW Anywhere
    8081/tcp ALLOW Anywhere
    53/udp ALLOW Anywhere
    20/tcp ALLOW Anywhere
    2120/tcp ALLOW Anywhere
    40110/tcp ALLOW Anywhere
    21/tcp (v6) ALLOW Anywhere (v6)
    22/tcp (v6) ALLOW Anywhere (v6)
    25/tcp (v6) ALLOW Anywhere (v6)
    53/tcp (v6) ALLOW Anywhere (v6)
    80/tcp (v6) ALLOW Anywhere (v6)
    110/tcp (v6) ALLOW Anywhere (v6)
    143/tcp (v6) ALLOW Anywhere (v6)
    443/tcp (v6) ALLOW Anywhere (v6)
    465/tcp (v6) ALLOW Anywhere (v6)
    587/tcp (v6) ALLOW Anywhere (v6)
    993/tcp (v6) ALLOW Anywhere (v6)
    995/tcp (v6) ALLOW Anywhere (v6)
    3306/tcp (v6) ALLOW Anywhere (v6)
    4190/tcp (v6) ALLOW Anywhere (v6)
    8080/tcp (v6) ALLOW Anywhere (v6)
    8081/tcp (v6) ALLOW Anywhere (v6)
    53/udp (v6) ALLOW Anywhere (v6)
    20/tcp (v6) ALLOW Anywhere (v6)
    2120/tcp (v6) ALLOW Anywhere (v6)
    40110/tcp (v6) ALLOW Anywhere (v6)
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Which operating system do you use?

    Your VPS is on AWS? In this case, you should consider not using the UFW firewall but relying on the AWS firewall instead.
     
    dnieweg likes this.
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That is one error. What hostnames are in that certificate?
    You could try connecting to hostname that hostname -f shows on that server.
    I would not do that. My guess is reinstalling ftp would not help here.
     
    dnieweg likes this.
  8. dnieweg

    dnieweg New Member

    I use Debian Bookworm and it's hosted on a home server. I just used my AWS account for remote troubleshooting.
     
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    so you're using NAT behind your firewall...
    Have you created a file ForcePassiveIP in /etc/pure-ftpd/conf which contains just the public ip of your firewall/NAT server?
     
    dnieweg and till like this.
  10. dnieweg

    dnieweg New Member

    Actually my Ubiquiti router is in front of the firewall and I have verified all traffic is passing and the proper ports and port ranges are forwarded on to my Debian LAMP/web server. On my web server I do have ForcePassiveIP set to my external IP address and everything seems to resolve ok and traffic on 21 is fine. Right now the web server has the ufw firewall turned off and all traffic is passing there as well. It's the passive port range I am having difficulty with, I think. I am using a non-standard range of 40110-41110 but it is defined in my .conf file and forwarded everywhere it needs to be forwarded, but something is still wrong.
    Thanks
     
  11. dnieweg

    dnieweg New Member

    Thanks all - Quick question - I redid my UFW from the command line and ensured my ip tables are being managed by UFW and it all works perfectly as expected (from a firewall perspective) EXCEPT ISPCONFIG is not recognizing the current status of the firewall nor the ports that are currently enabled. It's not properly picking up when it is active or not-active and the port ranges I have enabled one by one on the command line such as (ufw allow 21/tcp) are not reflected in the "Open TCP Ports:" or "Open UDP Ports:" fields in ISPCONFIG meaning it is picking up its data from somewhere else other than where my command line settings took effect.

    How do I tell ISPCONFIG to use the correct rules/config files instead of whatever incorrect ones it appears to be looking at now?

    If I disable or enable the firewall inside of ISPCONFIG right now it blocks all the ports and does something wonky that causes me to reboot and turn the firewall off from the command line. Something is out of sync.
    While this has all been part of trying to get the FTP issues resolved I am now wondering if I should be posting this as a separate comment or request?

    Thanks again

    TO ADD SOME SPECIFIC CLARITY
    I had port range 40110:41110/tcp enabled via the ISPCONFIG interface, and this port range is still what it shows now.
    However, when I explicitly set the port ranges using the command line, I expanded the range by one (mostly for troubleshooting purposes) to be 40110:41111. This is what the firewall currently reports as being enabled.
    I decided to search for the strings 40110 and 41111 as this might tell me which file ISPCONFIG is looking at and which file UFW is actually using. Here's the results. The second section is what UFW reports as being in use, I think ISPCONFIG thinks the first section is correct.

    root@webserver6:/# find /etc -type f -exec grep -Hn '41110' {} \;
    /etc/pure-ftpd/pure-ftpd.conf:177:passivePortRange 40110 41110
    /etc/ufw/user6.rules.20241024_120749:77:### tuple ### allow tcp 40110:41110 ::/0 any ::/0 in
    /etc/ufw/user6.rules.20241024_120749:78:-A ufw6-user-input -p tcp -m multiport --dports 40110:41110 -j ACCEPT
    /etc/ufw/user.rules.20241024_120749:77:### tuple ### allow tcp 40110:41110 0.0.0.0/0 any 0.0.0.0/0 in
    /etc/ufw/user.rules.20241024_120749:78:-A ufw-user-input -p tcp -m multiport --dports 40110:41110 -j ACCEPT

    root@webserver6:/# find /etc -type f -exec grep -Hn '41111' {} \;
    /etc/ufw/user.rules:74:### tuple ### allow tcp 40110:41111 0.0.0.0/0 any 0.0.0.0/0 in
    /etc/ufw/user.rules:75:-A ufw-user-input -p tcp -m multiport --dports 40110:41111 -j ACCEPT
    /etc/ufw/user6.rules:74:### tuple ### allow tcp 40110:41111 ::/0 any ::/0 in
    /etc/ufw/user6.rules:75:-A ufw6-user-input -p tcp -m multiport --dports 40110:41111 -j ACCEPT
     
    Last edited: Oct 24, 2024
  12. dnieweg

    dnieweg New Member

    I think I'll hire schaal to take a look. I feel a bit over-challenged and under-knowledged. LOL
     
  13. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    as far as i'm aware, ispconfig does not, and never has picked up ufw settings applied to a server from the cli.

    you create a firewall rule in ispconfig that specifies the ports you want open, and ispconfig applies that to the target server.
     
    dnieweg likes this.
