I am running Pure-FTPD on my web server (using ISPConfig), and I can connect, but my connection is very unstable. I have enabled the PassivePortRange and did open the ports in UFW, but this doesn't fix it. I tried disabling the firewall, but that did not work either. What am I missing?
Any errors in your FTP client or the pure-ftpd log files? Does the instability happen during file transfer, at login, or when idle?
Went through the log files, couldn't find anything special. I can see the FTP account logs in again, but nothing more. It happens when transferring files.
Some extra info on my setup:
pure-ftpd-mysql on Debian 10
UFW enabled, but I have tested this with UFW disabled
TLS enabled, there is a certificate for servername.example.com, but clients connect to ftp.clientdomain.com. I have tried connecting to the hostname to make sure it's not because of the cert mismatch, but that didn't help.
Tried FTP without any encryption and with explicit encryption.
Can you post the ftp log from your mail client? Most clients show a kind of command log on what they send to the server.
Code:
> 2020-06-17 18:19:48.382 MFMT 20171006192014 notulen 6 oktober.docx
. 2020-06-17 18:19:48.385 TLS layer changed state from connected to aborted
. 2020-06-17 18:19:48.385 Verbinding met server verbroken
. 2020-06-17 18:19:48.386 Het kopiëren van bestanden naar de externe computer is mislukt.
. 2020-06-17 18:19:48.386 Got reply 1004 to the command 4
. 2020-06-17 18:19:48.386 Transfer progress: Transferred: 32.060.061, Left: 0:01:01, CPS: 10.577.387/s
. 2020-06-17 18:19:48.386 Connection was lost, asking what to do.
. 2020-06-17 18:19:48.386 Asking user:
. 2020-06-17 18:19:48.386 **Verbinding verbroken.** ("Verbinding met server verbroken","Het kopiëren van bestanden naar de externe computer is mislukt.")
. 2020-06-17 18:19:52.965 Bezig met verbinding maken met ftp.companyname.nl...
. 2020-06-17 18:19:52.965 TLS layer changed state from unconnected to connecting
. 2020-06-17 18:19:52.965 TLS layer changed state from connecting to connected
. 2020-06-17 18:19:52.965 Verbonden met ftp.companyname.nl, TLS verbinding negotiëren
< 2020-06-17 18:19:52.965 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 2020-06-17 18:19:52.965 220-You are user number 1 of 50 allowed.
< 2020-06-17 18:19:52.965 220-Local time is now 18:19. Server port: 21.
< 2020-06-17 18:19:52.965 220-This is a private system - No anonymous login
< 2020-06-17 18:19:52.965 220 You will be disconnected after 15 minutes of inactivity.
> 2020-06-17 18:19:52.965 AUTH TLS
< 2020-06-17 18:19:52.966 234 AUTH TLS OK.
. 2020-06-17 18:19:52.980 TLS connect: SSLv3/TLS write client hello
. 2020-06-17 18:19:52.980 TLS connect: SSLv3/TLS read server hello
. 2020-06-17 18:19:52.982 TLS connect: SSLv3/TLS read server certificate
. 2020-06-17 18:19:52.985 TLS connect: SSLv3/TLS read server key exchange
. 2020-06-17 18:19:52.985 TLS connect: SSLv3/TLS read server done
. 2020-06-17 18:19:52.996 TLS connect: SSLv3/TLS write client key exchange
. 2020-06-17 18:19:52.996 TLS connect: SSLv3/TLS write change cipher spec
. 2020-06-17 18:19:52.996 TLS connect: SSLv3/TLS write finished
. 2020-06-17 18:19:53.000 TLS connect: SSLv3/TLS write finished
. 2020-06-17 18:19:53.000 TLS connect: SSLv3/TLS read server session ticket
. 2020-06-17 18:19:53.000 TLS connect: SSLv3/TLS read change cipher spec
. 2020-06-17 18:19:53.000 TLS connect: SSLv3/TLS read finished
. 2020-06-17 18:19:53.000 Verifying certificate for "" with fingerprint f2:5f:b1:76:42:d0:e3:0e:fd:54:07:07:4e:86:71:12:5c:08:a2:4d and 20 failures
. 2020-06-17 18:19:53.000 Certificate common name "servername.companyname.net" does not match hostname
. 2020-06-17 18:19:53.000 Certificate subject alternative name "servername.companyname.net" does not match hostname
. 2020-06-17 18:19:53.000 Certificate for "" matches cached fingerprint and failures
. 2020-06-17 18:19:53.001 Using TLSv1.2, cipher TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
. 2020-06-17 18:19:53.005 TLS verbinding gemaakt. Wachten op welkomst bericht.
> 2020-06-17 18:19:53.005 USER companynamenl
< 2020-06-17 18:19:53.005 331 User companynamenl OK. Password required
> 2020-06-17 18:19:53.005 PASS ********
< 2020-06-17 18:19:53.035 230 OK. Current restricted directory is /
> 2020-06-17 18:19:53.035 SYST
< 2020-06-17 18:19:53.043 215 UNIX Type: L8
> 2020-06-17 18:19:53.043 FEAT
< 2020-06-17 18:19:53.045 211-Extensions supported:
< 2020-06-17 18:19:53.045 EPRT
< 2020-06-17 18:19:53.045 IDLE
< 2020-06-17 18:19:53.045 MDTM
< 2020-06-17 18:19:53.045 SIZE
< 2020-06-17 18:19:53.045 MFMT
< 2020-06-17 18:19:53.045 REST STREAM
< 2020-06-17 18:19:53.045 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
< 2020-06-17 18:19:53.045 MLSD
< 2020-06-17 18:19:53.045 AUTH TLS
< 2020-06-17 18:19:53.045 PBSZ
< 2020-06-17 18:19:53.045 PROT
< 2020-06-17 18:19:53.045 UTF8
< 2020-06-17 18:19:53.045 ESTA
< 2020-06-17 18:19:53.045 PASV
< 2020-06-17 18:19:53.045 EPSV
< 2020-06-17 18:19:53.045 SPSV
< 2020-06-17 18:19:53.045 ESTP
< 2020-06-17 18:19:53.045 211 End.
> 2020-06-17 18:19:53.045 OPTS UTF8 ON
< 2020-06-17 18:19:53.049 200 OK, UTF-8 enabled
> 2020-06-17 18:19:53.049 PBSZ 0
< 2020-06-17 18:19:53.051 200 PBSZ=0
> 2020-06-17 18:19:53.051 PROT P
< 2020-06-17 18:19:53.055 200 Data protection level set to "private"
. 2020-06-17 18:19:53.058 Verbonden
. 2020-06-17 18:19:53.058 Got reply 1 to the command 1
. 2020-06-17 18:19:53.058 Doing startup conversation with host.
> 2020-06-17 18:19:53.063 PWD
< 2020-06-17 18:19:53.066 257 "/" is your current location
. 2020-06-17 18:19:53.066 Got reply 1 to the command 16
. 2020-06-17 18:19:53.066 Changing directory to "/web/folder/img".
> 2020-06-17 18:19:53.066 CWD /web/folder/img
< 2020-06-17 18:19:53.069 250 OK. Current directory is /web/folder/img
. 2020-06-17 18:19:53.069 Got reply 1 to the command 16
. 2020-06-17 18:19:53.069 Getting current directory name.
> 2020-06-17 18:19:53.069 PWD
< 2020-06-17 18:19:53.072 257 "/web/folder/img" is your current location
. 2020-06-17 18:19:53.072 Got reply 1 to the command 16
. 2020-06-17 18:19:53.072 Startup conversation with host finished.
. 2020-06-17 18:19:53.086 Transfer progress: Transferred: 32.060.061, Left: 0:01:01, CPS: 10.577.387/s

This is the log entry from the moment the connection fails. This is in WinSCP, but happens with all FTP clients and OS distros.
Please double check that the configured port ranges match in pure-ftpd config and the firewall. If the server is behind a router or external firewall, then the same range must be opened in the router/firewall as well. Besides that, there is also a passive IP setting in pure-ftpd. Maybe it helps to set that as well, but only in case the server is behind a NAT router. Do the errors occur also when you choose active FTP mode, or just in passive FTP mode?
Server is not behind a router or external firewall, it has its own public IP. I will contact my provider to see if they block the ports.
Hmm, strange. I'm a bit out of ideas at the moment as I did not have such an issue on my systems yet. Maybe someone else has an idea what might cause this.
Just saw an error message popping up and leaving as fast as it came, but it seemed like it was trying to connect on port 15000 (while Passive Port Range is set). Weird...
Okay, when disabling the firewall, it works now. But I can see that Pure-FTPD is not using the PassivePortRange: the connections are on ports that are below or above the specified range.
Please run these commands:
systemctl restart pure-ftpd-mysql
systemctl status pure-ftpd-mysql
and post the result of the second command.
Code:
root@servername:/home/user# systemctl restart pure-ftpd-mysql
root@servername:/home/user# systemctl status pure-ftpd-mysql
● pure-ftpd-mysql.service
   Loaded: loaded (/etc/init.d/pure-ftpd-mysql; generated)
   Active: active (running) since Tue 2020-06-23 14:09:42 CEST; 976ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4557 ExecStart=/etc/init.d/pure-ftpd-mysql start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4701)
   Memory: 1.5M
   CGroup: /system.slice/pure-ftpd-mysql.service
           └─4568 pure-ftpd (SERVER)

Jun 23 14:09:42 servername systemd[1]: Starting pure-ftpd-mysql.service...
Jun 23 14:09:42 servername pure-ftpd-mysql[4557]: Starting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pu
Jun 23 14:09:42 servername systemd[1]: Started pure-ftpd-mysql.service.
Hmm, are you able to resize the screen so we can get the full line, or maybe there is a systemctl option for that:
Jun 23 14:09:42 servername pure-ftpd-mysql[4557]: Starting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pu
because there we should be able to see if pure-ftpd recognized the port settings.
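
An added example, not written by any poster in this thread and not part of Pure-FTPd or ISPConfig: a shell check that reads the passive range from the daemon's full command line (pure-ftpd's `-p LOW:HIGH` option) and tests whether the data port announced in a PASV/EPSV reply from a client log lies inside it. The command line, the config path in it, the addresses and the replies are constructed samples, and the function names are hypothetical.

```sh
# Added example; command line, addresses and replies are constructed samples.

# Print "LOW HIGH" from a pure-ftpd command line that carries
# "-p LOW:HIGH" (or "--passiveportrange LOW:HIGH"); return 1 otherwise.
passive_range_from_cmdline() (
    set -f                              # no globbing while splitting $1
    prev=""
    for arg in $1; do
        if [ "$prev" = "-p" ] || [ "$prev" = "--passiveportrange" ]; then
            case "$arg" in
                *[!0-9:]*|:*|*:|*:*:*) return 1 ;;
                *:*) echo "${arg%%:*} ${arg##*:}"; return 0 ;;
                *) return 1 ;;
            esac
        fi
        prev=$arg
    done
    return 1
)

# Print the data port announced in a 227 (PASV) or 229 (EPSV) reply.
data_port_from_reply() (
    case "$1" in
        227*"("*,*,*,*,*,*")"*)
            nums=${1#*"("}; nums=${nums%%")"*}
            p2=${nums##*,}; rest=${nums%,*}; p1=${rest##*,}
            case "$p1,$p2" in ,*|*,|*[!0-9,]*) return 1 ;; esac
            echo $(( p1 * 256 + p2 )) ;;
        229*"(|||"*"|)"*)
            port=${1#*"(|||"}; port=${port%%"|"*}
            case "$port" in ""|*[!0-9]*) return 1 ;; esac
            echo "$port" ;;
        *) return 1 ;;
    esac
)

# 0 = port inside the range, 1 = outside, 2 = no range or unparsable reply.
check_reply() (                         # $1 = command line, $2 = reply
    range=$(passive_range_from_cmdline "$1") || return 2
    port=$(data_port_from_reply "$2") || return 2
    [ "$port" -ge "${range% *}" ] && [ "$port" -le "${range#* }" ]
)

CMDLINE='/usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/path/to/mysql.conf -p 40110:40210'
for reply in '227 Entering Passive Mode (203,0,113,10,156,206)' \
             '227 Entering Passive Mode (203,0,113,10,58,152)'; do
    if check_reply "$CMDLINE" "$reply"; then echo "inside range:  $reply"
    else echo "OUTSIDE range: $reply"; fi
done
```

`systemctl status -l --no-pager pure-ftpd-mysql` prints the `Running:` line without truncation, which gives the command line to pass as the first argument. A return code of 2 from `check_reply` on that line means no `-p` range reached the daemon at all.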