Hello, For some reason, I am able to connect via unencrypted FTP but when I attempt to connect via explicit TLS, I receive the following error: Code: Status: Connection established, waiting for welcome message... Status: Initializing TLS... Status: TLS connection established. Status: Logged in Status: Retrieving directory listing... Command: PWD Response: 257 "/" is your current location Command: TYPE I Response: 200 TYPE is now 8-bit binary Command: PASV Response: 227 Entering Passive Mode (135,148,232,37,156,209) Command: MLSD Error: GnuTLS error -110: The TLS connection was non-properly terminated. Status: Server did not properly shut down TLS connection Error: The data connection could not be established: ECONNABORTED - Connection aborted Error: Connection timed out after 20 seconds of inactivity Error: Failed to retrieve directory listing Here are the logs from the server side: Code: Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] New connection from 1.2.3.4 Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [auth] [TLS] Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] SNI: [website.com] Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] SNI: [website.com] Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [user] [user] Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [pass] [<*>] Apr 25 15:05:55 webapi2 pure-ftpd: ([email protected]) [INFO] user is now logged in Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [opts] [UTF8 ON] Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [pbsz] [0] Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [prot] [P] Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [pwd] [] Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [type] [I] Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [pasv] [] Apr 25 15:05:56 webapi2 pure-ftpd: ([email protected]) [DEBUG] Command [mlsd] [] I have configured PassivePorts in /etc/pure-ftpd/conf/PassivePortRange to 40110 40210 Additionally, there is no firewall currently configured. I have whitelisted my IP on the provider side (ovh US) to allow all connections instead. Finally, I've ensured an ssl cert is properly symlinked here: /etc/ssl/private/pure-ftpd.pem I've also restarted pure-ftpd-mysql several times at this point (after each change performed). Can anyone give me a hand? I really appreciate it! Here is the output of htf_reports.txt: Code: ##### SERVER ##### IP-address (as per hostname): ***.***.***.*** [WARN] could not determine server's ip address by ifconfig [INFO] OS version is Ubuntu 22.04.4 LTS [INFO] uptime: 14:56:54 up 13:02, 3 users, load average: 0.70, 1.12, 1.65 [INFO] memory: total used free shared buff/cache available Mem: 28Gi 3.6Gi 21Gi 158Mi 3.8Gi 24Gi Swap: 0B 0B 0B [INFO] systemd failed services status: UNIT LOAD ACTIVE SUB DESCRIPTION ● snap.lxd.activate.service loaded failed failed Service for snap application lxd.activate LOAD = Reflects whether the unit definition was properly loaded. ACTIVE = The high-level unit activation state, i.e. generalization of SUB. SUB = The low-level unit activation state, values depend on unit type. 1 loaded units listed. [INFO] ISPConfig is installed. ##### ISPCONFIG ##### ISPConfig version is 3.2.11p2 ##### VERSION CHECK ##### [INFO] php (cli) version is 8.1.28 [INFO] php-cgi (used for cgi php in default vhost!) is version 8.1.28 ##### PORT CHECK ##### ##### MAIL SERVER CHECK ##### ##### RUNNING SERVER PROCESSES ##### [INFO] I found the following web server(s): Unknown process (nginx:) (PID 148840) [INFO] I found the following mail server(s): Postfix (PID 1720) [INFO] I found the following pop3 server(s): Dovecot (PID 661) [INFO] I found the following imap server(s): Dovecot (PID 661) [INFO] I found the following ftp server(s): PureFTP (PID 171760) ##### LISTENING PORTS ##### (only () Local (Address) [anywhere]:4190 (661/dovecot) [anywhere]:8080 (148840/nginx:) [anywhere]:8081 (148840/nginx:) ***.***.***.***:53 (750/named) ***.***.***.***:53 (750/named) ***.***.***.***:53 (750/named) ***.***.***.***:53 (750/named) ***.***.***.***:53 (750/named) ***.***.***.***:53 (750/named) ***.***.***.***:53 (750/named) ***.***.***.***:53 (750/named) [localhost]:10023 (1054/postgrey) ***.***.***.***:40145 (191890/pure-ftpd) ***.***.***.***:40189 (191743/pure-ftpd) [anywhere]:587 (1720/master) [anywhere]:993 (661/dovecot) [anywhere]:995 (661/dovecot) [localhost]:9090 (663/grafana-agent) [localhost]:9091 (663/grafana-agent) [anywhere]:143 (661/dovecot) [anywhere]:80 (148840/nginx:) [anywhere]:110 (661/dovecot) [anywhere]:21 (171760/pure-ftpd) [anywhere]:22 (191526/sshd:) [anywhere]:25 (1720/master) [anywhere]:465 (1720/master) [anywhere]:443 (148840/nginx:) [localhost]:11334 (1002/rspamd:) [anywhere]:3306 (4462/mariadbd) [localhost]:11332 (1002/rspamd:) [localhost]:11333 (1002/rspamd:) [localhost]:11211 (669/memcached) [localhost]:6379 (707/redis-server) [anywhere]:8887 (1871/bdsecd) [localhost]:953 (750/named) [localhost]:953 (750/named) [localhost]:953 (750/named) [localhost]:953 (750/named) [localhost]:953 (750/named) [localhost]:953 (750/named) [localhost]:953 (750/named) [localhost]:953 (750/named) [localhost]:53 (750/named) [localhost]:53 (750/named) [localhost]:53 (750/named) [localhost]:53 (750/named) [localhost]:53 (750/named) [localhost]:53 (750/named) [localhost]:53 (750/named) [localhost]:53 (750/named) ***.***.***.***:53 (622/systemd-resolve) *:*:*:*::*:4190 (661/dovecot) *:*:*:*::*:8080 (148840/nginx:) *:*:*:*::*:8081 (148840/nginx:) *:*:*:*::*:6379 (707/redis-server) *:*:*:*::*:953 (750/named) *:*:*:*::*:953 (750/named) *:*:*:*::*:953 (750/named) *:*:*:*::*:953 (750/named) *:*:*:*::*:953 (750/named) *:*:*:*::*:953 (750/named) *:*:*:*::*:953 (750/named) *:*:*:*::*:953 (750/named) *:*:*:*::*9:53 (750/named) *:*:*:*::*9:53 (750/named) *:*:*:*::*9:53 (750/named) *:*:*:*::*9:53 (750/named) *:*:*:*::*9:53 (750/named) *:*:*:*::*9:53 (750/named) *:*:*:*::*9:53 (750/named) *:*:*:*::*9:53 (750/named) *:*:*:*::*:53 (750/named) *:*:*:*::*:53 (750/named) *:*:*:*::*:53 (750/named) *:*:*:*::*:53 (750/named) *:*:*:*::*:53 (750/named) *:*:*:*::*:53 (750/named) *:*:*:*::*:53 (750/named) *:*:*:*::*:53 (750/named) *:*:*:*::*:587 (1720/master) *:*:*:*::*:993 (661/dovecot) *:*:*:*::*:995 (661/dovecot) [localhost]43 (661/dovecot) *:*:*:*::*:80 (148840/nginx:) [localhost]10 (661/dovecot) *:*:*:*::*:21 (171760/pure-ftpd) *:*:*:*::*:22 (191526/sshd:) *:*:*:*::*:25 (1720/master) *:*:*:*::*:465 (1720/master) *:*:*:*::*:443 (148840/nginx:) *:*:*:*::*:3306 (4462/mariadbd) *:*:*:*::*f816:3eff:fe83:53 (750/named) *:*:*:*::*f816:3eff:fe83:53 (750/named) *:*:*:*::*f816:3eff:fe83:53 (750/named) *:*:*:*::*f816:3eff:fe83:53 (750/named) *:*:*:*::*f816:3eff:fe83:53 (750/named) *:*:*:*::*f816:3eff:fe83:53 (750/named) *:*:*:*::*f816:3eff:fe83:53 (750/named) *:*:*:*::*f816:3eff:fe83:53 (750/named) ##### IPTABLES ##### Chain INPUT (policy ACCEPT) target prot opt source destination Bitdefender-21-in all -- [anywhere]/0 [anywhere]/0 Bitdefender-22-in all -- [anywhere]/0 [anywhere]/0 ufw-before-logging-input all -- [anywhere]/0 [anywhere]/0 ufw-before-input all -- [anywhere]/0 [anywhere]/0 ufw-after-input all -- [anywhere]/0 [anywhere]/0 ufw-after-logging-input all -- [anywhere]/0 [anywhere]/0 ufw-reject-input all -- [anywhere]/0 [anywhere]/0 ufw-track-input all -- [anywhere]/0 [anywhere]/0 Chain FORWARD (policy ACCEPT) target prot opt source destination ufw-before-logging-forward all -- [anywhere]/0 [anywhere]/0 ufw-before-forward all -- [anywhere]/0 [anywhere]/0 ufw-after-forward all -- [anywhere]/0 [anywhere]/0 ufw-after-logging-forward all -- [anywhere]/0 [anywhere]/0 ufw-reject-forward all -- [anywhere]/0 [anywhere]/0 ufw-track-forward all -- [anywhere]/0 [anywhere]/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination Bitdefender-21-out all -- [anywhere]/0 [anywhere]/0 Bitdefender-22-out all -- [anywhere]/0 [anywhere]/0 ufw-before-logging-output all -- [anywhere]/0 [anywhere]/0 ufw-before-output all -- [anywhere]/0 [anywhere]/0 ufw-after-output all -- [anywhere]/0 [anywhere]/0 ufw-after-logging-output all -- [anywhere]/0 [anywhere]/0 ufw-reject-output all -- [anywhere]/0 [anywhere]/0 ufw-track-output all -- [anywhere]/0 [anywhere]/0 Chain Bitdefender-21-in (1 references) target prot opt source destination ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8887 mark match ! 0x3887 Chain Bitdefender-21-out (1 references) target prot opt source destination ACCEPT tcp -- [anywhere]/0 [localhost] tcp dpt:8887 ! owner GID match 998 mark match ! 0x3887 Chain Bitdefender-22-in (1 references) target prot opt source destination ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8887 mark match ! 0x3887 Chain Bitdefender-22-out (1 references) target prot opt source destination ACCEPT tcp -- [anywhere]/0 [localhost] tcp dpt:8887 ! owner GID match 998 mark match ! 0x3887 Chain ufw-after-forward (1 references) target prot opt source destination Chain ufw-after-input (1 references) target prot opt source destination Chain ufw-after-logging-forward (1 references) target prot opt source destination Chain ufw-after-logging-input (1 references) target prot opt source destination Chain ufw-after-logging-output (1 references) target prot opt source destination Chain ufw-after-output (1 references) target prot opt source destination Chain ufw-before-forward (1 references) target prot opt source destination Chain ufw-before-input (1 references) target prot opt source destination Chain ufw-before-logging-forward (1 references) target prot opt source destination Chain ufw-before-logging-input (1 references) target prot opt source destination Chain ufw-before-logging-output (1 references) target prot opt source destination Chain ufw-before-output (1 references) target prot opt source destination Chain ufw-reject-forward (1 references) target prot opt source destination Chain ufw-reject-input (1 references) target prot opt source destination Chain ufw-reject-output (1 references) target prot opt source destination Chain ufw-track-forward (1 references) target prot opt source destination Chain ufw-track-input (1 references) target prot opt source destination Chain ufw-track-output (1 references) target prot opt source destination ##### LET'S ENCRYPT ##### acme.sh is installed in /root/.acme.sh/acme.sh
I had this issue with my boss, oftentimes He uses some weird ftp client on a mac which seems incompatible with anything out there as... well he never did an upgrade on that because the new version looks ugly or something Lesson learned on this; have you tried a different ftp client? Different settings? My note for that specific server where this is an issue is:
I just tried with winscp (was using filezilla) and I'm getting the same issue. TLS/SSL Implicit encryption -- I cant connect at all TLS/SSL Explicit encryption -- unable to list home directory
Hmm, ok. Might be a different thing then, the person I was referring to was able to connect using filezilla, anyone else in the team anyway haha. For him I had to diasble implicit, he had the same results as you have. But as it was a client issue for him and this seems a server issue for you, I doubt this is related much, though always worthy a try maybe. unless this is an issue for you. If you use ports in the ephemeral port range 32768–60999 it can be a firewall issue. I know some people here are using Hetzner for example. They have a default setting if you enable the firewall on these ports. I do not know top of my head if those could be an issue though. Maybe you want to check your sysctl net.ipv4.ip_local_port_range to look for free port ranges
When the Listing of files fails after switching to passive mode, this is usually a passive port range issue. The passive range can also be blocked by a firewall in front of your server, the firewall does not has to be running on the server itself. https://www.faqforge.com/linux/dist...ange-in-pure-ftpd-on-debian-and-ubuntu-linux/
I added a firewall rule at the provider level to allow all tcp traffic from my IP already but I will update the passive range to 40110 - 40112 and will add a rule to allow traffic from my IP going to those ports. I'm only using 3 ports for it because OVH doesnt allow me to do port ranges, I would need to configure a rule for each port Will report back, thanks @till @ztk.me !
Shouldn't the all ports + TCP status established rule work for this already on your OVH firewall? https://help.ovhcloud.com/csm/en-de...?id=kb_article_view&sysparm_article=KB0043448 Configuration example mid bottom
Still no go after adding those rules... OVH config below: I should probably have mentioned this initially, but I migrated to this host from an old ispconfig3 server. Old one was debian, the new one is ubuntu...
Am I right in the assumption you added an firewall rule to allow all and used white marker to redact your IP? looks like a bug, very second rule
Did you do the migration on the same server by apt upgrade or did you do a new setup and used migration tool? If you did an upgrade inplace, maybe your default configurations for pure-ftp are off maybe. Permissions on the users directory could be a potential issue aswell
It was a migration to an entirely different host via the migration tool About the permissions, I'm not sure that is it because If I connect via unencrypted ftp, everything works just fine
Do you see any setting on your ftp client to turn on or off concurrent data transfer or similar? I guess you used your IP for the port range, so there is no exhaustion due to bots? Same for 2nd rule above? And you matched the config in pure ftp to the firewall if you did not open all ports, just in case, making sure?
Looks like there is, I'll limit it to 1 connection for now I had a rule in there to allow all traffic from my IP, that one really should allow all connections from me without the need to list ports. Yeah, I don't need the ports open to the whole internet so I locked the additional rules to my IP + the same passive ports configured on the pure-ftpd side.
Does it work if you are on the server itself? For example using lftp? Code: $ lftp lftp :~> set ftp:ssl-force true lftp :~> connect ftp.domain.tld lftp ftp.domain.tld:~> login <username> https://unix.stackexchange.com/questions/71525/how-do-i-use-implicit-ftp-over-tls also noting lftp :~> set ssl:verify-certificate no if your ftp server has a not registered with some company certificate.
and if I had scrolled down, I'd seen this For implicit TLS / SSL using lftp please do these commands: connect ftps://ftp.domain.tld Note that this will connect you to port 990 directly using TLS. For explicit TLS / SSL: set ftp:ssl-force true connect ftp://ftp.domain.tld
Looks like this worked so I guess this is indeed a port issue? I was even able to ls and see all the directories when logged into the user.
