
Issue Always FTP error: 425 Unable to build data connection: Permission denied

fferraro87

Basic Pleskian
Hi,
I'm sorry, I know that there are many other threads like this, but I've tried all the solutions and nothing has solved the problem.

If I try to connect in active mode, I get the error in the subject.

In passive mode, instead, I get a connection timeout.

My Plesk server is behind NAT, so I followed this link: Unable to connect to a Plesk server via FTP in the passive mode

But I always get the same error. I've added MasqueradeAddress and the passive ports range to the proftpd configuration file and to the Plesk firewall, but I always get the same error.

Do you know why?

I'm on Plesk 17.8.11 Update #7 on CentOS 7.

Thanks
 
Hi fferraro87,

Could you post the FTP client's log? Anyway, I think you didn't allow "ftp-data" traffic somewhere. I suggest checking everything one more time.
 
If active FTP is not working, it's almost always because of:

a) module nf_conntrack_ftp not loaded
b) nf_conntrack_helper is not enabled (cat /proc/sys/net/netfilter/nf_conntrack_helper)
 
Hi,
thanks for your support. I've loaded nf_conntrack_ftp and enabled nf_conntrack_helper.
Now I get this error:

Code:
Jun  1 10:31:46 gold2 proftpd[17412]: 0.0.0.0 (93.44.187.3[93.44.187.3]) - Refused PORT 100,102,152,185,128,3 (address mismatch)

This is my /etc/proftpd.conf:


Code:
ServerName      "ProFTPD"
#ServerType     standalone
ServerType      inetd
DefaultServer   on
MasqueradeAddress 185.96.217.37
<Global>
DefaultRoot     ~psacln
AllowOverwrite  on
PassivePorts    49152 65534
<IfModule mod_tls.c>
# common settings for all virtual hosts
TLSEngine on
TLSRequired off

TLSLog /var/log/plesk/ftp_tls.log

TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off

# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate none

# As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
# that reuse the SSL session of the control connection, as a security measure.
# Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
TLSOptions NoSessionReuseRequired
</IfModule>
</Global>

DefaultTransferMode     binary
UseFtpUsers     on

TimesGMT        off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances    30

#The following part of this config file was generated by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd.scoreboard

# Primary log file must be outside of system logrotate province

TransferLog /var/log/plesk/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
GroupOwner      psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off

AuthGroupFile   /etc/group

Include /etc/proftpd.d/*.conf

And this is /etc/proftpd.d/55-passive-ports.conf:

Code:
<Global>
PassivePorts 49152 65534
<IfModule mod_tls.c>
# common settings for all virtual hosts
TLSEngine on
TLSRequired off

TLSLog /var/log/plesk/ftp_tls.log

TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off

# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate none

# As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
# that reuse the SSL session of the control connection, as a security measure.
# Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
TLSOptions NoSessionReuseRequired
</IfModule>
</Global>
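
The "Refused PORT ... (address mismatch)" line quoted above can be decoded to see which address and port the client advertised for the active-mode data connection and how it compares with the address the control connection came from. This is an added example, not part of the original thread; the function names are hypothetical and the sample input is the log line from the post.

```python
import ipaddress
import re

# Sample input: the proftpd log line quoted in the post above.
SAMPLE = ("Jun  1 10:31:46 gold2 proftpd[17412]: 0.0.0.0 "
          "(93.44.187.3[93.44.187.3]) - Refused PORT 100,102,152,185,128,3 "
          "(address mismatch)")

LINE_RE = re.compile(
    r"\((?P<host>[^\[\]()]+)\[(?P<peer>[0-9.]+)\]\) - "
    r"Refused PORT (?P<arg>\d{1,3}(?:,\d{1,3}){5}) \(address mismatch\)")

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def decode_port_arg(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    addr = ipaddress.IPv4Address(".".join(map(str, parts[:4])))
    return addr, parts[4] * 256 + parts[5]


def explain_refusal(line):
    """Return details of a 'Refused PORT ... (address mismatch)' line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    peer = ipaddress.IPv4Address(m.group("peer"))
    advertised, port = decode_port_arg(m.group("arg"))
    return {
        "peer": str(peer),              # source address of the control connection
        "advertised": str(advertised),  # address the client put in PORT
        "port": port,
        "mismatch": advertised != peer,
        # A non-routable advertised address means the client sits behind NAT
        # and sent its internal address in the PORT command.
        "client_behind_nat": advertised.is_private or advertised in CGNAT,
    }


if __name__ == "__main__":
    print(explain_refusal(SAMPLE))
```

For the quoted line, the client connected from 93.44.187.3 but advertised 100.102.152.185 port 32771, an address in the carrier-grade NAT range that the server cannot reach directly.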
 