• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved FTP NAT Firewall

W

weelow

Basic Pleskian
Hello,
I tried searching for weeks on this problem without finding a solution
I am unable to get directory listing using the local IP example 192.168.1.10 or the external server ip
to narrow the problem down i connected locally and i ensured plesk firewall rule for ports
20-21 and 60000-65534
i even disabled the firewall completely using
sudo systemctl stop firewalld

I also made sure to add a pasv.conf file with
<Global>
.... added the passive ports here
</Global>

I checkted the ftp tls log file on the server and there was no issues
Filezila could connect to the server but could never get the directory listing using either the active or passive connection methods from a local ip address.

I managed to get SFTP working from a system user account charooted but that is not what i want.
I want to disable SFTP to make the server more secure and only make SSH port avaialbe through a VPN connection for the server admins. As for FTP its driving me nuts to set it up on linux. I got it working on a windows machine on the same network.

I appreciate all the help i can get. Thank you.

Here is a log from FileZilla

15:35:40 Status: Resolving address of xXX.XXxx.com
15:35:40 Status: Connecting to XX.XX.XX.XX:21...
15:35:40 Status: Connection established, waiting for welcome message...
15:35:40 Trace: CFtpControlSocket::OnReceive()
15:35:40 Response: 220 ProFTPD 1.3.5b Server (ProFTPD) [XX.XX.XX.XX]
15:35:40 Trace: CFtpControlSocket::SendNextCommand()
15:35:40 Command: AUTH TLS
15:35:40 Trace: CFtpControlSocket::OnReceive()
15:35:40 Response: 234 AUTH TLS successful
15:35:40 Status: Initializing TLS...
15:35:40 Trace: CTlsSocket::Handshake()
15:35:40 Trace: CTlsSocket::ContinueHandshake()
15:35:40 Trace: TLS handshake: About to send CLIENT HELLO
15:35:40 Trace: TLS handshake: Sent CLIENT HELLO
15:35:40 Trace: CTlsSocket::OnSend()
15:35:40 Trace: CTlsSocket::OnRead()
15:35:40 Trace: CTlsSocket::ContinueHandshake()
15:35:40 Trace: CTlsSocket::OnRead()
15:35:40 Trace: CTlsSocket::ContinueHandshake()
15:35:40 Trace: TLS handshake: Received SERVER HELLO
15:35:40 Trace: TLS handshake: Processed SERVER HELLO
15:35:40 Trace: TLS handshake: Received CERTIFICATE
15:35:40 Trace: TLS handshake: Processed CERTIFICATE
15:35:40 Trace: TLS handshake: Received SERVER KEY EXCHANGE
15:35:40 Trace: TLS handshake: Processed SERVER KEY EXCHANGE
15:35:40 Trace: TLS handshake: Received CERTIFICATE REQUEST
15:35:40 Trace: TLS handshake: Processed CERTIFICATE REQUEST
15:35:40 Trace: TLS handshake: Received SERVER HELLO DONE
15:35:40 Trace: TLS handshake: Processed SERVER HELLO DONE
15:35:40 Trace: TLS handshake: About to send CERTIFICATE
15:35:40 Trace: TLS handshake: Sent CERTIFICATE
15:35:40 Trace: TLS handshake: About to send CLIENT KEY EXCHANGE
15:35:40 Trace: TLS handshake: Sent CLIENT KEY EXCHANGE
15:35:40 Trace: TLS handshake: About to send FINISHED
15:35:40 Trace: TLS handshake: Sent FINISHED
15:35:40 Trace: CTlsSocket::OnRead()
15:35:40 Trace: CTlsSocket::ContinueHandshake()
15:35:40 Trace: TLS handshake: Received FINISHED
15:35:40 Trace: TLS handshake: Processed FINISHED
15:35:40 Trace: TLS Handshake successful
15:35:40 Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
15:35:40 Status: Verifying certificate...
15:35:40 Status: TLS connection established.
15:35:40 Trace: CFtpControlSocket::SendNextCommand()
15:35:40 Command: USER whmcs_support
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 331 Password required for whmcs_support
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Command: PASS ******************
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 230 User whmcs_support logged in
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Command: OPTS UTF8 ON
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 UTF8 set to on
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Command: PBSZ 0
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 PBSZ 0 successful
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Command: PROT P
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 Protection set to Private
15:35:41 Status: Logged in
15:35:41 Trace: CFtpControlSocket::ResetOperation(0)
15:35:41 Trace: CControlSocket::ResetOperation(0)
15:35:41 Trace: CFileZillaEnginePrivate::ResetOperation(0)
15:35:41 Trace: Measured latency of 107 ms
15:35:41 Status: Retrieving directory listing...
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Trace: CFtpControlSocket::ChangeDirSend()
15:35:41 Command: PWD
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 257 "/" is the current directory
15:35:41 Trace: CFtpControlSocket::ResetOperation(0)
15:35:41 Trace: CControlSocket::ResetOperation(0)
15:35:41 Trace: CFtpControlSocket::parseSubcommandResult(0)
15:35:41 Trace: CFtpControlSocket::ListSubcommandResult()
15:35:41 Trace: state = 1
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Trace: CFtpControlSocket::TransferSend()
15:35:41 Trace: state = 1
15:35:41 Command: TYPE I
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 Type set to I
15:35:41 Trace: CFtpControlSocket::TransferParseResponse()
15:35:41 Trace: code = 2
15:35:41 Trace: state = 1
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Trace: CFtpControlSocket::TransferSend()
15:35:41 Trace: state = 2
15:35:41 Command: PORT 41,33,6,210,199,10
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 PORT command successful
15:35:41 Trace: CFtpControlSocket::TransferParseResponse()
15:35:41 Trace: code = 2
15:35:41 Trace: state = 2
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Trace: CFtpControlSocket::TransferSend()
15:35:41 Trace: state = 4
15:35:41 Command: MLSD
15:36:01 Error: Connection timed out after 20 seconds of inactivity
15:36:01 Trace: CControlSocket::DoClose(2050)
15:36:01 Trace: CFtpControlSocket::ResetOperation(2114)
15:36:01 Trace: CControlSocket::ResetOperation(2114)
15:36:01 Trace: CFtpControlSocket::ResetOperation(2114)
15:36:01 Trace: CControlSocket::ResetOperation(2114)
15:36:01 Error: Failed to retrieve directory listing
15:36:01 Trace: CFileZillaEnginePrivate::ResetOperation(2114)
 
SBDavid said:
Hello,

Are you forwarding the passive ports on the router?
Click to expand...
I have and i get connected which means port forwarding rules are working fine for the main ports 21-20 so the passive ports should be working properly.

I even tried connecting locally directly to the server without any routers and disabled the Linux firewall and restarted the service and tried connecting and again i get the same error when listing the directories
 
Hi,

Did you see KB https://support.plesk.com/hc/en-us/...ge-for-ProFTPd-on-a-server-behind-a-firewall?

In passive mode, the second channel for data creates a client to a server. A client uses the port from server's answer.

PASSIVE (PASV)

This command requests the server-DTP to "listen" on a data
port (which is not its default data port) and to wait for a
connection rather than initiate one upon receipt of a
transfer command. The response to this command includes the
host and port address this server is listening on.

weelow said:
15:35:41 Command: PORT a,b,c,d,199,10
Click to expand...
Four first digits - IP;
199 and 10 (server's port) = (199)*256 + (10) = 50954

So, in this session client make two connection:
- first (control) to port 21;
- second (data) to port 50954.

Could you check proftpd settings and iptables? Do you wrote "60000-65534" but server answers port 50954 - this is strange.
 
AYamshanov said:
Hi,

Did you see KB https://support.plesk.com/hc/en-us/...ge-for-ProFTPd-on-a-server-behind-a-firewall?

In passive mode, the second channel for data creates a client to a server. A client uses the port from server's answer.

PASSIVE (PASV)

This command requests the server-DTP to "listen" on a data
port (which is not its default data port) and to wait for a
connection rather than initiate one upon receipt of a
transfer command. The response to this command includes the
host and port address this server is listening on.


Four first digits - IP;
199 and 10 (server's port) = (199)*256 + (10) = 50954

So, in this session client make two connection:
- first (control) to port 21;
- second (data) to port 50954.

Could you check proftpd settings and iptables? Do you wrote "60000-65534" but server answers port 50954 - this is strange.
Click to expand...
You are right. I think this is the problem. I have everything set for port range 60000-65534 and i just used netstat on the server and it is using ports below that range for some reason. Although i followed guide lines to configure proftpd.conf files and everything seams to be in the right place unless plesk is reading from a different conf file.

I am going to try to find all file names with .conf and check them out. Maybe there is another file overwriting my settings.
 
Perfect, there was a config file with the wrong port range. I deleted it and made sure the correct conf file was imported and included in the main conf file. and now i got a working ftp server.

Thanks
 
You must log in or register to reply here.

Similar threads

tobias888
Resolved FTP connection
Replies
3
Views
2K
tobias888
tobias888
Epic Voyage
Issue PHP imap_open + ADDTrust External CA Root Expiration
Replies
1
Views
2K
Epic Voyage
Epic Voyage
websavers
Forwarded to devs PHP libcurl fails to populate certinfo array
Replies
2
Views
4K
websavers
websavers
D
Resolved LetsEncrypt licence renewal fails
Replies
6
Views
2K
Dimitri Bailo Saksybaev
D
A
Issue Server shut down randomly
Replies
12
Views
8K
adijeff
A
Back
Top