FTP and TLS on 10.10 Perfect Server with ISPC3

Discussion in 'Installation/Configuration' started by MattJo., Oct 19, 2010.

  1. MattJo.

    MattJo. New Member

    Hello,

    I recently upgraded to 10.10 and 3.0.3 and was able to get most errors resolved, but I have run into a problem after enabling TLS in Pure-FTPd. I get the following in FileZilla:

    Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response: 220-You are user number 1 of 50 allowed.
    Response: 220-Local time is now 10:45. Server port: 21.
    Response: 220-This is a private system - No anonymous login
    Response: 220-IPv6 connections are also welcome on this server.
    Response: 220 You will be disconnected after 15 minutes of inactivity.
    Trace: CFtpControlSocket::SendNextCommand()
    Command: AUTH TLS
    Trace: CFtpControlSocket::OnReceive()
    Response: 234 AUTH TLS OK.
    Status: Initializing TLS...
    Trace: CTlsSocket::Handshake()
    Trace: CTlsSocket::ContinueHandshake()
    Trace: CTlsSocket::OnSend()

    I checked some of the forum posts and thought doing what bolek2000 suggests here would work: http://www.howtoforge.com/forums/showthread.php?t=39949&highlight=FTP TLS

    but that didn't do the trick either. I also tried re-installing ISPC 3 and that didn't solve anything either.

    I have both ports 20 and 21 open and am using Active so I am at a loss.

    Please help,

    thanks,

    Matt
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Did you try passive mode as well? Which FTP client do you use?
     
  3. MattJo.

    MattJo. New Member

    falko,

    I tried from a Mac and a Windows machine (one local and one remote), both with FileZilla, with both active and passive. I checked the firewalls on the server and the gateway and can't see anything I am missing. Below is as much and as far as I got from FileZilla.

    thanks in advance,

    Matt

    Status: Connecting to xxx.xxx.xx.xx:21...
    Status: Connection established, waiting for welcome message...
    Trace: CFtpControlSocket::OnReceive()
    Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response: 220-You are user number 1 of 50 allowed.
    Response: 220-Local time is now 23:44. Server port: 21.
    Response: 220-This is a private system - No anonymous login
    Response: 220-IPv6 connections are also welcome on this server.
    Response: 220 You will be disconnected after 15 minutes of inactivity.
    Trace: CFtpControlSocket::SendNextCommand()
    Command: AUTH TLS
    Trace: CFtpControlSocket::OnReceive()
    Response: 234 AUTH TLS OK.
    Status: Initializing TLS...
    Trace: CTlsSocket::Handshake()
    Trace: CTlsSocket::ContinueHandshake()
    Trace: CTlsSocket::OnSend()
    Trace: CControlSocket::DoClose(10)
    Trace: CFtpControlSocket::ResetOperation(74)
    Trace: CControlSocket::ResetOperation(74)
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Are there any errors in your logs?
     
  5. MattJo.

    MattJo. New Member

    None. I also had problems trying to get TLS to work correctly with Postfix as well, as it happens.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Did you get any errors when you created the certificate? Did you accept the default values, or did you enter your own values?
     
  7. MattJo.

    MattJo. New Member

    Falko,

    I use a Linux-based UTM that was scanning FTP traffic--I turned this off and was able to get more info from FileZilla--it's still failing to connect, but it looks like the FTP server is replying with the server's LAN IP and not the external WAN IP. I have tried active and passive modes and have the same issue as below.

    Command: PASV
    Trace: CTlsSocket::OnRead()
    Trace: CFtpControlSocket::OnReceive()
    Response: 227 Entering Passive Mode (192,168,xxx,xxx,xx,xxx)
    Trace: CFtpControlSocket::TransferParseResponse()
    Trace: code = 2
    Trace: state = 2
    Status: Server sent passive reply with unroutable address. Using server address instead.
    Trace: Reply: 192.168.xxx.xxx, peer: xxx.xxx.xxx.xxx
    Trace: CFtpControlSocket::SendNextCommand()
    Trace: CFtpControlSocket::TransferSend()
    Trace: state = 4
    Command: MLSD
    Trace: CTransferSocket::OnConnect
    Trace: CTlsSocket::Handshake()
    Trace: CTlsSocket::ContinueHandshake()
    Trace: CTlsSocket::Failure(-53, 53)
    Error: GnuTLS error -53: Error in the push function.
    Trace: CTransferSocket::TransferEnd(3)
    Trace: CFtpControlSocket::TransferEnd()

    thanks,

    Matt
     
  8. MattJo.

    MattJo. New Member

    Do I set the passive response IP with this command?

    sudo pure-ftpd -P xxx.xxx.xxx.xxx

    thanks,

    Matt
     
  9. MattJo.

    MattJo. New Member

    OK so I set ForcePassiveIP and PassivePortRange in /etc/pure-ftpd/conf/ and restarted pure-ftpd and also rebooted the server.

    I also opened the appropriate ports in ISPConfig and my router, but I still can't get a directory listing in FileZilla.

    thanks,

    Matt

    The only error I can see is in FileZilla:

    Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,234,195)
    Trace: CFtpControlSocket::TransferParseResponse()
    Trace: code = 2
    Trace: state = 2
    Trace: CFtpControlSocket::SendNextCommand()
    Trace: CFtpControlSocket::TransferSend()
    Trace: state = 4
    Command: MLSD
    Trace: CTransferSocket::OnConnect
    Trace: CTlsSocket::Handshake()
    Trace: CTlsSocket::ContinueHandshake()
    Trace: CTlsSocket::Failure(-53, 53)
    Error: GnuTLS error -53: Error in the push function.
    Trace: CTransferSocket::TransferEnd(3)
    Trace: CFtpControlSocket::TransferEnd()
    Trace: CTlsSocket::OnRead()
    Trace: CFtpControlSocket::OnReceive()
    Response: 421 Timeout
    Trace: CFtpControlSocket::TransferParseResponse()
    Trace: code = 4
    Trace: state = 6
    Trace: CFtpControlSocket::ResetOperation(2)
    Trace: CControlSocket::ResetOperation(2)
    Trace: CFtpControlSocket::parseSubcommandResult(2)
    Trace: CFtpControlSocket::ListSubcommandResult()
    Trace: state = 3
    Trace: CFtpControlSocket::ResetOperation(2)
    Trace: CControlSocket::ResetOperation(2)
    Error: Failed to retrieve directory listing
    Trace: CFileZillaEnginePrivate::ResetOperation(2)
    Trace: CTlsSocket::Failure(-9, 0)
    Error: GnuTLS error -9: A TLS packet with unexpected length was received.
    Status: Server did not properly shut down TLS connection
    Error: Could not read from socket: ECONNABORTED - Connection aborted
    Error: Disconnected from server
    Trace: CControlSocket::DoClose(64)
    Trace: CFtpControlSocket::ResetOperation(66)
    Trace: CControlSocket::ResetOperation(66)
    Trace: CFileZillaEnginePrivate::ResetOperation(66)

    Here is what I get from the server system log at this time:

    Oct 26 16:50:33 server pure-ftpd: (?@xxx.xxx.xxx.xxx) [INFO] New connection from xxx.xxx.xxx.xxx
    Oct 26 16:50:34 server pure-ftpd: (?@xxx.xxx.xxx.xxx) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES128-SHA, 128 secret bits cipher
    Oct 26 16:50:34 server pure-ftpd: (?@xxx.xxx.xxx.xxx) [INFO] *user* is now logged in
    Oct 26 16:55:01 server pure-ftpd: (?@::1) [INFO] New connection from ::1
    Oct 26 16:55:01 server pure-ftpd: (?@::1) [INFO] Logout.
    Oct 26 17:00:02 server pure-ftpd: (?@::1) [INFO] New connection from ::1
    Oct 26 17:00:02 server pure-ftpd: (?@::1) [INFO] Logout.
    Oct 26 17:02:20 server pure-ftpd: (*user*@xxx.xxx.xxx.xxx) [INFO] Timeout
    Oct 26 17:05:01 server pure-ftpd: (?@::1) [INFO] New connection from ::1
    Oct 26 17:05:01 server pure-ftpd: (?@::1) [INFO] Logout.
     
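    The two failures above, the unroutable 192.168.x.x address in the first PASV reply and the data-connection handshake that still fails after ForcePassiveIP and PassivePortRange were set, can be checked mechanically from the client side. The script below is an added example, not code from this thread, from Pure-FTPd or from FileZilla: it parses a 227 reply the way a client does (port = p1*256 + p2), flags an RFC 1918, loopback or link-local address advertised to a public peer (the case FileZilla worked around by substituting the control-connection address), and checks that the advertised data port lies inside the PassivePortRange that was forwarded on the router. The sample replies, the public address 203.0.113.10 and the range "40000 50000" are constructed for the example; the thread does not give the real values.

```python
"""Client-side checks for a Pure-FTPd PASV (227) reply behind NAT.

Added example; not code from the thread, Pure-FTPd or FileZilla.
The sample replies, addresses and port range below are constructed.
"""
from __future__ import annotations

import ipaddress
import re

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Addresses a client on the public Internet cannot reach: RFC 1918 private
# ranges, loopback and link-local. This is what FileZilla's "unroutable
# address" status refers to.
UNROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (address, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"value out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_range(text: str) -> tuple[int, int]:
    """Parse the contents of /etc/pure-ftpd/conf/PassivePortRange, e.g. '40000 50000'."""
    lo, hi = (int(x) for x in text.split())
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad PassivePortRange: {text!r}")
    return lo, hi


def is_unroutable(address: str) -> bool:
    """True if the address is RFC 1918, loopback or link-local."""
    a = ipaddress.ip_address(address)
    return any(a in net for net in UNROUTABLE)


def check_pasv(reply: str, control_address: str, port_range: str) -> list[str]:
    """Apply the NAT checks to a PASV reply.

    control_address is the address the client connected to on port 21
    (FileZilla's "peer"); port_range is the PassivePortRange file text.
    Returns a list of findings; an empty list means the reply is usable.
    """
    address, port = parse_pasv(reply)
    lo, hi = parse_port_range(port_range)
    findings = []
    if is_unroutable(address) and not is_unroutable(control_address):
        findings.append(
            f"advertised {address} is unroutable from the Internet; "
            f"set ForcePassiveIP to the public address"
        )
    elif address != control_address:
        findings.append(
            f"advertised {address} differs from control-connection address {control_address}"
        )
    if not lo <= port <= hi:
        findings.append(
            f"data port {port} is outside PassivePortRange {lo}-{hi}; "
            f"the router will not forward it"
        )
    return findings


if __name__ == "__main__":
    # Constructed samples: the LAN-address case, the same port after
    # ForcePassiveIP was set, and a reply whose port lies in the range.
    # 203.0.113.10 stands in for the real public IP.
    for s in (
        "227 Entering Passive Mode (192,168,1,10,234,195)",
        "227 Entering Passive Mode (203,0,113,10,234,195)",
        "227 Entering Passive Mode (203,0,113,10,156,64)",
    ):
        print(s, "->", parse_pasv(s), check_pasv(s, "203.0.113.10", "40000 50000") or "OK")
```

    A reply that passes all three checks and still dies at the TLS handshake on the data port points at the path between client and server (the router's port forwarding, an ALG or UTM inspecting port 21, or iptables on the host) rather than at the Pure-FTPd configuration itself.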
  10. falko

    falko Super Moderator ISPConfig Developer

    Hm, not sure what the problem is. Have you tried from within your LAN and from the outside? Maybe it's a problem with your router.
     
  11. MattJo.

    MattJo. New Member

    I have tried from within the LAN on which the server resides and have the same problem (although maybe the forced IP has something to do with it?)

    I will try offsite access today.

    Should it not work, what's the best course of action to reinstall Pure-FTPd and start from scratch without a complete reinstall of Ubuntu and ISPConfig?

    thanks,

    Matt
     
  12. falko

    falko Super Moderator ISPConfig Developer

    Try
    Code:
    apt-get purge pure-ftpd-common pure-ftpd-mysql
     
  13. MattJo.

    MattJo. New Member

    So I did that, rebooted, and reinstalled per the instructions for FTP without TLS, and I am getting the same problem as prior to the uninstall, and I can't access my FTP account for my site even via normal FTP. Do I need to purge it and then reinstall ISPConfig as well?

    I've concluded that the problem is in part the router the server is located on--a Netgear FVS-318G--even though the ports are open, it is modifying the communication somehow between the server and the client.

    How robust is the Perfect Server firewall if I set it up with a public IP directly? And, assuming I get the FTP working again, can I just change eth0 to the public IP without any problems?

    thanks,

    Matt
     
  14. falko

    falko Super Moderator ISPConfig Developer

    It's a normal iptables firewall, so it's very robust.
     