FTP timeout

Discussion in 'Installation/Configuration' started by Sheshman, May 15, 2020.

  1. Sheshman

    Sheshman Member

    Hi,
    Using the latest version of ISPConfig on Ubuntu 18.04.4 LTS (virtual machine running under Oracle VM). Ports 21 and 22 are reachable from LAN and WAN, SFTP works fine but FTP returns an operation timeout when I try to connect. I followed this article to solve it https://www.faqforge.com/linux/cont...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/ but it didn't help.
    Tried with 3 different FTP programs on two different PCs, on both the LAN and WAN IP addresses, but no luck so far. What am I missing?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Sheshman

    Sheshman Member

    You are right that I didn't provide much information, sorry about that.
    There are no error messages on the server side, but the FTP client says:
    Status: 192.168.1.16:21 connecting...
    Status: Connected, greetings list waiting...
    Status: Plain FTP is not safe Please switch to FTP over TLS
    Status: Successfully logged in
    Status: Retrieving folder list
    Command: PWD
    Response: 257 "/" is your current location
    Command: TYPE I
    Response: 200 TYPE is now 8-bit binary
    Command: PASV
    Response: 227 Entering Passive Mode (1,2,3,4,157,4)
    Command: MLSD
    Error: Connection terminated due to process not completed in 20 seconds
    Error: Folder list couldn't retrieved
    My FileZilla client is in Turkish so I translated the logs, excuse my poor English.
    Also I've created a log file with wget -q -O htf-common-issues.php "http://gitplace.net/pixcept/ispconfig-tools/raw/stable/htf-common-issues.php" && php -q htf-common-issues.php
    as attached.
     

    Attached Files:

  4. nhybgtvfr

    nhybgtvfr Active Member

    Ports 21 and 22 are for the FTP command channel and SSH.
    You also need to open port 20 for the FTP data channel in passive mode, or supply a range of ports in the pure-ftpd config, and the firewall, for the FTP data channel in active mode.
    Which it looks like you've done following that tutorial, with one problem:

    you've actually used the example IP 1.2.3.4:
    you need to replace that with the real public IP for that server and then restart the service again.
     
  5. Sheshman

    Sheshman Member

    Thanks for the heads up, I did correct the 1.2.3.4 to my external IP address but the problem still remains.
    I did check port 20 and it seems like it's not accessible from LAN or WAN, please see the attached screenshots. I've double checked the tutorial and it seems like this time I did it correctly, but the ISPConfig server doesn't respond on port 20 because it's still unreachable.

    Disabled ISPConfig's firewall and tried but no luck.

    Update: it seems like the server is not listening on port 20
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 13903/pure-ftpd (SE
    tcp 0 0 192.168.1.16:53 0.0.0.0:* LISTEN 670/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 670/named
    tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 566/systemd-resolve
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 822/sshd
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 577/cupsd
    tcp 0 0 192.168.1.16:40185 0.0.0.0:* LISTEN 15321/pure-ftpd (ID
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1182/master
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 670/named
    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 839/dovecot
    tcp 0 0 192.168.1.16:40162 0.0.0.0:* LISTEN 15588/pure-ftpd (ID
    tcp 0 0 192.168.1.16:40194 0.0.0.0:* LISTEN 15299/pure-ftpd (ID
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 839/dovecot
    tcp 0 0 192.168.1.16:40199 0.0.0.0:* LISTEN 15287/pure-ftpd (ID
    tcp 0 0 127.0.0.1:10023 0.0.0.0:* LISTEN 1090/postgrey --pid
    tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 1341/amavisd-new (m
    tcp 0 0 192.168.1.16:40201 0.0.0.0:* LISTEN 15950/pure-ftpd (ID
    tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 1182/master
    tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 1341/amavisd-new (m
    tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 1182/master
    tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 671/memcached
    tcp 0 0 192.168.1.16:40174 0.0.0.0:* LISTEN 13960/pure-ftpd (ID
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 839/dovecot
    tcp 0 0 192.168.1.16:40111 0.0.0.0:* LISTEN 15581/pure-ftpd (ID
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 839/dovecot
    tcp 0 0 192.168.1.16:40208 0.0.0.0:* LISTEN 15579/pure-ftpd (ID
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1182/master
    tcp 0 0 192.168.1.16:40178 0.0.0.0:* LISTEN 13965/pure-ftpd (ID
    tcp 0 0 192.168.1.16:40180 0.0.0.0:* LISTEN 15323/pure-ftpd (ID
    tcp6 0 0 :::21 :::* LISTEN 13903/pure-ftpd (SE
    tcp6 0 0 :::53 :::* LISTEN 670/named
    tcp6 0 0 :::22 :::* LISTEN 822/sshd
    tcp6 0 0 ::1:631 :::* LISTEN 577/cupsd
    tcp6 0 0 :::25 :::* LISTEN 1182/master
    tcp6 0 0 ::1:953 :::* LISTEN 670/named
    tcp6 0 0 :::443 :::* LISTEN 756/apache2
    tcp6 0 0 :::993 :::* LISTEN 839/dovecot
    tcp6 0 0 :::995 :::* LISTEN 839/dovecot
    tcp6 0 0 ::1:10024 :::* LISTEN 1341/amavisd-new (m
    tcp6 0 0 ::1:10026 :::* LISTEN 1341/amavisd-new (m
    tcp6 0 0 :::3306 :::* LISTEN 809/mysqld
    tcp6 0 0 :::110 :::* LISTEN 839/dovecot
    tcp6 0 0 :::143 :::* LISTEN 839/dovecot
    tcp6 0 0 :::8080 :::* LISTEN 756/apache2
    tcp6 0 0 :::80 :::* LISTEN 756/apache2
    tcp6 0 0 :::8081 :::* LISTEN 756/apache2
    tcp6 0 0 :::465 :::* LISTEN 1182/master
     

    Attached Files:

    Last edited: May 15, 2020
  6. nhybgtvfr

    nhybgtvfr Active Member

    Sorry, got active/passive the wrong way around in my 1st post. Active mode uses port 20, passive mode uses the ports you specify in the config file.
    Just need to clear that up to avoid any possible confusion.


    And the server doesn't need to listen on port 20. In both modes, the client connects to the server on port 21. In active mode the client sends a PORT command telling the server what client port to connect to, and the server initiates a data channel connection FROM port 20 on the server, to the specified port on the client. This means the client side firewall has to allow inbound connections from the server IP with a source port of 20, which it seems is too hard for most customers to configure themselves :(, hence its declining use.
     
  7. Sheshman

    Sheshman Member

    I'm doing my tests at the office and our gateway is pfSense, maybe that's causing the problem, huh?
     
  8. nhybgtvfr

    nhybgtvfr Active Member

    Any firewalls / NAT / load balancing on or anywhere between your PC and the remote server could be causing the problem.
     
  9. Sheshman

    Sheshman Member

    OK, my ISPConfig runs on Oracle VM, I'll shut it down and take the files home to see whether it causes any problem with a direct connection. Thanks for your time.
     
  10. Sheshman

    Sheshman Member

    I found the problem. The problem is caused by pfSense: when I moved the virtual machine to my home (my PC at home connects to the internet directly), FTP worked without any problem. According to my research pfSense is blocking plain FTP connections; I sent a ticket to pfSense to find out whether there is any solution for it. I'll publish the solution here if I find it.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    You need to set up a range of ports for passive FTP connections, allow that same range in your firewall, and forward that same range to your server through any NAT.
     
  12. Sheshman

    Sheshman Member

    All necessary ports, including the passive FTP range, are forwarded to the server (please see attached screenshot).
    When I check through ping.eu it seems like 21 & 22 are accessible, but the server is not listening or responding on 40110 & 40210, and the FTP client keeps getting stuck at retrieving the folder list.

    iptables -L output:
    Chain INPUT (policy DROP)
    target prot opt source destination
    ufw-before-logging-input all -- anywhere anywhere
    ufw-before-input all -- anywhere anywhere
    ufw-after-input all -- anywhere anywhere
    ufw-after-logging-input all -- anywhere anywhere
    ufw-reject-input all -- anywhere anywhere
    ufw-track-input all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-logging-forward all -- anywhere anywhere
    ufw-before-forward all -- anywhere anywhere
    ufw-after-forward all -- anywhere anywhere
    ufw-after-logging-forward all -- anywhere anywhere
    ufw-reject-forward all -- anywhere anywhere
    ufw-track-forward all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-logging-output all -- anywhere anywhere
    ufw-before-output all -- anywhere anywhere
    ufw-after-output all -- anywhere anywhere
    ufw-after-logging-output all -- anywhere anywhere
    ufw-reject-output all -- anywhere anywhere
    ufw-track-output all -- anywhere anywhere

    Chain ufw-after-forward (1 references)
    target prot opt source destination

    Chain ufw-after-input (1 references)
    target prot opt source destination
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
    ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
    ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
    ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

    Chain ufw-after-logging-input (1 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (1 references)
    target prot opt source destination

    Chain ufw-after-output (1 references)
    target prot opt source destination

    Chain ufw-before-forward (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ufw-user-forward all -- anywhere anywhere

    Chain ufw-before-input (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ufw-logging-deny all -- anywhere anywhere ctstate INVALID
    DROP all -- anywhere anywhere ctstate INVALID
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
    ufw-not-local all -- anywhere anywhere
    ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
    ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
    ufw-user-input all -- anywhere anywhere

    Chain ufw-before-logging-forward (1 references)
    target prot opt source destination

    Chain ufw-before-logging-input (1 references)
    target prot opt source destination

    Chain ufw-before-logging-output (1 references)
    target prot opt source destination

    Chain ufw-before-output (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ufw-user-output all -- anywhere anywhere

    Chain ufw-logging-allow (0 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

    Chain ufw-not-local (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
    DROP all -- anywhere anywhere

    Chain ufw-reject-forward (1 references)
    target prot opt source destination

    Chain ufw-reject-input (1 references)
    target prot opt source destination

    Chain ufw-reject-output (1 references)
    target prot opt source destination

    Chain ufw-skip-to-policy-forward (0 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain ufw-skip-to-policy-input (7 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain ufw-skip-to-policy-output (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain ufw-track-forward (1 references)
    target prot opt source destination

    Chain ufw-track-input (1 references)
    target prot opt source destination

    Chain ufw-track-output (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere ctstate NEW
    ACCEPT udp -- anywhere anywhere ctstate NEW

    Chain ufw-user-forward (1 references)
    target prot opt source destination

    Chain ufw-user-input (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
    ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
    ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
    ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
    ACCEPT tcp -- anywhere anywhere multiport dports 40110:40210
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:mysql

    Chain ufw-user-limit (0 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain ufw-user-limit-accept (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    When I try to connect through SFTP it returns Access Denied, but I can connect through SSH with the same user.
     

    Attached Files:

    Last edited: May 24, 2020
  13. Sheshman

    Sheshman Member

    FTP Client output:
    Status: Disconnected from server
    Status: Resolving address of gorselpackaging.com
    Status: Connecting to 176.236.135.163:21...
    Status: Connection established, waiting for welcome message...
    Status: Plain FTP is insecure. Please switch to FTP over TLS.
    Status: Logged in
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is your current location
    Command: TYPE I
    Response: 200 TYPE is now 8-bit binary
    Command: PASV
    Response: 227 Entering Passive Mode (176,236,135,163,157,7)
    Command: MLSD
    Error: Connection timed out after 20 seconds of inactivity
    Error: Failed to retrieve directory listing
    Status: Disconnected from server
    Status: Resolving address of gorselpackaging.com
    Status: Connecting to 176.236.135.163:21...
    Status: Connection established, waiting for welcome message...
    Status: Plain FTP is insecure. Please switch to FTP over TLS.
    Status: Logged in
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is your current location
    Command: TYPE I
    Response: 200 TYPE is now 8-bit binary
    Command: PASV
    Response: 227 Entering Passive Mode (176,236,135,163,157,14)
    Command: MLSD
    Error: Directory listing aborted by user
     
  14. nhybgtvfr

    nhybgtvfr Active Member

    OK, I'm not familiar with the pfSense firewalls, but looking at ports.png, it looks like there are two separate rules, one for the individual port 40110 and one for the individual port 40210, when what you should have is one rule for ports 40110-40210, so that every port from 40110 to 40210 inclusive is open/port-forwarded.

    https://www.outsideopen.com/pfsense-asterisk/
     
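    The passive-mode arithmetic nhybgtvfr describes in posts #4 and #6, Jesse Norell's point in #11 that the passive range has to match on the server, the firewall and the NAT, and the single-port-versus-range mistake spotted in #14 can all be checked mechanically from the client log. The script below is an added example written for this thread; it is not code from the thread, from ISPConfig or from pure-ftpd. It decodes a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" response into an address and a data port (port = p1*256 + p2), flags the tutorial placeholder 1.2.3.4 and ports outside the configured range, and verifies that a set of forwarding rules covers the whole range. The passive range 40110-40210 and the public address 176.236.135.163 are the values quoted in the thread; the third, out-of-range sample response and the function and variable names are constructed for the example.

```python
"""Decode FTP PASV/PORT address tuples and check them against the passive
port range and public IP that pure-ftpd is supposed to advertise.
Added example for this thread; sample lines are constructed from the
responses quoted in the thread, not captured from the poster's server."""
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address is h1.h2.h3.h4, port is p1*256+p2
PASV_RE = re.compile(r"227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

TUTORIAL_PLACEHOLDER_IP = "1.2.3.4"   # the example address from the faqforge tutorial


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """Turn the six PASV/PORT numbers into (ip, port)."""
    nums = (h1, h2, h3, h4, p1, p2)
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"each field must be 0-255, got {nums}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: the argument an active-mode client sends in PORT."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_pasv(line):
    """Return (ip, port) from a 227 response line, or None if the line is not one."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    return decode_hostport(*(int(x) for x in m.groups()))


def check_pasv(line, control_ip, passive_range=(40110, 40210)):
    """List what is wrong with one 227 response; an empty list means it looks consistent.
    control_ip is the address the client opened port 21 on (the server's public IP from outside)."""
    parsed = parse_pasv(line)
    if parsed is None:
        return ["not a 227 Entering Passive Mode response"]
    ip, port = parsed
    findings = []
    lo, hi = passive_range
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside the configured passive range {lo}-{hi}")
    if ip == TUTORIAL_PLACEHOLDER_IP:
        findings.append("advertised address is the tutorial placeholder 1.2.3.4; "
                        "ForcePassiveIP was not replaced with the real public IP")
    elif ipaddress.ip_address(ip).is_private and not ipaddress.ip_address(control_ip).is_private:
        findings.append(f"server advertises private address {ip} to a client that connected via public {control_ip}")
    elif ip != control_ip:
        findings.append(f"advertised address {ip} differs from the control connection address {control_ip}")
    return findings


def range_forwarded(rules, passive_range=(40110, 40210)):
    """True if the forwarded/allowed port rules, given as (first, last) pairs, cover every
    port of the passive range. Two single-port rules for 40110 and 40210 do not."""
    lo, hi = passive_range
    return all(any(first <= p <= last for first, last in rules) for p in range(lo, hi + 1))


# Constructed sample: the control connection came in on the public IP quoted in the thread.
SAMPLE_CONTROL_IP = "176.236.135.163"
SAMPLE_LOG = [
    "Response: 227 Entering Passive Mode (1,2,3,4,157,4)",            # placeholder left in (post #3)
    "Response: 227 Entering Passive Mode (176,236,135,163,157,7)",    # consistent (post #13)
    "Response: 227 Entering Passive Mode (176,236,135,163,200,1)",    # constructed: port 51201, out of range
]


def analyse_log(lines, control_ip, passive_range=(40110, 40210)):
    """Map each 227 line to its findings, skipping lines that are not PASV responses."""
    return {line: check_pasv(line, control_ip, passive_range)
            for line in lines if parse_pasv(line) is not None}


if __name__ == "__main__":
    for line, findings in analyse_log(SAMPLE_LOG, SAMPLE_CONTROL_IP).items():
        print(line, "->", findings or ["ok"])
    print("two single-port rules cover the range:", range_forwarded([(40110, 40110), (40210, 40210)]))
    print("one range rule covers the range:", range_forwarded([(40110, 40210)]))
```

    Run against a real FileZilla log, the control IP is whatever address the "Connecting to ...:21" line shows; if every 227 line comes back clean and the forwarding rules cover the whole range, the remaining suspects are the pieces this script cannot see, such as a firewall between client and server (the pfSense box in this thread) or a NAT that rewrites the address in the 227 reply.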
  15. Sheshman

    Sheshman Member

    OK, once more it's definitely caused by pfSense. When I delete all the specific port rules and add one rule as "forward all possible ports to the server" it starts to work. What if I use it this way? Is there any security problem with it?
     
  16. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    If you have a firewall enabled on your server, it's not a big problem. But as @nhybgtvfr already pointed out, it seems that you have 2 rules which each apply to one port, so you don't have the whole range forwarded. So if you resolve this, you don't have to forward all ports.
    I don't use pfSense, but if you share a screenshot of the wizard where you create a new rule, we are probably able to help you out.
     
  17. Sheshman

    Sheshman Member

    Screenshots of the wizard screens have been attached.
     

    Attached Files:

  18. nhybgtvfr

    nhybgtvfr Active Member

    Well, the port settings on the screenshot look OK to me. Not sure about the NAT reflection part, but then again, I don't know the pfSense firewalls, so I don't know what the system default is anyway.
     
  19. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    Are you sure you set up the correct ports on your server?
     
  20. Sheshman

    Sheshman Member

    Attached Files:
