FTPS not working

Discussion in 'Installation/Configuration' started by teves, Sep 2, 2013.

  1. teves

    teves Member

    Hello,

    I am trying to use FTPS with ispconfig 3 but I don't get it to work;
    I followed the howto inside the manual to enable FTPS. Then I tried to connect to an ftp account with both FileZilla and WinSCP.

    Both clients give me the message "ECONNREFUSED - Connection refused by server".

When I use the setting 'SSL/TLS implicit encryption' (Port 990) in WinSCP, I get "ECONNREFUSED - Connection refused by server". Also, no entry appears in syslog about the connection attempt.

    When I try the setting "TLS explicit encryption" (Port 21), WinSCP asks me to accept the SSL key and the following entry is made to the syslog:
    But after accepting the ssl key I get the message:
    "Transfer channel can't be opened. Reason: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte."

    Does someone have an idea what might be going wrong here?

    Thank you very much,
    regards, Tom
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

This looks like a firewall issue. ftp tries to change the port after starting the encrypted connection and this port seems to be closed on your server. You should consider defining a port range in pure-ftpd and then opening this port range in your firewall as well.
     
  3. teves

    teves Member

    Hi Till,

    I checked that now, but it does not seem to be the (only) reason.

    When I do a
    Code:
    [email protected]:/etc/pure-ftpd/conf# netstat -npl | grep ftp
    I get:
    So pure-ftpd does not seem to listen to any other port than 21 (that does not change when I define a PassivePortRange setting).

    Any other ideas perhaps?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

That's ok, as the other ports are only used dynamically for the running ftp connection. There are no listeners on these ports as the connection is initiated through port 21 and then handed over to the other port.
     
  5. teves

    teves Member

    Hello,

    still have not solved this, but I have some more information now:

I tried to create a new certificate and the result was strange behaviour of pureftpd. With the new certificate I did not get an ftp connection at all, not even unencrypted.

    "netstat -npl | grep ftp" resulted in no output

    switching back to the old certificate made ftp work again immediately.

    doing a "netstat -npl | grep ftp" then resulted in
Where does the port 54980 come from? I have not created any ports for pureftpd. If any, shouldn't that be port 990?

    What might be wrong with the new certificate? I followed the instructions on page 313 of the ispconfig manual version 1.3. Also, I entered the correct FQDN into the certificate.

    Any ideas?

    Thank you,
    regards, Tom
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

Most likely there was an ftp user connected to the server at the time you ran the netstat command. Active ftp user sessions are handed over to other ports.
     
  7. teves

    teves Member

    Ok,

    I defined a PassivePortRange between 50110 and 50310, re-checked the firewall and restarted pureftpd.

    FTPs is now partly working, but still cannot be used. This is what is happening:

    1. I start the connection from the FTP client, filezilla in this case. I use explicit TLS (port 21)
    2. Filezilla asks me to accept the certificate, which I do.
    3. The connection is initiated, and port negotiation takes place. When I execute "netstat -npl | grep ftp" I get

    As far as I understand it this means that port 50150 is used for the secure ftp connection.

4. With "tail -f /var/log/syslog" I follow what is happening:

At this point, the process simply stops. The MLSD command fails and the directory content cannot be listed.

5. I try setting filezilla to active mode; in the active mode settings I define the local ports (50110 to 50310) and enter the external IP of the client PC - but I get the same result.

In the forum people solved the MLSD issue by defining a port range, opening their firewalls and/or using active FTP connections. I tried all that, but without success.

    Any more ideas?
    Thank you very much,
    regards, Tom
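The step-3 diagnosis above (a data port of 50150 negotiated inside a PassivePortRange of 50110-50310, versus the unexplained 54980 seen earlier) can be checked mechanically from the server's passive-mode reply. The following is an added example, not code from the thread or from pure-ftpd: it parses a PASV (227) or EPSV (229) reply and reports whether the announced data port falls inside the configured range, so that the firewall rule for that range actually covers the data channel. The server replies and addresses below are constructed sample values.

```python
import re

# Range from the thread's /etc/pure-ftpd/conf/PassivePortRange ("50110 50310").
PASSIVE_PORT_RANGE = (50110, 50310)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "229 Extended Passive Mode (|||port|)": address is that of the control connection
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply, control_host):
    """Return (host, port) announced by a PASV (227) or EPSV (229) reply."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return control_host, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def check_passive_reply(reply, control_host, port_range=PASSIVE_PORT_RANGE):
    """Diagnose a passive reply: which port the data channel will use, whether it
    lies inside the configured PassivePortRange (i.e. inside the firewall hole),
    and whether the announced address matches the host the client connected to."""
    host, port = parse_passive_reply(reply, control_host)
    lo, hi = port_range
    findings = []
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside PassivePortRange {lo}-{hi}; "
                        "the range is not in effect (daemon not restarted?) or the "
                        "firewall rule does not cover this port")
    if host != control_host:
        findings.append(f"server announced {host} but the control connection goes to "
                        f"{control_host}; a NAT device may be rewriting the address")
    return {"host": host, "port": port, "ok": not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed replies: 195*256+230 = 50150 (inside range), 214*256+196 = 54980 (outside).
    for reply in ("227 Entering Passive Mode (192,0,2,10,195,230)",
                  "227 Entering Passive Mode (192,0,2,10,214,196)",
                  "229 Extended Passive mode OK (|||50150|)"):
        print(check_passive_reply(reply, "192.0.2.10"))
```

Capture the real reply from the client's message log (FileZilla shows it verbatim) and feed it to check_passive_reply together with the server address you connected to.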
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

Are you sure that there is no other firewall between your server and the desktop?
     
  9. teves

    teves Member

    Alas, yes.
     