Can't create Secure FTP backup - CSF blocking it

anay

Hi,
I have been trying to schedule a backup from Admin Tools --> Admin Backup/Transfer but can't do it.
My FTP server supports:
FTP/FTPS over port 21
SFTP port 22

If I try with Secure FTP enabled on port 21, it gives me this error:
Code:
Error during Backup Creation
FTP information invalid.


If I try with Secure FTP enabled on port 22, it gives:
Code:
/usr/local/bin/curl returned error code 67
curl: (67) Access denied: 530
FTP information invalid.

But I can access all from my FTP client.

I further checked from cmd on server, found that CSF is blocking CURL calls...
Code:
 curl --ssl-reqd ftp://server.name --user user-name

I hope DA is also using a similar method for curl backup, as using "curl ftps://" will not allow the use of port 21.

So I disabled CSF and can create a backup over Secure FTP from DA admin backup. However, if I look at csf.conf, port 21 and port 22 are both open (IN/OUT) for IPv4 as well as IPv6.

Any idea how to make it work with CSF not disabled?
 
Port 20 is not opened.
All I am saying is that if curl is making an FTP request on port 21 and I have opened it in/out in CSF, then why is it not working with the firewall on?
 
Alright, I get that, port 20 opened in/out. Not working.
I can telnet from this server's cmd to my FTP server storage on port 21.

So back to square one..
 
Did you also read about the passive port range? Because as far as I can see (now ports 20 and 21 are open both ways) that's the only difference with CSF enabled and disabled. Not sure if port 443 is needed.

I never used SFTP with pure-ftpd, I thought this was only possible with pro-ftpd. I did use FTPS with pure-ftpd server side and flashfxp client side.

I just wonder about something. Did you not use ./install-directadmin.sh when installing CSF? Because that would normally open all needed ports automatically.
 
Richard, thanks for the help. See, my understanding is that it's something with outgoing ports: CSF only allows a limited number of ports, and the request made for backup in DA is a passive request. It means I have to figure out what port range is being used for outgoing. Unless someone else more informed about the process helps... maybe @smtalk can shed some light.
 
Update:
Fixed it. It was indeed an outgoing port range issue: since DA is using curl in PASV mode, I was required to open the outgoing PASV port range. In my case, my FTP server was using the "41000-45000" port range. Added that to the CSF outgoing ports: 41000:45000.
 
since DA using curl in PASV mode
What I've read from the link I posted is that curl is using PASV mode anyway, so not only DA.

So I was correct about the pasv port range which needed to be opened.
DA by default is using 35000:35999, but if you use a non-DA server, you have to figure out which pasv ports that FTP server is using.
In your case it's 41000:45000, so indeed you have to open that.

Nice you found out which pasv ports to open. However, do not close port 20 again because that is still needed also since that is the data port.
 
Just solved the same issue on a fresh install of Ubuntu 18 by adding 35000:35999 to TCP-OUT in CSF.
 
-- removed post --

[Fixed] Never mind. I completely overlooked that the default FTP pasv port range was not added to the list of CSF's outgoing ports. Really stupid, because the post above me stated the same fix. 🤦‍♂️
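
The fix reached in this thread, as an added example that is not part of any post: a shell check that takes the data port an FTP server announces in its passive-mode reply and tests it against the outgoing TCP list from csf.conf. It also handles the EPSV reply form, which goes beyond the PASV case discussed above. The function names, the sample csf.conf fragment and the server replies are constructed for illustration, and the `TCP_OUT = "..."` line format is assumed.

```bash
# Extract TCP_OUT from csf.conf-style text on stdin (form: TCP_OUT = "20,21,...").
tcp_out_from_conf() {
    sed -n 's/^[[:space:]]*TCP_OUT[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Print the data port announced by a server reply:
#   227 ... (h1,h2,h3,h4,p1,p2)  -> p1*256 + p2   (PASV)
#   229 ... (|||port|)           -> port          (EPSV)
data_port() {
    case "$1" in
        227*) set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9, ]*\)).*/\1/p' | tr ',' ' ')
              [ $# -eq 6 ] || return 1
              echo $(( $5 * 256 + $6 )) ;;
        229*) printf '%s\n' "$1" | sed -n 's/.*(|||\([0-9][0-9]*\)|).*/\1/p' ;;
        *)    return 1 ;;
    esac
}

# Return 0 if port $2 is covered by list $1 (single ports or low:high ranges).
port_allowed() {
    list=$1; port=$2; old_ifs=$IFS; IFS=,
    for entry in $list; do
        case "$entry" in
            *:*) lo=${entry%%:*}; hi=${entry##*:} ;;
            *)   lo=$entry; hi=$entry ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# Constructed sample input: a csf.conf fragment and two server replies.
SAMPLE_CONF='TCP_IN = "20,21,22,80,443"
TCP_OUT = "20,21,22,25,53,80,443,35000:35999"'
ALLOWED=$(printf '%s\n' "$SAMPLE_CONF" | tcp_out_from_conf)

for reply in '227 Entering Passive Mode (192,0,2,10,160,40)' \
             '229 Entering Extended Passive Mode (|||35123|)'; do
    p=$(data_port "$reply")
    if port_allowed "$ALLOWED" "$p"; then
        echo "port $p: covered by TCP_OUT"
    else
        echo "port $p: not in TCP_OUT, add the server's passive range"
    fi
done
```

With the sample list, port 41000 (inside the 41000:45000 range from the thread) is reported as not covered, while 35123 falls inside 35000:35999 and passes.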
 