FTP over TLS

still not working for me

If you're running CSF, the way to add 35000:35999 in CSF is to go to:
Admin Level -> ConfigServer Firewall&Security -> Firewall Configuration:

IPv4 Settings -> TCP_IN: Add:
,35000:35999

IPv6 Port Settings -> TCP6_IN: Add:
,35000:35999
and click "Change" at the bottom, then click "Restart csf+lfd".

Good to confirm you see the range in your iptables rules using:
iptables -nL | grep dpts
where you're looking to see:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:35000:35999
and you may or may not see one for IPv6 (depending on whether CSF has that enabled). The IPv4/tcp line above is likely the main entry you'll be after.

John

See my screenshot and Logs:
Firewall settings Screenshot: http://awesomescreenshot.com/0794fpa4ad

SSH log for iptables -nL | grep dpts:
[root@shared101 ~]# iptables -nL | grep dpts
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:35000:35999
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139

Ftp Log:
Status: Connecting to 198.23.141.240:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PORT 192,168,1,119,224,129
Response: 200-FXP transfer: from 77.125.139.137 to 192.168.1.119
Response: 200 PORT command successful
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
 
It would also be nice if we could transfer the admin backup over a safe connection.
 
Unless I'm mistaken, FXP refers to a remote ftp transfer between servers.
It's entirely possible that the remote ftp server may have its ports blocked. I'm not sure.

To test your DA box, make sure you're doing a regular ftp transfer from your own ftp client, uploading to the server, and not between 2 remote ftp servers (that would be the next step).

John
 
It would also be nice if we could transfer the admin backup over a safe connection.
Yes, I'm on the verge of changing the ftp_upload.php over to curl, and adding a TLS checkbox in the backup settings. Got a few other things to do first though.

But for now, this may be useful to add extra ftp_upload.php code, where a specific checked item (like ip or backup id) can call a different script, like scp, or curl+tls, etc.
http://help.directadmin.com/item.php?id=585

John
 
Although this is an old post, I just (re)installed four DA servers with CSF and none of them can do FTP backups or restores to/from external FTP servers. All give time-out messages. When I disable CSF (csf -x) it works again.

Checking whether the ports are open that you mentioned above, they are open as you note in your instructions:

# iptables -nL | grep dpts
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpts:35000:35999

Port 20 and 21 are also open (it is a default install):

TCP_IN: 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999
TCP_OUT: 20,21,22,25,53,80,110,113,443,587,993,995,2222

So what could the problem then be? Seems unlikely that CSF is broken on all servers?

Kind regards,

Harro


p.s. this was never a problem on any of my previous DA servers running CSF
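The two posts above confirm the passive range by eyeballing `iptables -nL | grep dpts` output. As an added example (not from the thread), the script below does that check mechanically: it parses the `ACCEPT ... dpts:35000:35999` / `dpt:21` rule lines that iptables prints (both the `state NEW` and `ctstate NEW` variants quoted above), and reports whether a requested TCP port range is fully covered by an ACCEPT rule, only partly covered, or not mentioned at all. The function names and the sample table are mine; the sample lines are constructed from the ones quoted in the thread.

```python
"""Check whether an `iptables -nL` dump accepts a TCP port range.

Added example, not code from the thread or from CSF. It reads rule lines of
the form printed by `iptables -nL` and looks for a rule whose destination-port
match covers the requested range. iptables evaluates rules first-match, so the
first rule that overlaps the range decides the verdict.
"""
import re

# Constructed sample table, built from the lines quoted in the thread.
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:35000:35999
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
"""

# target, protocol, then (lazily) anything up to a dpt:N or dpts:N:M match.
RULE_RE = re.compile(
    r"^(?P<target>ACCEPT|DROP|REJECT)\s+(?P<proto>tcp|udp)\s+.*?"
    r"dpts?:(?P<lo>\d+)(?::(?P<hi>\d+))?"
)


def parse_rules(text):
    """Return [(target, proto, lo, hi)] for every rule line with a destination-port match.

    Lines without a dpt/dpts match (chain headers, column headers, rules
    matching on other criteria) are skipped.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)  # single dpt:N is the range N..N
        rules.append((m.group("target"), m.group("proto"), lo, hi))
    return rules


def range_verdict(text, lo, hi, proto="tcp"):
    """Return (target, "full" | "partial") for the first rule overlapping lo..hi.

    "full" means the rule's port span contains the whole requested range;
    "partial" means it only overlaps it, so the rest of the range falls through
    to later rules or the chain policy. Returns None if no rule touches it.
    """
    for target, p, rlo, rhi in parse_rules(text):
        if p != proto or rhi < lo or rlo > hi:
            continue  # wrong protocol or no overlap
        coverage = "full" if rlo <= lo and hi <= rhi else "partial"
        return target, coverage
    return None


def passive_range_open(text, lo=35000, hi=35999):
    """True only if the whole passive range is accepted by one rule."""
    return range_verdict(text, lo, hi) == ("ACCEPT", "full")


if __name__ == "__main__":
    print("passive range open:", passive_range_open(SAMPLE_IPTABLES))
    print("port 21:", range_verdict(SAMPLE_IPTABLES, 21, 21))
    print("udp 135-139:", range_verdict(SAMPLE_IPTABLES, 135, 139, proto="udp"))
```

Run it against a real dump with `iptables -nL | python3 check_ports.py`-style redirection after replacing `SAMPLE_IPTABLES` with `sys.stdin.read()`; note that an ACCEPT for the range in INPUT says nothing about whether the client is actually using passive mode, which the FTP logs in this thread show it is not.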
 
So many things have changed in 5 years. Please do not bump ancient topics; it's better to start a new one instead.
In your case, try opening the PASV ports outgoing.
 
A lot of our servers have this issue; we're using pureftpd + CSF.
I disabled CSF entirely but am still getting

Status: Connecting to 192.117.12.168:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PORT 192,168,1,119,210,220
Response: 200-FXP transfer: from 77.125.139.137 to 192.168.1.119
Response: 200 PORT command successful
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing

With plain-text login it works well, but I don't want to start explaining to every new FileZilla client how to change the settings; it's better to change the pureftpd settings…
Please a
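Both FTP logs in this thread (the one earlier and the one just above) time out on MLSD right after a `PORT 192,168,1,119,...` command. As an added example that is not code from the thread, the script below decodes the `h1,h2,h3,h4,p1,p2` tuple that a client PORT command (active mode) or a server 227 reply (passive mode) carries, checks whether the advertised address is RFC 1918 private, and compares it with the peer address the server reports in its `FXP transfer: from X to Y` line. In active mode it is the server that opens the data connection to the advertised address, so a server-side ACCEPT for the passive range never comes into play; a private address that differs from the control connection's source is unreachable from the server, which matches the timeouts shown. The `analyse_log` / `decode_hostport` names and the sample log are mine; the sample lines are constructed from the second log above.

```python
"""Decode PORT/227 addresses in a FileZilla-style FTP log and flag NAT mismatches.

Added example, not from the thread, FileZilla or pure-ftpd. It walks the
Command:/Response:/Error: lines FileZilla prints and reports which data
connection mode was negotiated, the address and port it points at, whether
that address is private, and whether the server saw a different peer.
"""
import ipaddress
import re

# Constructed sample mirroring the data-connection-relevant lines of the log above.
SAMPLE_LOG = """\
Status: TLS connection established.
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PORT 192,168,1,119,210,220
Response: 200-FXP transfer: from 77.125.139.137 to 192.168.1.119
Response: 200 PORT command successful
Command: MLSD
Error: Connection timed out
"""

# h1,h2,h3,h4,p1,p2 as used by PORT (RFC 959) and the 227 reply to PASV.
TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Server's note that the PORT address differs from the control connection's peer.
FXP_RE = re.compile(r"FXP transfer: from (\S+) to (\S+)")


def decode_hostport(text):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2); None if absent."""
    m = TUPLE_RE.search(text)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def analyse_log(log):
    """Summarise the data-connection setup recorded in a FileZilla log."""
    result = {
        "mode": None,          # "active" (client PORT) or "passive" (server 227)
        "data_addr": None,     # (host, port) the data connection is aimed at
        "private": False,      # advertised host is RFC 1918 / otherwise non-public
        "control_peer": None,  # peer address the server reports, if it does
        "mismatch": False,     # advertised host != control-connection peer
        "timed_out": False,    # a data-connection timeout was logged
    }
    for line in log.splitlines():
        kind, _, body = line.partition(": ")
        if kind == "Command" and body.startswith("PORT "):
            result["mode"] = "active"
            result["data_addr"] = decode_hostport(body)
        elif kind == "Response" and body.startswith("227"):
            result["mode"] = "passive"
            result["data_addr"] = decode_hostport(body)
        elif kind == "Response":
            m = FXP_RE.search(body)
            if m:
                result["control_peer"] = m.group(1)
        elif kind == "Error" and "timed out" in body:
            result["timed_out"] = True

    if result["data_addr"]:
        ip = ipaddress.ip_address(result["data_addr"][0])
        result["private"] = ip.is_private
        if result["control_peer"] and result["control_peer"] != str(ip):
            result["mismatch"] = True
    return result


if __name__ == "__main__":
    for key, value in analyse_log(SAMPLE_LOG).items():
        print(f"{key:>13}: {value}")
```

For the sample this reports active mode aimed at 192.168.1.119:53980, a private address that does not match the 77.125.139.137 the server saw, followed by a timeout; a healthy passive-mode session would instead show a `227` reply pointing at the server's own public address and a port inside the 35000:35999 range that CSF was opened for.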
 