FTP over TLS

That is right. There are a few clients complaining they cannot use FTP.

Will this be enabled/updated in CustomBuild soon?
 
By default FileZilla now uses explicit FTP over TLS if it is available, so it should still work even if you don't support explicit.
I don't know about ProFTPD but Pure-FTPD supports it when installed using CB2, just place your key, certificate and chain in /etc/pure-ftpd.pem in the following format
Code:
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: from_cert_provider.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: from_cert_provider.crt)
-----END CERTIFICATE-----
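The following is an added example, not code from the thread or from pure-ftpd itself. It builds /etc/pure-ftpd.pem in the order the post above describes (private key, server certificate, intermediate, root), creates the file readable only by root because it holds the private key, and sanity-checks the block order before you restart pure-ftpd. The file names are assumptions; the check covers layout only, not whether the key matches the certificate.

```shell
#!/bin/sh
# Added example, not from the thread or from pure-ftpd itself: build
# /etc/pure-ftpd.pem in the order the post above describes (private key,
# server certificate, intermediate(s), root), keep it readable only by root
# because it holds the private key, and sanity-check the block order before
# restarting pure-ftpd. The file names used here are assumptions.
set -e

# assemble_pem OUT KEY CERT [CHAIN...]: concatenate the parts in the given
# order. The subshell umask means OUT is created 0600 from the start rather
# than being world-readable for a moment and chmod'ed afterwards.
assemble_pem() {
    out="$1"; shift
    ( umask 077; cat "$@" > "$out" )
    chmod 0600 "$out"
}

# check_pem FILE: print "ok" when the first PEM block is a private key
# (RSA PRIVATE KEY, EC PRIVATE KEY or PKCS#8 PRIVATE KEY) and at least one
# CERTIFICATE block follows; otherwise describe the problem and return 1.
# This checks layout only; it does not verify that the key matches the cert.
check_pem() {
    blocks=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" || true)
    first=$(printf '%s\n' "$blocks" | head -n 1)
    certs=$(printf '%s\n' "$blocks" | grep -c '^CERTIFICATE$' || true)
    case "$first" in
        *"PRIVATE KEY") ;;
        *) echo "first block is '$first', expected a private key"; return 1 ;;
    esac
    if [ "$certs" -lt 1 ]; then
        echo "no CERTIFICATE block after the key"; return 1
    fi
    echo ok
}

# Usage on a real server (paths are assumptions):
#   assemble_pem /etc/pure-ftpd.pem your_domain_name.key your_domain_name.crt \
#       intermediate.crt root.crt
#   check_pem /etc/pure-ftpd.pem && /etc/init.d/pure-ftpd restart
```

To confirm the key really belongs to the certificate before restarting, compare the public keys: `openssl x509 -in your_domain_name.crt -noout -pubkey` and `openssl pkey -in your_domain_name.key -pubout` must print the same block, and `openssl verify -untrusted intermediate.crt your_domain_name.crt` should report OK for the chain.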
 

It is in Dutch (I have translated the errors at the bottom); however, this is the error I receive with FileZilla and the latest ProFTPd version (using Quickconnect; when connecting with unencrypted, plain FTP everything works fine):

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (,,,,).
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
 
Basically, we can either -
- disable ProFTPd TLS, or
- open passive ports in iptables (ip_conntrack_ftp cannot see the TLS-encrypted traffic)
 
Filezilla will throw a not-so-nice welcome message that the Server's Certificate is unknown.
 
Hi @ all,

I am using pure-ftpd form CB2.0 and have the problem, that directory listing is not working when TLS enabled in Filezilla.

Anyone an idea what is causing the problem?

Regards
Andreas
 
What kind of certificate are you using? If commercial, have you installed the vendor's CA root certificate(s)?

Jeff
 
Instructions in the CSF read-me say to open passive ports 30000:35000 in pure-ftpd.conf as well as in the CSF firewall. But our CustomBuild 2 servers don't have a copy of pure-ftpd.conf.

Does anyone have a definitive answer for making this work with pure-ftpd? Or do we need DirectAdmin staff to make some kind of change? Or must we use proftpd?

Thanks.

Jeff
 
The config for Pure-FTPD is in /usr/libexec/pureftpd_startscript, by default it passes "-p 35000:35999" so you should open that range (not 30000:35000) in CSF.
 
For /etc/init.d/pure-ftpd, the boot script should already have the port range set
Code:
OPTIONS="-B -A -C 4 -E -H -k 95 -L 10000:8 -O stats:${LOG} -l puredb:${DB} -p 35000:35999 -u 100 -U 133:022 -w -Z"
note the range is set with "-p 35000:35999".

I believe the issue is probably with firewalls needing to explicitly set those ranges to be open.
I'm not sure about CSF, but the block_ip /etc/init.d/iptables might need you to add this code:
Code:
$IPTABLES -A INPUT -p tcp  --dport 35000:35999 -j ACCEPT
right after the line:
Code:
$IPTABLES -A INPUT -p tcp  --dport 20 -j ACCEPT
I'm a little hesitant to do that by default, as we don't want clients running their own servers on those ports. The ip_conntrack_ftp was key for that, but doesn't work with TLS+PASV, as we know... so manually opening the ports ahead of time is currently the only solution to allow PASV + TLS.

Of course, you could just change your ftp client to use ACTIVE ftp instead of PASV, so it just uses port 20, which we don't need to be scared of keeping open (it's already open too), since clients cannot bind to ports below 100.

We're a little bit hooped with TLS and PASV unless we always keep the 35000-35999 open, all the time.

John
 
I can verify that once I adjusted the firewall to allow 35000:35999 FTP over TLS with Filezilla works for me.

Thanks, John.

Jeff
 
A lot of our servers have this issue; we are using pureftpd + CSF.
I disabled CSF entirely but I am still getting

Status: Connecting to 192.117.12.168:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PORT 192,168,1,119,210,220
Response: 200-FXP transfer: from 77.125.139.137 to 192.168.1.119
Response: 200 PORT command successful
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing

With plain-text login it works well, but I don't want to start explaining to every new FileZilla client how to change the settings; it's better to change the pureftpd settings…
Please advise,
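The following is an added example, not part of the thread. It reads a FileZilla log like the two pasted in this thread and names the data-channel failure it shows. The sample logs are constructed from the lines quoted above (the 203.0.113.10 address is a placeholder). Note that the second log uses PORT (active mode) with the client's private address 192.168.1.119, which the server cannot connect back to from the outside, so the script reports it separately from the TLS+PASV case the thread is about.

```shell
#!/bin/sh
# Added example, not from the thread: classify a FileZilla log by the
# data-channel mode it used, whether TLS was on, and whether the listing
# timed out. Sample logs are constructed from lines quoted in this thread.
set -e

# diagnose_ftp_log LOGTEXT : prints one of
#   ok                      listing succeeded (no timeout)
#   tls-pasv-blocked        TLS + PASV + timeout: conntrack cannot read the
#                           encrypted PASV reply, so the passive range must be
#                           opened statically on the server firewall
#   tls-active-unreachable  TLS + PORT + timeout: the server must connect back
#                           to the address in PORT; a private (RFC 1918)
#                           address there cannot be reached from the server
#   plain-timeout           timeout without TLS: not a TLS/conntrack problem
diagnose_ftp_log() {
    log="$1"
    tls=no;     printf '%s\n' "$log" | grep -q 'TLS connection established' && tls=yes
    mode=none
    printf '%s\n' "$log" | grep -q '^Command: PASV' && mode=pasv
    printf '%s\n' "$log" | grep -q '^Command: PORT' && mode=port
    timeout=no; printf '%s\n' "$log" | grep -q 'Connection timed out' && timeout=yes
    case "$tls:$mode:$timeout" in
        *:*:no)        echo ok ;;
        yes:pasv:yes)  echo tls-pasv-blocked ;;
        yes:port:yes)  echo tls-active-unreachable ;;
        *)             echo plain-timeout ;;
    esac
}

# port_addr LOGTEXT : the IP the client announced in its PORT command, or
# empty if there was none. A 10.x/172.16.x/192.168.x value here means the
# client is behind NAT and active mode cannot work from the server side.
port_addr() {
    printf '%s\n' "$1" | sed -n 's/^Command: PORT \([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),.*/\1.\2.\3.\4/p'
}

# Constructed samples (not a live capture), based on the logs in this thread.
SAMPLE_LOG_PASV='Status: TLS connection established.
Status: Retrieving directory listing...
Command: PASV
Response: 227 Entering Passive Mode (203,0,113,10,136,176).
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing'

SAMPLE_LOG_PORT='Status: TLS connection established.
Status: Retrieving directory listing...
Command: PORT 192,168,1,119,210,220
Response: 200-FXP transfer: from 77.125.139.137 to 192.168.1.119
Response: 200 PORT command successful
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing'

SAMPLE_LOG_OK='Status: TLS connection established.
Command: PASV
Response: 227 Entering Passive Mode (203,0,113,10,136,176).
Command: MLSD
Response: 150 Accepted data connection
Response: 226 Options: -a -l'

for log in "$SAMPLE_LOG_PASV" "$SAMPLE_LOG_PORT" "$SAMPLE_LOG_OK"; do
    echo "$(diagnose_ftp_log "$log") port-addr=$(port_addr "$log")"
done
```

On a real log, paste FileZilla's message log into a file and call `diagnose_ftp_log "$(cat filezilla.log)"`; `tls-pasv-blocked` is the case fixed by opening the passive range, while `tls-active-unreachable` needs the client switched to passive mode (or a public address in PORT) regardless of the server firewall.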
 
Would be related to this fix (3 posts up):
http://forum.directadmin.com/showthread.php?t=50759&p=262346#post262346

where the ip_conntrack_ftp iptables module cannot decipher the ftp data, because it's encrypted, and thus cannot open the ftp data ports.
The solution is to either permanently open ports 35000-35999, else you'd have to use ACTIVE mode, instead of PASV mode, so it uses port 20, which should already be open.

John
 
Yep, opening those ports is the fix. Many cPanel users are having the same problem. The server tells Filezilla it supports FTPS, but then times out. Or you could switch FileZilla to FTP-only. Or get SFTP working.
 
If you're running CSF, the way to add 35000:35999 in CSF is to go to:
Code:
Admin Level -> ConfigServer Firewall&Security -> Firewall Configuration:

IPv4 Settings -> TCP_IN: Add:
,35000:35999

IPv6 Port Settings -> TCP6_IN: Add:
,35000:35999
and click "Change" at the bottom, then click "Restart csf+lfd".

It's good to confirm you see the range in your iptables rules using:
Code:
iptables -nL | grep dpts
where you're looking to see:
Code:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:35000:35999
and you may or may not see one for IPv6 (depending on whether CSF has that enabled or not). IPv4/tcp above is likely the main entry you'll be after.

John
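The following is an added example, not code from the thread, CSF or pure-ftpd. It ties together John's two posts above: it reads the PASV range pure-ftpd actually listens on from the OPTIONS line in /usr/libexec/pureftpd_startscript, checks whether the `iptables -nL` output already carries an ACCEPT for exactly that range (a rule for the CSF read-me's 30000:35000 does not count), and prints the rule to add if it does not. The OPTIONS line and iptables output below are constructed samples copied from this thread, not read from a live system.

```shell
#!/bin/sh
# Added example, not from the thread: find the PASV range pure-ftpd was
# started with, check whether the firewall already accepts exactly that
# range, and print the rule to add if not. SAMPLE_* values are constructed
# from text quoted in this thread, not taken from a live server.
set -e

# pasv_range OPTIONS_LINE : the LOW:HIGH given to -p, e.g. 35000:35999
pasv_range() {
    printf '%s\n' "$1" | sed -n 's/.*-p \([0-9][0-9]*:[0-9][0-9]*\).*/\1/p'
}

# range_open RANGE IPTABLES_OUTPUT : prints "open" only if an ACCEPT tcp rule
# covers exactly RANGE. A rule for a different range (the 30000:35000 from the
# CSF read-me, say) does not count, which is the mismatch this thread hit.
range_open() {
    if printf '%s\n' "$2" | grep -E "^ACCEPT +tcp +.*dpts:$1( |$)" >/dev/null; then
        echo open
    else
        echo closed
    fi
}

# accept_rule RANGE : the iptables rule John suggests adding after the
# port-20 rule in /etc/init.d/iptables (or via CSF's TCP_IN).
accept_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$1"
}

# Constructed sample: the OPTIONS line quoted from /etc/init.d/pure-ftpd.
SAMPLE_OPTIONS='OPTIONS="-B -A -C 4 -E -H -k 95 -L 10000:8 -O stats:${LOG} -l puredb:${DB} -p 35000:35999 -u 100 -U 133:022 -w -Z"'

# Constructed samples of `iptables -nL INPUT` output: one where only the
# read-me's range was opened, one where the correct range is present.
SAMPLE_RULES_MISSING='ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:30000:35000'
SAMPLE_RULES_OK='ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:35000:35999'

range=$(pasv_range "$SAMPLE_OPTIONS")
for rules in "$SAMPLE_RULES_MISSING" "$SAMPLE_RULES_OK"; do
    if [ "$(range_open "$range" "$rules")" = closed ]; then
        echo "PASV range $range is not open; add:"
        accept_rule "$range"
    else
        echo "PASV range $range is already open"
    fi
done
```

On a live server replace the samples with `pasv_range "$(grep '^OPTIONS=' /usr/libexec/pureftpd_startscript)"` and `range_open "$range" "$(iptables -nL INPUT)"`; the point of matching the range exactly is that conntrack will not open these ports for you once the control channel is encrypted, so the static rule has to cover the whole range pure-ftpd hands out.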
 