Pure-FTPD Can't connect via FTP to newly built Centmin server.

fly · May 13, 2023

Please fill in any relevant information that applies to you:
CentOS Version: CentOS 7 64bit

Centmin Mod Version Installed: 130.00beta01

Nginx Version Installed: i.e. 1.23.4

PHP Version Installed: 7.2

MariaDB MySQL Version Installed: 10.3

When was last time updated Centmin Mod code base ? : today
Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
Code (Text):
cat /etc/centminmod/custom_config.inc
LETSENCRYPT_DETECT='y'
MARCH_TARGETNATIVE='n'
I built a server a couple of weeks ago and can log in fine via FTP. On a server I built yesterday, FileZilla simply times out after authentication. And the pureftpd log is empty. I looked over the Github commit forum and didn't see anything obvious related in the last couple of weeks. Suggestions?

(Also, there's no thread prefix tag for Pureftpd.)

eva2000 · May 14, 2023

Added prefix for Pure-FTPD. As to your issue, have you double checked Pure-FTPD session is using explicit SSL mode with passive connections to port 21 as outlined at Pure-FTPD Virtual FTP Users - CentminMod.com LEMP Nginx web stack for CentOS ? You can also enable verbose logging on Filezilla client side too.

Have you tried simple virtual FTP user password change Pure-FTPD Virtual FTP Users - CentminMod.com LEMP Nginx web stack for CentOS ?

Enable TLS/SSL

I went one step further beyond just adding pure-ftpd virtual user support, I also enabled and forced TLS SSL only mode by creating a self-signed SSL certificate for pure-ftpd. So there's enforced encryption for more secure FTP connection.

As such you need to set your FTP client to use FTP explicit SSL mode and enable and check Passive connections (PASV) and connect via your server's ip address for hostname and use FTP port 21 (not actually used in PASV mode with FTP TLS/SSL).

You also have to disable in your FTP client SSL validation as a self-signed certificate was used.

Note passive ports if needed to be set in FTP client are in range between 3000 to 3050 for Centmin Mod 123.08stable or 30001 to 50011 for Centmin Mod 123.09 beta and higher i.e. for Filezilla. Upgrades to Centmin Mod 123.09 beta and higher auto reconfigure CSF Firewall to the larger passive TCP ftp passive port range. However, if you are using a web host with their own internal firewall in place, you may need to whitelist these respective passive port ranges for TCP protocol (either 3000 to 3050 or 30001 to 50011). Otherwise, you will not be able to connect to your server via Pure-FTPD details provided by Centmin Mod.

Click to expand...

Other Firewalls

Note passive TCP ports in range between 3000 to 3050 for Centmin Mod 123.08stable or 30001 to 50011 for Centmin Mod 123.09 beta and higher are required to be open for Pure-ftpd server to accept connections. CSF Firewall installed by Centmin Mod takes care of this on server side.

However, if you have other firewalls between your connecting computer and the Centmin Mod server, they may block connections as well. Some web hosts such as Amazon AWS EC2, Google Cloud Compute, Vultr and OVH (OVH Gaming servers) may have their own firewall in front of your server which you can either turn off or configure to whitelist the required TCP ports. CSF Firewall config file /etc/csf/csf.conf has a list of default ports in comma separated listing that are whitelisted for variables TCP_IN, TCP_OUT, TCP6_IN, TCP6_OUT, UDP_IN, UDP_OUT, UDP6_IN and UDP6_OUT that you can reference. If your local PC or router has restricted ports, you may also need to whitelist them at that level as well.

For Vultr Firewall, there is a guide for using Vultr API to replicate CSF Firewall minimum ruleset for inbound access here.

Click to expand...

fly · May 31, 2023

Sorry for the delay, circling back to this now. Filezilla is setup correctly. These servers were built about a week apart. The old one works with Filezilla, the new one does not. I just created a brand new vhost on the server and...

Here's the Filezilla log on the older server (installed 4/17/23):

Code:

Status:    Connecting to 1.1.1.1:21...
Status:    Connection established, waiting for welcome message...
Status:    Initializing TLS...
Status:    TLS connection established.
Status:    Logged in
Status:    Retrieving directory listing...
Status:    Server sent passive reply with unroutable address. Using server address instead.
Status:    Directory listing of "/" successful

And the newer server (installed 5/10/23):

Code:

Status:    Connecting to 2.2.2.2:21...
Status:    Connection established, waiting for welcome message...
Status:    Initializing TLS...
Status:    TLS connection established.
Status:    Logged in
Status:    Retrieving directory listing...
Status:    Server sent passive reply with unroutable address. Using server address instead.
Command:    MLSD
Error:    Connection timed out after 20 seconds of inactivity
Error:    Failed to retrieve directory listing

eva2000 · May 31, 2023

fly said: ↑

I just created a brand new vhost on the server and...
Click to expand...

Filezilla try with debug verbose logging

Also does the server have more than one IP address? Is it a NAT based server?

what's output for the following commands
Code (Text):
egrep '^TCP_IN|^TCP6_IN' /etc/csf/csf.conf | grep -o '30001:50011'
and
Code (Text):
egrep -i '^PassivePortRange|ForcePassiveIP' /etc/pure-ftpd/pure-ftpd.conf

fly · May 31, 2023

Debug: Trace: CRealControlSocket::DoClose(66)Trace: CControlSocket::DoClose(66)Trac - Pastebin.com

Single IP address. Its AWS, so yeah, its NATd.
Code:
egrep '^TCP_IN|^TCP6_IN' /etc/csf/csf.conf | grep -o '30001:50011'
Result: Nothing
Code:
egrep -i '^PassivePortRange|ForcePassiveIP' /etc/pure-ftpd/pure-ftpd.conf
Result:
Code:
PassivePortRange    30001 50011
# ForcePassiveIP               192.168.0.1

fly · May 31, 2023

I see my older server has those csf.conf entries, so I'm guessing that's the issue. Seems very unlikely that I would have somehow deleted those, but if you didn't have a commit that removed them - I guess that has to be the answer.

edit: In comparing the files between the servers, there's quite a few missing under TCP_IN on the new server.

eva2000 · May 31, 2023

You can check initial install log for references to passive ports to see if they were set initially

Code (Text):

cat /root/centminlogs/installer_*-*.log | egrep -B1 '30001:50011|50011'

would give something like

Code (Text):

cat /root/centminlogs/installer_*-*.log | egrep -B1 '30001:50011|50011'
CSF adding memcached, varnish ports to csf.allow list...
TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
Before RPC/NFS port tweak
TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
UDP_OUT = "67,68,111,2049,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
UDP6_OUT = "20,21,53,113,123"
TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
UDP_OUT = "67,68,111,2049,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"
TCP_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
UDP_OUT = "67,68,2049,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
--
UDP_OUT = "67,68,111,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
--
After RPC/NFS port tweak
TCP_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
--
UDP_OUT = "67,68,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
--
UnixAuthentication           yes                                                                   |    # UnixAuthentication           yes
PassivePortRange    30001 50011                                                                    |    # PassivePortRange             30000 50000
--
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
PassivePortRange    30001 50011
--
CSF adding memcached, varnish ports to csf.allow list...
TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
Before RPC/NFS port tweak
TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
UDP_OUT = "67,68,111,2049,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
UDP6_OUT = "20,21,53,113,123"
TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
UDP_OUT = "67,68,111,2049,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"
TCP_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
--
UDP_OUT = "67,68,2049,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,2049,81,9418,30001:50011"
TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
--
UDP_OUT = "67,68,111,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
--
After RPC/NFS port tweak
TCP_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
--
UDP_OUT = "67,68,1110,33434:33534,44320,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
--
UnixAuthentication           yes                                                                   |    # UnixAuthentication           yes
PassivePortRange    30001 50011                                                                    |    # PassivePortRange             30000 50000
--
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
PassivePortRange    30001 50011

fly · May 31, 2023

Nope, not in there.

Code:

cat /root/centminlogs/installer_*-*.log | egrep -B1 '30001:50011|50011'
UnixAuthentication           yes                                                                   |    # UnixAuthentication           yes
PassivePortRange    30001 50011                                                                    |    # PassivePortRange             30000 50000
--
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
PassivePortRange    30001 50011
--
UnixAuthentication           yes                                                                   |    # UnixAuthentication           yes
PassivePortRange    30001 50011                                                                    |    # PassivePortRange             30000 50000
--
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
PassivePortRange    30001 50011

While adding in the FTP ports into CSF fixed the issue, now I'm concerned that something else could be wrong with this server.

eva2000 · May 31, 2023

If you have both servers' Centmin Mod initial install log for each run https://community.centminmod.com/threads/how-to-troubleshoot-centmin-mod-initial-install-issues.102/ you can use a diff comparison tool to compare what differed between the 2 install runs. You can save logs to Dropbox too https://community.centminmod.com/th...in-mod-initial-install-issues.102/#post-91365

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

Pure-FTPD Can't connect via FTP to newly built Centmin server.

fly Member

eva2000 Administrator Staff Member

fly Member

eva2000 Administrator Staff Member

fly Member

fly Member

eva2000 Administrator Staff Member

fly Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

Pure-FTPD Can't connect via FTP to newly built Centmin server.

fly Member

eva2000 Administrator Staff Member

fly Member

eva2000 Administrator Staff Member

fly Member

fly Member

eva2000 Administrator Staff Member

fly Member

eva2000 Administrator Staff Member

.