Pure ftp disconnect issue

pamamolf · Jun 1, 2016

Hi

I notice that some times i got a disconnect status or it is hard to connect using FTP

I am using Filezilla:

Protocol: FTP and Encryption to: Require Explicit over TLS
and then on Transfer settings tab select Transfer Mode: Passive
Click to expand...

I think it looks like a limit for the same time connected users somewhere?

We try to use about 5 users and maybe we try to use it the same time....

eva2000 · Jun 1, 2016

in pure-ftpd.conf file

Code (Text):

grep -C3 MaxClients /etc/pure-ftpd/pure-ftpd.conf

# Maximum number of simultaneous users

MaxClientsNumber            500



--

# Maximum number of sim clients with the same IP address

MaxClientsPerIP             200

pamamolf · Jun 1, 2016

Then something else is wrong

pamamolf · Jun 2, 2016

On a new server (not public) just for development a site that i use Centminmod latest beta on Centos 7 the user just report the same error
When he is log in and start to upload files after about 10 minutes he got disconnected but it looks like there is no network issues as many users report the same thing

He just try to upload opencart files one by one (don't like that way as it is easier to pack them and transfer only one file) but anyway and he got disconnected

Don't know if there is any newer version of pure ftpd to use or any firewall setting or any time limit or don't know what else

eva2000 · Jun 2, 2016

take note of users ip addresses and check /var/log/messages for ip and pure-ftpd tagged messages and and check csf firewall's lfd log at /var/log/lfd.log

pamamolf · Jun 3, 2016

From the logs there is nothing related only this:
Code:
server pure-ftpd: (userftp@123.45.678.999) [INFO] Timeout - try typing a little faster next time
How can i increase the timeout value?

But this is not related as many users upload a folder with hundred of files inside and got kicked

Csf firewall logs also have nothing related....

Maybe a problem with Cloudflare in front?

It will be an issue if this same ftp account be used by 3-4 users at the same time?

I increase also the timeout and will see....

pamamolf · Jun 3, 2016

Report from a user that he is the only one connected and he upload a file with many files inside and he has a very fast and stable net connection and he report this:
Code:
Status:       File transfer successful, transferred 3,409 bytes in 1 second
Status:       Starting upload of /Users/userx/Downloads/wordpress 2/wp-comments-post.php
Status:       File transfer successful, transferred 1,531 bytes in 1 second
Status:       Disconnected from server
Status:       Disconnected from server
Status:       Delaying connection for 5 seconds due to previously failed connection attempt...
Status:       Delaying connection for 5 seconds due to previously failed connection attempt...
Status:       Connecting to 123.123.123.123:21...
Status:       Connecting to 123.123.123.123:21...
Status:       Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
Error:         Could not connect to server
Status:       Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
Error:         Could not connect to server
Status:       Starting upload of /Users/userx/Downloads/wordpress 2/wp-blog-header.php
Status:       Starting upload of /Users/userx/Downloads/wordpress 2/wp-links-opml.php
He can produce that error anytime by connecting and start uploading files and in 2 minutes maximum he get that error

Something is wrong damn

Searching around i found this that may help?

KB Plesk: Cannot connect to FTP storage via FileZilla 3.10: ETIMEDOUT - Connection attempt timed out

Maybe something change/wrong with the mode or encryption that we use on Centminmod Pureftpd ?

eva2000 · Jun 3, 2016

enable verbose logging

and timestamps

should give a more detailed log of what's going on and the times

pamamolf · Jun 3, 2016

new verbose log:

Code:

07:21:40 Status:       Connecting to 123.123.123.123:21...
07:21:50 Status:       Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
07:21:50 Trace:        CRealControlSocket::OnClose(60)
07:21:50 Trace:        CFtpControlSocket::ResetOperation(66)
07:21:50 Trace:        CControlSocket::ResetOperation(66)
07:21:50 Error:         Could not connect to server
07:21:50 Status:       Waiting to retry...

How can i disable any security measures just to test it?

eva2000 · Jun 3, 2016

should be more entries in log starting from the welcome pure-ftpd banner onwards

i.e.

Code (Text):

23:42:59    Response:    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
23:42:59    Response:    220-You are user number 1 of 500 allowed.
23:42:59    Response:    220-Local time is now 13:43. Server port: 21.
23:42:59    Response:    220-IPv6 connections are also welcome on this server.
23:42:59    Response:    220 You will be disconnected after 15 minutes of inactivity.
23:42:59    Trace:    CFtpControlSocket::SendNextCommand()
23:42:59    Command:    AUTH TLS
23:42:59    Trace:    CFtpControlSocket::OnReceive()
23:42:59    Response:    234 AUTH TLS OK.
23:42:59    Status:    Initializing TLS...
23:42:59    Trace:    CTlsSocket::Handshake()
23:42:59    Trace:    CTlsSocket::ContinueHandshake()
23:42:59    Trace:    CTlsSocket::ContinueHandshake()
23:42:59    Trace:    CTlsSocket::ContinueHandshake()
23:43:00    Trace:    CTlsSocket::ContinueHandshake()
23:43:00    Trace:    TLS Handshake successful
23:43:00    Trace:    Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-128-GCM, MAC: AEAD
23:43:00    Status:    Verifying certificate...
23:43:00    Status:    TLS connection established.

Code (Text):

23:45:06    Response:    227 Entering Passive Mode (111,222,333,444,192,159)
23:45:06    Trace:    CFtpControlSocket::TransferParseResponse()
23:45:06    Trace:    CFtpControlSocket::SendNextCommand()
23:45:06    Trace:    CFtpControlSocket::TransferSend()

but ensure you have require explicit FTP over TLS set

also error can be related to end user's own router and desktop/pc firewalls, anti-virus or internet security suites etc too

pamamolf · Jun 4, 2016

Ok i found the issue

All problems was because i had disable csf firewall !!!!!

I enable it and now all are ok

But i thought it was better to use csfstop for testing to avoid any blocks....

I was keep it close as i am using this server to get some remote backups and i was looking to avoid any block for it ....

eva2000 · Jun 4, 2016

pamamolf said: ↑

All problems was because i had disable csf firewall !!!!!
Click to expand...

haha yes CSF is needed to properly get pure-ftpd using passive mode and passive ports range defined by pure-ftpd

Jon Snow · May 3, 2018

@eva2000 Is there anything in CSF that might disconnect someone for uploading too many files via pure ftp user?

My limit was higher than what was in the first post.
Code (Text):
# Maximum number of simultaneous users

MaxClientsNumber            1000

--

# Maximum number of sim clients with the same IP address

MaxClientsPerIP             500
The only way I've ever had no problem uploading was when I whitelisted the IP.

Edit: Alright, whitelisting my IP didn't help. I tried uploading and the server disconnected me after XX uploads then it said it was retrying to connect.

Jon Snow · May 3, 2018

Code (Text):

May  2 blah kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=fblah SRC=IP-Address DST=IP-Address LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=18802 DF PROTO=TCP SPT=53006 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0

eva2000 · May 3, 2018

You're hitting CSF Firewall Port Flood protection limits. Ideally, you want to limit your FTP clients max concurrent transfer limits and/or instead of uploading individual files, upload a zip file with all files then extract and move the files in place on server via SSH. Example of extracting a zip file via SSH can be seen in step 3 of Xenforo 2 setup. You can practice doing zip upload/extraction etc on test site domain until you are familiar with it.

See Insights guide I just wrote at CSF - Insight Guide - CSF Firewall Port Flood Blocking Pure-FTP Connections

Jon Snow · May 4, 2018

eva2000 said: ↑

You're hitting CSF Firewall Port Flood protection limits. Ideally, you want to limit your FTP clients max concurrent transfer limits and/or instead of uploading individual files, upload a zip file with all files then extract and move the files in place on server via SSH. Example of extracting a zip file via SSH can be seen in step 3 of Xenforo 2 setup. You can practice doing zip upload/extraction etc on test site domain until you are familiar with it.

See Insights guide I just wrote at CSF - Insight Guide - CSF Firewall Port Flood Blocking Pure-FTP Connections
Click to expand...

I already know about zips but in some cases, I'd like to just upload through the pure ftp user. I've already changed the ftp settings to a much lower number but I still hit the limit.

That link was exactly part of what I was looking for. From that link:
Code (Text):
PORTFLOOD = "21;tcp;5;300"
My FTP setting is lower than 5. I guess 300 means seconds and it's crossing the timeframe or something to hit the limit? So should I just increase 300 drastically and will that affect the server in any negative way?

Is there a way to whitelist an ftp user or IP address to avoid getting hit by this limit?

eva2000 · May 4, 2018

Did you restart FTP client (close/reopen) ?

maybe change it from 5 hit count to 20 instead
Code (Text):
PORTFLOOD = "21;tcp;20;300"
from CSF - Insight Guide - CSF Firewall Port Flood Blocking Pure-FTPD Connections
is the ip getting listed in /proc/net/xt_recent/21 ?
Code (Text):
cat /proc/net/xt_recent/21
during pure-ftpd uploads what's out output of
Code (Text):
echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))

Jon Snow · May 4, 2018

eva2000 said: ↑

Did you restart FTP client (close/reopen) ?
Click to expand...

I did not close & re-open the program after changing it but I did press OK.

I have it set to 2 and it shows 2 but when I ran the command you mentioned from your post after I got disconnected by it, it was at 3. Weird. Why did it increase if all of my settings were set to 2?

It's disconnecting me (and delaying me until next reconnect) after I upload a couple of files from xenForo's largest folder.
eva2000 said: ↑
is the ip getting listed in /proc/net/xt_recent/21 ?
Code (Text):
cat /proc/net/xt_recent/21
Click to expand...
Yeah the IP is listed there.

So my only option is increasing the 21;tcp;20;300 limit, right?

pamamolf · May 4, 2018

I had almost always that issue too.Nice to have the value of 20 as default !!!!

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Pure ftp disconnect issue

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

Jon Snow Active Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

pamamolf Well-Known Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Pure ftp disconnect issue

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

Jon Snow Active Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

pamamolf Well-Known Member

.