Want more timely Centmin Mod News Updates?
Become a Member

Pure-FTPD Pure-FTPD timeout when trying to access from ipV6 public ip?

Discussion in 'Other Centmin Mod Installed software' started by Benjamin74, Aug 24, 2023.

  1. Benjamin74

    Benjamin74 Member

    72
    6
    8
    May 2, 2016
    Ratings:
    +15
    Local Time:
    9:45 PM
    Hello guys,

    Very weird issue:

    Server installed a couple weeks ago, pure-ftpd was working perfectly fine at my homeoffice (using forklift client on mac OS, which has always worked on CMM these past years).

    Trying today to connect : timeout

    I think I may have updated some server packages yesterday or so.

    After changing the pure-ftpd password I have been able to connect from my homeoffice macmini... no clue why, the old password has worked fine for days and days...

    But I still get "The item can't be opened / Operation timed out" when trying to connect from my current location (which is an ipV6 DSL routeur, i.e. my public IP is ipV6).

    Trying from my current location with Filezilla (FTP explicit on TLS, passive mode enable, I'm not 100% sure of the settings needed because I don't usually use filezilla) : I do get the SSL certificate pop-up that I need to confirm but then I still get:

    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is your current location
    Command: TYPE I
    Response: 200 TYPE is now 8-bit binary
    Command: PASV
    Response: 227 Entering Passive Mode (78,XX,XXX,XXX,188,193)
    Command: MLSD
    Error: The data connection could not be established: ETIMEDOUT - Connection attempt timed out


    Any of you has seen this before?

    Thanks a lot,


    • CentOS Version: i.e. CentOS Linux release 7.9.2009 (Core)
    • Centmin Mod Version Installed: i.e. 130.00beta01.b382
    • Nginx Version Installed: 1.25.1
    • PHP Version Installed: PHP 8.2.9
    • MariaDB MySQL Version Installed: N/A
    • When was last time updated Centmin Mod code base ? : today august 23
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      LETSENCRYPT_DETECT='y'
      AUTODETECPHP_OVERRIDE='y'
      PHP_BROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      NGINX_LIBBROTLI='y'
      PHPFINFO='y'
      MARCH_TARGETNATIVE='n'
      
      

      Post output in CODE tags.
     
  2. eva2000

    eva2000 Administrator Staff Member

    51,969
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    5:45 AM
    Nginx 1.25.x
    MariaDB 10.x
    Does the Centmin Mod server even support IPv6 or is it IPv4 only? AFAUK, Pure-ftpd by default listens for both IPv4 and IPv6 connections (provided server is setup to support IPv6). You can check what pure-ftpd addresses are being listened on via command
    Code (Text):
    netstat -plantu | grep -i pure
    

    example shows both IPv6 and IPv4 TCP/TCP6 port listeners
    Code (Text):
    netstat -plantu | grep -i pure
    tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4159345/pure-ftpd   
    tcp6       0      0 :::21                   :::*                    LISTEN      4159345/pure-ftpd
    


    Ensure pure-ftpd passive port range is in TCP_IN and TCP6_IN comma separated list of allowed incoming TCP ports for 30001:50011 range and port 21 for passive port by checking CSF Firewall's /etc/csf/csf.conf config file using egrep
    Code (Text):
    egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
    

    You can check if IPv6 IP address you're connecting from is blocked in CSF Firewall using csf grep
    Code (Text):
    csf -g YOUR_IP_ADDRESS


    tried pure-ftpd service restart?
    Code (Text):
    systemctl restart pure-ftpd
    

    You can see settings for Filezilla config at Pure-FTPD Virtual FTP Users - CentminMod.com LEMP Nginx web stack for CentOS. But does this work on IPv4 and IPv6 connecting IPs from either of your locations?
     
  3. Benjamin74

    Benjamin74 Member

    72
    6
    8
    May 2, 2016
    Ratings:
    +15
    Local Time:
    9:45 PM
    Thanks Eva for the tips.

    Yes the server is apparently listening to v4 and v6

    Code:
    tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      22266/pure-ftpd (SE
    tcp6       0      0 :::21                   :::*                    LISTEN      22266/pure-ftpd (SE
    In the CSF I can see port 21 everywhere so it looks normal

    Code:
    TCP_IN = "20,21,78,25,53,853,80,110,143,443,465,587,993,995"
    TCP_OUT = "8080,2525,465,1110,1194,9418,3306,20,21,22,25,53,853,80,110,113,443,587,993,995"
    UDP_IN = "67,68,1110,33434:33534,20,21,53,853,80,443"
    UDP_OUT = "67,68,1110,33434:33534,443,20,21,53,853,113,123"
    TCP6_IN = "20,21,78,25,53,853,80,110,143,443,465,587,993,995"
    TCP6_OUT = "8080,2525,465,3306,20,21,22,25,53,853,80,110,113,443,587,993,995"
    UDP6_IN = "20,21,53,853,80,443"
    UDP6_OUT = "20,21,53,853,113,123"
    Checking that my current ipV6 ip wasn't blacklisted was one of my first idea and no it's not.

    I reinstalled centOS on 2 servers and I don't have this really weird behavior (i.e. pute-ftp is working perfectly fine from my ipv6 location)... really no clue what's going on with this precise VPS (all these servers are at Hetzner and I never got weird things with them).

    I also tried Filezilla from my homeoffice (ipv4) and it's working as expected.

    I don't think debugging this is worth our time, I'll move along and use one of the new CMM server I just installed unless someone has an idea but google-fooing this kind of problem doesn't return much results so it looks like a really sporadic issue.
     
  4. eva2000

    eva2000 Administrator Staff Member

    51,969
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    5:45 AM
    Nginx 1.25.x
    MariaDB 10.x
    you're missing 30001:50011 pure-ftpd passive port ranges in TCP_IN and TCP6_IN comma separated lists
    Code (Text):
    TCP_IN = "20,21,78,25,53,853,80,110,143,443,465,587,993,995,30001:50011"
    TCP6_IN = "20,21,78,25,53,853,80,110,143,443,465,587,993,995,30001:50011"
    

    if you check the working servers /etc/csf/csf.conf egrep check, do you see 30001:50011 ? If so, on problematic server re-add 30001:50011 to comma separated list for TCP_IN and TCP6_IN and restart CSF Firewall
    Code (Text):
    csf -ra


    edit: just noticed port 78 there, so you changed SSHD port via centmin.sh menu option 16 right?

    edit: so looks like you came across a bug in Centmin Mod's initial CSF Firewall install and configure routine due to changes in CSF Firewall's default TCP_IN and TCP6_IN port list adding a port 853 to the list so Centmin Mod CSF Firewall routine wasn't expecting the 853 port in the list of ports that triggers adding Centmin Mod required ports like pure-ftpd passive port range

    Centmin Mod expected CSF Firewall defaults to be
    Code (Text):
    20,21,22,25,53,80,110,143,443,465,587,993,995
    

    but new defaults are with 853 added
    Code (Text):
    20,21,22,25,53,853,80,110,143,443,465,587,993,995
    

    so Centmin Mod initial install didn't add it's ports including 30001:50011

    FYI, port 853 is used for DNS over TLS (DoT).

    CSF Firewall added port 853 in v14.18 - current version is v14.19 https://download.configserver.com/csf/changelog.txt
    Code (Text):
    ChangeLog:
    
    14.19 - Switch to using iptables-nft if it exists in /usr/sbin/iptables-nft
    
            Added IO::Handle::clearerr() call before reading data from a log file
    
        Added "Require all granted" to the MESSENGER .htaccess file
    
        Added UID/GID rules to IPv6 if enabled
    
        Modified dovecot regex to look for "failed: Connection reset by peer"
    
    14.18 - Added port 853 for DoT to all new installs
    
            Added exe wpt-panopticon on cPanel servers to csf.pignore
    
        Updated list of EOL PHP versions
       
        Modified HTACCESS regex to include "remote" as well as "client" log
        lines
    
        Implemented DA POST workaround for saving large text files via the UI
    
        Modified MESSENGER to only send unblock email if a valid IP is
        requested
    
        Modified DA server check to look for multiple php versions in
        /usr/local/php*
    
     
  5. eva2000

    eva2000 Administrator Staff Member

    51,969
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    5:45 AM
    Nginx 1.25.x
    MariaDB 10.x
    FYI, I just updated Centmin Mod 124.00stable and 130.00beta01 with a fix for missing pure-ftpd passive port range config in CSF Firewall due to CSF v14.18 default changes which came out ~August 18, 2023. You can run cmupdate command on your Centmin Mod install to update the code and then run and exit centmin.sh menu once to auto apply the fix and then run command
    Code (Text):
    egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf

    to check if TCP_IN and TCP6_IN now show in comma separated list of whitelisted ports the pure-ftpd passive port range entry = 30001:50011
     
  6. Benjamin74

    Benjamin74 Member

    72
    6
    8
    May 2, 2016
    Ratings:
    +15
    Local Time:
    9:45 PM
    Hello Eva:

    1) I can confirm that both working an not working server didn't have the 30001:50011 ranges you mention. Both had exactly the same list of ports (appart from SSH that has been customized on one server as you noticed)

    2) running cmupdate it says "Already up-to-date." maybe you didn't push the fix yet(?)

    edit: manually added 30001:50011 to TCP6_IN and TCP_IN in /etc/csf/csf.conf and then restarting csf -ra corrected the issue as you expected

    Cheers,
     
    Last edited: Aug 24, 2023
  7. eva2000

    eva2000 Administrator Staff Member

    51,969
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    5:45 AM
    Nginx 1.25.x
    MariaDB 10.x
    did you run centmin.sh and exit once after cmupdate? You need to run centmin.sh once to apply the fix

    try removing manually added 30001:50011 entry and then run cmupdate command again and see.

    or check the last update made via these commands
    Code (Text):
    cmdir
    git log -1 | grep -v Author

    which should show
    Code (Text):
    git log -1 | grep -v Author
    commit baaa1dcc13590a7b0537a3528e7e379171f2cd8b
    Date:   Thu Aug 24 20:17:02 2023 +1000
        chmod +x tools/fix-csf-ftp-ports.sh in 130.00beta01
    

    thanks for confirmation
     
  8. Benjamin74

    Benjamin74 Member

    72
    6
    8
    May 2, 2016
    Ratings:
    +15
    Local Time:
    9:45 PM
    I can confirm that the cmupdate fixes everything, I had the issue on another old CMM install and running the cmupdate solved it.

    Looks like I'm the only one connecting from an ipV6 lol ;-)