Applicable to:
- Plesk Onyx for Linux
Symptoms
- Passive FTP connection (plain, non-SSL/TLS) does not work after enabling Plesk Firewall Tools & Settings > Firewall > Enable
- Cannot list directory when connecting in passive mode:
# ftp> dir
227 Entering Passive Mode (192,0,2,2,176,121).
ftp: connect: Connection timed out - The following errors appear in
/var/log/messages:
CONFIG_TEXT: xinetd[2457]: START: ftp pid=4513 from=::ffff:203.0.113.2
proftpd[4513]: processing configuration directory '/etc/proftpd.d'
proftpd[4513]: FTP session opened.
named[3167]: error (network unreachable) resolving - The following errors appear in
/var/log/secure:
CONFIG_TEXT: proftpd: pam_listfile(proftpd:auth): Couldn't open /etc/ftpusers
proftpd[4513]: (203.0.113.2) - USER username: Login successful. - passive FTP ports are configured and allowed in firewall
- nf_conntrack_ftp module is not loaded:
# lsmod | grep conntrack_ftp
#
Cause
The described behavior is expected if nf_conntrack_ftp module is not loaded.
This is Plesk bug with ID PPPM-6187: the notification in Plesk UI will be added in future Plesk updates.
Resolution
Note: This article may require additional administrative knowledge to apply. If any help required, contact server’s administrator or hosting support.
- Make sure all above symptoms present.
- Log in to Plesk server via SSH
-
Enable the kernel modules in the system:
Note: Actions that involves kernel modules configuration should be performed on a physical or a virtual machine with full hardware emulation. If a VZ container is used, the same actions should be performed on a hardware node where this VZ container is running.
2.1. Add the modules to the configuration file:
# echo nf_nat_ftp >> /etc/modules-load.d/modules.conf
# echo nf_conntrack_ftp >> /etc/modules-load.d/modules.conf2.2. On CentOS/RHEL-based distributions, add the modules to the
IPTABLES_MODULESline in the/etc/sysconfig/iptables-configfile as follows:# cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"
Comments
10 comments
This worked for us. It should be noted in the release notes.
@Tomas As soon as bug with ID # PPPM-6187 will be fixed it will be noted in release notes
Half year later and this bug is not fixed? Wow...
@Dudebaker, work on bugs is performed in accordance with their priority and impact.
Plesk Development Team does its best to resolve the issue in upcoming updates.
Please fix this bug as soon as possible. I can not use the firewall, although I desperately need it.@Domenico Gruhn
Have you used the described workaround?
@Alisa Kasyanova
it don't list the directory
@Domenico Gruhn
Just checked my test Deb9 Onyx 17.8: FTP with TLS is working properly.
Please check this article, and if it doesn't help, feel free to submit a support request.
@Alisa Kasyanova: i make it work by this two steps:
specify a passive ports range in /etc/proftpd.conf (https://support.plesk.com/hc/en-us/articles/213902285)
and adding a Custom Rule to firewall (https://support.plesk.com/hc/en-us/articles/213368589-Troubleshooting-connections-to-a-Plesk-server-via-FTP-in-the-passive-mode)
@Domenico Gruhn
Great! Good to know that you have figured it out!
Please sign in to leave a comment.