How to configure a passive ports range for ProFTPd on a server behind a firewall?

Follow

Comments

10 comments

  • Avatar
    Simeon Ivaylov Petrov

    Hello, I've followed this article step by step, but I still receive this error:

    Status: Connection established, waiting for welcome message...
    Status: Initializing TLS...
    Status: Verifying certificate...
    Status: TLS connection established.
    Status: Logged in
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is the current directory
    Command: TYPE I
    Response: 200 Type set to I
    Command: PASV
    Response: 227 Entering Passive Mode (..............................).
    Command: MLSD
    Error: Connection timed out after 20 seconds of inactivity
    Error: Failed to retrieve directory listing

  • Avatar
    Konstantin Annikov

    Hello, 

    I recommend you to double-check the firewall (that it is configured to allow all range of passive ports). 

    If you are sure that firewall allows connections to passive ports, please contact our support at 

    https://support.plesk.com/hc/en-us/requests/new

  • Avatar
    Simeon Ivaylov Petrov

    Hi @Konstantin!

    I have the Plesk WEB ADMIN EDITION and haven't installed any third party Firewall. My server is on Digital Ocean and there is no Firewall installed as well. What other firewall could generate the problem?

     

    Thanks

  • Avatar
    Konstantin Annikov (Edited )

    Simeon, 

    Let's confirm if it is a firewall or not. Please perform the following: 

    On the server:

    1. Install netcat utility for troubleshooting

    # yum install nc

    2. launch the utility with -l option to start listening on specific port (from passive ftp port range)

    # nc -l 57001

    3. Try to connect to the server using the telnet utility from external machine (from the local machine for example): 

    # telnet <server IP> 57001

    If the connection is successful, all the text you are writing in telnet session will be transferred to remote host.  

    If the connection is not successful, it means that there is a firewall between the server and the client. 

    Can you share the results of this troubleshooting? 

  • Avatar
    Simeon Ivaylov Petrov

    You are right, the output is this:

    Connecting To <server IP>...Could not open connection to the host, on port 57001: Connect failed

    I've installed PLESK on my Digital Ocean Droplet using the One-Click installer operation described here:  https://support.plesk.com/hc/en-us/articles/213928265-How-to-install-Plesk-on-Digital-Ocean-cloud-infrastructure-instance-

    I have not installed any Firewall in Plesk and in my Digital Ocean account.

    Does this means that the One-Click installer installs a firewall anyway?
    In this case what should I do to make the Passive ports to work?

    Thank you

  • Avatar
    Konstantin Annikov

    Simeon, 

    Yes, we confirmed the the cause is firewall. 

    Could you please check several points: 

    1. Have you configured the Firewall in Digital Ocean to open needed range of ports? Introduction to DO firewall described here: 

    https://www.digitalocean.com/community/tutorials/an-introduction-to-digitalocean-cloud-firewalls

    2. Do you have plesk-firewall installed? 

    # rpm -qa | grep psa | grep fire
    psa-firewall-17.5.3-cos7.build1705170317.16.x86_64

    3. If Plesk firewall is installed, you can configure it under Plesk > Tools&Settings > Firewall

    4. If Plesk Firewall is not installed, please check iptables on the server: 

    # iptables -L 

    If there are rules inside, it is needed to add a rule to accept packets which are coming to passive ports with the command like that: 

    # iptables -A INPUT -p tcp --match multiport --dports 57000:58000 -j ACCEPT

  • Avatar
    Simeon Ivaylov Petrov

    Hi Konstantin:

    1) No, I have no firewall configured on my digital ocean account for the server droplet:

    2) No, I have no plesk-firewall installed on the server. The command you suggested returns empty result.

    3) I don't have such an option inside my Plesk > Tools&Settings page

    4) Yes, the command returns me a list of rules

    5) I've already done this following the article steps. I've done it again, but when I try to listen the port with the suggested command from you and if I try to connect via telnet from my local computer, there is still a Connect failed response.

    My PLESK is installed on a Centos7 OS and the command # firewall-cmd --get-active-zones returns me "FirewallD is not running" as well

  • Avatar
    Alexandr Zubtsovsky

    Hello Simeon,

    The connection may be blocked by an intermediate firewall: such as  firewall on network router or internet provider firewall).

    Please review the entire network route: from source machine to the target server and ensure that there is no firewall blocking passive port range (TCP 57000-58000).

    In addition, since firewalld is disabled on the server with CentOS 7 please ensure that iptables rules are saved after server reboot.

    Please refer to the article:

    https://support.plesk.com/hc/en-us/articles/115000497953-Iptables-rules-get-reset-after-server-reboot-on-CentOS-7

     

     

  • Avatar
    Simeon Ivaylov Petrov

    Hello Alexandr,

    I was not able to make it work, but when I activated the SSH access to the FTP user and used SFTP instead of FTP, it works... I think there is some problem with the insecure FTP port or something like that...

  • Avatar
    Bulat Tsydenov

    @Simeon, as for SFTP, it works because it uses SSH port. As for passive ports, I would recommend you contact service provider support to find the cause and rectify the issue.

Please sign in to leave a comment.

Have more questions? Submit a request