The problem
While trying to connect to an FTP server using passive mode with explicit FTP over TLS, I kept getting the following timeouts (client log, server address and account redacted):
Error: Connection timed out
Error: Failed to retrieve directory listing
Status: Connecting to XXX.yyy.XXX.yyy:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 11:55. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER testsh@kupicd.com
Status: TLS/SSL connection established.
Response: 331 User XXXXX@EXAMPLE.COM OK. Password required
Command: PASS ************
Response: 230 OK. Current restricted directory is /
Status: Server does not support non-ASCII characters.
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Data protection level set to "private"
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
The control connection on port 21 works fine all the way through login, TLS negotiation and PROT P. The failure comes right after PASV: in passive mode the client opens a second, inbound TCP connection to the high port announced in the 227 reply, and that connection never gets answered, so the MLSD listing times out. The cause was Pure-FTPd itself: no PassivePortRange was set, so the server handed out arbitrary ephemeral ports, and none of them were permitted by the firewall. Note that with explicit TLS the control channel is encrypted, so a stateful firewall's FTP helper cannot read the PASV reply and open the data port on the fly; the range has to be fixed in the server and explicitly allowed in the firewall.
The FIX
In this fix I will use the range that ships commented out in the sample pure-ftpd.conf: 30000 to 50000. You can choose any range you like, as long as the ports are unprivileged (above 1023) and nothing else on the server listens inside it; keep in mind that each passive data connection occupies one port from the range, so its size caps the number of concurrent transfers. Opening 20001 ports is more than most servers need, and a narrower range exposes less.
If you choose a different range, make sure you write the same values into both the iptables rule and the Pure-FTPd configs below, or the data connections will keep timing out.
1. Edit pure-ftpd.conf and uncomment the PassivePortRange line (it ships as "# PassivePortRange 30000 50000"; add it if missing), then restart the service
# vim /etc/pure-ftpd.conf
...
PassivePortRange 30000 50000
...
# /etc/init.d/pure-ftpd restart
2. Make the changes in cPanel pure-ftpd template
cPanel regenerates /etc/pure-ftpd.conf from its own template, so to make sure your change survives the next regeneration you must also edit the pure-ftpd.conf template it uses:
# vim /var/cpanel/conf/pureftpd/main
...
PassivePortRange: '30000 50000'
...
3. Open the port range in the firewall
# iptables -t filter -I INPUT -p tcp --dport 30000:50000 -j ACCEPT
(The option is two ASCII hyphens, --dport; a copied en-dash will make iptables reject the rule.) -I inserts the rule at the top of the INPUT chain, so it takes effect before any DROP rules. It accepts new connections from anywhere to every port in the range, which is why the range should contain nothing but Pure-FTPd's passive listeners.
To make the rule persist across a restart, add it to /etc/sysconfig/iptables (or write the running ruleset there with iptables-save). If the server's firewall is managed by CSF, as is common on cPanel hosts, add the range to TCP_IN in /etc/csf/csf.conf instead, since CSF will otherwise flush a hand-written iptables rule.
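To confirm the three steps line up, here is an added shell example (not part of the original post) that parses a 227 PASV reply into the data port the client will connect to, reads the PassivePortRange out of a pure-ftpd.conf, and checks that an iptables -S INPUT dump accepts that whole range. The config file contents, the PASV reply and the iptables output used below are constructed samples with placeholder addresses; on a real server you would pass /etc/pure-ftpd.conf, the 227 line from your client log and the output of `iptables -S INPUT`.

```shell
#!/bin/sh
# Added example: sanity checks for a Pure-FTPd passive port range.
# All checks operate on text passed in, so they can be run against live
# output or, as at the bottom, against constructed samples.

# Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and print
# the data port the client will connect to: p1*256 + p2. Fails on garbage.
pasv_port() {
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    p1=$(printf '%s' "$fields" | cut -d, -f5)
    p2=$(printf '%s' "$fields" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# Print "LOW HIGH" from an uncommented PassivePortRange line in the given
# pure-ftpd.conf; fail if the directive is missing or still commented out.
conf_range() {
    awk '$1 == "PassivePortRange" && NF == 3 { print $2, $3; found = 1 }
         END { exit !found }' "$1"
}

# Succeed if port $1 lies in [$2, $3] and the range is unprivileged (> 1023).
in_range() {
    [ "$2" -gt 1023 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Succeed if an `iptables -S INPUT` dump ($1) has an ACCEPT for tcp dports $2:$3.
rule_present() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT .*-p tcp .*--dport $2:$3 -j ACCEPT"
}

# Tie it together: 0 only if the PASV port is inside the configured range
# and the firewall accepts that whole range. Arguments: conf file, 227 line,
# iptables -S INPUT output as a string.
check_passive() {
    conf=$1; pasv=$2; rules=$3
    range=$(conf_range "$conf") || { echo "PassivePortRange not set in $conf"; return 1; }
    low=${range% *}; high=${range#* }
    port=$(pasv_port "$pasv") || { echo "could not parse PASV reply: $pasv"; return 1; }
    in_range "$port" "$low" "$high" || { echo "PASV port $port outside $low-$high"; return 1; }
    rule_present "$rules" "$low" "$high" || { echo "no INPUT ACCEPT for tcp $low:$high"; return 1; }
    echo "OK: PASV port $port within $low-$high and firewall accepts the range"
}

# --- constructed samples (placeholder address, not from a real server) ---
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# PassivePortRange 30000 50000
PassivePortRange 30000 50000
EOF
# 117*256 + 48 = 30000, the bottom of the range
SAMPLE_PASV='227 Entering Passive Mode (192,0,2,10,117,48)'
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:50000 -j ACCEPT'

check_passive "$SAMPLE_CONF" "$SAMPLE_PASV" "$SAMPLE_RULES"
rm -f "$SAMPLE_CONF"
```

If check_passive reports a PASV port outside the range, Pure-FTPd is still running with the old config (or cPanel regenerated it from an unedited template); if it reports a missing ACCEPT, the firewall step did not stick.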