cPanel – Pure-FTPD – Timeout connecting to ftp using explicit FTP over TLS

Author: gryzli

The problem

While trying to connect to FTP using Passive Mode + explicit FTP over TLS, I was getting the following timeouts:

Error:	Connection timed out
Error:	Failed to retrieve directory listing
Status:	Connecting to XXX.yyy.XXX.yyy:21...
Status:	Connection established, waiting for welcome message...
Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:	220-You are user number 1 of 50 allowed.
Response:	220-Local time is now 11:55. Server port: 21.
Response:	220-This is a private system - No anonymous login
Response:	220-IPv6 connections are also welcome on this server.
Response:	220 You will be disconnected after 15 minutes of inactivity.
Command:	AUTH TLS
Response:	234 AUTH TLS OK.
Status:	Initializing TLS...
Status:	Verifying certificate...
Command:	USER
Status:	TLS/SSL connection established.
Response:	331 User XXXXX@EXAMPLE.COM OK. Password required
Command:	PASS ************
Response:	230 OK. Current restricted directory is /
Status:	Server does not support non-ASCII characters.
Command:	PBSZ 0
Response:	200 PBSZ=0
Command:	PROT P
Response:	200 Data protection level set to "private"
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is your current location
Command:	TYPE I
Response:	200 TYPE is now 8-bit binary
Command:	PASV
Response:	227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX)
Command:	MLSD
Error:	Connection timed out
Error:	Failed to retrieve directory listing

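The problem was in Pure-FTPd itself: its passive port range (PassivePortRange) wasn't set and wasn't permitted on the firewall. With explicit FTP over TLS the control channel is encrypted, so the firewall cannot read the PASV reply to open the data port on its own, and the passive range has to be fixed in the server config and allowed explicitly.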



In this fix I will use the default passive port range: 30000 to 50000. You can choose whatever range you like (make sure the ports are above 1024).

If you choose a different port range, make sure to write the right values in the iptables rule and the pure-ftpd configs.

1. Edit pure-ftpd.conf and uncomment the passive port range section

# vim /etc/pure-ftpd.conf

PassivePortRange          30000 50000

# /etc/init.d/pure-ftpd restart


2. Make the changes in cPanel pure-ftpd template

To make sure that cPanel won’t overwrite your changes during the next pure-ftpd.conf regeneration, you must also edit its pure-ftpd.conf template:


# vim /var/cpanel/conf/pureftpd/main

PassivePortRange: '30000 50000'

3. Open the port range in Firewall

# iptables -t filter -I INPUT -p tcp --dport 30000:50000 -j ACCEPT


You can add this rule to /etc/sysconfig/iptables to make it persistent across server restarts.
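
A consistency check for the three steps above, as an added example that is not part of the original post: it compares the PassivePortRange in pure-ftpd.conf, the cPanel template and a rules file in iptables-save format. The function names and the sample files are made up for illustration, and the check only looks for a matching ACCEPT rule on INPUT.

```sh
#!/bin/sh
# Added example (not from the original post): check that pure-ftpd.conf, the
# cPanel template and the firewall rules agree on the passive port range.

# Print "LOW HIGH" from an uncommented PassivePortRange line in pure-ftpd.conf.
conf_range() {
    awk '$1 == "PassivePortRange" { print $2, $3; exit }' "$1"
}

# Print "LOW HIGH" from the template line  PassivePortRange: '30000 50000'
template_range() {
    sed -n "s/^PassivePortRange:[[:space:]]*'\([0-9]*\)[[:space:]]\{1,\}\([0-9]*\)'.*/\1 \2/p" "$1" | head -n 1
}

# Succeed if an INPUT tcp ACCEPT rule (iptables-save format) covers LOW..HIGH.
# Rule order is not evaluated, so an earlier DROP/REJECT can still block it.
fw_allows() {  # usage: fw_allows RULES_FILE LOW HIGH
    awk -v lo="$2" -v hi="$3" '
        /^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                if (n == 1) r[2] = r[1]
                if (r[1] + 0 <= lo + 0 && r[2] + 0 >= hi + 0) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Report the first mismatch between config, template and firewall rules.
check_passive() {  # usage: check_passive CONF TEMPLATE RULES_FILE
    c=$(conf_range "$1"); t=$(template_range "$2")
    [ -n "$c" ] || { echo "conf: PassivePortRange not set"; return 1; }
    [ "$c" = "$t" ] || { echo "template differs: conf='$c' template='$t'"; return 1; }
    lo=${c% *}; hi=${c#* }
    fw_allows "$3" "$lo" "$hi" || { echo "firewall: no ACCEPT for tcp $lo:$hi"; return 1; }
    echo "ok: $lo-$hi"
}

# Dry run on constructed sample files (not taken from a real server).
d=$(mktemp -d)
printf 'PassivePortRange          30000 50000\n' > "$d/pure-ftpd.conf"
printf "PassivePortRange: '30000 50000'\n" > "$d/main"
printf '%s\n' '-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 30000:50000 -j ACCEPT' > "$d/rules"
check_passive "$d/pure-ftpd.conf" "$d/main" "$d/rules"
```

On a real server, call check_passive /etc/pure-ftpd.conf /var/cpanel/conf/pureftpd/main /etc/sysconfig/iptables after making the changes.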