Nikolaos Milas | 28 Apr 2012 12:09

[Proftpd-user] Unable to build data connection

Hello,

On a proftpd 1.3.3g server (on a virtual CentOS 5.8 64bit) where 
everything works fine, I have a client device (a data logger) which 
connects/authenticates successfully over simple FTP, but cannot transfer 
data; stored files have zero size. (Other clients have no problem *with 
the same account*.) This client connects every hour over the cell (GSM) 
mobile network (Greece) to upload collected data.

When debugging (with DebugLevel 9) I noticed that the process goes fine, 
then "freezes" temporarily at the following point:

"Apr 28 01:05:11 ftp.noa.gr proftpd[3122] 195.251.204.231 (::ffff:109.178.2.46[::ffff:109.178.2.46]): dispatching CMD command 'STOR 0000286203_20120427200000.MIS' to mod_xfer"

and then, after some time:

Apr 28 01:08:20 ftp.noa.gr proftpd[3122] 195.251.204.231 (::ffff:109.178.2.46[::ffff:109.178.2.46]): Transfer aborted after 0 bytes in 0.00 seconds
Apr 28 01:08:20 ftp.noa.gr proftpd[3122] 195.251.204.231 (::ffff:109.178.2.46[::ffff:109.178.2.46]): dispatching POST_CMD_ERR command 'STOR 0000286203_20120427200000.MIS' to mod_quotatab
Apr 28 01:08:20 ftp.noa.gr proftpd[3122] 195.251.204.231 (::ffff:109.178.2.46[::ffff:109.178.2.46]): dispatching LOG_CMD_ERR command 'STOR 0000286203_20120427200000.MIS' to mod_log
Apr 28 01:08:20 ftp.noa.gr proftpd[3122] 195.251.204.231 (::ffff:109.178.2.46[::ffff:109.178.2.46]): dispatching LOG_CMD_ERR command 'STOR 0000286203_20120427200000.MIS' to mod_xfer

Nikolaos Milas | 28 Apr 2012 14:17

Re: [Proftpd-user] Unable to build data connection

On 28/4/2012 1:09 PM, Nikolaos Milas wrote:

> (Other clients have no problem *with the same account*.)

Researching further, I found that other clients also have a problem with 
active FTP:

Status: Starting to send D:\temp\5\test1.txt
Command: CWD /
Reply: 250 CWD command successful
Εντολή: PWD
Reply: 257 "/" is the current directory
Command: TYPE A
Reply: 200 Type set to A
Command: PORT 192,168,1,10,253,46
Reply: 500 Illegal PORT command
Command: PASV
Reply: 227 Entering Passive Mode (195,251,204,231,81,226).
Command: STOR test1.txt
...

and continues successfully with Passive mode. But why does the PORT command 
(and consequently active mode) fail?

Thanks,
Nick


Nikolaos Milas | 28 Apr 2012 16:26

Re: [Proftpd-user] Unable to build data connection

On 28/4/2012 3:17 PM, Nikolaos Milas wrote:

> Command: PORT 192,168,1,10,253,46
> Reply: 500 Illegal PORT command
>
> But why does the PORT command (and consequently active mode) fail?

Hmm, I guess in that case it would be expected for active FTP to fail, 
because I tried from a client with a private IP address behind a NAT DSL 
device.

But from a client with a public IP address (that is, from a client in our 
own network):

# ftp ftp.noa.gr 9098
Connected to ftp.noa.gr.
220 FTP Server ready.
500 AUTH not understood
500 AUTH not understood
KERBEROS_V4 rejected as an authentication type
Name (ftp.noa.gr:root): Lousios-Datalogger
331 Password required for Lousios-Datalogger
Password:
230 User Lousios-Datalogger logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> passive
Passive mode off.
ftp> rhelp

Nikolaos Milas | 28 Apr 2012 20:00

Re: [Proftpd-user] Unable to build data connection

On 28/4/2012 5:26 PM, Nikolaos Milas wrote:

> This behaves as the remote Datalogger device.

Further investigation showed that the problem of active FTP from a 
client (on our LAN) we experimented with was a Firewall issue.

So, the focus is again on the datalogger device or on the mobile 
operator network.

Things show that data from server port 9097 are not received on the client.

We'll see....

_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html
Nikolaos Milas | 1 May 2012 11:06

Re: [Proftpd-user] Unable to build data connection

On 28/4/2012 9:00 PM, Nikolaos Milas wrote:

> So, the focus is again on the datalogger device or on the mobile
> operator network.
>
> Things show that data from server port 9097 are not received on the client.

In the end, the Datalogger device was switched to use passive FTP only 
and the problem was solved (actually circumvented).

We never found out why the datalogger device would not accept incoming 
connections from server:9097 (so that active ftp would work).

In any case, nothing wrong with ProFTPd behavior.

Regards,
Nick

TJ Saunders | 30 Apr 2012 17:41

Re: [Proftpd-user] Unable to build data connection


> ---> TYPE A
> 200 Type set to A
> ---> PORT 195,251,204,232,164,36
> 200 PORT command successful
> ---> LIST
> 425 Unable to build data connection: No route to host

The "no route to host" error means that the server cannot create a TCP 
connection to 195.251.204.232, port 41984.  Most likely cause is a 
firewall/NAT/router configuration, in front of that client machine, which 
prevents the connection to that high-numbered port.

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Never underestimate the potency, and the brevity, of novelty.

     -TJ Saunders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nikolaos Milas | 1 May 2012 11:00

Re: [Proftpd-user] Unable to build data connection

On 30/4/2012 6:41 PM, TJ Saunders wrote:

> Most likely cause is a
> firewall/NAT/router configuration

Thanks TJ,

As I also mentioned in my last message on 28/4, this one was indeed a 
firewall issue.

Regards,
Nick

TJ Saunders | 30 Apr 2012 17:35

Re: [Proftpd-user] Unable to build data connection


> Command: PORT 192,168,1,10,253,46
> Reply: 500 Illegal PORT command
> Command: PASV
> Reply: 227 Entering Passive Mode (195,251,204,231,81,226).
> Command: STOR test1.txt
> ...
> 
> and continues successfully with Passive mode. But why does the PORT command 
> (and consequently active mode) fail?

In this particular case, the PORT command sent by the client includes a 
non-public IP address (192.168.1.10); it is not possible for an FTP server 
on a public IP address to connect to that non-public IP address.  Remember 
that for active FTP transfers, the server connects to the address/port 
specified by the client in the PORT (or EPRT) command -- many client 
machines are residing in a LAN, or have client-side firewalls that reject 
the incoming connection from the FTP server (usually because the data 
transfer is using a high-numbered port on the client machine, which will 
be blocked by the firewall/NAT/router in front of the client).

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   The power of accurate observation is commonly called cynicism
   by those who have not got it.

     -George Bernard Shaw
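
An added example (not part of the thread and not ProFTPD code) that decodes the h1,h2,h3,h4,p1,p2 field of the PORT command and the 227 reply quoted above, flags a PORT target a public server cannot reach, and checks the advertised passive port against the iptables ranges posted in this thread. The function names are hypothetical.

```python
import ipaddress
import re

# Inbound TCP port ranges from the iptables rules quoted in this thread.
SERVER_OPEN_RANGES = [(20, 21), (9097, 9098), (49152, 65534), (20000, 22000)]

# Six comma-separated decimal fields, not embedded in a longer number.
_HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}(?:,\d{1,3}){5})(?!\d)")


def decode_hostport(text):
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' field of a PORT command or 227 reply."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    fields = [int(f) for f in match.group(1).split(",")]
    if max(fields) > 255:
        raise ValueError("field out of range in %r" % text)
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    # The port is sent as two bytes, high byte first.
    return addr, fields[4] * 256 + fields[5]


def active_mode_problems(port_command):
    """Reasons a public server would refuse, or fail, to connect back to the PORT target."""
    addr, port = decode_hostport(port_command)
    problems = []
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        problems.append("%s is not publicly routable" % addr)
    if port < 1024:
        problems.append("port %d is in the privileged range" % port)
    return problems


def passive_port_allowed(pasv_reply, ranges=SERVER_OPEN_RANGES):
    """True if the port advertised in a 227 reply falls inside an allowed inbound range."""
    _, port = decode_hostport(pasv_reply)
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Both lines are copied from the client log quoted in this thread.
    for line in ("PORT 192,168,1,10,253,46",
                 "227 Entering Passive Mode (195,251,204,231,81,226)."):
        print(line, "->", decode_hostport(line))
    print(active_mode_problems("PORT 192,168,1,10,253,46"))
    print(passive_port_allowed("227 Entering Passive Mode (195,251,204,231,81,226)."))
```
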


Nikolaos Milas | 28 Apr 2012 15:50

Re: [Proftpd-user] Unable to build data connection

On 28/4/2012 1:09 PM, Nikolaos Milas wrote:

> When debugging (with DebugLevel 9) I noticed that the process goes 
> fine, then "freezes" temporarily at the following point:
>
> "Apr 28 01:05:11 ftp.noa.gr proftpd[3122] 195.251.204.231 (::ffff:109.178.2.46[::ffff:109.178.2.46]): dispatching CMD command 'STOR 0000286203_20120427200000.MIS' to mod_xfer"

For reference, I include the log of the whole session.

Also, iptables rules:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20:21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9097:9098 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 49152:65534 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20000:22000 -j ACCEPT

==================
Session Log
======================================================================================================
Apr 28 01:05:05 ftp.noa.gr proftpd[3122] 195.251.204.231 (::ffff:109.178.2.46[::ffff:109.178.2.46]): connected - local : ::ffff:195.251.204.231:9098
Apr 28 01:05:05 ftp.noa.gr proftpd[3122] 195.251.204.231 (::ffff:109.178.2.46[::ffff:109.178.2.46]): connected - remote : 