Resolved FTP EXPLICIT NOT WORKING

[Peter_R]

Hello
I have been Running Onyx Plesk 17 Web Admin Edition. LINUX (centos 7 x64)

Per plesk Instructions here it states "plesk supports explicit FTPS only"
https://support.plesk.com/hc/en-us/...secure-FTP-SFTP-or-FTPS-in-Plesk-for-Windows-

I followed instructions and also changed the settings to Use FTP Secured only in settings.

However i can not get it to work - see image it fails.

I enabled ports on ftp and port 21 is available
however i can not initiate the ftp explicit connection !

How can this be done ?

Please help me to get it working...

does it require passive ports as well ?

How is FTPS Explicit working ? i can not get it to work.

Thanks

 

[Bitpalast]

Please have a look at /var/log/messages and identify error messages when you try to login via FTP to find more details on why a login fails.

 

[Peter_R]

here is what shows in my log when i tried to log in 3 times

xx.xxx.xx.xxx = My External IP

Jan 23 11:35:23 servers systemd: Starting Session 5278 of user root.
Jan 23 11:36:19 servers xinetd[847]: START: ftp pid=58895 from=::ffff:xx.xxx.xx.xxx
Jan 23 11:36:19 servers proftpd[58895]: processing configuration directory '/etc/proftpd.d'
Jan 23 11:36:19 servers proftpd[58895]: 0.0.0.0 (xx.xxx.xx.xxx[xx.xxx.xx.xxx]) - FTP session opened.
Jan 23 11:36:20 servers drwebd.real: 127.0.0.1 [58900] /var/spool/drweb/spool/drweb.tmp.Eo2izt - archive MAIL
Jan 23 11:36:20 servers drwebd.real: 127.0.0.1 [58900] >/var/spool/drweb/spool/drweb.tmp.Eo2izt/1.part - Ok
Jan 23 11:36:20 servers drwebd.real: 127.0.0.1 [58900] /var/spool/drweb/spool/drweb.tmp.Eo2izt - Ok
Jan 23 11:37:33 servers xinetd[847]: START: ftp pid=58915 from=::ffff:xx.xxx.xx.xxx
Jan 23 11:37:33 servers proftpd[58915]: processing configuration directory '/etc/proftpd.d'
Jan 23 11:37:33 servers proftpd[58915]: 0.0.0.0 (xx.xxx.xx.xxx[xx.xxx.xx.xxx]) - FTP session opened.
Jan 23 11:37:33 servers drwebd.real: 127.0.0.1 [52123] /var/spool/drweb/spool/drweb.tmp.t4jGWE - archive MAIL
Jan 23 11:37:33 servers drwebd.real: 127.0.0.1 [52123] >/var/spool/drweb/spool/drweb.tmp.t4jGWE/1.part - Ok
Jan 23 11:37:33 servers drwebd.real: 127.0.0.1 [52123] /var/spool/drweb/spool/drweb.tmp.t4jGWE - Ok
Jan 23 11:37:56 servers xinetd[847]: START: ftp pid=58927 from=::ffff:xx.xxx.xx.xxx
Jan 23 11:37:56 servers proftpd[58927]: processing configuration directory '/etc/proftpd.d'
Jan 23 11:37:56 servers proftpd[58927]: 0.0.0.0 (xx.xxx.xx.xxx[xx.xxx.xx.xxx]) - FTP session opened.
Jan 23 11:37:56 servers drwebd.real: 127.0.0.1 [58900] /var/spool/drweb/spool/drweb.tmp.MT1on1 - archive MAIL
Jan 23 11:37:56 servers drwebd.real: 127.0.0.1 [58900] >/var/spool/drweb/spool/drweb.tmp.MT1on1/1.part - Ok
Jan 23 11:37:56 servers drwebd.real: 127.0.0.1 [58900] /var/spool/drweb/spool/drweb.tmp.MT1on1 - Ok

does that help ?

 

[Bitpalast]

No, not sufficient. Can you enable a more detailed log on your FTP client? In Filezilla for instance you can use Edit > Settings > Debug > choose "3" or "4", then try connection again and see why the connection is not getting established.

 

[Peter_R]

here is filezilla debug

ftp filezilla debug

12:17:37 Status: Resolving address of cwxservers.com
12:17:37 Status: Connecting to xx.xxx.xx.xxx:21...
12:17:37 Status: Connection established, waiting for welcome message...
12:17:37 Trace: CFtpControlSocket::OnReceive()
12:17:37 Response: 220 ProFTPD 1.3.5b Server (ProFTPD) [xx.xxx.xx.xxx]
12:17:37 Trace: CFtpControlSocket::SendNextCommand()
12:17:37 Command: AUTH TLS
12:17:37 Trace: CFtpControlSocket::OnReceive()
12:17:37 Response: 234 AUTH TLS successful
12:17:37 Status: Initializing TLS...
12:17:37 Trace: CTlsSocket::Handshake()
12:17:37 Trace: CTlsSocket::ContinueHandshake()
12:17:37 Trace: TLS handshake: About to send CLIENT HELLO
12:17:37 Trace: TLS handshake: Sent CLIENT HELLO
12:17:37 Trace: CTlsSocket::OnSend()
12:17:56 Trace: CTlsSocket::OnRead()
12:17:56 Trace: CTlsSocket::ContinueHandshake()
12:17:56 Trace: CTlsSocket::Failure(-54)
12:17:56 Trace: GnuTLS could not read from socket: ETIMEDOUT - Connection attempt timed out
12:17:56 Trace: CRealControlSocket::OnClose(60)
12:17:56 Trace: CControlSocket:oClose(64)
12:17:56 Trace: CFtpControlSocket::ResetOperation(66)
12:17:56 Trace: CControlSocket::ResetOperation(66)
12:17:56 Error: Could not connect to server
12:17:56 Trace: CFileZillaEnginePrivate::ResetOperation(66)
12:17:56 Status: Waiting to retry...
12:18:01 Trace: CControlSocket:oClose(64)
12:18:01 Trace: CControlSocket:oClose(64)

Question is there a Plesk Firewall LOG File? i would like to see if filezilla Firewall does not interfere
but Plesk KB only has Config location and Service start/stop for Plesk Firewall.. and do not show log location
There is No log on Plesk Firewall Activity ? i would like to check it too..

 

[Bitpalast]

There is no log. It is possible to add a ruleset to iptables to write a log temporarily, but it is probably much easier to deactivate the Plesk firewall module for a a few seconds and to test again with deactivated firewall. I suggest to do that instead of messing with iptables rules directly.

From the information so far and my background I must admit that I have absolutely no idea why the issue is happening as described. I think your guess at a firewall issue is the next likely thing that could be the cause, because for passive connections port 21 is used for negotiating authentication and commands, but data is sent through data ports above 1024. If you have a firewall activated, it is a good idea to add a "passive FTP" rule, because you will need that anyway if you use external FTP storage for Plesk backups. I'll attach a screenshot how such a rule looks like.



You will need an additional FTP configuration file, too. Create a text file in /etc/proftdd.d, name it however you like (but it should end on .conf, e.g. pasv.conf) with this content:

<Global>
PassivePorts 57000 59000
</Global>

 

[Peter_R]

Great Thanks i will look into /etc/proftdd.d and make the changes

i found that some of the problems are Related to my Office Hardware Firewall and just found out that outgoing ftp connections were dropped by IPS module on hardware firewall.
I added a port rule to allow traffic and now Finally i got Certificate Question popup in filezilla asking to accept connection, However ftp is timing out on file directory list..
I need to add passive ports as you instructed
so i will update that post when its done

 

[Peter_R]

Ok Problem solved
1 - my outgoing firewall was blocking connections on port 21
2 - added PassivePorts to FTP configuration /etc/proftdd.d - shouldn't that be done by Plesk by Default ?

seems to be working now so if anybody has issues please check all the firewalls first and allow passive ports too.