
I installed pureftpd on a VPS (OVH). I can list a small directory (by small I mean a directory with just some files), but if I try to list a big one containing maybe thousands of files, including directories, I get a "Failed to retrieve directory listing" error message from the FileZilla client when I click on the "ps" directory:

Command:    USER xxxxx
Response:   331 User xxxxx OK. Password required
Command:    PASS ************
Response:   230 OK. Current directory is /
Command:    OPTS UTF8 ON
Response:   200 OK, UTF-8 enabled
Status: Connected
Status: Retrieving directory listing...
Command:    CWD /ps
Response:   250 OK. Current directory is /ps
Command:    TYPE I
Response:   200 TYPE is now 8-bit binary
Command:    PASV
Response:   227 Entering Passive Mode (<my_vps_ip>,156,188)
Command:    MLSD
Response:   150 Accepted data connection
Response:   226-Options: -a -l 
Response:   226 33 matches total
Error:  Connection timed out
Error:  Failed to retrieve directory listing

From the command line I just get a never-ending wait:

ftp> cd ps
250 OK. Current directory is /ps
ftp> ls
200 PORT command successful
150 Connecting to port 38359

I added these rules to iptables on my server, since I read it could fix the problem:

root@vpsxxx:/var/www/html# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate RELATED,ESTABLISHED /* Allow ftp connections on port 20 */
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* Allow passive inbound connections */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate ESTABLISHED /* Allow ftp connections on port 20 */
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 ctstate RELATED,ESTABLISHED /* Allow passive inbound connections */

I added a fixed port range for passive mode in pureftpd:

root@xxx:/var/www/html# cat /etc/pure-ftpd/conf/PassivePortRange
40110 40210
root@xxx:/var/www/html# 

These are the permissions on the ps directory I'm trying to list:

drwxr-xr-x 25 root    root         4096 May  9 08:29 ps

This is the iptables on my client OS (Debian 8):

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

It looks like everything I tried is useless and has no effect. I tried to analyse the traffic with Wireshark, and it looks like I get part of my directory listing in an FTP-DATA protocol packet, but then something goes wrong and I don't know what...

Just noticed I had the same problem with proftpd. I thought it would work better with pureftpd, but no :)

Rui F Ribeiro
Laurent
  • Can you download a small file (less than 1KB)? Can you download a large file (more than 2KB)? – roaima May 09 '17 at 08:13
  • What OS are you running on your client? – roaima May 09 '17 at 08:16
  • I can download a small file of 96KB, it works. I tried with a 21MB one and got: "Error: Connection timed out" and "Error: File transfer failed" – Laurent May 09 '17 at 08:19
  • My OS is Debian Jessie, client and server – Laurent May 09 '17 at 08:19
  • How long does it take to list the directory locally with `ls -al` (`time ls -al > /dev/null`)? If it takes a very long time this could point to a timeout, if it is only large, it may be the data size. – Ned64 May 09 '17 at 08:52
  • It says `real 0m0.003s` . It's the root directory of Prestashop cms. – Laurent May 09 '17 at 09:00
  • I thought maybe it could be a firewall problem, maybe the server opens more connections to handle larger files? But for me everything looks OK on this point, but since I'm far from being an expert... – Laurent May 09 '17 at 09:15
  • Have you checked `dmesg` output (or better something like `dmesg | grep -i firewall | tail -20`) for firewall blockages right after you tried to make the connection? Also, do you use AppArmor or other features that may keep `pureftp` from doing what it should (again, check `dmesg` or any log file -- see `ls -ltr /var/log` for candidate files). – Ned64 May 09 '17 at 22:08
  • No, I didn't try that yet. I just found out that it's a local problem. I tried to download Linux ISOs from several official FTP servers, and I have the same problem... I just realized my internet box was changed quite recently. I didn't configure anything to download from FTP on all the boxes I had before; looks like I have to do something on this one... I guess, maybe open ports 20 and 21. – Laurent May 09 '17 at 23:49
  • OK, I'll turn that into a more readable answer... – Ned64 May 10 '17 at 18:27
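A quick way to check the passive-mode details in the question's log, as an added example that is not part of the original post: it decodes the data port from a `227` reply (port = p1*256 + p2, per RFC 959) and checks it against the `PassivePortRange` file content, and goes slightly beyond the post by also comparing the advertised address with the control-connection address. The IP `203.0.113.10` stands in for the redacted `<my_vps_ip>`, and the second reply in the sample is constructed to show a failing case.

```python
import re

# Matches the six comma-separated numbers inside a 227 reply.
PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def parse_port_range(text):
    """Parse the content of pure-ftpd's PassivePortRange file: 'low high'."""
    low, high = (int(x) for x in text.split())
    if not 1024 <= low <= high <= 65535:
        raise ValueError("invalid passive port range: %r" % text)
    return low, high

def check_session(log_lines, control_ip, range_text):
    """Return (ip, port, issues) for every 227 reply found in a client log."""
    low, high = parse_port_range(range_text)
    findings = []
    for line in log_lines:
        if not PASV_RE.search(line):
            continue
        ip, port = parse_pasv(line)
        issues = []
        if not low <= port <= high:
            issues.append("port outside PassivePortRange")
        if ip != control_ip:
            issues.append("advertised IP differs from control connection")
        findings.append((ip, port, issues))
    return findings

# Constructed sample: first reply mirrors the question's log (156,188),
# second is a made-up reply that fails both checks.
SAMPLE_LOG = [
    "Command:    PASV",
    "Response:   227 Entering Passive Mode (203,0,113,10,156,188)",
    "Command:    PASV",
    "Response:   227 Entering Passive Mode (10,0,0,5,195,80)",
]

if __name__ == "__main__":
    for ip, port, issues in check_session(SAMPLE_LOG, "203.0.113.10", "40110 40210"):
        print(ip, port, "; ".join(issues) or "OK")
```

For the reply in the question, the decoded port is 40124, which lies inside the configured 40110–40210 range, so that range is what any firewall or router between client and server has to let through for the data connection.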

1 Answer


According to your problem description, including your comments, your firewall (iptables) blocks connections from/to TCP ports 20 and 21. You need these even if you use passive ftp (incoming 21 is apparently already open).

In order to find out more, please search the logs for firewall blocks, e.g. with

dmesg | grep -i firewall | tail -40

right after you have tried - and failed - to download the file.

Additionally, AppArmor or other security features could also prevent your pureftpd process from serving those files. So, if the above does not show port blocks that can be unblocked to solve the problem, also see your log files (try `ls -ltr /var/log` for candidate log files to examine, in addition to `dmesg` output without greps).

Ned64
  • The problem was not in iptables. I actually don't have the problem anymore, for now and for several months, since I changed flats and don't use the same internet box (router) anymore. The problem was really in my local router configuration. Anyway, I won't have a chance to try again with the same connection equipment for 3 months... – Laurent May 20 '17 at 07:50