FTP connection LIST timeout for certain users after changing tcp port number

To discourage some of attackers, I changed the ProfFTPD config to use another port (someting around 20000.
I changed the firewall accordingly, and this seemed to work for me and other users but one.
This unlucky guy tried to connect using 3 different internet access providers and 2 different computers with no success.
The login is accepted, but th list command times out. Using passive mode does not help.

Any help would be appreciated.

Passive mode should help if you specify the “PASV port range” in ProFTPD’s configuration (Webmin -> Servers -> ProFTPD Server -> Virtual Servers Default Server -> Networking Options), and open the respective ports in your firewall. Active mode will not work if the client is behind a router.

I tried that, but it does not help. This user still cannot use FTP with another port than 21.
Anything else to look at?


Please explain “cannot use FTP”, what exactly happens? Is the data connection still timing out?

If the user has his FTP client configured to use passive mode, and you’re sure that you e.g. configured passive mode port range to 20001-20019, and also opened these ports in the firewall, it should work. Note though that, if you have Virtualmin installed, Usermin is also using port 20000!

I can’t really guess what else could be wrong without more details. So I’d need more information (e.g. protocol transcripts, possibly tcpdump/Wireshark captures).

To test it myself, I’d need to know the IP address and login details.

I have asked the person to send me more info, I also have set up another FTP account for him on the same virtual server - who knows?

I have configurer the passive port range to 50000-50009
Of course, I did not use the Usermin port 20000 - something around not to reveal this port number publicly.

I can send you the login info if you give me your email address

Thank you very much for your responsive help

Okay, you can contact me under ********** (removed to prevent spam)!

I just tried connecting with the login data you provided via email.

I can confirm the problems your one user is having: While login (i.e. connection to the control port) is okay, Passive Mode (i.e. user connects to the server) fails to connect the data port.

The PASV command is returning the correct information - your server’s IP address and a port in the 50000-50009 range. But the connect fails. So my assumption still is that you do not have this port range properly forwarded/opened in a firewall/router before or on your server.

The fact that you and other users don’t have problems is probably due to you using Active Mode (server connects to the user), which works if your home router has support for that. But passive mode is clearly not working on your server.

It is possible that it worked when you had FTP on port 21if you have an FTP kernel support module loaded. That module will monitor traffic on port 21 and open the required ports automatically. But if you move FTP to another port, you need to open the respective ports manually in any firewalls.

I never care about passive mode before… While setting port 5000-5009, I should really had to think about the firewall!

I did it. TCP_IN, TCP_OUT, UDP_IN, UDP_OUT not sure all are needed though.
I’ll ask the guy if it gets better

Passive mode is required if the client is behind a router (most home connections are) and the router does not have explicit FTP support.

I mentioned the firewall in my first post. :wink:

Data connection on your server works now; the LIST command succeeded.

Yes, it works now!
I should have read more carefully :frowning:

Many thanks

Okidoki, and you’re welcome!