FTP errors

Every site on the server has issues when I FTP… there is a login delay when I try to open the connection.

I think the issue has to do with "PASV failed", but I’m not sure how to fix it… my log:

[code:1]
*** CuteFTP 8.0 - build Aug 22 2006 ***

STATUS:> [12/21/2007 7:11:42 AM] Getting listing ""...
STATUS:> [12/21/2007 7:11:43 AM] Connecting to FTP server... 111.111.111.111:21 (ip = 111.111.111.111)...
STATUS:> [12/21/2007 7:11:44 AM] Socket connected. Waiting for welcome message...
[12/21/2007 7:11:44 AM] 220 FTP Server ready.
STATUS:> [12/21/2007 7:11:44 AM] Connected. Authenticating...
COMMAND:> [12/21/2007 7:11:45 AM] USER user_name
[12/21/2007 7:11:45 AM] 331 Password required for user_name.
COMMAND:> [12/21/2007 7:11:45 AM] PASS *****
[12/21/2007 7:11:45 AM] 230 User user_name logged in.
STATUS:> [12/21/2007 7:11:45 AM] Login successful.
COMMAND:> [12/21/2007 7:11:45 AM] PWD
[12/21/2007 7:11:45 AM] 257 "/" is current directory.
STATUS:> [12/21/2007 7:11:45 AM] Home directory: /
COMMAND:> [12/21/2007 7:11:45 AM] FEAT
[12/21/2007 7:11:45 AM] Informational Message Only:
211-Features:
MDTM
REST STREAM
SIZE
211 End
STATUS:> [12/21/2007 7:11:45 AM] This site supports features.
STATUS:> [12/21/2007 7:11:45 AM] This site supports SIZE.
STATUS:> [12/21/2007 7:11:45 AM] This site can resume broken downloads.
COMMAND:> [12/21/2007 7:11:46 AM] REST 0
[12/21/2007 7:11:46 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
COMMAND:> [12/21/2007 7:11:46 AM] PASV
[12/21/2007 7:11:46 AM] 227 Entering Passive Mode (207,190,241,114,93,235).
COMMAND:> [12/21/2007 7:11:46 AM] LIST
STATUS:> [12/21/2007 7:11:46 AM] Connecting FTP data socket... 111.111.111.111:24043...
ERROR:> [12/21/2007 7:12:07 AM] Can't connect to remote server. Socket error = #10065.
ERROR:> [12/21/2007 7:12:07 AM] PASV failed, trying PORT.
STATUS:> [12/21/2007 7:12:07 AM] Waiting 0 seconds...
STATUS:> [12/21/2007 7:12:07 AM] Getting listing "/"...
STATUS:> [12/21/2007 7:12:07 AM] Connecting to FTP server... 111.111.111.111:21 (ip = 111.111.111.111)...
STATUS:> [12/21/2007 7:12:07 AM] Socket connected. Waiting for welcome message...
[12/21/2007 7:12:07 AM] 220 FTP Server ready.
STATUS:> [12/21/2007 7:12:08 AM] Connected. Authenticating...
COMMAND:> [12/21/2007 7:12:08 AM] USER user_name
[12/21/2007 7:12:08 AM] 331 Password required for user_name.
COMMAND:> [12/21/2007 7:12:08 AM] PASS *****
[12/21/2007 7:12:08 AM] 230 User user_name logged in.
STATUS:> [12/21/2007 7:12:08 AM] Login successful.
COMMAND:> [12/21/2007 7:12:08 AM] PWD
[12/21/2007 7:12:08 AM] 257 "/" is current directory.
STATUS:> [12/21/2007 7:12:08 AM] Home directory: /
STATUS:> [12/21/2007 7:12:08 AM] This site supports features.
STATUS:> [12/21/2007 7:12:08 AM] This site supports SIZE.
STATUS:> [12/21/2007 7:12:08 AM] This site can resume broken downloads.
COMMAND:> [12/21/2007 7:12:08 AM] REST 0
[12/21/2007 7:12:08 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
COMMAND:> [12/21/2007 7:12:08 AM] PORT 111,111,111,111,15,173
[12/21/2007 7:12:08 AM] 200 PORT command successful
COMMAND:> [12/21/2007 7:12:08 AM] LIST
[12/21/2007 7:12:08 AM] 150 Opening ASCII mode data connection for file list
[12/21/2007 7:12:09 AM] 226 Transfer complete.
STATUS:> [12/21/2007 7:12:10 AM] Directory listing completed.
[/code:1]

How can I fix "PASV failed" at the server level?

Anytime you see slow logins, it’s almost certainly DNS. The PASV thing might be an issue, but I bet it isn’t.

Try turning off IdentLookups and UseReverseDNS in proftpd.conf, and restarting ProFTPd.

I changed this to ON and restarted the service:

[code:1]
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS ON
[/code:1]

and I still have this error:

[code:1]
COMMAND:> [12/22/2007 7:54:39 AM] REST 0
[12/22/2007 7:54:39 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
COMMAND:> [12/22/2007 7:54:39 AM] PASV
[12/22/2007 7:54:39 AM] 227 Entering Passive Mode (111,111,111,111,111,111).
COMMAND:> [12/22/2007 7:54:39 AM] LIST
STATUS:> [12/22/2007 7:54:39 AM] Connecting FTP data socket... 111.111.111.111:35957...
ERROR:> [12/22/2007 7:55:00 AM] Can't connect to remote server. Socket error = #10065.
ERROR:> [12/22/2007 7:55:00 AM] PASV failed, trying PORT.
STATUS:> [12/22/2007 7:55:00 AM] Waiting 0 seconds...
STATUS:> [12/22/2007 7:55:00 AM] Getting listing "/"...
STATUS:> [12/22/2007 7:55:00 AM] Connecting to FTP server... 111.111.111.111:21 (ip = 111.111.111.111)...
STATUS:> [12/22/2007 7:55:00 AM] Socket connected. Waiting for welcome message...
[12/22/2007 7:55:01 AM] 220 FTP Server ready.
STATUS:> [12/22/2007 7:55:01 AM] Connected. Authenticating...
[/code:1]

Anyone???

Why would you turn ReverseDNS on, when I suggested turning it OFF? I just wanted to make sure you weren’t waiting on DNS timeouts before embarking on more complicated procedures. :wink:

To get rid of the PASV errors, you’ll want to open up the high ports on your server…you may still have problems, if there is a firewall or a poorly behaved NAT device between the client and server.

I usually just open all high ports, but you may prefer something like the default rule on Red Hat systems that allows "RELATED" connections.

My iptables rules include opening all high ports:

[code:1]
iptables -I INPUT -p tcp --dport 1024:65535 -j ACCEPT
[/code:1]

Or, if you prefer to make it open only for related connections:

[code:1]
iptables -I INPUT -p tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
[/code:1]

Actually, I use a rule like that for all ports:

[code:1]
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[/code:1]

Remember to save your changes, once you’ve got a rule set you like, which can usually be done with:

[code:1]
iptables-save
[/code:1]

SUSE is a notable exception to this…and Debian/Ubuntu use a variety of iptables configuration files, and I’m not entirely sure how to use them…they aren’t very well documented. Red Hat based systems can always use “service iptables save” and the right thing will happen, no matter what version you’re using (as long as you aren’t using some non-standard firewall scripts).

You can, of course, add rules like this in the Webmin Linux Firewall module. It makes getting the syntax right a lot easier, and also generally knows the right way to save stuff to your iptables configuration file(s), including on Debian/Ubuntu, where it is quite intimidating to figure out…but it’s harder to describe in a forum post.
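As an added example (not code from this thread), here is a small POSIX sh check that decodes a `227 Entering Passive Mode` reply the way the client does and reports whether the advertised data port falls inside the range the iptables rule above opens; it assumes only `sed` is available and uses the 227 reply from the first log in this thread as its sample input.

```shell
# Added example, not from the thread: decode a "227 Entering Passive Mode" reply
# and check that the advertised data port lies in the range the firewall opens.
# Assumes a POSIX sh with sed; the sample reply at the bottom is the one from the log.

# Print "host port" for a PASV reply; the port is p1*256 + p2 (RFC 959).
pasv_decode() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\)).*/\1/p')
    [ -n "$nums" ] || return 1          # not a well-formed 227 reply
    oldifs=$IFS; IFS=,; set -- $nums; IFS=$oldifs
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Return 0 when PORT is inside LO:HI; the defaults match the 1024:65535 iptables rule.
port_allowed() {
    port=$1; lo=${2:-1024}; hi=${3:-65535}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# Combine both: print a verdict for a reply line and an optional LO HI range.
pasv_check() {
    decoded=$(pasv_decode "$1") || { echo "malformed PASV reply"; return 2; }
    host=${decoded% *}; port=${decoded#* }
    if port_allowed "$port" "$2" "$3"; then
        echo "data connection to $host:$port is within the open range"
    else
        echo "data connection to $host:$port is OUTSIDE the open range"; return 1
    fi
}

# Sample reply taken from the CuteFTP log earlier in this thread (93*256+235 = 24043).
pasv_check "227 Entering Passive Mode (207,190,241,114,93,235)."
```

If the server is later pinned to a fixed passive range (ProFTPD's PassivePorts directive), pass that range as the second and third arguments so the firewall rule and the advertised ports can be checked against each other.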

This is my config file; as you can see, lookups are off already:

[code:1]
# This is the ProFTPD configuration file
#
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off

# Use this to exclude users from the chroot
DefaultRoot ~ !adm

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# Default to show dot files in directory listings
ListOptions "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228 off
#RootLogin off
#LoginPasswordPrompt on
#MaxLoginAttempts 3
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile no

# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score

# Normally, we want users to do a few things.
<Global>
  AllowOverwrite yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
[/code:1]