The data connection could not be established: EHOSTUNREACH - No route to host

SYSTEM INFORMATION
OS type and version: CentOS Linux 7.9.2009
Webmin version: 1.981
Virtualmin version: 6.17
Related products version: Apache 2.4.6
Related products version: ProFTPD 1.35

Hello and sorry if this is obvious, but I was not able to make ftp to work properly.

  1. I created a user with virtualmin with FTP access, the user is not an administrator, he will upload files to /public_html/

  2. Testing the user with Filezilla gives me the error:

The data connection could not be established: EHOSTUNREACH - No route to host

Searching forum for EHOSTUNREACH gives only this topic with no viable solution: FTP not working after upgrade [SOLVED]

  1. Checked firewall rules and they are fine

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

  1. Tested with:

telnet mydomain.com 21
Trying ServerIP
Connected to mydomain.com.
Escape character is ‘^]’.
220 FTP Server ready.
quit
221 Goodbye.
Connection closed by foreign host.

  1. Tested with Konqueror I get connected and I see a blank page, then I uploaded a test.html and a test.php files and I got:

could not write the file Server said “”

  1. Checked with Virtualmin filemanager and found in:
    home/mydomain/homes/user/
    test.php
    test.html
    both files with 0 bytes (empty)

  2. I changed permissions to 0775 for directory
    home/mydomain/homes/user/
    And same problem, it creates empty files.

  3. I need the user to have access to home/mydomain/public_html/ directory not home/mydomain/homes/user/

  4. This is the contents of: etc/proftpd.conf

#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Security-Enhanced Linux (SELinux) Notes:
#
# In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux
# in order to mitigate the effects of an attacker taking advantage of an
# unpatched vulnerability and getting control of the ftp server. By default,
# ProFTPD cannot read or write most files on a system nor connect to many
# external network services, but these restrictions can be relaxed by
# setting SELinux booleans as follows:
#
# setsebool -P allow_ftpd_anon_write=1
#   This allows the ftp daemon to write to files and directories labelled
#   with the public_content_rw_t context type; the daemon would only have
#   read access to these files normally. Files to be made available by ftp
#   but not writeable should be labelled public_content_t.
#
# setsebool -P allow_ftpd_full_access=1
#   This allows the ftp daemon to read and write all files on the system.
#
# setsebool -P allow_ftpd_use_cifs=1
#   This allows the ftp daemon to read and write files on CIFS-mounted
#   filesystems.
#
# setsebool -P allow_ftpd_use_nfs=1
#   This allows the ftp daemon to read and write files on NFS-mounted
#   filesystems.
#
# setsebool -P ftp_home_dir=1
#   This allows the ftp daemon to read and write files in users' home
#   directories.
#
# setsebool -P ftpd_connect_all_unreserved=1
#   This setting is only available from Fedora 16/RHEL-7 onwards, and is
#   necessary for active-mode ftp transfers to work reliably with non-Linux
#   clients (see http://bugzilla.redhat.com/782177), which may choose to
#   use port numbers outside the "ephemeral port" range of 32768-61000.
#
# setsebool -P ftpd_connect_db=1
#   This setting allows the ftp daemon to connect to commonly-used database
#   ports over the network, which is necessary if you are using a database
#   back-end for user authentication, etc.
#
# setsebool -P ftpd_is_daemon=1
#   This setting is available only in Fedora releases 4 to 6 and Red Hat
#   Enterprise Linux 5. It should be set if ProFTPD is running in standalone
#   mode, and unset if running in inetd mode.
#
# setsebool -P ftpd_disable_trans=1
#   This setting is available only in Fedora releases 4 to 6 and Red Hat
#   Enterprise Linux 5, and when set it removes the SELinux confinement of the
#   ftp daemon. Needless to say, its use is not recommended.
#
# All of these booleans are unset by default.
#
# See also the "ftpd_selinux" manpage.
#
# Note that the "-P" option to setsebool makes the setting permanent, i.e.
# it will still be in effect after a reboot; without the "-P" option, the
# effect only lasts until the next reboot.
#
# Restrictions imposed by SELinux are on top of those imposed by ordinary
# file ownership and access permissions; in normal operation, the ftp daemon
# will not be able to read and/or write a file unless *all* of the ownership,
# permission and SELinux restrictions allow it.

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

# Trace logging, disabled by default for performance reasons
# (http://www.proftpd.org/docs/howto/Tracing.html)
#TraceLog			/var/log/proftpd/trace.log
#Trace				DEFAULT:0

ServerName			"ProFTPD server"
ServerIdent			on "FTP Server ready."
ServerAdmin			root@localhost
DefaultServer			on

# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot			~ !adm

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig			proftpd
AuthOrder			mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd		off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS			off

# Set the user and group that the server runs as
User				nobody
Group				nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile			off

# Define the log formats
LogFormat			default	"%h %l %u %t \"%r\" %s %b"
LogFormat			auth	"%v [%P] %h %t \"%r\" %s"

# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
#   LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
#   LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
#   LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
#   LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
#   LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
#   LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
#   LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
#   LoadModule mod_quotatab_radius.c
#
# SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be
# used to copy files/directories from one place to another on the server
# without having to transfer the data to the client and back
# (http://www.castaglia.org/proftpd/modules/mod_copy.html)
#   LoadModule mod_copy.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
LoadModule mod_ctrls_admin.c
#
# Support for MODE Z commands, which allows FTP clients and servers to
# compress data for transfer
# (http://www.castaglia.org/proftpd/modules/mod_deflate.html)
#   LoadModule mod_deflate.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
#   LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
#   LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
#   LoadModule mod_geoip.c
#
# Allow for version-specific configuration sections of the proftpd config file,
# useful for using the same proftpd config across multiple servers where
# different proftpd versions may be in use
# (http://www.castaglia.org/proftpd/modules/mod_ifversion.html)
#   LoadModule mod_ifversion.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
#   LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
#   LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution 
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
#   LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
#   LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
#   LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
#   LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
#   LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
#   LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
#   LoadModule mod_tls_shmcache.c
#
# Provide a memcached-based implementation of an external SSL session cache
# (contrib/mod_tls_memcache.html)
#   LoadModule mod_tls_memcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
#   LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
#   LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
#   LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
#   LoadModule mod_wrap2_sql.c
#
# Implement a virtual chroot capability that does not require root privileges
# (http://www.castaglia.org/proftpd/modules/mod_vroot.html)
# Using this module rather than the kernel's chroot() system call works
# around issues with PAM and chroot (http://bugzilla.redhat.com/506735)
LoadModule mod_vroot.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
#   LoadModule mod_ifsession.c

# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded
# (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs)
ModuleControlsACLs		insmod,rmmod allow user root
ModuleControlsACLs		lsmod allow user *

# Enable basic controls via ftpdctl
# (http://www.proftpd.org/docs/modules/mod_ctrls.html)
ControlsEngine			on
ControlsACLs			all allow user root
ControlsSocketACL		allow user *
ControlsLog			/var/log/proftpd/controls.log

# Enable admin controls via ftpdctl
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine		on
  AdminControlsACLs		all allow user root
</IfModule>

# Enable mod_vroot by default for better compatibility with PAM
# (http://bugzilla.redhat.com/506735)
<IfModule mod_vroot.c>
  VRootEngine			on
</IfModule>

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
  TLSEngine			on
  TLSRequired			on
  TLSRSACertificateFile		/etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile	/etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite		ALL:!ADH:!DES
  TLSOptions			NoCertRequest
  TLSVerifyClient		off
  #TLSRenegotiate		ctrl 3600 data 512000 required off timeout 300
  TLSLog			/var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache		shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule			mod_ban.c
  BanEngine			on
  BanLog			/var/log/proftpd/ban.log
  BanTable			/var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent			MaxLoginAttempts 2/00:10:00 01:00:00

  # Inform the user that it's not worth persisting
  BanMessage			"Host %a has been banned"

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs		all allow user ftpadm
</IfDefine>

# Set networking-specific "Quality of Service" (QoS) bits on the packets used
# by the server (contrib/mod_qos.html)
<IfDefine QOS>
  LoadModule			mod_qos.c
  # RFC791 TOS parameter compatibility
  QoSOptions			dataqos throughput ctrlqos lowdelay
  # For a DSCP environment (may require tweaking)
  #QoSOptions			dataqos CS2 ctrlqos AF41
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask				022

  # Allow users to overwrite files and change permissions
  AllowOverwrite		yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
MaxLoginAttempts 100
DefaultRoot /home/mydomain mydomain

</Global>

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
  <Anonymous ~ftp>
    User			ftp
    Group			ftp
    AccessGrantMsg		"Anonymous login ok, restrictions apply."

    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias			anonymous ftp

    # Limit the maximum number of anonymous logins
    MaxClients			10 "Sorry, max %m users -- try again later"

    # Put the user into /pub right after login
    #DefaultChdir		/pub

    # We want 'welcome.msg' displayed at login, '.message' displayed in
    # each newly chdired directory and tell users to read README* files. 
    DisplayLogin		/welcome.msg
    DisplayChdir		.message
    DisplayReadme		README*

    # Cosmetic option to make all files appear to be owned by user "ftp"
    DirFakeUser			on ftp
    DirFakeGroup		on ftp

    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    # An upload directory that allows storing files but not retrieving
    # or creating directories.
    #
    # Directory specification is slightly different if mod_vroot is in
    # use: see http://sourceforge.net/p/proftp/mailman/message/31728570/
    #          https://bugzilla.redhat.com/show_bug.cgi?id=1045922
    <IfModule mod_vroot.c>
      <Directory /uploads/*>
        AllowOverwrite		no
        <Limit READ>
          DenyAll
        </Limit>
  
        <Limit STOR>
          AllowAll
        </Limit>
      </Directory>
    </IfModule>
    <IfModule !mod_vroot.c>
      <Directory uploads/*>
        AllowOverwrite		no
        <Limit READ>
          DenyAll
        </Limit>
  
        <Limit STOR>
          AllowAll
        </Limit>
      </Directory>
    </IfModule>

    # Don't write anonymous accesses to the system wtmp file (good idea!)
    WtmpLog			off

    # Logging for the anonymous transfers
    ExtendedLog			/var/log/proftpd/access.log WRITE,READ default
    ExtendedLog			/var/log/proftpd/auth.log AUTH auth

  </Anonymous>
</IfDefine>


#LoadModule mod_sftp.c
#TLSRSACertificateFile /etc/proftpd.cert
#TLSRSACertificateKeyFile /etc/proftpd.key
#TLSCACertificateFile /etc/proftpd.ca
#TLSEngine on
#<IfModule mod_sftp.c>

#    SFTPEngine on
#    Port 2222
#    SFTPLog /var/log/proftpd/sftp.log

    # SFTPHostKey /etc/ssh/ssh_host_rsa_key
    # SFTPHostKey /etc/ssh/ssh_host_dsa_key

<VirtualHost IP>
ServerName otherdomain.com
<Anonymous /home/otherdomain/ftp>
User ftp
Group ftp
UserAlias anonymous ftp
<Limit WRITE>
DenyAll
</Limit>
RequireValidShell off
ExtendedLog /home/otherdomain/logs/ftp.log
</Anonymous>
</VirtualHost>

What am I doing wrong? I appreciate a lot your help
Thanks and regards

Other ftp accounts work OK?. Has it ever worked? Could be active/passive mode.

Thanks for your answer @Whoops
There is only one additional FTP account and this is what Filezilla shows:

Status: Flat FTP is insecure. Please change an FTP over TLS.
Command: USER otherdomain
Answer: 331 Password required for otherdomain
Command: PASS ***********
Response: 530 Bad login.
Error: Critical Error: Could not connect to the server

Sorry, I did not make tests for otherdomain, anyone uses FTP in the VPS except mydomain account. I do not want to touch otherdomain because it has a website done with a complex script that I am not familiar with that.

Is there anything else that I can try?
Thanks and regards

For this domain, has ssl been enabled and lets encrypt issued a certificate?

In your FileZilla using Site Manager. The entry you have for the server account, there are several tabs on the right General, Advanced, Transfer Settings and Charset.

In General:
Protocol: FTP - File Transfer Protocol
Host: your own server port leave blank
Encryption: Use explicit FTP over TLS if available
Logon type: Normal
User: your username
Password: your password

In Advanced:
Leave default

In Transfer Settings:
Transfer mode: Default

Can you try above?

1 Like

Also when you create a user. Avoid manually set permission(s) as system will do that for you. Can delete the user you created. Re-create account and try above to connect.

1 Like

Thanks a lot @Whoops I will try with the self signed certificate that Virtuamin provides. I will let you know.
Regards

Hello, @Whoops, I did:
1.- Created Lets’ Encrypt SSL Certificate for:

mydomain.com
www.mydomain.com

2.- Edit Virtual Server > SSL Website enabled marked ✓

3.- Deleted user, created user again, not touched permissions

4.- Restarted Apache and ProFTPD

5.- Connection attempt using all the standard Filezilla setting you propose, but I got same error:


|Comand:|PWD|
|---|---|
|Response:|257 / is the current directory|
|Comand:|TYPE I|
|Response:|200 Type set to I|
|Comand:|PASV|
|Response:|227 Entering Passive Mode (45,15,168,196,160,88).|
|Comand:|MLSD|
The data connection could not be established: EHOSTUNREACH - No route to host

5.1 The same result as before with Konqueror, the 2 test file names are created but both are empty in the homes/user directory

6.- I checked: Server configuration > Manage SSL Certificate and noticed:

Used by services: Webmin (mydomain.com), Usermin (host mydomain.com), Dovecot (guest mydomain.com)

I do not see ProFTPD, I do not know if this is fine or not.

What else do I have to check?
Thanks and regards

Did you try IP address, use ftp and not sftp to test. Did you try with active mode mode to test?. It does say no route to host. Did you make any changes to the Virtualmin system manually, permission changes or moving directories? Do you have both ipv4 and ipv6 enabled, disable ipv6 to test. Is there another firewall between your server and outside? Sometimes with VPS’s, there is a central firewall in place in addition to local. Can you connect to ftp using from command line/shell.

1 Like

In Transfer Settings:
Transfer mode: Active

I had to disable temporarily my Desktop Firewall and it worked!

As a note, the user has to be create with the option on the upper right hand corner of Virtualmin > Edit User: Add a website FTP access user
https://archive.virtualmin.com/comment/786334#comment-786334
Add a website FTP access user

The key points were:

  1. Installation of Lets’ Encrypt certificate
  2. Create the user using Add a website FTP access user not using the “Add a user to this server” button
  3. Transfer mode: Active
  4. Set the local computer firewall to accept incoming connections for FTP

Thank you for your kind help and patience @Whoops :handshake:
Best regards
joejac

Glad it’s working for you. Yes, sometimes troubleshooting can take time - but you got there which is the main thing.

Thanks to your advice @Whoops I was able to connect, transfer and delete files. But I get the message “Not secure server, does not support FTP over TLS” despite I have a Let’s Encrypt certificate successfully installed. I still have to find why I do not get a secure connection over FTP, the website URL shows a valid and secure certificate. Regards.

Make sure that main primary domain has SSL certificate. Self generated or Lets Encrypt. Under the primary domain → server configuration → SSL Certificate. Check ‘Current Certificate’ tab, if default it will say ‘used by services’ webmin, usermin etc. That is OK and what we want.

If its not default click on ‘set as default services certificate’ . It will enable SSL certificate as the default for Webmin, Usermin, Dovecot, Postfix and ProFTPD.

Your other domain with lets encrypt will be fine as is for now. When filezilla connects, it will ask you to accept the certificate of primary domain.

When you connect using IP address of server versus domain.com does it make any difference?