Virtualmin FTP backup ports - not port 21?

SYSTEM INFORMATION
OS type and version Rocky Linux 8.10
Webmin version 2.111
Usermin version 2.010
Virtualmin version 7.10.0
Theme version 21.10

I keep getting reports of connection refused when the scheduled backup is set up to copy the backup to another server - and it looks like this might be because the firewall is blocking those ports. But, it appears Virtualmin is using different ports.

Here are the ports it is trying to connect to from a single email report (where it is trying to back up 8 domains):

  Uploading archive to FTP server myusername.mybackupserver.com...
   .. upload failed! Failed to connect to my.ip.add.ress:58591 : Connection refused
:57662 : Connection refused
:63880 : Connection refused
:52249 : Connection refused
:61259 : Connection refused
:53369 : Connection refused
:50365 : Connection refused
:62127 : Connection refused

Should this be happening? Am I missing something?

Is this Virtualmin Backup and Restore?

Can you connect to myusername.mybackupserver.com with a client like filezilla?

I can sftp (and lftp) to the backup server from the main server without issue, Stefan.

Should Virtualmin be using random ports like those in the post above? I only have certain ports open in the firewall…

That indicates passive FTP, and you’re blocking those ports on the client (the Virtualmin system). You need to open the passive FTP range of ports.

Or stop using FTP. ssh/scp is superior in all regards.

What are the passive FTP ports, Joe? And can I restrict them so I don’t have to open so many via the firewall?

EDIT: Found it: Webmin > Networking Options > PASV port range

This doesn’t seem to work - I set the port range to 50000 to 50001, and stopped and started proFTP via Webmin, but the Virtualmin backup is still trying to use port :63751

That’s only two ports (50000 and 50001). You need any port that might be used for the connection. It can be pretty much any port in that very high range (so, maybe 50000 to 65535).

You can probably also add a rule for established and related connections without having to specify a port, if you load the nf_conntrack_ftp module. linux - Appropriate iptables rules for an FTP server in active \ passive mode - Stack Overflow

I haven’t used FTP in 20 years, at least, so I’m not an expert on this. (And, I continue to recommend you use ssh/scp. It’s simpler and historically more secure.)

Thanks Joe, I ended up adding ports 49152 to 65534 to tcp out and it all seems to be working fine now.
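Added example, not part of the thread: in passive mode the FTP server picks the data port and announces it in its 227 (or 229) reply, so the Virtualmin side's outbound rule has to cover the backup server's passive range. The sketch below decodes such a reply and checks the refused ports from the report above against a candidate outbound range; the two replies, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re

# Constructed control-channel replies (192.0.2.10 is a documentation address).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,228,223)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||57662|)"

# Failure lines as quoted in the backup report above, address placeholder kept.
REPORT = """\
.. upload failed! Failed to connect to my.ip.add.ress:58591 : Connection refused
:57662 : Connection refused
:63880 : Connection refused
:52249 : Connection refused
:61259 : Connection refused
:53369 : Connection refused
:50365 : Connection refused
:62127 : Connection refused
"""

def data_port(reply):
    """Port the FTP server told the client to dial for the data connection."""
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            raise ValueError("port octet out of range: " + reply)
        return p1 * 256 + p2  # high byte, low byte
    m = re.match(r"229 .*\(\|\|\|(\d+)\|\)", reply)
    if m:
        return int(m.group(1))
    raise ValueError("not a 227/229 passive reply: " + reply)

def refused_ports(report):
    """Destination ports of every refused data connection in a report."""
    return [int(p) for p in re.findall(r":(\d{1,5}) : Connection refused", report)]

def not_allowed(ports, egress_ranges):
    """Ports that fall outside every inclusive (low, high) outbound range."""
    return [p for p in ports
            if not any(lo <= p <= hi for lo, hi in egress_ranges)]

if __name__ == "__main__":
    ports = refused_ports(REPORT)
    print("data port from 227 reply:", data_port(PASV_REPLY))
    print("refused:", min(ports), "to", max(ports))
    print("blocked with 50000-50001:", not_allowed(ports, [(50000, 50001)]))
    print("blocked with 49152-65534:", not_allowed(ports, [(49152, 65534)]))
```

Running the same check over several reports shows the range the backup server actually uses, which is the narrowest outbound range worth opening.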
