Problem accessing through FTPS/FTPES

Postby danidrach » Thu Oct 22, 2020 11:06 pm

I tried several modes, PASV and EPSV, with implicit and explicit SSL.


Code:
2020-10-23 00:59:38,652 mod_tls/2.7[18953]: TLS/TLS-C requested, starting TLS handshake
2020-10-23 00:59:38,747 mod_tls/2.7[18953]: client supports secure renegotiations
2020-10-23 00:59:38,747 mod_tls/2.7[18953]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2020-10-23 00:59:38,865 mod_tls/2.7[18953]: Protection set to Private
2020-10-23 01:00:14,907 mod_tls/2.7[18978]: TLS/TLS-C requested, starting TLS handshake
2020-10-23 01:00:15,080 mod_tls/2.7[18978]: client supports secure renegotiations
2020-10-23 01:00:15,080 mod_tls/2.7[18978]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2020-10-23 01:00:15,170 mod_tls/2.7[18978]: Protection set to Private
2020-10-23 01:00:35,734 mod_tls/2.7[18991]: TLS/TLS-C requested, starting TLS handshake
2020-10-23 01:00:35,815 mod_tls/2.7[18991]: client supports secure renegotiations
2020-10-23 01:00:35,815 mod_tls/2.7[18991]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2020-10-23 01:00:35,932 mod_tls/2.7[18991]: Protection set to Private
2020-10-23 01:01:12,871 mod_tls/2.7[19017]: TLSOption UseImplicitSSL in effect, starting SSL/TLS handshake
2020-10-23 01:01:30,710 mod_tls/2.7[19017]: unable to accept TLS connection: received EOF that violates protocol
2020-10-23 01:01:30,711 mod_tls/2.7[19017]: unable to accept TLS connection: usually this indicates an FTP-aware router, NAT, or firewall interfering with the TLS handshake
2020-10-23 01:01:30,711 mod_tls/2.7[19017]: implicit SSL/TLS negotiation failed on control channel
2020-10-23 01:01:30,711 xxxxx.Home proftpd[19017] 192.168.1.38 (62.83.xxx.xx[62.83.xxx.xx]): mod_tls.c: error initializing session: Permission denied
2020-10-23 01:01:53,623 mod_tls/2.7[19045]: TLSOption UseImplicitSSL in effect, starting SSL/TLS handshake
2020-10-23 01:02:11,481 mod_tls/2.7[19045]: unable to accept TLS connection: received EOF that violates protocol
2020-10-23 01:02:11,482 mod_tls/2.7[19045]: unable to accept TLS connection: usually this indicates an FTP-aware router, NAT, or firewall interfering with the TLS handshake
2020-10-23 01:02:11,482 mod_tls/2.7[19045]: implicit SSL/TLS negotiation failed on control channel
2020-10-23 01:02:11,482 xxxxx.Home proftpd[19045] 192.168.1.38 (62.83.xxx.xx[62.83.xxx.xx]): mod_tls.c: error initializing session: Permission denied
2020-10-23 01:02:23,072 mod_tls/2.7[19065]: TLSOption UseImplicitSSL in effect, starting SSL/TLS handshake
2020-10-23 01:02:40,919 mod_tls/2.7[19065]: unable to accept TLS connection: received EOF that violates protocol
2020-10-23 01:02:40,919 mod_tls/2.7[19065]: unable to accept TLS connection: usually this indicates an FTP-aware router, NAT, or firewall interfering with the TLS handshake
2020-10-23 01:02:40,920 mod_tls/2.7[19065]: implicit SSL/TLS negotiation failed on control channel
2020-10-23 01:02:40,920 xxxxx.Home proftpd[19065] 192.168.1.38 (62.83.xxx.xx[62.83.xxx.xx]): mod_tls.c: error initializing session: Permission denied


I tried with (opened ports) 20, 21, 2121 (FTPES) and 990 (FTPS). If I disable the TLS option in the NAS, I can access through 21 as "insecure" FTP.

And with FileZilla the problem is always at:
Code:
Status:   Connecting to xx.x.xx.xxx:2121...
Status:   Connection established, waiting for welcome message...
Status:   Initializing TLS...
Status:   Verifying certificate...
Status:   TLS connection established.
Status:   Logged in
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is the current directory
Command:   TYPE I
Response:   200 Type set to I
Command:   PASV
Response:   227 Entering Passive Mode (xx,x,xx,xxx,218,194).
Command:   LIST
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing


Might it be necessary to open the PASV port range? (Are FTPES or FTPS not working in "active" mode?)
danidrach
Donator VIP
Posts: 16
Joined: Tue Oct 13, 2020 3:27 pm

Re: Problem accessing through FTPS/FTPES

Postby Jocko » Fri Oct 23, 2020 8:39 am

Hi

Indeed, on first attempts it is usual to have issues, as several options must be properly understood.
danidrach wrote: Might it be necessary to open the PASV port range? (Are FTPES or FTPS not working in "active" mode?)
Yes, if you want to use passive mode you also need to open the PASV port range. This PASV port range is common to the FTP/FTPES/FTPS servers.

Now, it is not easy to write common rules when you want to connect from the Internet, because it depends on which features your router supports. For example, many routers block loopback with your public IP address: try to connect from your LAN using your public IP address. Or some replace the local IP address of the server with the public IP when you use the insecure FTP server, which may conflict with the 'Masquerade Address' option.

Here are some behaviours if you enable the FTPES/FTPS servers (from the help page, which I strongly advise you to read):
When you select "Connect with TLS / SSL protocol", some additional controls are displayed and 3 FTP servers are available.

Three servers:
- The first is the standard FTP server, without securing the transferred data. It is accessible only from your LAN with the following FTP address:
ftp://your-nas-name:ftpport (passive and active mode)

- The second is an FTPES server using the TLS/SSL security protocol. It is accessible with the following FTP address:
ftp://your-DDNS:ftpesport (passive and active mode from a remote host; from your local network, only passive mode)

DDNS: your domain name declared in a Dynamic DNS service

PS: From your local network, this server is also available at the following address:
ftp://Your-NAS-Name:ftpesport (only active mode)

- Since version 15.1, the last is an FTPS server using an implicit connection, as some FTP clients don't support the explicit connection.
With this last server, when a client tries to connect, the login is not encrypted, only the password. If the connection is successful, the data exchange is of course also encrypted.
As you see, active/passive mode is not always available, depending on the client location (LAN/WAN).
But an easy rule is that the standard FTP server must be used only from the LAN, and FTPES/FTPS from the WAN.

Now about data ports: if you want to use active mode from the WAN, you also have to open the related data ports. So for example, with FTPES open 2020 (if the control port is 2121), and 989 with FTPS.

Another point: some FTP clients such as FileZilla swap the data exchange mode if the selected mode fails, which may create confusion when you try to understand the server behaviour or check your configuration.
Jocko
Site Admin - expert
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
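One way to check the figures in the FileZilla logs of this thread against the rules above, as an added example (not from the original thread or the NAS firmware): it decodes the 227 reply and the PORT command, computes the data port (p1*256+p2), and flags a port outside the opened PASV range or an RFC 1918 address that the other side cannot reach across the WAN. The sample log lines, the substitute public address 203.0.113.10 and the 55536-55559 range (the range the poster opens later, assumed inclusive) are constructed inputs.

```python
import ipaddress
import re

SAMPLE_LOG = """\
Command:   PASV
Response:   227 Entering Passive Mode (203,0,113,10,218,194).
Command:   PORT 192,168,1,50,216,55
Command:   LIST
"""  # constructed FileZilla-style lines; the masked public IP is replaced by 203.0.113.10
PASV_RANGE = (55536, 55559)  # range the poster opened on the router (assumed inclusive)
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of 227 replies and PORT commands (port = p1*256+p2)."""
    m = _TUPLE.search(text)
    if m is None:
        return None
    v = [int(x) for x in m.groups()]
    if any(x > 255 for x in v):
        return None  # an element over 255 is neither a valid octet nor a port byte
    return ".".join(map(str, v[:4])), v[4] * 256 + v[5]

def is_lan_address(ip):
    # RFC 1918 addresses are unreachable from the WAN unless the router rewrites them.
    return any(ipaddress.ip_address(ip) in net for net in _RFC1918)

def check_data_channel(log, pasv_range=PASV_RANGE):
    """Return one (mode, ip, port, verdict) per PASV reply or PORT command in the log."""
    results = []
    for line in log.splitlines():
        if line.startswith("Response:") and " 227 " in line:
            mode = "PASV"
        elif line.startswith("Command:") and "PORT " in line:
            mode = "PORT"
        else:
            continue
        decoded = decode_hostport(line)
        if decoded is None:
            continue  # malformed tuple: nothing to check
        ip, port = decoded
        verdict = "ok"
        if is_lan_address(ip):
            verdict = ("server advertised a LAN address; check the Masquerade Address option"
                       if mode == "PASV" else "client advertised a LAN address; unreachable from the WAN")
        elif mode == "PASV" and not pasv_range[0] <= port <= pasv_range[1]:
            verdict = "data port outside the opened PASV range; LIST will time out"
        results.append((mode, ip, port, verdict))
    return results
```

Run on the constructed sample, the 227 reply decodes to port 56002 (outside the opened range) and the PORT command advertises a LAN address, which matches the two ways the LIST step in the thread stalls.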

Re: Problem accessing through FTPS/FTPES

Postby danidrach » Fri Oct 23, 2020 4:06 pm

OK, then I'll try opening 989 and 2020; maybe that's the reason why it doesn't work.
danidrach
Donator VIP
Posts: 16
Joined: Tue Oct 13, 2020 3:27 pm

Re: Problem accessing through FTPS/FTPES

Postby Jocko » Fri Oct 23, 2020 5:19 pm

Yes, because if you did not also open the PASV port range, then no data exchange mode could work.
Jocko
Site Admin - expert
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: Problem accessing through FTPS/FTPES

Postby danidrach » Fri Oct 23, 2020 8:13 pm

Nothing... I opened 2020, 989 and the PASV range (I set it up from 55536 to 55559); it always fails at the same point, at the LIST command.

Code:
Status:   Connection established, waiting for welcome message...
Status:   Initializing TLS...
Status:   Verifying certificate...
Status:   TLS connection established.
Status:   Logged in
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is the current directory
Command:   TYPE I
Response:   200 Type set to I
Command:   PORT 192,168,1,50,216,55
Response:   200 PORT command successful
Command:   LIST
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing


In the NAS I have checked "Some FtpUsers can escape if they are allowed to do it", and the home of the user I'm trying to access with via FTPS/FTPES is the "/" directory.

And some logs from the NAS:
Code:
2020-10-23 22:07:49,947 mod_tls/2.7[23330]: TLS/TLS-C requested, starting TLS handshake
2020-10-23 22:07:50,019 mod_tls/2.7[23330]: client supports secure renegotiations
2020-10-23 22:07:50,019 mod_tls/2.7[23330]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2020-10-23 22:07:50,263 mod_tls/2.7[23330]: Protection set to Private
2020-10-23 22:08:10,605 mod_tls/2.7[23343]: TLS/TLS-C requested, starting TLS handshake
2020-10-23 22:08:10,662 mod_tls/2.7[23343]: client supports secure renegotiations
2020-10-23 22:08:10,662 mod_tls/2.7[23343]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2020-10-23 22:08:10,793 mod_tls/2.7[23343]: Protection set to Private
2020-10-23 22:08:39,812 xxxx.Home proftpd[23460] 192.168.1.38: ProFTPD 1.3.7rc1 (git) (built Sat Jul 15 2017 22:59:15 CEST) standalone mode STARTUP
2020-10-23 22:08:53,038 mod_tls/2.7[23517]: TLS/TLS-C requested, starting TLS handshake
2020-10-23 22:08:53,108 mod_tls/2.7[23517]: client supports secure renegotiations
2020-10-23 22:08:53,108 mod_tls/2.7[23517]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2020-10-23 22:08:53,285 mod_tls/2.7[23517]: Protection set to Private
2020-10-23 22:09:13,642 mod_tls/2.7[23530]: TLS/TLS-C requested, starting TLS handshake
2020-10-23 22:09:13,714 mod_tls/2.7[23530]: client supports secure renegotiations
2020-10-23 22:09:13,714 mod_tls/2.7[23530]: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
2020-10-23 22:09:13,894 mod_tls/2.7[23530]: Protection set to Private
2020-10-23 22:11:08,460 xxxx.Home proftpd[23688] 192.168.1.38: ProFTPD 1.3.7rc1 (git) (built Sat Jul 15 2017 22:59:15 CEST) standalone mode STARTUP
2020-10-23 22:11:42,340 xxxx.Home proftpd[23829] 192.168.1.38: ProFTPD 1.3.7rc1 (git) (built Sat Jul 15 2017 22:59:15 CEST) standalone mode STARTUP
2020-10-23 22:12:45,300 xxxx.Home proftpd[23970] 192.168.1.38: ProFTPD 1.3.7rc1 (git) (built Sat Jul 15 2017 22:59:15 CEST) standalone mode STARTUP


EDIT: It's VERY strange. I tried with Net2FTP and now it worked through SSL and 2121...
I'm thinking that maybe the router's firewall is interrupting outgoing connections (the server is in a place where it works from net2ftp; now I'm trying to connect from another location, with a Mikrotik router, and I think the router is touching something). Anyway, thanks: after opening 2020 and 989 it works (except from the other site, but that's not the firmware's fault xD). The strange thing is that the logs are OK, but it fails when LISTing.

EDIT AGAIN:
No, it's not my outbound config. I tried with a demo server with implicit/990, and OK; then I tried with the NAS with the same config (implicit/990) and KO at "LIST" (failed to retrieve directory listing). I'm going crazy... the NAS works from "web2ftp" but not from my FileZilla, but another SFTP demo server (specifically the one from https://www.wftpserver.com/onlinedemo.htm) works OK from my FileZilla client with the same config...
Tomorrow I'll try running a FileZilla Server with TLS/SSL in the same location; let's see if I can clarify something.
danidrach
Donator VIP
Posts: 16
Joined: Tue Oct 13, 2020 3:27 pm

Re: Problem accessing through FTPS/FTPES

Postby danidrach » Mon Nov 09, 2020 3:12 pm

Finally, it was my fault.
It was caused by a firewall rule in the router (Mikrotik).
It was in conflict because the same ports are used on the local and remote NAS (I have one on my network and another in another location). I need to fine-tune the firewall rules. Thanks for all!
danidrach
Donator VIP
Posts: 16
Joined: Tue Oct 13, 2020 3:27 pm

Re: Problem accessing through FTPS/FTPES

Postby Jocko » Tue Nov 10, 2020 10:13 pm

Hi

Thank you for your feedback. It is what I expected: the issue is in your network settings.
Jocko
Site Admin - expert
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
