I have a "vsftpd" server running on a RHEL machine which is configured for anonymous communication.
I am trying to connect to it from a AIX 7.1 machine using ftp client.
ftp -snv host 8043
Connected to host
220 secure FTP service
ftp> user anonymous mypass
234 Proceed with negotiation.
TLS Auth Entered.
Certificate:
....
....
TLSv1/SSLv3 ( ECDHE-RSA-AES256-GCM-SHA384 ), 256 bits
331 Please specify the password.
230 Login successful.
200 PBSZ set to 0.
200 PROT now Private.
ftp> passive
Passive mode on.
ftp> cd /incoming
250 Directory successfully changed.
ftp> quote pwd
257 "/incoming"
ftp> ls -r
227 Entering Passive Mode (XXX,XXX,XXX,XX,XXX,XX).
ftp: connect: Connection timed out
ftp>
As seen above, the cd and quote pwd command seems to work fine. But ls -r and mput commands fail with Connection timed out error.
No real helpful messages on the server logs also.
Please help on debugging and identifying the issue.
PS: The lftp clients from RHEL work fine connecting to the server.
FTP needs to open two connections to work properly. One for control and one for data.
Whenever you get "cd works but ls doesn't", the data connection is not getting established.
Troubleshooting tips:
look for any firewalls/NATs along the way
try toggling active/passive mode, this opens the data connection from the other side
look at what is happening using network debugging tools like tcpdump/wireshark
Related
This question already has an answer here:
Telnet and passive FTP
(1 answer)
Closed 4 years ago.
I installed FileZilla ftp server on one of local server in local network. I can successfully list folders for user user using ftp command (actually I installed Ubuntu in windows 10 through Microsoft store).
ftp -p 192.168.11.24 21
Connected to 192.168.11.24.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse#filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (192.168.11.24:ms): user
331 Password required for user
Password:
230 Logged on
Remote system type is UNIX.
ftp> nlist /
227 Entering Passive Mode (192,168,11,24,203,217)
150 Opening data channel for directory listing of "/"
/crm-offers-browse-2018-03-08.xlsx
/log_file.txt
/model.png
226 Successfully transferred "/"
If I try the same with telnet (I sniffed the commands using Wireshark) command nlist does not work. It returns 425 Can't open data connection. What am I missing here?
telnet -e _ 192.168.11.24 21
Telnet escape character is '_'.
Trying 192.168.11.24...
Connected to 192.168.11.24.
Escape character is '_'.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse#filezilla-project.org)
220 Please visit https://filezilla-project.org/
USER user
331 Password required for user
PASS user
230 Logged on
SYST
215 UNIX emulated by FileZilla
PASV
227 Entering Passive Mode (192,168,11,24,205,245)
NLST /
425 Can't open data connection for transfer of "/"
The answer is described in this post: Telnet and passive FTP.
You cannot retrieve files over FTP protocol using a Telnet client.
While you can simulate the FTP client by typing FTP commands on a Telnet console, you cannot do file transfers this way. It's because for file transfer you need a separate data transfer connection, what the Telnet client cannot do.
That's why the FTP server fails. In an active mode, it fails to connect back to your client machine, because there's nothing listening. In a passive more, it timeouts waiting for the client to connect to its data port.
I have a FTP server on a Windows Server 2012 machine and I am trying to get setup.exe from it.
CMD.EXE log:
C:\>ftp 1.2.3.4
Connected to 1.2.3.4.
220-FileZilla Server version 0.9.45 beta
220-written by Tim Kosse (tim.kosse#filezilla-project.org)
220 Please visit http://sourceforge.net/projects/filezilla/
User (1.2.3.4:(none)): my_username
331 Password required for my_username
Password:
230 Logged on
ftp> get setup.exe
200 Port command successful
150 Opening data channel for file download from server of "/setup.exe"
.. and stays like this
CMD.EXE log 2:
C:\>ftp 1.2.3.4
Connected to 1.2.3.4.
220-FileZilla Server version 0.9.45 beta
220-written by Tim Kosse (tim.kosse#filezilla-project.org)
220 Please visit http://sourceforge.net/projects/filezilla/
User (1.2.3.4:(none)): my_username
331 Password required for my_username
Password:
230 Logged on
ftp> quote cwd /
250 CWD successful. "/" is current directory.
ftp> quote TYPE I
200 Type set to I
ftp> QUOTE PASV
227 Entering Passive Mode (185,7,63,37,115,151)
ftp> RETR setup.exe
Invalid command.
ftp> QUOTE RETR setup.exe
425 Can't open data connection for transfer of "/setup.exe"
ftp> get setup.exe
200 Port command successful
150 Opening data channel for file download from server of "/setup.exe"
Aborting any active data connections...
Aborting any active data connections...
Connection closed by remote host.
ftp> quote get setup.exe
Not connected.
ftp>
FileZilla log:
Status: Connection established, waiting for welcome message...
Response: 220-FileZilla Server version 0.9.45 beta
Response: 220-written by Tim Kosse (tim.kosse#filezilla-project.org)
Response: 220 Please visit http://sourceforge.net/projects/filezilla/
Command: AUTH TLS
Response: 502 SSL/TLS authentication not allowed
Command: AUTH SSL
Response: 502 SSL/TLS authentication not allowed
Status: Insecure server, it does not support FTP over TLS.
Command: USER my_username
Response: 331 Password required for my_username
Command: PASS **************
Response: 230 Logged on
Status: Logged in
Status: Starting download of /setup.exe
Command: CWD /
Response: 250 CWD successful. "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (185,7,63,37,98,242)
Command: RETR setup.exe
Response: 150 Opening data channel for file download from server of "/setup.exe"
Response: 226 Successfully transferred "/setup.exe"
Status: File transfer successful, transferred 5,120 bytes in 1 second
Why it works with FileZilla but not with Windows FTP from command-line?
More than that I would want a command that executed one time would download this file from that FTP without asking the password.
Any ideas?
Thanks.
It works in FileZilla, because FileZilla defaults to the passive FTP mode, which is more firewall/NAT friendly. The Windows FTP command-line client (ftp.exe) not only defaults to the active mode, it does not even support the passive mode, on any version of Windows. It makes it pretty useless nowadays due to ubiquitous firewalls and NATs.
Read my article about the active and passive FTP connection modes to understand why the passive mode is a must.
Use any other Windows FTP command-line client instead. Most other support the passive mode.
For example WinSCP defaults to the passive mode and there's a guide available for converting Windows FTP script to WinSCP script.
Your can specifically use a batch file (.bat) like:
winscp.com /command ^
"open ftp://my_username:password#1.2.3.4/" ^
"get setup.exe" ^
"exit"
(I'm the author of WinSCP)
220 Microsoft FTP Service
user user
331 Password required for user.
pass pass
230-Directory has 543,777,456,128 bytes of disk space available.
230 User logged in.
pwd
257 "/" is current directory.
cwd aa6
250 cwd command successful.
pwd
257 "/aa6" is current directory.
pasv
227 Entering Passive Mode (*,*,*,*,201,182).
stor sampleprogram
150 Opening ASCII mode data connection.
425 Data channel timed out.
The above is the FTP done using command-line. When I check with FTP client there is a file with 0 size created.
There's a firewall or NAT between the client and the server that prevents a connection to the port 51638 (= 201 * 2^8 + 182).
If you are not able to transfer files to/from the server from anywhere/any other FTP client, the server was most likely not set up correctly. Particularly the Windows server firewall was not configured with a rule for a data port range. Another option is that the server is not aware of its external IP address. That would be the case, if the part you obfuscated (*,*,*,*) is not the same IP address you connected to.
See my article on FTP Connection Modes for explanation of the network issues with FTP data connection.
And particularly see my article on configuring IIS FTP Server for instructions on configuring the firewall and/or the external IP address.
I created a custom FTP server using .NET 4.0. I am running both the client and server on the same Windows 7 machine, and my firewall is entirely disabled. I can connect to it using both FileZilla and FtpUse, establish PASV mode, and browse the contents of folders just fine. The problem comes in when attempting to connect via Windows Explorer. I can log in successfully, but when Explorer sends the PASV command (see client/server exchange below) Explorer pops up a message box that says "FTP Folder Error", "An error occurred opening that folder on the FTP Server. Make sure you have permission to access that folder". The details that follow are the last two responses it received from the server. I found this (http://support.microsoft.com/kb/2754804/en-us) update and installed it, but it didn't help. Anyone have any ideas what this could be? I open the TCP listener before returning a response from the PASV command, so I don't think it's a question of timing.
<< 220 ***********.
>> USER Domain\******
<< 331 Password required.
>> PASS *******
<< 230 Domain\****** logged in.
>> opts utf8 on
<< 200 OPTS UTF8 command successful - UTF8 encoding now on.
>> syst
<< 215 Windows_NT.
>> site help
<< 200
<< 200 End of help.
>> PWD
<< 257 "/".
>> TYPE A
<< 200 Type set to A.
>> PASV
<< 227 Entering Passive Mode (10,0,0,4,7,100)
Originally, I thought the problem might be related to
Windows explorer hangs up FTP connection after PASV command
But I tried opening the passive port ahead of time and it didn't help. Instead, the problem is related to the strictness of Windows Explorer. The IP address supplied as part of the 227 response must be identical to the address of the FTP site the client initially connected. In other words, if the client connects using
ftp://localhost
(which resolves to 127.0.0.1), the IP address provided with the PASV response MUST be 127.0.0.1 - otherwise, Windows Explorer will error. This is not to say that the passive port can't be opened with IPAddress.Any - it can:
var listener = new TcpListener(IPAddress.Any, 0)
However, the address returned with the result must still be 127.0.0.1 (using the above as an example). If the client initially connects with the IP of the machine, say 10.x.x.x for example, the IP address returned with the 227 response must also be 10.x.x.x.
FileZilla must somehow be more forgiving.
I am trying to connect to an FTP server using:
ftp = Net::FTPFXPTLS.new
ftp.passive=true
ftp.debug_mode=true
ftp.connect('200.111.111.11',21)
ftp.login('Username','Pass')
ftp.chdir('inbound')
ftp.putbinaryfile("./#{filename}", "/#{filename}")
ftp.close()
For the purposes of this example 200.111.111.11 is the correct IP and 10.1.1.1 is the fake IP.
When I connect via an FTP client such as Transmit I connect fine and everything works as normal but in the transcript it states:
Cmd: PASV
227: Entering Passive Mode (10,1,1,1,47,79).
Fixing bogus PASV data address from 10.1.1.1:12111 to 200.111.111.11:12111.
Then when it tries to connect via the ruby script:
get: 425 Failed to establish connection.
When it tries to do any action like LIST or STOR because the PASV command always returns 10.1.1.1:12111.
So is there anyway to ensure the PASV command uses 200.111.111.11 and not what is sent back to it?
This seems to be more of an issue with the gem, there is a solution for it but woud take a little while to implement. In order to save time we simply switched the protocol to use SFTP which works flawlessly. (Switched both server and code)