ivanvega


550 Access denied. Why can't I upload to FTP?

Hi,

This one is rather weird for me. It seems to be something related to my firewall, because if I try what I'm about to explain on my home PC, it works fine (and it is firewalled too).

So, I'm behind a hardware firewall (Linksys BEFSX41) and then behind ISA Server 2004. In ISA, I have opened FTP connections TO ports 21 and 20.

When I try to connect to an FTP server (with write permissions of course), I can log in and retrieve files, but I cannot upload, rename, delete, or create dirs/files.

Any ideas why this might be?

Thanks in advance!

PS: I tried PASV, PORT, EPSV, and EPRT to no avail... And with IE, CuteFTP and WS_FTP...
TimEliseo

Please clarify the difference between what "works fine" and what doesn't. It sounds like you're talking about two different FTP servers on two different machines. I don't understand why that would be very relevant here since the two machines could be configured very differently.

If you can connect to the FTP server, then it is likely not a firewall issue. Firewalls don't generally restrict specific FTP commands. What error are you receiving exactly? If you can tell us the actual error response returned by the FTP server (a 3-digit number followed by some text), that would help out.

PASV, PORT, EPSV, EPRT, LPSV, LPRT are only used for file transfers. They are not involved in file rename, delete, or directory creation. It also probably doesn't matter what client you use, except that you may be interpreting the results differently.

When you say "with write permissions of course" are you meaning that you log in as a real user? If you didn't specify this in the client then you are logging in as "anonymous", which servers almost always restrict to download only. Have you verified that the user you've logged in as has permission to write to the directories you're trying to upload to or otherwise modify?
Are you connecting to an IIS server?
By write permissions do you mean you have set the folder permissions on the IIS FTP Directory?
In the IIS management console you also have to set the FTP settings to allow uploads.
That is... uploads by authenticated, not anonymous, users.
ivanvega

ASKER

Hi guys,

I'm not connecting to an IIS server. It's Linux, although I don't know which flavor.

As I said, from my home I can upload/whatever just fine, but not from my office, so if it's not a firewall issue, I certainly wouldn't know what it is.

What works fine:
Any client in Windows XP Pro SP2 -> Dell TrueMobile Router -> FTP server

What doesn't:
Any client in Windows XP Pro SP2 -> Win2k3Std/ISAServer2004 -> Linksys BEFSX41 Firewall/Router -> FTP server

The server is liberty.dnsprotect.com in case you need to know, although it doesn't allow anon logins. If needed I could create an account for you to test (but I'm pretty sure you won't find any problems as this doesn't seem a server issue).

The message returned by the server is the one I wrote in the subject: 550 Access denied. Here's a log:

            220---------- Welcome to Pure-FTPd [TLS] ----------
            220-You are user number 2 of 50 allowed.
            220-Local time is now 16:47. Server port: 21.
            220-This is a private system - No anonymous login
            220 You will be disconnected after 15 minutes of inactivity.
STATUS:>        Connected. Authenticating...
COMMAND:>      USER *****
            331 User ***** OK. Password required
COMMAND:>      PASS *****
            230-User ***** has group access to:  *****
            230 OK. Current restricted directory is /
STATUS:>        Login successful.
COMMAND:>      PWD
            257 "/" is your current location
STATUS:>        Home directory: /
COMMAND:>      FEAT
            211-Extensions supported:
             EPRT
             IDLE
             MDTM
             SIZE
             REST STREAM
             MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
             MLSD
             ESTP
             PASV
             EPSV
             SPSV
             ESTA
             AUTH TLS
             PBSZ
             PROT
            211 End.
STATUS:>        This site supports features.
STATUS:>        This site supports SIZE.
STATUS:>        This site can resume broken downloads.
COMMAND:>      REST 0
            350 Restarting at 0
COMMAND:>      PASV
            227 Entering Passive Mode (209,51,158,82,78,11)
COMMAND:>      LIST
STATUS:>        Connecting FTP data socket 209.51.158.82:19979...
            150 Accepted data connection
            226-Options: -a -l
            226 43 matches total
STATUS:>        Directory listing completed.
STATUS:>        Checking directory existence: "/test".
COMMAND:>      CWD /test
            550 Can't change directory to /test: No such file or directory
STATUS:>        Requested action not taken (e.g., file or directory not found, no access).
STATUS:>        Checking directory existence: "/".
COMMAND:>      CWD /
            250 OK. Current directory is /
STATUS:>        PWD skipped. Current folder: "/".
COMMAND:>      MKD test
            550 Access is denied.

Thanks!
Shall I assume that your access "from home" is on the same network as the FTP server, and that the TrueMobile router is just bridging (likely via wireless), not routing or NATing, your access? One of your routing diagrams should include "<the Internet>" somewhere, shouldn't it? These clearly aren't both local access.

I'm not an expert on Pure-FTPd nor ISA Server, but here are a few ideas:

1. Something in the FTP server config is restricting access by IP range, and your "from home" access is within that range.

2. Many FTP servers by default disable directory creation regardless of user permissions to the directory. So your example is not a good one. I'm assuming since you stated that file uploads fail that the error returned is similar.

3. ISA Server may have some application-level restrictions on FTP. I'd look at its log files of your attempted access. I'd also turn on verbose command logging for the FTP server and see if its logs correspond to what you've sent. This could indicate if ISA Server is intercepting something at the FTP command level.
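
The comparison suggested in point 3, as an added example that is not part of the original thread: it parses a client transcript in the format posted above and reports permanent-failure replies to commands that never appear in the server's own command log, which means something in the path answered them. The server-side log, its one-command-per-line format, and the function names are assumptions made for illustration; the client lines are a constructed excerpt of the log above.

```python
import re

# Client transcript in the format posted in this thread (constructed excerpt).
CLIENT_LOG = """\
COMMAND:>      PASV
            227 Entering Passive Mode (209,51,158,82,78,11)
COMMAND:>      LIST
            150 Accepted data connection
            226-Options: -a -l
            226 43 matches total
COMMAND:>      CWD /test
            550 Can't change directory to /test: No such file or directory
COMMAND:>      MKD test
            550 Access is denied.
"""

# Commands the FTP server itself logged for the session. Constructed sample;
# the one-command-per-line layout is an assumption, not Pure-FTPd's log format.
SERVER_LOG = "PASV\nLIST\nCWD /test\n"

def parse_client(log):
    """Pair each COMMAND:> line with its final reply (code, text)."""
    exchanges = []
    for line in log.splitlines():
        cmd = re.match(r"COMMAND:>\s+(.*)", line)
        reply = re.match(r"\s+(\d{3}) (.*)", line)  # "NNN-" lines are continuations
        if cmd:
            exchanges.append([cmd.group(1).strip(), None])
        elif reply and exchanges:
            exchanges[-1][1] = (int(reply.group(1)), reply.group(2))
    return [tuple(e) for e in exchanges]

def pasv_endpoint(reply_text):
    """Decode a 227 reply's (h1,h2,h3,h4,p1,p2) tuple into (host, port)."""
    n = [int(x) for x in re.search(r"\(([\d,]+)\)", reply_text).group(1).split(",")]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def refused_before_server(client_log, server_log):
    """Return 5xx exchanges whose command is absent from the server's log."""
    seen = [l.strip() for l in server_log.splitlines() if l.strip()]
    flagged = []
    for cmd, reply in parse_client(client_log):
        if cmd in seen:
            seen.remove(cmd)          # server saw it, so the reply is the server's
        elif reply and reply[0] >= 500:
            flagged.append((cmd, reply))
    return flagged

if __name__ == "__main__":
    print(refused_before_server(CLIENT_LOG, SERVER_LOG))
```

The `CWD /test` failure is not flagged because the server logged that command and refused it itself; only `MKD test` is reported. The result is only as reliable as the server-side log is complete.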
Hi,

Your assumption, although understandable, is incorrect. Here's a new "diagram":

What works fine:
Any client in Windows XP Pro SP2 -> Dell TrueMobile Router -> Internet (DSL) -> FTP server

What doesn't:
Any client in Windows XP Pro SP2 -> Win2k3Std/ISAServer2004 -> Linksys BEFSX41 Firewall/Router -> Internet (DSL) -> FTP server

Sorry for the error. Here are my notes on your suggestions:

1. That seems unlikely because it's the same ISP I'm using at both locations. Also, I asked my hosting provider and they say there's nothing special about the server that blocks anything.
2. I don't think that's relevant to this case, since the set of permissions I'm denied at my office is the same set I'm allowed at my home. The error is exactly the same for every case (MKD, PUT, DELE...).
3. There's nothing in this regard on the ISA logs ;-( Nothing I can do on the server because I'm not the owner.

I'm thinking of using a packet sniffer, but I wouldn't know what to look for, nor where to install it (my workstation or the ISA Server).

Thanks for your help!
ASKER CERTIFIED SOLUTION
TimEliseo

This solution is only available to members.
Thanks for your efforts in helping me out!

I knew what you point out, but I thought it only applied to published servers, not access rules!!! God damnit!!!

It always is so simple, isn't it?

Well, thanks a lot! You saved me from utter frustration...