Solved

Can't FTP in?

Posted on 2008-10-08
16
812 Views
Last Modified: 2013-12-02
Hi everyone,

For some reason my FTP has stopped working. I can still FTP into the server when I am inside my network, but whenever I am outside of it I get the message saying that it "timed out". However I get the timeout message within about 5 seconds which isn't normal.

This is a ubuntu 8.04 server and i'm using proftpd

I have checked the firewall, and all ports for FTP are unblocked (20 & 21). I looked at the proftpd logs and when I try to ftp in, the logs say it worked. As you can see from the ip addresses 99.999.999.999 and 88.888.888.888 Anyways, the logs are attached. Can anyone help me troubleshoot what is going on?

Thanks
Oct 08 07:24:21 myserver.mydomain.com proftpd[5230] localhost: ProFTPD 1.3.1 (stable) (built Thu Feb 21 04:21:14 UTC 2008) standalone mode STARTUP

Oct 08 07:30:01 myserver.mydomain.com proftpd[5361] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 07:30:01 myserver.mydomain.com proftpd[5361] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 08:00:01 myserver.mydomain.com proftpd[5900] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 08:00:01 myserver.mydomain.com proftpd[5900] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 08:30:01 myserver.mydomain.com proftpd[6397] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 08:30:01 myserver.mydomain.com proftpd[6397] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 09:00:01 myserver.mydomain.com proftpd[6925] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 09:00:01 myserver.mydomain.com proftpd[6925] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 09:30:01 myserver.mydomain.com proftpd[7398] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 09:30:01 myserver.mydomain.com proftpd[7398] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 10:00:01 myserver.mydomain.com proftpd[7856] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 10:00:01 myserver.mydomain.com proftpd[7856] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 10:30:01 myserver.mydomain.com proftpd[8367] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 10:30:01 myserver.mydomain.com proftpd[8367] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 11:00:01 myserver.mydomain.com proftpd[8907] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 11:00:01 myserver.mydomain.com proftpd[8907] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 11:30:01 myserver.mydomain.com proftpd[9377] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 11:30:01 myserver.mydomain.com proftpd[9377] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 12:00:01 myserver.mydomain.com proftpd[9836] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 12:00:01 myserver.mydomain.com proftpd[9836] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 12:30:01 myserver.mydomain.com proftpd[10304] localhost (127.0.0.1[127.0.0.1]): FTP session opened.

Oct 08 12:30:01 myserver.mydomain.com proftpd[10304] localhost (127.0.0.1[127.0.0.1]): FTP session closed.

Oct 08 12:34:52 myserver.mydomain.com proftpd[10383] 99.999.999.999 (88.888.888.888[88.888.888.888]): FTP session opened.

Oct 08 12:34:52 myserver.mydomain.com proftpd[10383] 99.999.999.999 (88.888.888.888[88.888.888.888]): FTP session closed.

Oct 08 12:34:56 myserver.mydomain.com proftpd[10384] 99.999.999.999 (88.888.888.888[88.888.888.888]): FTP session opened.

Oct 08 12:34:56 myserver.mydomain.com proftpd[10384] 99.999.999.999 (88.888.888.888[88.888.888.888]): FTP session closed.

Oct 08 12:37:44 myserver.mydomain.com proftpd[5230] localhost: ProFTPD killed (signal 15)

Oct 08 12:37:44 myserver.mydomain.com proftpd[5230] localhost: ProFTPD 1.3.1 standalone mode SHUTDOWN

Oct 08 12:37:52 myserver.mydomain.com proftpd[10458] localhost: ProFTPD 1.3.1 (stable) (built Thu Feb 21 04:21:14 UTC 2008) standalone mode STARTUP

Open in new window

0
Comment
Question by:bswinnerton
  • 9
  • 7
16 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 22677249
What type of firewall do you have?

What ftp client are you using?

Are you timing out attempting to login to the ftp server, or are you timing out trying to do the actual GET or PUT?

Port 21 is used for the command/control session.  If you can't login then something is blocking port 21.  If you can login, then it deals with the data connection.

Port 20 is used for the data connection when using active FTP and is the source, not destination port.  So you don't need to allow that port into the server, you must allow it out though.

Most ftp clients today default to passive ftp and if your firewall is not configured to allow it, or it does not do "ftp snooping" then passive ftp session would die.
0
 
LVL 5

Author Comment

by:bswinnerton
ID: 22679062
As for the firewall, it is the standard ADSL modem that comes from my ISP.  I have not made any changes to it since it has stopped working.  The FTP client I am using is dreamweaver for Mac OS X, however the built in FTP client for windows does not work either.

The timeout occurs for the get, it cannot display any of the contents and as soon as i click connect, within a few seconds it times out.

I have tried to connect via passive FTP, but it still didn't work.

The odd thing is that when i'm inside my network it works fine.  This is a ubuntu server, so could it have something to do with iptables?  I also have fail2ban installed, but again i haven't made any changes to the server that would stop FTP.  Unless the server was comprimised.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22679466
So, port 21 is fine.  It is the data connection that is causing the problems.

iptables could stop this, it is a firewall.  What you need to look at is what you have configured in iptables, using the iptables -L command.

The Windows default ftp client can only do active ftp.
0
 
LVL 5

Author Comment

by:bswinnerton
ID: 22680111
Here is the output of iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-proftpd  tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-apache  tcp  --  anywhere             anywhere            multiport dports www,https
fail2ban-sasl  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-courierimap  tcp  --  anywhere             anywhere            multiport dports imap2
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-courierpop3  tcp  --  anywhere             anywhere            multiport dports pop3
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Chain fail2ban-courierimap (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Chain fail2ban-courierpop3 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Chain fail2ban-proftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
0
 
LVL 5

Author Comment

by:bswinnerton
ID: 22680140
I've also looked through the fail2ban logs, it isn't blocking the ip address that i'm trying to ftp in with.
This is a very odd problem..
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22680505
Have you just recently installed fail2ban?  What you may want to try is remove all of the iptables changes and then try to ftp from the outside and see what happens.
0
 
LVL 5

Author Comment

by:bswinnerton
ID: 22681839
No, oddly enough fail2ban has been installed for about 6 months now.  If i remove the iptables, will it ruin fail2ban?

How can I go about removing them?  Do you know the command off hand?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22682526
I use Fedora and on it I can issue /etc/init.d/iptables stop to stop iptables.  If that works for you, then you run the test after you stop iptables.  Then issue /etc/init.d/iptables start to restart it.

If you can't stop/start iptables that way I'll have to find out a safe way disable iptables and restore it.

What ftp server are you runing?  Could have updated allow or deny host for the ftp server?
0
How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

 
LVL 5

Author Comment

by:bswinnerton
ID: 22683350
=/ Unfortunately /etc/init.d/iptables stop doesn't work.  There is no script there for it.

The FTP server is called proftpd. I'm thinking that maybe there is a allow or deny in there somewhere, i just don't know where.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22683580
After thinking about it, it would no be in the ftp server config.  If it was there, they you would not be allowed to login.

I am going to assume that you have re-booted the box since you installed fail2ban and that the it come back, so what you can do is issue the command:

    iptables -F

which flushes (removes) all of the access lists.  Then test and then re-boot the box to put things back.
0
 
LVL 5

Author Comment

by:bswinnerton
ID: 22683740
=( Still no luck! Here is the current iptables -L (After the -F)

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain fail2ban-apache (0 references)
target     prot opt source               destination        

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination        

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination        

Chain fail2ban-proftpd (0 references)
target     prot opt source               destination        

Chain fail2ban-sasl (0 references)
target     prot opt source               destination        

Chain fail2ban-ssh (0 references)
target     prot opt source               destination

0
 
LVL 5

Author Comment

by:bswinnerton
ID: 22683775
And just to confirm, yes it is definitely port 20, i can try a simple telnet hostname.com 20 and get a connection refused message.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22683869
No port 20 is not the issue and you should get that.

When you use active ftp the ftp server actually initiates the connect to the ftp client using port 20 as the source.  That is


FTP SERVER                               FTP CLIENT

  20 --------------------------> 1023 or higher

is what happens when now, when using passive ftp you have:

FTP SERVER                               FTP CLIENT

  1023 <-------------------------- 1023 or higher

what you would expect normally, the ftp client uses a high port to connect to a high port on the server.    I would suggest that you start looking at the ADSL modem and its firewall.



0
 
LVL 5

Author Comment

by:bswinnerton
ID: 22700064
Alright, I've made a bit of progress.  I've narrowed it down that neither the program CyberDuck or Dreamweaver CS3's FTP client work for connecting to my server.  Using the normal connect to however does.  

So my question is, are there any caches or settings that would be stored that would be blocking access?

P.S. this is on a mac
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 22701563
What I would suggest at this time is doing a packet capture from both the server and the client computers,  I use wireshark (http://www.wireshark.org).

This will show you what tcp flows are being seen by both sides.
0
 
LVL 5

Author Comment

by:bswinnerton
ID: 22704311
I'll give that a try.  Thanks giltjr
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

The purpose of this article is to show how we can create Linux Mint virtual machine using Oracle Virtual Box. To install Linux Mint we have to download the ISO file from its website i.e. http://www.linuxmint.com. Once you open the link you will see …
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now