Solved

How can I get this server to allow FTP connections again?

Posted on 2008-10-14
Last Modified: 2013-12-09
This is a bit complicated.  Here is the setup.

1) Server - running FileZilla FTP Server and running GREAT.
2) Client 1 - running ftp.exe to connect through the web via a batch file and running GREAT.
3) Client 2 - running ftp.exe to connect through the web via a batch file and running GREAT.
4) Client 3 - Cannot connect via ftp.exe

I inherited the machine in question from a security nut who ONLY wanted files coming to and from the server (Client 3 is running a ColdFusion app) via shared drives in remote desktop.  I think he has tried to completely block FTP usage in OR out from that machine.  It is running Windows 2003 Standard Edition with SP1.

Unfortunately, the ColdFusion application has gotten WAY too big to manage with the unreliable connection provided by RDC.  It's slow as well, but I can live with that.  What I CAN'T live with is the fact that if it fails during any part of a file copy it gives the same stupid error as when copying files in Windows, and just stops where it is.  It is now taking 4-5 one hour tries to get everything.

So, the solution (and this is IMPORTANT because the machine is ancient and I need backups of the SQL server data) is to schedule a .bat file that zips up the needed data and FTP's it off site.  BUT, no ftp client will connect from the server in either active or passive mode.

The FTP server is running in active mode, and only has port 21 open to it.  Both of the other machines I am running this process on (which I built) are humming right along, but this one fails every time.

Here is what I am doing:

Command Line:
FTP
Open [servername]
[username]
[password]
DIR

The server acknowledged the connection, and shows me as being logged in, but I cannot LIST or change directories or get or put files.

I also cannot find any Symantec or Norton or other firewall that would be blocking stuff and Windows Firewall is disabled for now, so I am suspicious that the registry holds the answer, but obviously uncertain, or why post this.

I have also tried several Windows command line clients.  Cannot connect via FTP to ANY server successfully and get so much as a DIR or LIST to work.  Forget about GET and PUT.

Any help MUCH appreciated.  This is low-level difficult stuff, so high points.

Thanks Experts!
Question by:climberboy

Expert Comment

by:buzzle74
FTP is generally a pain in arse protocol that doesn't really run on only port 21.
From memory FTP requires either the Server or the client to allow incoming connections on ports above 1024. This is because port 21 is only used for the initial connection and FTP command. Data transfer occurs on an additional connection between server and client on a port somewhere above port 1024.

If the server is to support passive mode from clients then it should be configured to allow incoming connections on ports above 1024. Passive mode returns the risk of opening ports above 1024 back to the server. If the server does not support passive then it expects to be able to connect back to the client on ports above 1024 to transfer data. Either way incoming connections on ports above 1024 need to be open on either the server or the client for the FTP connection to work.

If you research FTP ports on the net you will find some nice diagrams to give you a better idea of how the FTP process works. It can get complicated when you have source and destination ports as well as the direction of traffic to consider, so it might take a little while to get your head around it.

Judging your situation, the server does not support passive, therefore the client is not allowing connections back to ports above 1024.  It has to be a firewall somewhere blocking this for the client. Also check the Win2k3 Security Configuration Wizard as there may be a policy applied through it filtering connections.


 
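The control/data split described in the comment above, as an added example that is not part of the original thread: it decodes the `PORT` command and the `227` reply to `PASV` from a control-channel transcript and reports which side has to accept the inbound data connection. The two sessions are constructed samples using documentation addresses, and the function names are chosen for this illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple used by PORT (client -> server) and by the 227 reply to PASV
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' tuple; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connections(transcript):
    """List every data connection a control-channel transcript sets up.

    Lines starting with '>' are client commands, '<' are server replies.
    'listener' is the side that must accept an inbound TCP connection.
    """
    found = []
    for line in transcript.splitlines():
        line = line.strip()
        if line.upper().startswith("> PORT "):
            # Active mode: the client listens, the server connects back to it.
            found.append({"mode": "active", "listener": "client",
                          "endpoint": decode_hostport(line)})
        elif line.startswith("< 227"):
            # Passive mode: the server listens, the client connects out to it.
            found.append({"mode": "passive", "listener": "server",
                          "endpoint": decode_hostport(line)})
    return found

# Constructed sample sessions (not captured from the machines in the thread).
ACTIVE_SESSION = """\
> USER backup
< 230 Logged on
> PORT 192,0,2,10,4,210
< 200 Port command successful
> LIST
< 425 Can't open data connection."""

PASSIVE_SESSION = """\
> PASV
< 227 Entering Passive Mode (198,51,100,5,195,80)
> LIST
< 150 Opening data channel"""

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        for conn in data_connections(session):
            print(name, conn)
```

A login that succeeds while `LIST` times out is consistent with the control connection on port 21 working and the separately negotiated data connection being dropped on the listener's side.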
 

Author Comment

by:climberboy
I appreciate the detailed information buzzle74.  However, I must state the two other machines, both outside my network, are working perfectly with the same client.  Therefore, the problem must be on the 3rd client machine.  This FTP server has been up and running as is for a very long time, with no issues whatsoever until now.

My opinion is that the person in charge of the 3rd client before me (2+ years ago now)  must have excluded FTP traffic somehow.  I am looking for clues along those lines.

Thanks,

Eric.
 

Author Comment

by:climberboy
Sorry, I commented before I read the whole post.  The Security Configuration Wizard is not where it should be, under administrative tools.  Also, the windir\security\msscw folder containing the command line wizard is missing.

There is no physical firewall running and Windows firewall is disabled.  There are no KNOWN other firewalls, but I'd be open to looking for them if I knew where to start.

Any other ideas?

Expert Comment

by:buzzle74
OK, I guess it depends where this 3rd machine is in relation to the server and what's in between.
Most clients on the web can't access non-passive FTP servers, as even most standard home ADSL modem routers block incoming FTP connections by default.
A couple of things I would try from the 3rd machine would be to

- find out if there is a router in front of it before it reaches the internet
- try to connect to other ftp sites, see if you have the same prob
- check tcp/ip properties-advanced-options-tcp/ip filtering.. to see if any filters are in place.


 

Author Comment

by:climberboy
Let's see here...  All three client machines are on the internet.  In fact, all three of them are in a colocation at NeoSpire in Dallas, TX.  Each of them has a free and clear internet connection with no router in between them and the web.  NeoSpire does not use firewalls... you have to provide your own, and we do not use a hardware firewall.  As I mentioned before, Windows Firewall is turned off for troubleshooting, so really, there should not be any firewall, unless there is hidden software on the server that I do not know about.

I CAN connect to one other FTP server at a client's office, but only with a Win32 client... not with ftp.exe.  It has the same problem.  However, that same Win32 app CANNOT connect to the server in question, regardless of whether I turn passive mode on or off.  I have checked all the settings countless times.  They are correct.

Under TCP/IP Properties --> Internet Protocol Properties --> Advanced TCP/IP Settings --> Options tab --> TCP/IP Filtering all ports (TCP, UDP, and IP Protocols) are set to permit all.  Also, the "Enable TCP/IP Filtering (All Adapters)" check box is unchecked.

So the other client is new.  I have tried tons of servers with it, and just happened across one that worked.  Seems I can transfer files up/down as well as list directory contents.  Regardless, I still cannot do anything useful on that server with ftp.exe... just connect and timeout on LIST, just like all other servers.

Also, that Win32 client cannot connect to the server in question, even though EVERYTHING works from any other box.  Even my machine at home on FIOS works with that one in any way, shape, or form I can throw at it, and from any client.

WEIRD.

Accepted Solution

by:
buzzle74 earned 500 total points
I guess you could try

https://www.grc.com/x/ne.dll?bh0bkyd2

to test that its internet address is actually what you think it should be and also what ports are visible from the internet.

 

Author Comment

by:climberboy
Nothing has worked so far.  Any other things to try?
 

Author Comment

by:climberboy
Nothing worked, and no further help from anyone.  Points go to buzzle74 for the effort.