
Why Are There Random Ports When Attempting to Connect via FTP after I Bound IIS to Port 21?

Tessando asked:
Last Modified: 2020-01-29
I am troubleshooting an existing FTP Connection in Windows Server 2016. This FTP connection has its bindings in IIS set to port 21:

[Image: bindings-to-21.jpg]
I can Telnet to that server from the client via Port 21.

I am getting the same errors on both the client and the server, but what's really strange is that there is a random port at the connection attempt. Things like:

2020-01-24 14:49:14.389 Connecting to 10.0.10.200:1069 ...

2020-01-24 14:49:14.389 Connecting to 10.0.10.200:1064 ...

Is there some sort of dynamic port range that I missed? These numbers seem low for that, but I need a sanity check from someone who has seen this before.

I figured that the FTP would connect over Port 21, as I bound that in IIS.

Thanks for your help!

Dr. Klahn (Principal Software Engineer, Certified Expert) commented:
FTP listens on port 21.  However, the port used outgoing from the client to the server is chosen from the available ports list.  Also, once the connection is established, the connection on the server is "handed off" and uses a port from the available ports list.  Whether either of these apply in this case is not clear as there's not enough information.

If you show us a full session log it will be helpful.
Tessando (IT Administrator, Author) commented:
Thanks Dr. Klahn - Here's the log from the moment I start until it bombs out. Hopefully there are a few clues in here:

. 2020-01-24 15:47:44.873 --------------------------------------------------ttessandori------------------------
. 2020-01-24 15:47:44.873 WinSCP Version 5.15.9 (Build 10071) (OS 10.0.17763 - Windows Server 2019 Standard)
. 2020-01-24 15:47:44.873 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2020-01-24 15:47:44.873 Log level: Normal
. 2020-01-24 15:47:44.873 Local account: AMA-19\ama
. 2020-01-24 15:47:44.873 Working directory: C:\Program Files (x86)\WinSCP
. 2020-01-24 15:47:44.873 Process ID: 1924
. 2020-01-24 15:47:44.884 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" 
. 2020-01-24 15:47:44.884 Time zone: Current: GMT-8, Standard: GMT-8 (Pacific Standard Time), DST: GMT-7 (Pacific Daylight Time), DST Start: 3/8/2020, DST End: 11/1/2020
. 2020-01-24 15:47:44.884 Login time: Friday, January 24, 2020 3:47:44 PM
. 2020-01-24 15:47:44.884 --------------------------------------------------------------------------
. 2020-01-24 15:47:44.884 Session name: @ftp(Site)
. 2020-01-24 15:47:44.884 Host name: hostname.com (Port: 21)
. 2020-01-24 15:47:44.884 User name: DOMAIN\ama (Password: No, Key file: No, Passphrase: No)
. 2020-01-24 15:47:44.884 Transfer Protocol: FTP
. 2020-01-24 15:47:44.884 Ping type: Off, Ping interval: 30 sec; Timeout: 180 sec
. 2020-01-24 15:47:44.884 Disable Nagle: No
. 2020-01-24 15:47:44.884 Proxy: None
. 2020-01-24 15:47:44.884 Send buffer: 262144
. 2020-01-24 15:47:44.884 UTF: Auto
. 2020-01-24 15:47:44.884 FTPS: Explicit TLS/SSL [Client certificate: No]
. 2020-01-24 15:47:44.884 FTP: Passive: Yes [Force IP: On]; MLSD: Auto [List all: Auto]; HOST: Auto
. 2020-01-24 15:47:44.884 Session reuse: Yes
. 2020-01-24 15:47:44.884 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2020-01-24 15:47:44.884 Local directory: C:\Users\ama\Documents, Remote directory: /, Update: Yes, Cache: Yes
. 2020-01-24 15:47:44.884 Cache directory changes: Yes, Permanent: Yes
. 2020-01-24 15:47:44.884 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2020-01-24 15:47:44.884 Timezone offset: 0h 0m
. 2020-01-24 15:47:44.884 --------------------------------------------------------------------------
. 2020-01-24 15:47:45.004 Connecting to hostname.com ...
. 2020-01-24 15:47:45.493 Connected with hostname.com, negotiating TLS connection...
< 2020-01-24 15:47:45.597 220 Microsoft FTP Service
> 2020-01-24 15:47:45.597 AUTH TLS
< 2020-01-24 15:47:45.688 234 AUTH command ok. Expecting TLS Negotiation.
. 2020-01-24 15:47:46.178 Verifying certificate for "" with fingerprint b4:8b:76:7d:1c:2e:ef:78:0b:e6:3c:16:dc:f9:6d:21:d4:79:db:01 and 20 failures
. 2020-01-24 15:47:46.178 Certificate common name "*.amareinc.com" matches hostname
. 2020-01-24 15:47:46.277 Certificate verified against Windows certificate store
. 2020-01-24 15:47:46.277 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
. 2020-01-24 15:47:46.287 TLS connection established. Waiting for welcome message...
> 2020-01-24 15:47:46.287 USER DOMAIN\ama
< 2020-01-24 15:47:46.367 331 Password required
> 2020-01-24 15:47:49.152 PASS *********
< 2020-01-24 15:47:49.315 230 User logged in.
> 2020-01-24 15:47:49.315 SYST
. 2020-01-24 15:47:49.419 The server is probably running Windows, assuming that directory listing timestamps are affected by DST.
< 2020-01-24 15:47:49.419 215 Windows_NT
> 2020-01-24 15:47:49.419 FEAT
< 2020-01-24 15:47:49.506 211-Extended features supported:
< 2020-01-24 15:47:49.506  LANG EN*
< 2020-01-24 15:47:49.506  UTF8
< 2020-01-24 15:47:49.506  AUTH TLS;TLS-C;SSL;TLS-P;
< 2020-01-24 15:47:49.506  PBSZ
< 2020-01-24 15:47:49.506  PROT C;P;
< 2020-01-24 15:47:49.506  CCC
< 2020-01-24 15:47:49.506  HOST
< 2020-01-24 15:47:49.506  SIZE
< 2020-01-24 15:47:49.506  MDTM
< 2020-01-24 15:47:49.506  REST STREAM
< 2020-01-24 15:47:49.506 211 END
> 2020-01-24 15:47:49.506 OPTS UTF8 ON
< 2020-01-24 15:47:49.598 200 OPTS UTF8 command successful - UTF8 encoding now ON.
> 2020-01-24 15:47:49.598 PBSZ 0
< 2020-01-24 15:47:49.686 200 PBSZ command successful.
> 2020-01-24 15:47:49.696 PROT P
< 2020-01-24 15:47:49.784 200 PROT command successful.
. 2020-01-24 15:47:49.800 Connected
. 2020-01-24 15:47:49.808 --------------------------------------------------------------------------
. 2020-01-24 15:47:49.808 Using FTP protocol.
. 2020-01-24 15:47:49.808 Doing startup conversation with host.
> 2020-01-24 15:47:49.818 PWD
< 2020-01-24 15:47:49.909 257 "/" is current directory.
. 2020-01-24 15:47:49.909 Changing directory to "/".
> 2020-01-24 15:47:49.909 CWD /
< 2020-01-24 15:47:50.005 250 CWD command successful.
. 2020-01-24 15:47:50.005 Getting current directory name.
> 2020-01-24 15:47:50.005 PWD
< 2020-01-24 15:47:50.087 257 "/" is current directory.
. 2020-01-24 15:47:50.158 Retrieving directory listing...
> 2020-01-24 15:47:50.158 TYPE A
< 2020-01-24 15:47:50.247 200 Type set to A.
> 2020-01-24 15:47:50.247 PASV
< 2020-01-24 15:47:50.338 227 Entering Passive Mode (10,0,30,200,75,178).
> 2020-01-24 15:47:50.338 LIST -a
. 2020-01-24 15:47:50.338 Connecting to 10.0.10.20:19378 ...
< 2020-01-24 15:47:50.428 150 Opening ASCII mode data connection.
. 2020-01-24 15:48:11.539 Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
. 2020-01-24 15:48:11.539 Could not retrieve directory listing
< 2020-01-24 15:48:29.237 550 Data channel timed out.
. 2020-01-24 15:48:29.237 LIST with -a failed, will try pure LIST
. 2020-01-24 15:48:29.237 Retrieving directory listing...
> 2020-01-24 15:48:29.237 TYPE A
< 2020-01-24 15:48:29.336 200 Type set to A.
> 2020-01-24 15:48:29.336 PASV
< 2020-01-24 15:48:29.437 227 Entering Passive Mode (10,0,30,200,75,183).
> 2020-01-24 15:48:29.437 LIST
. 2020-01-24 15:48:29.437 Connecting to 10.0.10.20:19383 ...
< 2020-01-24 15:48:29.527 150 Opening ASCII mode data connection.
. 2020-01-24 15:48:50.452 Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
. 2020-01-24 15:48:50.452 Could not retrieve directory listing
< 2020-01-24 15:49:09.236 550 Data channel timed out.
* 2020-01-24 15:49:09.317 (ECommand) Error listing directory '/'.
* 2020-01-24 15:49:09.317 Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
* 2020-01-24 15:49:09.317 Could not retrieve directory listing
* 2020-01-24 15:49:09.317 Data channel timed out.
. 2020-01-24 15:49:21.544 Startup conversation with host finished.

Thanks for your help.
Dr. Klahn (Principal Software Engineer, Certified Expert) commented:
Well, it looks to me like a) the Windows FTP server is not doing the connection handoff to the secondary port properly once the session has been established or b) the handoff to the secondary port is occurring, but is being blocked by a firewall or antivirus.

a) Is there a firewall between the two systems?

b) Are both systems configured identically as to which ports in the dynamic and ephemeral ranges can be used?

I've asked that another expert who knows quite a bit about the FTP protocol have a look at this thread.

Side note:  I would require Secure FTP (e.g., PuTTY psftp) rather than FTP regardless of whether the files being sent were important or not.
Tessando (IT Administrator, Author) commented:
a) There is a firewall managed by SEP (Symantec Endpoint Protection) that I have temporarily disabled in order to run this testing. Less than a month ago this was working as expected (this is in a Private Subnet and requires VPN to access).

b) I wasn't aware that the client required the same dynamic and ephemeral ranges. Where can I check that in Windows Server 2019?

Thanks!

And yes, thanks for the recommendation of SFTP. I'm building a case for setting that up. This FTP setup isn't a first choice, but it's what I inherited. Thanks again for the assist.
Kimputer (IT Manager, Certified Expert) commented:
That's why you don't want to use IIS FTP. Just use Filezilla Server, where you have FULL control over the dynamic ports (and hence, can easily fill them in your firewall/NAT settings)


Passive Mode Settings > Custom Port Range


For a server with only medium traffic, about 20 ports are already enough.

Tessando (IT Administrator, Author) commented:
Okay, thanks Kimputer. How do I find or configure those? Would those be direct entries in the Firewall?

Even in the example log file I sent, ports 19378 and 19383 were used for the two different attempts. So, these really are random.

Is this as simple as: Configure the Client Outbound IP's on the firewall and configure the Server Inbound IP's on the firewall?

Thanks again.
Tessando (IT Administrator, Author) commented:
I found a range on the server that works of 1024-65535. Seems a bit permissive, but it does ring a bell.
Kimputer (IT Manager, Certified Expert) commented:
As I said, that's the reason I use FileZilla Server. And as I said that, you kept hammering on IIS.

Opening the full range just for FTP is quite ill advised, and the main reason not to use IIS FTP.

What about an anti-hammering feature? No thanks, FileZilla will do that for you.

And the list of features goes on and on and on.

Certified Expert (Distinguished Expert 2019) commented:
There is a way through the registry to narrow the passive FTP ports, though your 1024-65536 is too broad. If I'm not mistaken, the FTP data port range on the server is 45000-65536.

To grant authorization and give the Windows Firewall the dynamic port access authorization, instead of going with an explicit port/port range authorization rule, add the IIS FTP component as the program on whose basis the incoming rules are permitted. This way the port the service binds to will automatically be accepted/allowed through the Windows Firewall.
Certified Expert (Distinguished Expert 2019) commented:
The following is an older reference, but I think can be used to adjust your setup/settings.

https://docs.microsoft.com/en-us/iis/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7
Certified Expert (Distinguished Expert 2019) commented:
On the PASV command the remote server randomly picks a port from a range and provides it to the client
in the form IPaddress,p1,p2

https://support.plesk.com/hc/en-us/articles/360002460954-How-is-port-for-passive-ftp-connection-generated-

The client determines the data port to which it needs to connect by calculating
p1*256+p2

The earlier comment provided a ref for you to narrow the range of random data ports.
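The p1*256+p2 calculation, applied to the 227 replies quoted in the WinSCP log earlier in this thread, as an added Python example (not part of the thread, and not WinSCP's or IIS's code). It reproduces the client's choice of data-channel target, including the "Force IP: On" behaviour visible in the log (the client connected to the control-connection peer rather than the announced address), and flags the two things a defender would check first: an announced address that differs from the control peer, and a port outside the range the server is supposed to be restricted to. The `ALLOWED_RANGE` values are placeholders, not a range from the thread; substitute the data-channel range actually configured on the server.

```python
from __future__ import annotations

import re

# Constructed sample input: the two 227 replies and the control-connection
# peer address as they appear in the WinSCP log quoted in this thread.
PASV_REPLY_1 = "227 Entering Passive Mode (10,0,30,200,75,178)."
PASV_REPLY_2 = "227 Entering Passive Mode (10,0,30,200,75,183)."
CONTROL_PEER = "10.0.10.20"

# Placeholder data-channel range (an assumption, not a value from the thread);
# replace with the range the IIS FTP server is actually configured to use.
ALLOWED_RANGE = (5000, 5100)

_PASV_RE = re.compile(
    r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) announced in an RFC 959 '227' reply.

    The six numbers are h1,h2,h3,h4,p1,p2: the first four are the IPv4
    address, the last two give the port as p1*256 + p2.
    """
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, control_peer: str, allowed_range: tuple[int, int],
               force_ip: bool = True) -> dict:
    """Reproduce the client's decision and report likely causes of a timeout.

    force_ip=True mirrors WinSCP's "Force IP: On": the data connection goes to
    the control-connection peer, ignoring the address in the 227 reply.
    """
    announced_ip, port = parse_pasv(reply)
    target_ip = control_peer if force_ip else announced_ip
    findings = []
    if announced_ip != control_peer:
        findings.append(
            f"announced address {announced_ip} differs from control peer "
            f"{control_peer} (NAT or multi-homed server?)"
        )
    lo, hi = allowed_range
    if not lo <= port <= hi:
        findings.append(f"port {port} is outside the expected data range {lo}-{hi}")
    return {"target": (target_ip, port), "announced_ip": announced_ip,
            "port": port, "findings": findings}


if __name__ == "__main__":
    for reply in (PASV_REPLY_1, PASV_REPLY_2):
        result = check_pasv(reply, CONTROL_PEER, ALLOWED_RANGE)
        print(reply)
        print("  client will connect to:", result["target"])
        for f in result["findings"]:
            print("  finding:", f)
```

Run against the log's two replies it reports 19378 and 19383, exactly the ports seen in "Connecting to 10.0.10.20:19378", so the ports are not random noise but the server's own choice from its passive range; the firewall on the path (and the server's own rule set) has to admit that whole range, or the range has to be narrowed to something the firewall already allows.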
Tessando (IT Administrator, Author) commented:
Thanks for everyone's assistance. This has been helpful. I am not able to work on the machine for a couple days and am building a case for SFTP. Does anyone have a good recipe that plays nicely with Windows Server 2016?

I still plan on attempting the port change in the registry, as I've got to get this handled this week.

I do appreciate your responses and look forward to reading your favorite directions for Win2k16.
Certified Expert (Distinguished Expert 2019) commented:
Not fully clear what you are asking.
IIS FTP has a firewall config option through which it can add the requisite rules on the Windows Firewall to support the service.
SFTP is an OpenSSH ...... which is different from FTPS.
Tessando (IT Administrator, Author) commented:
Oh, thanks for the clarification Arnold. I was just asking if someone had a favorite set of directions they use for setting up SFTP on Windows, that's all. My intention wasn't to collapse those into each other, rather just get documentation suggestions.
Certified Expert (Distinguished Expert 2019) commented:
SFTP is commonly done through either use of Cygwin with OpenSSL or other means of getting a Windows-based OpenSSH server.

If you are looking for an FTP server that communicates over a secure tunnel: FileZilla Server, or using a Linux system with vsftpd, proftpd....
Tessando (IT Administrator, Author) commented:
Following these directions I setup SFTP on a Windows machine: https://tech.xenit.se/installing-and-configuring-sftp-server-on-windows-server-2016/

I disregarded the part about the Netscaler because that's not part of my infrastructure.

What I loved about those directions is the ability to login using a Domain account. That also seems to be the area where I get hung up.

I can Telnet to Port 22 on the server, but when I attempt to use WinSCP I get the following Authentication failure. Does anything here ring a bell? I would appreciate a point in the right direction.

--------------------------------------------------------------------------
. 2020-01-27 16:06:17.019 Looking up host "10.0.10.20" for SSH connection
. 2020-01-27 16:06:17.019 Connecting to 10.0.10.20 port 22
. 2020-01-27 16:06:17.342 We claim version: SSH-2.0-WinSCP_release_5.15.9
. 2020-01-27 16:06:17.817 Server version: SSH-2.0-OpenSSH_for_Windows_8.1
. 2020-01-27 16:06:17.817 Using SSH protocol version 2
. 2020-01-27 16:06:17.817 Have a known host key of type ssh-ed25519
. 2020-01-27 16:06:18.328 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2020-01-27 16:06:18.978 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2020-01-27 16:06:18.978 Host key fingerprint is:
. 2020-01-27 16:06:18.978 ssh-ed25519 256 3e:53:ff:a3:ce:0e:2b:c9:22:f8:13:08:db:41:ec:8b rEbLd9ms12WMn3Lyuez2BuGUc5GrzXCaKLs1Aw1FtC8=
. 2020-01-27 16:06:18.998 Host key matches cached key
. 2020-01-27 16:06:18.998 Initialised AES-256 SDCTR client->server encryption
. 2020-01-27 16:06:18.998 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2020-01-27 16:06:18.998 Initialised AES-256 SDCTR server->client encryption
. 2020-01-27 16:06:18.998 Initialised HMAC-SHA-256 server->client MAC algorithm
! 2020-01-27 16:06:19.582 Using username "domain\user".
. 2020-01-27 16:06:19.673 Network error: Software caused connection abort
* 2020-01-27 16:06:19.713 (EFatal) Network error: Software caused connection abort
* 2020-01-27 16:06:19.713 Authentication log (see session log for details):
* 2020-01-27 16:06:19.713 Using username "domain\user".
* 2020-01-27 16:06:19.713 
* 2020-01-27 16:06:19.713 Authentication failed.
. 2020-01-27 16:06:19.974 Network error: Software caused connection abort
* 2020-01-27 16:06:19.984 (EFatal) Network error: Software caused connection abort
* 2020-01-27 16:06:19.984 Authentication log
* 2020-01-27 16:06:19.984 Using username "domain\user".
* 2020-01-27 16:06:19.984 
* 2020-01-27 16:06:19.984 Authentication failed.

Thanks for your help.
Certified Expert (Distinguished Expert 2019) commented:
\ might be misinterpreted. Try user@domain to see.
Another option might be to make the domain implicitly included in the SFTP server's configuration.
Tessando (IT Administrator, Author) commented:
Thank you, arnold. I have changed the user@domain in the client and am getting the same results.

Do you have an example of how I'd "implicitly include the SFTP Server's configuration"?

Thanks!
Certified Expert (Distinguished Expert 2019) commented:
I've not done the setup recently; \ is usually an escape.
Check the configuration whether there is a different parameter used as realm separator.

Try domain\\username and see if you get a different response.
Certified Expert commented:
When's the last time you updated curve?
They have updated their key exchange issue over 2 years ago.
Tessando (IT Administrator, Author) commented:
The configuration for the AllowGroups directive does require the slash:

https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config

I even tried creating a local group, but still can't get Authentication to pass.

Rounding back to my original question, does anyone have a favorite "go to" set of directions for setting up SFTP on Windows Server 2016? I'm sure the directions I'm using [1] are good, they just aren't working for me. Which is frustrating.

Even when I attempt to use PuTTY, I'm getting the same issue. If it's helpful, I can telnet into the Server using Port 22.

Thanks for your help.
Certified Expert (Distinguished Expert 2019) commented:
You have it set up, but it will use local users (to the server), not domain based.
Certified Expert commented:
Well it points to software as the issue.
Is there a firewall or antivirus software installed?
Try disabling and try again.