  • [question] Proftpd in SFTP mode

    Hi All,

    I have actually switched all my services to TLS/SSL, so I want to enable SFTP on proftpd. I enabled it in Nodeworx, but when I test it this is the error returned in FileZilla:

    Status: Connecting to ftp.e4y.fr...
    Response: fzSftp started
    Command: open "ftp@espace4you.com@ftp.e4y.fr" 22
    Command: Pass: **********
    Error: Authentication failed.
    Error: Critical error
    Error: Could not connect to server
    Port 22 is open and running SSH; I searched the iworx forums but found no solution. Do you have an idea? An option to enable it? A specific mod?

    Thank you :)
    French Webhoster
    SOS-Data - Backup - Hosting - Infrastructure

  • #2
    Gimly,

    You probably want to try and connect via FTPES instead of SFTP in Filezilla to utilize encrypted FTP TLS/SSL transmission with the SiteWorx FTP accounts.

    SFTP in Filezilla is for FTP over the SSH protocol which I believe only works with unix shell accounts.
    Daniel Motles
    Technical Support
    InterWorx-CP | http://interworx.com/



    • #3
      Originally posted by IWorx-Dan
      Gimly,

      You probably want to try and connect via FTPES instead of SFTP in Filezilla to utilize encrypted FTP TLS/SSL transmission with the SiteWorx FTP accounts.

      SFTP in Filezilla is for FTP over the SSH protocol which I believe only works with unix shell accounts.
      I agree with Dan. I recently activated TLS/SSL and didn't really want to offer SFTP (shell access) via port 22, so we are having all our clients FTP using FTPES over port 21 (optional at the moment but mandatory in the future). As mentioned above, FileZilla works great (although I have heard that the FTPES connection details in FileZilla are encrypted on your local PC; I haven't confirmed this yet). In SmartFTP you will need to select 'FTP over SSL (Explicit)', and in Ipswitch WS_FTP Professional (v12) you will need to select server type 'FTP/SSL [AUTH SSL]'.

      I have made a post with links to some of the more popular FTP clients and FTP Client settings needed to connect via FTPES.

      Have not completed all the how to's as of the posting of this post.
      Roy
      KARTHOST.com
      [ KARTHOST Facebook FAN Page ]
      [ Follow KARTHOST on Twitter ]
      WordPress Training - KartHost University



      • #4
        I used FTPES in FileZilla and the system works perfectly! I had tested SFTP and FTPS but not FTPES. Thank you for your help Dan and RnR :)
        French Webhoster
        SOS-Data - Backup - Hosting - Infrastructure



        • #5
          This thread is very useful, thanks guys! I'm going to make it sticky, since the secure FTP question comes up often :)

          Paul
          Paul Oehler
          InterWorx-CP | http://interworx.com
          InterWorx Control Panel



          • #6
            Originally posted by R-n-R
            I have made a post with links to some of the more popular FTP clients and FTP Client settings needed to connect via FTPES.
            Do you still have that post somewhere? Would save me some time.. ;-)



            • #7
              Originally posted by mdeinhardt
              Do you still have that post somewhere? Would save me some time.. ;-)
              I am sorry, but I no longer have that list. I had gotten so busy that I was never able to finish it. Our business model changed and of course that link is now broken. Hopefully someone else might have created a list; even today it would be very useful.
              Roy
              KARTHOST.com
              [ KARTHOST Facebook FAN Page ]
              [ Follow KARTHOST on Twitter ]
              WordPress Training - KartHost University



              • #8
                Hmm, I can't get this to work. I am trying to connect with Total Commander and get this

                230 User xxx@xxxx.xxx logged in
                SYST
                215 UNIX Type: L8
                FEAT
                211-Features:
                MDTM
                MFMT
                TVFS
                AUTH TLS
                MFF modify;UNIX.group;UNIX.mode;
                MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
                PBSZ
                PROT
                REST STREAM
                SIZE
                211 End
                PBSZ 0
                200 PBSZ 0 successful
                PROT P
                200 Protection set to Private
                OPTS UTF8 ON
                500 OPTS UTF8 not understood
                Connect ok!
                PWD
                257 "/" is the current directory
                Reading directory
                TYPE A
                200 Type set to A
                PORT 192,168,11,12,221,235
                500 Illegal PORT command
                PASV
                227 Entering Passive Mode (xxx,xxx,xxx,xxx,197,38).
                MLSD
                SSL data connection error: 5, ERR_get_error=0
                ABOR
                In Filezilla this happens:

                Command: AUTH TLS
                Response: 234 AUTH TLS successful
                Status: Initializing TLS...
                Status: Verifying certificate...
                Command: USER xxx@xxxxx.xxx
                Status: TLS/SSL connection established.
                Response: 331 Password required for xxx@xxxxx.xxx
                Command: PASS **********
                Response: 230 User xxx@xxxxx.xxx logged in
                Status: Server does not support non-ASCII characters.
                Command: PBSZ 0
                Response: 200 PBSZ 0 successful
                Command: PROT P
                Response: 200 Protection set to Private
                Status: Connected
                Status: Retrieving directory listing...
                Command: PWD
                Response: 257 "/" is the current directory
                Command: TYPE I
                Response: 200 Type set to I
                Command: PASV
                Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,198,191).
                Command: MLSD
                Error: GnuTLS error -110: The TLS connection was non-properly terminated.
                Status: Server did not properly shut down the TLS connection
                Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
                Error: Connection timed out
                Error: Failed to retrieve directory listing
                Also, where and how would I set the ports for FTPS? Shouldn't they be 989 and 990?

                Thanks

                Michael



                • #9
                  Hi Michael

                  I hope you don't mind, but please see our 2 logs from Filezilla. I'm sorry, we do not use total commander.

                  I'm sure you have seen it already, but you appear to be trying to use TLS 110, and I think you set the ports in Nodeworx, system services, FTP, but I could be wrong sorry, as I have only read your post quickly.

                  I hope it helps a little

                  Many thanks

                  John

                  NORMAL LOG

                  20:56:29 Status: Connecting to ftp.************.co.uk:24...
                  20:56:29 Response: fzSftp started
                  20:56:32 Command: open "testsftp@************.co.uk@ftp.************.co.uk" 24
                  20:56:30 Command: Pass: **********
                  20:56:32 Status: Connected to ftp.************.co.uk
                  20:56:32 Status: Retrieving directory listing...
                  20:56:32 Command: pwd
                  20:56:32 Response: Current directory is: "/"
                  20:56:32 Command: ls
                  20:56:32 Status: Listing directory /
                  20:56:32 Status: Directory listing successful
                  20:57:13 Status: Disconnected from server

                  DEBUG LOG

                  20:58:13 Status: Connecting to ftp.************.co.uk:24...
                  20:58:13 Trace: Going to execute "\FileZilla FTP Client\fzsftp.exe"
                  20:58:13 Response: fzSftp started
                  20:58:13 Trace: CSftpControlSocket::ConnectParseResponse(fzSftp started)
                  20:58:13 Trace: CSftpControlSocket::SendNextCommand()
                  20:58:13 Trace: CSftpControlSocket::ConnectSend()
                  20:58:13 Command: open "testsftp@************.co.uk@ftp.************.co.uk" 24
                  20:58:13 Trace: Looking up host "ftp.************.co.uk"
                  20:58:13 Trace: Connecting to nnn.nnn.nnn.nnn port 24
                  20:58:13 Trace: Server version: SSH-2.0-mod_sftp/0.9.8
                  20:58:13 Trace: Using SSH protocol version 2
                  20:58:13 Trace: We claim version: SSH-2.0-PuTTY_Local:_Jun__1_2014_11:08:49
                  20:58:13 Trace: Doing Diffie-Hellman group exchange
                  20:58:13 Trace: Doing Diffie-Hellman key exchange with hash SHA-256
                  20:58:14 Trace: Host key fingerprint is:
                  20:58:14 Trace: ssh-rsa 2048 *******************************************
                  20:58:14 Trace: Initialised AES-256 SDCTR client->server encryption
                  20:58:14 Trace: Initialised HMAC-SHA1 client->server MAC algorithm
                  20:58:14 Trace: Initialised AES-256 SDCTR server->client encryption
                  20:58:14 Trace: Initialised HMAC-SHA1 server->client MAC algorithm
                  20:58:14 Command: Pass: **********
                  20:58:14 Trace: Sent password
                  20:58:16 Trace: Access granted
                  20:58:16 Trace: Opened channel for session
                  20:58:16 Trace: Started a shell/command
                  20:58:16 Status: Connected to ftp.************.co.uk
                  20:58:16 Trace: CSftpControlSocket::ConnectParseResponse()
                  20:58:16 Trace: CSftpControlSocket::ResetOperation(0)
                  20:58:16 Trace: CControlSocket::ResetOperation(0)
                  20:58:16 Trace: CFileZillaEnginePrivate::ResetOperation(0)
                  20:58:16 Status: Retrieving directory listing...
                  20:58:16 Trace: CSftpControlSocket::SendNextCommand()
                  20:58:16 Trace: CSftpControlSocket::ChangeDirSend()
                  20:58:16 Command: pwd
                  20:58:16 Response: Current directory is: "/"
                  20:58:16 Trace: CSftpControlSocket::ResetOperation(0)
                  20:58:16 Trace: CControlSocket::ResetOperation(0)
                  20:58:16 Trace: CSftpControlSocket::ParseSubcommandResult(0)
                  20:58:16 Trace: CSftpControlSocket::ListSubcommandResult()
                  20:58:16 Trace: state = 1
                  20:58:16 Trace: CSftpControlSocket::ResetOperation(0)
                  20:58:16 Trace: CControlSocket::ResetOperation(0)
                  20:58:16 Status: Directory listing successful
                  20:58:16 Trace: CFileZillaEnginePrivate::ResetOperation(0)



                  • #10
                    Hi Michael

                    Sorry, please see below for FTPS, however, explicit does not appear to work but I am thinking it is tied in with SSL cert perhaps.

                    Many thanks

                    John

                    21:21:56 Status: Resolving address of ftp.************.co.uk
                    21:21:56 Status: Connecting to nnn.nnn.nnn.nnn:21...
                    21:21:56 Status: Connection established, waiting for welcome message...
                    21:21:56 Trace: CFtpControlSocket::OnReceive()
                    21:21:56 Response: 220 FTP Server Ready
                    21:21:56 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:56 Command: AUTH TLS
                    21:21:56 Trace: CFtpControlSocket::OnReceive()
                    21:21:56 Response: 234 AUTH TLS successful
                    21:21:56 Status: Initializing TLS...
                    21:21:56 Trace: CTlsSocket::Handshake()
                    21:21:56 Trace: CTlsSocket::ContinueHandshake()
                    21:21:56 Trace: CTlsSocket::OnSend()
                    21:21:56 Trace: CTlsSocket::OnRead()
                    21:21:56 Trace: CTlsSocket::ContinueHandshake()
                    21:21:56 Trace: CTlsSocket::OnRead()
                    21:21:56 Trace: CTlsSocket::ContinueHandshake()
                    21:21:56 Trace: CTlsSocket::OnRead()
                    21:21:56 Trace: CTlsSocket::ContinueHandshake()
                    21:21:56 Trace: CTlsSocket::OnRead()
                    21:21:56 Trace: CTlsSocket::ContinueHandshake()
                    21:21:56 Trace: TLS Handshake successful
                    21:21:56 Trace: Protocol: TLS1.2, Key exchange: RSA, Cipher: AES-256-GCM, MAC: AEAD
                    21:21:56 Status: Verifying certificate...
                    21:21:56 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:56 Command: USER ftpstls@************.co.uk
                    21:21:56 Status: TLS/SSL connection established.
                    21:21:56 Trace: CTlsSocket::OnRead()
                    21:21:56 Trace: CFtpControlSocket::OnReceive()
                    21:21:56 Response: 331 Password required for ftpstls@************.co.uk
                    21:21:56 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:56 Command: PASS **********
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 230 User ftpstls@************.co.uk logged in
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Command: SYST
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 215 UNIX Type: L8
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Command: FEAT
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 211-Features:
                    21:21:59 Response: MDTM
                    21:21:59 Response: MFMT
                    21:21:59 Response: TVFS
                    21:21:59 Response: AUTH TLS
                    21:21:59 Response: MFF modify;UNIX.group;UNIX.mode;
                    21:21:59 Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
                    21:21:59 Response: PBSZ
                    21:21:59 Response: PROT
                    21:21:59 Response: REST STREAM
                    21:21:59 Response: SIZE
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 211 End
                    21:21:59 Status: Server does not support non-ASCII characters.
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Command: PBSZ 0
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 200 PBSZ 0 successful
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Command: PROT P
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 200 Protection set to Private
                    21:21:59 Status: Connected
                    21:21:59 Trace: CFtpControlSocket::ResetOperation(0)
                    21:21:59 Trace: CControlSocket::ResetOperation(0)
                    21:21:59 Trace: CFileZillaEnginePrivate::ResetOperation(0)
                    21:21:59 Trace: Measured latency of 403 ms
                    21:21:59 Status: Retrieving directory listing...
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Trace: CFtpControlSocket::ChangeDirSend()
                    21:21:59 Command: PWD
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 257 "/" is the current directory
                    21:21:59 Trace: CFtpControlSocket::ResetOperation(0)
                    21:21:59 Trace: CControlSocket::ResetOperation(0)
                    21:21:59 Trace: CFtpControlSocket::ParseSubcommandResult(0)
                    21:21:59 Trace: CFtpControlSocket::ListSubcommandResult()
                    21:21:59 Trace: state = 1
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Trace: CFtpControlSocket::TransferSend()
                    21:21:59 Trace: state = 1
                    21:21:59 Command: TYPE I
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 200 Type set to I
                    21:21:59 Trace: CFtpControlSocket::TransferParseResponse()
                    21:21:59 Trace: code = 2
                    21:21:59 Trace: state = 1
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Trace: CFtpControlSocket::TransferSend()
                    21:21:59 Trace: state = 2
                    21:21:59 Command: PASV
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,195,235).
                    21:21:59 Trace: CFtpControlSocket::TransferParseResponse()
                    21:21:59 Trace: code = 2
                    21:21:59 Trace: state = 2
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Trace: CFtpControlSocket::TransferSend()
                    21:21:59 Trace: state = 4
                    21:21:59 Command: MLSD
                    21:21:59 Trace: CTransferSocket::OnConnect
                    21:21:59 Trace: CTlsSocket::Handshake()
                    21:21:59 Trace: Trying to resume existing TLS session.
                    21:21:59 Trace: CTlsSocket::ContinueHandshake()
                    21:21:59 Trace: CTlsSocket::OnSend()
                    21:21:59 Trace: CTlsSocket::OnSend()
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CTlsSocket::ContinueHandshake()
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 150 Opening ASCII mode data connection for MLSD
                    21:21:59 Trace: CFtpControlSocket::TransferParseResponse()
                    21:21:59 Trace: code = 1
                    21:21:59 Trace: state = 4
                    21:21:59 Trace: CFtpControlSocket::SendNextCommand()
                    21:21:59 Trace: CFtpControlSocket::TransferSend()
                    21:21:59 Trace: state = 5
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CTlsSocket::ContinueHandshake()
                    21:21:59 Trace: TLS Handshake successful
                    21:21:59 Trace: TLS Session resumed
                    21:21:59 Trace: Protocol: TLS1.2, Key exchange: RSA, Cipher: AES-256-GCM, MAC: AEAD
                    21:21:59 Trace: CTransferSocket::OnConnect
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CTransferSocket::OnReceive(), m_transferMode=0
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CTransferSocket::OnReceive(), m_transferMode=0
                    21:21:59 Trace: CTransferSocket::TransferEnd(1)
                    21:21:59 Trace: CFtpControlSocket::TransferEnd()
                    21:21:59 Trace: CTlsSocket::OnRead()
                    21:21:59 Trace: CFtpControlSocket::OnReceive()
                    21:21:59 Response: 226 Transfer complete
                    21:21:59 Trace: CFtpControlSocket::TransferParseResponse()
                    21:21:59 Trace: code = 2
                    21:21:59 Trace: state = 7
                    21:21:59 Trace: CFtpControlSocket::ResetOperation(0)
                    21:21:59 Trace: CControlSocket::ResetOperation(0)
                    21:21:59 Trace: CFtpControlSocket::ParseSubcommandResult(0)
                    21:21:59 Trace: CFtpControlSocket::ListSubcommandResult()
                    21:21:59 Trace: state = 3
                    21:21:59 Trace: CFtpControlSocket::ResetOperation(0)
                    21:21:59 Trace: CControlSocket::ResetOperation(0)
                    21:21:59 Status: Directory listing successful
                    21:21:59 Trace: CFileZillaEnginePrivate::ResetOperation(0)



                    • #11
                      Hi John,

                      thanks for the input. You are using SFTP, right? Which is fine for myself (and working), but I would like our customers to use FTPES (i.e. FTP through Explicit TLS/SSL), as I don't want to give them shell access.

                      I've never used it before though, that's why I am not 100% sure and that's why I asked Roy for that file ;-)

                      Cheers,

                      Michael



                      • #12
                        Lol, it took me so long to type, that you beat me to it ;-)

                        The cert is working, and the initial connect works too, so it must be some other setting I guess...



                        • #13
                          My log looks the same up to MLSD, but then the error occurs...

                          Command: MLSD
                          Trace: CTransferSocket::OnConnect
                          Trace: CTlsSocket::Handshake()
                          Trace: Trying to resume existing TLS session.
                          Trace: CTlsSocket::ContinueHandshake()
                          Trace: CTlsSocket::Failure(-110, 106)
                          Error: GnuTLS error -110: The TLS connection was non-properly terminated.
                          Status: Server did not properly shut down the TLS connection
                          Trace: CTransferSocket::TransferEnd(3)
                          Trace: CFtpControlSocket::TransferEnd()
                          Error: Connection timed out
                          Trace: CControlSocket::DoClose(2050)
                          Trace: CFtpControlSocket::ResetOperation(2114)
                          Trace: CControlSocket::ResetOperation(2114)
                          Trace: CFtpControlSocket::ResetOperation(2114)
                          Trace: CControlSocket::ResetOperation(2114)
                          Error: Failed to retrieve directory listing
                          Trace: CFileZillaEnginePrivate::ResetOperation(2114)
                          Trace: CFileZillaEnginePrivate::ResetOperation(0)
                          Last edited by mdeinhardt; 07-02-2014, 03:50 PM.
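The control-channel exchanges in #8 (FEAT, PBSZ 0, PROT P, PASV, then the failing MLSD) and in #13 (control channel fine, data-channel TLS handshake failing) follow the explicit-TLS sequence of RFC 4217, and the 227 reply tells the client where the separate data connection must go: port = p1*256 + p2. The Python below is an added example, not part of the original thread and not InterWorx's or ProFTPD's own code. It audits a constructed FileZilla-style transcript modelled on those logs (host 203.0.113.10 and user ftpstls@example.co.uk are placeholders) and a constructed plain-FTP transcript of the same server: it checks that AUTH TLS was accepted before the credentials were sent, that PBSZ 0 and PROT P were accepted before the first data command, flags a data command issued without PROT P, and decodes the PASV endpoint. On the port question in #8: 990 and 989 are the IANA ports for implicit FTPS, while explicit FTPS (FTPES) uses the normal port 21 plus whatever passive port the server announces. When the control channel works but the data channel's TLS handshake fails, as in #13, the decoded PASV host and port are the first thing to confirm are actually reachable from the client, since the data channel is a separate TCP connection.

```python
import re

# Constructed sample logs modelled on the FileZilla transcripts in the thread.
# Host 203.0.113.10 and user ftpstls@example.co.uk are placeholders (assumptions).
SAMPLE_LOG = """\
21:21:56 Response: 220 FTP Server Ready
21:21:56 Command: AUTH TLS
21:21:56 Response: 234 AUTH TLS successful
21:21:56 Status: Initializing TLS...
21:21:56 Command: USER ftpstls@example.co.uk
21:21:56 Response: 331 Password required for ftpstls@example.co.uk
21:21:56 Command: PASS **********
21:21:59 Response: 230 User ftpstls@example.co.uk logged in
21:21:59 Command: FEAT
21:21:59 Response: 211-Features:
21:21:59 Response: AUTH TLS
21:21:59 Response: PROT
21:21:59 Response: 211 End
21:21:59 Command: PBSZ 0
21:21:59 Response: 200 PBSZ 0 successful
21:21:59 Command: PROT P
21:21:59 Response: 200 Protection set to Private
21:21:59 Command: PASV
21:21:59 Response: 227 Entering Passive Mode (203,0,113,10,195,235).
21:21:59 Command: MLSD
21:21:59 Response: 226 Transfer complete
"""

# The same server spoken to as plain FTP (raw protocol lines): no AUTH TLS, no PROT P.
WEAK_LOG = """\
220 FTP Server Ready
USER ftpstls@example.co.uk
230 User ftpstls@example.co.uk logged in
PASV
227 Entering Passive Mode (203,0,113,10,197,38).
LIST
226 Transfer complete
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2} ")
KEEP_RE = re.compile(r"^(?:Command|Response|Befehl|Antwort): (.*)$")
DROP_RE = re.compile(r"^(?:Status|Trace|Error|Fehler): ")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DATA_COMMANDS = {"MLSD", "LIST", "NLST", "RETR", "STOR", "APPE"}


def normalize(transcript):
    """Reduce a FileZilla-style log (or raw protocol text) to bare protocol lines."""
    lines = []
    for raw in transcript.splitlines():
        line = TS_RE.sub("", raw.strip())
        if not line or DROP_RE.match(line):
            continue
        m = KEEP_RE.match(line)
        lines.append(m.group(1) if m else line)
    return lines


def parse_pasv(reply):
    """Decode a 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def audit_ftpes(transcript):
    """Check the RFC 4217 sequence: 234 (AUTH TLS accepted) before USER, then an
    accepted PBSZ 0 and PROT P before any data-channel command."""
    lines = normalize(transcript)
    result = {"auth_tls": False, "creds_after_tls": False,
              "prot_private": False, "data_endpoint": None, "issues": []}
    tls_up = pbsz_ok = prot_ok = in_feat = False
    for i, line in enumerate(lines):
        if line.startswith("211-"):          # FEAT listing: skip until "211 End"
            in_feat = True
        if in_feat:
            in_feat = not line.startswith("211 ")
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        verb = line.split(" ", 1)[0].upper()
        if line.startswith("234 "):
            tls_up = result["auth_tls"] = True
        elif verb == "USER":
            result["creds_after_tls"] = tls_up
            if not tls_up:
                result["issues"].append("USER/PASS sent before AUTH TLS: credentials in cleartext")
        elif verb == "PBSZ":
            pbsz_ok = nxt.startswith("200 ")
        elif verb == "PROT":
            prot_ok = line.split()[1:] == ["P"] and pbsz_ok and nxt.startswith("200 ")
            result["prot_private"] = prot_ok
        elif line.startswith("227 "):
            result["data_endpoint"] = parse_pasv(line)   # the separate data TCP connection
        elif verb in DATA_COMMANDS and not prot_ok:
            result["issues"].append(line + " issued without PBSZ 0 / PROT P: data channel in cleartext")
    return result
```

To audit a real session, paste the FileZilla log (timestamps and Command:/Response:/Status: prefixes included, German prefixes are accepted too) into `audit_ftpes`; `result["data_endpoint"]` is the host and port a firewall or NAT in front of the server must let the client reach.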



                          • #14
                            Rereading your answer I stumbled over "explicit does not appear to work". It works for you, doesn't it?



                            • #15
                              Hi Michael

                              Sorry, it's late here and I have been onsite at a clients all day with openreach, resolving an issue.

                              There are 2 methods, explicit or implicit; one works and one fails, the reason being additional TLS packets which are not understood.

                              With this in mind, if you look at the SSL version used, it is 0.9.8 but using TLS 1.2, which may be the issue then, as TLS 1.2 requires a higher version of OpenSSL. I'm sure you have read over the heartbleed bug.

                              I'm sorry, I cannot recall the one which works, but I'll let you know tomorrow as I'm going to have a long cold cold beer 😃.

                              Many thanks

                              John

