3

My server has an IPv4 address, and I cannot connect to FTP through either ftp or FileZilla. I checked the configuration and everything seems correct; the firewall is not blocking ports 21 or 22, but I cannot connect because the connection times out. I cannot connect using FTP or SFTP, and I use the IP address of the server as the server address. Using the domain that resolves to this IP also doesn't work.

Output of `netstat -tlp | grep ftp` shows this:

```
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      1133/xinetd
```

No entry of tcp for FTP.

I use Plesk Onyx latest version, but I have SSH root access, so I can change things in terminal.

Update

Output of `iptables -nvL`

```
Chain INPUT (policy ACCEPT 31195 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 32658 packets, 56M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
```

Update #2

What happens when I try to connect?

```
ftp
open plesk.signlab.es
=> Connection timed out

sftp signlab@signlab.es
Enter myuser's password:
=> Connection closed // After I type correct password
```

With FileZilla:

  • Using FTP with TLS: Connection timed out
  • Using SFTP: Unexpected End-of-file from SFTP server

Update 3

Output of `ifconfig -a`

```
docker0   Link encap:Ethernet  HWaddr 02:42:60:f5:c0:26  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 00:50:56:3c:8b:bd  
          inet addr:82.223.71.90  Bcast:82.223.71.90  Mask:255.255.255.255
          inet6 addr: fe80::250:56ff:fe3c:8bbd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20904 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21745 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2328414 (2.3 MB)  TX bytes:36047414 (36.0 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:15914 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15914 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:24604850 (24.6 MB)  TX bytes:24604850 (24.6 MB)
```

Output of `telnet plesk.signlab.es 21`

```
Trying 82.223.71.90...
telnet: Unable to connect to remote host: Conexión rehusada
```

Output of `telnet localhost 21` from the server:

```
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 ProFTPD 1.3.5d Server (ProFTPD) [127.0.0.1]
```

  • processes listening on `[::]` usually listen on both ipv4 and ipv6. A timeout means dropped packets, which usually is a strong pointer to a firewall problem. If the server were not listening on that port, you would get a `connection rejected` error message. – Gerald Schneider May 08 '17 at 07:48
  • @GeraldSchneider I added the output of `iptables -nvL` to question. – Pedro Adame Vergara May 08 '17 at 08:02
  • The ftp daemon (well, xinetd) is running on the server whose firewall rules you showed us, not inside one of the containers thereon, yes? – MadHatter May 08 '17 at 08:04
  • Yes, it is running on the server. The output of iptables was taken while ssh'd into the server. – Pedro Adame Vergara May 08 '17 at 08:06
  • Then I'm with Gerald, this looks like another firewall getting in the way. Could you give us the output of `ifconfig -a` on the server, and on the client from which you're trying to connect, and show us the connection attempt (`telnet server.ip.here 21` would be the most helpful)? Oh, and `telnet localhost 21` from the server would be quite helpful, too. – MadHatter May 08 '17 at 08:07
  • The redaction is unhelpful. You're within your rights to redact things, but I won't be putting any more effort into this question without full disclosure; it just takes too much time to guess around it. See [this meta question](https://meta.serverfault.com/questions/963/what-information-should-i-include-or-obfuscate-in-my-posts) for more information. – MadHatter May 08 '17 at 08:11
  • Added the output of those commands, @MadHatter. How can I make it more helpful? – Pedro Adame Vergara May 08 '17 at 08:12
  • Don't redact information: show IP addresses, domain names, everything in the clear. Again, follow the link for more information: making it harder for possible answerers to help you doesn't give you the best chance of a quick answer. – MadHatter May 08 '17 at 08:14
  • I hope you find it better now. – Pedro Adame Vergara May 08 '17 at 08:16
  • Much, thank you. I can't connect to you on port 21, either. I think all the evidence is pointing towards your provider running a second firewall, like AWS does. You'll need to talk to your provider about this, or at least have a good poke around their provisioning system to see if there's some kind of "open-up-this-port" page. – MadHatter May 08 '17 at 08:19
  • Are you using arsys' VPS1, VPS2, VPS4 or cloud server? Or is it some other offering of theirs? – MadHatter May 08 '17 at 08:24
  • I have a 1and1 cloud server managed by myself running Ubuntu Linux with Plesk Onyx. I asked my boss to have a call with them. – Pedro Adame Vergara May 08 '17 at 08:26
  • Their cloud server offering explicitly says "IP, firewall and other advanced network features", so I'm quietly optimistic Gerald is going to turn out to be right. – MadHatter May 08 '17 at 08:33
  • @MadHatter Gerald was right. Added port 21 to the firewall rule in the provider's control panel and I can connect now. It cannot retrieve the directory list if using FTP over TLS, but using FTP over SSH works flawlessly. – Pedro Adame Vergara May 08 '17 at 10:22
  • "FTP over SSH" is SFTP, which shouldn't be confused with FTP as it has nothing to do with it. FTP over SSL/TLS confuses adaptive firewalls, so no surprise that it doesn't work. I'm very glad you have FTP working in other respects; @GeraldSchneider, do you want to write up a short answer so that Pedro can accept it (Pedro, I hope that's OK with you)? If you don't, I will, just so we can get the question put to bed. – MadHatter May 08 '17 at 11:51
  • I just need to tweak that to have it working with normal FTP over TLS, and I'm OK with the answer idea. – Pedro Adame Vergara May 08 '17 at 11:57

1 Answer

0

Processes listening on `[::]` usually listen on both IPv4 and IPv6, so this shouldn't be the problem. As a second indicator, if the server were not listening on that port, you would get a `connection rejected` error message.

A timeout means dropped packets, which is usually a strong pointer to a firewall problem. If your local firewall on the server doesn't block port 21, it is quite possible that there is another firewall at some point between your local machine and your server. The hosting provider of your server is a good place to start asking whether they have another firewall running in front of your server.

Gerald Schneider
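
The answer's two diagnostic points, as an added example that is not part of the original answer: a Python probe that classifies a TCP connect attempt (completed, refused, or silently dropped), and a local listener bound to `[::]` showing that a dual-stack socket accepts IPv4 clients. The function names are hypothetical, and the demo uses a throwaway loopback port chosen by the kernel.

```python
import errno
import socket

# How the answer reads each outcome of a connection attempt.
MEANING = {
    "open": "handshake completed: a listener is reachable on this path",
    "refused": "RST/ICMP came back: nothing listening, or a firewall REJECT rule",
    "filtered": "no reply before the timeout: packets dropped, suspect a firewall",
    "unreachable": "no route to the host or network",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as open / refused / filtered / unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

def wildcard_listener():
    """Listen on [::] with IPV6_V6ONLY off (what netstat shows as tcp6 [::]:port)."""
    if socket.has_dualstack_ipv6():
        try:
            return socket.create_server(("::", 0), family=socket.AF_INET6,
                                        dualstack_ipv6=True)
        except OSError:
            pass  # IPv6 present in the build but unusable on this host
    return socket.create_server(("0.0.0.0", 0))  # IPv4-only fallback

def demo():
    """Probe a throwaway local port over IPv4 while it is listening and after close."""
    srv = wildcard_listener()
    port = srv.getsockname()[1]  # port 0 above let the kernel pick a free port
    while_listening = probe("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close

if __name__ == "__main__":
    for state in demo():
        print(f"{state}: {MEANING[state]}")
```

Run `probe()` both on the server against `127.0.0.1` and from the client against the public address: "open" locally combined with "filtered" or "refused" remotely points at something on the path, such as a provider firewall, rather than at the daemon.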