Over the last few days I have been unable to use lftp with my server. However, gFTP seems to work fine and I am able to log in to other sites with lftp.
The problem is that when I run commands like ls or any mirror commands the connection then hangs at the [Making data connection] stage. cd commands seem to work fine and I can log in fine as well.
Any ideas? I removed my lftp settings files on the off chance but that did not help.
Offline
i think i had this problem too... i don't really run ftp much though. i was using proftpd, and lftp wasn't playing nice with it i believe.
i think it worked nice when i tried connecting to localhost, but not with my external ip address.
i really don't remember if i fixed this or not. if i did, then it was by setting the PassivePorts in /etc/proftpd.conf, and getting my router to forward those to my box. but then again, if you're not doing this, then you shouldn't be able to connect via any means...
edit: i just noticed that you've only been having this problem recently. :? hmmmmm
Offline
Hello,
having same problem when connecting to a "windows" ftp, use dir instead of ls and it would be fine I think.
Same problem every time connecting to my xbox hehe..
//xor
Offline
It's not either of those - I think it's def a Linux server at their end
Offline
tried lftp's verbose option, see if it yields any feedback?
(-d debug in the initial command line)
ie
lftp -d -u username,password -p 123 224.224.567.567
Offline
[~] : lftp -d -u dibble,PASS ftp.jiwe.org
---- Connecting to ftp.jiwe.org (216.32.69.106) port 21
<--- 220---------- Welcome to Pure-FTPd [TLS] ----------
<--- 220-You are user number 1 of 50 allowed.
<--- 220-Local time is now 22:29. Server port: 21.
<--- 220 You will be disconnected after 15 minutes of inactivity.
---> FEAT
<--- 211-Extensions supported:
<--- EPRT
<--- IDLE
<--- MDTM
<--- SIZE
<--- REST STREAM
<--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<--- MLSD
<--- ESTP
<--- PASV
<--- EPSV
<--- SPSV
<--- ESTA
<--- AUTH TLS
<--- PBSZ
<--- PROT
<--- 211 End.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: C=US,ST=Unknown,L=Unknown,O=Unknown,OU=Unknown,CN=alpha.xs-host.com,EMAIL=ssl@cpanel.net
Issued by: C=US,ST=Unknown,L=Unknown,O=Unknown,OU=Unknown,CN=alpha.xs-host.com,EMAIL=ssl@cpanel.net
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname 'ftp.jiwe.org'
<--- 530 You aren't logged in
---> USER dibble
<--- 331 User dibble OK. Password required
---> PASS PASS
<--- 230-User dibble has group access to: dibble
<--- 230 OK. Current restricted directory is /
---> PWD
<--- 257 "/" is your current location
---> PBSZ 0
<--- 200 PBSZ=0
---> PROT P
<--- 534 Fallback to [C]
---> PASV
<--- 227 Entering Passive Mode (216,32,69,106,15,209)
---- Connecting data socket to (216.32.69.106) port 4049
**** Socket error (Connection timed out) - reconnecting
---> LIST
---> ABOR
---- Closing aborted data socket
---- Closing control socket
Hmmm
Offline
I've seen similar probs reported before on the pure-ftp lists
although my memory is a bit vague on this I think it's an ssl / nat problem.
client side, gftp doesn't support ssl whereas lftp does. here lies the prob.
if you use lftp/ssl and there's a router between client and server that's doing NAT, it throws a wobbly as the other pc won't be able to track which port to use.
compare
---- Connecting to ftp.jiwe.org (216.32.69.106) port 21
Connecting data socket to (216.32.69.106) port 4049
maybe if it always specs 4049 try opening that port explicitly on your fw/router ?
or try explicitly setting a port at either side, if you can set that option.
Further reading: do a google on NAT +pure-ftp
hth
Offline
I suspected exactly that too kern. I had an email from the admin saying that they had just had to firewall one of the clients sites and that could be causing the problem. It's certainly at their end anyway - no changes at this end recently
And that port you pointed out - I had already checked that too - it changes with every connection
Offline
grooveh, at least you're getting to solutions
Only other things i could suggest, although you probably are doing one of these already, are :
1. Use lftp/ssl and possibly allow all ports from that IP address to have access past your router / firewall.
2. Use a non ssl client as you did before like gftp etc.
3. make various colourful suggestions to the ISP admin regarding places he can shove it, just before you change host
Offline
I pay $5 a year for 20Gb of bandwidth a month and 500Mb of disk space - I'm not going anywhere! I have had probs in the past that they fixed ok
Offline
---- Connecting to ftp.jiwe.org (216.32.69.106) port 21
Connecting data socket to (216.32.69.106) port 4049
This is exactly the problem - all ls commands that require data from the server are reconnected to a new port - if I stick to cd commands then it stays on port 21. As soon as I run ls it switches to a new port (4049 for instance) which I believe is now firewalled at that end.
216.32.69.106 - is their IP - not mine
Offline
disable ssl in your lftp config?
put this in ~/.lftprc
set ftp:ssl-allow false
from the man page.
iphitus
Offline
This is really annoying. I have found people with similar issues - the solution is to turn ssl ON.
However, as I can see gFTP is using no AUTH commands at all and works fine but lftp will only use AUTH TLS - which is not SSL - it is very annoying - I'm sure I have the correct settings.
Ok - so I checked and the stock lftp version is not built with openssl support! So I rebuilt and guess what?
Still can only get AUTH TLS! Plus there are so many lftp config files I dunno which one it is reading! I don't even have an .lftp/rc file, I just have .lftp/settings.
I have even port scanned my host server:
(The 1649 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
26/tcp closed unknown
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
3306/tcp open mysql
27374/tcp closed subseven
27665/tcp closed Trinoo_Master
Offline
I have used this config file for all the possible lftp config - please tell me where I have made the inevitable mistake:
## some useful aliases
alias dir ls
alias less more
alias zless zmore
alias bzless bzmore
alias reconnect "close; cache flush; cd ."
## make prompt look better
set prompt "lftp \S\? \u\@\h:\w> "
## some may prefer colors (contributed by DA <mwormald@optushome.com.au>)
#set prompt "\[\e[1;30m\][\[\e[0;34m\]f\[\e[1m\]t\[\e[37m\]p\[\e[30m\]] \[\e[34m\]\u\[\e[0;34m\]\@\[\e[1m\]\h\[\e[1;30m\]:\[\e[1;34m\]\w\[\e[1;30m\]>\[\e[0m\] "
## Uncomment the following two lines to make switch cls and ls, making
## cls the default.
#alias ls command cls
#alias hostls command ls
## default protocol selection
#set default-protocol/ftp.* ftp
#set default-protocol/www.* http
#set default-protocol/localhost file
## this makes lftp faster but doesn't work with some sites/routers
#set ftp:sync-mode off
## synchronous mode for broken servers and/or routers
set sync-mode/ftp.idsoftware.com on
set sync-mode/ftp.microsoft.com on
set sync-mode/sunsolve.sun.com on
## extended regex to match first server message for automatic sync-mode.
set auto-sync-mode "icrosoft FTP Service|MadGoat"
## if default ftp passive mode does not work, try this:
set ftp:passive-mode on
## Set this to follow http redirections
set xfer:max-redirections 10
## Terminal strings to set titlebars for terminals that don't
## properly specify tsl and fsl capabilities.
## Use cmd:set-term-status to enable this.
set cmd:term-status/*screen* "\e_\T\e\\"
set cmd:term-status/*xterm* "\e[11;0]\e]2;\T\007\e[11]"
set cmd:term-status/*rxvt* "\e[11;0]\e]2;\T\007\e[11]"
# set cmd:set-term-status on
## ssl settings
set ftp:ssl-allow on
set ftp:ssl-force on
set ftp:ssl-protect-data on
Offline
if as you mentioned, the probs at their end, i was thinking that they have firewalled stuff.
therefore it can't check the port settings due to NAT and ssh conflicts.
on reply, your setup may be blocking them cos the port is unassociated.
did you try dropping your iptables, or accepting all on your fw/router, just temporarily to check this ?
Offline
my dsl connection is firewalled remotely
Offline
Sorry to be spamming your inbox with this - more success.
Connection with lftp yields this:
[~] : lftp -d -u dibble,PASS ftp.jiwe.org
lftp dibble@ftp.jiwe.org:~> ls
---- Connecting to ftp.jiwe.org (216.32.69.106) port 21
<--- 220---------- Welcome to Pure-FTPd [TLS] ----------
<--- 220-You are user number 2 of 50 allowed.
<--- 220-Local time is now 00:02. Server port: 21.
<--- 220 You will be disconnected after 15 minutes of inactivity.
---> FEAT
<--- 211-Extensions supported:
<--- EPRT
<--- IDLE
<--- MDTM
<--- SIZE
<--- REST STREAM
<--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<--- MLSD
<--- ESTP
<--- PASV
<--- EPSV
<--- SPSV
<--- ESTA
<--- AUTH TLS
<--- PBSZ
<--- PROT
<--- 211 End.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate depth: 0; subject: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=alpha.xs-host.com/emailAddress=ssl@cpanel.net; issuer: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=alpha.xs-host.com/emailAddress=ssl@cpanel.net
WARNING: Certificate verification: self signed certificate
<--- 530 You aren't logged in
---> USER dibble
<--- 331 User dibble OK. Password required
---> PASS PASS
<--- 230-User dibble has group access to: dibble
<--- 230 OK. Current restricted directory is /
---> PWD
<--- 257 "/" is your current location
---> PBSZ 0
<--- 200 PBSZ=0
---> PROT P
<--- 534 Fallback to [C]
---> PASV
<--- 227 Entering Passive Mode (216,32,69,106,42,74)
---- Connecting data socket to (216.32.69.106) port 10826
Interrupt
---> LIST
---> ABOR
---- Closing aborted data socket
Same connection with ncftp
[~] : ncftp
NcFTP 3.1.9 (Mar 24, 2005) by Mike Gleason (http://www.NcFTP.com/contact/).
ncftp> debug
ncftp> open -u dibble ftp.jiwe.org
> open -u dibble ftp.jiwe.org
LibNcFTP 3.1.9 (March 19, 2005) compiled for linux-x86
Uname: Linux|heaton|2.6.12-cko2-bleach|#1 SMP Wed Jul 13 11:23:32 BST 2005|i686
Glibc: 2.3.3 (stable)
--------- Welcome to Pure-FTPd [TLS] ----------
You are user number 3 of 50 allowed.
Local time is now 00:04. Server port: 21.
You will be disconnected after 15 minutes of inactivity.
220: --------- Welcome to Pure-FTPd [TLS] ----------
You are user number 3 of 50 allowed.
Local time is now 00:04. Server port: 21.
You will be disconnected after 15 minutes of inactivity.
Connected to 216.32.69.106.
Cmd: USER dibble
Password requested by 216.32.69.106 for user "dibble".
User dibble OK. Password required
Password: *******
331: User dibble OK. Password required
Cmd: PASS xxxxxxxx
User dibble has group access to: dibble
OK. Current restricted directory is /
230: User dibble has group access to: dibble
OK. Current restricted directory is /
Cmd: PWD
257: "/" is your current location
Logged in to 216.32.69.106 as dibble.
Cmd: FEAT
211: Extensions supported:
EPRT
IDLE
MDTM
SIZE
REST STREAM
MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
MLSD
ESTP
PASV
EPSV
SPSV
ESTA
AUTH TLS
PBSZ
PROT
End.
Cmd: HELP SITE
214: The following SITE commands are recognized
ALIAS
CHMOD
IDLE
Pure-FTPd - http://pureftpd.org/
Logged in to ftp.jiwe.org.
Cmd: CLNT NcFTP 3.1.9 linux-x86
500: Unknown command
ncftp / > ls
> ls
Cmd: OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
500: Unknown command
Cmd: PASV
227: Entering Passive Mode (216,32,69,106,110,8)
Cmd: MLSD
150: Accepted data connection
226: Options: -a -l
...and it lists fine.
Conclusion - the lftp AUTH commands are causing the problem
Phil
Offline
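An added example, not part of any post in this thread: a short Python script that reads the lftp and ncftp debug transcripts shown above (abridged here as constructed samples), decodes the data port from each 227 reply as p1*256 + p2, and reports whether the data connection actually opened. The function name, dictionary keys and verdict labels are assumptions of this example; the TLS-related verdict is an interpretation of the log (a firewall that opens passive ports by reading 227 replies cannot read them once the control channel is encrypted), not something the server reports.

```python
import re
# Constructed samples: lines abridged from the lftp and ncftp transcripts above.
LFTP_LOG = """\
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> PROT P
<--- 534 Fallback to [C]
---> PASV
<--- 227 Entering Passive Mode (216,32,69,106,15,209)
---- Connecting data socket to (216.32.69.106) port 4049
**** Socket error (Connection timed out) - reconnecting
"""
NCFTP_LOG = """\
Cmd: PASV
227: Entering Passive Mode (216,32,69,106,110,8)
Cmd: MLSD
150: Accepted data connection
"""

REPLY = re.compile(r"^(?:<--- )?(\d{3})[ :-]")   # lftp "<--- 227 ..." or ncftp "227: ..."
PASV = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def analyse(log):
    """Summarise one client transcript; keys and verdict labels are this example's own."""
    r = {"tls_control": False, "prot_refused": False, "pasv": None, "data_opened": False}
    for line in log.splitlines():
        m = REPLY.match(line)
        code = m.group(1) if m else None
        if code == "234":            # AUTH TLS accepted: control channel is now encrypted
            r["tls_control"] = True
        elif code == "534":          # PROT P refused: data channel stays in the clear
            r["prot_refused"] = True
        elif code == "227" and (h := PASV.search(line)):
            n = [int(x) for x in h.groups()]
            # h1,h2,h3,h4 is the address; the data port is p1*256 + p2
            r["pasv"] = (".".join(map(str, n[:4])), n[4] * 256 + n[5])
        elif code == "150":          # server accepted the data connection
            r["data_opened"] = True
    if r["data_opened"]:
        r["verdict"] = "ok"
    elif r["pasv"]:
        # A firewall that opens passive ports by reading 227 replies cannot see them under TLS.
        r["verdict"] = "data-blocked-227-hidden-by-tls" if r["tls_control"] else "data-blocked"
    else:
        r["verdict"] = "no-pasv-seen"
    return r

if __name__ == "__main__":
    print({name: analyse(log) for name, log in (("lftp", LFTP_LOG), ("ncftp", NCFTP_LOG))})
```

Both clients use PASV and are handed a fresh high port each time; the difference the script surfaces is that only the lftp session negotiated TLS on the control channel before asking for it.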
OK! All sorted.
They got a firewall at the other end. Because lftp uses TLS to AUTH it was switching the port after logging in which did not work cos all the other ports were firewalled - I have disabled TLS in lftp with:
./configure --prefix=/usr --without-gnutls
and now it is working fine - so it wasn't that I need AUTH - I didn't need it.
I told em to fix the goddamn thing tho!
Offline
nice to know ur all sorted mister.
Sorry to be spamming your inbox ...
nah, feedback on solutions is always good.
I'm sure there's more folks than you who had this problem and simply swapped client. I probably would have
Offline
once you use the mirror command for maintaining files on a server you never go back
Offline