
FTP over TLS / Plain FTP

Posted: 2018-08-29 15:15
by StandardTool
Is it possible to have both kinds of users on a system, some connecting with FTP over TLS and the others with plain FTP? I have enabled FTP over TLS, set my passive custom port range, set the certificate and have no issues connecting using FTP over TLS. However, our China staff cannot have encryption through the Great Firewall of China, so I have unchecked "Disallow plain FTP" and unchecked "Force PROT P", but I cannot get those staff connecting; it simply gets stuck or times out on the directory listing.

I have tried myself and cannot connect using plain FTP; it never displays the directories. What am I doing wrong? Thank you.

Log on server:
000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> Connected on port 21, sending welcome message...
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> AUTH SSL
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> 502 Explicit TLS authentication not allowed
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> AUTH TLS
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> 502 Explicit TLS authentication not allowed
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> USER username
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> 331 Password required for username
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> PASS ********
(000003)8/29/2018 10:57:57 AM - username (x.x.x.x)> 230 Logged on
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> PWD
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 257 "/" is current directory.
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> FEAT
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 211-Features:
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> MDTM
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> REST STREAM
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> SIZE
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> MLST type*;size*;modify*;
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> MLSD
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> UTF8
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> CLNT
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> MFMT
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> EPSV
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> EPRT
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 211 End
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> OPTS UTF8 ON
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 202 UTF8 mode is always enabled. No need to send this command.
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> PWD
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 257 "/" is current directory.
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> PASV
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 227 Entering Passive Mode

Re: FTP over TLS / Plain FTP

Posted: 2018-08-29 15:51
by botg
The reply to the PASV command is incomplete. You have a piece of malware on your system that modifies the behavior of FileZilla Server, making it return incomplete replies.

Re: FTP over TLS / Plain FTP

Posted: 2018-08-29 19:13
by StandardTool
I don't think it's a malware issue, but it's possibly the same issue as in the thread above mine regarding plain FTP not using the custom ports. My firewall logs are showing that the ports being assigned are not the custom ports being forwarded.

Re: FTP over TLS / Plain FTP

Posted: 2018-08-30 03:37
by boco
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 227 Entering Passive Mode
That line is not complete, the IP and port proposed to the client is missing. Either you truncated the log (which you shouldn't), or it is really missing.

In any case, if the firewall/router tampers with the traffic, there's really not much we can do. You can try using a non-default port for FTP (not 21). Many routers enable the traffic tampering only for default service ports.
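A small check that makes the two diagnoses in this thread (an incomplete 227 reply, and passive ports outside the configured custom range) mechanical. This is an added example, not code from FileZilla or from any poster. The 227 reply format is from RFC 959: `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`, where the data port is `p1*256 + p2`. The log lines are constructed to imitate the FileZilla Server log above (the address tuples are invented, and the passive range 50000-50100 is a hypothetical server setting); a firewall or router ALG rewriting the PASV reply in transit is one way to end up with a truncated or out-of-range tuple.

```python
import re

# Constructed sample log, modelled on the FileZilla Server log in the thread.
# Session 000003 reproduces the poster's truncated 227 reply; 000004 advertises a
# port inside the hypothetical custom range; 000005 advertises one outside it.
SAMPLE_LOG = """\
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> PASV
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 227 Entering Passive Mode
(000004)8/29/2018 11:02:10 AM - username (x.x.x.x)> PASV
(000004)8/29/2018 11:02:10 AM - username (x.x.x.x)> 227 Entering Passive Mode (203,0,113,10,195,88)
(000005)8/29/2018 11:05:42 AM - username (x.x.x.x)> PASV
(000005)8/29/2018 11:05:42 AM - username (x.x.x.x)> 227 Entering Passive Mode (203,0,113,10,4,1)
"""

# Hypothetical custom passive port range configured on the server (assumption).
PASV_RANGE = (50000, 50100)

# RFC 959 reply shape: 227 <text> (h1,h2,h3,h4,p1,p2); port = p1*256 + p2.
_PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# FileZilla-style log line: "(<session>)<timestamp> - <user> (<ip>)> <server reply>"
_LOG_RE = re.compile(r"\((\d+)\).*?>\s*(227 .*)$")


def parse_pasv_reply(reply):
    """Return (ip, port) from a 227 reply, or None if the tuple is missing or malformed."""
    m = _PASV_RE.search(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # each field is one octet; anything larger is not a valid reply
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_pasv_reply(reply, pasv_range=PASV_RANGE):
    """Classify a 227 reply as 'ok', 'incomplete' (no address/port tuple) or 'outside_range'."""
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return "incomplete"
    _, port = parsed
    lo, hi = pasv_range
    if not (lo <= port <= hi):
        return "outside_range"
    return "ok"


def audit_log(text, pasv_range=PASV_RANGE):
    """Scan a FileZilla-style log; return (session, verdict, port_or_None) for each 227 reply.

    An 'incomplete' verdict matches the thread's symptom (a 227 line with no tuple);
    'outside_range' matches the firewall logs showing ports that are not forwarded.
    """
    results = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        session, reply = m.group(1), m.group(2)
        parsed = parse_pasv_reply(reply)
        results.append((session, check_pasv_reply(reply, pasv_range), parsed[1] if parsed else None))
    return results


if __name__ == "__main__":
    for session, verdict, port in audit_log(SAMPLE_LOG):
        print(f"session {session}: {verdict} (port={port})")
```

Run it against a log captured on the server itself and compare with what the client saw: a tuple that is complete in the server log but incomplete or rewritten on the client side points at the device in between, which is exactly why the non-default control port suggestion above is worth trying for plain FTP.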

Re: FTP over TLS / Plain FTP

Posted: 2018-08-30 14:21
by StandardTool
Thank you. I probably did truncate it when copying, but I appreciate your suggestion; I will try the non-default port assignment and see if that changes anything. The server is running behind a Sophos XG appliance. Just an FYI: when running just plain (non-TLS) FTP, it works perfectly, but when trying to combine the two connection types, plain FTP fails while the other works flawlessly. Thanks again.

Re: FTP over TLS / Plain FTP

Posted: 2018-08-30 15:32
by boco
FTP over TLS is end-to-end encryption. That means no device/software along the way can decrypt and read the traffic, let alone modify it. For the firewall/router (acting as a man-in-the-middle), the traffic looks like binary gibberish. There is no way to modify FTP over TLS traffic (unless the encryption is broken).

Re: FTP over TLS / Plain FTP

Posted: 2019-07-12 03:15
by sjgmbob
Is it possible to have both kinds of users on a system, some connecting with FTP over TLS and the others with plain FTP? I have enabled FTP over TLS, set my passive custom port range, set the certificate and have no issues connecting using FTP over TLS. However, our China staff cannot have encryption through the Great Firewall of China, so I have unchecked "Disallow plain FTP" and unchecked "Force PROT P", but I cannot get those staff connecting; it simply gets stuck or times out on the directory listing.
I use an encrypted connection. Initial connection works fine. Problem is constant connection interruption. :(

Update: I managed to get rid of the problem by using a VPN: connect to the VPN first, then connect FileZilla. With that, even a plain connection works; I guess that's because the traffic is encrypted by the VPN altogether.