Plain Auth do not work, and Encrypted do

Aniodon
504 Command not implemented
Posts: 6
Joined: 2020-08-22 08:39

Plain Auth do not work, and Encrypted do

#1 Post by Aniodon » 2020-08-22 08:51

Hello,

I am currently migrating a working FZ server to a new datacenter.
I am on the same version of FZ. I used an export of the settings of FZ server.

I use passive communication, and wrote rules as for my previous server datacenter fw/nat.
In settings I wrote the new external IP.

It is installed on Windows Server 2019. Windows Firewall is off.

Now, if I connect through FileZilla client to the new server with Explicit, it works fine.
But if I connect with plain authentication, it does not work.

Does anyone have an idea where to start looking?
The issue is reproduced on two different clients.


Client log when using Plain auth :

Statut : Résolution de l'adresse de 82.65.62.137
Statut : Connexion à 82.65.62.137:21...
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 Bienvenue sur le Serveur FTP 82.65.62.137.
Statut : Le protocole FTP est non sécurisé. Basculez du protocole FTP au protocole TLS.
Commande : USER Oliver
Réponse : 331 Password required for Oliver
Commande : PASS *********
Réponse : 230 Logged on
Statut : Connecté
Statut : Récupération du contenu du dossier...
Commande : PWD
Réponse : 257 "/" is current directory.
Commande : TYPE I
Réponse : 200 Type set to I
Commande : PASV
Erreur : Connection interrompue après 20 secondes d'inactivité
Erreur : Impossible de récupérer le contenu du dossier


Server log :
(000025)22/08/2020 10:32:48 - (not logged in) (82.65.62.137)> Connected on port 21, sending welcome message...
(000025)22/08/2020 10:32:48 - (not logged in) (82.65.62.137)> USER Oliver
(000025)22/08/2020 10:32:48 - (not logged in) (82.65.62.137)> 331 Password required for Oliver
(000025)22/08/2020 10:32:48 - (not logged in) (82.65.62.137)> PASS *********
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 230 Logged on
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> PWD
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 257 "/" is current directory.
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> TYPE I
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 200 Type set to I
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> PASV
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 227 Entering Passive Mode (82.65.62.137,117,92)
(000025)22/08/2020 10:33:08 - 82.65.62.137(82.65.62.137)> disconnected.




Example of working comm on new server with Explicit :

Statut : Résolution de l'adresse de 82.65.62.137
Statut : Connexion à 82.65.62.137:21...
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 Bienvenue sur le Serveur FTP 82.65.62.137.
Commande : AUTH TLS
Réponse : 234 Using authentication type TLS
Statut : Initialisation de TLS...
Statut : Vérification du certificat...
Statut : Connexion TLS établie.
Commande : USER Oliver
Réponse : 331 Password required for Oliver
Commande : PASS *********
Réponse : 230 Logged on
Commande : PBSZ 0
Réponse : 200 PBSZ=0
Commande : PROT P
Réponse : 200 Protection level set to P
Statut : Connecté
Statut : Récupération du contenu du dossier...
Commande : PWD
Réponse : 257 "/" is current directory.
Commande : TYPE I
Réponse : 200 Type set to I
Commande : PASV
Réponse : 227 Entering Passive Mode (82.65.62.137,117,60)
Commande : MLSD
Réponse : 150 Opening data channel for directory listing of "/"
Réponse : 226 Successfully transferred "/"
Statut : Contenu du dossier "/" affiché avec succès
Last edited by Aniodon on 2020-08-24 08:25, edited 2 times in total.

botg
Site Admin
Posts: 33128
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Plain Auth do not work, and Encrypted do

#2 Post by botg » 2020-08-24 06:35

Unfortunately all diagnostic information has been removed from the log. Please post complete and unmodified logs.

My best guess would be rogue firewall or NAT router.


Re: Plain Auth do not work, and Encrypted do

#3 Post by Aniodon » 2020-08-24 07:52

botg wrote:
2020-08-24 06:35
Unfortunately all diagnostic information has been removed from the log. Please post complete and unmodified logs.

My best guess would be rogue firewall or NAT router.

Hello, I edited my post to paste the full logs.
Thanks in advance.


Re: Plain Auth do not work, and Encrypted do

#4 Post by botg » 2020-08-24 08:11

Are both client and server running on the very same machine?


Re: Plain Auth do not work, and Encrypted do

#5 Post by Aniodon » 2020-08-24 08:17

No, my client is on my ISP (at home), and the second client on which I tested is on my corporate network.

Both clients have the same issue: working on Explicit, and not working on Plain.


Re: Plain Auth do not work, and Encrypted do

#6 Post by Aniodon » 2020-08-24 09:17

For the record, I do manage the NAT / FW in front of the FileZilla server.

Is there anything different with ports between Plain and Explicit?

boco
Contributor
Posts: 25257
Joined: 2006-05-01 03:28
Location: Germany

Re: Plain Auth do not work, and Encrypted do

#7 Post by boco » 2020-08-24 10:03

No. FTPS is just using the TLS (Transport Layer Security) layer for encrypting the traffic end-to-end. Underneath, it's the same old FTP we all know and love. No differences in handling. What IS a problem is the level of tampering the firewalls and routers on the way can do. There is no way of tampering with encrypted traffic, but plain FTP can be read and modified along the way, even in malicious ways, without you ever knowing. That's why we strongly discourage plain FTP over any public routes.

Your firewall may try to modify IP or port information, usually you'll notice if comparing logs from client and server for the very same session. Turn off any special FTP handling the firewall might have. Try a port different from 21 (like 2100).
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###
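
The log comparison suggested in post #7, applied to the plain-FTP session from post #1, as an added example that is not part of any post in this thread or of FileZilla: it extracts each `227` reply from both logs and reports replies the server sent that the client never logged, or logged with a different address or port. The function names and the `REWRITTEN_CLIENT_LOG` sample are constructed for illustration; the other two excerpts are copied from post #1, and the default port range is the 30000-30050 mentioned in the thread.

```python
import re

# 227 reply with its host/port tuple. RFC 959 separates all six numbers with
# commas; the logs in this thread show the address with dots, so accept both.
PASV_RE = re.compile(
    r"\b227\b[^(\n]*\((\d+)[.,](\d+)[.,](\d+)[.,](\d+),(\d+),(\d+)\)")

def pasv_endpoints(log_text):
    """Return [(ip, port), ...] for each 227 reply in a log, in order."""
    found = []
    for m in PASV_RE.finditer(log_text):
        n = [int(x) for x in m.groups()]
        if max(n) <= 255:  # every field must fit in one octet
            found.append((".".join(map(str, n[:4])), n[4] * 256 + n[5]))
    return found

def compare_session(client_log, server_log, port_range=(30000, 30050)):
    """List differences between what the server sent and the client logged."""
    sent, seen = pasv_endpoints(server_log), pasv_endpoints(client_log)
    findings = []
    for i, (ip, port) in enumerate(sent):
        if not port_range[0] <= port <= port_range[1]:
            findings.append(f"port {port} is outside the configured range")
        if i >= len(seen):
            findings.append(f"227 for {ip}:{port} sent by server, "
                            "never logged by client")
        elif seen[i] != (ip, port):
            findings.append(f"227 rewritten: server sent {ip}:{port}, "
                            f"client logged {seen[i][0]}:{seen[i][1]}")
    return findings

# Excerpts copied from the plain-FTP session logs in post #1.
SERVER_LOG = """\
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> PASV
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 227 Entering Passive Mode (82.65.62.137,117,92)
(000025)22/08/2020 10:33:08 - 82.65.62.137(82.65.62.137)> disconnected.
"""
CLIENT_LOG = """\
Commande : PASV
Erreur : Connection interrompue après 20 secondes d'inactivité
"""
# Constructed sample: a client log in which the address was rewritten in transit.
REWRITTEN_CLIENT_LOG = "Réponse : 227 Entering Passive Mode (192,168,1,10,117,92)\n"

if __name__ == "__main__":
    for finding in compare_session(CLIENT_LOG, SERVER_LOG):
        print(finding)
```

The replies are paired by position, so both logs must cover the same session and nothing else.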


Re: Plain Auth do not work, and Encrypted do

#8 Post by Aniodon » 2020-08-24 10:33

boco wrote:
2020-08-24 10:03
No. FTPS is just using the TLS (Transport Layer Security) layer for encrypting the traffic end-to-end. Underneath, it's the same old FTP we all know and love. No differences in handling. What IS a problem is the level of tampering the firewalls and routers on the way can do. There is no way of tampering with encrypted traffic, but plain FTP can be read and modified along the way, even in malicious ways, without you ever knowing. That's why we strongly discourage plain FTP over any public routes.

Your firewall may try to modify IP or port information, usually you'll notice if comparing logs from client and server for the very same session. Turn off any special FTP handling the firewall might have. Try a port different from 21 (like 2100).
Hello boco and thanks,

I posted in my first post the logs you talked about: client and server in the same session.
No IP seems to be modified, and no port either (it is in the range I asked: 30000-30050).

The firewall is pfSense, and it is working in a simple way (no IDS/IPS or antivirus), the FTP helper is uninstalled, I just forward the ports through NAT. I do not see anything relevant to FTP security.


Re: Plain Auth do not work, and Encrypted do

#9 Post by boco » 2020-08-24 19:18

It does not need to be your firewall. Any firewall, router and other "network security" equipment can cause this. Unfortunately, it's very common among consumer devices.

Try to use port 2100 for testers. If plain will work with 2100 but not with 21, then it is definitely a malicious network device or software interfering (these do "work" only on 21).


Re: Plain Auth do not work, and Encrypted do

#10 Post by Aniodon » 2020-08-24 19:28

Hey,

Thanks, you are absolutely right, with 2100 everything is fine.
I do not know what would cause this.

Do you have any feedback with VMware NSX, or Windows 2019?
These are the two things changed from my old datacenter.
