Plain Auth do not work, and Encrypted do
Hello,
I am currently migrating a working FZ server to a new datacenter.
I am on the same version of FZ. I used an export of the settings of the FZ server.
I use passive communication, and wrote rules as for my previous server datacenter FW/NAT.
In settings I wrote the new external IP.
It is installed on Windows Server 2019. Windows Firewall is off.
Now, if I connect through the FileZilla client to the new server with Explicit, it works fine.
But if I connect with plain authentication, it does not work.
Does anyone have an idea where to start looking?
The issue is reproduced on two different clients.
Client log when using Plain auth:
Statut : Résolution de l'adresse de 82.65.62.137
Statut : Connexion à 82.65.62.137:21...
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 Bienvenue sur le Serveur FTP 82.65.62.137.
Statut : Le protocole FTP est non sécurisé. Basculez du protocole FTP au protocole TLS.
Commande : USER Oliver
Réponse : 331 Password required for Oliver
Commande : PASS *********
Réponse : 230 Logged on
Statut : Connecté
Statut : Récupération du contenu du dossier...
Commande : PWD
Réponse : 257 "/" is current directory.
Commande : TYPE I
Réponse : 200 Type set to I
Commande : PASV
Erreur : Connection interrompue après 20 secondes d'inactivité
Erreur : Impossible de récupérer le contenu du dossier
Server log:
(000025)22/08/2020 10:32:48 - (not logged in) (82.65.62.137)> Connected on port 21, sending welcome message...
(000025)22/08/2020 10:32:48 - (not logged in) (82.65.62.137)> USER Oliver
(000025)22/08/2020 10:32:48 - (not logged in) (82.65.62.137)> 331 Password required for Oliver
(000025)22/08/2020 10:32:48 - (not logged in) (82.65.62.137)> PASS *********
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 230 Logged on
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> PWD
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 257 "/" is current directory.
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> TYPE I
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 200 Type set to I
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> PASV
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 227 Entering Passive Mode (82.65.62.137,117,92)
(000025)22/08/2020 10:33:08 - 82.65.62.137(82.65.62.137)> disconnected.
Example of working comm on new server with Explicit:
Statut : Résolution de l'adresse de 82.65.62.137
Statut : Connexion à 82.65.62.137:21...
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 Bienvenue sur le Serveur FTP 82.65.62.137.
Commande : AUTH TLS
Réponse : 234 Using authentication type TLS
Statut : Initialisation de TLS...
Statut : Vérification du certificat...
Statut : Connexion TLS établie.
Commande : USER Oliver
Réponse : 331 Password required for Oliver
Commande : PASS *********
Réponse : 230 Logged on
Commande : PBSZ 0
Réponse : 200 PBSZ=0
Commande : PROT P
Réponse : 200 Protection level set to P
Statut : Connecté
Statut : Récupération du contenu du dossier...
Commande : PWD
Réponse : 257 "/" is current directory.
Commande : TYPE I
Réponse : 200 Type set to I
Commande : PASV
Réponse : 227 Entering Passive Mode (82.65.62.137,117,60)
Commande : MLSD
Réponse : 150 Opening data channel for directory listing of "/"
Réponse : 226 Successfully transferred "/"
Statut : Contenu du dossier "/" affiché avec succès
Last edited by Aniodon on 2020-08-24 08:25, edited 2 times in total.
Re: Plain Auth do not work, and Encrypted do
Unfortunately all diagnostic information has been removed from the log. Please post complete and unmodified logs.
My best guess would be rogue firewall or NAT router.
Re: Plain Auth do not work, and Encrypted do
Are both client and server running on the very same machine?
Re: Plain Auth do not work, and Encrypted do
No, my client is on my ISP (at home), and the second client on which I tested is on my corporate network.
Both clients have the same issue: working on Explicit, and not working on Plain.
Re: Plain Auth do not work, and Encrypted do
For the record, I do manage the NAT / FW in front of the FileZilla server.
Is there anything different with ports between Plain and Explicit?
Re: Plain Auth do not work, and Encrypted do
No. FTPS is just using the TLS (Transport Layer Security) layer for encrypting the traffic end-to-end. Underneath, it's the same old FTP we all know and love. No differences in handling. What IS a problem is the level of tampering the firewalls and routers on the way can do. There is no way of tampering with encrypted traffic, but plain FTP can be read and modified along the way, even in malicious ways, without you ever knowing. That's why we strongly discourage plain FTP over any public routes.
Your firewall may try to modify IP or port information, usually you'll notice if comparing logs from client and server for the very same session. Turn off any special FTP handling the firewall might have. Try a port different from 21 (like 2100).
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
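The client/server log comparison suggested above, as an added example that is not part of the original thread or of FileZilla: it extracts the 227 reply from each side of one session and reports whether it was dropped or rewritten on the way. The function names and the passive range passed in (30000-30050, the range the poster mentions in the thread) are assumptions of the example.

```python
import re

# 227 reply; dots between the address octets are tolerated because the
# logs posted in the thread show the address that way.
PASV_RE = re.compile(r"\b227 [^(]*\((\d+)[.,](\d+)[.,](\d+)[.,](\d+),(\d+),(\d+)\)")

def pasv_endpoints(log):
    """Return [(ip, port), ...] for every 227 reply in a client or server log."""
    found = []
    for m in PASV_RE.finditer(log):
        *host, p1, p2 = m.groups()
        found.append((".".join(host), int(p1) * 256 + int(p2)))
    return found

def diagnose(client_log, server_log, passive_range):
    """Compare the PASV exchange of one session as each side recorded it."""
    sent, seen = pasv_endpoints(server_log), pasv_endpoints(client_log)
    low, high = passive_range
    findings = []
    for i, (ip, port) in enumerate(sent):
        if not low <= port <= high:
            findings.append(f"port {port} is outside the forwarded range {low}-{high}")
        if i >= len(seen):
            findings.append(f"227 for {ip}:{port} sent by server, never seen by client")
        elif seen[i] != (ip, port):
            findings.append(f"227 rewritten in transit: {ip}:{port} -> {seen[i][0]}:{seen[i][1]}")
    return findings

# Excerpts of the failing plain-FTP session, copied from the first post.
SERVER_LOG = """\
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> PASV
(000025)22/08/2020 10:32:48 - 82.65.62.137(82.65.62.137)> 227 Entering Passive Mode (82.65.62.137,117,92)
(000025)22/08/2020 10:33:08 - 82.65.62.137(82.65.62.137)> disconnected.
"""
CLIENT_LOG = """\
Commande : PASV
Erreur : Connection interrompue après 20 secondes d'inactivité
"""

if __name__ == "__main__":
    for finding in diagnose(CLIENT_LOG, SERVER_LOG, (30000, 30050)):
        print(finding)
```

On the posted logs the server records the 227 reply but the client log never shows it, which points at a device on the path dropping the reply on the control connection rather than at a blocked data port.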
Re: Plain Auth do not work, and Encrypted do
Hello boco and thanks,
boco wrote (2020-08-24 10:03):
No. FTPS is just using the TLS (Transport Layer Security) layer for encrypting the traffic end-to-end. Underneath, it's the same old FTP we all know and love. No differences in handling. What IS a problem is the level of tampering the firewalls and routers on the way can do. There is no way of tampering with encrypted traffic, but plain FTP can be read and modified along the way, even in malicious ways, without you ever knowing. That's why we strongly discourage plain FTP over any public routes.
Your firewall may try to modify IP or port information, usually you'll notice if comparing logs from client and server for the very same session. Turn off any special FTP handling the firewall might have. Try a port different from 21 (like 2100).
I posted in my first post the logs you talked about: client and server in the same session.
No IP seems to be modified, and no port either (it is in the range I asked for: 30000-30050).
The firewall is pfSense, and it is working in a simple way (no IDS/IPS or antivirus); the FTP helper is uninstalled, I just forward the ports through NAT. I do not see anything relevant to FTP security.
Re: Plain Auth do not work, and Encrypted do
It does not need to be your firewall. Any firewall, router and other "network security" equipment can cause this. Unfortunately, it's very common among consumer devices.
Try to use port 2100 for testers. If plain will work with 2100 but not with 21, then it is definitely a malicious network device or software interfering (these do "work" only on 21).
Re: Plain Auth do not work, and Encrypted do
Hey,
Thanks, you are absolutely right, with 2100 everything is fine.
I do not know what would cause this.
Do you have any feedback with VMware NSX, or Windows 2019?
These are the two things changed from my old datacenter.