FTP over TLS / Plain FTP

#1 Post by StandardTool » 2018-08-29 15:15

Is it possible to have both users on a system, ones connecting as FTP over TLS and the others Plain FTP? I have enabled FTP over TLS, set my Passive custom port range, certificate set and have no issues connecting using FTP over TLS. However, with our China staff, they cannot have encryption through the Great China wall, so I have unchecked "Disallow plain FTP" and unchecked Force PROT P, but I cannot get those staff connecting; it simply gets stuck or times out on Directory listing.

I have tried myself and cannot connect using plain FTP; it never displays the directories. What am I doing wrong? Thank you.

Log on server:
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> Connected on port 21, sending welcome message...
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> AUTH SSL
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> 502 Explicit TLS authentication not allowed
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> AUTH TLS
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> 502 Explicit TLS authentication not allowed
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> USER username
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> 331 Password required for username
(000003)8/29/2018 10:57:57 AM - (not logged in) (x.x.x.x)> PASS ********
(000003)8/29/2018 10:57:57 AM - username (x.x.x.x)> 230 Logged on
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> PWD
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 257 "/" is current directory.
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> FEAT
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 211-Features:
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> MDTM
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> REST STREAM
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> SIZE
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> MLST type*;size*;modify*;
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> MLSD
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> UTF8
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> CLNT
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> MFMT
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> EPSV
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> EPRT
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 211 End
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> OPTS UTF8 ON
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 202 UTF8 mode is always enabled. No need to send this command.
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> PWD
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 257 "/" is current directory.
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> PASV
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 227 Entering Passive Mode

#2 Post by botg » 2018-08-29 15:51

The reply to the PASV command is incomplete. You have a piece of malware on your system that modifies the behavior of FileZilla Server, making it return incomplete replies.

#3 Post by StandardTool » 2018-08-29 19:13

I don't think it's a malware issue, but it's the same issue as the thread above mine regarding Plain FTP not using the custom ports, possibly. My firewall logs are showing that the ports being assigned are not the custom ports being forwarded.

#4 Post by boco » 2018-08-30 03:37

(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 227 Entering Passive Mode
That line is not complete; the IP and port proposed to the client are missing. Either you truncated the log (which you shouldn't), or it is really missing.

In any case, if the firewall/router tampers with the traffic, there's really not much we can do. You can try using a non-default port for FTP (not 21). Many routers enable the traffic tampering only for default service ports.
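The check described in post #4, as an added example that is not part of the original posts: a Python sketch that scans FileZilla Server log lines for 227 replies, flags any that lack the (h1,h2,h3,h4,p1,p2) tuple, and compares the advertised port with the passive range forwarded on the firewall. The function name, the sample lines after the first, and the 50000-50100 range are assumptions made for illustration.

```python
import ipaddress
import re

# Log layout seen in the thread: (session)date time - user (ip)> text
LOG_LINE = re.compile(r"^\((\d+)\).*?\)> (.*)$")
# RFC 959 passive reply payload: (h1,h2,h3,h4,p1,p2)
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_pasv_replies(log_text, port_range):
    """Return (session, status, host, port) for every 227 reply in the log."""
    low, high = port_range  # assumed passive range forwarded on the firewall
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m or not m.group(2).startswith("227 "):
            continue
        session, reply = m.groups()
        t = PASV_TUPLE.search(reply)
        if not t:  # the case in the thread: no address/port after the text
            findings.append((session, "incomplete", None, None))
            continue
        octets = [int(x) for x in t.groups()]
        if max(octets) > 255:
            findings.append((session, "malformed", None, None))
            continue
        host = ".".join(map(str, octets[:4]))
        port = octets[4] * 256 + octets[5]
        if not low <= port <= high:
            status = "port-outside-range"  # firewall forward will not match
        elif any(ipaddress.ip_address(host) in net for net in RFC1918):
            status = "private-address"  # unreachable from outside the NAT
        else:
            status = "ok"
        findings.append((session, status, host, port))
    return findings


# Constructed sample: the first line is the reply quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
(000003)8/29/2018 10:57:58 AM - username (x.x.x.x)> 227 Entering Passive Mode
(000004)8/29/2018 11:02:10 AM - username (x.x.x.x)> 227 Entering Passive Mode (203,0,113,10,195,90)
(000005)8/29/2018 11:03:41 AM - username (x.x.x.x)> 227 Entering Passive Mode (203,0,113,10,214,3)
(000006)8/29/2018 11:04:02 AM - username (x.x.x.x)> 227 Entering Passive Mode (192,168,1,20,195,91)
"""
if __name__ == "__main__":
    for finding in check_pasv_replies(SAMPLE_LOG, (50000, 50100)):
        print(finding)
```

Run it against the untruncated server log; comparing the result with a client-side log of the same session shows whether a device in between rewrote the reply.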

#5 Post by StandardTool » 2018-08-30 14:21

Thank you. I probably did truncate it when copying, but appreciate your suggestion. I will try the non-default port assignment and see if that does change, running the server behind a Sophos XG appliance. Just an FYI: when running just the non FTP over TLS, it works perfectly, but just when trying to combine the 2 types of connections, plain FTP fails but the other works flawlessly. Thanks again.

#6 Post by boco » 2018-08-30 15:32

FTP over TLS is end-to-end encryption. That means no device/software along the way can decrypt and read the traffic, let alone modify it. For the firewall/router (acting as man-in-middle), the traffic looks like binary gibberish. No way to modify FTP over TLS traffic (unless the encryption is broken).

#7 Post by sjgmbob » 2019-07-12 03:15

Is it possible to have both users on a system, ones connecting as FTP over TLS and the others Plain FTP? I have enabled FTP over TLS, set my Passive custom port range, certificate set and have no issues connecting using FTP over TLS. However, with our China staff, they cannot have encryption through the Great China wall, so I have unchecked "Disallow plain FTP" and unchecked Force PROT P, but I cannot get those staff connecting; it simply gets stuck or times out on Directory listing.
I use an encrypted connection. Initial connection works fine. Problem is constant connection interruption. :(

Update: I managed to get rid of the problem by using a VPN: connect to the VPN first, then connect FileZilla. With that, even a plain connection works. I guess that's because the traffic is encrypted by the VPN altogether.
