FTP Illegal PORT command


I've set up proftpd to use ssl/tls. Trying to connect I get an 'Illegal PORT command'

Finding Host xxx.nl ...
Connecting to xxx.xxx.xxx.xxx:21
Connected to xxx.xxx.xxx.xxx:21 in 0.018001 seconds, Waiting for Server 
Initializing SSL Session ...
220 FTP Server ready.
234 AUTH TLS successful
SSL session NOT set for reuse
SSL Session Started.
Host type (1): AUTO
USER xxx
331 Password required for xxx
PASS (hidden)
230 User xxx logged in
215 UNIX Type: L8
Host type (2): Unix (Standard)
200 PBSZ 0 successful
200 Protection set to Private
257 "/" is the current directory
CWD /var/www/html/
250 CWD command successful
PWD257 "/var/www/html/" is the current directory
200 Type set to A
PORT 192,168,192,14,211,181
500 Illegal PORT command
Port failed 500 Illegal PORT command
227 Entering Passive Mode (xxx,xxx,xxx,xxx,160,151).
connecting data channel to xxx.xxx.xxx.xxx:160,151(41111)
Failed to connect data channel to xxx.xxx.xxx.xxx:160,151(41111)


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            /* 000 accept all icmp */
ACCEPT     all  --  anywhere             anywhere            /* 001 accept all to lo interface */
REJECT     all  --  anywhere             loopback/8          /* 002 reject local traffic not on loopback interface */ reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            /* 003 accept all to eth1 interface */
ACCEPT     all  --  anywhere             anywhere            /* 004 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            multiport ports ftp /* 021 allow ftp. */
ACCEPT     tcp  --  anywhere             anywhere            multiport ports ssh /* 022 allow ssh. */
ACCEPT     tcp  --  anywhere             anywhere            multiport ports smtp /* 025 allow smtp. */
ACCEPT     tcp  --  anywhere             anywhere            multiport ports pharos /* 051 allow rundeck. */
ACCEPT     tcp  --  anywhere             anywhere            multiport ports 8140 /* 814 allow puppetserver. */
ACCEPT     tcp  --  anywhere             anywhere            multiport ports http /* 080 allow http. */
ACCEPT     tcp  --  anywhere             anywhere            multiport ports https /* 443 allow https. */
DROP       all  --  anywhere             anywhere            /* 999 drop all */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Connecting via normal ftp works just fine…

I'm using WS_FTP with ftp-authssl//xxx.nl/…. I tried several other connection options, ports, etc. But all give the same error. Althoiugh it seems that sometimes a first directory listing is shown (but that might be caching of WS_FTP)

Best Answer

  • First note that the two final commands, PORT and PASV, have nothing to do with each other. They're two independent connection attempts (one for active FTP, one for passive FTP).

    So, your PORT failure is expected.

    The way PORT works (the "active FTP" mode) is by having the client send its own address to the server ā€“ the server connects back to you for data transfer.

    According to the logs, your client computer is behind a NAT and has a "private" IP address. That's the only address it knows, so that's what it sends with the PORT command.

    Usually, your router would recognize an FTP connection and sneakily edit the PORT command, replacing your private address with the router's own public one. (Or, if you're unlucky, it would replace it with garbage.)

    However, since your control connection is now encrypted using TLS, the router cannot perform this fixup (all it sees is encrypted data), and the server receives exactly what your client sends: your private address.

    Since the server is on another network, it cannot possibly reach a private address (that's the whole point of NAT). Although it doesn't even bother trying ā€“ for security reasons, most servers just immediately refuse any address that doesn't exactly match where the control connection came from.

    tl;dr Switch your FTP client to passive mode. Yes, your logs show passive mode (PASV) being broken as well. But at least it's somewhat fixable if your server has a dedicated public IP address, whereas active mode is not.

    What about PASV? Well, the problem is similar.

    Usually, your server's firewall would snoop on the FTP control connection, extract the temporary port from the "Entering passive mode (x,y,zā€¦)" reply, and mark it as belonging to a "RELATED" connection. Then your rule #004 would allow it.

    However, again, iptables cannot see through TLS (all it sees is encrypted data) and can no longer recognize your FTP data connections as related. So your connection just hits rule #999 and is dropped.

    To make PASV work, you will need to configure ProFTPd to use a specific range of passive ports (doesn't matter what range exactly), and tell iptables to allow connections to those ports.

  • Related Question