Koozali.org: home of the SME Server

FTP Access not possible

Offline umbi

FTP Access not possible
« on: December 22, 2022, 12:36:31 AM »
Hi, everyone

In the previous server, V9.2, I had FTP access to a chrooted directory, where I could upload a file via a script. smeserver-remoteuseraccess is installed on both servers.

With the V10 I made all the settings the same but I get the following error when connecting:

Passive mode address sent by server is not routable. Use the server address instead.

I tried to connect via ftp.domain.com and also by using the server's IP address (like I did in the past).

Maybe someone here knows what could be causing this problem?

Thanks in advance for the help :-)
« Last Edit: December 22, 2022, 12:54:41 AM by umbi »

Offline TerryF

Re: FTP Access not possible
« Reply #1 on: December 22, 2022, 12:53:09 AM »
Not a problem, by design. There are a number of posts here re SME10s and FTP; it requires more than just the server-manager setting to allow, and also needs settings on the client side.

As a start: https://forums.koozali.org/index.php/topic,54899.msg288855.html#msg288855

And another: https://forums.koozali.org/index.php/topic,54513.msg286072.html#msg286072
--
qui scribit bis legit

Offline TerryF

Re: FTP Access not possible
« Reply #2 on: December 22, 2022, 12:54:19 AM »
Should also add: some clients are easier/better to set up and use.
--
qui scribit bis legit

Offline umbi

Re: FTP Access not possible
« Reply #3 on: December 22, 2022, 01:08:59 AM »
Hi TerryF

Thank you for this fast answer.

The chrooted directory has only a file which is not accessible from outside (WAN).

tls mode ? = unknown to me; it is a PHP script uploading the file once a day
active/passive = I think in the past it was passive, so I need the same (but I read that only active mode is now possible?)
server behind NAT firewall = no, I have a router with a static address and port forwarding
server only / server-gateway = Server Only

The easiest for me is the old mode, like it worked in V9.2 in that chrooted directory; I guess it's jailed, so it should be more or less safe.

The port masquerading I did in the past with port forwarding, port xxx to 21 server side.

My script, which uploads from WAN, accepts host, user and pw.
Is there a howto for enabling the same FTP server access as I had on V9.2?

Thank you
« Last Edit: December 22, 2022, 02:34:29 AM by umbi »

Offline TerryF

Re: FTP Access not possible
« Reply #4 on: December 22, 2022, 06:14:20 AM »
What you are describing is TLS disabled = danger.

A good primer: https://winscp.net/eng/docs/ftp_modes

The TLS setting can be found in the config db.

E.g. default settings:

]# config show ftp
ftp=service
    LoginAccess=private
    TCPPort=21
    TLSEnable=on
    TLSRequired=on
    TLSVerifyClient=off
    access=private
    status=disabled
--
qui scribit bis legit

Offline umbi

Re: FTP Access not possible
« Reply #5 on: December 22, 2022, 10:52:37 AM »
Hi TerryF

I guess my right configuration must be:

]# config show ftp
ftp=service
    LoginAccess=private
    TCPPort=21
    TLSEnable=on
    TLSRequired= ***OFF***
    TLSVerifyClient=off
    access=private
    status=disabled

But if I understand right, you say FTP port masquerading by the router is not safe enough?
Do you have a better solution for me?

I really have no idea how to modify my FTP script, which uploads a daily file from WAN to the chrooted folder, to accept TLS.

Appreciating your help - Thanks!

Offline umbi

Re: FTP Access not possible
« Reply #6 on: December 22, 2022, 12:09:19 PM »
Hi

I have now tried a connection with FileZilla using sftp:// etc., but still the same error.

I tried ftps://domain1.com (has a valid SSL cert)
I tried sftp://domain1.com

Connection refused with the same error.

My question is: does the root domain pointing to the primary ibay need a valid SSL cert for access by FTP over TLS?

thx

Offline umbi

Re: FTP Access not possible
« Reply #7 on: December 22, 2022, 03:41:19 PM »
Update:

config show ftp
ftp=service
    LoginAccess=private
    TCPPort=21
    TLSEnable=on
    TLSRequired= OFF
    TLSVerifyClient=off
    access=private
    status=disabled

With FileZilla still no connection using the server's WAN IP, user and PW.

Is TLSEnable=on maybe also to be turned off?

I will leave it in this state only until I find out how I can reprogram my app for a TLS connection.
« Last Edit: December 22, 2022, 03:43:41 PM by umbi »

Offline TerryF

Re: FTP Access not possible
« Reply #8 on: December 22, 2022, 10:51:18 PM »
Away for a few days, no computer access; another may chip in for you.
--
qui scribit bis legit

Offline umbi

Re: FTP Access not possible
« Reply #9 on: December 22, 2022, 11:09:30 PM »
Good idea, my friend.

I take care of your words.

I close the vulnerable port now and enjoy my family, and look for another solution after Xmas, maybe a small Raspberry with FTP and then localhost data forward or similar.

Even if nobody could help me with this case, I am very grateful to you admins here for the work you are doing.

I wish you and your family all the best for Xmas and a happy new year.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: FTP Access not possible
« Reply #10 on: December 23, 2022, 01:34:58 AM »
Please keep TLS mandatory.

FTP in clear mode leaves all your passwords accessible in the clear over the internet or the LAN.
Also change any password that has been used with non-TLS FTP now.

TLS does not make it harder to configure. What makes it harder to configure is deciding active vs passive and routing the additional ports.
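
An added example, not part of any post in this thread: Python (standing in for the poster's PHP script, which is not shown) that decodes the server's PASV reply, detects the "not routable" case from the first post, and uploads over explicit FTPS with TLS left mandatory. The IP addresses, port numbers and function names are constructed for illustration.

```python
import ipaddress
import re
import ssl
from ftplib import FTP_TLS

# Ranges a WAN client cannot reach: RFC 1918, loopback, link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_endpoint(reply, control_ip):
    """Return (ip, port, substituted) for the passive data connection."""
    ip, port = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    peer = ipaddress.ip_address(control_ip)
    unreachable = any(addr in n for n in NON_ROUTABLE)
    peer_is_wan = not any(peer in n for n in NON_ROUTABLE)
    if unreachable and peer_is_wan:
        # Server advertised its LAN address to a WAN client:
        # fall back to the address the control connection used.
        return control_ip, port, True
    return ip, port, False


def upload_ftps(host, user, password, local_path, remote_name, port=21):
    """Explicit FTPS upload in passive mode (needs a live server)."""
    ctx = ssl.create_default_context()      # verifies the server certificate
    with FTP_TLS(context=ctx) as ftps:
        ftps.connect(host, port)
        ftps.login(user, password)          # sends AUTH TLS before USER/PASS
        ftps.prot_p()                       # encrypt the data channel too
        ftps.set_pasv(True)                 # passive ports must be forwarded
        with open(local_path, "rb") as fh:
            return ftps.storbinary("STOR " + remote_name, fh)
```

Even after the address is substituted, the data connection only succeeds if the router forwards the advertised passive port to the server, which is the "additional ports" point made above.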

Offline TerryF

Re: FTP Access not possible
« Reply #11 on: December 30, 2022, 01:21:25 AM »
What JP said :-)
--
qui scribit bis legit