Every site on the server has issues when I FTP. There is a login delay when I try to open the connection.
I think the issue has to do with "PASV failed", but I'm not sure how to fix it. My log:
[code:1]
*** CuteFTP 8.0 - build Aug 22 2006 ***
STATUS:> [12/21/2007 7:11:42 AM] Getting listing ""...
STATUS:> [12/21/2007 7:11:43 AM] Connecting to FTP server... 111.111.111.111:21 (ip = 111.111.111.111)...
STATUS:> [12/21/2007 7:11:44 AM] Socket connected. Waiting for welcome message...
[12/21/2007 7:11:44 AM] 220 FTP Server ready.
STATUS:> [12/21/2007 7:11:44 AM] Connected. Authenticating...
COMMAND:> [12/21/2007 7:11:45 AM] USER user_name
[12/21/2007 7:11:45 AM] 331 Password required for user_name.
COMMAND:> [12/21/2007 7:11:45 AM] PASS *****
[12/21/2007 7:11:45 AM] 230 User user_name logged in.
STATUS:> [12/21/2007 7:11:45 AM] Login successful.
COMMAND:> [12/21/2007 7:11:45 AM] PWD
[12/21/2007 7:11:45 AM] 257 "/" is current directory.
STATUS:> [12/21/2007 7:11:45 AM] Home directory: /
COMMAND:> [12/21/2007 7:11:45 AM] FEAT
[12/21/2007 7:11:45 AM] Informational Message Only: 211-Features: MDTM REST STREAM SIZE 211 End
STATUS:> [12/21/2007 7:11:45 AM] This site supports features.
STATUS:> [12/21/2007 7:11:45 AM] This site supports SIZE.
STATUS:> [12/21/2007 7:11:45 AM] This site can resume broken downloads.
COMMAND:> [12/21/2007 7:11:46 AM] REST 0
[12/21/2007 7:11:46 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
COMMAND:> [12/21/2007 7:11:46 AM] PASV
[12/21/2007 7:11:46 AM] 227 Entering Passive Mode (207,190,241,114,93,235).
COMMAND:> [12/21/2007 7:11:46 AM] LIST
STATUS:> [12/21/2007 7:11:46 AM] Connecting FTP data socket... 111.111.111.111:24043...
ERROR:> [12/21/2007 7:12:07 AM] Can't connect to remote server. Socket error = #10065.
ERROR:> [12/21/2007 7:12:07 AM] PASV failed, trying PORT.
STATUS:> [12/21/2007 7:12:07 AM] Waiting 0 seconds...
STATUS:> [12/21/2007 7:12:07 AM] Getting listing "/"...
STATUS:> [12/21/2007 7:12:07 AM] Connecting to FTP server... 111.111.111.111:21 (ip = 111.111.111.111)...
STATUS:> [12/21/2007 7:12:07 AM] Socket connected. Waiting for welcome message...
[12/21/2007 7:12:07 AM] 220 FTP Server ready.
STATUS:> [12/21/2007 7:12:08 AM] Connected. Authenticating...
COMMAND:> [12/21/2007 7:12:08 AM] USER user_name
[12/21/2007 7:12:08 AM] 331 Password required for user_name.
COMMAND:> [12/21/2007 7:12:08 AM] PASS *****
[12/21/2007 7:12:08 AM] 230 User user_name logged in.
STATUS:> [12/21/2007 7:12:08 AM] Login successful.
COMMAND:> [12/21/2007 7:12:08 AM] PWD
[12/21/2007 7:12:08 AM] 257 "/" is current directory.
STATUS:> [12/21/2007 7:12:08 AM] Home directory: /
STATUS:> [12/21/2007 7:12:08 AM] This site supports features.
STATUS:> [12/21/2007 7:12:08 AM] This site supports SIZE.
STATUS:> [12/21/2007 7:12:08 AM] This site can resume broken downloads.
COMMAND:> [12/21/2007 7:12:08 AM] REST 0
[12/21/2007 7:12:08 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
COMMAND:> [12/21/2007 7:12:08 AM] PORT 111,111,111,111,15,173
[12/21/2007 7:12:08 AM] 200 PORT command successful
COMMAND:> [12/21/2007 7:12:08 AM] LIST
[12/21/2007 7:12:08 AM] 150 Opening ASCII mode data connection for file list
[12/21/2007 7:12:09 AM] 226 Transfer complete.
STATUS:> [12/21/2007 7:12:10 AM] Directory listing completed.
[/code:1]
How can I fix "PASV failed" at the server level?
Anytime you see slow logins, it's almost certainly DNS. The PASV thing might be an issue, but I bet it isn't.
Try turning off IdentLookups and UseReverseDNS in proftpd.conf, and restarting ProFTPd.
--
Check out the forum guidelines!
This is my config file. As you can see, lookups are off already:
[code:1]
# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off
# Use this to exclude users from the chroot
DefaultRoot ~ !adm
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# Default to show dot files in directory listings
ListOptions "-a"
# See Configuration.html for these (here are the default values)
#MultilineRFC2228 off
#RootLogin off
#LoginPasswordPrompt on
#MaxLoginAttempts 3
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP
# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20
# Set the user and group that the server normally runs at.
User nobody
Group nobody
# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile no
# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score
# Normally, we want users to do a few things.
<Global>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
[/code:1]
I changed this to ON and restarted the service:
[code:1]
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS ON
[/code:1]
and I still have this error:
[code:1]
COMMAND:> [12/22/2007 7:54:39 AM] REST 0
[12/22/2007 7:54:39 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
COMMAND:> [12/22/2007 7:54:39 AM] PASV
[12/22/2007 7:54:39 AM] 227 Entering Passive Mode (111,111,111,111,111,111).
COMMAND:> [12/22/2007 7:54:39 AM] LIST
STATUS:> [12/22/2007 7:54:39 AM] Connecting FTP data socket... 111.111.111.111:35957...
ERROR:> [12/22/2007 7:55:00 AM] Can't connect to remote server. Socket error = #10065.
ERROR:> [12/22/2007 7:55:00 AM] PASV failed, trying PORT.
STATUS:> [12/22/2007 7:55:00 AM] Waiting 0 seconds...
STATUS:> [12/22/2007 7:55:00 AM] Getting listing "/"...
STATUS:> [12/22/2007 7:55:00 AM] Connecting to FTP server... 111.111.111.111:21 (ip = 111.111.111.111)...
STATUS:> [12/22/2007 7:55:00 AM] Socket connected. Waiting for welcome message...
[12/22/2007 7:55:01 AM] 220 FTP Server ready.
STATUS:> [12/22/2007 7:55:01 AM] Connected. Authenticating...
[/code:1]
Anyone?
Why would you turn ReverseDNS on, when I suggested turning it OFF? I just wanted to make sure you weren't waiting on DNS timeouts before embarking on more complicated procedures. ;-)
To get rid of the PASV errors, you'll want to open up the high ports on your server...you may still have problems, if there is a firewall or a poorly behaved NAT device between the client and server.
I usually just open all high ports, but you may prefer something like the default rule on Red Hat systems that allows "RELATED" connections.
My iptables rules include opening all high ports:
iptables -I INPUT -p tcp --dport 1024:65535 -j ACCEPT
Or, if you prefer to make it open only for related connections:
iptables -I INPUT -p tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
Actually, I use a rule like that for all ports:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Remember to save your changes, once you've got a rule set you like, which can usually be done with:
iptables-save
SUSE is a notable exception to this...and Debian/Ubuntu use a variety of iptables configuration files, and I'm not entirely sure how to use them...they aren't very well documented. Red Hat based systems can always use "service iptables save" and the right thing will happen, no matter what version you're using (as long as you aren't using some non-standard firewall scripts).
You can, of course, add rules like this in the Webmin Linux Firewall module. It makes getting the syntax right a lot easier, and also generally knows the right way to save stuff to your iptables configuration file(s), including on Debian/Ubuntu, where it is quite intimidating to figure out...but it's harder to describe in a forum post.
--
Check out the forum guidelines!
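The reply above opens the whole high port range so that whichever data port the server picks will get through. A narrower defender-side fix is to pin the passive range in ProFTPD and open only that range; the script below is an added example written for this thread (not code from the forum or from the ProFTPD project) that decodes a client's 227 reply, checks it against the server config, and prints the matching firewall rule. PassivePorts and MasqueradeAddress are real ProFTPD directives; the "hardened" config, the 203.0.113.x addresses (a documentation range) and the 49152-65534 range are constructed for the example. The 227 line from the thread's log is used as one sample input: its advertised address differs from the (redacted) control address in that log, so the checker flags it, which in a real capture is the symptom of a server behind NAT advertising its private address.

```python
"""Check an FTP client's PASV (227) reply against the ProFTPD passive-mode
configuration to explain "PASV failed" errors.

Added example for this thread, not code from the forum or from ProFTPD.
PassivePorts and MasqueradeAddress are real directives; the hardened config,
the 203.0.113.x addresses and the 49152-65534 range are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2) -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(
    r"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# 227 reply copied from the CuteFTP log posted in this thread (the poster
# redacted the control address to 111.111.111.111 but left the reply as sent).
THREAD_PASV_LINE = "[12/21/2007 7:11:46 AM] 227 Entering Passive Mode (207,190,241,114,93,235)."
THREAD_CONTROL_HOST = "111.111.111.111"

# Excerpt of the proftpd.conf posted in the thread: no PassivePorts, no MasqueradeAddress.
THREAD_CONF_EXCERPT = """\
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off
Port 21
"""

# Constructed hardened config: pin the passive range so the firewall can admit
# exactly that range instead of all of 1024-65535 (203.0.113.0/24 is a
# documentation range, not a real host).
HARDENED_CONF = """\
Port 21
PassivePorts 49152 65534        # data connections land only in this range
MasqueradeAddress 203.0.113.10  # public address to advertise when behind NAT
"""
HARDENED_CONTROL_HOST = "203.0.113.10"
# Constructed reply consistent with the hardened config: 195*256 + 80 = 50000
GOOD_PASV_LINE = "227 Entering Passive Mode (203,0,113,10,195,80)."


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Decode a 227 reply into (host, port); rejects out-of-range octets."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError(f"no 227 passive reply in: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in 227 reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_passive_config(conf: str) -> Dict[str, Optional[object]]:
    """Extract PassivePorts and MasqueradeAddress from proftpd.conf text.
    Directive names are case-insensitive; '#' starts a comment."""
    cfg: Dict[str, Optional[object]] = {"passive_ports": None, "masquerade": None}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "passiveports" and len(parts) == 3:
            lo, hi = int(parts[1]), int(parts[2])
            if not (1024 <= lo <= hi <= 65535):
                raise ValueError(f"bad PassivePorts range: {raw.strip()}")
            cfg["passive_ports"] = (lo, hi)
        elif key == "masqueradeaddress" and len(parts) == 2:
            cfg["masquerade"] = parts[1]
    return cfg


def diagnose(control_host: str, pasv_line: str, conf: str) -> List[str]:
    """Return findings; an empty list means the reply matches the config and
    the firewall only needs the pinned range open."""
    findings: List[str] = []
    host, port = parse_pasv_reply(pasv_line)
    rng = parse_passive_config(conf)["passive_ports"]
    if host != control_host:
        findings.append(
            f"227 reply advertises {host} but the control connection went to "
            f"{control_host}: clients that honour the reply will connect to the wrong "
            "address (server behind NAT without a correct MasqueradeAddress)")
    if rng is None:
        findings.append(
            f"no PassivePorts directive: data port {port} was picked from the whole "
            "ephemeral range, so the firewall must accept 1024:65535 or track "
            "RELATED,ESTABLISHED; set PassivePorts to pin a smaller range")
    else:
        lo, hi = rng
        if not lo <= port <= hi:
            findings.append(
                f"data port {port} is outside PassivePorts {lo}-{hi}: the running "
                "server is not using this config (restart it or check which file is loaded)")
    return findings


def firewall_rule(conf: str) -> str:
    """iptables INPUT rule in the same form as the thread's, narrowed to the
    pinned passive range (falls back to the full high range if none is set)."""
    rng = parse_passive_config(conf)["passive_ports"]
    lo, hi = rng if rng else (1024, 65535)
    return f"iptables -I INPUT -p tcp --dport {lo}:{hi} -j ACCEPT"


if __name__ == "__main__":
    for label, host, line, conf in [
        ("thread", THREAD_CONTROL_HOST, THREAD_PASV_LINE, THREAD_CONF_EXCERPT),
        ("hardened", HARDENED_CONTROL_HOST, GOOD_PASV_LINE, HARDENED_CONF),
    ]:
        print(f"== {label}: advertised {parse_pasv_reply(line)}")
        for f in diagnose(host, line, conf) or ["no passive-mode problems found"]:
            print("  -", f)
        print("  firewall:", firewall_rule(conf))
```

Run it as-is to see both cases; to check a real server, paste the 227 line from your client log and the relevant lines of your proftpd.conf into the constants. Pinning PassivePorts keeps the listening surface to a known range, and if the server sits behind NAT the MasqueradeAddress must be the address clients actually reach, otherwise the 227 reply sends them to an unroutable private address.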