Fix FTP over TLS errors on Ubuntu in CyberPanel

FTP, or File Transfer Protocol, is used to transfer files to servers or your website from your own computers, mobiles or other servers. It’s as old as the internet itself; however, we live in a world full of cybersecurity issues.

To ensure that your credentials aren’t snooped on by malicious actors during authentication, CyberPanel uses FTP over TLS, which encrypts both the authentication mechanism and the file transfer.

This is the default option, and CyberPanel automatically upgrades connections from FTP to FTP over TLS, using passive ports in the range 40110-40210.

However, sometimes the passive ports aren’t open or the configuration is missing, which causes errors like these:

Error:        GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status:      Server did not properly shut down TLS connection
Error:        Could not read from socket: ECONNABORTED - Connection aborted
Error:        Could not connect to server

Or

Status:Retrieving directory listing...
Command:PWD
Response:257 "/" is your current location
Command:TYPE I
Response:200 TYPE is now 8-bit binary
Command:PASV
Response:227 Entering Passive Mode (37,139,17,170,252,238)
Command:MLSD
Error:Connection timed out after 20 seconds of inactivity
Error:Failed to retrieve directory listing

The issue has been fixed at the code level; however, if you are using an older version of CyberPanel (which should be updated anyway) or a marketplace image of CyberPanel on Ubuntu 18.04, the issue can be fixed by running the following commands in your terminal:

    1. Open the passive ports
    2. Download the updated version of Pure-FTPd
    3. Install the latest version
    4. Restart the FTP server

echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-common_1.0.47-3_all.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-mysql_1.0.47-3_amd64.deb
dpkg --install --force-confold pure-ftpd-common_1.0.47-3_all.deb
dpkg --install --force-confold pure-ftpd-mysql_1.0.47-3_amd64.deb
systemctl restart pure-ftpd-mysql.service

Voilà, the issue will be fixed and you will be able to transfer your files with peace of mind and a sense of security.

Hi Mr. Usman,
I have installed CyberPanel on Ubuntu Server 20.04 and created the FTP user, but I am not able to log in.
I tried your advice as you mentioned, but no luck; I have the ERROR below:

Status: Connection established, waiting for welcome message…
Status: Initializing TLS…
Status: Verifying certificate…
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing…
Command: PWD
Response: 257 / is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (122,174,162,131,156,184)
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server

I checked the server status of pure-ftpd; it is below for your reference:
root@srv1-zebrando:~# systemctl status pure-ftpd-mysql.service
● pure-ftpd-mysql.service
Loaded: loaded (/etc/init.d/pure-ftpd-mysql; generated)
Active: active (running) since Mon 2021-11-15 18:11:19 IST; 10min ago
Docs: man:systemd-sysv-generator(8)
Process: 5752 ExecStart=/etc/init.d/pure-ftpd-mysql start (code=exited, status=0/SUCCESS)
Tasks: 7 (limit: 2269)
Memory: 5.9M
CGroup: /system.slice/pure-ftpd-mysql.service
├─5731 pure-ftpd (IDLE)
├─5732 pure-ftpd (PRIV)
├─5762 pure-ftpd (SERVER)
├─5771 pure-ftpd (IDLE)
├─5772 pure-ftpd (PRIV)
├─5785 pure-ftpd (IDLE)
└─5786 pure-ftpd (PRIV)

Nov 15 18:12:37 srv1-zebrando pure-ftpd[5771]: (?@abts-tn-dynamic-131.162.174.122.airtelbroadband.in) [INFO] SNI: [panel.zebrando.com]
Nov 15 18:12:37 srv1-zebrando pure-ftpd[5771]: (?@abts-tn-dynamic-131.162.174.122.airtelbroadband.in) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 15 18:12:37 srv1-zebrando pure-ftpd[5771]: (?@abts-tn-dynamic-131.162.174.122.airtelbroadband.in) [INFO] admin_ftp is now logged in
Nov 15 18:12:57 srv1-zebrando pure-ftpd[5785]: (?@abts-tn-dynamic-131.162.174.122.airtelbroadband.in) [INFO] New connection from abts-tn-dynamic-131.162.174.122.airtelbroadband.in
Nov 15 18:12:57 srv1-zebrando pure-ftpd[5785]: (?@abts-tn-dynamic-131.162.174.122.airtelbroadband.in) [INFO] SNI: [panel.zebrando.com]
Nov 15 18:12:57 srv1-zebrando pure-ftpd[5785]: (?@abts-tn-dynamic-131.162.174.122.airtelbroadband.in) [INFO] SNI: [panel.zebrando.com]
Nov 15 18:12:57 srv1-zebrando pure-ftpd[5785]: (?@abts-tn-dynamic-131.162.174.122.airtelbroadband.in) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 15 18:12:57 srv1-zebrando pure-ftpd[5785]: (?@abts-tn-dynamic-131.162.174.122.airtelbroadband.in) [INFO] admin_ftp is now logged in
Nov 15 18:20:24 srv1-zebrando pure-ftpd[4922]: ([email protected]) [INFO] Timeout
Nov 15 18:20:44 srv1-zebrando pure-ftpd[4924]: ([email protected]) [INFO] Timeout
root@srv1-zebrando:~#

Please guide me to fix this.

Thanks for your kind support!
Sathish

Hi Mr. Usman,

I have solved this issue, but I’ve made a mistake as explained below:

If the IP address in the 227 response to the PASV command does not match the actual FTP server IP address, the server is misconfigured.

This usually happens when the server is not aware of its external IP address and reports its internal IP address.

So I have used the commands below on the server to resolve this issue by adding my server’s local IP:

However, the fixing steps are as below:

Step (1) - Set the ForcePassiveIP option: echo "172.16.1.136" > /etc/pure-ftpd/conf/ForcePassiveIP

Step (2) - Restart the PureFTP service: service pure-ftpd restart


That’s all.
Thank you again and best regards.
Sathish
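
Both failing transcripts above turn on the 227 reply: its first four numbers are the address the client is told to connect to, and the last two encode the data port as p1 × 256 + p2. The following is an added example, not code from the article or the commenters, that decodes the two replies on this page and checks them against the 40110-40210 range; the control addresses passed in are assumptions.

```python
import ipaddress
import re

PASSIVE_RANGE = (40110, 40210)  # the range the article writes to PassivePortRange
TUPLE_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# 227 replies copied from the two client transcripts on this page.
ARTICLE_REPLY = "227 Entering Passive Mode (37,139,17,170,252,238)"
COMMENT_REPLY = "227 Entering Passive Mode (122,174,162,131,156,184)"


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply of the form (h1,h2,h3,h4,p1,p2)."""
    match = TUPLE_RE.search(reply)
    if not reply.lstrip().startswith("227") or match is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in match.groups()]
    if max(fields) > 255:
        raise ValueError(f"field out of range in: {reply!r}")
    ip = ".".join(str(octet) for octet in fields[:4])
    return ip, fields[4] * 256 + fields[5]  # port = p1 * 256 + p2


def diagnose(reply, control_ip, passive_range=PASSIVE_RANGE):
    """Return a list of findings; an empty list means the reply looks sane."""
    ip, port = parse_pasv(reply)
    low, high = passive_range
    findings = []
    if not low <= port <= high:
        findings.append(f"port {port} is outside {low}-{high}: PassivePortRange not applied")
    if ip != control_ip:
        findings.append(f"advertised {ip} differs from control address {control_ip}")
    if ipaddress.ip_address(ip).is_private:
        findings.append(f"{ip} is a private address, reachable only from the same network")
    return findings


if __name__ == "__main__":
    # Assumption: the article's client connected to 37.139.17.170.
    # 203.0.113.10 is a constructed placeholder for the commenter's server address.
    for reply, control_ip in ((ARTICLE_REPLY, "37.139.17.170"),
                              (COMMENT_REPLY, "203.0.113.10")):
        print(parse_pasv(reply), diagnose(reply, control_ip) or "ok")
```

The article's reply decodes to port 64750, outside the configured range, while the commenter's decodes to 40120, inside it, so in the second case the firewall rule for the range and the advertised address are the things left to check.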

Thanks, @usmannasir !

How can we verify in either the client transcript or server logs that a connection has been auto-negotiated to use TLS, rather than falling back on insecure classic FTP?

Thanks.

By issuing valid SSL on the corresponding domain.

But the legacy clients will still connect via insecure FTP if they can’t auto-negotiate TLS? But how to tell if a secure or insecure connection is being used?

But what exactly is the concern? I am a little confused about your use case here. Are you not able to connect to FTP?

Concern is whether a secure connection is established or whether it’s unencrypted!

That is shown when you connect to FTP inside the FTP software you use. The display panel in the FTP software shows all this information while connecting.

OK, great. What line of the FTP log should we pay attention to in order to know if it’s secure or not?
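
One way to answer this from the server side, as an added example that is not part of the original thread: in the pure-ftpd log posted earlier, each TLS session logs a `TLS: Enabled ...` line before `<user> is now logged in`, so a login with no such line under the same process ID was made in cleartext. The sample lines are constructed in that format, and the code assumes one pure-ftpd process per session, as the PIDs in the posted log suggest.

```python
import re

# Shape of the pure-ftpd syslog lines posted in the comment above.
LINE_RE = re.compile(r"pure-ftpd\[(?P<pid>\d+)\]: \([^)]*\) \[INFO\] (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
TLS_PREFIX = "TLS: Enabled "

# Constructed sample modelled on those lines. PID 6001 is a constructed
# cleartext session: it logs in without any "TLS: Enabled" line.
SAMPLE = """\
Nov 15 18:12:37 srv1 pure-ftpd[5771]: (?@client.example) [INFO] New connection from client.example
Nov 15 18:12:37 srv1 pure-ftpd[5771]: (?@client.example) [INFO] SNI: [panel.example]
Nov 15 18:12:37 srv1 pure-ftpd[5771]: (?@client.example) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 15 18:12:37 srv1 pure-ftpd[5771]: (?@client.example) [INFO] admin_ftp is now logged in
Nov 15 18:14:02 srv1 pure-ftpd[6001]: (?@legacy.example) [INFO] New connection from legacy.example
Nov 15 18:14:03 srv1 pure-ftpd[6001]: (?@legacy.example) [INFO] legacy_user is now logged in
""".splitlines()


def audit_logins(lines):
    """Return (pid, user, tls) per login; tls is None when no TLS line preceded it."""
    tls_by_pid = {}
    logins = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("New connection from"):
            tls_by_pid.pop(pid, None)  # a reused PID starts a fresh session
        elif msg.startswith(TLS_PREFIX):
            tls_by_pid[pid] = msg[len(TLS_PREFIX):]
        elif (login := LOGIN_RE.match(msg)):
            logins.append((pid, login["user"], tls_by_pid.get(pid)))
    return logins


def cleartext_logins(lines):
    """Logins to investigate. Feed complete logs: a truncated window that
    starts after the TLS line would make a TLS session look like cleartext."""
    return [(pid, user) for pid, user, tls in audit_logins(lines) if tls is None]


if __name__ == "__main__":
    for pid, user, tls in audit_logins(SAMPLE):
        print(pid, user, tls or "NO TLS (cleartext login)")
```

In the client transcript posted above, the equivalent signal is `Status: TLS connection established.` appearing before `Status: Logged in`. Setting Pure-FTPd's TLS option to 2 makes the server refuse cleartext logins outright, which removes the fallback.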