Pure-FTPd Error: Failed to retrieve directory listing

Running CyberPanel Version 2.0 Build 3 on Ubuntu 20.04.2 LTS. Clean install.

When I try to connect as an FTP user, I cannot get it to list directories. I have enabled debug on pure-ftpd to see if there are any useful errors, and the first one was:

[DEBUG] Couldn't load the DH parameters file /etc/ssl/private/pure-ftpd-dhparams.pem

I fixed that with
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

And restarted
systemctl restart pure-ftpd-mysql

Still cannot list directories.

The server is available on port 21; if I telnet to the IP address of the server I get this:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 15:22. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

So I have connectivity to the server via port 21.

If I look at the debug log I can see that I am successfully authenticated; it just won't go any further than that.
Anonymized log from FileZilla:
Status: Connecting to ServerIP:21…
Status: Connection established, waiting for welcome message…
Status: Initializing TLS…
Status: Verifying certificate…
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing…
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (ServerIP,156,174)
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

Anonymized log from server:
Mar 1 15:40:16 ServerName pure-ftpd-mysql[1106]: Starting ftp server:
Mar 1 15:40:16 ServerName pure-ftpd-mysql[1120]: Running: /usr/sbin/pure-ftpd-mysql -l mysql:/etc/pure-ftpd/db/mysql.conf -P ServerIP -p 40110:40210 -d -A -Y 1 -B
Mar 1 15:40:16 ServerName systemd[1]: Started pure-ftpd-mysql.service.
Mar 1 15:40:16 ServerName systemd[1]: Reached target Multi-User System.
Mar 1 15:40:16 ServerName systemd[1]: Reached target Graphical Interface.
Mar 1 15:40:16 ServerName systemd[1]: Starting Execute cloud user/final scripts…
Mar 1 15:40:16 ServerName systemd[1]: Starting Update UTMP about System Runlevel Changes…
Mar 1 15:40:16 ServerName systemd[1]: systemd-update-utmp-runlevel.service: Succeeded.
Mar 1 15:40:16 ServerName systemd[1]: Finished Update UTMP about System Runlevel Changes.
Mar 1 15:42:02 ServerName CRON[1157]: (root) CMD (if ! find /home//public_html/ -maxdepth 2 -type f -newer /usr/local/lsws/cgid -name '.htaccess' -exec false {} +; then /usr/local/lsws/bin/lswsctrl restart; fi)
Mar 1 15:43:31 ServerName pure-ftpd: (?@ClientIP) [INFO] New connection from ClientIP
Mar 1 15:43:31 ServerName pure-ftpd: (?@ClientIP) [DEBUG] Command [auth] [TLS]
Mar 1 15:43:31 ServerName pure-ftpd: (?@ClientIP) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Mar 1 15:43:31 ServerName pure-ftpd: (?@ClientIP) [DEBUG] Command [user] [client_username]
Mar 1 15:43:31 ServerName pure-ftpd: (?@ClientIP) [DEBUG] Command [pass] [<>]
Mar 1 15:43:31 ServerName pure-ftpd: (?@ClientIP) [INFO] client_username is now logged in
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [syst]
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [feat]
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [opts] [UTF8 ON]
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [pbsz] [0]
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [prot] [P]
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [pwd]
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [type] [I]
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [pasv]
Mar 1 15:43:31 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [mlsd]
Mar 1 15:43:51 ServerName pure-ftpd: (?@ClientIP) [INFO] New connection from ClientIP
Mar 1 15:43:51 ServerName pure-ftpd: (?@ClientIP) [DEBUG] Command [auth] [TLS]
Mar 1 15:43:51 ServerName pure-ftpd: (?@ClientIP) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Mar 1 15:43:51 ServerName pure-ftpd: (?@ClientIP) [DEBUG] Command [user] [client_username]
Mar 1 15:43:51 ServerName pure-ftpd: (?@ClientIP) [DEBUG] Command [pass] [<>]
Mar 1 15:43:51 ServerName pure-ftpd: (?@ClientIP) [INFO] client_username is now logged in
Mar 1 15:43:51 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [opts] [UTF8 ON]
Mar 1 15:43:51 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [pbsz] [0]
Mar 1 15:43:51 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [prot] [P]
Mar 1 15:43:51 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [pwd] []
Mar 1 15:43:51 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [type] [I]
Mar 1 15:43:51 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [pasv] []
Mar 1 15:43:51 ServerName pure-ftpd: (client_username@ClientIP) [DEBUG] Command [mlsd] []
Mar 1 15:45:01 ServerName CRON[1167]: (root) CMD (if ! find /home//public_html/ -maxdepth 2 -type f -newer /usr/local/lsws/cgid -name '.htaccess' -exec false {} +; then /usr/local/lsws/bin/lswsctrl restart; fi)

I tried all the suggestions from searching the forums on forums.cyberpanel.net by removing the firewall rules and re-adding them. I have also tried to disable all firewalls; still the same.

I think there is something wrong with the default configuration:
/etc/pure-ftpd/pure-ftpd.conf
ChrootEveryone yes
BrokenClientsCompatibility no
MaxClientsNumber 50
Daemonize yes
MaxClientsPerIP 8
VerboseLog yes
DisplayDotFiles yes
AnonymousOnly no
NoAnonymous yes
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
PAMAuthentication yes
LimitRecursion 10000 8
AnonymousCanCreateDirs no
MaxLoad 4
AntiWarez yes
Umask 133:022
MinUID 1000
#UseFtpUsers no
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
AutoRename no
AnonymousCantUpload yes
AltLog clf:/var/log/pureftpd.log
CreateHomeDir yes
MaxDiskUsage 99
CustomerProof yes
TLS 0
PassivePortRange 40110 40210

/etc/pure-ftpd/pureftpd-mysql.conf
MYSQLServer localhost
MYSQLPort 3306
MYSQLSocket /var/lib/mysql/mysql.sock
MYSQLDatabase cyberpanel
MYSQLCrypt md5
MYSQLGetDir SELECT Dir FROM users WHERE User='\L'
MYSQLGetGID SELECT Gid FROM users WHERE User='\L'
MYSQLGetPW SELECT Password FROM users WHERE User='\L'
MYSQLGetUID SELECT Uid FROM users WHERE User='\L'
MYSQLPassword ******************
MYSQLUser cyberpanel

/etc/pure-ftpd/conf/ChrootEveryone
yes

/etc/pure-ftpd/conf/ForcePassiveIP
ServerIP (public IP)

/etc/pure-ftpd/conf/PassivePortRange
40110 40210

Please help.

Any advice would be appreciated!

40110-40210 port incoming.

> @letienvy said:
>
> 40110-40210 port incoming.

I had a really hard time convincing my network team colleague that we need these ports open for it to work properly.

Is it really necessary to have these ports open? Can it work without these ports?

If we only open ports 20 and 21, can it run an encrypted connection over active FTP?

Hello! Were you able to fix this problem? If yes, how?

Yes, we did solve the problem. You need to open the passive ports if you want to use TLS to connect. For reference you can use this document: https://download.pureftpd.org/pub/pure-ftpd/doc/FAQ

* Firewalling

-> My FTP server is behind a firewall. What ports should I open?

First, you have to open port 21 TO the FTP server. You also have to allow
connections FROM (not to) ports <= 20 (of the FTP server) to everywhere.
That's enough to handle the "active" mode. But that's not enough to handle all
types of clients. Most clients will use another mode to transmit data called
'passive' mode. It's a bit more secure than 'active' mode, but you need to
open more ports on your firewall to have it work.

So, open some ports TO the FTP server. These ports should be > 1023. It's
recommended to use at least twice the max number of clients you are
expecting. So, if you accept 200 concurrent sessions, opening ports 50000 to
50400 is ok.

Then, run pure-ftpd with the '-p' switch followed by the range configured in
your firewall. Example: /usr/local/sbin/pure-ftpd -p 50000:50400 &

Unlike some popular belief, the MORE opened ports you have for passive FTP,
the MORE your FTP server will be secure, because the LESS you are vulnerable
to data hijacking.

If your firewall also does network translation (NAT), you have to enable
port forwarding for all passive ports.

On the client side, if a client is behind a firewall, that firewall must
understand the FTP protocol. On Linux firewalls (iptables), just load
the ip_conntrack_ftp and ip_nat_ftp modules. On OpenBSD, ISOS and
FreeBSD 5 firewalls (PF), redirect all traffic to port 21, to ftp-proxy.
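
Added example, not part of the original thread or the Pure-FTPd documentation: a PASV reply encodes the data port as p1*256+p2, and this sketch decodes the reply from the FileZilla log and compares it with the configured PassivePortRange. It also accepts EPSV (229) replies, which goes beyond what the log shows; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: decode the data port announced in a 227 (PASV) or 229 (EPSV)
# reply and compare it with the server's passive port range.

# Print the TCP data port announced by a PASV/EPSV reply line.
pasv_port() {
    reply=$1
    case $reply in
        *229*"(|||"*"|)"*)
            # EPSV (RFC 2428): 229 ... (|||port|)
            port=${reply#*"(|||"}
            p1=0 p2=${port%%"|"*} ;;
        *227*"("*,*,*")"*)
            # PASV: 227 ... (h1,h2,h3,h4,p1,p2). Only the last two fields are
            # used, so an anonymized address such as "ServerIP" is tolerated.
            inner=${reply#*"("}
            inner=${inner%%")"*}
            p2=${inner##*,}
            inner=${inner%,*}
            p1=${inner##*,} ;;
        *) return 1 ;;
    esac
    case $p1$p2 in ''|*[!0-9]*) return 1 ;; esac
    echo $((p1 * 256 + p2))
}

# Succeed if PORT lies inside RANGE, written as "40110 40210" (config file
# form) or "40110:40210" (-p switch form).
in_range() {
    range=$(echo "$2" | tr ' ' ':')
    [ "$1" -ge "${range%%:*}" ] && [ "$1" -le "${range##*:}" ]
}

# Say which side of the problem a reply points at.
diagnose() {
    port=$(pasv_port "$1") || { echo "no passive reply found"; return 2; }
    if in_range "$port" "$2"; then
        echo "port $port is inside $2: daemon config is consistent; inbound TCP $2 must be allowed on every firewall/NAT in the path"
    else
        echo "port $port is outside $2: the daemon is not using the configured range"
        return 1
    fi
}

# Reply line as it appears in the FileZilla log on this page.
diagnose 'Response: 227 Entering Passive Mode (ServerIP,156,174)' '40110 40210'
```

For the log above it reports port 40110, the first port of the configured range, so the timeout on MLSD points at filtering between client and server rather than at the Pure-FTPd configuration.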