FTP access failed after Hestia Control Panel v1.7.8 to v1.8.1 update

Hello!

I cannot access FTP after updating Hestia Control Panel from v1.7.8 to v1.8.1. It displays the following error: Failed to retrieve directory listing.
Also, I got an email with the following content:

The upgrade script has generated additional notifications, which must be heeded urgently:

Manual Action Required [IMPORTANT]

To enable the “Enhanced and Optimized TLS” feature, we must update the NGINX configuration file (/etc/nginx/nginx.conf).

But for unknown reason or you edited it, may not be fully apply all the changes in this upgrade.

Please follow the default configuration file to sync it:
/usr/local/hestia/install/deb/nginx/nginx.conf

Backed up configuration file:
/root/hst_backups/120720230633/conf/nginx/nginx.conf

Here is the log from FileZilla:

Status: Resolving address of MYWEBSITE.net
Status: Connecting to SERVER_IP:21…
Status: Connection established, waiting for welcome message…
Response: 220 FTP Server ready.
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS…
Status: TLS connection established.
Command: USER user_ftp
Response: 331 Password required for user_ftp
Command: PASS ****************
Response: 230 User user_ftp logged in
Command: CLNT FileZilla
Response: 200 OK
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Logged in
Status: Retrieving directory listing…
Command: PWD
Response: 257 / is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (91,107,215,72,152,47).
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Resolving address of MYWEBSITE.net
Status: Connecting to SERVER_IP:21…
Status: Connection established, waiting for welcome message…
Response: 220 FTP Server ready.
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS…
Status: TLS connection established.
Command: USER user_ftp
Response: 331 Password required for user_ftp
Command: PASS ****************
Response: 230 User user_ftp logged in
Command: CLNT FileZilla
Response: 200 OK
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Logged in
Status: Retrieving directory listing…
Command: PWD
Response: 257 / is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (91,107,215,72,147,245).
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

I have disabled the HestiaCP automatic updates. Any ideas how to fix it? Thank you.

This should not matter for FTP…

Hello!

It could be a firewall issue, but is the HestiaCP firewall blocking my FTP connection, or could it be the server firewall?
I have tried to access FTP on several devices, so I can confirm this issue with FTP access exists on these devices as well. So, I assume it’s not related to my PC firewall. Thanks.

Hestia uses a firewall but port 21 should be open by default

I also can’t think what has changed on 1.8 regarding ftp

I always update Hestia to the newest version automatically and have never had any issues with that. But I think this 1.8.1 version leads to an FTP issue. Is there a way to roll back all changes and switch back to Hestia Control Panel version 1.7.8? Thank you.

There haven't been any changes to FTP or the firewall: Comparing 1.7.8...1.8.1 · hestiacp/hestiacp · GitHub

Downgrading isn't supported. Check if the passive ports are open as well; they are from 12000-12100. Maybe that’s the reason for your issue, as it fails while entering passive mode.

I have tried to connect to FTP using telnet. It reports 220 FTP Server ready,
230 User user_ftp logged in. So, I think these ports, 12000-12100, are open. But when I try to call the LIST / command, it displays:
425 Unable to build data connection: Connection timed out
450 LIST: Connection timed out

Any ideas what could cause such an issue? Thank you.

No, the login procedure is done over port 21; ports 12000-12100 are used as soon as you want to perform a data action, like listing a directory or uploading files. Verify that these ports are open (by default they are in Hestia, but ensure that your ISP hasn't blocked them).
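
An added example, not part of any post in this thread: a 227 reply encodes the data port as p1*256+p2, so the ports the server advertised in the FileZilla log can be compared with the 12000-12100 range mentioned above. The function names are illustrative, and the third sample line is constructed.

```python
import re

# Passive data-port range quoted in this thread for Hestia's FTP setup.
PASSIVE_RANGE = (12000, 12100)

# Matches "227 ... (h1,h2,h3,h4,p1,p2)" as sent in reply to PASV.
_PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:\s*,\s*\d{1,3}){5})\)")


def parse_pasv(line):
    """Return (ip, port) from a 227 passive-mode reply, or None if not one."""
    m = _PASV_RE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None  # each field is a single octet
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte, low byte
    return ip, port


def audit_pasv(log_lines, port_range=PASSIVE_RANGE):
    """List every advertised data endpoint and whether it is in the range."""
    lo, hi = port_range
    findings = []
    for line in log_lines:
        parsed = parse_pasv(line)
        if parsed:
            ip, port = parsed
            findings.append({"ip": ip, "port": port, "in_range": lo <= port <= hi})
    return findings


SAMPLE = [
    # The two 227 replies from the FileZilla log on this page.
    "Response: 227 Entering Passive Mode (91,107,215,72,152,47).",
    "Response: 227 Entering Passive Mode (91,107,215,72,147,245).",
    # Constructed reply for comparison: 46*256 + 224 = 12000.
    "Response: 227 Entering Passive Mode (192,0,2,10,46,224).",
]

if __name__ == "__main__":
    for f in audit_pasv(SAMPLE):
        status = "inside" if f["in_range"] else "OUTSIDE"
        print(f"{f['ip']}:{f['port']} is {status} {PASSIVE_RANGE[0]}-{PASSIVE_RANGE[1]}")
```

For the two replies in the log above this gives ports 38959 and 37877, both outside 12000-12100, so a firewall that opens only that range would not pass those data connections.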

Using telnet I get the following output:

Microsoft Windows [Version 10.0.19045.3208]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>telnet SERVER_IP 12000
Connecting To 91.107.215.72…Could not open connection to the host, on port 12000: Connect failed

C:\WINDOWS\system32>telnet SERVER_IP 12100
Connecting To 91.107.215.72…Could not open connection to the host, on port 12100: Connect failed

C:\WINDOWS\system32>

So, it means these ports are closed on the server? Thank you.

Why are you using passive ftp? It makes it more complex.

The server support replied that all ports are open on the server and this issue is caused by the Hestia CP upgrade to v1.8.1, which could be unstable.

I installed the proftpd service with Hestia Control Panel when I configured it on this server. From Hestia CP, proftpd works well: https://i.ibb.co/dQ37k3S/2023-07-16-155653.png

I use FTP to update the website scripts/etc. What should I use then?

OK. I got more log information:

Jul 16 16:59:57 my-server.server.net proftpd[147816]: * Stopping ftp server proftpd

Jul 16 16:59:57 my-server.server.net proftpd[145256]: localhost - ProFTPD killed (signal 15)

Jul 16 16:59:57 my-server.server.net proftpd[145256]: localhost - ProFTPD 1.3.6c standalone mode SHUTDOWN

Jul 16 16:59:57 my-server.server.net proftpd[147816]: …done.

Jul 16 16:59:57 my-server.server.net systemd[1]: proftpd.service: Succeeded.-- The unit proftpd.service has successfully entered the ‘dead’ state.

– Subject: A stop job for unit proftpd.service has finished

– A stop job for unit proftpd.service has finished.

Jul 16 16:59:57 my-server.server.net systemd[1]: proftpd.service: Found left-over process 146754 (proftpd) in control group while starting unit. Ignoring.

Jul 16 16:59:57 my-server.server.net systemd[1]: proftpd.service: Found left-over process 146755 (proftpd) in control group while starting unit. Ignoring.

Jul 16 16:59:57 my-server.server.net systemd[1]: proftpd.service: Found left-over process 146756 (proftpd) in control group while starting unit. Ignoring.

Jul 16 16:59:57 my-server.server.net systemd[1]: proftpd.service: Found left-over process 146770 (proftpd) in control group while starting unit. Ignoring.

– Subject: A start job for unit proftpd.service has begun execution

– A start job for unit proftpd.service has begun execution.

Jul 16 16:59:57 my-server.server.net proftpd[147830]: * Starting ftp server proftpd

Jul 16 16:59:57 my-server.server.net proftpd[147843]: 2023-07-16 16:59:57,736 my-server.server.net proftpd[147843]: fatal: TLSProtocol: unknown protocol: ‘TLSv1.3’ on line 17 of ‘/etc/proftpd/tls.conf’

Jul 16 16:59:57 my-server.server.net proftpd[147843]: 2023-07-16 16:59:57,736 my-server.server.net proftpd[147843]: warning: unable to include ‘/etc/proftpd/tls.conf’: Operation not permitted

Jul 16 16:59:57 my-server.server.net proftpd[147830]: …done.-- Subject: A start job for unit proftpd.service has finished successfully

– A start job for unit proftpd.service has finished successfully.

Jul 16 16:59:57 my-server.server.net proftpd[147844]: localhost - ProFTPD 1.3.6c (maint) (built Thu Feb 27 2020 19:34:56 UTC) standalone mode STARTUP

Jul 16 16:59:58 my-server.server.net proftpd[146770]: pam_unix(proftpd:session): session closed for user user_ftp

Jul 16 16:59:58 my-server.server.net proftpd[146756]: pam_unix(proftpd:session): session closed for user user_ftp

Jul 16 16:59:59 my-server.server.net proftpd[146755]: pam_unix(proftpd:session): session closed for user user_ftp

Jul 16 16:59:59 my-server.server.net proftpd[146754]: pam_unix(proftpd:session): session closed for user user_ftp

Jul 16 17:00:01 my-server.server.net proftpd[147845]: pam_unix(proftpd:session): session opened for user user_ftp by (uid=0)

Jul 16 17:00:22 my-server.server.net proftpd[148225]: pam_unix(proftpd:session): session opened for user user_ftp by (uid=0)

From the server log it reports TLSProtocol: unknown protocol: ‘TLSv1.3’, which was added to Hestia CP version 1.8.1.

Jul 16 16:59:57 my-server.server.net proftpd[147843]: 2023-07-16 16:59:57,736 my-server.server.net proftpd[147843]: fatal: TLSProtocol: unknown protocol: ‘TLSv1.3’ on line 17 of ‘/etc/proftpd/tls.conf’

Jul 16 16:59:57 my-server.server.net proftpd[147843]: 2023-07-16 16:59:57,736 my-server.server.net proftpd[147843]: warning: unable to include ‘/etc/proftpd/tls.conf’: Operation not permitted

So, I have a few more questions:

  1. I assume this message: To enable the “Enhanced and Optimized TLS” feature, we must update the NGINX configuration file (/etc/nginx/nginx.conf). which I got on my email is connected to this issue: Jul 16 16:59:57 my-server.server.net proftpd[147843]: 2023-07-16 16:59:57,736 my-server.server.net proftpd[147843]: fatal: TLSProtocol: unknown protocol: ‘TLSv1.3’ on line 17 of ‘/etc/proftpd/tls.conf’

Jul 16 16:59:57 my-server.server.net proftpd[147843]: 2023-07-16 16:59:57,736 my-server.server.net proftpd[147843]: warning: unable to include ‘/etc/proftpd/tls.conf’: Operation not permitted?

  2. Or should I remove TLSv1.3 from /etc/proftpd/tls.conf and use the previous TLSv1.1 TLSv1.2?
    What was the TLS version on that 17th line before the HestiaCP update?

Thank you.

What's your proftpd version and is it already up to date?

The current version - ProFTPD Version: 1.3.6c (maint)

proftpd -vv
2023-07-16 17:58:30,965 my-server.server.net proftpd[157296]: fatal: TLSProtocol: unknown protocol: ‘TLSv1.3’ on line 17 of ‘/etc/proftpd/tls.conf’
2023-07-16 17:58:30,966 my-server.server.net proftpd[157296]: warning: unable to include ‘/etc/proftpd/tls.conf’: Operation not permitted
ProFTPD Version: 1.3.6c (maint)

  Scoreboard Version: 01040003
  Built: Thu Feb 27 2020 19:34:56 UTC

Which OS version?

OS: Ubuntu 20.04 (x86_64)

Please check if this works

There seems to be a bug in the documentation of ProFTPD

http://www.proftpd.org/docs/contrib/mod_tls.html#TLSProtocol

Currently, line 17 in the file /etc/proftpd/tls.conf looks like this: TLSProtocol TLSv1.2 TLSv1.3

I should change it to: TLSProtocol ALL -SSLv3? Thanks.