FTP Passive issue

[jimlongo]

I just had a new server created CentOS7 / EA4 with Apache 2.4/PHP5.6
The previous server was CentOS6.9 / EA 3
Both with CSF of course, and settings copied from the old to new.

I've run into a problem with some php backup scripts that send a mysql dump file offsite.
The scripts (which have been running for years on the old server) are failing around the ftp connection and transfer.

Here's the code snippet around the failure . . .

Code: Select all

$ftp_conn = ftp_connect($ftp_server);
$login_result = ftp_login($ftp_conn, $ftp_username, $ftp_password);
ftp_pasv($ftp_conn, true);
$upload = ftp_put($ftp_conn, $filepath, $filename, FTP_BINARY);
ftp_close($ftp_conn);

Here's the error message

Code: Select all

Warning: ftp_put(): php_connect_nonb() failed: Operation now in progress (115) in /home/wan/_BUscripts/BU_sql_wan.php on line 37
Warning: ftp_put(): Type set to I in /home/wan/_BUscripts/BU_sql_wan.php on line 37
FTP upload has failed.

I opened a ticket at cPanel and they looked at the issue and said that it works when CSF is disabled, and only appears when it's enabled.

Here is their response to my ticket.

When CSF is enabled I am not able to get a data control session.

redacted@wanless.com [~/_BUscripts]# ftp ftp.drivehq.com
Connected to ftp.drivehq.com (66.220.9.50).
220 Welcome to the most popular FTP hosting service!
Name (ftp.drivehq.com: redacted): redacted
331 User name ok, need password.
Password:
230 User redacted logged on. Free service has restrictions and is slower.
Remote system type is UNIX.
ftp> ls
227 Entering Passive Mode (66,220,9,50,32,108).
ftp: connect: Connection refused
ftp> quit
221 Bye
redacted@wanless.com [~/_BUscripts]# id
uid=1008(redacted) gid=1008(redacted) groups=1008(redacted)
redacted@wanless.com [~/_BUscripts]#

but when disable I am able without issues.

Because this works fine with CSF Firewall disabled this will need to be addressed within CSF itself. CSF Firewall isn't an application we provide and isn't something we can correct. If assistance s needed with CSF Firewall then please contact their support team

Can you suggest what settings I should look at, or any information you need.

Thanks.

[UWH-David]

Check your pasv port range config for your ftp daemon (pureftpd/proftpd/etc) and add that range to the tcp range in csf configuration.

[jimlongo]

Thanks UWH-David, that doesn't seem to matter. My settings were as below.

The setting for ProFTP is PassivePortRange: 49152 65534

And in CSF, the last characters in TCP_IN are 49152:65534

[UWH-David]

That is good. Do you have port 20 allowed as well?

[jimlongo]

Yes both TCP_IN and TCP_OUT.

[UWH-David]

Have you restarted ftp since the passive range change? Is it enabled in the config? Have you run a csf -r since the update to csf? Doesn't look like it but are you using TLS? If so, add 990 as well. 22 if using sftp. What happens if you whitelist the remote host?

[jimlongo]

It looks like whitelisting the remote IP worked. Didn't need to use port 22.
Thanks for your help.

[UWH-David]

My pleasure.

[honesting]

Hello,

I have the same problem and adding the IP to whitelist doesn't resolve it. What more can I check? passsive ports are setup. Thank you.