3

I have pure-ftpd running on an AWS EC2 instance. I'm trying to get it to run in passive mode, which I thought was working; however, I'm finding it may not be working correctly. I'm receiving the following error in FileZilla:

Status:         Connected
Status:         Retrieving directory listing...
Status:         Server sent passive reply with unroutable address. Using server address instead.
Status:         Directory listing of "/" successful

The odd part is some people are unable to log in while others are.

I have the following pure-ftpd configuration:

Port Range

#Port range for passive connections replies. - for firewalling.

PassivePortRange          50000 50100

PASV IP

#Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
#Symbolic host names are also accepted for gateways with dynamic IP
#addresses.

ForcePassiveIP            ftp.mydomain.com

(My CNAME record is mapped to my EC2 public DNS.)

When I view the local port range on the server, /proc/sys/net/ipv4/ip_local_port_range, the following are open:

32768   61000

My EC2 security group has ports 50000-50100 open.

When I view my server logs I don't see much, other than this every once in a while:

Feb  5 08:57:41 ip-172-11-42-52 dhclient[1062]: DHCPREQUEST on eth0 to 172.11.32.1 port 67 (xid=0x601547fd)
Feb  5 08:57:41 ip-172-11-42-52 dhclient[1062]: DHCPACK from 172.11.32.1 (xid=0x601547fd)
Feb  5 08:57:43 ip-172-11-42-52 dhclient[1062]: bound to 172.11.42.52 -- renewal in 1417 seconds.

Anybody have any idea where things might be going wrong?

Code Junkie
  • 7,602
  • 26
  • 79
  • 141

4 Answers

6

Server sent passive reply with unroutable address. Using server address instead

This solved the error for me and got FTP working on AWS EC2, by adding the following lines to /etc/vsftpd.conf:

pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_addr_resolve=YES
pasv_address=XX.XX.XX.XX

XX.XX.XX.XX is set to the elastic IP assigned as the public address for the instance.

Ports in the range 1024-1048 and 20-21 were created as Custom TCP inbound rules allowing connections from anywhere.

The FTP server is running vsftpd on an Ubuntu EC2 instance, accessed with the FileZilla client.

lm5050
  • 789
  • 7
  • 10
  • This worked for me on an Amazon AWS instance of Ubuntu 18.4 after opening up those ports in the security group settings, thanks! – Dave Seidman Oct 15 '20 at 12:51
  • All I had to do was to open the ports in the security group as @DaveSeidman said too. – Herii Jun 02 '21 at 05:17
4

So I believe I resolved this issue. It appears as if AWS was dynamically changing IP addresses. When I was referencing ftp.domain.com for my passive IP, the IP that it resolved to didn't match the initial IP tied to the CNAME record.

The solution was to assign a static Elastic IP to my EC2 instance and set my passive IP in pure-ftpd to that static Elastic IP. Thus far it appears to have resolved my issue.

Code Junkie
  • 7,602
  • 26
  • 79
  • 141
  • Seems legit. The protocol components FTP uses to set up the data connection are hideously error-prone in situations like that. Was "ftp.domain.com" originally a CNAME referencing your machine's `*-compute*.amazonaws.com` hostname? – Michael - sqlbot Feb 06 '15 at 13:39
  • @Michael Yes it was, and it still failed. It was returning an alternate IP address. Even after I gave the machine a static IP address it still failed if I set ForcePassiveIP to use ftp.domain.com. I ended up just hard-setting ForcePassiveIP to the static IP. – Code Junkie Feb 06 '15 at 15:00
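The "unroutable address" warning in the question is the client comparing the address inside the server's 227 reply with the address it actually connected to on port 21. The script below is an added example, not code from the question or from any of the answers; it reproduces that check so a server's PASV reply can be inspected from the command line before editing pure-ftpd or vsftpd. The host name passed on the command line, the default 50000-50100 range (matching the PassivePortRange in the question), and the sample replies using documentation addresses (203.0.113.x) and a VPC-style 172.31.x address are assumptions made for illustration. It flags three separate faults: a private/unspecified address (NAT without ForcePassiveIP / pasv_address), a public address that differs from the control connection (the stale-CNAME case in this answer), and a port outside the range the security group allows.

```python
"""Inspect what an FTP server advertises in its PASV (227) reply.

Added example; not code from the question or any of the answers. The host name,
the default port range and the sample replies below are assumptions.
"""
import ipaddress
import re
import sys
from ftplib import FTP

# 227 reply format from RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Address blocks an Internet client cannot reach. A server behind NAT that is
# not forcing its public IP leaks one of these; 0.0.0.0 is the value a
# misconfigured vsftpd listener can advertise.
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; raise ValueError on anything else."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range in: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, control_ip, port_range=(50000, 50100)):
    """Return a list of problems with the advertised data endpoint ([] means OK).

    control_ip is the address the client connected to on port 21; port_range is
    PassivePortRange (pure-ftpd) or pasv_min_port..pasv_max_port (vsftpd), i.e.
    the range the security group must allow.
    """
    ip_str, port = parse_pasv(reply)
    ip = ipaddress.ip_address(ip_str)
    problems = []
    if any(ip in net for net in _UNROUTABLE):
        problems.append("unroutable address %s: server is not forcing its public IP" % ip_str)
    if ip != ipaddress.ip_address(control_ip):
        # The CNAME-resolved-to-a-different-IP case. A client should not follow an
        # address that differs from the server it connected to, which is why
        # FileZilla substitutes the server address instead of trusting the reply.
        problems.append("advertised %s differs from control connection %s" % (ip_str, control_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("port %d outside allowed range %d-%d" % (port, lo, hi))
    return problems


def probe(host, user="anonymous", passwd="anonymous@", port_range=(50000, 50100)):
    """Connect to a live server, send PASV and return (raw reply, problems)."""
    ftp = FTP(host, timeout=15)
    try:
        ftp.login(user, passwd)
        control_ip = ftp.sock.getpeername()[0]   # address we really reached
        reply = ftp.sendcmd("PASV")
    finally:
        ftp.close()
    return reply, check_pasv(reply, control_ip, port_range)


# Constructed sample replies (documentation addresses, not real servers).
SAMPLE_OK = "227 Entering Passive Mode (203,0,113,10,195,80)"         # 195*256+80 = 50000
SAMPLE_PRIVATE = "227 Entering Passive Mode (172,31,42,52,195,80)"    # VPC-internal address
SAMPLE_STALE_DNS = "227 Entering Passive Mode (203,0,113,20,195,80)"  # a different public IP

if __name__ == "__main__":
    if len(sys.argv) > 1:
        reply, problems = probe(sys.argv[1])   # e.g. python pasv_check.py ftp.example.com
    else:
        reply, problems = SAMPLE_PRIVATE, check_pasv(SAMPLE_PRIVATE, "203.0.113.10")
    print(reply)
    for p in problems:
        print("  PROBLEM:", p)
```

Run it against the instance's public name (or Elastic IP) from outside the VPC; if the advertised address is the instance's private 172.x address, ForcePassiveIP (or pasv_address) is not taking effect, and if it is a public address that is simply different from the one you connected to, the name used in ForcePassiveIP resolves to something other than the instance, which is exactly the case described in this answer.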
1

I found a solution you can try.

https://serverfault.com/questions/821025/vsftpd-passive-reply-with-0-0-0-0-address-even-with-correct-pasv-address

I solved it by disabling listen_ipv6 and enabling listen in the config.

listen_ipv6=NO
listen=YES

Jim Wu
  • 21
  • 1
0

I got the solution by setting the following in vsftpd.conf:

listen=YES
listen_ipv6=NO

Reference here https://stackoverflow.com/a/54707769/1336561

MasEDI
  • 41
  • 2