
FTP Logins Always Fail over WAN

Whenever anyone tries to connect and log in via FTP to my server, it delays for a minute then fails. But it works using the local IP address of the server. This is my setup:


FTP enabled with default settings and everything, maximum of 50 users at a time. There are zero now.

Port 21 open on the firewall, but I tried disabling the firewall just in case.

Router (AEBS) has port 21 open to the WAN and forwards it to port 21 on the server.

AFP and such are also enabled and work fine over WAN.


Details about what happens when someone outside my LAN connects:


The connection is established perfectly. When valid login information is used, it stalls for a minute then fails. I SOMETIMES see that Server Admin sees an authenticated FTP connection during that period of time with the type showing as "LIST". Like it's listing the files? Share points? I see things like the following in the console:


11/14/13 6:55:43 PMftpd: 192.168.1.1: connected: IDLE [4778]DEAD_PROCESS: 4777 ftp4777


I've tried an answer I found on the communities elsewhere, replacing the file ftpaccess with ftpaccess.default, with no effect. I've stopped and started the FTP service a bunch of times and have tried different users. Any help would be greatly appreciated since my friend needs to be able to connect to a share point I have set up for him, and his computer can't do AFP.

Posted on Nov 14, 2013 7:02 PM


4 replies
Question marked as Best reply

Nov 14, 2013 10:58 PM in response to d00dbro

FTP uses multiple ports, so opening port 21 is not sufficient. That enables the FTP Control channel (for commands), but doesn't allow for DATA connections, hence the stall - your client is able to send a command but the resulting data connection is blocked.


There are several potential fixes, ranking from preferable to least preferable:


1) Don't use FTP. It's not secure (everything is sent in plaintext/unencrypted), it's a PITA to get through firewalls (as demonstrated by your post) and there are better options around.


2) Open port 20 as well as port 21. Port 20 is the default data connection port and might resolve the problem.


3) Toggle active/passive FTP on the client. FTP can work in two different modes known as 'active' and 'passive'. The short difference is in the way that data connections are established. You may need to do this in addition to option 2 above.
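The control-versus-data split described in this reply is easy to see in a small model. The following script is an added illustration, not code from the original thread or from Apple's ftpd: it decodes the PASV reply and builds the PORT command as RFC 959 defines them, then simulates a server-side firewall that only permits connections whose server-side port is on an allow list. The addresses, the 50000-50099 passive range and the firewall rule are constructed for the example; real firewalls differ in how they treat outbound connections from port 20, so treat the outcomes as an explanation of the reply's three options, not as a statement about any particular device.

```python
"""
Added example (not from the original thread): why an FTP session can log in
over port 21 and then stall on LIST, and how active versus passive mode
changes which server-side port the firewall has to permit.
All addresses, ports and the firewall model below are constructed.
"""
import re

CONTROL_PORT = 21
ACTIVE_DATA_SOURCE_PORT = 20   # server's source port in active mode (RFC 959)

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into
    the (host, port) the client must dial for the data connection."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(host, port):
    """Encode the client's listening socket as an active-mode PORT command."""
    octets = host.split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def data_connection(mode, client_ip, client_port, server_ip, server_data_port):
    """Return (initiator, src, dst) for the data connection in each mode.
    active : the server dials the client, from port 20 to the PORT address.
    passive: the client dials the server port announced in the PASV reply."""
    if mode == "active":
        return ("server", (server_ip, ACTIVE_DATA_SOURCE_PORT), (client_ip, client_port))
    if mode == "passive":
        return ("client", (client_ip, None), (server_ip, server_data_port))
    raise ValueError("unknown mode %r" % mode)


def server_side_port(conn, server_ip):
    """The port at the server end of a connection, whichever side dialed."""
    _initiator, src, dst = conn
    return src[1] if src[0] == server_ip else dst[1]


def session_outcome(mode, allowed_server_ports, client_ip="203.0.113.7",
                    server_ip="198.51.100.10", client_port=50100,
                    pasv_reply="227 Entering Passive Mode (198,51,100,10,195,80)"):
    """Simulate a firewall in front of the server that only permits
    connections whose server-side port is in allowed_server_ports.
    Returns 'refused' (no login possible), 'ok', or 'stall' when the
    control channel works but the data connection for LIST/RETR cannot
    be established, which is what the original poster saw."""
    if CONTROL_PORT not in allowed_server_ports:
        return "refused"
    _host, pasv_port = parse_pasv_reply(pasv_reply)
    conn = data_connection(mode, client_ip, client_port, server_ip, pasv_port)
    if server_side_port(conn, server_ip) in allowed_server_ports:
        return "ok"
    return "stall"


if __name__ == "__main__":
    print(build_port_command("203.0.113.7", 50100))
    print(parse_pasv_reply("227 Entering Passive Mode (198,51,100,10,195,80)"))
    cases = [("active", {21}, "only 21 open"),
             ("active", {20, 21}, "20 and 21 open"),
             ("passive", {20, 21}, "20 and 21 open"),
             ("passive", {21} | set(range(50000, 50100)), "21 plus passive range")]
    for mode, ports, label in cases:
        print("%-7s %-22s -> %s" % (mode, label, session_outcome(mode, ports)))
```

Running it shows the three situations the reply describes: with only port 21 permitted, active mode logs in and then stalls on the first data transfer; adding port 20 (option 2) fixes active mode but not passive mode, whose data connection lands on an ephemeral server port; and passive mode needs that ephemeral range permitted instead, which is why toggling the client's mode (option 3) can matter on top of opening port 20.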

Nov 15, 2013 6:36 AM in response to Camelot

Thanks! That was the problem. I needed port 20 for it to work.


I ended up mapping 20-21 to my server on the router, but I really wanted to have some other port going to the server FTP port. Forwarding 9064 and 9063 to 21 and 20, respectively, won't work. So I set my firewall to only allow FTP access to those connecting from California, hoping to minimize the break-in attempts. I'll also ask my friend if he can use something other than FTP.

Nov 15, 2013 8:15 AM in response to d00dbro

d00dbro wrote:


I'll also ask my friend if he can use something other than FTP.


Introduce your friend to sftp, via the command line with OS X, or via the Cyberduck, Transit, Filezilla or other add-on tools if your friend prefers the GUI. These connections are encrypted, work via a single port (TCP port 22), and you can also optionally choose to use more advanced user authentication via certificate-based[1] logins.


[1] Certificates are a flexible user authentication scheme, with revokable gonzo-grade passwords.
