# [Solved] vsftpd Command: LIST - Error: Connection timed out

## FilthyPitDog

Hey guys I'm really pulling my hair out here... Trying to get my ftp server up. I'm testing using ftptest.net

I believe I almost have everything in order (static ip, ports forwarded on router, iptables setup) as it gets as far as "Command: LIST Error: Connection timed out" I'm on port 990 using FTP over TLS in Passive Mode.

```
listen=YES
listen_ipv6=NO
listen_port=990
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_root=/mnt
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
log_ftp_protocol=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=My Banner Goes Here
ssl_enable=YES
allow_anon_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
pasv_address=foo.bar.com
pasv_addr_resolve=YES
port_enable=YES
pasv_enable=YES
pasv_min_port=50100
pasv_max_port=51100
```

```
# Generated by iptables-save v1.8.7 on Thu Jun 17 20:59:29 2021
*mangle
:PREROUTING ACCEPT [3393222:1509182188]
:INPUT ACCEPT [3391510:1509143249]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3369645:536014132]
:POSTROUTING ACCEPT [3374851:536295052]
COMMIT
# Completed on Thu Jun 17 20:59:29 2021
# Generated by iptables-save v1.8.7 on Thu Jun 17 20:59:29 2021
*filter
:INPUT ACCEPT [8:3062]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:328]
-A INPUT -p tcp -m tcp --dport 50100:51100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
COMMIT
# Completed on Thu Jun 17 20:59:29 2021
```

```
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 20:34 PDT
Nmap scan report for foo.bar.com
Host is up (0.000036s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
990/tcp   open  ftps
```

ftptest.net result:

```
Warning: Selected port (990) is not the default port (21) of the selected protocol.
Status: Resolving address of foo.bar.com
Status: Connecting to foo.bar.com
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220 My Banner Goes Here
Command: CLNT https://ftptest.net on behalf of foo.bar.com
Reply: 530 Please login with USER and PASS.
Command: AUTH TLS
Reply: 234 Proceed with negotiation.
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.
Status: cert[0]: subject='C=XX,ST=XX,L=XX,O=XX,OU=XX,CN=foo.bar.com,EMAIL=foo@bar.com' issuer='C=XX,ST=XX,L=XX,O=XX,OU=XX,CN=foo.bar.com,EMAIL=foo@bar.com'
Command: USER test
Reply: 331 Please specify the password.
Command: PASS ********
Reply: 230 Login successful.
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Features:
Reply: AUTH TLS
Reply: EPRT
Reply: EPSV
Reply: MDTM
Reply: PASV
Reply: PBSZ
Reply: PROT
Reply: REST STREAM
Reply: SIZE
Reply: TVFS
Reply: UTF8
Reply: 211 End
Warning: The server does not indicate MLSD support. MLSD uses a well-specified listing format. Without MLSD, directory listings have to be obtained using LIST which uses an unspecified output format.
Command: PBSZ 0
Reply: 200 PBSZ set to 0.
Command: PROT P
Reply: 200 PROT now Private.
Command: PWD
Reply: 257 "/mnt" is the current directory
Status: Current path is /mnt
Command: TYPE I
Reply: 200 Switching to Binary mode.
Command: PASV
Reply: 227 Entering Passive Mode (foo.bar.com,197,150).
Command: LIST
Error: Connection timed out
```

I see "Warning: The server does not indicate MLSD support"; after checking https://stackoverflow.com/questions/52032468/does-vsftpd-supports-mlsd-command it seems vsftpd does not. Not sure if that's a deal-breaker. Also I would like my local_root to be /mnt. However, https://wiki.gentoo.org/wiki/Vsftpd#Configuration tells me to "chown ftp /home/ftp", and I have; I've tried "local_root=/home/ftp" with the same result as "local_root=/mnt"... Command: LIST Error: Connection timed out....

Any help would be greatly appreciated and slow down my balding...

Last edited by FilthyPitDog on Fri Aug 13, 2021 9:46 am; edited 3 times in total

----------

## alamahant

Have you opened and port-forwarded this range of ports in your router?

```
pasv_min_port=50100
pasv_max_port=51100
```

Possibly also these:

```
ftp-data   20/tcp            # File Transfer [Default Data]
ftp-data   20/udp
ftp      21/tcp            # File Transfer [Control]
ftp      21/udp      fsp fspd
```

Also you might wish to add these in your vsftpd.conf:

```
force_local_data_ssl=YES
force_local_logins_ssl=YES
```

Best to use tor-browser to run your ftp test online utility.

----------

## FilthyPitDog

Yes, ports 50100:51100 are forwarded on my router. I added port 20 TCP/UDP to iptables.

Output of `iptables -L`:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:50100:51100
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ftps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

I also added

```
force_local_data_ssl=YES
force_local_logins_ssl=YES
```

To my vsftpd.conf, restarted vsftpd and same thing stops at Command: LIST... Ohh brother lol

----------

## alamahant

Plz comment out

```
#local_root=/mnt
```

So it will default to ~$USER. Maybe it makes a difference.

Also try opening a tor-browser and go to

```
ftp://<host> ###or maybe
ftps://<host>
```

----------

## FilthyPitDog

Thank you so much for helping out! Commented out line. Tried to connect again here is /var/log/vsftpd.log

```
Fri Jun 18 15:23:11 2021 [pid 2] CONNECT: Client "49.12.121.47"
Fri Jun 18 15:23:11 2021 [pid 2] FTP response: Client "49.12.121.47", "220 My Banner Goes Here"
Fri Jun 18 15:23:11 2021 [pid 2] FTP command: Client "49.12.121.47", "CLNT https://ftptest.net on behalf of foo.bar.com"
Fri Jun 18 15:23:11 2021 [pid 2] FTP response: Client "49.12.121.47", "530 Please login with USER and PASS."
Fri Jun 18 15:23:11 2021 [pid 2] FTP command: Client "49.12.121.47", "AUTH TLS"
Fri Jun 18 15:23:11 2021 [pid 2] FTP response: Client "49.12.121.47", "234 Proceed with negotiation."
Fri Jun 18 15:23:12 2021 [pid 2] FTP command: Client "49.12.121.47", "USER mrturcot"
Fri Jun 18 15:23:12 2021 [pid 2] [mrturcot] FTP response: Client "49.12.121.47", "331 Please specify the password."
Fri Jun 18 15:23:12 2021 [pid 2] [mrturcot] FTP command: Client "49.12.121.47", "PASS <password>"
Fri Jun 18 15:23:12 2021 [pid 1] [mrturcot] OK LOGIN: Client "49.12.121.47"
Fri Jun 18 15:23:12 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "230 Login successful."
Fri Jun 18 15:23:12 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "SYST"
Fri Jun 18 15:23:12 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "215 UNIX Type: L8"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "FEAT"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "211-Features:"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " AUTH TLS??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " EPRT??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " EPSV??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " MDTM??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " PASV??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " PBSZ??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " PROT??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " REST STREAM??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " SIZE??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " TVFS??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", " UTF8??"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "211 End"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "PBSZ 0"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "200 PBSZ set to 0."
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "PROT P"
Fri Jun 18 15:23:13 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "200 PROT now Private."
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "PWD"
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "257 "/home/mrturcot" is the current directory"
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "TYPE I"
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "200 Switching to Binary mode."
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "PASV"
Fri Jun 18 15:23:14 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "227 Entering Passive Mode (foo.bar.com)."
Fri Jun 18 15:23:15 2021 [pid 3] [mrturcot] FTP command: Client "49.12.121.47", "LIST"
Fri Jun 18 15:24:15 2021 [pid 3] [mrturcot] FTP response: Client "49.12.121.47", "425 Failed to establish connection."
Fri Jun 18 15:24:15 2021 [pid 2] [mrturcot] DEBUG: Client "49.12.121.47", "Control connection terminated without SSL shutdown."
```

local_root is correct (/home/mrturcot). I feel like it's so close!

----------

## alamahant

Try disabling iptables.

Maybe some problem with the range of ports.

Do you have this in .config?

```
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_NAT_FTP=m
CONFIG_IP_VS_FTP=m
```

Also, since you are using SSL, DON'T connect via IP. Plz use the domain.

Also this

```
rsa_cert_file=/etc/ssl/private/vsftpd.pem
```

is a self-signed certificate. Maybe unrelated to the issue at hand, but better to use Let's Encrypt.

Or if you are using a local client like lftp:

```
set ssl:verify-certificate no
```

Filezilla also has a setting no?

----------

## FilthyPitDog

I've cleared my iptables rules. I checked and I have 2 of those kernel options; however, I don't have CONFIG_IP_VS_FTP in my .config. I'm using the 5.12 kernel.

```
cat /usr/src/linux/.config |grep FTP
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NF_NAT_FTP=m
```

Also, I do connect via a domain/host name. I would like to use Let's Encrypt for my cert after I get this figured out... I'm at a loss, it still won't LIST. Thanks again for troubleshooting, alamahant.

----------

## alamahant

```
ls_recurse_enable=YES
```

in vsftpd.conf?

----------

## FilthyPitDog

Appended to vsftpd.conf and restarted the service, with the same result.

----------

## FilthyPitDog

Wow, turns out I needed to set up a DMZ on my firewall for my local PC and now everything works as intended. Not sure if this opens me up to any security risks? Or it just bypasses the real issue... In any case it works now. Cheers

----------

## figueroa

*FilthyPitDog wrote:*

> Wow, turns out I needed to set up a DMZ on my firewall for my local PC and now everything works as intended. Not sure if this opens me up to any security risks? Or it just bypasses the real issue... In any case it works now. Cheers

Now the entire Internet can invade you. Bad plan.

----------

## FilthyPitDog

I appreciate the advice and have switched off the DMZ. Just back to the same problem: it won't list. Filezilla log shows I'm connecting to port 990 > TLS connection established > Logged in > PWD /mnt is the current directory > switching to binary > entering extended passive mode > Connection timed out.... I'm at my wits' end... I have my passive ports forwarded on my router and added the TCP rules in iptables for those ports.

Last edited by FilthyPitDog on Wed Jun 23, 2021 4:08 am; edited 1 time in total

----------

## figueroa

EDIT -- ADDED: Obviously I didn't read the thread closely enough before jumping in. It looks like you hand-jam your own IPTABLES. Good for you!

Reply continues:

OK, if you really just meant a firewall on your PC and the firewall on your router is still in-effect, then DMZ on your PC's firewall is less of a problem. But, you should be able to fine tune your PC's firewall to allow vsftpd to function.

I don't use vsftpd (I use sftp as it meets my use cases), so I can't comment on it specifically, though I may try it. Perhaps post what software firewall runs on your Gentoo PC and someone will already know the trick for your settings.

ALSO ADDED: Your IPTABLES look good to me (I'm no authority.). But, since DMZ allowed vsftpd to work, it seems that's obviously where the problem is. Following with interest.

----------

## FilthyPitDog

Exactly, the only rules I have in iptables are

```
:OUTPUT ACCEPT [48675231:47380521714]
-A INPUT -p tcp -m tcp --dport 50100:51100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
```

And the only ports forwarded on my router are those that are in iptables. The firewall is active on my router and I enabled DMZ for the local IP of the server. I hope this is not that bad. I'll try with sftp with DMZ off and see how it goes!

Last edited by FilthyPitDog on Wed Jun 23, 2021 5:28 am; edited 1 time in total

----------

## figueroa

Wondering, do you also have a firewall mode set on your router other than NAT? That's probably a wild goose chase.

For what it's worth, with ssh/sftp, I only enable/forward my primary, non-standard, sshd port on the router, i.e. 2039 or whatever. I also use fail2ban with very hostile settings, and I get quite a bit less random probing by not using port 22.

----------

## alamahant

What DMZ host does at the router is open and forward ALL ports to a particular LAN IP.

If that works but your port range doesn't, it means that somehow you are not properly forwarding the range from the router to your host.

----------

## FilthyPitDog

*alamahant wrote:*

> What DMZ host does at the router is open and forward ALL ports to a particular LAN IP.
>
> If that works but your port range doesn't, it means that somehow you are not properly forwarding the range from the router to your host.

Thank you very, very much, this was the issue. It's all working great with DMZ off. The issue was not having all the passive ports forwarded correctly on my router.
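As an added example (not from the thread or from vsftpd itself), the following Python script performs alamahant's diagnosis mechanically: it decodes a 227 PASV reply into the data port the client will connect to, then checks that port against the pasv_min_port/pasv_max_port range in vsftpd.conf, the host's iptables ACCEPT rules, and the TCP ranges forwarded on the router, and also flags the related mistake of advertising an RFC 1918 address when pasv_address is unset. The sample reply, config and rules are constructed to mirror the thread (the address is an RFC 5737 placeholder, since the post shows it redacted), and the router forwarding list is an assumption you fill in from your router's port-forwarding page.

```python
import re
import ipaddress

# Constructed sample inputs mirroring the thread (IP is an RFC 5737 placeholder).
VSFTPD_CONF = "pasv_enable=YES\npasv_min_port=50100\npasv_max_port=51100\nlisten_port=990\n"
IPTABLES_RULES = ("-A INPUT -p tcp -m tcp --dport 50100:51100 -j ACCEPT\n"
                  "-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT\n")
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,197,150)."
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv_reply(reply):
    """Decode the (h1,h2,h3,h4,p1,p2) tuple of a 227 reply into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def pasv_range(conf):
    """Read pasv_min_port and pasv_max_port from vsftpd.conf text."""
    opts = dict(line.split("=", 1) for line in conf.splitlines()
                if "=" in line and not line.startswith("#"))
    return int(opts["pasv_min_port"]), int(opts["pasv_max_port"])

def accepted_tcp_ranges(rules):
    """Collect (lo, hi) port ranges from iptables-save ACCEPT rules that use --dport."""
    ranges = []
    for m in re.finditer(r"--dport (\d+)(?::(\d+))?.*-j ACCEPT", rules):
        lo = int(m.group(1))
        ranges.append((lo, int(m.group(2) or lo)))
    return ranges

def diagnose(reply, conf, rules, router_forwards):
    """Reasons this PASV data connection would fail; router_forwards is a list of (lo, hi)."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("PASV advertises private address %s; set pasv_address" % ip)
    lo, hi = pasv_range(conf)
    if not lo <= port <= hi:
        problems.append("data port %d is outside pasv_min_port..pasv_max_port" % port)
    if not any(a <= port <= b for a, b in accepted_tcp_ranges(rules)):
        problems.append("host iptables has no ACCEPT rule for data port %d" % port)
    if not any(a <= port <= b for a, b in router_forwards):
        problems.append("router does not forward data port %d to the server" % port)
    return problems

if __name__ == "__main__":
    # A router that forwards only the control port reproduces the thread's LIST timeout.
    print(diagnose(PASV_REPLY, VSFTPD_CONF, IPTABLES_RULES, [(990, 990)]))
```

The 197,150 pair from the thread's reply decodes to port 50582, which sits inside the configured passive range, so any timeout on LIST points at the path between the client and that port rather than at vsftpd.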

----------

