Can't FTP in active mode from an EC2 instance (as a client)

We need to FTP in "active mode" using an Ubuntu EC2 instance as a client to a remote, non-EC2 FTP server.

Unfortunately, we can't use SFTP. We are able to connect using passive mode, but we need to use "active mode". I know active mode is problematic at the NAT level (private/public IPs), but is there a way to overcome that?

On the client (EC2 instance), using active mode, we got:

#ftp 11.11.11.11
Connected to 11.11.11.11.
220 (vsFTPd 3.0.2)
Name (11.11.11.11:ubuntu): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd files
250 Directory successfully changed.
ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use

The FTP server (not an EC2 instance) configuration is as follows:

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ascii_upload_enable=YES
ascii_download_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=ftp
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
seccomp_sandbox=NO
allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port=10024
pasv_max_port=10048
port_enable=YES
pasv_address=11.11.11.11

Inbound and outbound are wide open to the world!


A.B (comment): It's all happening on the client side, since active FTP connects back from the server to the client. If each layer of firewall or NAT between client and server doesn't implement an [ALG](https://en.wikipedia.org/wiki/Application-level_gateway) for FTP, it won't work. Maybe if you're using a tunnel between client and server to avoid NAT...

Appleoddity (comment): Consider first that an EC2 instance has a private IP address assigned to it, but through an internet gateway is reachable via a public IP address. The PORT command includes sending an IP address to the remote server to use to connect back to the client (in active mode). But the client only knows about its private IP address. So at the very least the server is receiving an invalid IP address to connect to (the private IP of the EC2 instance). I'm not sure why the particular "address in use" error, but you have to solve the primary issue before worrying about that.

Appleoddity (comment): The FTP client has to have a feature to recognize the public IP address or configure the IP address sent in the PORT command. Otherwise you're stuck doing incredibly inelegant hacks like this: https://serverfault.com/questions/889934/ftp-active-mode-and-nat-with-private-addressing-aws

Appleoddity (comment): The `lftp` client supports this feature (specifying the IP address for the PORT command): `ftp:port-ipv4`. I'm sure there are others. Drastic times call for drastic measures.