FTP Issues and Solutions
 

Noah Davids
Stratus Support Engineer
Stratus Technologies

mailto:noah.davids@stratus.com

FTP issues seem to be cropping up more and more often. This article will discuss several of the more common ones and present a possible solution.

Firewalls and connection problems:

Error messages reported by client applications are as varied as the clients themselves, but the symptoms are always the same. You can make a connection to the server and log in, but you cannot transfer any files or list a directory.

To understand the problem, you have to understand how FTP manages its connections and transfers a file. Listing a directory is treated the same way as transferring a file. Just to make things difficult, there are two different ways FTP can do this.

In default mode (figure 1), the FTP client sends a PORT command to the server telling it the IP address and port number on which it will listen. The FTP server then makes a connection from port 20 (the FTP data port) to the IP address and port number specified in the PORT command.

TCP from 164.152.77.50.4601 to 164.152.77.34.ftp
    seq  1051624986, ack  470841144, window 65145, 27 data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum 9df3,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    50 4f 52 54 20 31 36 34  2c 31 35 32 2c 37 37 2c * PORT 164,152,77,
     10    35 30 2c 31 37 2c 32 35  33  d  a                * 50,17,253<<

15:51:31.073 Xmit Ether Dst 00:0c:6e:3f:ab:45  Src 00:00:a8:41:3b:6e Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   2c, ID  963, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  91e4, Src a4984d22, Dst a4984d32
TCP from 164.152.77.34.ftp-data to 164.152.77.50.4605
    seq   483640561, ack     n.a., window  8192, 4 data bytes, flags Syn.
    X/Off 06, Flags 02, Cksum a0cb,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0     2  4  5 b4                                       <<<4
Figure 1: Making an FTP data connection - default mode

With passive mode (figure 2), the client first sends a PASV command to the server telling it to enter passive mode. The server responds by listening on a new port number and sending back a response to PASV that includes the port number. The client then connects to that port number.

15:28:05.563 Rcvd IP   Ver/HL 45, ToS  0, Len   2e, ID ca73, Flg/Frg 4000, TTL 80,  Prtl  6
          Cksum  4cd1, Src a4984d32, Dst a4984d22
TCP from 164.152.77.50.4503 to 164.152.77.34.ftp
    seq  2726681515, ack   70932649, window 65156, 6 data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum 305a,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    50 41 53 56  d  a                                 PASV<<

15:28:05.563 Xmit IP   Ver/HL 45, ToS  0, Len   5b, ID f1b6, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  a961, Src a4984d22, Dst a4984d32
TCP from 164.152.77.34.ftp to 164.152.77.50.4503
    seq    70932649, ack 2726681521, window  8192, 51 data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum 0fba,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    32 32 37 20 45 6e 74 65  72 69 6e 67 20 50 61 73 * 227 Entering Pas
     10    73 69 76 65 20 4d 6f 64  65 20 28 31 36 34 2c 31 * sive Mode (164,1
     20    35 32 2c 37 37 2c 33 34  2c 32 32 35 2c 31 37 32 * 52,77,34,225,172
     30    29  d  a                                         * )<<

15:28:05.564 Rcvd IP   Ver/HL 45, ToS  0, Len   30, ID ca74, Flg/Frg 4000, TTL 80,  Prtl  6
          Cksum  4cce, Src a4984d32, Dst a4984d22
TCP from 164.152.77.50.4514 to 164.152.77.34.57772
    seq  1470659224, ack     n.a., window 65535, 8 data bytes, flags Syn.
    X/Off 07, Flags 02, Cksum da0a,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0     2  4  5 b4  1  1  4  2                           <<<4<<<<
Figure 2: Making an FTP data connection - passive mode

What does all this mean? Look at the network diagram in figure 3. Both the client and the server are protected by firewalls. The server's firewall must allow packets addressed to the server's FTP control port (21) to go through, or a connection cannot be made to the server. However, a firewall will generally block any other incoming connection request. Assume that the client is using the default mode. It sends a PORT command to the server, which then attempts to connect to that port. This connection is blocked by the client's firewall. In passive mode, the server sends a port number to the client in the PASV response message, but when the client tries to connect to it, the connection is blocked by the server's firewall.

Most firewalls can monitor FTP connections for PORT commands and PASV responses and open the appropriate holes in the firewall to allow the connections. Once the connection terminates, the hole is closed. However, some firewalls can't or won't do this - at least not unless configured to do so by the network administrator.

Figure 3: Example network

The STCP FTP server supports passive mode starting in VOS releases 14.6.1az, 14.7.0ag, 15.0.0ac, and 15.1. The STCP FTP client supports passive mode starting in releases 14.7.2ah, 14.7.tl1.ag, 15.1.2ak, 15.1.tel.ah, 15.2 and 16.

On an ftServer® system, the Microsoft® Windows® IIS environment does support passive mode; however, it's a mixed bag for the client. You can configure Internet Explorer to use passive mode. Select "Internet Options" from the Tools menu. Then on the Advanced tab scroll down about half way and check "Use Passive FTP for firewall and DSL modem compatibility". See figure 4.

Figure 4: Configuring Internet Explorer to use passive mode

However, the FTP client you can run at the command prompt does not have a way to get into passive mode.

I'll end this section by explaining how to figure out the port number specified in the PORT command and in the response to PASV. The format is A,B,C,D,X,Y. A,B,C,D is the IP address; note that the octets are separated by commas, not dots. X,Y represent the port number, X being the high byte and Y the low byte, so the actual port number is calculated as 256 * X + Y.

For example, in figure 1 the client's PORT command specifies 164,152,77,50,17,253. The server connects to port 4605:
            17 * 256 + 253 = 4605
In figure 2 the response to PASV specifies 164,152,77,34,225,172. The client connects to port 57772:
            225 * 256 + 172 = 57772
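The decoding just described, as an added example that is not code from the original article or from STCP: a small Python decoder for the A,B,C,D,X,Y field list that handles both the PORT command and the 227 reply to PASV, together with the inverse encoder and a plausibility check. The function names, the range checks and the rule that the announced address should match the control connection's peer (a mismatch is exactly what a client behind NAT produces) are this example's own choices; the sample lines are the ones from figures 1 and 2.

```python
"""Decode and encode the h1,h2,h3,h4,p1,p2 field list used by the FTP PORT
command and by the 227 reply to PASV (RFC 959).  Example code written for
this article; not part of STCP or of any FTP implementation."""
import re

# The six comma-separated decimal fields may appear anywhere on the line, so
# one pattern serves "PORT 164,152,77,50,17,253" and
# "227 Entering Passive Mode (164,152,77,34,225,172)".
_HOSTPORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply.

    Raises ValueError if no well-formed field list is present or if a field
    does not fit in one byte (each field must be 0..255)."""
    m = _HOSTPORT_RE.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field list in: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range 0..255 in: %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    port = 256 * fields[4] + fields[5]   # p1 is the high byte, p2 the low byte
    return ip, port


def encode_hostport(ip, port):
    """Inverse operation: build the field list for an IPv4 address and port."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    octets = ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return ",".join(octets + [str(port // 256), str(port % 256)])


def announced_endpoint_matches_peer(control_peer_ip, port_line):
    """Check a server or proxy can apply to a PORT command: the address the
    client announces should be the address the control connection came from.
    A client behind NAT announces its inside address and fails this check."""
    ip, _port = decode_hostport(port_line)
    return ip == control_peer_ip


if __name__ == "__main__":
    # The two captures from the article, decoded.
    print(decode_hostport("PORT 164,152,77,50,17,253"))
    print(decode_hostport("227 Entering Passive Mode (164,152,77,34,225,172)"))
```

Running the block prints the two endpoints the article derives by hand, 164.152.77.50 port 4605 and 164.152.77.34 port 57772.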

NAT/PAT and connection problems:

Network Address Translation (NAT) and Port Address Translation (PAT) devices modify the IP address and/or port numbers in the IP header of all IP packets leaving the (inside) network. They keep track of the original and modified values so that when a response comes back, they can reverse the mapping. The typical reason for doing this is that the inside network has more devices (i.e., IP addresses) than the network has public IP addresses; the NAT/PAT devices allow you to multiplex the public IP addresses among the inside hosts. Another reason for using these devices is to delay (perhaps permanently) the readdressing of a large number of hosts. Some people also feel that these devices enhance security, since special configuration is needed to allow an outside host to initiate a connection to an inside host.

That, of course, is the "feature" that prevents FTP from working. Go back to figure 3 and imagine that the firewalls are now NAT devices. In default mode, the server makes a connection back to the client. But the IP address in the PORT message is the IP address that the client thinks it has, i.e., the inside address. The server probably does not have a route to that address. In addition, the port number in the PORT message does not have a mapping in the NAT/PAT map table. If you assume passive mode, you have the same problem from the server's end. Admittedly, it is less likely that the server has a NAT/PAT device in front of it, but it is not impossible. Like firewalls, the NAT/PAT device can be configured to send connections to port 21 to an FTP server.

Also like firewalls, NAT/PAT devices can be made to work with FTP. The trick is for the NAT/PAT device to monitor traffic passing through it and add a mapping that lets a connection to the requested port number through. Unlike firewalls, NAT/PAT devices must also modify the packets to change the inside IP address to the outside IP address. Because this can change the length of the PORT or PASV response messages, NAT/PAT devices must also be able to adjust the TCP sequence numbers and checksums. This must be done not only for the PORT and PASV response messages, but for all subsequent messages in the connection.
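To make the sequence-number point concrete, here is an added Python simulation of what an FTP-aware NAT/PAT device has to do with a client's PORT command. It is an illustration written for this article, not the code of any real device. The inside client address 10.0.0.5, the public address 203.0.113.7 and the PAT data-port range starting at 40000 are constructed values. The simulation rewrites the address and port, records the mapping that lets the server's data connection from port 20 be forwarded inside, and accumulates the byte difference so that the client's later sequence numbers and the server's acknowledgement numbers can be corrected. The mirror-image work for a 227 reply on a NAT in front of the server follows the same idea and is not repeated.

```python
"""Simulation of an FTP-aware NAT/PAT device handling a client's PORT
command.  Shows why such a device must rewrite message contents and then
keep correcting TCP sequence and acknowledgement numbers for the rest of
the control connection.  Example code written for this article; the inside
address 10.0.0.5, the public address 203.0.113.7 and the port range from
40000 are constructed values, not any vendor's configuration."""


def _split_hostport(arg):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', 256*p1 + p2)."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= v <= 255 for v in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(str(v) for v in fields[:4]), 256 * fields[4] + fields[5]


def _join_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Application-level gateway state for one FTP control connection."""

    def __init__(self, inside_ip, outside_ip, pat_start=40000):
        self.inside_ip = inside_ip
        self.outside_ip = outside_ip
        self.next_pat_port = pat_start
        self.data_map = {}    # outside data port -> (inside ip, inside port)
        self.seq_delta = 0    # bytes added so far to the client->server stream

    def translate_port_command(self, line):
        """Rewrite one client->server control line.  Returns (line, delta)."""
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        if cmd.upper() != "PORT":
            return line, 0    # not a PORT command: forwarded unchanged
        announced_ip, inside_port = _split_hostport(arg)
        if announced_ip != self.inside_ip:
            # The client announced an address this device does not translate.
            raise ValueError("PORT address %s is not the inside host" % announced_ip)
        outside_port = self.next_pat_port
        self.next_pat_port += 1
        self.data_map[outside_port] = (announced_ip, inside_port)
        new_line = "PORT %s\r\n" % _join_hostport(self.outside_ip, outside_port)
        delta = len(new_line) - len(line)   # the rewritten text is usually longer
        self.seq_delta += delta
        return new_line, delta

    def fix_client_seq(self, seq):
        """Later client->server segments: the server has already received
        seq_delta more bytes than the client believes it sent."""
        return (seq + self.seq_delta) & 0xFFFFFFFF

    def fix_server_ack(self, ack):
        """Server->client acknowledgements count the rewritten bytes, so they
        must be reduced by the same amount before the client sees them."""
        return (ack - self.seq_delta) & 0xFFFFFFFF

    def inbound_data_connection(self, dst_port):
        """A SYN from the server's port 20 arrives at outside_ip:dst_port.
        Returns the inside destination, or None when no PORT command created
        a mapping (such a SYN should be dropped)."""
        return self.data_map.get(dst_port)


if __name__ == "__main__":
    alg = FtpAlg("10.0.0.5", "203.0.113.7")
    rewritten, delta = alg.translate_port_command("PORT 10,0,0,5,17,253\r\n")
    print(rewritten.strip(), "(%+d bytes)" % delta)
    print("client seq 1000 is forwarded as", alg.fix_client_seq(1000))
    print("server ack 2000 is forwarded as", alg.fix_server_ack(2000))
    print("SYN to port 40000 goes to", alg.inbound_data_connection(40000))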

GUI interface user clients do not work:

The command line version of FTP is now passé; people want to be able to drag and drop files. The simplest way to do this is with Internet Explorer; just put in the URL for the FTP server and away you go (figure 5). Unfortunately, when connecting to an STCP server, you get something that appears to be very strange (figure 6). This is because the results of the "dir" command are not Unix-like and therefore cannot be parsed by the FTP client. You can still get a list, but you cannot do anything with it or get to any subdirectories.

Figure 5: Internet Explorer displaying a Windows based FTP site

Figure 6: Internet Explorer displaying a STCP-based FTP site

There is a suggestion to change the output so it is compatible with most GUI FTP clients (sftp-9), but I don't think it will ever be accepted. One reason is that there are FTP clients that can parse STCP's output, so changing it would break them. The programs that I have used in the past are TTWin (figure 7) and WS_FTP Pro (figure 8).

Figure 7: TTWin FTP client displaying a STCP-based FTP site

Figure 8: WS_FTP FTP client displaying a STCP-based FTP site

Passwords, File, and Directory content are visible to everyone:

There are two related security issues with FTP. First, anyone with an analyzer can see your password (figure 9). Second, anyone with an analyzer can see the contents of files you transfer (figure 10) and the contents of any directories that you list (figure 11).

16:32:33.488 Rcvd Ether Dst 00:00:a8:8f:81:ec  Src 00:0c:6e:3f:ab:45 Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   31, ID f8e8, Flg/Frg 4000, TTL 80,  Prtl  6
          Cksum  1e75, Src a4984d32, Dst a4984d06
TCP from 164.152.77.50.4550 to 164.152.77.6.ftp
    seq  42a7fa4a, ack 369c40a5, window ff71, 9. data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum ddb8,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    55 53 45 52 20 6e 64  d   a                       USER nd< <

16:32:33.492 Xmit Ether Dst 00:0c:6e:3f:ab:45  Src 00:00:a8:8f:81:ec Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   47, ID 8fd8, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  0b70, Src a4984d06, Dst a4984d32
TCP from 164.152.77.6.ftp to 164.152.77.50.4550
    seq  369c40a5, ack 42a7fa53, window 2000, 31. data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum 835c,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    33 33 31 20 50 61 73 73  77 6f 72 64 20 72 65 71 * 331 Password req
     10    75 69 72 65 64 20 66 6f  72 20 6e 64 2e  d  a    * uired for nd.<<

16:32:50.198 Rcvd Ether Dst 00:00:a8:8f:81:ec  Src 00:0c:6e:3f:ab:45 Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   42, ID f923, Flg/Frg 4000, TTL 80,  Prtl  6
          Cksum  1e29, Src a4984d32, Dst a4984d06
TCP from 164.152.77.50.4550 to 164.152.77.6.ftp
    seq  42a7fa53, ack 369c40c4, window ff52, 26. data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum 3bd5,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    50 41 53 53 20 74 68 69  73 69 73 6e 6f 74 6d 79 * PASS thisisnotmy
     10    70 61 73 73 77 6f 72 64   d  a                   * password<<
Figure 9: Passwords are available for everyone to see

16:38:43.202 Rcvd Ether Dst 00:00:a8:8f:81:ec  Src 00:0c:6e:3f:ab:45 Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   3b, ID fc77, Flg/Frg 4000, TTL 80,  Prtl  6
          Cksum  1adc, Src a4984d32, Dst a4984d06
TCP from 164.152.77.50.4550 to 164.152.77.6.ftp
    seq  42a7faa0, ack 369c413c, window feda, 19. data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum af42,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    52 45 54 52 20 73 75 70  65 72 5f 73 65 63 72 65 * RETR super_secre
     10    74  d  a                                         * t<<

16:38:47.299 Xmit Ether Dst 00:0c:6e:3f:ab:45  Src 00:00:a8:8f:81:ec Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   55, ID b0c9, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  ea70, Src a4984d06, Dst a4984d32
TCP from 164.152.77.6.ftp-data to 164.152.77.50.4578
    seq  3d1c9cc6, ack 7ad211a2, window 2000, 45. data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum df21,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    54 68 65 73 65 20 61 72  65 20 74 68 65 20 73 75 * These are the su
     10    70 65 72 20 73 65 63 72  65 74 20 6d 61 72 6b 65 * per secret marke
     20    74 69 6e 67 20 70 6c 61  6e 73 2e  d  a          * ting plans.<<
Figure 10: File contents are available for everyone to see

16:40:59.384 Rcvd Ether Dst 00:00:a8:8f:81:ec  Src 00:0c:6e:3f:ab:45 Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   2e, ID fd43, Flg/Frg 4000, TTL 80,  Prtl  6
          Cksum  1a1d, Src a4984d32, Dst a4984d06
TCP from 164.152.77.50.4550 to 164.152.77.6.ftp
    seq  42a7face, ack 369c41c3, window fe53, 6. data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum 57ae,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    4e 4c 53 54  d  a                                 NLST<<

16:41:07.259 Xmit Ether Dst 00:0c:6e:3f:ab:45  Src 00:00:a8:8f:81:ec Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len  5db, ID bedb, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  d6d8, Src a4984d06, Dst a4984d32
TCP from 164.152.77.6.ftp-data to 164.152.77.50.4586
    seq  3f501496, ack 142c538b, window 2000, 1459. data bytes, flags Ack.
    X/Off 05, Flags 10, Cksum a4aa,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    30 36 30 37 5f 68 6f 6d  65 2e 63 2e 67 6f 6f 64 * 0607_home.c.good
     10    2e 6f 75 74  d  a 31 37  2e 62 69 6f 2e 63 73 76 * .out<<17.bio.csv
     20     d  a 31 37 2e 73 74 61  74 73 2e 63 73 76  d  a * <<17.stats.csv<<
     30    31 38 2e 62 69 6f 2e 63  73 76  d  a 31 38 2e 73 * 18.bio.csv<<18.s
     40    74 61 74 73 2e 63 73 76   d  a 32 34 6c 69 6e 65 * tats.csv<<24line
     50    73 2e 6c 6f 67  d  a 32  35 6c 69 6e 65 73 2e 6c * s.log<<25lines.l
     60    6f 67  d  a 5f 65 64 69  74 2e 74 6c 69 5f 6c 6f * og<<_edit.tli_lo
     70    67 6d 32 5f 31 35 31 39  2e 31  d  a 61 2d 39 31 * gm2_1519.1<.a-91
Figure 11: Directory listings are available for everyone to see
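A defender's view of the three captures above, as an added example rather than anything from the article: a Python scanner that takes an already decoded FTP control conversation and raises findings for cleartext authentication and cleartext transfers, the kind of check a monitoring system runs to find out where FTP is still in use on a network. The sample session is constructed from the commands shown in figures 9, 10 and 11 plus a made-up 230 reply; the endpoint strings are the addresses from figure 9. A finding records the user name and the length of the password but never the password itself, so the alert store does not become a second place the secret sits in cleartext.

```python
"""Scan a decoded FTP control conversation for cleartext authentication and
cleartext transfers and produce findings for a monitoring pipeline.
Example code written for this article.  The session below is constructed
from the commands in figures 9, 10 and 11 with a made-up 230 reply."""
import re

# (direction, line): "C" is client->server, "S" is server->client.
SAMPLE_SESSION = [
    ("C", "USER nd"),
    ("S", "331 Password required for nd."),
    ("C", "PASS thisisnotmypassword"),
    ("S", "230 User nd logged in."),       # constructed reply, not in a figure
    ("C", "RETR super_secret"),
    ("C", "NLST"),
]

# FTP commands are three or four letters, optionally followed by an argument.
_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:[ \t]+(.*))?$")
_TRANSFER_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST"}


def scan_session(lines, client="164.152.77.50:4550", server="164.152.77.6:21"):
    """Return a list of finding dicts for one FTP control session."""
    findings = []
    user = None
    login_ok = False
    for direction, line in lines:
        line = line.rstrip("\r\n")
        if direction == "S":
            if line.startswith("230"):     # server accepted the credentials
                login_ok = True
            continue
        m = _CMD_RE.match(line)
        if m is None:
            continue
        cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if cmd == "USER":
            user = arg
        elif cmd == "PASS":
            findings.append({
                "severity": "high",
                "type": "cleartext-credential",
                "client": client, "server": server,
                "user": user,
                "password_length": len(arg),   # length only, never the value
            })
        elif cmd in _TRANSFER_CMDS:
            findings.append({
                "severity": "medium",
                "type": "cleartext-transfer",
                "client": client, "server": server,
                "command": cmd,
                "argument": arg,
            })
    # Mark credential findings with whether the server accepted the login.
    for f in findings:
        if f["type"] == "cleartext-credential":
            f["accepted"] = login_ok
    return findings


def summarize(findings):
    """Counts by finding type, for a dashboard or a quick check."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```

The scanner works on the control connection only; it does not need the data connections, which is convenient because, as the previous sections showed, those may live on unpredictable ports.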

Changing FTP port numbers breaks FTP:

One of the things I have been asked is how to change the port numbers that FTP uses. The rationale is that by changing the port numbers, the "bad" people with analyzers will no longer know what ports to monitor, and therefore, passwords and secret files will be safe. Security by obscurity is not security. There are software analyzers that do nothing but scan all packets looking for keywords like PASS (figure 9). A good port scanner will find all open ports, and by analyzing the banner sent when a connection is made, it will recognize that an FTP server is listening on that port.

While changing the port does not give you any real security, it does create some real problems. Go back to figure 3 and assume that the firewalls are smart enough to monitor for the PORT and PASV response messages. Typically, these devices only monitor connections using the FTP control port. So, when you change port numbers, they will no longer do this and data connections will fail. The same problem will also occur with NAT and PAT devices. There are probably ways to configure some devices to process messages on other ports, but you have to get your network administrator to do it — assuming you have a device that supports alternative ports.

In addition, you may also have some problems specifying the port number in the FTP client. The Windows command line client does not allow you to specify a port number from the "C" prompt (figure 12), but you can do it from the FTP environment using the open command (figure 13).

Figure 12: No way to specify an alternate port number from the command line

Figure 13: Specifying an alternate port number with the FTP open request

The STCP client works the same way. On the command line, you can only enter the host name or IP address of the server, but from the FTP environment, you can issue the open request with both an IP address/host name and a port number.

Both the GUI interfaces mentioned make it easy to connect to a server with a non-standard port number (see figures 14 and 15).

Figure 14: Specifying an alternate port number with TTWin

Figure 15: Specifying an alternate port number with WS_FTP Pro

OK, if after all this, you still want to change the port numbers, all you need to do is change the FTP entry in the services file (see figure 16).

Figure 16: STCP services file

Note that even though the ftp-data entry is there, it is not used. The data connection is always one less than the control port.

Solutions:

We have talked about four problems:
  1. Firewall connection problems
  2. NAT/PAT connection problems
  3. GUI interface user clients that don't work
  4. Passwords, file, and directory content visible to everyone
The good news is that all four of these problems have the same solution — Secure FTP or SFTP.

SFTP is part of the OpenSSL/OpenSSH process (Software purchase code S270), which became available in VOS 14.7 (release 1.0) and 15.1+ (release 2.0). It is not available in release 15.0.

SFTP uses only one connection from the client to the server. As long as the server's firewall is configured to allow a connection to the SSH server (over port 22), there will be no problems. SFTP can also be used over connections going through a NAT/PAT device and since all data is encrypted using SSL (figure 17), "bad" people with analyzers are mostly out of luck. Note: there are still ways to spy on these connections, specifically with man-in-the-middle attacks, but these types of attacks are not limited to SFTP.

19:27:34.729 Xmit Ether Dst 00:04:c1:09:78:60  Src 00:00:a8:41:3b:6e Type 0800 (IP)
IP   Ver/HL 45, ToS  0, Len   7c, ID d805, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  c072, Src a4984d22, Dst a4984fb1
TCP from 164.152.77.34.22 to 164.152.79.177.1430
    seq   455397298, ack 2023432541, window  8192, 84 data bytes, flags Push Ack.
    X/Off 05, Flags 18, Cksum 0135,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    23 50 9e a4 6f  4 3e 39  2e 29 6b 9f 16 23 e5 94  #P>$o<>9 .)k><#e>
     10    70 d7 9e 9e 46 74 d2 f7  c5 81  d 21 37 c6 39  d  pW>>FtRw E>.!7F9.
     20    e8 de  f be 2f 7c  1 45  d7 75 34 a1 a9 b4 4e b3  h^<>/|.E Wu4!)4N3
     30    ad 38 8e fc  0 3a a9 ab  82 4a 5d  1 84 e5 69  5  -8>| :)+ >J]<>ei<
     40    81 12 27 ba 43 58 5d 4c  99 46 f3 6b db 62 9d db  ><':CX]L >Fsk[b>[
     50    59 a3 e8  7                                       Y#h<
Figure 17: With SFTP all data is encrypted

There is a whole host of SFTP clients available for Windows and Unix® operating systems; just google SFTP. Three Windows-based clients that I have used are psftp, which is a command line tool, and WinSCP (figure 18) and SecureFX (figure 19), both of which present GUI interfaces.

Figure 18: WinSCP SFTP client

Figure 19: SecureFX SFTP client

In addition, the SFTP product for STCP also includes an sftp client (figure 20).

Figure 20: STCP's SFTP client

One final note, for those people wondering: yes, the STCP SSH server allows interactive logins (directly in release 2.0 and via tunneling in release 1.0) and the STCP SSH client can be used to log into another system running SSH.

Revision History
 Originally published in Vol 9 (October 2005) of the Stratus eCustomer/ePartner Newsletter
 Updated 06-06-05 to include information regarding sftp-248 bug fix - support for passive mode in STCP FTP client
 Updated 06-07-18 to include sftp-248 bug fix information for release 14.7.2ah
