Help with getting connected via FTP on a Cpanel server

[kiasujones]

Hi ConfigServer friends!

I recently installed the CSF and LFD software onto my Cpanel server and I experiencing some problems with users who wish to connect via FTP.
My FTP keep complaining to me that they are unable to list directories of the folder that they have access to.

When I attempted to replicate their experience, I found that this complaint was true.
While using Filezilla ver 3.58.0, I could connect successfully but the status would end at 'Status: Retrieving directory listing...' with no directory listing at all.

I have tried to search on the ConfigServer forums for a solution and have tried quite a few potential solutions, including adding 'allow incoming TCP ports: 30000:35000' to the CSF setting 'TCP_IN' as recommended in this forum post:
viewtopic.php?p=26632&hilit=Filezilla#p26632

However I am still not able to list directories when connecting via FTP.
The only way I can list directories when connecting via FTP is to disable the CSF and LFD software.

Can I ask if there any CSF users here who also use it on their Cpanel servers?
How did you manage to connect via FTP?
Can anyone help me to resolve this FTP issue?

Below are the logs taken from the Filezilla ver 3.58.0 software:
--------------------------------------------------
2022-07-16 20:49:56 38016 1 Status: Resolving address of ftp.vtt.webxxx.xx
2022-07-16 20:49:56 38016 1 Status: Connecting to 1xx.2xx.2x.2xx:x...
2022-07-16 20:49:56 38016 1 Status: Connection established, waiting for welcome message...
2022-07-16 20:49:56 38016 1 Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
2022-07-16 20:49:56 38016 1 Response: 220-You are user number 4 of 50 allowed.
2022-07-16 20:49:56 38016 1 Response: 220-Local time is now 20:49. Server port: 21.
2022-07-16 20:49:56 38016 1 Response: 220-This is a private system - No anonymous login
2022-07-16 20:49:56 38016 1 Response: 220-IPv6 connections are also welcome on this server.
2022-07-16 20:49:56 38016 1 Response: 220 You will be disconnected after 15 minutes of inactivity.
2022-07-16 20:49:56 38016 1 Command: AUTH TLS
2022-07-16 20:49:56 38016 1 Response: 234 AUTH TLS OK.
2022-07-16 20:49:56 38016 1 Status: Initializing TLS...
2022-07-16 20:49:56 38016 1 Status: Verifying certificate...
2022-07-16 20:49:56 38016 1 Status: TLS connection established.
2022-07-16 20:49:56 38016 1 Command: USER ftpx@vtt.webxxx.xx
2022-07-16 20:49:56 38016 1 Response: 331 User ftpx@vtt.webxxx.xx OK. Password required
2022-07-16 20:49:56 38016 1 Command: PASS ************
2022-07-16 20:49:56 38016 1 Response: 230 OK. Current restricted directory is /
2022-07-16 20:49:56 38016 1 Command: SYST
2022-07-16 20:49:56 38016 1 Response: 215 UNIX Type: L8
2022-07-16 20:49:56 38016 1 Command: FEAT
2022-07-16 20:49:56 38016 1 Response: 211-Extensions supported:
2022-07-16 20:49:56 38016 1 Response: UTF8
2022-07-16 20:49:56 38016 1 Response: EPRT
2022-07-16 20:49:56 38016 1 Response: IDLE
2022-07-16 20:49:56 38016 1 Response: MDTM
2022-07-16 20:49:56 38016 1 Response: SIZE
2022-07-16 20:49:56 38016 1 Response: MFMT
2022-07-16 20:49:56 38016 1 Response: REST STREAM
2022-07-16 20:49:56 38016 1 Response: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
2022-07-16 20:49:56 38016 1 Response: MLSD
2022-07-16 20:49:56 38016 1 Response: PRET
2022-07-16 20:49:56 38016 1 Response: AUTH TLS
2022-07-16 20:49:56 38016 1 Response: PBSZ
2022-07-16 20:49:56 38016 1 Response: PROT
2022-07-16 20:49:56 38016 1 Response: TVFS
2022-07-16 20:49:56 38016 1 Response: ESTA
2022-07-16 20:49:56 38016 1 Response: PASV
2022-07-16 20:49:56 38016 1 Response: EPSV
2022-07-16 20:49:56 38016 1 Response: ESTP
2022-07-16 20:49:56 38016 1 Response: 211 End.
2022-07-16 20:49:56 38016 1 Command: OPTS UTF8 ON
2022-07-16 20:49:56 38016 1 Response: 504 Unknown command
2022-07-16 20:49:56 38016 1 Command: PBSZ 0
2022-07-16 20:49:56 38016 1 Response: 200 PBSZ=0
2022-07-16 20:49:56 38016 1 Command: PROT P
2022-07-16 20:49:56 38016 1 Response: 200 Data protection level set to "private"
2022-07-16 20:49:56 38016 1 Status: Logged in
2022-07-16 20:49:56 38016 1 Status: Retrieving directory listing...
2022-07-16 20:49:56 38016 1 Command: PWD
2022-07-16 20:49:56 38016 1 Response: 257 "/" is your current location
2022-07-16 20:49:56 38016 1 Command: TYPE I
2022-07-16 20:49:56 38016 1 Response: 200 TYPE is now 8-bit binary
2022-07-16 20:49:56 38016 1 Command: PASV
2022-07-16 20:49:56 38016 1 Response: 227 Entering Passive Mode (1xx.2xx.2x.2xx,120)
2022-07-16 20:49:56 38016 1 Command: MLSD
2022-07-16 20:50:05 38016 1 Error: Directory listing aborted by user
2022-07-16 20:50:06 38016 1 Status: Disconnected from server

[Sergio]

What type of FTP software are you using? CyberDuck? FileZilla?
Well, some of them when connecting to FTP tries to connect in passive ports that usually are not set at CSF config file.
Usually you use ports 20 or 21, but when the FTP software connects, it automatically tries to use IPs over high ports.

Enter into your CSF configuration and search for the following:

All listed ports should be removed from TCP_IN/UDP_IN to block access from
elsewhere. This option uses the same format as TCP_IN/UDP_IN

An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
then only countries listed in CC_ALLOW_PORTS can access FTP

In my CSF configuration I have the following set:

CC_ALLOW_PORTS = GB,US (here I have a list of Country Codes that belongs to my customers, Ex. US,GB)
CC_ALLOW_PORTS_TCP = 20,21,49152:65534 (those countries are the only ones that can access FTP active and passive ports)

Hope this helps,
Sergio

[kiasujones]

Big thank you for your reply, Sergio!

I am using Filezilla ver 3.58.0.
I added the following to my CSF config file and now my FTP directory listing works!
CC_ALLOW_PORTS = MY COUNTRY CODE
CC_ALLOW_PORTS_TCP = 20,21,49152:65534

This is good news for me and my users!
My question is how do those big hosting companies with powerful Cpanel servers that have 200 - 300 Cpanel accounts handle this?
Do they have to add every COUNTRY CODE into: CC_ALLOW_PORTS = ___________________super duper long list_____________________?

What type of FTP software are you using? CyberDuck? FileZilla?
Well, some of them when connecting to FTP tries to connect in passive ports that usually are not set at CSF config file.
Usually you use ports 20 or 21, but when the FTP software connects, it automatically tries to use IPs over high ports.

Enter into your CSF configuration and search for the following:

All listed ports should be removed from TCP_IN/UDP_IN to block access from
elsewhere. This option uses the same format as TCP_IN/UDP_IN

An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
then only countries listed in CC_ALLOW_PORTS can access FTP

In my CSF configuration I have the following set:

CC_ALLOW_PORTS = GB,US (here I have a list of Country Codes that belongs to my customers, Ex. US,GB)
CC_ALLOW_PORTS_TCP = 20,21,49152:65534 (those countries are the only ones that can access FTP active and passive ports)

Hope this helps,
Sergio

[Sergio]

My question is how do those big hosting companies with powerful Cpanel servers that have 200 - 300 Cpanel accounts handle this?
Do they have to add every COUNTRY CODE into: CC_ALLOW_PORTS = ___________________super duper long list_____________________?

Well, what we do is that when a customer buys an account in his/her info it shows from what country he/she is and that is the country code that we add to the list on the server that the customer is assigned, most of the customers are from the same country, so, the list is not very long.

I am glad that my info helped you.

Sergio