Poorly secured FTP services can be one of the causes of server attacks.

However, VsFTPd servers come with restricted root privileges, making it one of the safer FTP servers.

Sometimes, the VsFTPd server may not work as we expect and result in “227 Entering Passive Mode ftp: connect: Connection timed out“ error.

It happens mainly due to improper passive port range configuration in the server.

Today, we’ll see how our Support Engineers fixed the error as part of our Server Management Services.

What is VsFTPd?

VsFTPd is a secure, stable, and fast FTP server. Also, VsFTPd becomes the preferred FTP server for many sites that need simultaneous downloads.

In addition, a FTP server is vulnerable to server attacks because of cleartext password authentication. Password sniffing attacks that collect user names and passwords from the network are common in FTP server.

However, the VsFTPd server is more secure and the malicious user finds it more difficult to compromise directly. Because it does not use usernames, passwords. Also, VsFTPd does not run with root privileges. By default, VsFTPd transfers each file in binary mode to improve security.

Moreover, 227 entering passive mode in VsFTPd is a response code given by the server and indicates that the server is ready to connect to the client for establishing a data connection.

How we fixed issues related to 227 entering passive mode in VsFTPd

From our experience in managing servers, we’ve seen that many customers experiencing errors related to VsFTPd.

Let’s see how our Support Engineers fixed these issues.

1. Missing passive port range

Recently, one of the customers reported us with a problem after logging in VsFTPd server, he couldn’t list files using the command “ls” and results in an error like this,

ftp> ls
227 Entering Passive Mode (192,168,122,55,220,105)
ftp: connect: Connection timed out

Then our Support Engineers took the following steps to solve the error.

1. Firstly, we checked /var/log/vsftpd.log file to identify the cause of this error.

2. We found that the error is due to the improper passive port range configuration in /etc/vsftpd.conf file.

3. Therefore, we opened the port range 64000-64321 in /etc/vsftpd.conf file.

pasv_min_port=64000
pasv_max_port=64321

4. At last, we restarted the service VsFTPd.

service vsftpd restart

That’s solved the error. Now the directory listing is done by “ls” command.

2. Firewall blocks IP

Similarly, another customer had a directory listing issue with VsFTPd server. After executing the command “ls”, he was getting an error like 227 Entering Passive Mode ftp: connect: Connection timed out.

1. Firstly, our Support Engineers analyzed /var/log/vsftpd.log file to identify the cause of this error. We found an entry corresponding to the IP firewall blocks the request.

2. After that, we checked the  “ip_conntrack_ftp” module is enabled or not. The module was not activated in the firewall configuration file.

3. So, we enabled the “ip_conntrack_ftp” module in the FTP server’s iptables configuration.

For firewall like Iptables,

3.1. To add “ip_conntrack_ftp” module, open /etc/sysconfig/iptables-config file add the following code as shown below.

# stored in /etc/modprobe.conf.
IPTABLES_MODULES=”ip_conntrack_ftp”

4. In addition, we make sure that the passive port range has enabled in the VsFTPd configuration file.

5. Now, we restarted the iptables and VsFTPd services.

That fixed the error and the user could list the directory without any error.

[Getting 227 entering passive mode VsFTPd connect connection timed out error? We’ll fix it for you.]

Conclusion

In short, 227 entering passive mode in VsFTPd is a response given by the server. It indicates that the server is ready to connect to the client for establishing a data connection. Today, we saw how our Support Engineers fixed the error related to 227 entering passive mode in VsFTPd.