Xlight FTP Server Frequently Asked Questions
General questions
A mapped network drive becomes available only after a user logs in to the Windows computer. Windows service applications, however, are started before any user logs in. That is why you cannot access a virtual path linked to a mapped network drive when running Xlight FTP Server as a system service.
To use a network drive in a system service, you need to use the UNC path format "\\host-name\share-name\file_path", where host-name can be an IP address or a network name.
Server Upgrade & Backup questions
Before upgrading, you must stop the running FTP Server. If the FTP Server is running as a system service, go to "Control Panel->Manage Tools->Service", find and select "Xlight FTP Server" in the service window, right-click it, select "Stop" from the popup menu and then close the service window. Then you can choose either one of the following methods:
- Method 1: Uninstall the old version of Xlight; the old configuration files are kept. Reinstall the new version to the old installation path.
- Method 2: Download the 32-bit xlight.zip or the 64-bit xlight-x64.zip, unzip the file and use it to overwrite the old Xlight FTP Server executable, which by default is under "c:\program files\xlight".
Under the Xlight FTP Server installation folder ("c:\program files\xlight"), there are 5 files: "ftpd.hosts", "ftpd.option", "ftpd.password", "ftpd.rules", "ftpd.users". These are the configuration files of Xlight FTP Server. For the server configuration, you only need to back up these 5 files. If you use the quota function in Xlight FTP Server, you may also need to back up the file ".quota" in the same directory.
From Xlight FTP Server version 3.2 and above, there is an option to automatically back up configuration files. The option is at [Global Option]->[General]->[Backup After Configuration Change]. You need to select a destination directory for storing the configuration backup.
You need to do the following 3 steps:
Step 1. Download and install Xlight FTP on the new server.
Step 2. Under the old server's Xlight FTP installation folder ("c:\program files\xlight"), there are 5 files: "ftpd.hosts", "ftpd.option", "ftpd.password", "ftpd.rules", "ftpd.users". You need to copy these 5 files to the folder where Xlight FTP is installed on the new server. If you use the quota function in Xlight FTP Server, you may also need to copy the file ".quota" to the new server.
Step 3. The Xlight FTP license on the old server is stored in the registry at either one of the following two locations:
- "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xlight FTP"
- "HKEY_LOCAL_MACHINE\SOFTWARE\Xlight FTP"
You will need to copy the license to the same registry location on the new server.
Network related questions
There are three ways to input IP address ranges in Xlight FTP Server.
1. You can use the character * to represent the IP range 192.168.0.1 - 192.168.0.255 as 192.168.0.*.
2. You can set the IP range directly, such as 192.168.1.15 - 192.168.1.45.
3. You can use a subnet mask, such as 192.168.0.1/24 or 192.168.0.1/255.255.255.0.
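To check what an access-list entry really covers before relying on it, the three formats can be expanded to explicit first and last addresses. This is an added example, not Xlight's own code: the function names are hypothetical, the wildcard is handled only in the last octet as the FAQ defines it, and treating a subnet entry as the whole network block is an assumption.

```python
import ipaddress

def parse_range(spec):
    """Return (first, last) IPv4Address covered by one range entry."""
    spec = spec.strip()
    if "/" in spec:
        # Subnet form: prefix length or dotted mask. strict=False accepts
        # a host address such as 192.168.0.1 in front of the mask.
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in spec:
        # Explicit range "low - high".
        low, high = (ipaddress.IPv4Address(p.strip())
                     for p in spec.split("-", 1))
        if low > high:
            raise ValueError(f"range is reversed: {spec}")
        return low, high
    if spec.endswith(".*") and spec.count("*") == 1:
        # Wildcard form, last octet only; the FAQ defines 192.168.0.* as
        # 192.168.0.1 - 192.168.0.255.
        prefix = spec[:-2]
        return (ipaddress.IPv4Address(prefix + ".1"),
                ipaddress.IPv4Address(prefix + ".255"))
    # Plain single address.
    addr = ipaddress.IPv4Address(spec)
    return addr, addr

def covers(spec, ip):
    """True if the address falls inside the entry."""
    low, high = parse_range(spec)
    return low <= ipaddress.IPv4Address(ip) <= high

def size(spec):
    """Number of addresses the entry covers."""
    low, high = parse_range(spec)
    return int(high) - int(low) + 1

def overlaps(spec_a, spec_b):
    """True if two entries share at least one address."""
    a_low, a_high = parse_range(spec_a)
    b_low, b_high = parse_range(spec_b)
    return a_low <= b_high and b_low <= a_high

if __name__ == "__main__":
    for entry in ["192.168.0.*", "192.168.1.15 - 192.168.1.45",
                  "192.168.0.1/24", "192.168.0.1/255.255.255.0"]:
        low, high = parse_range(entry)
        print(f"{entry:30} {low} .. {high} ({size(entry)} addresses)")
```

Running `overlaps` across allow and deny entries is a quick way to spot two rules that claim the same addresses.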
"An existing connection was forcibly closed by the remote host"
It means that the remote side closed the connection (usually by sending a TCP/IP RST packet to the server). The likely causes are:
- The network link between the client and server is going down for some reason.
- The user exited the FTP client without a proper TCP shutdown sequence (killing the software, shutting down the computer directly, etc.).
So it is quite a common error, caused by the client side or by the network between client and server.
The FTP protocol needs two ports to work. The common port 21 is for FTP commands. The data port is for transferring files and directory lists. If you cannot see the directory list from outside, but the server works internally (you can test the server using the loopback IP 127.0.0.1, with a client on the same machine), then the FTP data port might be blocked by a firewall. Windows has a software firewall, so you should add the Xlight program to its exception list. If your company has a hardware firewall and the user who has the problem is outside the firewall, you should follow the link to set up firewall port forwarding.
The default TCP buffer size for Xlight is set to 32KB, optimized for thousands of online users. If you don't have that many users, you can adjust the TCP buffer size to increase network performance for each user. The TCP buffer size can be adjusted for a virtual server at [Virtual Server Configuration] - [Advanced] - [Socket Buffer Size] or for an individual user at [User Configuration] - [Option] - [Socket Buffer Size]. The base unit for this option is KB, so if you want to set a 64KB buffer, you can put the value 64 in it. You can check the Xlight help document for details of this option.
If your server has multiple NIC cards, the Dynamic IP (0.0.0.0) will bind to all available NIC cards. That means that your virtual server will listen on all NIC cards. If you select a specific IP associated with a NIC card, then the virtual server will listen only on this NIC card. If you move your server later and its IP changes, you won't need to worry when using Dynamic IP, because it isn't associated with a specific IP. But if you bind the virtual server to a specific IP, you need to adjust it accordingly, otherwise the virtual server with the incorrect IP will not be able to start.
"The requested address is not valid in its context".
You get this error because your virtual server was bound to a specific IP and this IP is no longer valid after you moved the server. You need to go to [Virtual Server Configuration] - [General] - [Virtual Server] - [Server IP and Port] to set the new IP for your virtual server.
Go to [Virtual Server Configuration] - [Security] - [IP Address Auto Blocking] and enable this option.
Set "IP auto blocking last for" to a value such as 600 seconds. Set the number of "failed logins" or "Hammer connections" to a value such as 5 and "in seconds" to 60.
This will auto block the IP for 600 seconds if it makes 5 connections or failed logins within 60 seconds. Setting the checking period for failed logins is only available from Xlight FTP version 3.9.3.
To check auto blocked IPs or unblock one of them, from the Xlight FTP main window, go to "Connection Detail" and click the small icon at the top left.
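Before settling on these three values, it helps to replay past login failures against them and see which addresses would have been blocked and whether ordinary users with occasional mistyped passwords would be caught. The following is an added example, not Xlight's code: the function name, the `(seconds, ip)` event tuples and the sample data are constructed, and the exact boundary handling (an event exactly 60 seconds old no longer counts, attempts during a block are not counted) is an assumption.

```python
from collections import defaultdict, deque

def simulate_auto_block(events, threshold=5, window=60, block_for=600):
    """Replay (timestamp_seconds, ip) failure events.

    Returns a list of (ip, blocked_from, blocked_until) in time order.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    blocked_until = {}            # ip -> time at which the block expires
    blocks = []
    for ts, ip in sorted(events):
        if blocked_until.get(ip, 0) > ts:
            continue              # still blocked: refused, not counted
        seen = recent[ip]
        seen.append(ts)
        # Drop failures that have aged out of the checking period.
        while seen and seen[0] <= ts - window:
            seen.popleft()
        if len(seen) >= threshold:
            blocked_until[ip] = ts + block_for
            blocks.append((ip, ts, ts + block_for))
            seen.clear()
    return blocks

# Constructed sample: one address hammering the login, and one user who
# mistypes a password every 20 seconds or so.
SAMPLE_EVENTS = (
    [(t, "203.0.113.10") for t in (0, 5, 10, 15, 20, 30, 100)]
    + [(t, "198.51.100.7") for t in (0, 20, 40, 61, 80)]
)

if __name__ == "__main__":
    for ip, start, end in simulate_auto_block(SAMPLE_EVENTS):
        print(f"{ip} blocked from t={start}s until t={end}s")
    # A stricter setting also blocks the user who only mistyped.
    for ip, start, end in simulate_auto_block(SAMPLE_EVENTS, threshold=3):
        print(f"threshold=3: {ip} blocked from t={start}s until t={end}s")
```

With the values from the answer above only the hammering address is blocked; lowering the count to 3 also locks out the second user, which is the trade-off to weigh when tuning.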
Active Directory, LDAP and ODBC database questions
From [Virtual Server Configuration] - [General] - [external user authentication], click the setup button. You can see the option "Show debug trace information in Error Log". Enabling this option will allow you to see debug information for external authentication in the Xlight FTP Server error log.
Microsoft has a special security policy: normal domain users cannot log on to an Active Directory domain controller. So when Xlight FTP Server is run on a domain controller, normal domain users cannot log on to the FTP Server through Active Directory authentication. You should run Xlight FTP Server on a different domain machine.
In case you must run the FTP Server on a domain controller, you have to grant the "Allow log on locally" system right to that user account in the domain. You can follow the step "Grant a Member the Right to Logon Locally" from Microsoft. You must reboot your machine for the change to take effect.
"IP xxx.xxx.xxx.xxx had made over 6 failed logins in the past 60 seconds, server will automatically ban this IP for 600 seconds to prevent from being lockout by Active Directory for hammering."
When Xlight FTP Server is configured to use Active Directory to authenticate users and there are many failed login attempts to Active Directory from the Xlight program in a short period of time, Active Directory will think that the Xlight FTP program is hammering it and will block the Xlight FTP program from accessing it. When this happens, you have to restart the Xlight service to unblock it, which is undesirable. So Xlight FTP Server has an internal protection mechanism to prevent this from happening, and that mechanism produces the error message that you see in the Xlight error log.
If you open the server port to the public internet, it will be probed by hackers using port scanners to look for new victims to exploit. A port scanner will try to log in to (break into) your server and can generate a lot of failed logins in a short time. If those logins are forwarded to Active Directory, they can trigger Xlight FTP Server's protection against those IPs hammering Active Directory. That could be the source of the above error message.
If you don't want those logins to be forwarded to Active Directory, there is something you can do. A port scanner normally uses a particular account such as "root" to break into your server. You can create a local FTP account "root" with nothing in it and select the Xlight user option “Bypass the external authentication for this user” from [User Configuration – Account] – [Account Other Options] – [Option for external authentication] for this account. With this option selected, all logins to this account will be local and will not be forwarded to Active Directory. You can repeat this step for other accounts used by port scanners.