> Your web server does not have the SSH2 PHP module, therefore can not connect to SFTP servers.
This message is self-explanatory.
The version of PHP you are using to run your site does not have the PHP extension “ssh2”. This is something that your host needs to install and enable on your site.
Kindly note that this is already documented in https://www.akeeba.com/documentation/akeeba-backup-joomla/data-processing-engines.html#postproc-sftp. Please allow me to quote our documentation:
This engine uses the PHP extension called SSH2. The SSH2 extension is still marked as an alpha and is not enabled by default or even provided by many commercial hosts. In this case you may want to use the Upload to Remote SFTP server over cURL engine instead which uses PHP's cURL extension, available on most hosts.
> what port numbers do you want open on the firewall to make sure this works?
I am baffled. You are an IT manager. The question as posed makes no sense. What do you want me to say? SFTP: port 22. FTP: ports 21, 20 and 1024 to 65535. It's true but it sounds completely daft as you shouldn't (and don't need to!) open all these ports unconditionally.
If you don't already know, please do read how FTP works. Remember that Akeeba Backup uses Passive FTP by default.
If the connection takes place but there is no data transfer (the resulting file is 0 bytes) your problem is definitely that something in either the WEB or STORAGE server is blocking the data channel connection. Connecting and logging into the FTP server happens over the command channel (port 21). So does creating the folders and initiating the file upload. At this point the storage server starts listening to a randomly numbered port (the data channel of the connection) and tells your web server about it over the command channel (established over port 21). Your web server needs to open an outgoing connection to that random port and start sending the file data. If it fails to do so the connection times out and you end up with a zero byte file.
Our problem is that your web server needs to allow outgoing connections to this random data channel port. Of course you cannot open all ports 1024-65535 unconditionally, you might just as well drop the outgoing firewall rules! You need to open these ports conditionally: if they are related to an FTP connection made to a server's control channel over port 21. You do that with iptables and Linux' nf_conntrack_ftp kernel module. If an outgoing connection is opened related to the command channel port we should allow it.
Likewise, the storage server needs to only be listening to ports 21 (FTP command channel) and 20 (active FTP). Again, it should only open a connection to a random port 1024-65535 if it's related to the already established FTP connection.
Linking the random ports to established connections prevents exploitation of the open ports after the command channel closes.
On the STORAGE server end you can enable incoming FTP traffic with a simple set of iptables rules and the nf_conntrack_ftp kernel module:
modprobe nf_conntrack_ftp
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
On the WEB server you can enable outgoing FTP traffic very similarly:
modprobe nf_conntrack_ftp
iptables -A INPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Since Linux 4.7 you also need to set net.netfilter.nf_conntrack_helper=1 via sysctl (e.g. put it in /etc/sysctl.d/conntrack.conf).
If I understand correctly you are doing your own in-house IT management. You should really have a UNIX sysadmin, this is pretty standard stuff.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
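To make the data-channel failure described in the reply concrete, here is an added example that is not part of the original post and not Akeeba's code: a toy passive-mode FTP storage server and a client standing in for the web server, both on localhost, with a flag that simulates the web server's outgoing firewall dropping the connection to the randomly numbered data port while still letting the command channel through. Everything in it is an assumption made for the demo (the class and function names, the 1-second wait for the data connection, the file name backup.jpa, random unprivileged ports instead of 21/20); it touches no real firewall and simply shows why a blocked data channel ends in a 425 reply and zero bytes stored.

```python
import re
import socket
import threading

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Decode the 227 reply the storage server sends over the command channel."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv_reply(host, port):
    """Encode the data-channel endpoint the way a real server announces it."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (host.replace(".", ","), port // 256, port % 256)


class ToyStorageServer(threading.Thread):
    """Constructed stand-in for the STORAGE server: one control connection, one passive data channel."""

    def __init__(self, data_timeout=1.0):
        super().__init__(daemon=True)
        self.ctrl = socket.socket()
        self.ctrl.bind(("127.0.0.1", 0))   # random control port instead of 21 (no root needed for the demo)
        self.ctrl.listen(1)
        self.port = self.ctrl.getsockname()[1]
        self.data_timeout = data_timeout    # how long the server waits for the client to open the data channel
        self.received = 0                   # bytes that actually arrived over the data channel

    def run(self):
        conn, _ = self.ctrl.accept()
        self.ctrl.close()
        data_listener = None
        with conn, conn.makefile("r") as rfile:
            conn.sendall(b"220 toy storage server ready\r\n")
            for line in rfile:
                cmd, _, _arg = line.strip().partition(" ")
                if cmd == "PASV":
                    # Listen on a fresh random port in 1024-65535 and announce it over the command channel.
                    data_listener = socket.socket()
                    data_listener.bind(("127.0.0.1", 0))
                    data_listener.listen(1)
                    data_listener.settimeout(self.data_timeout)
                    conn.sendall(format_pasv_reply("127.0.0.1", data_listener.getsockname()[1]).encode())
                elif cmd == "STOR":
                    if data_listener is None:
                        conn.sendall(b"425 Use PASV first\r\n")
                        continue
                    conn.sendall(b"150 Ok to send data\r\n")
                    try:
                        data, _ = data_listener.accept()
                        with data:
                            while True:
                                chunk = data.recv(4096)
                                if not chunk:
                                    break
                                self.received += len(chunk)
                        conn.sendall(("226 Transfer complete, %d bytes\r\n" % self.received).encode())
                    except socket.timeout:
                        # The client never reached the random port: this is the "zero byte file" case.
                        conn.sendall(b"425 Can't open data connection\r\n")
                    finally:
                        data_listener.close()
                        data_listener = None
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    break


def upload(payload, data_channel_allowed=True):
    """WEB server side. Returns (final reply code, bytes the storage server received).

    data_channel_allowed=False simulates an outgoing firewall on the web server that drops the
    connection to the random data port while still letting the command channel through."""
    server = ToyStorageServer()
    server.start()
    ctrl = socket.create_connection(("127.0.0.1", server.port))
    with ctrl, ctrl.makefile("r") as rfile:
        rfile.readline()                                  # 220 banner
        ctrl.sendall(b"PASV\r\n")
        host, port = parse_pasv_reply(rfile.readline())   # learn the data port over the command channel
        if not 1024 <= port <= 65535:
            raise ValueError("data port %d outside the unprivileged range" % port)
        ctrl.sendall(b"STOR backup.jpa\r\n")              # constructed file name
        rfile.readline()                                  # 150: server is now waiting on the data port
        if data_channel_allowed:
            with socket.create_connection((host, port)) as data:
                data.sendall(payload)
        final = rfile.readline()                          # 226 on success, 425 when the data channel never opened
        ctrl.sendall(b"QUIT\r\n")
        rfile.readline()
    server.join()
    return final[:3], server.received


if __name__ == "__main__":
    print(upload(b"A" * 5000, data_channel_allowed=True))    # ('226', 5000)
    print(upload(b"A" * 5000, data_channel_allowed=False))   # ('425', 0)
```

The point the simulation makes is the one in the reply: login, PASV and STOR all succeed over the command channel even when the data port is unreachable, so a log showing a successful connection proves nothing about the data channel. The firewall has to read the 227 reply (that is what nf_conntrack_ftp does) to know which random port is RELATED to the control connection and may be opened.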