SERVICE: Stops Responding or 100% CPU

BPFTP Server has the ability to operate as a Windows System Service aka SERVICE-MODE (HOWTO).

This is essentially, the same as the normal GUI-MODE that you are used to seeing when you login to the computer and run the application, however it’s running under Session-0 (Windows System Service) and all GUI operations are hidden. This can make it more difficult to diagnose issues, as the software can only respond via the Windows Event Viewer (start, view) and the BPFTP Server Log (Settings -> Logging -> Settings -> “Saved Log-File Location”).

But, why is it not responding or is stuck at 100% ?!?!
I don’t immediately know the answer to this, the software doesn’t have any known problems which would cause this.. so we need to look at the environment, conditions and logs coming back from the software. It’s possible that there’s a network share that isn’t responding (the most likely issue), it’s also possible you’ve encountered an issue, in either case, we need more information…

When encountering a problem with running in SERVICE-MODE, it’s important to start breaking down the problem:

  • Look at the Windows System Service under “Windows Logs” -> “Application|System” -> Source=”BulletProof FTP Server”
  • View the BPFTP Server log file, make sure the software is terminated, so you see the current log. BPFTP Server -> Settings -> Logging -> Settings
  • Make sure you have the current version of the software, BPFTP Server -> Tools -> Check for Update and/or visit the web-site/changelog
  • Can you reproduce the error? Try running the software in DEBUG-MODE and send us the *.csl/*.zip. Don’t just email a giant log file… In order for us to find the issue, please perform the operation that reproduces the error, the date/time (so we can find it) and the symptoms of the issue.
  • LASTLY, and MOST IMPORTANTLY… run the software in the GUI mode, not the SERVICE mode. This will allow the UI to communicate with the desktop, so that you can see what’s going on. This is an absolute must, in order to discover the source of the issue. It doesn’t mean you’ll never be able to run SERVICE mode, only during the testing phase.
  • FTP Protocols and URLs

    FTP Protocols and URLs

    ProtocolPorts UsedWeb Browser Support?Encrypted?Example 
    FTP21 (+pasv)YESNOftp://myhost.mydomain.com
    FTPS Implicit990 (+pasv)NOYESftps://myhost.mydomain.com:990
    Implicit-Mode is FTP over TLS/SSL and was the first method of encrypting FTP and moves the control-port to 990 where it "implicitly" requires TLS/SSL to be used. Largely replaced by FTPS:Explicit.
    FTPS Explicit21 (+pasv)NOYESftpes://myhost.mydomain.coim
    Explicit is FTP over TLS/SSL and allows the ftp-client to turn-on encryption at login via the standard control-port tcp/ip 21. Once encryption is enabled (before login), everything communicated will be sent via TLS/SSL.
    SFTP22NOYESsftp://myhost.mydomain.com
    SFTP is FTP over SSH and is an extension of an SSH Server to allow for file-transfers. Considered a stable in the Unix/Linux world, and operating almost identical to "SCP", this protocol is considered industry standard for encrypted FTP.
    +PASV: In addition to the main port used to login and issue commands, you *must* define and port-forward the data-ports for any ftp-server on the internet and/or operating from behind a firewall. By default, the software is configured to use tcp/ip ports 30000 to 30100. These ports are used to communicate directory-listings and transfer-files.

    Firewall Ports

    ServiceTCP/IP PortDescription
    FTP21Initial port used for FTP, used for connecting, logging in and issuing commands
    FTP and FTPS30000 to 30100Data-Ports used for Data-Connections (directory-listings and file-transfers).

    These ports *MUST* be opened and port-forwarded in order to offer FTP to clients on the internet
    FTPS21,990Explicit vs Implicit Mode

    These two ports are used for connecting, logging in and issuing commands.
    SFTP22Standard SSH port, used for all communication (does not need PASV)

    HOWTO: Enabled SFTP for User Account

    As of version 2018.0.0.40, BulletProof FTP Server supports SFTP aka FTP over SSH in the Secure Edition of the product.

    Enabling SFTP for a given User-Account simply requires the toggling of the feature for the user-account, and specifying the authentication method. The two methods of authenticating are via Public-Key, Password or both. Optionally, you can specify that the authentication must happen via the keyboard.

    Turn on SFTP for User-Account
    (click for full-size)
    Optional: Enable Password Authentication
    (click for full-size)
    Optional: Enable Public-Key Authentication (Recommended)
    (click for full-size)

    HOWTO: Enabled SFTP for FTP Server

    As of version 2018.0.0.40, BulletProof FTP Server supports SFTP aka FTP over SSH in the Secure Edition of the product.

    Enabling SFTP is very simple and only requires a Private-Key. The Private-Key can be loaded via a file or text which has been copy/paste’d into the software (NOTE: text keys will be stored encrypted in the software).

    Enabled SFTP for the FTP Server
    Enable SFTP for the FTP Server (click for full-size)
    Generate Private-Key (click for full-size)
    Assigned Private-Key (click for full-size)

    HOWTO: Enter License-Code from Command-Line

    In some Windows configurations, it might be necessary to enter the license-code via the command-line. Specifically, in Windows Server where “Internet Explorer Enhanced Security” is turned on (More Info: here, here, here, here and here). When IE ESC is turned on, you’ll need to turn it off; this is because the dialog-box that appears for entering your registration code uses the IE WebKit and as a result the links won’t work correctly.

    However, you don’t have to disable IE ESC, you can also enter it via the command-line:


    1) Start -> Run -> "cmd" (enter)
    2) c:
    3) cd "C:\Program Files (x86)\BulletProof FTP Server"
    4) Working with a license-code that looks like...

    Name:John Doe
    Key:00012X-8d7DJF2-6F323F-JVQBUA-8DJF3F-28RR4E-02Z6PC-ZXG37G-QBFDH2-NPDPBM-9XS9D9-MPH56G

    Enter the following command:

    bpftpserver.exe QUIETREGISTER John Doe 00012X-8d7DJF2-6F323F-JVQBUA-8DJF3F-28RR4E-02Z6PC-ZXG37G-QBFDH2-NPDPBM-9XS9D9-MPH56G

    FEATURE: IP-Based Access-Control: Server Wide

    - Navigate to Management -> Security -> IP Access Control-Lists - Right-click and choose "Add IP/ACL" PLEASE NOTE: All rules should be added as a DENY rule ("-" minus) sign. Entering a ALLOW rule ("+" plus) will override the default rule of "+*.*.*.*" and turn IP/ACL into whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    – Navigate to Management -> Security -> IP Access Control-Lists
    – Right-click and choose “Add IP/ACL”
    PLEASE NOTE: All rules should be added as a DENY rule (“-” minus) sign. Entering a ALLOW rule (“+” plus) will override the default rule of “+*.*.*.*” and turn IP/ACL into whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    Enter the IP Address to be banned. Please note that the "Refuse IP Address Access" should be chosen. PLEASE NOTE: All rules should be added as a DENY rule ("-" minus) sign. Entering a ALLOW rule ("+" plus) will override the default rule of "+*.*.*.*" and turn IP/ACL into whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    Enter the IP Address to be banned. Please note that the “Refuse IP Address Access” should be chosen.
    PLEASE NOTE: All rules should be added as a DENY rule (“-” minus) sign. Entering a ALLOW rule (“+” plus) will override the default rule of “+*.*.*.*” and turn IP/ACL into whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    - Navigate to Server Monitor -> Log Watch In this example, you'll see the DENY rule being made for "-54.153.69.28" and you'll see the ftp-client disconnect and then attempt to reconnect again, only to be refused access.
    – Navigate to Server Monitor -> Log Watch
    In this example, you’ll see the DENY rule being made for “-54.153.69.28” and you’ll see the ftp-client disconnect and then attempt to reconnect again, only to be refused access.

    FEATURE: IP Based Access-Control for Users/Groups

    - Navigate to User/Group Manager -> Edit User/Group -> Restrictions - Right-click and choose "Add IP/ACL" PLEASE NOTE: All rules should be added as a DENY rule ("-" minus) sign. Entering a ALLOW rule ("+" plus) will override the default rule of "+*.*.*.*" and turn IP/ACL into whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    – Navigate to User/Group Manager -> Edit User/Group -> Restrictions
    – Right-click and choose “Add IP/ACL”
    PLEASE NOTE: All rules should be added as a DENY rule (“-” minus) sign. Entering a ALLOW rule (“+” plus) will override the default rule of “+*.*.*.*” and turn IP/ACL into whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    Enter the IP Address to be banned. Please note that the "Allow IP Address Access" should be chosen, in order to restrict a user|group to a specific IP Address (aka whitelist) PLEASE NOTE: All rules should be added as a DENY rule ("-" minus) sign. Entering a ALLOW rule ("+" plus) will override the default rule of "+*.*.*.*" and turn IP/ACL into whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    Enter the IP Address to be banned. Please note that the “Allow IP Address Access” should be chosen, in order to restrict a user|group to a specific IP Address (aka whitelist)
    PLEASE NOTE: All rules should be added as a DENY rule (“-” minus) sign. Entering a ALLOW rule (“+” plus) will override the default rule of “+*.*.*.*” and turn IP/ACL into whitelist only, where all IPs are rejected unless an ALLOW rule is created.
    - Navigate to Server Monitor -> Log Watch In this example, you'll see the ftp-client from "-54.153.69.28" is denied. This is because the IP/ACL was converted to a "whitelist" with a single ALLOW rule and "+192.168.0.*" does not match the incoming ftp-client.
    – Navigate to Server Monitor -> Log Watch
    In this example, you’ll see the ftp-client from “-54.153.69.28” is denied. This is because the IP/ACL was converted to a “whitelist” with a single ALLOW rule and “+192.168.0.*” does not match the incoming ftp-client.