All Products
Search

This Product

    Elastic Compute Service:Instance connection FAQ

    Document Center

    Elastic Compute Service:Instance connection FAQ

    Last Updated:Feb 14, 2026

    SSH remote connection issues

    SSH service startup issues and solutions

    Other FAQ and solutions

    Remote Desktop (RDP) connection issues

    Issues with remotely connecting to an instance using VNC

    Issues with remotely connecting to an instance using VNC

    Issues with connecting to the FTP service on an ECS instance

    Windows instances

    Linux instances

    Appendix

    The sshd service fails to start, and the system log reports an error: /usr/share/empty.sshd must be owned by root and not group or world-writable

    • Description

      The sshd service on an ECS instance fails to start. The system log shows that the OpenSSH server cannot start because of a permission issue. The error message reported in the system log is: /usr/share/empty.sshd must be owned by root and not group or world-writable

    • Causes

      The sshd service fails to start because the permissions of the /usr/share/empty.sshd file do not meet the requirements.

    • Solution

      chown -R root.root /usr/share/empty.sshd
chmod 744 /usr/share/empty.sshd
systemctl start sshd
ll -ld /usr/share/empty*

    What do I do if I cannot connect to and access the FTP service on an ECS instance that runs Windows from the Internet?

    Symptom

    The FTP service on a Windows ECS instance cannot be connected to or accessed from the Internet.

    Cause

    This issue may occur for the following reasons:

    Solutions

    Choose one of the following solutions based on your requirements.

    Solution 1: Add security group rules for FTP

    After you set up an FTP site on a Windows ECS instance, you must add an inbound rule to the security group of the instance. This rule must allow access to port 21 and the port range from 1024 to 65535, which the FTP server may use in passive mode. For more information, see Add a security group rule.

    Note

    For more information about security group configurations, see Security group application guide and use cases and Common ports.

    Solution 2: Configure firewall support for FTP

    If the firewall is enabled, you must configure IIS Manager to allow FTP traffic on TCP port 21 and the port range from 1024 to 65535. To do so, perform the following steps:

    Note

    • The internal firewall of a Windows ECS instance is disabled by default.

    • This topic describes how to configure FTP using IIS Manager as an example.

    1. Remotely connect to the Windows instance.

      For more information, see Log on to a Windows instance using a password or key.

    2. Open IIS Manager and double-click FTP Firewall Support to open its configuration page.

    3. Configure the parameters and click Apply.

      Note

      The parameters are described as follows:

      • External IP Address of Firewall: Enter the public IP address of the Windows ECS instance.

      • Data Channel Port Range: The range of ports for passive connections. The valid port range is 1025 to 65535. You can set a custom range based on your requirements. For example, you can enter 1024 to 65535.

    4. Open the command line and run the following command to restart the FTP service. This ensures that the new configuration overwrites the existing configuration for each FTP site.

      net stop ftpsvc&net start ftpsvc

    5. (Optional) If you can access the FTP server from the local machine but not from other machines after the FTP server is configured, the issue is caused by an incorrect firewall configuration. Perform the following steps to configure the firewall:

      1. First, check the inbound rules in Server Manager to ensure that the FTP server is enabled.

      2. Add the main process of the Windows service.

        1. Go to Control Panel > Windows Firewall. In the left navigation pane, click Allow an App or Feature Through Windows Firewall.

        2. In the new window, click Allow Another App.... In the Browse window, open C:\Windows\System32\svchost.exe to add the service host process.

        3. When a Windows Service Host Process item appears, select the Private and Public checkboxes, and then click OK.

    What do I do if I receive a "530 Login incorrect" error when I connect to the FTP server on an ECS instance that runs Windows?

    Symptom

    When you connect to the FTP server on a Windows ECS instance, the following error message is displayed.

    Response: 331 Please specify the password.
Command: PASS ************
Response: 530 Login incorrect.
Error: Critical error: Could not connect to server
    Cause

    This issue may occur for the following reasons:

    Solutions

    Choose one of the following solutions based on your requirements.

    Solution 1: Change the FTP password

    1. Remotely connect to the Windows instance.

      For more information, see Log on to a Windows instance using a password or key.

    2. You can open Server Manager by right-clicking Computer > Manage on the desktop.

    3. In the left navigation pane, click Local Users and Groups > Users. Right-click the FTP account and select Set Password.

    Solution 2: Add FTP user permissions

    1. Remotely connect to the Windows instance.

      For more information, see Log on to a Windows instance using a password or key.

    2. Check whether the directory for the FTP user exists.

      1. If the directory does not exist, see Step 3: Set permissions for shared files to recreate the directory for the FTP user and add the required permissions.

      2. If the file already exists, right-click the folder and select Properties > Security. Then, select the FTP account and grant the required permissions.

    What do I do if I receive a "530 valid hostname is expected" error when I connect to the FTP server on an ECS instance that runs Windows?

    Symptom

    After you attach a domain name to an FTP site on IIS 7.5, a "530 valid hostname is expected" or "503 Login with USER first" error occurs when you connect to the FTP server on the Windows ECS instance using an IP address or other methods.

    Cause

    This issue occurs because the logon format is incorrect after you attach a domain name to an FTP site that is configured in IIS 7.5.

    Solution

    If the domain name attached to the FTP site is www.example.com and the username is user, you must use the www.example.com|user format to log on.

    Note

    • The separator is a pipe symbol (|).

    • Alternatively, you can remove the domain name attachment and log on using only the username. The following figure shows how to perform this operation.

    What do I do if uploading a file to FileZilla Server using FTP on an ECS instance that runs Windows fails with a "550 Permission denied" error?

    Symptom

    When you use FTP to upload a file to FileZilla Server on a Windows ECS instance, a "550 Permission denied" error is returned.

    Cause

    The FTP account in FileZilla Server does not have the write permission.

    Solution

    1. Remotely connect to the Windows instance.

      For more information, see Log on to a Windows instance using a password or key.

    2. Start FileZilla Server. On the Users page, select Shared folders.

    3. Select the user and directory, select the Write check box, and click OK to grant the permission.

    What do I do if I receive a "534 Policy requires SSL" error when I connect to an FTP site created by the IIS service on a Windows instance using FTP over TLS?

    Description

    When you use FTP over TLS to connect to an FTP site that is created by the IIS service on a Windows instance, a "534 Policy requires SSL" error is reported and the connection fails.

    Cause

    The response message "534 Local policy on server does not allow TLS secure connections." indicates an incorrect FTP SSL Settings parameter for the FTP site.

    Solution

    1. Remotely connect to the Windows instance.

      For more information, see Connection methods.

    2. In the lower-left corner of the desktop, choose 开始图标 > Windows Administrative Tools > Internet Information Services (IIS) Manager.

    3. In the FTP area on the FTP homepage, double-click FTP SSL Settings.

    4. Under FTP SSL Settings, set the SSL Policy to Allow SSL connections. Then, in the Actions pane, click Apply.

    5. Try to access the FTP site again.

    What do I do if I receive a "425 Security:Bad IP connection" error when I upload a file to an FTP site on an ECS instance that runs Linux?

    Symptom

    A "425 Security:Bad IP connection" error occurs when a user uploads a file to an FTP site on a Linux ECS instance.

    Cause

    This issue usually occurs because the client is in a Network Address Translation (NAT) network that is associated with more than one public IP address. This causes the source IP address to be inconsistent between the control connection and the data connection, which results in the error.

    Note

    The FTP service uses two simultaneous connections: a control connection and a data connection. By default, the FTP server verifies that the source IP addresses of the two connections match during data transmission. If the IP addresses do not match, the server returns a "425 Security:Bad IP connection" error.

    Solution

    Perform the following steps to disable the IP security check in passive mode.

    1. Remotely connect to the Linux instance.

      For more information, see Log on to a Linux instance using a password or key.

    2. Run the following command to edit the FTP configuration file.

      vi /etc/vsftpd/vsftpd.conf

    3. Press the i key to enter edit mode. Add the following content to the configuration file.

      pasv_promiscuous=yes

    4. After you finish editing, press the Esc key to exit edit mode. Then, enter :wq and press the Enter key to save the changes and exit.

    5. Run the following command to restart the FTP service.

      systemctl restart vsftpd

    What do I do if uploading a file using vsftp on an ECS instance that runs Linux fails with a "553 Could not create file" error?

    Symptom

    File uploads to a Linux ECS instance using vsftp fail with the "553 Could not create file" error.

    Cause

    This issue may occur for the following reasons:

    • The disk space of the Linux instance is full.

    • The FTP home directory does not have the write permission.

    Solution

    Perform the following steps to check the disk space of the Linux instance and the permissions of the FTP home directory.

    1. Remotely connect to the Linux instance.

      For more information, see Log on to a Linux instance using a password or key.

    2. Run the following command to check if insufficient disk space on the Linux instance caused the file upload to fail.

      df -h
      Note

      A disk partition is considered full when its space usage is 100%.

      The system returns a message similar to the following example, in which the space usage of the /dev/xvda1 partition is 59%.

    3. Run the following command to check whether the FTP home directory has the write permission.

      Note

      Before you run the following command, replace /home/user with the actual FTP home directory.

      ls -l /home/user

      If the permissions shown in the red box in the following figure do not include w, you do not have the write permission.

      1111

    4. Run the following command to add the write permission and save the change. 

      chmod +w /home/user

    5. Run the following command. If the command output contains w, the write permission is granted.

      ls -l /home/user