Enable proftpd with PASSIVE MODE !!!!

JoaoCorreia

Guest
In proftpd.conf include these lines:

# Restrict the range of ports from which the server will select when sent the
# PASV command from a client. Use IANA-registered ephemeral port range of
# 49152-65534
PassivePorts 49152 65534

In your firewall script, enable this port range on TCP,
something like this in
/etc/sysconfig/iptables:


-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT


Regards
Joao Correia
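
Added example (not part of the original post, and not Plesk's or ProFTPD's own code): a shell check that the PassivePorts range in proftpd.conf is covered by a TCP ACCEPT rule in an iptables rules file, and how many ports beyond that range the rule opens. The function names and sample files are constructed for illustration; it assumes rules written in the style shown above.

```shell
#!/bin/sh
# Added example: is the PassivePorts range from proftpd.conf covered by a TCP
# ACCEPT rule in an iptables rules file, and how much wider is that rule?

# Print "MIN MAX" from the last PassivePorts directive; exit 1 if none is set.
passive_range() {
    awk '$1 == "PassivePorts" && NF >= 3 { r = $2 " " $3 }
         END { if (r == "") exit 1; print r }' "$1"
}

# Print "LO HI" for each TCP ACCEPT rule with a --dport (single port: LO = HI).
accept_ranges() {
    awk '/^-A / && / -p tcp / && / -j ACCEPT/ {
             for (i = 1; i < NF; i++) if ($i == "--dport") {
                 n = split($(i + 1), p, ":")
                 print p[1], (n == 2 ? p[2] : p[1])
             }
         }' "$1"
}

# check_passive CONF RULES prints one of:
#   unset            no PassivePorts directive in CONF
#   blocked          no single rule covers the whole passive range
#   covered extra=N  tightest covering rule opens N ports beyond the range
# Assumption: one rule must cover the range; adjacent rules are not merged.
check_passive() {
    range=$(passive_range "$1") || { echo "unset"; return 0; }
    accept_ranges "$2" | awk -v lo="${range% *}" -v hi="${range#* }" '
        $1 <= lo && $2 >= hi {
            extra = ($2 - $1) - (hi - lo)
            if (!found || extra < best) best = extra
            found = 1
        }
        END { if (found) print "covered extra=" best; else print "blocked" }'
}

# Constructed sample files (not taken from a real server).
demo() {
    d=$(mktemp -d)
    printf 'PassivePorts 49152 65534\n' > "$d/proftpd.conf"
    for ports in 49152:65534 1024:65535 21; do
        printf '%s\n' "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport $ports --syn -j ACCEPT" > "$d/rules"
        echo "$ports -> $(check_passive "$d/proftpd.conf" "$d/rules")"
    done
    rm -rf "$d"
}
demo
```

A nonzero "extra" means the firewall accepts connections on ports ProFTPD will never hand out for PASV, so either the rule or the PassivePorts range can be tightened.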
 
You can set up any passive ports you want in proftpd.conf, depending on your firewall. Then you must restart xinetd.
 
I ALWAYS add these directives to my proftpd.conf. I think Plesk should include them by default.

Code:
# delay on login off (are included on newest Plesk)
IdentLookups off
UseReverseDNS off

# Custom directives
TimeoutIdle                     900
TimeoutNoTransfer       900
PassivePorts                  49152 65534
TimesGMT                      Off

Also they should include an option to add port-RANGES in the Firewall module (for the PassivePorts this would be handy too).
 
It's always one of the first things I do when I re-set up my box or install a new version.

I don't use so many ports for it anyway.
 
Yuck...

...get with the times, you should be using SFTP over SSH - ftp, of course, sends username and password over the wire unencrypted.

To make this work, of course, you should install a shell like chmodded rssh (allows sftp and scp only, disallows direct login and command execution), or at a push, Plesk's built-in chmodded bash (but that's a bit riskier).

It's also a nice side-effect that you don't need to change any configs or open any more ports, it's all done through 22.
 
Chmodded ????

You mean chrooted ?

Plesk already supports nice chrooted SFTP for domains.
 
Umm

modprobe ip_conntrack_ftp

Seems to allow passive without making a dirty great big hole in one's firewall.

Stuart
 
Now there's someone who knows a little something about Linux.
 
Yeah and don't forget to do this again after a reboot.

What should be added in /etc/modprobe.conf to automate this ??

Just a new line with 'ip_conntrack_ftp' ?? Or with 'install' before it or something ?
 
Depends what OS/distro you're using.

For RHEL3, the proper way is to specify it in /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_ftp"

If you need to load two or more modules, separate them with spaces because the iptables script does a for-in on the IPTABLES_MODULES variable.
 