Enable proftpd with PASSIVE MODE !!!!

Discussion in 'Plesk for Linux - 8.x and Older' started by JoaoCorreia, Jun 7, 2005.

  1. JoaoCorreia

    JoaoCorreia Guest

    In proftpd.conf include these lines:

    # Restrict the range of ports from which the server will select when sent the
    # PASV command from a client. Use IANA-registered ephemeral port range of
    # 49152-65534
    PassivePorts 49152 65534

    In your firewall script, enable this port range on TCP.
    something like this on

    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT

    Joao Correia
  2. hardweb

    hardweb Guest

    You can set up any passive ports you want in proftpd.conf, depending on your firewall. Then you must restart xinetd.
  3. BoXie

    BoXie Guest

    I ALWAYS add these directives to my proftpd.conf. I think Plesk should include them by default.

    # delay on login off (are included on newest Plesk)
    IdentLookups off
    UseReverseDNS off
    # Custom directives
    TimeoutIdle                     900
    TimeoutNoTransfer       900
    PassivePorts                  49152 65534
    TimesGMT                      Off

    Also they should include an option to add port-RANGES in the Firewall module (for the PassivePorts this would be handy too).
  4. CosmicD

    CosmicD Guest

    it's always one of the first things I do when I re-setup my box or install a new version.

    I don't use so many ports for it anyway
  5. philjohn

    philjohn Guest


    ...get with the times, you should be using SFTP over SSH - ftp, of course, sends username and password over the wire unencrypted.

    To make this work, of course, you should install a shell like chmodded rssh (allows sftp and scp only, disallows direct login and command execution), or at a push, Plesk's built-in chmodded bash. (but that's a bit riskier).

    It's also a nice side-effect that you don't need to change any configs or open any more ports, it's all done through 22.
  6. BoXie

    BoXie Guest

    Chmodded ????

    You mean chrooted ?

    Plesk already supports nice chrooted SFTP for domains.
  7. perlboy

    perlboy Guest


    modprobe ip_conntrack_ftp

    Seems to allow passive without making a dirty great big hole in one's firewall.

  8. serial-thrilla

    serial-thrilla Guest

    now there's someone who knows a little something about linux
  9. BoXie

    BoXie Guest

    Yeah and don't forget to do this again after a reboot.

    What should be added in /etc/modprobe.conf to automate this ??

    Just a new line with 'ip_conntrack_ftp' ?? Or with 'install' before it or something ?
  10. serial-thrilla

    serial-thrilla Guest

    depends what OS/distro you're using.

    for rhel3, the proper way is to specify it in /etc/sysconfig/iptables-config:

    if you need to load two or more modules, separate them with spaces because the iptables script does a for-in on the IPTABLES_MODULES variable.
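
An added example, not part of any post in this thread: a shell check that the PassivePorts range in proftpd.conf is covered by a TCP ACCEPT rule in an iptables rules file, or failing that, whether ip_conntrack_ftp is listed in IPTABLES_MODULES. The function names, file names and sample file contents are assumptions constructed for illustration.

```shell
# Added example: is the PassivePorts range from proftpd.conf reachable through the firewall?

# Print "LOW HIGH" from the last PassivePorts directive in proftpd.conf ($1).
passive_range() {
    awk '$1 == "PassivePorts" && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { lo = $2; hi = $3 }
         END { if (lo == "") exit 1; print lo, hi }' "$1"
}

# Succeed if rules file $1 has a TCP ACCEPT rule whose --dport covers $2..$3.
# Rule order and earlier DROP/REJECT rules are not evaluated.
range_accepted() {
    awk -v lo="$2" -v hi="$3" '
        /^-A / && /-p tcp / && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                a = r[1] + 0; b = (n > 1 ? r[2] : r[1]) + 0
                if (a <= lo + 0 && hi + 0 <= b) found = 1
            }
        }
        END { exit !found }' "$1"
}

# Succeed if iptables-config style file $1 lists ip_conntrack_ftp in IPTABLES_MODULES.
helper_configured() {
    grep -Eq '^IPTABLES_MODULES=.*ip_conntrack_ftp' "$1"
}

# audit PROFTPD_CONF RULES_FILE IPTABLES_CONFIG -> one-line verdict on stdout
audit() {
    range=$(passive_range "$1") || { echo "no-passiveports"; return 0; }
    set -- "$2" "$3" $range          # now: $1=rules $2=iptables-config $3=low $4=high
    if range_accepted "$1" "$3" "$4"; then echo "range-open $3-$4"
    elif helper_configured "$2"; then echo "helper-only $3-$4"
    else echo "blocked $3-$4"; fi
}

# Constructed sample files (not taken from a real server).
make_samples() {
    printf '%s\n' '# Custom directives' 'PassivePorts 49152 65534' > "$1/proftpd.conf"
    printf '%s\n' '-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT' > "$1/rules.open"
    printf '%s\n' '-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT' > "$1/rules.closed"
    printf '%s\n' 'IPTABLES_MODULES="ip_conntrack_ftp"' > "$1/iptables-config"
}

tmp=$(mktemp -d) && make_samples "$tmp"
audit "$tmp/proftpd.conf" "$tmp/rules.open" /dev/null                    # range-open 49152-65534
audit "$tmp/proftpd.conf" "$tmp/rules.closed" "$tmp/iptables-config"     # helper-only 49152-65534
audit "$tmp/proftpd.conf" "$tmp/rules.closed" /dev/null                  # blocked 49152-65534
rm -rf "$tmp"
```

A "helper-only" verdict means passive transfers depend on the conntrack module being loaded at boot, which is the reboot concern raised in the thread.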