
Enable proftpd with PASSIVE MODE !!!!

Discussion in 'Plesk for Linux - 8.x and Older' started by JoaoCorreia, Jun 7, 2005.

  1. JoaoCorreia

    JoaoCorreia Guest

    In proftpd.conf include these lines:

    # Restrict the range of ports from which the server will select when sent the
    # PASV command from a client. Use IANA-registered ephemeral port range of
    # 49152-65534
    PassivePorts 49152 65534

    In your firewall script enable this port range on TCP.
    something like this on

    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT

    Joao Correia
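
The post above only works if the firewall opening and the `PassivePorts` range agree. The check below is an added example, not part of the original thread or of Plesk/ProFTPD; the sample inputs are constructed, and the function names and result labels are assumptions made for illustration.

```python
import re

# Constructed sample inputs for illustration (not from a real server).
PROFTPD_CONF = """\
TimeoutIdle     900
PassivePorts    49152 65534
"""
IPTABLES_RULES = """\
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT
"""

def passive_ports(conf_text):
    """Return (low, high) from the first PassivePorts line, or None.
    Simplification: <VirtualHost>/<Global> contexts are not distinguished."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*PassivePorts\s+(\d+)\s+(\d+)\s*$", line, re.I)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def accepted_tcp_ranges(rules_text):
    """Return [(low, high)] for each TCP ACCEPT rule that has --dport.
    Simplification: source restrictions and rule order are ignored."""
    ranges = []
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines in the rules file
        if "-p tcp" not in line or "-j ACCEPT" not in line:
            continue
        m = re.search(r"--dport\s+(\d+)(?::(\d+))?", line)
        if m:
            low = int(m.group(1))
            ranges.append((low, int(m.group(2) or low)))
    return ranges

def check(conf_text, rules_text):
    """Classify how the firewall opening relates to the PassivePorts range."""
    pasv = passive_ports(conf_text)
    if pasv is None:
        return "no-passiveports"
    ranges = accepted_tcp_ranges(rules_text)
    if pasv in ranges:
        return "ok"            # firewall opens exactly the passive range
    if any(lo <= pasv[0] and pasv[1] <= hi for lo, hi in ranges):
        return "too-wide"      # covered, but more ports open than needed
    return "blocked"           # part of the passive range is not reachable

if __name__ == "__main__":
    print(check(PROFTPD_CONF, IPTABLES_RULES))
```

A "too-wide" result means the firewall exposes ports the FTP daemon will never hand out; "blocked" means passive transfers will fail for some of the ports the daemon may choose.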
  2. hardweb

    hardweb Guest

    You can set up any passive ports you want in proftpd.conf, depending on your firewall. Then you must restart xinetd.
  3. BoXie

    BoXie Guest

    I ALWAYS add these directives to my proftpd.conf. I think Plesk should include them by default.

    # delay on login off (are included on newest Plesk)
    IdentLookups off
    UseReverseDNS off
    # Custom directives
    TimeoutIdle                     900
    TimeoutNoTransfer       900
    PassivePorts                  49152 65534
    TimesGMT                      Off

    Also they should include an option to add port-RANGES in the Firewall module (for the PassivePorts this would be handy too).
  4. CosmicD

    CosmicD Guest

    It's always one of the first things I do when I re-set up my box or install a new version..

    I don't use so many ports for it anyway
  5. philjohn

    philjohn Guest


    ...get with the times, you should be using SFTP over SSH - ftp, of course, sends username and password over the wire unencrypted.

    To make this work, of course, you should install a shell like chmodded rssh (allows sftp and scp only, disallows direct login and command execution), or at a push, Plesk's built-in chmodded bash (but that's a bit riskier).

    It's also a nice side-effect that you don't need to change any configs or open any more ports, it's all done through 22.
  6. BoXie

    BoXie Guest

    Chmodded ????

    You mean chrooted ?

    Plesk already supports nice chrooted SFTP for domains.
  7. perlboy

    perlboy Guest


    modprobe ip_conntrack_ftp

    Seems to allow passive without making a dirty great big hole in one's firewall.

  8. serial-thrilla

    serial-thrilla Guest

    now there's someone who knows a little something about linux
  9. BoXie

    BoXie Guest

    Yeah and don't forget to do this again after a reboot.

    What should be added in /etc/modprobe.conf to automate this ??

    Just a new line with 'ip_conntrack_ftp' ?? Or with 'install' before it or something ?
  10. serial-thrilla

    serial-thrilla Guest

    depends what OS/distro you're using.

    for rhel3, the proper way is to specify it in /etc/sysconfig/iptables-config:

    if you need to load two or more modules, separate them with spaces because the iptables script does a for-in on the IPTABLES_MODULES variable.