Enable proftpd with PASSIVE MODE !!!!

JoaoCorreia

Guest
In proftpd.conf include these lines:

# Restrict the range of ports from which the server will select when sent the
# PASV command from a client. Use IANA-registered ephemeral port range of
# 49152-65534
PassivePorts 49152 65534

In your firewall script, enable this port range on TCP; something like this in
/etc/sysconfig/iptables:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT

Regards
Joao Correia
 
You can set up any passive ports you want in proftpd.conf, depending on your firewall. Then you must restart xinetd.
 
I ALWAYS add these directives to my proftpd.conf. I think Plesk should include them by default.

Code:
# delay on login off (are included on newest Plesk)
IdentLookups off
UseReverseDNS off

# Custom directives
TimeoutIdle        900
TimeoutNoTransfer  900
PassivePorts       49152 65534
TimesGMT           Off

Also they should include an option to add port-RANGES in the Firewall module (for the PassivePorts this would be handy too).
 
It's always one of the first things I do when I re-set up my box or install a new version.

I don't use that many ports for it anyway.
 
Yuck...

...get with the times, you should be using SFTP over SSH - ftp, of course, sends username and password over the wire unencrypted.

To make this work, of course, you should install a shell like chmodded rssh (allows sftp and scp only, disallows direct login and command execution), or at a push, Plesk's builtin chmodded bash (but that's a bit riskier).

It's also a nice side-effect that you don't need to change any configs or open any more ports, it's all done through 22.
 
Chmodded ????

You mean chrooted ?

Plesk already supports nice chrooted SFTP for domains.
 
Umm

modprobe ip_conntrack_ftp

Seems to allow passive without making a dirty great big hole in one's firewall.

Stuart
 
now there's someone who knows a little something about linux
 
Yeah and don't forget to do this again after a reboot.

What should be added in /etc/modprobe.conf to automate this ??

Just a new line with 'ip_conntrack_ftp' ?? Or with 'install' before it or something ?
 
depends what OS/distro you're using.

for rhel3, the proper way is to specify it in /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_ftp"

if you need to load two or more modules, separate them with spaces because the iptables script does a for-in on the IPTABLES_MODULES variable.
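A worked check for the two pieces of advice in this thread: the PassivePorts directive plus a matching firewall rule from the first post, and the ip_conntrack_ftp / IPTABLES_MODULES approach from the last two posts. This is an added shell script, not code posted by anyone in the thread. It reads PassivePorts out of a proftpd.conf, tests whether an iptables-save style rule set accepts that whole TCP range, and otherwise tests whether the FTP conntrack helper is listed in iptables-config. The three input files are constructed samples written to a temporary directory; the function names are mine, and the nf_conntrack_ftp alternative is the helper's module name on newer kernels.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check a proftpd PassivePorts
# directive against the firewall rule set and the conntrack helper setting.
# Function names are my own; the input files below are constructed samples.
set -u

# Print "low high" from the first active PassivePorts directive in a
# proftpd.conf (commented-out lines are ignored). Returns 1 if absent.
passive_range() {
    awk '/^[[:space:]]*PassivePorts[[:space:]]/ { if (!found) print $2, $3; found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Return 0 if an iptables-save style rule set ($1) contains a TCP ACCEPT rule
# whose --dport range covers low..high ($2..$3) entirely.
firewall_covers_range() {
    awk -v lo="$2" -v hi="$3" '
        /-p tcp/ && /-j ACCEPT/ && match($0, /--dport [0-9]+:[0-9]+/) {
            split(substr($0, RSTART + 8, RLENGTH - 8), r, ":")
            if (r[1] + 0 <= lo + 0 && r[2] + 0 >= hi + 0) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# Return 0 if an iptables-config file ($1) lists the FTP conntrack helper in
# IPTABLES_MODULES (ip_conntrack_ftp, or nf_conntrack_ftp on newer kernels).
ftp_helper_configured() {
    mods=$(sed -n 's/^IPTABLES_MODULES="\(.*\)"/\1/p' "$1")
    for m in $mods; do
        case "$m" in
            ip_conntrack_ftp|nf_conntrack_ftp) return 0 ;;
        esac
    done
    return 1
}

# Combine the checks the thread discusses. Returns 0 when passive data
# connections can reach proftpd, 1 when the firewall would drop them.
check_passive_setup() {
    # $1 proftpd.conf, $2 iptables rules, $3 iptables-config
    range=$(passive_range "$1") || { echo "no PassivePorts directive in $1"; return 1; }
    lo=${range%% *}
    hi=${range##* }
    if firewall_covers_range "$2" "$lo" "$hi"; then
        echo "firewall accepts TCP $lo-$hi directly"
    elif ftp_helper_configured "$3"; then
        echo "firewall does not open $lo-$hi, but the FTP conntrack helper admits the data connections"
    else
        echo "passive range $lo-$hi is neither opened nor handled by the conntrack helper"
        return 1
    fi
}

# Constructed sample inputs (not real files from any server).
TMP=$(mktemp -d)
cat > "$TMP/proftpd.conf" <<'EOF'
# PassivePorts 1024 65535   (commented out, must be ignored)
IdentLookups off
PassivePorts 49152 65534
EOF
cat > "$TMP/iptables" <<'EOF'
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 49152:60000 --syn -j ACCEPT
EOF
cat > "$TMP/iptables-config" <<'EOF'
IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_irc"
EOF
printf 'IdentLookups off\n' > "$TMP/proftpd-nopasv.conf"

# With these samples the rule set is narrower than PassivePorts, so the
# verdict rests on the conntrack helper, which is configured.
check_passive_setup "$TMP/proftpd.conf" "$TMP/iptables" "$TMP/iptables-config"
```

The sample firewall deliberately opens only 49152:60000 while PassivePorts goes up to 65534, which is the kind of mismatch the first post's advice leaves open to human error; the script reports that the conntrack helper covers it anyway, which is the point made later in the thread. On a real host you would point the three arguments at /etc/proftpd.conf, the output of iptables-save, and /etc/sysconfig/iptables-config.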
 