
Enable proftpd with PASSIVE MODE !!!!

JoaoCorreia

Guest
In proftpd.conf include these lines:

# Restrict the range of ports from which the server will select when sent the
# PASV command from a client. Use IANA-registered ephemeral port range of
# 49152-65534
PassivePorts 49152 65534

In your firewall script, enable this port range on TCP.
Something like this in
/etc/sysconfig/iptables:


-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT


Regards
Joao Correia
 
You can set up any passive ports you want in proftpd.conf, depending on your firewall. Then you must restart xinetd.
 
I ALWAYS add these directives to my proftpd.conf. I think Plesk should include them by default.

Code:
# delay on login off (already included in newest Plesk)
IdentLookups off
UseReverseDNS off

# Custom directives
TimeoutIdle        900
TimeoutNoTransfer  900
PassivePorts       49152 65534
TimesGMT           Off

Also they should include an option to add port-RANGES in the Firewall module (for the PassivePorts this would be handy too).
 
It's always one of the first things I do when I re-set up my box or install a new version.

I don't use that many ports for it anyway.
 
Yuck...

...get with the times, you should be using SFTP over SSH. FTP, of course, sends the username and password over the wire unencrypted.

To make this work, of course, you should install a shell like chmodded rssh (allows sftp and scp only, disallows direct login and command execution), or at a push, Plesk's built-in chmodded bash (but that's a bit riskier).

It's also a nice side effect that you don't need to change any configs or open any more ports; it's all done through 22.
 
Chmodded????

You mean chrooted?

Plesk already supports nice chrooted SFTP for domains.
 
Umm

modprobe ip_conntrack_ftp

Seems to allow passive without making a dirty great big hole in one's firewall.

Stuart
 
Now there's someone who knows a little something about Linux.
 
Yeah, and don't forget to do this again after a reboot.

What should be added in /etc/modprobe.conf to automate this?

Just a new line with 'ip_conntrack_ftp'? Or with 'install' before it, or something?
 
Depends what OS/distro you're using.

For RHEL 3, the proper way is to specify it in /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_ftp"

If you need to load two or more modules, separate them with spaces, because the iptables script does a for-in over the IPTABLES_MODULES variable.
 
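The two approaches in this thread (a static firewall hole for the PassivePorts range, versus letting the ip_conntrack_ftp helper open the data port dynamically) both hinge on the same thing: the port the server announces in its 227 reply to PASV, encoded as p1*256+p2. The following is an added example, not code from the thread, from Plesk or from proftpd; the proftpd.conf fragment and the 227 replies are constructed, and the function names are my own. It parses the PassivePorts directive, decodes a 227 reply the way a client or the conntrack helper does, checks whether the announced port would be admitted by a static range rule, and emits the iptables rules for each approach.

```python
import re
import ipaddress

# Constructed proftpd.conf fragment (not a real server's config) carrying the
# PassivePorts directive discussed in the thread.
PROFTPD_CONF = """\
# Restrict PASV data ports so the firewall needs only one port-range rule
PassivePorts 49152 65534
TimeoutIdle 900
"""

# Constructed 227 replies as seen on the control channel (RFC 959 format).
# Data port = p1 * 256 + p2.
PASV_REPLY_IN_RANGE = "227 Entering Passive Mode (192,0,2,10,200,23)."   # 200*256+23 = 51223
PASV_REPLY_OUT_OF_RANGE = "227 Entering Passive Mode (192,0,2,10,4,1)."  # 4*256+1 = 1025

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def passive_ports(conf: str) -> tuple[int, int]:
    """Return (low, high) from the PassivePorts directive; raise if absent or invalid."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "passiveports":
            low, high = int(parts[1]), int(parts[2])
            if not (1 <= low <= high <= 65535):
                raise ValueError(f"bad PassivePorts range {low}-{high}")
            return low, high
    raise ValueError("no PassivePorts directive: proftpd may pick any free port")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a 227 reply into (ip, port), as a client or the FTP conntrack helper does."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()[:4]]
    p1, p2 = int(m.group(5)), int(m.group(6))
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("octet out of range in 227 reply")
    ip = str(ipaddress.IPv4Address(".".join(map(str, octets))))
    return ip, p1 * 256 + p2


def data_port_allowed(reply: str, conf: str) -> bool:
    """True if the announced data port lies inside the configured PassivePorts range,
    i.e. a static range rule in the firewall would admit the data connection."""
    low, high = passive_ports(conf)
    _, port = parse_pasv(reply)
    return low <= port <= high


def iptables_rules(conf: str, chain: str = "INPUT") -> list[str]:
    """Static rules for the first post's approach: control port plus the whole range."""
    low, high = passive_ports(conf)
    return [
        f"-A {chain} -p tcp -m tcp --dport 21 --syn -j ACCEPT",
        f"-A {chain} -p tcp -m tcp --dport {low}:{high} --syn -j ACCEPT",
    ]


def conntrack_rules(chain: str = "INPUT") -> list[str]:
    """Rules for the helper approach: no range hole. With ip_conntrack_ftp loaded the
    kernel reads the 227 reply on the control connection and marks the incoming data
    connection RELATED, so only the control port needs an explicit ACCEPT."""
    return [
        f"-A {chain} -p tcp -m tcp --dport 21 --syn -j ACCEPT",
        f"-A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    print("PassivePorts:", passive_ports(PROFTPD_CONF))
    for reply in (PASV_REPLY_IN_RANGE, PASV_REPLY_OUT_OF_RANGE):
        print(parse_pasv(reply), "allowed by static rule:", data_port_allowed(reply, PROFTPD_CONF))
    print("\n".join(iptables_rules(PROFTPD_CONF)))
    print("\n".join(conntrack_rules()))
```

One caveat worth keeping in mind when choosing between the two: the conntrack helper only works because it can read the plaintext 227 reply on port 21. If the control channel is wrapped in TLS (FTPS), the helper sees nothing and you are back to needing the static PassivePorts range in the firewall, which is another argument for the SFTP-over-port-22 suggestion earlier in the thread.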