Configuring FTP Passive port range in cPanel server

FTP uses two ports, a data port and a command port, to transfer information between a client and a server. During a typical active mode session, the command port uses port 21 and the data port uses port 20. When you use passive mode, however, the data port does not always use port 20.

Let's look at what active FTP and passive FTP are.

ACTIVE FTP

In active mode, the FTP server responds to the connection attempt and returns a connection request from a different port to the FTP client. Network Address Translation (NAT) configurations block this connection request.

[Figure: Configuring FTP Passive port range]

In the above figure, a user connects from a random port on a file transfer client to port 21 on the server. It sends the PORT command, specifying what client-side port the server should connect to. This port will be used later on for the data channel and is different from the port used in this step for the command channel.

[Figure: Configuring FTP Passive port range]

In the above figure, the server connects from port 20 to the client port designated for the data channel. Once the connection is established, file transfers are made through these client and server ports.

PASSIVE FTP

In passive mode, the FTP client initiates both connection attempts. NAT configurations do not block this connection request.

[Figure: Configuring FTP Passive port range]

In the above figure, the client connects from a random port to port 21 on the server and issues the PASV command. The server replies, indicating which (random) port it has opened for data transfer. The client connects from another random port to the random port specified in the server’s response. Once the connection is established, data transfers are made through these client and server ports.

How to Enable the passive port range for Pure-FTPd

Log in to your server over SSH as root, open the Pure-FTPd configuration file with the command below, and search for “PassivePortRange”.

[root@chennaihosting ~]# nano /etc/pure-ftpd.conf

. . . .
# Port range for passive connections replies. - for firewalling.
PassivePortRange 30000 45000
. . . .

Modify it as shown above, save the configuration file, and restart the service.

[root@chennaihosting ~]# service pure-ftpd restart

Note: Changes made directly to the /etc/pure-ftpd.conf file will be overwritten any time the configuration file is rebuilt, which could happen during updates. Changes made to the template file are applied when the configuration file is rebuilt, so modify the template as well to keep your changes after a rebuild.

Modify the template file with the command below.

[root@chennaihosting ~]# nano /var/cpanel/conf/pureftpd/main

. . . .
. . . .
MaxLoad: 4
MinUID: 100
NoAnonymous: 'yes'
PassivePortRange: 30000 45000
ProhibitDotFilesRead: 'no'
ProhibitDotFilesWrite: 'no'

. . . . .

After modifying the template, run these commands to rebuild the FTP configuration file with your changes and then restart the FTP service.

[root@chennaihosting ~]# /usr/local/cpanel/bin/build_ftp_conf
[root@chennaihosting ~]# /scripts/restartsrv_ftpd

You can now connect to FTP in passive mode.

Note: Make sure this passive port range is also allowed in CSF. To add the port range, open the CSF configuration file with the command below.

[root@chennaihosting ~]# nano /etc/csf/csf.conf

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,2082,2083,2086,2087,2095,2096,30000:45000"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,30000:45000"

Include the passive port range in both lists and reload CSF.

[root@chennaihosting ~]# csf -r
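
The procedure above puts the same range in three places: the live Pure-FTPd configuration, the cPanel template, and the CSF allow-list. The script below is an added example, not part of the original article or of cPanel or CSF: it checks that the three agree, so a rebuild or a firewall edit does not silently break passive mode. The function names are hypothetical, the sample files are constructed from the article's snippets, and the firewall check assumes the range appears as a single TCP_IN entry.

```sh
#!/bin/sh
# Added example (not from the article): confirm the passive range matches in
# pure-ftpd.conf, the cPanel template, and the CSF TCP_IN allow-list.

# Print "LOW HIGH" from a PassivePortRange line. Handles both the pure-ftpd.conf
# form (no colon) and the template form (with colon); commented lines are ignored.
passive_range() {
  awk '$1 ~ /^PassivePortRange:?$/ { print $2, $3; exit }' "$1"
}

# Succeed if a single TCP_IN entry (port or low:high) in csf.conf ($1)
# covers the whole range $2..$3.
csf_tcp_in_covers() {
  sed -n 's/^TCP_IN[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' "$1" | tr ',' '\n' |
    awk -F: -v lo="$2" -v hi="$3" '
      { a = $1 + 0; b = (NF > 1 ? $2 : $1) + 0 }
      a <= lo && b >= hi { ok = 1 }
      END { exit !ok }'
}

# Args: live config, template, csf.conf. Returns 0 when consistent, else 1-3.
check_passive_ftp() {
  live=$(passive_range "$1"); tmpl=$(passive_range "$2")
  [ -n "$live" ] || { echo "FAIL: no PassivePortRange in $1"; return 1; }
  [ "$live" = "$tmpl" ] || { echo "FAIL: template has '$tmpl', live has '$live'"; return 2; }
  # $live is unquoted on purpose so it splits into LOW and HIGH.
  csf_tcp_in_covers "$3" $live || { echo "FAIL: TCP_IN does not cover $live"; return 3; }
  echo "OK: passive range $live is consistent"
}

# Constructed sample files mirroring the article's snippets, written to dir $1.
write_samples() {
  printf '%s\n' '# Port range for passive connections replies.' \
    'PassivePortRange 30000 45000' > "$1/pure-ftpd.conf"
  printf '%s\n' 'MaxLoad: 4' 'PassivePortRange: 30000 45000' > "$1/main"
  printf '%s\n' 'TCP_IN = "20,21,22,80,443,30000:45000"' > "$1/csf.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_passive_ftp "$demo_dir/pure-ftpd.conf" "$demo_dir/main" "$demo_dir/csf.conf"
rm -rf "$demo_dir"
```

On a real server, pass /etc/pure-ftpd.conf, /var/cpanel/conf/pureftpd/main and /etc/csf/csf.conf to check_passive_ftp instead of the sample files.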

Hope this article helps you. Share your comments to improve us.
