Applicable to:
- Plesk for Linux
Question
How to configure the passive ports range for ProFTPd on a server behind a firewall?
Answer
Note: When configuring the passive port range, the selected port range must lie in the non-privileged range (that is, 1024 or higher). It is strongly recommended that the chosen range be large enough to handle many simultaneous passive connections. The default passive port range is 49152-65535 (the IANA registered ephemeral port range).
1. Connect to the server via SSH.
2. Run the command below to check whether the passive port range is configured in the FTP server:
# sed -n '/\<Global/,/\/Global/p' /etc/proftpd.conf /etc/proftpd.d/* | grep PassivePorts
If the command returns output like the following, the passive port range is already set up in the ProFTPD configuration. Continue to step 3.
CONFIG_TEXT: PassivePorts 49152 65535
If no output is returned, configure the passive port range:
2.1. Create the /etc/proftpd.d/55-passive-ports.conf file using the following command:
# touch /etc/proftpd.d/55-passive-ports.conf
2.2. Open the /etc/proftpd.d/55-passive-ports.conf file in a text editor. In this example, we use the vi editor:
# vi /etc/proftpd.d/55-passive-ports.conf
2.3. Paste the content below into the file:
CONFIG_TEXT: <Global>
PassivePorts 49152 65535
</Global>
2.4. Save the changes and close the file.
3. Enable the kernel modules in the system:
Note: Actions that involve kernel module configuration should be performed on a physical server or a virtual machine with full hardware emulation. If a VZ container is used, the same actions should be performed on the hardware node where this VZ container is running.
3.1. Enable the nf_conntrack_ftp module:
# /sbin/modprobe nf_conntrack_ftp
3.2. If the server is behind NAT (a private IP address is configured in the system), enable the nf_nat_ftp kernel module as well:
# /sbin/modprobe nf_nat_ftp
3.3. Verify the changes:
# lsmod | grep nf_nat_ftp
nf_nat_ftp 16384 0
nf_conntrack_ftp 20480 1 nf_nat_ftp
nf_nat 32768 1 nf_nat_ftp
nf_conntrack 131072 3 nf_conntrack_ftp,nf_nat_ftp,nf_nat
3.4. To keep the changes after a system reboot, apply these steps:
- Add the modules to the /etc/modules-load.d/modules.conf file with these commands:
# echo nf_nat_ftp >> /etc/modules-load.d/modules.conf
# echo nf_conntrack_ftp >> /etc/modules-load.d/modules.conf
- On CentOS/RHEL-based distributions, also add the modules to the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file, as follows:
# cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"
4. Restart the xinetd service to apply the changes:
# service xinetd restart
5. Open the passive port range in the firewall:
Note: If there is an intermediate firewall between the Plesk server and the Internet, make sure that the passive port range is allowed in its configuration as well. Contact your Internet Service Provider for assistance.
To open the ports in a local firewall, follow these steps:
Opening the passive port range using Plesk Firewall
Note: If Plesk Firewall is not installed, use this installation guide.
1. Log in to Plesk, go to Tools & Settings > Firewall and click Enable Firewall Rules Management.
2. Once Firewall Rules Management is enabled, look for the FTP server passive ports rule. If the rule exists, you are ready to go.
Note: In Plesk Onyx 17.8 installations that were not upgraded from previous versions, the FTP server passive ports rule is already installed. Just make sure that this rule is enabled.
If the rule does not exist, create it:
2.1. Click Modify Plesk Firewall Rules.
2.2. Click Add Custom Rule.
2.3. Configure the rule:
- Rule name: FTP server passive ports
- Match direction: Incoming
- Action: Allow
- In the Add port or port range field, specify the configured passive port range 49152-65535 and select the TCP option.
2.4. Click OK to create the rule.
2.5. Next, click Apply Changes.
Opening the passive port range via the command-line interface
- On CentOS/RHEL-based distributions:
# iptables -I INPUT 1 -p tcp --dport=49152:65535 -j ACCEPT
# service iptables save
- On Debian/Ubuntu-based distributions:
# iptables -I INPUT 1 -p tcp --dport=49152:65535 -j ACCEPT
# iptables-save > /etc/iptables/rules.v4
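As an added example that is not part of the Plesk article, the following POSIX shell script ties steps 2 and 5 together: it extracts the PassivePorts range from a ProFTPD drop-in file the way the sed check above does, verifies that the range is non-privileged and well-formed, and confirms that an iptables-save dump contains an INPUT ACCEPT rule for exactly that TCP range. The function names are my own, and the sample config and rules dump are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Plesk article: check that the ProFTPD passive
# port range is configured, non-privileged and opened in iptables.
# The sample config and iptables-save dump below are constructed for the demo.

# Print "low high" from the PassivePorts directive inside <Global>.
# Same idea as the article's sed/grep check; prints nothing if unset.
passive_range() {
    sed -n '/<Global>/,/<\/Global>/p' "$1" \
        | awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# 0 when both ends are numeric, low >= 1024 (non-privileged), low <= high <= 65535.
range_is_valid() {
    case "$1:$2" in *[!0-9:]*|:*|*:) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ]
}

# 0 when an iptables-save dump has an INPUT ACCEPT rule for tcp dport low:high.
firewall_allows() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2:$3 .*-j ACCEPT" "$1"
}

# Combined check: ProFTPD config file and iptables-save dump as arguments.
check_passive_setup() {
    range=$(passive_range "$1")
    [ -n "$range" ] || { echo "PassivePorts is not configured"; return 1; }
    low=${range% *}; high=${range#* }
    range_is_valid "$low" "$high" || { echo "invalid range $low-$high"; return 1; }
    firewall_allows "$2" "$low" "$high" \
        || { echo "firewall does not accept TCP $low:$high"; return 1; }
    echo "passive range $low-$high is configured and allowed"
}

# Constructed drop-in, as step 2.3 of the article creates it.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<Global>
PassivePorts 49152 65535
</Global>
EOF

# Constructed iptables-save dump with the rule from step 5 at the top of INPUT.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT
COMMIT
EOF
check_passive_setup "$SAMPLE_CONF" "$SAMPLE_RULES"
```

On a live server, pass /etc/proftpd.d/55-passive-ports.conf and the output of iptables-save instead of the constructed samples.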
Comments
20 comments
Hello, I've followed this article step by step, but I still receive this error:
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (..............................).
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Hello,
I recommend that you double-check the firewall (that it is configured to allow the whole range of passive ports).
If you are sure that the firewall allows connections to the passive ports, please contact our support at
https://support.plesk.com/hc/en-us/requests/new
Hi @Konstantin!
I have the Plesk WEB ADMIN EDITION and haven't installed any third party Firewall. My server is on Digital Ocean and there is no Firewall installed as well. What other firewall could generate the problem?
Thanks
Simeon,
Let's confirm if it is a firewall or not. Please perform the following:
On the server:
1. Install the netcat utility for troubleshooting:
# yum install nc
2. Launch the utility with the -l option to start listening on a specific port (from the passive FTP port range):
# nc -l 57001
3. Try to connect to the server using the telnet utility from an external machine (from your local machine, for example):
# telnet <server IP> 57001
If the connection is successful, all the text you type in the telnet session will be transferred to the remote host.
If the connection is not successful, it means that there is a firewall between the server and the client.
Can you share the results of this troubleshooting?
You are right, the output is this:
Connecting To <server IP>...Could not open connection to the host, on port 57001: Connect failed
I've installed PLESK on my Digital Ocean Droplet using the One-Click installer operation described here: https://support.plesk.com/hc/en-us/articles/213928265-How-to-install-Plesk-on-Digital-Ocean-cloud-infrastructure-instance-
I have not installed any Firewall in Plesk and in my Digital Ocean account.
Does this mean that the One-Click installer installs a firewall anyway?
In this case, what should I do to make the passive ports work?
Thank you
Simeon,
Yes, we confirmed that the cause is a firewall.
Could you please check several points:
1. Have you configured the firewall in Digital Ocean to open the needed range of ports? An introduction to the DO firewall is described here:
https://www.digitalocean.com/community/tutorials/an-introduction-to-digitalocean-cloud-firewalls
2. Do you have plesk-firewall installed?
# rpm -qa | grep psa | grep fire
psa-firewall-17.5.3-cos7.build1705170317.16.x86_64
3. If Plesk firewall is installed, you can configure it under Plesk > Tools&Settings > Firewall
4. If Plesk Firewall is not installed, please check iptables on the server:
# iptables -L
If there are rules inside, you need to add a rule that accepts packets coming to the passive ports, with a command like this:
# iptables -A INPUT -p tcp --match multiport --dports 57000:58000 -j ACCEPT
Hi Konstantin:
1) No, I have no firewall configured on my Digital Ocean account for the server droplet.
2) No, I have no plesk-firewall installed on the server. The command you suggested returns empty result.
3) I don't have such an option inside my Plesk > Tools&Settings page
4) Yes, the command returns me a list of rules
5) I've already done this following the article steps. I've done it again, but when I listen on the port with the command you suggested and try to connect via telnet from my local computer, there is still a Connect failed response.
My PLESK is installed on a CentOS 7 OS, and the command # firewall-cmd --get-active-zones returns "FirewallD is not running" as well.
Hello Simeon,
The connection may be blocked by an intermediate firewall (such as a firewall on a network router or an Internet provider firewall).
Please review the entire network route from the source machine to the target server and ensure that there is no firewall blocking the passive port range (TCP 57000-58000).
In addition, since firewalld is disabled on the server with CentOS 7, please ensure that the iptables rules are saved after a server reboot.
Please refer to the article:
https://support.plesk.com/hc/en-us/articles/115000497953-Iptables-rules-get-reset-after-server-reboot-on-CentOS-7
Hello Alexandr,
I was not able to make it work, but when I activated SSH access for the FTP user and used SFTP instead of FTP, it works... I think there is some problem with the insecure FTP port or something like that...
@Simeon, as for SFTP, it works because it uses the SSH port. As for the passive ports, I would recommend that you contact your service provider's support to find the cause and rectify the issue.
The modules didn't load after a server reboot.
After executing these commands they loaded correctly after a reboot:
More info:
https://unix.stackexchange.com/questions/240044/on-centos7-firewalld-overwrite-iptables-modules
@Stephan van Heest
Thank you for additional information, the article has been updated.
Where in Ubuntu?
Hello @Elkadiri Abdellah,
Could you please specify the Ubuntu version and what issue you have with the passive FTP configuration?
In general, the configuration process from the article is valid for Ubuntu.
It works for me, thanks :)
Hello,
It worked for me (VZ container) without part 3.
The command
/sbin/modprobe nf_conntrack_ftp
caused the error
"modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/4.4.0-042stab134.8/modules.builtin.bin'
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/4.4.0-042stab134.8"
So, the problem was solved without part 3.
# service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
Hello Pedro Telmo,
You must install the iptables-services package first:
Since this is to manage the firewall manually and not through Plesk.
This worked perfectly for me. FTP is now working as expected.
Hi Kuzma Ivanov,
Thanks for the article.
Allowing the port range via the CLI should appear in the top CLI section, as it breaks the Plesk article conventions.