
How to Enable FTP Passive Mode

Posted by root, 6 years ago (2020-09-12), in linux; 2052 views.

Overview

This document explains how to use the active or passive mode to connect to a File Transfer Protocol (FTP) server.

Important:

In cPanel & WHM version 60 and later, the system enables passive ports 49152 through 65534 for Pure-FTPd servers and ProFTPd servers by default. If you use the CSF firewall plugin, the system also adds passive port ranges to your server’s firewall by default. If you use the IPTABLES or firewalld applications for your firewall, you must enable firewall settings for the passive ports manually. For more information about firewalls, read our How to Configure Your Firewall for cPanel & WHM Services documentation.

Active and passive mode sessions

FTP uses a data port and a command port to transfer information between a client and a server. During a typical active mode session, the command port uses port 21 and the data port uses port 20. When you use a passive mode session, however, the data port does not always use port 20.

Active

In active mode, the FTP server responds to the connection attempt and returns a connection request from a different port to the FTP client. Network Address Translation (NAT) configurations block this connection request.

[Figure: Active FTP]

[Figure: Active FTP (with firewall)]

The firewall blocks the server’s attempt to communicate with the client because the server uses a different port than the first connection.

Passive

In passive mode, the FTP client initiates both connection attempts. NAT configurations do not block this connection request.

[Figure: Passive FTP (with firewall)]

The firewall does not block the server’s attempt to communicate with the client because the client initiated the communication both times.

Note: If FTP users exist on the private network side of a NAT configuration, you must enable FTP’s passive mode, and open the passive port range in your FTP server’s configuration file. You may also need to open the passive port range on your firewall.
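The reason NAT breaks FTP is that the address and port of the data connection travel inside the control channel: the client's PORT command in active mode and the server's 227 reply in passive mode both carry them as six decimal octets h1,h2,h3,h4,p1,p2 (RFC 959). The Python below is an added example, not part of the cPanel documentation: it decodes that tuple and checks a 227 reply against the public IP you would set in ForcePassiveIP or MasqueradeAddress and the default 49152-65534 passive range. Function names, sample replies and addresses are constructed for illustration; only IPv4 is handled.

```python
import ipaddress
import re

# Default passive port range that cPanel enables for Pure-FTPd and ProFTPd.
PASSIVE_PORT_RANGE = (49152, 65534)

# RFC 1918 and loopback space: an address from here inside a PORT command or a
# 227 reply is the classic sign of FTP's in-band addressing meeting NAT.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# The client's PORT command (active mode) and the server's 227 reply (passive
# mode) both encode address and port as h1,h2,h3,h4,p1,p2; port = p1*256 + p2.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 reply; ValueError if malformed."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def check_passive_reply(reply, expected_public_ip, port_range=PASSIVE_PORT_RANGE):
    """List why a client outside the NAT could not use this 227 reply ([] = usable).

    expected_public_ip is the address you would put in ForcePassiveIP (Pure-FTPd)
    or MasqueradeAddress (ProFTPd); port_range is what the firewall has opened.
    """
    if not reply.startswith("227"):
        return ["not a 227 'Entering Passive Mode' reply: %r" % reply]
    ip, port = decode_hostport(reply)
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in _PRIVATE_NETS):
        # The server answered with its own private address: ForcePassiveIP /
        # MasqueradeAddress was never set, so NAT did not hide the internal IP.
        problems.append("advertised address %s is private, not the public IP" % ip)
    elif ip != expected_public_ip:
        problems.append("advertised address %s differs from public IP %s"
                        % (ip, expected_public_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the opened range %d-%d" % (port, lo, hi))
    return problems
```

A reply such as `227 Entering Passive Mode (192,168,1,10,195,80)` captured with a packet sniffer on the client is the quickest confirmation that the server is advertising its private address.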

Configure FTP servers

The sections below explain how to edit the default configurations for a Pure-FTPd server and a ProFTPd server.

Note:

  • A local file contains your desired settings, which override any default settings from the main file.

  • The system enables passive ports 49152 through 65534 for Pure-FTPd servers and ProFTPd servers by default.

Pure-FTPd servers

To edit the FTP configuration for a PureFTP server, perform the following steps:

  1. Log in to the server as the root user via SSH.

  2. Open the /var/cpanel/conf/pureftpd/local file, if it already exists, with a text editor. If it does not already exist, create the /var/cpanel/conf/pureftpd/local file.

  3. Add the desired changes to the file. If your FTP server exists behind a NAT configuration, set the ForcePassiveIP option to the FTP server’s public IP address, as in the following example:

    ForcePassiveIP: 203.0.113.0

    If your server does not exist in a NAT configuration, set the ForcePassiveIP option to the following entry:

    ForcePassiveIP: ~

    Important: Only one ForcePassiveIP entry can exist in a configuration file.

  4. If you want to change your server’s default passive port range, run the following commands:

    echo "PassivePortRange: 49152 65534" >> /var/cpanel/conf/pureftpd/local
    /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

  5. Configure your server to allow the passive port range to pass through the firewall. To do this, follow the directions in the Configure the firewall section below.

  6. Restart the PureFTP service with the following command:

    /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

ProFTPd servers

To edit the FTP configuration for a ProFTPd server, perform the following steps:

  1. Log in to the server as the root user via SSH.

  2. Open the /var/cpanel/conf/proftpd/local file, if it already exists, with a text editor. If it does not already exist, create the /var/cpanel/conf/proftpd/local file.

  3. Add the desired changes to the file. If your FTP server exists behind a NAT configuration, set the MasqueradeAddress option to the FTP server’s public IP address, as in the following example:

    MasqueradeAddress: 203.0.113.0

    If your server does not exist in a NAT configuration, set the MasqueradeAddress option to the following entry:

    MasqueradeAddress: ~

    Important: Only one MasqueradeAddress entry can exist in a configuration file.

  4. If you want to change your server’s default passive port range, run the following commands:

    echo "PassivePorts: 49152 65534" >> /var/cpanel/conf/proftpd/local
    /usr/local/cpanel/scripts/setupftpserver proftpd --force

  5. Configure your server to allow the passive port range to pass through the firewall. To do this, follow the directions in the Configure the firewall section below.

  6. Restart the ProFTP service with the following command:

    /usr/local/cpanel/scripts/setupftpserver proftpd --force

Configure the firewall

Note: The system enables passive ports 49152 through 65534 for Pure-FTPd servers and ProFTPd servers by default.

You may need to add your FTP server’s passive port range to the firewall manually.

CSF

If you use the CSF plugin to manage your server’s firewall, open the /etc/csf/csf.conf file, and confirm that the passive port range exists at the end of the TCP_IN line. The system adds your FTP server’s passive port range to the firewall by default. For more information about how to install and use CSF, visit the CSF website.
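The manual check above (is the passive range really in TCP_IN?) is easy to get wrong when the range is split across entries or hidden inside a wider one. The Python below is an added example, not CSF's or cPanel's code: it parses the TCP_IN line of a csf.conf text (comma-separated ports, a:b ranges) and reports which parts of the 49152-65534 passive range are still closed. The csf.conf fragment and function names are constructed for illustration.

```python
import re

# Passive range that cPanel enables for Pure-FTPd and ProFTPd by default.
PASSIVE_PORT_RANGE = (49152, 65534)

# Constructed csf.conf fragment for this example; a real file has many more keys.
SAMPLE_CSF_CONF = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,49152:65534"
'''


def parse_port_list(spec):
    """Turn a CSF port list such as "21,22,49152:65534" into sorted (lo, hi) pairs."""
    intervals = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition(":")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port entry %r" % item)
        intervals.append((lo, hi))
    return sorted(intervals)


def passive_range_gaps(conf_text, port_range=PASSIVE_PORT_RANGE):
    """Return the (lo, hi) sub-ranges of port_range that TCP_IN leaves closed ([] = all open)."""
    m = re.search(r'^\s*TCP_IN\s*=\s*"([^"]*)"', conf_text, re.MULTILINE)
    if not m:
        raise ValueError("no TCP_IN line found")
    # Merge overlapping or adjacent entries so "49152:60000,60001:65534" counts as one.
    merged = []
    for lo, hi in parse_port_list(m.group(1)):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    # Sweep the wanted range and record every stretch no merged entry covers.
    want_lo, want_hi = port_range
    gaps, cursor = [], want_lo
    for lo, hi in merged:
        if hi < cursor:
            continue
        if lo > want_hi:
            break
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = hi + 1
    if cursor <= want_hi:
        gaps.append((cursor, want_hi))
    return gaps
```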

IPTABLES

If you use the IPTABLES application for your FTP server’s firewall, perform the following steps to add the passive port range to your server’s firewall:

  1. Install the IPTABLES application if it does not already exist on your server. To do this, run the following command:

    yum install iptables-services

  2. Add the IPTABLES entry and save it to the /etc/sysconfig/iptables file with the following commands:

    iptables -I INPUT -p tcp --dport 49152:65534 -j ACCEPT
    service iptables save

firewalld

If you use the firewalld application for your CentOS 7, CloudLinux™ 7, or Red Hat® Enterprise Linux (RHEL) 7 server, run the following commands to add the passive port range to your server’s firewall:

    firewall-cmd --permanent --zone=public --add-service=ftp
    firewall-cmd --permanent --add-port=49152-65534/tcp
    firewall-cmd --reload

SolusVM and Xen

If you use SolusVM and Xen® on a CloudLinux™ server, you may experience problems with Passive FTP. These problems may resemble a firewall or other connection issue, even when no firewall exists.

To resolve these issues, perform the following steps:

  1. Replace the IPTABLES_MODULES=ip_conntrack_netbios_ns line in the /etc/sysconfig/iptables-config file on the VPS node with the following line:

    IPTABLES_MODULES=ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT

  2. Run the service iptables restart command to restart the iptables service.

Troubleshoot FTP passive mode

If your NAT-configured server cannot execute Passive FTP connections to other IP addresses on the server, perform either of the following actions:

  • In cPanel & WHM version 66 and later, set the ForcePassiveIP option with a tilde (~) character. The system interprets this character as an undefined directive and prevents automatic changes to the /etc/pure-ftpd.conf or /etc/proftpd.conf files.

  • In cPanel & WHM version 64 and earlier, follow the directions in our Passive FTP and NAT Configuration Temporary Workaround documentation.

from https://docs.cpanel.net/knowledge-base/ftp/how-to-enable-ftp-passive-mode/

Copyright notice: this article was published by 一叶知秋; please credit the source when republishing.

Link to this article: https://zhiqiu.top/?id=4
