How to configure the passive ports range for ProFTPd on a Plesk server behind a firewall

Question

How to configure the passive ports range for ProFTPd on a server behind a firewall?

Answer

Note: When configuring the passive port range, a selected port range must be in the non-privileged range (e.g., greater than or equal to 1024). It is strongly recommended that the chosen range should be large enough to handle many simultaneous passive connections. The default passive port range is 49152-65535 (the IANA registered ephemeral port range).

1. Connect to a server via SSH.

2. Run the command below to check if the passive port range is configured in the FTP server:

   # sed -n '/<Global/,//Global/p' /etc/proftpd.conf /etc/proftpd.d/* | grep PassivePorts

   If the command returns the same output as below, the passive port range is set up in ProFTPd configuration. Continue to step 3.

   PassivePorts 49152 65535

   If no output is returned, configure the passive port range:

   2.1. Create the /etc/proftpd.d/55-passive-ports.conf file using the following command:

   # touch /etc/proftpd.d/55-passive-ports.conf

   2.2. Open the /etc/proftpd.d/55-passive-ports.conf file in a text editor. In this example, we use the vi editor:

   # vi /etc/proftpd.d/55-passive-ports.conf

   2.3. Paste the content below in the file:

   <Global>
   PassivePorts 49152 65535
   </Global>

   2.4. Save the changes and close the file.

3. Enable the kernel modules in the system:

   Note: Actions that involves kernel modules configuration should be performed on a physical or a virtual machine with full hardware emulation. If a VZ container is used, the same actions should be performed on a hardware node where this VZ container is running.

   3.1. Enable the nf_conntrack_ftp module:

   # /sbin/modprobe nf_conntrack_ftp

   3.2. If the server is behind the NAT (private IP address is configured in the system), enable the kernel nf_nat_ftp module as well:

   # /sbin/modprobe nf_nat_ftp

   3.3. Verify the changes:

   # lsmod | grep nf_nat_ftp
   nf_nat_ftp 16384 0
   nf_conntrack_ftp 20480 1 nf_nat_ftp
   nf_nat 32768 1 nf_nat_ftp
   nf_conntrack 131072 3 nf_conntrack_ftp,nf_nat_ftp,nf_nat

   3.4. To keep the changes after a system reboot, apply these steps:

   • Add the modules to the /etc/modules-load.d/modules.conf file with these commands:

     # echo nf_nat_ftp >> /etc/modules-load.d/modules.conf
     # echo nf_conntrack_ftp >> /etc/modules-load.d/modules.conf

   • On CentOS/RHEL-based distributions, add the modules to the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file as follows:

     # cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
     IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"

4. Restart the xinetd service to apply changes:

   # service xinetd restart

5. Open the passive ports range in a firewall:

   Note: If there is an intermediate firewall between a Plesk server and the Internet, make sure that the passive port range is allowed in its configuration as well. Contact your Internet Service Provider for assistance.

   To open the ports in a local firewall, follow these steps:

    

   Opening the passive port range using Plesk Firewall

    

   Note: If Plesk Firewall is not installed, use this installation guide.

   1. Log in to Plesk and go to Tools…