{"id":558,"date":"2021-07-23T12:32:51","date_gmt":"2021-07-23T12:32:51","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/how-to-enable-ftp-passive-mode\/"},"modified":"2021-07-23T12:32:51","modified_gmt":"2021-07-23T12:32:51","slug":"how-to-enable-ftp-passive-mode","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/how-to-enable-ftp-passive-mode\/","title":{"rendered":"How to Enable FTP Passive Mode"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Overview<\/h2>\n

This document explains how to use the active or passive mode to connect to a File Transfer Protocol (FTP) server.<\/p>\n

\n
Important:<\/div>\n
\n

In cPanel & WHM version 60 and later, the system enables passive ports 49152<\/code> through 65534<\/code> for Pure-FTPd servers and ProFTPD servers by default. If you use the CSF firewall plugin, the system also<\/strong> adds passive port ranges to your server\u2019s firewall by default.<\/p>\n

If you use the nftables<\/code>, firewalld<\/code>, or iptables<\/code> applications for your firewall, you must<\/strong> enable firewall settings for the passive ports manually. For more information about firewalls, read our How to Configure Your Firewall for cPanel & WHM Services documentation.<\/p>\n<\/p><\/div>\n<\/div>\n

Active and passive mode sessions<\/h2>\n

FTP uses a data port and a command port to transfer information between a client and a server. During a typical active mode session, the command port uses port 21<\/code> and the data port uses port 20<\/code>. When you use a passive mode session, however, the data port does not always use port 20<\/code>.<\/p>\n

Active<\/h3>\n

In active mode, the FTP server responds to the connection attempt and returns a connection request from a different port to the FTP client. Network Address Translation (NAT) configurations block this connection request.<\/p>\n

\n \"Active
\n

Active FTP<\/em><\/p>\n<\/figcaption><\/figure>\n

\n \"Active
\n

Active FTP (with firewall)<\/em><\/p>\n<\/figcaption><\/figure>\n

The firewall blocks the server\u2019s attempt to communicate with the client because the server uses a different port than the first connection.<\/p>\n

Passive<\/h3>\n

In passive mode, the FTP client initiates both<\/strong> connection attempts. NAT configurations do not<\/strong> block this connection request.<\/p>\n

\n \"Passive
\n

Passive FTP (with firewall)<\/em><\/p>\n<\/figcaption><\/figure>\n

The firewall does not<\/strong> block the server\u2019s attempt to communicate with the client because the client initiated the communication both times.<\/p>\n

\n
Note:<\/div>\n
\n If FTP users exist on the private network side of a NAT configuration, you must<\/strong> enable FTP\u2019s passive mode, and open the passive port range in your FTP server\u2019s configuration file. You may also need to open the passive port range on your firewall.\n <\/div>\n<\/div>\n

Configure FTP servers<\/h2>\n

The sections below explain how to edit the default configurations for a Pure-FTPd server and a ProFTPD server.<\/p>\n

\n
Note:<\/div>\n
\n
    \n
  • A local file contains your desired settings which overwrite<\/strong> any default settings from the main file.<\/li>\n
  • The system enables passive ports 49152<\/code> through 65534<\/code> for Pure-FTPd servers and ProFTPD servers by default.<\/li>\n<\/ul><\/div>\n<\/div>\n

    Pure-FTPd servers<\/h3>\n

    To edit the FTP configuration for a PureFTP server, perform the following steps:<\/p>\n

      \n
    1. Log in to the server as the root<\/code> user via SSH.<\/li>\n
    2. Open the \/var\/cpanel\/conf\/pureftpd\/local<\/code> file, if it already exists, with a text editor. If it does not already exist, create the \/var\/cpanel\/conf\/pureftpd\/local<\/code> file.<\/li>\n
    3. Add the desired changes to the file. If your FTP server exists behind a NAT configuration, set the ForcePassiveIP<\/code> option to the FTP server\u2019s public IP address, as in the following example:\n
      \n
      ForcePassiveIP: 203<\/span>.0.113.0<\/code><\/pre>\n<\/div>\n
      If your server does not exist in a NAT configuration, set the ForcePassiveIP<\/code> option to the following entry:<\/p>\n
      \n
      ForcePassiveIP: ~<\/code><\/pre>\n<\/div>\n
      \n
      Important:<\/div>\n
      \n        Only one ForcePassiveIP<\/code> entry can exist in a configuration file.\n    <\/div>\n<\/div>\n<\/li>\n
    4. If you want to change your server\u2019s default passive port range, run the following commands:\n
      \n
      \n\n\n
      \n
      1\n<\/span>2\n<\/span><\/code><\/pre>\n<\/td>\n
      		\n
      echo \"PassivePortRange: 49152 65534\" >> \/var\/cpanel\/conf\/pureftpd\/local\n\/usr\/local\/cpanel\/scripts\/setupftpserver pure-ftpd --force <\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<\/li>\n
    5. Configure your server to allow the passive port range to pass through the firewall. To do this, follow the directions in the Configure the firewall section below.<\/li>\n
    6. Restart the PureFTP service with the following command:\n
      \n
      \/usr\/local\/cpanel\/scripts\/setupftpserver pure-ftpd --force<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
      ProFTPD servers<\/h3>\n
      To edit the FTP configuration for a ProFTPD server, perform the following steps:<\/p>\n
        \n
      1. Log in to the server as the root<\/code> user via SSH.<\/li>\n
      2. Open the \/var\/cpanel\/conf\/proftpd\/local<\/code> file, if it already exists, with a text editor. If it does not already exist, create the \/var\/cpanel\/conf\/proftpd\/local<\/code> file.<\/li>\n
      3. Add the desired changes to the file. If your FTP server exists behind a NAT configuration, set the MasqueradeAddress<\/code> option to the FTP server\u2019s public IP address, as in the following example:\n
        \n
        MasqueradeAddress: 203<\/span>.0.113.0<\/code><\/pre>\n<\/div>\n
        If your server does not<\/strong> exist in a NAT configuration, set the MasqueradeAddress<\/code> option to the following entry:<\/p>\n
        \n
        MasqueradeAddress: ~<\/code><\/pre>\n<\/div>\n
        \n
        Important:<\/div>\n
        \n        Only one<\/strong> MasqueradeAddress<\/code> entry can exist in a configuration file.\n    <\/div>\n<\/div>\n<\/li>\n
      4. If you want to change your server\u2019s default passive port range, run the following commands:\n
        \n
        \n\n\n
        \n
        1\n<\/span>2\n<\/span><\/code><\/pre>\n<\/td>\n
        		\n
        echo \"PassivePorts: 49152 65534\" >> \/var\/cpanel\/conf\/proftpd\/local\n\/usr\/local\/cpanel\/scripts\/setupftpserver proftpd --force <\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<\/li>\n
      5. Configure your server to allow the passive port range to pass through the firewall. To do this, follow the directions in the Configure the firewall section below.<\/li>\n
      6. Restart the ProFTP service with the following command:\n
        \n
        \/usr\/local\/cpanel\/scripts\/setupftpserver proftpd --force<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
        Configure the firewall<\/h3>\n
        \n
        Note:<\/div>\n
        \n        The system enables passive ports 49152<\/code> through 65534<\/code> for Pure-FTPd servers and ProFTPD servers by default.\n    <\/div>\n<\/div>\n
        You may need to add your FTP server\u2019s passive port range to the firewall manually.<\/p>\n
        ConfigServer Security & Firewall<\/h3>\n
        If you use the ConfigServer Security & Firewall (CSF) plugin to manage your server\u2019s firewall, open the \/etc\/csf\/csf.conf<\/code> file, and confirm that the passive port range exists at the end of the TCP_IN<\/code> line. The system adds your FTP server\u2019s passive port range to the firewall by default. For more information about how to install and use CSF, visit the CSF website.<\/p>\n
        nftables<\/h3>\n
        If you use the nftables<\/code> framework for your CentOS 8, AlmaLinux 8, or CloudLinux 8 server, run the following commands to add the passive port range to your server\u2019s firewall:\n<\/p>\n
        \n
        \n\n\n
        \n
        1\n<\/span>2\n<\/span><\/code><\/pre>\n<\/td>\n
        		\n
        nft add rule filter INPUT tcp dport 49152-65534 accept\nnft -s list ruleset | tee \/etc\/sysconfig\/nftables.conf # to save the ruleset post reboot<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
        You will find the nftables<\/code> ruleset for your server in the \/etc\/sysconfig\/nftables.conf<\/code> file.<\/p>\n
        \n
        Warning:<\/div>\n
        \n
        cPanel & WHM version 92 for CentOS 8 and CloudLinux 8 is experimental<\/strong> software and we do not<\/strong> recommend using it in production environments. For more information, read our cPanel & WHM version 92 for CentOS 8 documentation.<\/p>\n
        Upgrade to a later version of cPanel & WHM to use CentOS 8 and CloudLinux 8 in production environments.<\/p>\n<\/p><\/div>\n<\/div>\n
        firewalld<\/h3>\n
        If you use the firewalld<\/code> application for your CentOS 7, CloudLinux\u2122 7, or Red Hat\u00ae Enterprise Linux (RHEL) 7 server, run the following commands to add the passive port range to your server\u2019s firewall:\n<\/p>\n
        \n
        \n\n\n
        \n
        1\n<\/span>2\n<\/span>3\n<\/span><\/code><\/pre>\n<\/td>\n
        		\n
        firewall-cmd --permanent --zone=public --add-service=ftp\nfirewall-cmd --permanent --add-port=49152-65534\/tcp\nfirewall-cmd --reload<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
        iptables<\/h3>\n
        \n
        Important:<\/div>\n
        \n
        Red Hat Enterprise Linux 8 deprecated the iptables<\/code> utility. While cPanel, L.L.C. does not support this version of RHEL, this change affects all cPanel-supported operating systems. We recommend the nftables<\/code> utility for servers that run CentOS 8, AlmaLinux 8, or CloudLinux 8. For servers that run CentOS 7, CloudLinux 7, or RHEL 7, we recommend that you use the firewalld<\/code> utility.<\/p>\n
        \n
        Warning:<\/div>\n
        \n
        cPanel & WHM version 92 for CentOS 8 and CloudLinux 8 is experimental<\/strong> software and we do not<\/strong> recommend using it in production environments. For more information, read our cPanel & WHM version 92 for CentOS 8 documentation.<\/p>\n
        Upgrade to a later version of cPanel & WHM to use CentOS 8 and CloudLinux 8 in production environments.<\/p>\n<\/p><\/div>\n<\/div><\/div>\n<\/div>\n
        If you use the iptables<\/code> application for your FTP server\u2019s firewall, perform the following steps to add the passive port range to your server\u2019s firewall:<\/p>\n
          \n
        1. Install the iptables-services<\/code> package if it does not already exist on your server. This package provides the iptables<\/code> and ip6tables<\/code> services, which are not included in the iptables<\/code> application. To install this package, run the following command:\n
          \n
          yum install iptables-services<\/code><\/pre>\n<\/div>\n<\/li>\n
        2. Run the following commands to add the rules to the firewall and save the configuration:\n
          \n
          \n\n\n
          \n
          1\n<\/span>2\n<\/span><\/code><\/pre>\n<\/td>\n
          		\n
          iptables -I INPUT -p tcp --dport 49152:65534 -j ACCEPT\nservice iptables save<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<\/li>\n<\/ol>\n
          SolusVM and Xen<\/h2>\n
          If you use SolusVM and Xen\u00ae on a CloudLinux\u2122 server, you may experience problems with Passive FTP. These problems may resemble a firewall or other connection issue, even when no firewall exists.<\/p>\n
          To resolve these issues, perform the following steps:<\/p>\n
            \n
          1. Replace the IPTABLES_MODULES= ip_conntrack_netbios_ns<\/code> line in the \/etc\/sysconfig\/iptables-config<\/code> file on the VPS node with the following line:\n
            \n
            IPTABLES_MODULES=<\/span>ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT<\/code><\/pre>\n<\/div>\n<\/li>\n
          2. Run the service iptables restart<\/code> command to restart the iptables<\/code> service.<\/li>\n<\/ol>\n
            Troubleshoot FTP passive mode<\/h2>\n
            If your NAT-configured server cannot execute Passive FTP connections to other IP addresses on the server, perform either of the following actions:<\/p>\n
              \n
            • In cPanel & WHM version 66 and later, set the ForcePassiveIP<\/code> option with a tilde (~<\/code>) character. The system interprets this character as an undefined directive and prevents automatic changes to the \/etc\/pure-ftpd.conf<\/code> or \/etc\/proftpd.conf<\/code> files.<\/li>\n
            • In cPanel & WHM version 64 and earlier, follow the directions in our Passive FTP and NAT Configuration Temporary Workaround documentation.<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"
              Overview This document explains how to use the active or passive mode to connect to a File Transfer Protocol (FTP) server. Important: In cPanel & WHM version 60 and later, the system enables passive ports 49152 through 65534 for Pure-FTPd servers and ProFTPD servers by default. If you use the CSF firewall plugin, the system …<\/p>\n","protected":false},"author":1,"featured_media":559,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/558"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=558"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/558\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/559"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}