ProFTPd, Disabling the Passive Mode

By CPressland
in Linux

 Share

Recommended Posts

Mentor

Rockett15

Posted
Posted

I had this issue in the past and found it wasn't worth the effort involved in fudging this to work.

What I did instead was use FTP over SSH by merely installing OpenSSHd. With this:

1. You only need to forward port 22

2. Most FTP clients support FTP over SSH

3. It's pretty much plug and play - start the service and you can start logging in with your users :)

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

And why would you want to disable it?? Have we not gone over this? Have your users use ACTIVE connections! As I thought I had already told you if your having issues with your router doing the passive for you.. Just manually set it up.

Set proftpd to use a specific range for its passive ports

http://www.proftpd.org/docs/directives/lin...ssivePorts.html

PassivePorts 49152 65534

I wold not use such a large range.. You only need a range large enough to handle the number of concurrent users you might have.. Something like 65000 65050 should be more than enough.

Now forward this range on your router to your ftp server. Done!

Grand Master

CPressland

Posted
  • Author
Posted
I had this issue in the past and found it wasn't worth the effort involved in fudging this to work.

What I did instead was use FTP over SSH by merely installing OpenSSHd. With this:

1. You only need to forward port 22

2. Most FTP clients support FTP over SSH

3. It's pretty much plug and play - start the service and you can start logging in with your users :)

Mind if you give me a small tutorial on setting that up or link me to a site that'll explain setting up FTP access

And why would you want to disable it?? Have we not gone over this? Have your users use ACTIVE connections! As I thought I had already told you if your having issues with your router doing the passive for you.. Just manually set it up.

Set proftpd to use a specific range for its passive ports

http://www.proftpd.org/docs/directives/lin...ssivePorts.html

PassivePorts 49152 65534

I wold not use such a large range.. You only need a range large enough to handle the number of concurrent users you might have.. Something like 65000 65050 should be more than enough.

Now forward this range on your router to your ftp server. Done!

Yeah and I've done that with no luck, it dosnt work.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Is your server still open? And you were going to give me access to your router?

So your users are not smart enough to not enable passive in IE, or to uncheck it.. or use a real ftp client to access site so they can set passive or active based on site, etc..

But you going to have them use a SSH tunnel to get to your ftp server?? Yeah that makes sense :rolleyes:

if your going to go the SSH route -- why not just setup SFTP? the openssh will provide SFTP, and kill 2 birds with 1 stone.. BTW yes ftp tunneled thru ssh or SFTP is way moe secure than FTP but it does come with a performance hit as its price.. You have the added overhead of encryption.

BTW -- normally in FTP over SSH, only the control traffic, ie port 21 is secured. The data connection would be in the clear and would still be either a passive or active connection.. So doing a ssh ftp tunnel is not going to fix your passive issue.

Unless your using clients that understand it, etc.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Ok I just took a look at that routers controls the dir-655 right? What level of SPI are you doing on that?

Under advanced, firewall -- I would assume its set to "Port And Address Restricted" as the default.. Change it to "Endpoint Independent" atleast for testing.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Ok since you had sent me the login info for your router.. I did some testing.. BTW -- I don't show your proftpd.conf being changed since 6/3 so when exactly did you configure the passive ports it uses?? Nor did I see any forwards for the passive ranges.

Anyway -- it seems your problem is your SPI firewall. I turned it off and passive works just fine!! With no need of a manual forward of the passive ports.

Retrieving directory listing...

TYPE A

200 Type set to A

PASV

227 Entering Passive Mode (82,13,132,223,247,198)

LIST -a

150 Opening ASCII mode data connection for file list

226 Transfer complete

Directory listing successful

PASV

227 Entering Passive Mode (82,13,132,223,247,183)

LIST -a

150 Opening ASCII mode data connection for file list

226 Transfer complete

Directory listing successful

If I enabled the passive range as a forward -- it would sometimes work, sometimes not.. But once I turned off the SPI it works every single time I have connected.

To be honest you really have little use for their added SPI checks since your behind a NAT anyway.. Only traffic that you forward or is in answer to something you request will get thru.

From the help on your router.

Enable SPI

SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to prevent cyberattacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers.

Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state.

So turning that off just disables some extra checks.. its really still doing SPI -- ie its checking the state.. Its just not doing added BS checks on the packets.

Grand Master

CPressland

Posted
  • Author
Posted
Your welcome -- if you don't mind.. leave my access open.. I'll check on your collection now and then ;) I'm a HUGE Scifi fan myself ;)

No problem mate, help yourself but dont expect any fast downloads :) (70KB/s max :()

I delete episodes while I watch them on the Popcorn Hour so keep an eye out for stuff.

I'm putting in a 1TB hard drive soon so hopefully then I wont need to delete stuff.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Euro-Office must default to ODF to be considered "genuinely European", LibreOffice argues

      By +Eternal Tempest · Posted

      It use to be a nightmare, with LibreOffice supporting a newer draft ODF standard by default, and Microsoft Office supporting the older non-draft standard. Now that they both support the same version of ODF, they should be interoperable.
    • Brave Browser 1.91.171

      By Copernic · Posted

      Brave Browser 1.91.171 by Razvan Serea Brave Browser is a lightning-fast, secure web browser that stands out from the competition with its focus on privacy, security, and speed. With features like HTTPS Everywhere and built-in tracker blocking, Brave keeps your online activities safe from prying eyes. Brave is one of the safest browsers on the market today. It blocks third-party data storage. It protects from browser fingerprinting. And it does all this by default. Speed - Brave is built on Chromium, the same technology that powers Google Chrome, and is optimized for speed, providing a fast and responsive browsing experience. Brave Browser also features Brave Rewards, a system that rewards users with Basic Attention Tokens (BAT) for viewing opt-in ads. This innovative system provides an alternative revenue model for content creators and a way to support the Brave community. SlimBrave Neo takes all the good things about Brave and makes them even better by keeping everything clean, light, and privacy-focused. It removes the extra clutter, turns off features you might not need, and cuts down on anything that could slow you down or collect unnecessary data. Because it relies on simple settings and policies instead of modifying the browser itself, you still get full Brave compatibility—just in a smoother, lighter, and more privacy-friendly package. Brave Browser 1.91.171 changelog: General Fixed Cardano not being disabled on upgrade to Brave Origin. Upgraded Chromium to 149.0.7827.103. Origin Removed “Survey Panelist” setting from brave://settings/privacy. Fixed P3A and usage ping under brave://settings/privacy being displayed on first launch on Linux. Upgraded Chromium to 149.0.7827.103. Download: Brave Browser 64-bit | 1.2 MB (Freeware) Download: Brave Browser 32-bit View: Brave Homepage | Offline Installers | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Can't access the forum on mobile

      By RaidenX · Posted

      Hi. As the title suggests, I can't access the forum on my phone. I'm using Edge on Android and when I try to navigate to the forum I get a "we value your privacy" popup and none of the buttons are clickable. It effectively stonewalls me from reading any forum content.
    • Google Chrome is killing all uBlock Origin bypasses, Microsoft Edge, Opera to follow

      By Brandon H · Posted

      Honestly you're not wrong about AdGuard. Neowin frequently has lifetime license discounts for them and that's how I got my cheap family license a few years ago to run it on all my devices.
    • Windows 11's big performance boost is finally available for all

      By nekrosoft13 · Posted

      yap yap, drink more coolaid.

  • Recent Achievements

    • Community Regular
      coch went up a rank
      Community Regular
    • One Year In
      slackerzz earned a badge
      One Year In
    • One Year In
      highriskpaym earned a badge
      One Year In
    • One Month Later
      highriskpaym earned a badge
      One Month Later
    • Week One Done
      highriskpaym earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      521
    2. 2
      PsYcHoKiLLa
      197
    3. 3
      +Edouard
      157
    4. 4
      Steven P.
      84
    5. 5
      ATLien_0
      75
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!