Note: When configuring the passive port range, the selected range must be in the non-privileged range (i.e., greater than or equal to 1024). It is strongly recommended that the chosen range be large enough to handle many simultaneous passive connections. The default passive port range is 49152-65535 (the IANA registered ephemeral port range).
- Connect to a server via SSH.
- Run the command below to check if the passive port range is configured in the FTP server:
    # sed -n '/\<Global/,/\/Global/p' /etc/proftpd.conf /etc/proftpd.d/* | grep PassivePorts
  If the command returns the same output as below, the passive port range is set up in ProFTPd configuration. Continue to step 3.
    PassivePorts 49152 65535
  If no output is returned, configure the passive port range:
  2.1. Create the /etc/proftpd.d/55-passive-ports.conf file using the following command:
    # touch /etc/proftpd.d/55-passive-ports.conf
  2.2. Open the /etc/proftpd.d/55-passive-ports.conf file in a text editor. In this example, we use the vi editor:
    # vi /etc/proftpd.d/55-passive-ports.conf
  2.3. Paste the content below in the file:
    <Global>
    PassivePorts 49152 65535
    </Global>
  2.4. Save the changes and close the file.
- Enable the kernel modules in the system:
  Note: Actions that involve kernel module configuration should be performed on a physical or a virtual machine with full hardware emulation. If a VZ container is used, the same actions should be performed on the hardware node where this VZ container is running.
  3.1. Enable the nf_conntrack_ftp module:
    # /sbin/modprobe nf_conntrack_ftp
  3.2. If the server is behind NAT (a private IP address is configured in the system), enable the nf_nat_ftp kernel module as well:
    # /sbin/modprobe nf_nat_ftp
  3.3. Verify the changes:
    # lsmod | grep nf_nat_ftp
    nf_nat_ftp 16384 0
    nf_conntrack_ftp 20480 1 nf_nat_ftp
    nf_nat 32768 1 nf_nat_ftp
    nf_conntrack 131072 3 nf_conntrack_ftp,nf_nat_ftp,nf_nat
  3.4. To keep the changes after a system reboot, apply these steps:
    - Add the modules to the /etc/modules-load.d/modules.conf file with these commands:
      # echo nf_nat_ftp >> /etc/modules-load.d/modules.conf
      # echo nf_conntrack_ftp >> /etc/modules-load.d/modules.conf
    - On CentOS/RHEL-based distributions, add the modules to the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file as follows:
      # cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
      IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"
 
- Restart the xinetd service to apply changes:
    # service xinetd restart
- Open the passive port range in a firewall:
  Note: If there is an intermediate firewall between a Plesk server and the Internet, make sure that the passive port range is allowed in its configuration as well. Contact your Internet Service Provider for assistance.
  To open the ports in a local firewall, follow these steps:
  - Manually
      # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      # iptables -I INPUT 2 -p tcp --match multiport --dports 49152:65535 -j ACCEPT
      # service iptables save
  - Using Plesk Firewall (Recommended)
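
The procedure above sets the same port range in two places, the ProFTPd PassivePorts directive and the firewall rule, and the two can drift apart over time. The shell functions below are an added example (not part of the original article or of Plesk tooling) that compare the two and flag a firewall rule that is narrower or wider than the configured range. The function names and the sample data are constructed for illustration, and the rules text is assumed to be in iptables-save format.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print "MIN MAX" from the first PassivePorts directive inside <Global>.
passive_range() {
    printf '%s\n' "$1" | sed -n '/<Global>/,/<\/Global>/p' |
        awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# Print "MIN MAX" from the first tcp multiport ACCEPT rule (iptables-save format).
firewall_range() {
    printf '%s\n' "$1" |
        sed -n 's/^-A INPUT .*-p tcp .*--dports \([0-9][0-9]*\):\([0-9][0-9]*\) .*-j ACCEPT.*/\1 \2/p' |
        head -n 1
}

# audit_passive CONF_TEXT RULES_TEXT
# 0 = consistent, 1 = PassivePorts missing from <Global>, 2 = invalid range,
# 3 = firewall does not cover the range, 4 = firewall opens more than the range
audit_passive() {
    range=$(passive_range "$1")
    [ -n "$range" ] || return 1
    pmin=${range% *}; pmax=${range#* }
    # Reject a missing or non-numeric bound before doing arithmetic tests.
    case "$pmin:$pmax" in :*|*:|*[!0-9:]*) return 2 ;; esac
    if [ "$pmin" -lt 1024 ] || [ "$pmax" -gt 65535 ] || [ "$pmin" -gt "$pmax" ]; then
        return 2
    fi
    fw=$(firewall_range "$2")
    [ -n "$fw" ] || return 3
    fmin=${fw% *}; fmax=${fw#* }
    if [ "$fmin" -gt "$pmin" ] || [ "$fmax" -lt "$pmax" ]; then return 3; fi
    if [ "$fmin" -lt "$pmin" ] || [ "$fmax" -gt "$pmax" ]; then return 4; fi
    return 0
}

# Constructed sample inputs mirroring the values used in the steps above.
SAMPLE_CONF='<Global>
 PassivePorts 49152 65535
</Global>'
SAMPLE_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:65535 -j ACCEPT'

audit_passive "$SAMPLE_CONF" "$SAMPLE_RULES"
echo "audit result: $?"
```

On a live server the two arguments could be filled from the ProFTPd configuration files and from the output of iptables-save.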
 
 