How to Enable FTP Passive Mode on cPanel

Active and passive are the two modes of the FTP protocol, and an FTP server can operate in either. This post explains how to set up FTP passive mode on cPanel for Pure-FTPd and ProFTPd servers.

Active FTP vs Passive FTP

FTP uses two channels between the FTP client and the FTP server, each of which is a separate TCP connection: the command channel carries commands and responses, and the data channel carries the data transferred between client and server.

When the FTP connection is active, the FTP client establishes the command channel from port X on the client's host to destination port 21, and the server establishes the data channel from port 20 to a port on the FTP client.

In FTP passive mode, the difference is that the client establishes both channels and the server tells the client which port should be used for the data channel.

FTP passive mode is often used when you have problems with FTP active mode (e.g. when the server can't establish the data channel). This is common when firewall rules on the network block normal use of FTP active connections.

How can I configure FTP Passive Mode on cPanel?

On cPanel servers, you can enable FTP passive mode if you are using the Pure-FTPd or ProFTPd server.

Enable FTP Passive on Pure-FTPd

Follow the next steps to enable FTP passive mode on cPanel servers:

nano -w /etc/pure-ftpd.conf

Uncomment the line that contains the PassivePortRange variable by removing the # from the beginning of the line. Make sure you set PassivePortRange to port values greater than or equal to 1024.
After the changes, your PassivePortRange variable should look like this:

# Port range for passive connections replies. - for firewalling.
PassivePortRange          30000 50000

It is recommended to set a large number of ports for the passive connections. By default cPanel comes with 30k to 50k, however you can change it as you like, as long as it is a large number.

Important: if you are running your FTP server behind NAT, you will have to add one more setting.
Set ForcePassiveIP to the public IP address of your server. For example:

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
ForcePassiveIP XX.XX.XX.XX

Make sure you replace XX.XX.XX.XX with your real IP address.
Once ready, save your modifications and exit the text editor.

Apply these changes to cPanel's Pure-FTPd configuration as well, so that cPanel updates do not overwrite the main Pure-FTPd configuration file and the changes you made earlier in this post:

echo "PassivePortRange: 30000 50000" >> /var/cpanel/conf/pureftpd/main
/usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

If your FTP server is behind NAT, run this echo command as well, replacing XX.XX.XX.XX with the public IP address of your server:

echo "ForcePassiveIP: XX.XX.XX.XX" >> /var/cpanel/conf/pureftpd/main

Enable FTP Passive on ProFTPd

FTP passive mode can also be enabled for the ProFTPd server. Follow these steps:

nano -w /etc/proftpd.conf 

Add this line to the first block of the configuration file:

PassivePorts 30000 50000

If your ProFTPd server is behind NAT, add these extra lines:

MasqueradeAddress server.hostname.com
MasqueradeAddress XX.XX.XX.XX

Replace server.hostname.com with your real server hostname.
Replace XX.XX.XX.XX with the real public IP address of your FTP server.

Save and close the file.

To prevent cPanel from overwriting your changes during cPanel updates, make these changes permanent by running:

echo "PassivePorts: 30000 50000" >> /var/cpanel/conf/proftpd/main
/usr/local/cpanel/scripts/setupftpserver proftpd --force

Configure your Firewall for Passive FTP connections

If you are using the CSF firewall, follow these steps:

nano -w /etc/csf/csf.conf

Now search for the TCP_IN line, for example:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"

Then add your passive FTP port range. It should look like this:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,30000:50000"

Restart CSF to apply changes:

csf -r

If you are running a generic iptables-based configuration, this should be enough to open those ports:

iptables -I INPUT 2 -p tcp --dport 30000:50000 -j ACCEPT
service iptables save

Restart your FTP server

/usr/local/cpanel/scripts/restartsrv_ftpserver
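
To confirm that the three pieces configured above agree (the passive port range, the firewall rule and the address the server advertises), here is a check written for this walkthrough; it is an added example, not cPanel or Pure-FTPd code. The function names and sample inputs are assumptions, and the 227 reply layout (h1,h2,h3,h4,p1,p2) comes from RFC 959, not from this post; in practice the reply text would be copied from an FTP client's log.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def passive_range(ftpd_conf):
    """(low, high) from an uncommented PassivePortRange / PassivePorts line, else None."""
    m = re.search(r"^\s*(?:PassivePortRange|PassivePorts)\s+(\d+)\s+(\d+)\s*$", ftpd_conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def csf_tcp_in(csf_conf):
    """TCP_IN entries of csf.conf as (low, high) tuples; single ports become (p, p)."""
    m = re.search(r'^\s*TCP_IN\s*=\s*"([^"]*)"', csf_conf, re.M)
    items = [i.strip().partition(":") for i in m.group(1).split(",")] if m else []
    return [(int(lo), int(hi or lo)) for lo, _, hi in items if lo]

def audit(ftpd_conf, csf_conf, pasv_reply):
    """Return a list of problems; an empty list means config, firewall and reply agree."""
    rng = passive_range(ftpd_conf)
    if rng is None:
        return ["no active passive port range line (still commented out?)"]
    lo, hi = rng
    problems = []
    if lo < 1024 or hi > 65535 or lo > hi:
        problems.append(f"passive range {lo}-{hi} must lie within 1024-65535")
    if not any(a <= lo and hi <= b for a, b in csf_tcp_in(csf_conf)):
        problems.append(f"passive range {lo}-{hi} is not opened by TCP_IN")
    # RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", pasv_reply)
    if not m or any(int(x) > 255 for x in m.groups()):
        return problems + ["could not parse PASV reply"]
    n = [int(x) for x in m.groups()]
    addr = ipaddress.ip_address(".".join(map(str, n[:4])))
    port = n[4] * 256 + n[5]
    if any(addr in net for net in RFC1918):
        problems.append(f"PASV advertises private address {addr}: set ForcePassiveIP/MasqueradeAddress")
    if not lo <= port <= hi:
        problems.append(f"PASV data port {port} is outside {lo}-{hi}")
    return problems

# Constructed sample inputs (not taken from a real server).
FTPD_CONF = "# Port range for passive connections replies.\nPassivePortRange          30000 50000\n"
CSF_CONF = 'TCP_IN = "20,21,22,80,443,30000:50000"\n'
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,117,48)"   # 203.0.113.10, port 30000
NAT_REPLY = "227 Entering Passive Mode (10,3,5,33,78,32)"        # 10.3.5.33, port 20000

if __name__ == "__main__":
    for reply in (GOOD_REPLY, NAT_REPLY):
        print(reply, "->", audit(FTPD_CONF, CSF_CONF, reply) or "OK")
```

A private address in the reply means the NAT setting was not applied, and a data port outside the range means the server is still running with its old configuration.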

That should be all. Please let us know if you have any problems or questions regarding FTP passive mode on cPanel.

About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.
