Can't change pureFTP passive port range

Ioan Sameli

Member
Jan 20, 2015
11
0
1
Shibuya, Tokyo, Japan
cPanel Access Level
Root Administrator
I can't connect to my server with ftp, as pureFTP is trying to enter passive mode with ports below 1024, which are blocked. I did specify a 20000 - 30000 range in pure-ftpd.conf, but it seems this setting is ignored by pureFTP.

Other settings that I modify in pure-ftpd.conf are taken into account after I run restartsrv_ftpserver, but PassivePortRange seems to be ignored for some reason.

Here's the relevant part of my pure-ftpd.conf file:

Code:
#Port range for passive connections replies. - for firewalling.

PassivePortRange          30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

ForcePassiveIP                54.65.xxx.xxx

And here's the error I get when I try to connect with FileZilla - pureFTP is asking to connect to ports 218,129 instead of the range I've set:

Code:
Command: 	PASV
Response:  	227 Entering Passive Mode (54,65,xxx,xxx,218,129)
Command: 	MLSD
Error:         	The data connection could not be established: ECONNREFUSED - Connection refused by server
Error:         	Connection timed out
Error:         	Failed to retrieve directory listing

I'm pretty sure I'm missing something simple here, but I've been searching for a good hour now, and can't figure out what I'm doing wrong. Any idea?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello :)

Are you using a third-party firewall management utility such as CSF? If so, does the issue persist when temporarily disabling CSF? You must ensure the passive port range is not blocked in your firewall.

Thank you.
 

Ioan Sameli

Hi Michael,

Thanks for your reply.

The passive range is definitely blocked by my firewall, and I don't want to leave the ports <1024 open (except the obvious ones).

My problem is that I can't change the PassivePortRange for pureFTP - the directive seems to be ignored. Any idea why?

Thanks.
 

cPanelMichael


Ioan Sameli

That's exactly the tutorial I originally followed, but pureFTP still redirects me to the wrong ports when I try to connect:


Code:
Command: 	PASV
Response:  	227 Entering Passive Mode (54,65,160,149,218,239)

As you can see, even though I've set the PassivePortRange to "30000 50000", it tries to use ports 218 and 239 for some reason - and those are blocked by the firewall.

Other settings that I modify in the same /etc/pure-ftpd.conf configuration file are taken into account, but it seems the PassivePortRange setting is either ignored or overridden by something.

Any idea what could cause this? I did a fair amount of googling but couldn't find any answer.
 

cPanelMichael

Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.
 

Ioan Sameli

Thanks a lot for your help Michael.

I've tried again on a fresh cPanel install and got exactly the same problem, still not sure if it's a bug or me who does something wrong.

I've submitted the ticket 6029505, looking forward to getting this resolved.
 

Ioan Sameli

Ticket resolved (that was effective).

If anyone runs into this issue in the future, here's the solution:

- My port number was actually right - the port number is not plain, it's a 16-bit digit encoded as two 8-bit digits: How to get port in FTP protocol from passive mode? - Stack Overflow
- My connection was refused because iptables was blocking the ports in the passive range - so double check your iptables configuration.
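
The decoding described in this post, as an added example (not code from the posters or from cPanel): the last two numbers of a 227 reply are the high and low bytes of the data port, so 218,129 is port 55937. The function names and the firewall ranges passed in are assumptions; the 229 (EPSV) branch goes beyond the replies shown in the thread.

```python
import re

# 227 reply (RFC 959): (h1,h2,h3,h4,p1,p2). Host fields are matched loosely
# so replies pasted with redacted octets ("xxx") still decode.
PASV_RE = re.compile(
    r"\b227\b.*?\(([^,()]+),([^,()]+),([^,()]+),([^,()]+),(\d{1,3}),(\d{1,3})\)")
# 229 reply (RFC 2428): (|||port|), with no host part.
EPSV_RE = re.compile(r"\b229\b.*?\(\|\|\|(\d{1,5})\|\)")


def decode_passive_reply(line):
    """Return (host, port) from a 227/229 reply line; host is None for 229."""
    m = PASV_RE.search(line)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            raise ValueError("port bytes must be 0-255: %r" % line)
        # p1 is the high byte and p2 the low byte of the 16-bit port.
        return ".".join(m.group(1, 2, 3, 4)), p1 * 256 + p2
    m = EPSV_RE.search(line)
    if m:
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError("port out of range: %r" % line)
        return None, port
    raise ValueError("not a 227/229 passive reply: %r" % line)


def check_reply(line, passive_range, firewall_ranges):
    """Compare the advertised data port with PassivePortRange and with the
    inbound TCP ranges the firewall allows (each given as (low, high))."""
    host, port = decode_passive_reply(line)
    return {
        "host": host,
        "port": port,
        "in_passive_range": passive_range[0] <= port <= passive_range[1],
        "allowed_by_firewall": any(lo <= port <= hi for lo, hi in firewall_ranges),
    }


if __name__ == "__main__":
    # Replies as quoted in the thread; the firewall ranges are constructed
    # sample values, replace them with what your iptables/CSF rules allow.
    for reply in ("227 Entering Passive Mode (54,65,xxx,xxx,218,129)",
                  "227 Entering Passive Mode (54,65,160,149,218,239)"):
        print(check_reply(reply, (30000, 50000), [(30000, 50000)]))
```

Both replies quoted in the thread decode to ports above 50000 (55937 and 56047), so compare the result with the configured PassivePortRange as well as with the firewall rules.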
 

cPanelMichael

I am happy to see the issue has been resolved. Thank you for updating us with the outcome.