Aug 27, 2018
Brazil
cPanel Access Level
Root Administrator
Hi, I am continuing the following topic: All users get blocked when FTP. I have created a new one, as that one is old.

So, a few hours ago today I got this problem. It took a few minutes to see that it would be a little bit harder than usual. Then I found this thread and needed to use a few snippets of each post here to solve my problem. I didn't know where/when exactly this began. A user just told me he could not connect through FTP.
Let's go:
First of all, my OS is CL 7.6, with WHM/CPANEL v80.0.22 and CSF.
I realized the plain connection works fine; the problem is just with the TLS connection. I also realized that inserting my IP in the CSF Allow ACL allowed my computer to access easily, but not the other IPs.

I read this and checked my pure-ftpd.conf's PassivePortRange directive, and the port range was 49152 65534. It looked weird, but not entirely. I kept reading.

The "Broken Clients Compatibility" had no effect at all.

I skipped the reading about Pure-FTP Not Working on cPanel 11.52 (Pure-Ftpd Not Working on cPanel 11.52).

The compliment to the ConfigServer Team gave me some light, but nothing relevant.

And here below came the light and... also total confusion.

Edit /etc/pure-ftpd.conf and make sure PassivePortRange is set to the same range you have open in your firewall. This is the most common cause of this problem, where users can connect via FTP but get disconnected whenever they try to open a folder or really do anything else.
After reading this, the first thing I did was set the firewall to test mode. Nothing happened.

Then I checked the iptables rules in the hope of finding something blocked or allowed. Nothing.

Hello :)

I am happy to see you were able to address the issue. Note there's a guide on this at:

How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation

Thank you.
Here I started reading the section about pure-ftp.

Notes:

A local file contains your desired settings which overwrite any default settings from the main file.
The system enables passive ports 49152 through 65534 for Pure-FTPd servers and ProFTPd servers by default.
ok...

I read step 2, did not find the local file, and preferred not to create it because I found the main file.

I read steps 3, 4, 5, and 6, did not make any changes, and jumped to the 'Configure the firewall' section.

When I was about to start making IPTABLES rules (and actually I should make CSF rules), I saw in my CSF dashboard a button "Fix Common Problems" and there, the option 'Open PASV FTP Hole' (If the kernel (usually on virtual servers) is broken and cannot perform ftp connection tracking, or if you are trying to use FTP over SSL, this option will open a hole in the firewall to allow PASV connections through)
Note: The port range 30000 to 35000 is already open in csf.

I clicked, the system made the changes and... it did not work. Then I stopped and started CSF and, pim pirilim, IT WORKS!

But why was it working before and then stopped suddenly? I don't know. So I kept reading.

Just a minor little followup on this...

As it turns out, on these new CloudLinux 6.7 servers (at least the ones I recently purchased)...

ANY time any setting is changed at all in WHM > Service Configuration > FTP Server Configuration , or even if no change is made but you click the Save button in WHM > Service Configuration > FTP Server Configuration

It automatically resets PassivePortRange to 30000 50000 in /etc/pure-ftpd.conf

So, if you're an "old schooler" who has always had it set 30000 35000 in /etc/pure-ftpd.conf and 30000:35000 in your CSF TCP_IN field, then this little bugger will, for lack of a better term - mess with you!

For many years it seemed the standard was always 30000:35000 (which you'll also see commonly posted in places like the FileZilla forums) so once you set it in your CSF and pure-ftpd.conf you could forget it, even when making other changes in WHM > Service Configuration > FTP Server Configuration.

But now, at least with these new CL servers I got, any time the Save button is clicked in WHM > Service Configuration > FTP Server Configuration for any reason at all, it automatically resets PassivePortRange to 30000 50000 in /etc/pure-ftpd.conf

I learned the hard way this morning when after making a slight change to a different setting in WHM > Service Configuration > FTP Server Configuration last night, suddenly this morning noticed users getting blocked for "port scans" just for logging in to FTP.

So instead of trying to fight it and do things the way I always have for years (30000:35000) I just changed my CSF TCP_IN to include 30000:50000 so it'll never require a second thought if I ever have to change a setting in WHM > Service Configuration > FTP Server Configuration again.

On the one hand I guess this seems a bit silly on my part, but on the other hand I feel at least a tiny bit vindicated since in the end it was an issue of the WHM FTP Server Configuration tool changing PassivePortRange back to 30000 50000 in /etc/pure-ftpd.conf after I'd already gone in to /etc/pure-ftpd.conf and set it to 30000 35000. What I thought was just my tired eyes making an oversight was really that setting being changed without my knowledge when I was making a completely different adjustment in WHM FTP Server Configuration.

I hope at least this little merry go 'round I got stuck on ends up helping someone else someday. o_O
Then I ran the test suggested by Metro2 and it is correct. My pure-ftpd.conf had its PassivePortRange automatically changed, not to 30000 50000, but to 49152 65534, as in 'var/cpanel/conf/pureftpd/main'. Then I changed the directive PassivePortRange: 30000 35000 in that file. A new test and no new surprises of port changing. Everything is working nicely.

And I still don't know why the port changed, but I suppose a version upgrade. As very few users use the FTP service, it took a while to notice the problem.

Maybe if I had not clicked the button there in the CSF panel, nor changed the ports in the main file, I could have solved the problem the same way by creating an allow rule for the ports configured in the main file.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
CSF implements the port range for 30000:35000, which was updated for FTP on cPanel servers some time ago to the passive port range 49152:65534.

The ports opened in the firewall and the ports opened for FTP in the configuration file need to be the same, so one or the other must be updated in order for it to work properly, which is most likely why you ran into this issue (if it's not being used often).

The documentation here How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation goes over how to enable this correctly.
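
The mismatch discussed in this thread can be checked mechanically. The script below is an added example, not code from any poster or from cPanel or ConfigServer: it reads `PassivePortRange` from a Pure-FTPd config and `TCP_IN` from a CSF config and reports whether the firewall range covers the passive range. The function names and the sample files are constructed for illustration; on a real server the inputs would be `/etc/pure-ftpd.conf` and CSF's config file (assumed here to be `/etc/csf/csf.conf`).

```shell
#!/bin/sh
# Added example: does CSF's TCP_IN cover Pure-FTPd's PassivePortRange?

# Print "LOW HIGH" from the PassivePortRange line of a pure-ftpd.conf.
passive_range() {
    awk '$1 == "PassivePortRange" { print $2, $3; exit }' "$1"
}

# Print the TCP_IN value (comma list of ports and low:high ranges) of a csf.conf.
csf_tcp_in() {
    sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if a single TCP_IN entry covers LOW..HIGH. Adjacent entries are
# not merged, so a range split over two entries is reported as a mismatch.
range_is_open() {   # usage: range_is_open LOW HIGH TCP_IN
    echo "$3" | tr ',' '\n' | awk -F: -v lo="$1" -v hi="$2" '
        { a = $1 + 0; b = (NF > 1 ? $2 : $1) + 0 }
        a <= lo + 0 && hi + 0 <= b { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Compare the two files; returns 0 on match, 1 on mismatch, 2 if no range set.
check_ftp_passive() {   # usage: check_ftp_passive PURE_FTPD_CONF CSF_CONF
    pr=$(passive_range "$1")
    [ -n "$pr" ] || { echo "no PassivePortRange in $1"; return 2; }
    lo=${pr% *}; hi=${pr#* }
    if range_is_open "$lo" "$hi" "$(csf_tcp_in "$2")"; then
        echo "OK: passive range $lo-$hi is open in TCP_IN"
    else
        echo "MISMATCH: passive range $lo-$hi is not fully open in TCP_IN"
        return 1
    fi
}

# Constructed sample files mirroring the thread: the FTP config reset to
# 49152 65534 while CSF still opens 30000:35000, then the corrected config.
demo_dir=$(mktemp -d)
printf 'PassivePortRange 49152 65534\n' > "$demo_dir/pure-ftpd.reset.conf"
printf 'PassivePortRange 30000 35000\n' > "$demo_dir/pure-ftpd.fixed.conf"
printf 'TCP_IN = "20,21,22,80,443,30000:35000"\n' > "$demo_dir/csf.conf"
check_ftp_passive "$demo_dir/pure-ftpd.reset.conf" "$demo_dir/csf.conf" || true
check_ftp_passive "$demo_dir/pure-ftpd.fixed.conf" "$demo_dir/csf.conf"
```

Running it after any save in WHM > Service Configuration > FTP Server Configuration shows whether the passive range was rewritten out from under the firewall rule.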