A little while ago I wrote an article about opening passive FTP ports specifically for using Plesk on Amazon AWS. Here’s a slightly more condensed version of how to do this on any server if you need it.
Passive FTP ports are not open by default when you install Plesk. To make it happen we need to patch the ProFTP configuration with a range of ports (anything between 49152 and 65534) and open the same range in our firewall.
You’ll find the ProFTP config file in /etc/proftpd.conf. There’s no need to open the whole available range; I’ll settle for 99 possible ports here. Add the following somewhere at the top of the file, outside any global declarations:
# adding passive ports and public IP address
PassivePorts 50001 50100
For the changes to become effective we’ll need to restart the xinetd service which ProFTP is part of in Plesk:
service xinetd restart
This will allow passive connections – but you also need to open those in your firewall. The easiest way to do this is via the Firewall Extension in Plesk:
Select Modify Firewall Rules, then Add Custom Rule. Give it a title, then add your port range and click OK. Your changes are not effective yet because Plesk needs to restart the firewall service. To do this hit “Apply Changes”, followed by “Activate”. Wait a moment and Plesk will have taken care of it.
If you don’t want to use the extension, here’s how you can open those ports manually. On CentOS 6 you can manually add that port range on the command line like this:
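iptables -I INPUT -p tcp --dport 50001:50100 -j ACCEPT
# write the running rules to /etc/sysconfig/iptables so the restart does not discard the new rule
service iptables save
service iptables restart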
On CentOS 7 you can do it like this:
firewall-cmd --zone=public --add-port=50001-50100/tcp --permanent
firewall-cmd --reload
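If the firewall range is narrower than PassivePorts, passive connections time out. If it is wider, the firewall opens ports ProFTP will never use for passive transfers. The shell check below is an added example, not part of the original article. The function names passive_range and compare_range and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the PassivePorts range in a ProFTPD config with a
# firewalld-style port spec such as "50001-50100/tcp".

# Print "MIN MAX" from the last active PassivePorts line (comment lines ignored).
passive_range() {
    awk '$1 == "PassivePorts" && NF >= 3 { min = $2; max = $3 }
         END { if (min == "") exit 1; print min, max }' "$1"
}

# Compare a config range with a firewall spec.
# Prints one of: match | too-narrow | too-wide | invalid
compare_range() {
    cfg_min=$1; cfg_max=$2
    spec=${3%/tcp}                      # strip the protocol suffix
    fw_min=${spec%-*}; fw_max=${spec#*-} # a single port gives min == max
    for n in "$cfg_min" "$cfg_max" "$fw_min" "$fw_max"; do
        case $n in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    done
    # The article's usable range for passive ports: 49152 to 65534.
    if [ "$cfg_min" -lt 49152 ] || [ "$cfg_max" -gt 65534 ] ||
       [ "$cfg_min" -gt "$cfg_max" ]; then
        echo invalid; return 1
    fi
    if [ "$fw_min" -gt "$cfg_min" ] || [ "$fw_max" -lt "$cfg_max" ]; then
        echo too-narrow   # some passive ports are blocked: clients time out
    elif [ "$fw_min" -lt "$cfg_min" ] || [ "$fw_max" -gt "$cfg_max" ]; then
        echo too-wide     # firewall opens ports passive FTP never uses
    else
        echo match
    fi
}

# Constructed sample config (not taken from a real server).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# adding passive ports and public IP address
#PassivePorts 49152 65534
PassivePorts 50001 50100
EOF

set -- $(passive_range "$sample_conf")
echo "config $1-$2 vs firewall 50001-50100/tcp: $(compare_range "$1" "$2" 50001-50100/tcp)"
rm -f "$sample_conf"
```

On a real server, point passive_range at /etc/proftpd.conf and pass compare_range the port spec you gave the firewall.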
Testing testing… this thing on?
To make sure everything is working, simply use your favourite FTP client and try to make a passive connection. If you get timeout errors something isn’t right.
You can also use a great web based tool to check if passive connections are working thanks to Tim Kosse: https://ftptest.net
Enjoy!