How to allow Passive FTP Connections in Plesk

A little while ago I wrote an article about opening Passive FTP Ports specifically for using Plesk on Amazon AWS. Here’s a slightly more condensed version of how to do this on any server if you need it.

Passive FTP ports are not open by default when you install Plesk. To make it happen we need to patch the ProFTP configuration with a range of ports (anything between 49152 and 65534) and open the same range in our firewall.

You’ll find the ProFTP config file in /etc/proftpd.conf. There’s no need to open the whole available range; I’ll settle for 99 possible ports here. Add the following somewhere at the top of the file, outside any global declarations:

# adding passive ports
PassivePorts 50001 50100

For the changes to take effect we’ll need to restart the xinetd service, which ProFTP is part of in Plesk:

service xinetd restart

This will allow passive connections – but you also need to open those ports in your firewall. The easiest way to do this is via the Firewall Extension in Plesk:


Select Modify Firewall Rules, then Add Custom Rule. Give it a title, then add your port range and click OK. Your changes are not effective yet because Plesk needs to restart the firewall service. To do this hit “Apply Changes”, followed by “Activate”. Wait a moment and Plesk will have taken care of it.

If you don’t want to use the extension, here’s how you can open those ports manually. On CentOS 6 you can manually add that port range on the command line like this:

# insert the rule, then save it so the restart does not discard it
iptables -I INPUT -p tcp --dport 50001:50100 -j ACCEPT
service iptables save
service iptables restart

On CentOS 7 you can do it like this:

firewall-cmd --zone=public --add-port=50001-50100/tcp --permanent
firewall-cmd --reload
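
If the range in proftpd.conf and the range opened in the firewall differ, passive data connections on the uncovered ports are blocked. The following script is an added example, not part of the original article: it reads the PassivePorts range from a config file and checks it against a list of open ports in the `PORT/tcp` format that firewall-cmd prints. The function names, the sample config and the sample port lists are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): confirm that the PassivePorts
# range in a ProFTPD config is covered by the ports opened in the firewall.

# Print "LOW HIGH" from the first uncommented PassivePorts directive.
passive_range() {
    awk '$1 == "PassivePorts" && NF >= 3 { print $2, $3; exit }' "$1"
}

# Succeed if LOW..HIGH is a valid range inside 49152-65534, as the article advises.
range_ok() {
    [ "$1" -le "$2" ] && [ "$1" -ge 49152 ] && [ "$2" -le 65534 ]
}

# Succeed if one TCP entry ("PORT/tcp" or "LOW-HIGH/tcp") covers LOW..HIGH.
firewall_covers() {
    lo=$1; hi=$2; shift 2
    for spec in "$@"; do
        case $spec in */tcp) r=${spec%/tcp} ;; *) continue ;; esac
        [ "${r%-*}" -le "$lo" ] && [ "${r#*-}" -ge "$hi" ] && return 0
    done
    return 1
}

# Hypothetical helper: report on one config file against a list of open ports.
check_passive_ftp() {
    range=$(passive_range "$1")
    [ -n "$range" ] || { echo "no PassivePorts directive found"; return 2; }
    p_lo=${range% *}; p_hi=${range#* }
    range_ok "$p_lo" "$p_hi" || { echo "range $p_lo-$p_hi is outside 49152-65534"; return 3; }
    # $2 is left unquoted on purpose so the port list splits into words.
    firewall_covers "$p_lo" "$p_hi" $2 || { echo "firewall does not cover $p_lo-$p_hi"; return 4; }
    echo "ok: passive range $p_lo-$p_hi is open"
}

# Constructed sample config; on a real server pass /etc/proftpd.conf instead.
conf=$(mktemp)
trap 'rm -f "$conf"' EXIT
cat > "$conf" <<'EOF'
#PassivePorts 40000 40100
PassivePorts 50001 50100
EOF

# Constructed samples of `firewall-cmd --zone=public --list-ports` output.
check_passive_ftp "$conf" "21/tcp 50001-50100/tcp" || true
check_passive_ftp "$conf" "21/tcp 50001-50050/tcp" || true
```

The second call reports a firewall range that stops at 50050, which leaves half of the configured passive ports unreachable.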

Testing testing… this thing on?

To make sure everything is working, simply use your favourite FTP client and try to make a passive connection. If you get timeout errors something isn’t right.

You can also use a great web-based tool to check if passive connections are working, thanks to Tim Kosse:

