Archive for the FTP ISSUES Category

Passive Port Range in Proftpd

If you want to enable a passive port range for ProFTPD on your server, follow the steps below.

Open /etc/proftpd.conf and add the PassivePorts directive anywhere inside the <Global> section.

Example:

[#] /etc/proftpd.conf
<Global>
.....
.....
PassivePorts 30000 65000
</Global>

Once that is done, restart the proftpd service on the server.

Additionally, you have to open the same port range, 30000 to 65000, in the server firewall as well.

For more information, refer to: http://proftpd.org/docs/directives/linked/config_ref_PassivePorts.html

 

That’s all.
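A consistency check for the two steps above, as an added example that is not part of the original post: it reads the PassivePorts range from a ProFTPD config and reports whether an `iptables -S` rule listing accepts that whole TCP range. It assumes iptables is the server firewall; the function names and the sample config and rules are constructed for illustration.

```shell
# Added example: does the firewall accept the ProFTPD passive port range?

# Print "MIN MAX" from the first PassivePorts directive in a config file.
passive_range() {
    awk 'tolower($1) == "passiveports" && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             print $2, $3; exit }' "$1"
}

# Read `iptables -S` output on stdin. The first INPUT rule for tcp without a
# source match whose --dport covers MIN..MAX decides (first match wins).
# Simplification: chain policy, -s rules and partial overlaps are ignored.
range_allowed() {
    awk -v min="$1" -v max="$2" '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; dport = ""; target = ""; src = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "-s") src = 1
            }
            if (proto != "tcp" || dport == "" || src) next
            n = split(dport, p, ":"); lo = p[1] + 0; hi = p[n] + 0
            if (lo <= min + 0 && hi >= max + 0) { verdict = target; exit }
        }
        END { exit (verdict == "ACCEPT" ? 0 : 1) }'
}

# Compare a config file with a rule listing; return 0 when the range is open.
check_passive_firewall() {
    range=$(passive_range "$1") || return 2
    [ -n "$range" ] || { echo "no PassivePorts directive in $1"; return 2; }
    lo=${range% *}; hi=${range#* }
    if range_allowed "$lo" "$hi" < "$2"; then
        echo "OK: tcp $lo:$hi is accepted"
    else
        echo "MISSING: iptables -I INPUT -p tcp --dport $lo:$hi -j ACCEPT"
        return 1
    fi
}

demo() {   # constructed sample config and rules, written to a temp directory
    d=$(mktemp -d)
    printf '<Global>\nPassivePorts 30000 65000\n</Global>\n' > "$d/proftpd.conf"
    echo '-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT' > "$d/rules"
    check_passive_firewall "$d/proftpd.conf" "$d/rules" || true
    echo '-A INPUT -p tcp -m tcp --dport 30000:65000 -j ACCEPT' >> "$d/rules"
    check_passive_firewall "$d/proftpd.conf" "$d/rules"
    rm -rf "$d"
}
demo
```

On a live server the rule listing would come from `iptables -S INPUT` saved to a file and passed as the second argument.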

 

How to Block FTP Access Using iptables or CSF?

Block FTP access using iptables (the default system firewall)

1) If you want to completely disable FTP access on the server, run the command:

[#] iptables -A INPUT -p tcp --dport 21 -j DROP

2) If you want to block FTP access for a specific IP, run the command below:

[#] iptables -A INPUT -p tcp -s 10.10.10.10 --dport 21 -j DROP

3) If you want to disable FTP access for a specific subnet, run the command below:

[#] iptables -I INPUT -p tcp -s 10.10.10.10/24 --dport 21 -j DROP

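iptables evaluates rules in order and stops at the first match: -A appends a rule to the end of the chain and -I inserts it at the top, so a DROP appended after an existing ACCEPT for port 21 never takes effect.

After adding the rules, save them by running the command:

[#] /etc/init.d/iptables save

Then, to apply the saved rules, restart iptables by running the command:

[#] /etc/init.d/iptables restart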

Block FTP access using the CSF firewall

1) If you want to completely disable FTP access on the server, follow these steps:

[#] vi /etc/csf/csf.conf

Search for the lines:
# Allow incoming TCP ports
TCP_IN =
and remove port 21 from the list.
Save and quit.

Then restart the CSF firewall using the command below:

[#] csf -r

2) If you want to block FTP access for a specific IP, follow the steps below:

[#] vi /etc/csf/csf.deny
and add the line:
tcp:in:d=21:s=10.10.10.10

Save and quit.

Then restart the CSF firewall using the command below:

[#] csf -r

3) If you want to allow FTP access for only one IP on the server and deny it for all other IPs, follow these steps:

[#] vi /etc/csf/csf.conf
Then search for the line:
# Allow incoming TCP ports
and remove the ports 21 and 22.
Also search for the line:
# Allow outgoing TCP ports
and remove the ports 21 and 22.

Save and quit.

Port 22 is the default SSH port, so removing it from the incoming list also closes inbound SSH to every address that is not otherwise allowed.

Then open the csf.allow file:

[#] vi /etc/csf/csf.allow
and add the entry:
tcp:in:d=21:s=10.10.10.10

Save and quit.

Then restart the CSF service:

[#] csf -r

Note: Replace the IP 10.10.10.10 with the actual IP.

That’s all, you are done.