Background
WHM doesn’t allow passive FTP connections through by default. You first have to tell the FTP server software to allow them and then do the firewall work. This article explains how to do it if you’re running PureFTPd and ConfigServer Firewall (CSF). In summary, you first tell PureFTPd that it can accept passive FTP connections, and then in ConfigServer Firewall you add the passive port range to the TCP_IN configuration directive. According to the documentation, ConfigServer Firewall will add the passive port range for you automatically, but on our servers we found that this is not the case.
Confirm you’re using PureFTPd.
First confirm you’re using PureFTPd. On WHM you have two options, PureFTPd and ProFTPd.
To see if you’re running PureFTPd, do this:
# service pure-ftpd status
Redirecting to /bin/systemctl status pure-ftpd.service
● pure-ftpd.service - Pure-FTPd
   Loaded: loaded (/etc/systemd/system/pure-ftpd.service; enabled; vendor prese>
   Active: active (running) since Fri 2023-04-07 00:16:34 SAST; 2 days ago
Add the `ForcePassiveIP` Setting
vi /var/cpanel/conf/pureftpd/local
Add this (unless you have NAT):
ForcePassiveIP: ~
If you have NAT, determine your server’s public IP address:
curl ifconfig.me
Add your server’s IP address to the force passive IP setting:
ForcePassiveIP: 203.0.113.0
Restart Pure-FTPd:
/usr/local/cpanel/scripts/setupftpserver pure-ftpd --force
CSF Firewall Configuration
In CSF, look for TCP_IN here:
vi /etc/csf/csf.conf
Example with the port range you need to add at the end of the directive, namely `,49152:65534`:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443,49152:65534"
Next restart CSF:
service csf restart
You are done and passive FTP should be working now.
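To verify the TCP_IN edit, the following added example (not part of the original article and not CSF's own code) parses the TCP_IN line of a csf.conf-style file and reports whether every port in 49152:65534 is open, including when the range is split across several entries. The function name `tcp_in_covers` and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article or from CSF): verify that TCP_IN in a
# csf.conf-style file opens every port of a passive FTP range.
# Returns 0 = fully covered, 1 = at least one port missing, 2 = no TCP_IN line.
tcp_in_covers() {
    conf=$1; lo=$2; hi=$3
    # Last uncommented TCP_IN assignment; the pattern does not match TCP6_IN.
    line=$(grep -E '^[[:space:]]*TCP_IN[[:space:]]*=' "$conf" | tail -n 1)
    [ -n "$line" ] || return 2
    # Drop key, quotes and blanks; emit "start end" per entry, sorted by start.
    ranges=$(printf '%s\n' "${line#*=}" | tr -d '" \t' | tr ',' '\n' |
        awk -F: '/^[0-9]+(:[0-9]+)?$/ { print $1, (NF == 2 ? $2 : $1) }' |
        sort -n)
    next=$lo    # lowest port of the wanted range not yet known to be open
    while read -r start end; do
        [ -n "$start" ] || continue
        # Entries are sorted, so a start beyond $next means $next is closed.
        if [ "$start" -gt "$next" ]; then return 1; fi
        if [ "$end" -ge "$next" ]; then next=$((end + 1)); fi
        if [ "$next" -gt "$hi" ]; then return 0; fi
    done <<EOF
$ranges
EOF
    return 1
}

# Constructed sample files: the article's TCP_IN line without and with the range.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
base='20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443'
printf 'TCP_IN = "%s"\n' "$base" > "$sample_dir/before.conf"
printf 'TCP_IN = "%s,49152:65534"\n' "$base" > "$sample_dir/after.conf"

for name in before after; do
    if tcp_in_covers "$sample_dir/$name.conf" 49152 65534; then
        echo "$name.conf: 49152:65534 is open in TCP_IN"
    else
        echo "$name.conf: 49152:65534 is NOT fully open in TCP_IN"
    fi
done
```

On a server, the same function can be pointed at the live file with `tcp_in_covers /etc/csf/csf.conf 49152 65534`.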