ANS Documentation

Improve This Doc
  • Cloud
  • Domains and DNS management
  • Backup and High Availability
  • eCommerce Stacks
  • Security
  • Email
  • Monitoring and usage management
  • Networking
  • Operating systems
    • Linux
      • Basics
      • Apache
      • Control Panels
      • FTP
      • Magento
      • Miscellaneous
      • MySQL
      • NGINX
      • PHP
      • PHP-FPM
      • Setting up Websites
      • NFS
      • VPN
      • Percona
      • SSH
      • SSL
      • Git
      • Redis
      • Elasticsearch
      • MongoDB
      • Ncdu
    • VMware ESXi
    • Windows
  • Webcelerator
  • MyUKFast
  • Home >
  • Operating systems >
  • Linux >
  • FTP >
  • Configuring FTP passive mode

Configuring FTP passive mode¶

This guide will help you configure your server and firewall correctly in order to connect using FTP passive mode.

If you see an error similar to this when trying to connect to your server via FTP, it’s likely you need to set up passive ports:

Response:   227 Entering Passive Mode (123,123,123,123,174,209)
Command:    MLSD
Error:  Failed to retrieve directory listing

If you see an error similar to this, then your server is likely behind a firewall with NAT configuration, and you need to set up a Masquerade Address on your FTP server:

"Server sent passive reply with unroutable address. Using server address instead."

The steps to set this up differ depending on your server, so below you will find guides based on some common server types. These examples are based upon setting up a range of 40000 to 40100.

WHM/cPanel servers¶

WHM / cPanel comes with two possible FTP servers built in, and the configuration is slightly different on each. To find out which one your server is using, log into WHM and navigate to Home >> Service Configuration >> FTP Server Selection. You’ll see either ProFTPD or Pure-FTPd selected.

For more information please do check out the official cPanel guide.

Pure-FTPd¶

  • Log in via SSH and open the configuration file /var/cpanel/conf/pureftpd/local. If this file does not exist, then create it.

  • Add this line to set which ports your server should use.

  PassivePortRange: 40000 40100

  • If your server is behind a firewall and you are seeing unroutable address errors, add the following line, replacing 123.123.123.123 with your server’s public IP:

  ForcePassiveIP: 123.123.123.123

  • Restart Pure-FTPd by running:

  /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

  • On your firewall, allow inbound connections on the passive port range you selected (in our example 40000 to 40100). If necessary please read our guide on opening firewall ports.

ProFTPD¶

  • Log in via SSH and open the configuration file /var/cpanel/conf/proftpd/local. If this file does not exist, then create it.

  • Add this line to set which ports your server should use.

PassivePorts: 40000 40100

  • If your server is behind a firewall and you are seeing unroutable address errors, add the following line, replacing 123.123.123.123 with your server’s public IP:

MasqueradeAddress: 123.123.123.123

  • Restart ProFTPD by running:

/usr/local/cpanel/scripts/setupftpserver proftpd --force

  • On your firewall, allow inbound connections on the passive port range you selected (in our example 40000 to 40100). If necessary please read our guide on opening firewall ports.

Plesk servers¶

Plesk also uses the ProFTPD server, but the configuration is slightly different. For more information please do refer to the official guide for Plesk.

  • Log in via SSH, then followed the guide for your version of Plesk:

Plesk Onyx:¶

  • Edit/create the file /etc/proftpd.d/55-passive-ports.conf

  • Add the following configuration this file:

<Global>
PassivePorts 40000 40100
</Global>

  • Restart the FTP service to pick up the changes:

systemctl restart xinetd

  • On your firewall, allow inbound connections on the passive port range you selected (in our example 40000 to 40100). If necessary please read our guide on opening firewall ports.

Plesk 12.5 and older:¶

  • Edit the file /etc/proftpd.conf

  • Look for the existing tags, and add your port range in between them:

<Global>
PassivePorts 40000 40100
</Global>

  • Restart the FTP service to pick up the changes:

systemctl restart xinetd

  • On your firewall, allow inbound connections on the passive port range you selected (in our example 40000 to 40100). If necessary please read our guide on opening firewall ports.

Unroutable Address on Plesk¶

  • If your server is behind a firewall and you are seeing unroutable address errors, look to see if that configuration already exists anywhere on your server:

grep -r Masq /etc/proftpd*

  • Edit whichever file has this directive, and replace the IP with your server’s public IP. If the MasqueradeAddress directive isn’t found, add it in.

MasqueradeAddress: 123.123.123.123

  • Restart the FTP service to pick up the changes:

systemctl restart xinetd

Opening ports on your firewall¶

If you are a UKFast customer and you’re not sure about how to open ports or manage other aspects of your firewall configuration, please do refer to our other guides on managing your firewall.

If you use any software firewalls, such as CSF, Plesk Firewall, IPTables, or firewalld, you’ll need to make sure your passive port range is not blocked there either.

Next Article > VSFTPd

  • Useful Links
  • SMB
  • Enterprise
  • Channel
  • Public Sector
  • ANS Data Centres
  • About ANS
  • Careers
  • Blog
  • Get in touch
  •  
  • Sales 0800 458 4545
  • Support 0800 230 0032
  • Get in touch

© ANS Group Limited | Terms and Conditions | Corporate Guidance | Sitemap
ANS Group Limited, registered in England and Wales, company registration number 03176761, registered office 1 Archway, Birley Fields, Manchester M15 5QJ