
how to change ProFTPd port without using "passive mode"

I just re-installed Ubuntu server 10.04 and decided to change all of my default ports to get a little extra security. Everything works fine, except when I decided to change the FTP (ProFTPd) port from the standard 21 to 3521. No problems with firewalls or port forwarding. ProFTPd was restarted, but when I am trying to connect to it, even though it does respond, it throws the client (FileZilla) into "passive mode" and then never goes into listing a directory. I don't really want to use "passive mode" and I have it disabled in proftpd.conf, but nevertheless I can't seem to change the default port otherwise and make it work. It does seem to work fine on port 21. FYI, proftpd was installed as a standalone daemon, if that matters somehow?


Ok, I think I figured this out after reading this page: link. It appears that most FTP connections are indeed "passive" and the problem with "active" connections comes from the use of firewalls on the client side, since the FTP server is initiating an outgoing "data" connection to the client on some random port. In passive mode the client initiates both "command" and "data" connections to the server and hence the firewall isn't a problem, but you should specify which "passive" ports to use on the server. I enabled 3520 and 3521 as PassivePorts and it's now working.


FTP Active Mode by definition requires the server to initiate its outgoing connections from port L-1. Does your firewall allow outgoing connections from port 3520 as well?

From the FTP RFC:

3.2. ESTABLISHING DATA CONNECTIONS

  The mechanics of transferring data consists of setting up the data
  connection to the appropriate ports and choosing the parameters
  for transfer.  Both the user and the server-DTPs have a default
  data port.  The user-process default data port is the same as the
  control connection port (i.e., U).  The server-process default
  data port is the port adjacent to the control connection port
  (i.e., L-1).

...

3.3. DATA CONNECTION MANAGEMENT

  Default Data Connection Ports:  All FTP implementations must
  support use of the default data connection ports, and only the
  User-PI may initiate the use of non-default ports.

  Negotiating Non-Default Data Ports:   The User-PI may specify a
  non-default user side data port with the PORT command.  The
  User-PI may request the server side to identify a non-default
  server side data port with the PASV command.  Since a connection
  is defined by the pair of addresses, either of these actions is
  enough to get a different data connection, still it is permitted
  to do both commands to use new ports on both ends of the data
  connection.

You might wish to take the opportunity to change your users to SFTP, a much nicer protocol.

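Both answers above come down to which ports the data connection uses: in active mode the server connects out from L-1 (3520 when the control port is 3521), in passive mode the client connects in to a port the server announces from its PassivePorts range. The following Python is an added illustration, not code from either poster or from ProFTPd; it parses the RFC 959 PASV reply and PORT command encoding (port = p1*256 + p2) and lists the server-side ports a firewall has to permit for each mode. The addresses and the 3520-3521 range are constructed sample values taken from the posts.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_response(line):
    """Return (host, port) from a 227 PASV reply; port is p1*256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("byte out of range in PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(host, port):
    """Encode the client's listening socket as an RFC 959 PORT command."""
    if not 0 < port <= 65535:
        raise ValueError("invalid port: %r" % port)
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("invalid IPv4 address: %r" % host)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def data_ports_to_allow(mode, control_port, passive_ports=None):
    """Server-side TCP ports the firewall must permit for the data connection.

    active:  server opens an *outgoing* connection from control_port - 1 (L-1)
    passive: client opens an *incoming* connection to a port in PassivePorts
    """
    if mode == "active":
        return {"direction": "server->client", "server_ports": [control_port - 1]}
    if mode == "passive":
        lo, hi = passive_ports  # (first, last) of the PassivePorts range
        return {"direction": "client->server", "server_ports": list(range(lo, hi + 1))}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    # constructed sample reply from a server whose PassivePorts include 3520
    print(parse_pasv_response("227 Entering Passive Mode (192,168,1,10,13,192)."))
    print(build_port_command("192.168.1.20", 3521))
    print(data_ports_to_allow("active", 3521))
    print(data_ports_to_allow("passive", 3521, (3520, 3521)))
```

Note that with the asker's settings the active-mode data port (3520) and the passive range overlap, so the same firewall rule set covers both directions only if it allows 3520 inbound and outbound.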
