July 6, 2021 . 2 MIN READ
At Superrb, website security is one of our core priorities, so we actively encourage our hosting clients to use secure, encrypted methods such as SSH, FTPS or SFTP for transferring files and updates to their sites rather than the much less secure FTP. However, some clients still need FTP for a variety of reasons, and several of them told us they were getting a lot of connection timeouts when using passive FTP connections.
All of our hosting is provided through Amazon Web Services using Ubuntu as the operating system, and passive, rather than active, is the default connection method in most FTP clients. The timeouts happen because the network interface on an Amazon EC2 instance is configured with a private, routed internal IP address: when a client enters passive mode, the FTP server reports that unroutable internal address back to the client, which then cannot connect to it. The public address is mapped to the instance by Network Address Translation (NAT), so the server itself never sees it.
To enable passive FTP to work through a NAT gateway using ProFTPD you can follow the instructions below.
I assume that you have the Amazon EC2 API tools installed. First you need to open up the correct firewall ports; I will be using the IANA registered ephemeral port range (49152-65535) as the passive port range. If you aren't using EC2 you will need to allow these ports on your firewall or forward them on your router.
ec2-authorize default -p 20-21
ec2-authorize default -p 49152-65535
Then you can install the ProFTPD binary using your package manager of choice.
# Debian based systems:
apt-get install proftpd
# RPM based systems:
yum install proftpd
Next you need to edit your ProFTPD config file to tell it what your public IP address is and which passive ports it should use. The config file is normally located at /etc/proftpd/proftpd.conf.
You then need to add or edit the following lines, with MasqueradeAddress set to your instance's public IP address:
PassivePorts 49152 65535
MasqueradeAddress <your instance's public IP address>
I use an Elastic IP assigned to the EC2 instance to make sure I don't have to update my DNS records every time I reboot the instance. Restart ProFTPD and you are away! No more timeouts when using passive FTP.
/etc/init.d/proftpd restart
# Or: service proftpd restart
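As an added example (this is not code from the original post or from the ProFTPD project), the POSIX shell script below checks the two directives the steps above add before you restart the service: that MasqueradeAddress is set to a routable, non-private address, and that PassivePorts lies inside the range opened on the firewall. It also decodes a PASV reply the way an FTP client does, so you can see why an unset MasqueradeAddress produces the timeout symptom. The sample config files, the PASV reply and the address 203.0.113.10 (an RFC 5737 documentation address) are constructed for the example; the function names and the check itself are my own, not a ProFTPD tool.

```shell
#!/bin/sh
# Added example: sanity checks for ProFTPD passive mode behind NAT.
# All inputs below are constructed; nothing here touches a live server.

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into host:port,
# exactly as a client computes the data-connection endpoint (port = p1*256+p2).
pasv_decode() {
    fields=$(printf '%s' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    set -- $(printf '%s' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Return 0 if the dotted-quad is RFC 1918, loopback or link-local, i.e. an
# address an Internet client cannot reach; these are what an EC2 instance
# sees on its own interface and would advertise without MasqueradeAddress.
is_private_ip() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_proftpd_conf <proftpd.conf> <firewall low port> <firewall high port>
# Prints each problem found; returns 0 only when the config is consistent
# with the firewall rule. Directive matching is case-insensitive.
check_proftpd_conf() {
    conf=$1; fw_lo=$2; fw_hi=$3; rc=0
    masq=$(awk 'tolower($1)=="masqueradeaddress"{print $2}' "$conf")
    if [ -z "$masq" ]; then
        echo "MasqueradeAddress is not set: PASV replies will carry the private instance IP"
        rc=1
    elif is_private_ip "$masq"; then
        echo "MasqueradeAddress $masq is a private address; use the public/Elastic IP"
        rc=1
    fi
    set -- $(awk 'tolower($1)=="passiveports"{print $2, $3}' "$conf")
    if [ $# -ne 2 ]; then
        echo "PassivePorts is not set: ProFTPD will pick ports the firewall does not allow"
        rc=1
    elif [ "$1" -lt "$fw_lo" ] || [ "$2" -gt "$fw_hi" ] || [ "$1" -gt "$2" ]; then
        echo "PassivePorts $1-$2 is not inside the firewall range $fw_lo-$fw_hi"
        rc=1
    fi
    return $rc
}

# --- Constructed sample configs (temporary files, removed on exit) ---
good_conf=$(mktemp); bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT
cat > "$good_conf" <<'EOF'
PassivePorts 49152 65535
MasqueradeAddress 203.0.113.10
EOF
cat > "$bad_conf" <<'EOF'
PassivePorts 60000 70000
MasqueradeAddress 10.0.1.5
EOF

# What a client would be told by a server with no MasqueradeAddress:
# the instance's private 10.x address, which it then fails to connect to.
echo "Client would connect to: $(pasv_decode '227 Entering Passive Mode (10,0,1,5,192,10)')"
check_proftpd_conf "$good_conf" 49152 65535 && echo "good config: OK"
check_proftpd_conf "$bad_conf" 49152 65535 || echo "bad config: fix before restarting ProFTPD"
```

Run it as `sh check_pasv.sh` (any file name) before `service proftpd restart`; pass the real path of your proftpd.conf and the port range from your ec2-authorize rule to check_proftpd_conf to test a live configuration.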
There you go, now you should be able to connect using passive FTP. Please make sure you keep your FTP service as secure as possible though. You can do this in a variety of ways, such as IP filtering and explicitly setting the permissions for each user that is allowed to connect, but that is outside the scope of this article.