How to open ports in vsftp passive mode
I am running vsftpd on my Linux server. My vsftpd is configured in active mode to receive incoming connections. As a security matter, it is better to configure the vsftpd server in passive mode. Now, in passive mode the firewall is also an issue. How can I configure my server in passive mode and open more ports on the firewall? I only want to configure some particular ports for users to get access. Any used port can cause a security breach. Please provide suggestions.
Re: How to open ports in vsftp passive mode
It is a good decision to switch to passive mode from active mode. But the firewall will block your incoming connections, so your genuine users will also be affected. Also, under active mode your server has the security risks inherent in an insecure protocol like FTP, e.g. usernames and passwords are sent in plain text, which can be captured by a sniffer. You can use a more secure file transfer method like scp or sftp. I am running Proftp, and shore firewall with the help of Webmin. I can set up a range of ports on the server, e.g. passive ports 60000 62000, with the matching range in the firewall rules: 60000:62000. You will also need an FTP client which can target those ports.
Re: How to open ports in vsftp passive mode
Under passive mode your server is more secure as compared to active mode. The common issue when running a server in passive mode is the firewall. You can specify the Passive Port Range in your server. On the other hand, if the Passive Port Range is not specified, the server uses the available ports. The Passive Port Range is specified in the /proc/sys/net/ipv4/ip_local_port_range file.
Configuration settings:
- Set the port range in /etc/sysctl.conf as net.ipv4.ip_local_port_range = <start_port> <end_port>
- Run sysctl -p to load the new kernel values.
- Open the port range specified above in your firewall.
Re: How to open ports in vsftp passive mode
To open more ports in your vsftp server under passive mode, do the following:
1) The function below enables local users, so that your local users can use the vsftp server.
local_enable=YES
write_enable=YES
2) The function below enables passive mode.
pasv_enable=YES
3) The function below enables the number of ports.
pasv_max_port=51000
pasv_min_port=50000
port_enable=YES
Don't forget to save the file. Restart your vsftpd server.
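Added example, not part of any post in this thread: a Python check that the pasv_min_port/pasv_max_port range from the reply above matches the range opened on the firewall, flagging an opening that is too narrow (data connections fail) or too wide (unneeded ports exposed). The function names and the "low:high" firewall range string are assumptions for illustration, and the sample config is constructed.

```python
# Added example: audit vsftpd passive-port settings against the firewall opening.

SAMPLE_CONF = """\
# constructed sample, mirrors the passive settings in the reply above
pasv_enable=YES
pasv_max_port=51000
pasv_min_port=50000
port_enable=YES
"""


def parse_vsftpd_conf(text):
    """Return {option: value}; vsftpd uses option=value with no spaces, '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts


def audit_passive(conf_text, firewall_range):
    """firewall_range is 'low:high' (assumed input format). Returns a list of findings."""
    opts = parse_vsftpd_conf(conf_text)
    findings = []
    if opts.get("pasv_enable", "YES").upper() != "YES":  # vsftpd default is YES
        return ["pasv_enable is not YES: passive mode is off"]
    lo = int(opts.get("pasv_min_port", "0"))  # 0 (the default) means any port
    hi = int(opts.get("pasv_max_port", "0"))
    if lo == 0 or hi == 0:
        return ["pasv_min_port/pasv_max_port unset: server may pick any port"]
    if lo > hi:
        return [f"pasv_min_port {lo} is greater than pasv_max_port {hi}"]
    if lo < 1024:
        findings.append(f"range starts at privileged port {lo}")
    fw_lo, fw_hi = (int(p) for p in firewall_range.split(":"))
    if fw_lo > lo or fw_hi < hi:
        findings.append(f"firewall {fw_lo}:{fw_hi} does not cover {lo}:{hi}: data connections will fail")
    if fw_lo < lo or fw_hi > hi:
        findings.append(f"firewall {fw_lo}:{fw_hi} is wider than {lo}:{hi}: extra ports exposed")
    return findings


if __name__ == "__main__":
    for fw in ("50000:51000", "50000:50500", "49000:52000"):
        print(fw, audit_passive(SAMPLE_CONF, fw) or ["OK"])
```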