This appendix describes how to configure several popular FTP servers to limit the range of passive-mode data ports they listen on. As discussed in the main text, FTP server administrators will almost certainly need to support passive FTP in order to reach the widest range of clients, since many clients sit behind firewalls or NAT devices that block the inbound data connection active mode requires. Supporting passive FTP, however, means a block of high-numbered ports on the server must be reachable through the firewall. Fortunately, most FTP servers allow this range to be restricted, so that only a bounded and known set of ports needs to be opened, limiting the server's exposure.
ProFTPd, http://www.proftpd.net, is an increasingly popular FTP server due to its modularity and Apache-style configuration directives. ProFTPd also supports virtual hosts "out of the box", which has made it one of the most common FTP servers used by web hosting companies.
As of version 1.20RC3 and later (the current version as of this writing is 1.2.4), ProFTPd supports a directive called PassivePorts. The PassivePorts directive is usually used in the global context of the proftpd.conf file (the location of which varies depending on how ProFTPd was configured and installed). PassivePorts takes two arguments, the minimum port number and the maximum port number, as in the following example, which confines passive data connections to a block of 1,000 ports:

PassivePorts 51000 51999
The ProFTPd documentation has the following to say about the PassivePorts directive:

PassivePorts restricts the range of ports from which the server will select when sent the PASV command from a client. The server will randomly choose a number from within the specified range until an open port is found. Should no open ports be found within the given range, the server will default to a normal kernel-assigned port, and a message logged.

The port range selected must be in the non-privileged range (e.g. greater than or equal to 1024); it is STRONGLY RECOMMENDED that the chosen range be large enough to handle many simultaneous passive connections (for example, 49152-65534, the IANA-registered ephemeral port range).
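The following Python script is an added example for this appendix; it is not ProFTPd's own tooling and does not come from the original text. It reads the PassivePorts directive out of a proftpd.conf, checks the range against the constraints the documentation quoted above imposes (non-privileged ports, a valid ordering, and a range large enough for the expected number of simultaneous transfers), renders the iptables rule that admits exactly that range and nothing more, and decodes the "227 Entering Passive Mode" reply a server returns to PASV so that a live probe can confirm the advertised ports really fall inside the configured range. The sample configuration excerpt and the two 227 replies are constructed for the demonstration; the 256-port minimum, the iptables syntax and the anonymous login used by the live probe are assumptions of this example, not anything the appendix specifies.

```python
"""Check a ProFTPd PassivePorts setup from the outside.

Added example for this appendix; not part of the ProFTPd distribution.
Steps: (1) pull the PassivePorts range out of proftpd.conf, (2) validate it
against the constraints the ProFTPd documentation states, (3) render the
iptables rule that admits exactly that range, and (4) decode the 227 reply
to PASV so a live probe can confirm each advertised port is inside the range.
"""
import re
from ftplib import FTP

# Constructed proftpd.conf excerpt for the offline demo. The directive name
# and argument order follow the ProFTPd documentation; the rest is filler.
SAMPLE_CONF = """\
ServerName "Example FTP"
# PassivePorts 1024 65535   (commented-out line must be ignored)
PassivePorts 51000 51999
<VirtualHost 192.0.2.10>
    ServerName "vhost"
</VirtualHost>
"""

# Constructed 227 replies: one inside the range above, one showing the
# kernel-assigned fallback the documentation mentions when the range is full.
PASV_IN_RANGE = "227 Entering Passive Mode (192,0,2,10,200,119)."  # 200*256+119 = 51319
PASV_OUTSIDE = "227 Entering Passive Mode (192,0,2,10,132,207)."   # 132*256+207 = 33999

_DIRECTIVE = re.compile(r"^\s*PassivePorts\s+(\d+)\s+(\d+)\s*$", re.M)
_REPLY_227 = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def read_passive_ports(conf_text):
    """Return (min, max) from the first uncommented PassivePorts line, or None."""
    m = _DIRECTIVE.search(conf_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def validate_range(lo, hi, min_size=256):
    """Return a list of problems with the range; an empty list means acceptable.

    min_size is an assumed local policy: the ProFTPd docs only say the range
    should be 'large enough', so tune it to the concurrency you expect.
    """
    problems = []
    if lo > hi:
        problems.append(f"minimum {lo} exceeds maximum {hi}")
    if lo < 1024:
        problems.append("range starts in the privileged ports (< 1024)")
    if hi > 65535:
        problems.append(f"maximum {hi} is not a valid TCP port")
    if hi - lo + 1 < min_size:
        problems.append(f"only {hi - lo + 1} ports; fewer than {min_size} simultaneous PASV transfers")
    return problems


def iptables_rule(lo, hi):
    """Render the one iptables rule (legacy -m state syntax, assumed) for the range."""
    return f"iptables -A INPUT -p tcp --dport {lo}:{hi} -m state --state NEW -j ACCEPT"


def parse_pasv_reply(reply):
    """Decode a 227 reply into (host, port); the port is p1*256 + p2 per RFC 959."""
    m = _REPLY_227.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_port_in_range(reply, lo, hi):
    """True if the port advertised in a 227 reply lies within [lo, hi]."""
    return lo <= parse_pasv_reply(reply)[1] <= hi


def probe_server(host, lo, hi, user="anonymous", passwd="ftp@example.invalid", samples=5):
    """Live check (needs network): log in, send PASV repeatedly, and return every
    advertised port that falls outside the configured range."""
    leaks = []
    with FTP(host) as ftp:
        ftp.login(user, passwd)
        for _ in range(samples):
            _, port = parse_pasv_reply(ftp.sendcmd("PASV"))
            if not lo <= port <= hi:
                leaks.append(port)
    return leaks


if __name__ == "__main__":
    lo, hi = read_passive_ports(SAMPLE_CONF)
    print(f"PassivePorts range: {lo}-{hi}")
    print("problems:", validate_range(lo, hi) or "none")
    print(iptables_rule(lo, hi))
    for reply in (PASV_IN_RANGE, PASV_OUTSIDE):
        verdict = "OK" if pasv_port_in_range(reply, lo, hi) else "OUTSIDE RANGE"
        print(reply, "->", verdict)
```

Run the script as-is for the offline demonstration, or call probe_server("ftp.example.invalid", 51000, 51999) against a real host after setting PassivePorts. A non-empty result means the server handed out a port outside the range, which is exactly the documented fallback to a kernel-assigned port when the range is exhausted; since the firewall only admits the configured block, those transfers will hang rather than fail loudly, so the probe is worth repeating under load.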
If you are attempting to use SSH port forwarding to tunnel the FTP command channel over an SSH connection (so that passwords are not sent in clear text), be aware that you must set the AllowForeignAddress directive to "on" in the proftpd.conf file. The reason is that the tunnelled control connection reaches ProFTPd from the SSH endpoint (for example, from the loopback address when sshd runs on the FTP server itself), while the passive data connection is opened directly from the client's own address; by default ProFTPd rejects a data connection whose source address does not match that of the control connection. If AllowForeignAddress is not set and a tunnelled connection is attempted, ProFTPd will log a message similar to the following:

SECURITY VIOLATION: Passive connection from a.b.c.d rejected

Important Note: Please read and understand the documentation about the AllowForeignAddress directive before implementing it. Allowing data connections to or from addresses other than the connecting client's opens your FTP server up to FTP bounce attacks, in which an attacker uses your server to open connections to third-party hosts. It is strongly recommended that this option not be enabled on systems being used as anonymous FTP servers.