Coolest Guides on the Planet


FTP/TLS or FTP/SSL not working on VPS with CSF Firewall

September 7, 2011

CSF is a great open-source firewall to use instead of raw iptables, and it includes a WHM add-on module for cPanel servers, but getting FTP/TLS or FTP/SSL to run successfully needs a couple of tweaks.

Plain FTP works fine over port 21 but is not considered secure, since it is unencrypted.

To get FTP over TLS/SSL working you need to open a range of higher-numbered ports for the passive data connections. Once the control channel is encrypted, the firewall can no longer read the FTP session to open the data port on the fly, so the range has to be allowed explicitly. In WHM go to CSF > Firewall Configuration, add 30000:50000 to both TCP_IN and TCP_OUT, then restart the firewall.

Then configure your FTP server (either Pure-FTPd or ProFTPD) to use these passive ports. For Pure-FTPd, edit the conf file:

/etc/pure-ftpd.conf

Uncomment the line below:

# Port range for passive connections replies. - for firewalling.
PassivePortRange          30000 50000

Restart the FTP server and all should be OK. Make sure the port range in TCP_IN and the range in the FTP config are the same.
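
One way to confirm that the two ranges really match, as an added example that is not part of the original post. It assumes csf.conf holds lines of the form TCP_IN = "..." (normally in /etc/csf/csf.conf); the function names are hypothetical helpers and the sample files are constructed.

```shell
# Added example: confirm the pure-ftpd.conf passive range is open in csf.conf.

# Print "LOW HIGH" from the uncommented PassivePortRange line.
passive_range() {
    awk '$1 == "PassivePortRange" { print $2, $3; exit }' "$1"
}

# Print the quoted port list assigned to a csf.conf key ($2) in file $1.
csf_ports() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed if LOW..HIGH ($2..$3) fits inside one entry of port list $1.
# Limitation: a range split across two adjacent entries is reported as closed.
range_allowed() {
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        start=${entry%%:*}
        end=${entry##*:}
        if [ "$start" -le "$2" ] && [ "$end" -ge "$3" ]; then return 0; fi
    done
    return 1
}

# check_passive FTP_CONF CSF_CONF: 0 = open both ways, 1 = mismatch, 2 = no range set.
check_passive() {
    range=$(passive_range "$1")
    if [ -z "$range" ]; then
        echo "PassivePortRange is commented out or missing in $1"; return 2
    fi
    low=${range% *}; high=${range#* }; result=0
    for key in TCP_IN TCP_OUT; do
        ports=$(csf_ports "$2" "$key")
        if range_allowed "$ports" "$low" "$high"; then
            echo "OK: $key allows $low:$high"
        else
            echo "MISMATCH: $key ($ports) does not cover $low:$high"; result=1
        fi
    done
    return $result
}

# Constructed sample files so the example runs offline (TCP_OUT left unopened).
demo() {
    dir=$(mktemp -d)
    printf 'PassivePortRange          30000 50000\n' > "$dir/pure-ftpd.conf"
    printf 'TCP_IN = "20,21,30000:50000"\nTCP_OUT = "20,21"\n' > "$dir/csf.conf"
    check_passive "$dir/pure-ftpd.conf" "$dir/csf.conf"
}
if [ "$#" -eq 2 ]; then check_passive "$1" "$2"; else demo || true; fi
```

Run it with the two config paths as arguments to check a real server; with no arguments it runs against the constructed sample and reports the TCP_OUT mismatch.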

If the FTP service is still not working, some iptables modules may need to be loaded. These are the iptables modules CSF needs in order to function:

  • ip_tables
  • ipt_state
  • ipt_multiport
  • iptable_filter
  • ipt_limit
  • ipt_LOG
  • ipt_REJECT
  • ipt_conntrack
  • ip_conntrack
  • ip_conntrack_ftp
  • iptable_mangle

You can check which iptables modules are loaded from the command line with:

cat /proc/net/ip_tables_matches

One of the issues with some shared hosting, including VPS packages, is that not all of these modules are loaded, 'conntrack' for example. If that is the case for you, you are stuck with insecure FTP over port 21, or you could use SFTP over port 22.

Refs – CSF & Parallels Virtuozzo


Copyright © 2023· Neil Gee - All Rights Reserved - Hosted by Runcloud