FTP (File Transfer Protocol) is a TCP-based service. FTP is widely used for transferring files over a network. There are various FTP servers available, such as vsftpd, proftpd and pureftpd.
FTP uses two different ports:
1. Port 20 is the data port, but the data port is not always 20; it may change in passive mode.
2. Port 21 is the command port.
FTP works in two different modes (active FTP vs passive FTP) depending on the server and client configuration. In this article I am trying to give a definitive explanation of active FTP vs passive FTP; I hope it will help you understand how each mode works.
Active mode FTP
Of the two modes, active mode is the older one. It was introduced in the early days of computing, when mainframes were more common and attacks on information security were not as prevalent. Here's a simplified explanation of how an active mode connection is carried out, summarized in two steps. Some relevant steps (e.g. ACK replies) have been omitted to simplify things.
- A user connects from a random port on a file transfer client to port 21 on the server. It sends the PORT command, specifying what client-side port the server should connect to. This port will be used later on for the data channel and is different from the port used in this step for the command channel.
- The server connects from port 20 to the client port designated for the data channel. Once the connection is established, file transfers are made through these client and server ports.
Passive Mode FTP
In passive mode, the client still initiates a command channel connection to the server. However, instead of sending the PORT command, it sends the PASV command, which is basically a request for a server port to connect to for data transmission. When the FTP server replies, it indicates what port number it has opened for the ensuing data transfer.
Here's how passive mode works in a nutshell:
- The client connects from a random port to port 21 on the server and issues the PASV command. The server replies, indicating which (random) port it has opened for data transfer.
- The client connects from another random port to the random port specified in the server's response. Once the connection is established, data transfers are made through these client and server ports.
Summary
The following chart should help admins remember how each FTP mode works:
Active FTP :
command : client >1023 -> server 21
data : client >1023 <- server 20
Passive FTP :
command : client >1023 -> server 21
data : client >1024 -> server >1023
A quick summary of the pros and cons of active vs. passive FTP is also in order:
Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.
Luckily, there is somewhat of a compromise. Since admins running FTP servers need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high-numbered ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously.
Configure Server to Allow Passive Mode FTP
Your FTP server needs a channel to transfer data. Port 21 is used to establish the connection, so to make data transfer possible you need to enable port 20 as well. See the following configuration.
First load the following module to make sure passive FTP connections are not rejected (on RHEL 7 ip_conntrack_ftp is an alias for the nf_conntrack_ftp connection-tracking helper, which marks the data connection as RELATED to the port 21 control connection)
modprobe ip_conntrack_ftp
Allow FTP connections on port 21 incoming and outgoing (the INPUT rule must admit NEW as well as ESTABLISHED; with a default-drop INPUT chain, a client's first SYN to port 21 would otherwise never be accepted)
~]#iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
~]#iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
Allow FTP port 20 for active connections incoming and outgoing
~]#iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
~]#iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
Finally allow FTP passive inbound traffic (note that this admits NEW connections across the whole 1024-65535 range; the compromise described above is to restrict the server to a fixed passive port range and open only that range)
~]#iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
~]#iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"
Verify your FTP server mode
Server side: in the vsftpd configuration, setting
pasv_enable=NO will disable passive mode
and setting
pasv_enable=YES will enable passive mode
Client side: connect to the FTP server from the command line
~]#ftp 192.168.234.135
ftp>quote PASV
You will get a permission denied error when passive mode is disabled
~]#ftp 192.168.234.135
ftp>quote PASV
It will enter passive mode when it is enabled
Connect to the FTP server and then run the ls command: if you get a list of files and directories, passive mode is enabled; otherwise it gives a 550 permission denied error.
You can enable and disable passive mode in the client by typing passive
ftp> passive
Passive mode on.
ftp> ls
550 Permission denied.
Passive mode refused.
ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
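As an added example (not code from the original post), this Python script does the client-side check from the verification section programmatically and also tests the compromise from the summary: it sends PASV, parses the 227 reply, and reports whether the advertised data port falls inside the passive range the firewall opens. The host, credentials, pasv_min/pasv_max default values and the vsftpd pasv_min_port/pasv_max_port setting they stand for are assumptions.

```python
import re
from ftplib import FTP, error_perm

# A 227 reply encodes the data endpoint as six decimal octets: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Turn '227 Entering Passive Mode (a,b,c,d,p1,p2).' into (host, port)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_port_allowed(port, pasv_min, pasv_max):
    """True when the advertised data port lies inside the range the firewall opens."""
    return pasv_min <= port <= pasv_max


def check_passive(host, user="anonymous", password="", pasv_min=50000, pasv_max=50100):
    """Ask a live server for PASV and report whether it is usable behind the firewall.

    pasv_min/pasv_max are assumed values standing for the vsftpd
    pasv_min_port/pasv_max_port range the admin opened; a data port outside
    it will be blocked even though the server accepted PASV.
    """
    ftp = FTP()
    ftp.connect(host, 21, timeout=10)
    ftp.login(user, password)
    try:
        reply = ftp.sendcmd("PASV")  # same as 'quote PASV' in the ftp client
    except error_perm as exc:        # e.g. '550 Permission denied.' when pasv_enable=NO
        ftp.quit()
        return {"passive": False, "reply": str(exc)}
    data_host, data_port = parse_pasv_reply(reply)
    ftp.quit()
    return {
        "passive": True,
        "data_host": data_host,
        "data_port": data_port,
        # A reply pointing at a host other than the one we connected to (common
        # behind NAT or with a wrong pasv_address) will not work through the firewall.
        "same_host": data_host == host,
        "in_range": data_port_allowed(data_port, pasv_min, pasv_max),
    }
```

Run check_passive("192.168.234.135") against the server from the transcript above; "passive": False with a 550 reply corresponds to pasv_enable=NO, while "in_range": False means the server chose a port the iptables rules do not admit.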
Thanks for reading the post.