KNOWNHOST WIKI


The File eXchange Protocol


The File eXchange Protocol (FXP) lets an FTP client move files directly between two remote FTP servers. The client keeps a control connection to each server: it tells one server to listen for a data connection (PASV) and tells the other to connect to that address and port (PORT), so the data flows server to server and is never downloaded to and re-uploaded from the user's local machine. Files can be moved in either direction, and the transfer can be initiated from the client's connection to either server.

FXP is disabled by default in both Pure-FTPd and ProFTPD for security reasons. An FTP server normally refuses a PORT command that names any address other than the client's own, and refuses data connections to a passive port that come from any address other than the client's. FXP needs exactly those checks relaxed, but relaxing them lets an attacker point the server's data connection at arbitrary third-party hosts: probing ports on machines the server can reach (port scanning by proxy) and reaching ports that are filtered from the attacker but not from the server. These are known as FTP bounce attacks. Enabling FXP means accepting PORT commands with foreign addresses, so it reopens that attack surface for every user who can log in to the FTP server, not only for the account doing the transfer.

If you must use FXP to transfer files between servers, it has to be enabled in the FTP server configuration on both servers. First confirm the current setting:

  • PureFTP
  grep -i fxp /etc/pure-ftpd.conf
  • ProFTP
  grep -i AllowForeignAddress /etc/proftpd.conf 

If the directive is missing, or set to 'no' (Pure-FTPd AllowUserFXP) / Off (ProFTPD AllowForeignAddress), it needs to be set to 'yes' / On on both servers: one server must accept a PORT command pointing at the other, and the other must accept the resulting data connection from an address that is not the client's.


cPanel

Do not edit the main FTP configuration files directly: cPanel regenerates them from its templates on updates and your changes would be overwritten. Instead, put the setting in the "local" override file that cPanel merges into the generated configuration, then re-run the FTP server setup script so the change takes effect and is preserved.

  • Pure-FTPd servers
  echo "AllowUserFXP: 'yes'" >> /var/cpanel/conf/pureftpd/local
  /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force
  • ProFTPd servers
  echo "AllowForeignAddress On" >> /var/cpanel/conf/proftpd/local
  /usr/local/cpanel/scripts/setupftpserver proftpd --force


DirectAdmin

For DirectAdmin, edit the FTP configuration file directly and restart the FTP service.

  • PureFTP
    • Add "AllowUserFXP yes" (pure-ftpd.conf uses the plain "Keyword value" form; the "AllowUserFXP: 'yes'" spelling with a colon is the syntax of cPanel's local override file, not of pure-ftpd.conf). Change the existing "AllowUserFXP no" line if one is present rather than adding a second one.
  nano /etc/pure-ftpd.conf
  service pure-ftpd restart
  • ProFTP
    • You will add "AllowForeignAddress On" to the top-most block of settings.
  nano /etc/proftpd.conf
  service proftpd restart
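The check and the edit described in the steps above, as an added example in POSIX shell (not KnownHost's, cPanel's or the FTP daemons' own tooling). The fxp_state function reports whether a given config file enables FXP, accepting both the "Name value" form of pure-ftpd.conf/proftpd.conf and the "Name: value" form of cPanel's local override files; set_directive writes a directive idempotently, replacing an existing active line instead of appending a duplicate the way a second `echo >> file` would. File paths are passed as arguments, and the configs at the bottom are constructed samples, not files from a real server.

```shell
#!/bin/sh
# Added example, not KnownHost's, cPanel's or the FTP daemons' own tooling.
# fxp_state reports whether a config file enables FXP; set_directive writes a
# directive idempotently (replacing any existing active line rather than
# appending a duplicate the way a second `echo >> file` would).
# File paths are arguments so it can be run against copies or test files.

# fxp_state FILE -> prints "enabled" or "disabled".
# Looks at the last uncommented AllowUserFXP (Pure-FTPd) or
# AllowForeignAddress (ProFTPD) line; accepts the "Name value" form used in
# pure-ftpd.conf/proftpd.conf and the "Name: value" form of cPanel's local
# override files. Only yes/no and on/off are understood (ProFTPD's class-name
# form of AllowForeignAddress is reported as disabled).
fxp_state() {
    val=$(sed -e 's/#.*//' "$1" \
        | grep -iE '^[[:space:]]*(AllowUserFXP|AllowForeignAddress)[[:space:]:]' \
        | tail -n 1 \
        | sed -E 's/^[[:space:]]*[A-Za-z]+[[:space:]:]+//' \
        | tr -d " \t'\"" | tr '[:upper:]' '[:lower:]')
    case "$val" in
        yes|on) echo enabled ;;
        *)      echo disabled ;;
    esac
}

# set_directive FILE "Name value" -> remove every active line for Name, append
# the new line, keep a FILE.bak copy. The directive name is the first word of
# the line (a trailing colon, cPanel style, is ignored when matching).
set_directive() {
    file=$1; line=$2
    name=$(printf '%s\n' "$line" | awk '{print $1}' | tr -d ':')
    tmp=$(mktemp) || return 1
    grep -ivE "^[[:space:]]*${name}[[:space:]:]" "$file" > "$tmp" || :   # grep exits 1 if nothing is left
    printf '%s\n' "$line" >> "$tmp"
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"   # cat keeps the original owner/mode
    rm -f "$tmp"
}

# --- constructed demo on throwaway sample configs (not a real server) ---
demo=$(mktemp -d)
printf '# Pure-FTPd sample\nAllowUserFXP no\nPassivePortRange 30000 30100\n' > "$demo/pure-ftpd.conf"
printf '<Global>\n  AllowForeignAddress Off\n</Global>\n' > "$demo/proftpd.conf"
echo "before: pure-ftpd=$(fxp_state "$demo/pure-ftpd.conf") proftpd=$(fxp_state "$demo/proftpd.conf")"
set_directive "$demo/pure-ftpd.conf" "AllowUserFXP yes"
set_directive "$demo/proftpd.conf" "AllowForeignAddress On"
echo "after:  pure-ftpd=$(fxp_state "$demo/pure-ftpd.conf") proftpd=$(fxp_state "$demo/proftpd.conf")"
set_directive "$demo/pure-ftpd.conf" "AllowUserFXP yes"   # repeat run: still exactly one line
echo "AllowUserFXP lines after a repeat run: $(grep -ic '^AllowUserFXP' "$demo/pure-ftpd.conf")"
rm -r "$demo"
```

Run fxp_state against the file the daemon actually reads (/etc/pure-ftpd.conf or /etc/proftpd.conf on DirectAdmin; on cPanel, the generated file after setupftpserver has run), and set_directive against the file you are allowed to edit (the cPanel local override file, or the daemon's own config on DirectAdmin), then re-run setupftpserver or restart the service as described above. The .bak copy is what you restore from when disabling FXP again afterwards.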


Enabling the Passive Port Range

If you need to configure the passive port range for FTP, here are the instructions, to be run as root via SSH.


cPanel

  • Pure-FTPd servers
  echo "PassivePortRange: 30000 30100" >> /var/cpanel/conf/pureftpd/local
  /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force
  • ProFTPd servers
  echo "PassivePorts: 30000 30100" >> /var/cpanel/conf/proftpd/local
  /usr/local/cpanel/scripts/setupftpserver proftpd --force


DirectAdmin

For DirectAdmin, edit the FTP configuration file so that it contains "PassivePortRange 35000 35100" (Pure-FTPd) or "PassivePorts 35000 35100" (ProFTPD; the ProFTPD directive has a different name) and restart the FTP service. KnownHost sets this range by default.

  • PureFTP
  nano /etc/pure-ftpd.conf
  service pure-ftpd restart
  • ProFTP
  nano /etc/proftpd.conf
  service proftpd restart


CSF/LFD Firewall

You may also need to open the passive port range in the firewall. Attempt the transfer while tailing /var/log/messages on the target server: CSF logs the packets it drops there, so you can see which ports are being tried and determine the range that needs to be opened.

Client log lines like the following indicate that the firewall is blocking the data ports:

  [T] 425 Could not open data connection to port 50007: Connection timed out
  [i] Transfer Failed: .htaccess
  [T] 425 Could not open data connection to port 50008: Connection timed out
  [i] Transfer Failed: favicon.ico

Adjusting the ports on KnownHost's DirectAdmin and cPanel servers means editing the CSF/LFD configuration file /etc/csf/csf.conf on each server. The passive range must be in TCP_IN on the server that listens for the data connection (the PASV side) and in TCP_OUT on the server that connects to it (the PORT side); since either server may play either role, the simplest approach is to add the range to both settings on both servers, then run 'csf -ra' to restart csf and lfd.

KnownHost limits the open FTP passive ports to 30000 to 30100 on cPanel servers and to 35000 to 35100 on DirectAdmin servers running Pure-FTPd. cPanel's own default is much wider; its documentation (How to Enable FTP Passive Mode in cPanel) states:

In cPanel & WHM version 60 and later, the system enables passive ports 49152 through 65534 for Pure-FTPd servers and ProFTPd servers by default. If you use the CSF firewall plugin, the system also adds passive port ranges to your server's firewall by default.

So you may need to edit either the firewall or the FTP server configuration so that the passive range the FTP server advertises and the range open in the firewall match. Keep the range as narrow as you can: each concurrent passive data connection uses one port from the range, so size it to the number of simultaneous transfers you expect rather than opening the full 49152 to 65534 default, and keep that in mind when choosing which side to edit and how.

Both DirectAdmin and cPanel servers have a graphical interface for editing the CSF configuration file. In WHM, open the ConfigServer Security & Firewall section → "csf - ConfigServer Firewall" section → "Firewall Configuration" button.
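The mismatch described in this section, checked mechanically, as an added example in POSIX shell (not KnownHost's or CSF's own code). It assumes CSF's TCP_IN syntax of comma-separated single ports and low:high ranges, parses the "425 Could not open data connection to port N" lines shown above, and reports which passive ranges are fully open and which ports the client was sent to that the firewall does not open. The log lines and TCP_IN value at the bottom are constructed: the firewall opens only KnownHost's 30000:30100 while the FTP server is still handing out ports from cPanel's 49152 to 65534 default.

```shell
#!/bin/sh
# Added example, not KnownHost's or CSF's own code. Checks whether the passive
# port range an FTP server advertises is actually open in CSF's TCP_IN, and
# lists the data ports a client failed on that the firewall does not open.

# entry_bounds ENTRY -> sets lo and hi for one TCP_IN entry
# ("30000:30100" -> 30000 30100, "21" -> 21 21)
entry_bounds() {
    case "$1" in
        *:*) lo=${1%%:*}; hi=${1##*:} ;;
        *)   lo=$1; hi=$1 ;;
    esac
}

# csf_port_allowed PORT "TCP_IN list" -> exit 0 if some entry covers PORT.
# TCP_IN is comma separated, e.g. "20,21,22,30000:30100".
csf_port_allowed() {
    port=$1
    old_ifs=$IFS; IFS=','
    for entry in $2; do
        entry_bounds "$entry"
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# passive_range_covered "LOW HIGH" "TCP_IN list" -> exit 0 if a single TCP_IN
# entry spans the whole passive range. Partial coverage counts as not covered:
# the server may pick any port in its range, so every one of them must be open.
passive_range_covered() {
    set -- $1 "$2"              # split "LOW HIGH"; the TCP_IN list becomes $3
    low=$1; high=$2
    old_ifs=$IFS; IFS=','
    for entry in $3; do
        entry_bounds "$entry"
        if [ "$lo" -le "$low" ] && [ "$hi" -ge "$high" ]; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# blocked_ports_in_log FILE "TCP_IN list" -> prints, one per line and without
# duplicates, each port from "425 Could not open data connection to port N"
# lines that TCP_IN does not open.
blocked_ports_in_log() {
    sed -n 's/.*Could not open data connection to port \([0-9][0-9]*\).*/\1/p' "$1" \
    | sort -nu \
    | while IFS= read -r p; do
        csf_port_allowed "$p" "$2" || echo "$p"
    done
}

# --- constructed sample data (not from a real server) ---
demo=$(mktemp -d)
cat > "$demo/client.log" <<'EOF'
[T] 425 Could not open data connection to port 50007: Connection timed out
[i] Transfer Failed: .htaccess
[T] 425 Could not open data connection to port 50008: Connection timed out
[i] Transfer Failed: favicon.ico
EOF
# firewall opens KnownHost's cPanel range only, while the server still
# advertises ports from the 49152-65534 cPanel default
TCP_IN_SAMPLE="20,21,22,25,53,80,110,143,443,465,587,993,995,30000:30100"

for range in "30000 30100" "49152 65534"; do
    if passive_range_covered "$range" "$TCP_IN_SAMPLE"; then
        echo "passive range $range: open in TCP_IN"
    else
        echo "passive range $range: NOT fully open in TCP_IN"
    fi
done
echo "ports the client was sent to that TCP_IN does not open:"
blocked_ports_in_log "$demo/client.log" "$TCP_IN_SAMPLE"
rm -r "$demo"
```

On a real server, feed it the PassivePortRange/PassivePorts value from the FTP config and the TCP_IN line from /etc/csf/csf.conf (for example `grep '^TCP_IN' /etc/csf/csf.conf | cut -d'"' -f2`) together with the client's transfer log. Ports reported by blocked_ports_in_log that fall outside the configured passive range mean the FTP server is not reading the range you think it is, which is the symptom of editing the generated file instead of cPanel's local override.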

Once the transfer is complete, disable FXP again (set AllowUserFXP back to 'no' or AllowForeignAddress back to Off using the same files and commands as above, then reload the FTP server) so that the server no longer accepts foreign addresses and FTP bounce attacks are not possible.

control-panels/misc/how-to-enable-fxp-in-ftp.txt · Last modified: 2020/06/01 10:02 by Karson N.