Vsftpd service listens for port modification and sets iptables 04/26 Update SLTechnology News&Howtos

Vsftpd service listens for port modification and sets iptables

2025-04-26 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/03 Report--

I. brief introduction

FTP supports two modes, one is called Standard (that is, PORT, active), and the other is Passive (that is, PASV, passive).

In active mode, the FTP client first establishes a connection with the TCP 21 port of the FTP server, and sends commands through this channel. When the client needs to receive data, the client sends PORT commands on this channel. The PORT command includes what port the client uses to receive data. When transmitting data, the server connects to the designated port of the client through its own TCP 20 port to send data.

Passive mode (Passive) mode is similar to Standard mode when establishing a control channel, but after establishing a connection, it sends not a Port command, but a Pasv command. After receiving the Pasv command, the FTP server randomly opens a high-end port (port number greater than 1024) and notifies the client of the request to send data on this port. The client connects to the FTP server this port. Then the FTP server will transmit the data through this port, and at this time FTP server no longer needs to establish a new connection with the client.

II. Configuration modification process

Since most ftp client software is in passive mode, only passive mode is introduced.

1. Set the configuration file opened in passive mode

# vim / etc/vsftpd/vsftpd.conf

Add or modify the following

Connect_from_port_10021=YES / / Port 10021 here, you can change it to your favorite pasv_min_port= / / set the minimum number of ports in passive mode, you don't have to be so large, but the value had better be larger (at least greater than 1024) pasv_max_port= / / set the maximum number of ports in passive mode

2. Then change the fire prevention strategy

# vim / etc/sysconfig/iptables

Add the following fire protection rules

-An INPUT-m state-- state NEW-m tcp-p tcp-- dport 10021-j ACCEPT

-An INPUT-m state-- state NEW-m tcp-p tcp-- dport 8888 tcp 8899-j ACCEPT

3. Finally, restart the service to make the fire prevention rules effective.

# service vsftpd restart#service iptables restart

Here, our vsftp officially modifies the port to 10021.

Specify port access through ftp://IP:10021, of course, if you find that selinux will still block ftp, then set it to temporarily shut down! (# setenforce 0)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.