Plesk ProFTPD not working with FileZilla

ProFTPD (short for Pro FTP daemon) is an FTP server. It is free and open-source software, compatible with Unix-like systems and Microsoft Windows (via Cygwin). Along with vsftpd and Pure-FTPd, ProFTPD is among the most popular FTP servers in UNIX-like environments today. Plesk has been using it since the beginning.

So suddenly, you’ve got users complaining that they can’t access the server via FTP. You’re running ProFTPD (as Plesk kindly installed it for you) and can log in from the CLI FTP client (on Windows or Linux), but can’t get in using FileZilla, FireFTP or Internet Explorer. FileZilla is probably giving the error “Cannot Retrieve Directory Listing” but will have authenticated correctly just before that. FileZilla will also hang just after the MLSD or LIST commands.

I googled around and everything pointed to a firewall configuration problem. But the firewall is working normally without any error, so? The issue here is that Plesk hasn’t specified ports to use for Passive mode, so ProFTPD selects a random (non-privileged) port. In a world where we are letting clients connect to any damn port they want, this works well. In a world where we actually control access, this doesn’t work nearly as well!

So let’s tell ProFTPD which ports to use:
$ vi /etc/proftpd.conf

For example we’ll use port range 1354 – 1394.

Add the following line to /etc/proftpd.conf

PassivePorts 1354 1394

Exit and save.

Now we need to allow connections through the firewall (note: if you want to limit access to specific clients, add -s {client ip} to the command).

Add the following line to /etc/sysconfig/iptables

iptables -I INPUT -p tcp --dport 1354:1394 -j ACCEPT

Now try to connect with FileZilla again; it should work right away!

If not, don’t forget to save the iptables rules so they’ll be remembered on reboot:
$ /etc/rc.d/init.d/iptables restart

Note: The reason the CLI clients can connect is that they use BINARY and ACTIVE mode by default. You can switch the connection type to PASSIVE once you’ve connected and it won’t return an error until you try and run another command.
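A consistency check for the setup above, as an added example that is not part of the original post: it decodes the data port from a server's `227 Entering Passive Mode` reply and confirms it falls inside PassivePorts and that the firewall range covers that range. The function names and all sample inputs are constructed for illustration; the address 192.0.2.10 is a documentation address.

```shell
#!/bin/sh
# Added example: checks a PASV reply against PassivePorts and the firewall rule.
# All sample inputs below are constructed, not captured from a real server.
SAMPLE_CONF='ServerName "ProFTPD"
# PassivePorts 49152 65534
PassivePorts 1354 1394'
SAMPLE_RULE='iptables -I INPUT -p tcp --dport 1354:1394 -j ACCEPT'
SAMPLE_PASV='227 Entering Passive Mode (192,0,2,10,5,80).'

# Print "MIN MAX" from the last uncommented PassivePorts directive.
passive_range() {
    printf '%s\n' "$1" |
        awk '$1 == "PassivePorts" { r = $2 " " $3 } END { if (r == "") exit 1; print r }'
}

# Print "MIN MAX" from the --dport LOW:HIGH argument of an iptables rule.
rule_range() {
    printf '%s\n' "$1" |
        sed -n 's/.*--dport \([0-9][0-9]*\):\([0-9][0-9]*\).*/\1 \2/p'
}

# Decode the data port from a 227 reply: (h1,h2,h3,h4,p1,p2) -> p1*256 + p2.
pasv_port() {
    printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p' |
        awk -F, 'NF == 6 { print $5 * 256 + $6; ok = 1 } END { exit !ok }'
}

# Return 0 only if the advertised port is inside PassivePorts and the
# firewall range covers the whole PassivePorts range.
check_passive() {   # args: conf_text rule_text pasv_reply
    set -- "$(passive_range "$1")" "$(rule_range "$2")" "$(pasv_port "$3")"
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "unparseable input"; return 2
    fi
    pmin=${1% *}; pmax=${1#* }; fmin=${2% *}; fmax=${2#* }; port=$3
    if [ "$port" -lt "$pmin" ] || [ "$port" -gt "$pmax" ]; then
        echo "port $port outside PassivePorts $pmin-$pmax"; return 1
    fi
    if [ "$fmin" -gt "$pmin" ] || [ "$fmax" -lt "$pmax" ]; then
        echo "firewall $fmin-$fmax does not cover PassivePorts $pmin-$pmax"; return 1
    fi
    echo "ok: port $port in PassivePorts $pmin-$pmax, firewall $fmin-$fmax"
}

check_passive "$SAMPLE_CONF" "$SAMPLE_RULE" "$SAMPLE_PASV"
```

To use it on a real server, pass the contents of /etc/proftpd.conf, the firewall rule, and the 227 line shown in FileZilla's message log in place of the samples.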