ProFTPD not working with FileZilla (Plesk)

So you've got a nicely configured server, slightly tarnished by the presence of Plesk but everything seems to be running well. Suddenly, you've got users complaining that they can't access the server via FTP.

You're running ProFTPD (as Plesk kindly installed it for you) and can log in from the CLI FTP client (on Windows or Linux), but can't get in using FileZilla, FireFTP or Internet Explorer. FileZilla is probably giving the error "Cannot Retrieve Directory Listing" but will have authenticated correctly just before that. For some, FileZilla will hang just after the MLSD or LIST commands.

This documentation details how to resolve a common issue.

Have you taken the sensible step of changing the default policy of your firewall to DROP? If so, then this may be the cause of your issues. We can, however, work around that without needing to lower security by changing the policy to ACCEPT.

First, let's test whether this is actually the cause by temporarily inserting a rule that accepts all inbound traffic:


iptables -I INPUT -j ACCEPT

Now try to connect using FileZilla. Get in? Good. Now let's remove that rule before some miscreant decides to try and have fun with the server. First, list the INPUT chain with line numbers:


iptables --list INPUT --line-numbers

The rule should be line 1, but it's always worth checking in case a rule has been added since we ran the command. If so, replace 1 with the relevant line number.


iptables -D INPUT 1

Try to connect again. Oh look, we broke it.

 

The Issue

The issue here is that Plesk hasn't specified ports to use for Passive mode, so ProFTPD selects a random (non-privileged) port. In a world where we are letting clients connect to any damn port they want, this works well. In a world where we actually control access, this doesn't work nearly as well!

So let's tell ProFTPD which ports to use:


nano /etc/proftpd.conf

We now need to select some ports to use. They need to be non-privileged (i.e. above 1024), and the wider the port range, the more simultaneous connections the server will accept (don't go mad here!).

For the sake of example we'll use port range 1354 - 1394.

Add the following line to /etc/proftpd.conf:


PassivePorts 1354 1394

Exit and save.

We now need to allow connections to those ports through the firewall. (Note: if you want to limit access to specific clients, add -s {client ip} to the command.)


iptables -I INPUT -p tcp --dport 1354:1394 -j ACCEPT

Now try to connect with FileZilla again. It should work!

 

If not, then this isn't the cause of your issue... sorry!

If so, don't forget to save the iptables rules so they'll be remembered on reboot:


/etc/init.d/iptables save

or


service iptables save

Note: The reason the CLI clients can connect is that they use BINARY and ACTIVE mode by default. You can switch the connection type to PASSIVE once you've connected and it won't return an error until you try and run another command.
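To confirm the end state of the steps above, the following added example (not part of the original post) compares the PassivePorts range in a ProFTPD config with rules in `iptables -S INPUT` format and flags the temporary accept-all test rule if it was left behind. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs: a ProFTPD config file and a rules file in
# `iptables -S INPUT` / iptables-save format ("-A INPUT ... -j ACCEPT").

# Print "MIN MAX" from the last PassivePorts directive; fail if none is set.
passive_range() {
    awk '$1 == "PassivePorts" && NF >= 3 { min = $2; max = $3 }
         END { if (min == "") exit 1; print min, max }' "$1"
}

# Succeed if a tcp ACCEPT rule on INPUT has a --dport range covering MIN..MAX.
# Simplification: rule order and -s restrictions are not evaluated.
range_allowed() {  # usage: range_allowed RULES_FILE MIN MAX
    awk -v min="$2" -v max="$3" '
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (lo <= min + 0 && hi >= max + 0) ok = 1
            }
        }
        END { exit !ok }' "$1"
}

# Succeed if the temporary accept-everything test rule is still in INPUT.
test_rule_left() {
    grep -qx -- '-A INPUT -j ACCEPT' "$1"
}

# Constructed sample data (not taken from a real server).
demo=$(mktemp -d)
printf 'ServerName "example"\nPassivePorts 1354 1394\n' > "$demo/proftpd.conf"
printf '%s\n' '-P INPUT DROP' '-A INPUT -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT' > "$demo/before.rules"
printf '%s\n' '-P INPUT DROP' '-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 1354:1394 -j ACCEPT' > "$demo/after.rules"

set -- $(passive_range "$demo/proftpd.conf")
for f in before after; do
    range_allowed "$demo/$f.rules" "$1" "$2" && s="covered" || s="not covered"
    test_rule_left "$demo/$f.rules" && t="still present" || t="removed"
    echo "$f: PassivePorts $1-$2 $s by an ACCEPT rule; accept-all test rule $t"
done
rm -rf "$demo"
```

On a live server, save the output of `iptables -S INPUT` to a file and pass it, together with /etc/proftpd.conf, to the same functions.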