How do I set the active or passive modes for IIS FTP?

Source: Internet
Author: User
Tags: default ftp port, ftp connection, microsoft iis


Configure passive mode in Win 2003


Passive-mode FTP is sometimes described as "server-managed", because the server chooses the port used for the data connection: when the client sends the PASV command, the server replies with one of its ephemeral ports, and the client then opens the data connection to that port.
By default, IIS FTP in passive mode picks the port it announces at random from the range 1024-65535. To narrow this very large range, the administrator can configure the PassivePortRange metabase property. This property exists only in IIS 6.0; for IIS 5.0 on Windows 2000, Service Pack 4 must be installed and the range is configured in the system registry.

The procedure for changing PassivePortRange in IIS is described in the following section.
For Windows Server 2003
A) Enable direct metabase editing
1. Open the IIS Manager console (MMC).
2. Right-click the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit check box is selected.
B) Configure PassivePortRange using the adsutil script
1. Click Start, Run, type cmd, and then click OK.
2. Type cd \Inetpub\AdminScripts and press Enter.
3. Type the following command at the command prompt:
cscript.exe c:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5515"
4. Restart the FTP service.
When the value is set through the adsutil script, you should see output like the following:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
PassivePortRange : (STRING) "5500-5515"
Note: If the built-in Windows Firewall is enabled, the ports above must also be added to its exceptions list; otherwise clients can log in but data transfers will fail.


What is active, what is passive, and why is passive preferred?



FTP has two modes of operation:
Active FTP (PORT FTP), which is the ordinary mode, and Passive FTP (PASV FTP).



Active FTP



Active FTP works like this: the client connects from an arbitrary unprivileged port N (N > 1024) to the server's command port, port 21. The client then starts listening on port N+1 and sends the FTP command PORT N+1 to the server. The server connects from its own data port (20) to the data port N+1 specified by the client.



To support active FTP, the firewall in front of the FTP server must allow the following traffic:

1. Any port to the FTP server's port 21 (client-initiated control connection, S <- C)
2. The FTP server's port 21 to ports greater than 1024 (the server's replies to the client's control port, S -> C)
3. The FTP server's port 20 to ports greater than 1024 (the server initiates the data connection from its data port to the client, S -> C)
4. Ports greater than 1024 to the FTP server's port 20 (the client sends ACKs to the server's data port, S <- C)
The main problem with active FTP is on the client side. The FTP client does not actually establish a connection to the server's data port; it simply tells the server which port it is listening on, and the server connects back to that port on the client. From the client firewall's point of view, this is a connection initiated by an external system to an internal client, which is usually blocked.



Firewall setting example
Build an FTP server behind the firewall using active FTP (PORT FTP) mode: default FTP port 21 and FTP data port 20.
Run the following two commands. Only ports 21 and 20 are accepted; every other inbound TCP connection is rejected.
iptables -A INPUT -p tcp -m multiport --dports 21,20 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset



FTP software settings



Take vsftpd as an example. Edit /etc/vsftpd.conf and add the following two lines:
listen_port=21
ftp_data_port=20



If the client is set incorrectly
With this setup the FTP client (for example CuteFTP) must not use passive mode for its connection; otherwise the data connection cannot be established. That is, the user can log in to the FTP server, but commands such as LS and GET will not work.



Passive FTP



To solve the problem of the server initiating a connection to the client, a different FTP connection method was developed: the so-called passive mode, or PASV, which is used only when the client tells the server that it wants passive mode.



In passive FTP, both the control connection and the data connection are initiated by the client, so the firewall can block inbound connections from the server to the client's data port. When an FTP session is opened, the client opens two arbitrary unprivileged local ports (N > 1024 and N+1). The first port connects to the server's port 21. Unlike active FTP, the client does not send a PORT command inviting the server to connect back to its data port; instead it sends the PASV command. As a result, the server opens an arbitrary unprivileged port (P > 1024) and tells the client the port number P. The client then initiates a connection from local port N+1 to port P on the server to transfer data.
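The two exchanges described above (the client's PORT command in active mode, and the server's PASV reply in passive mode) both carry an address and a port as six comma-separated byte values, with the port encoded as p1 * 256 + p2. The following Python is an added example, not code from the original page: it parses and builds both forms and checks whether a PASV-advertised port falls inside a configured range such as the IIS PassivePortRange set earlier. The sample addresses and the reply string are constructed for the example.

```python
import re
from typing import Tuple

# Constructed example values; the range below is the IIS PassivePortRange used in the text.
PASSIVE_PORT_RANGE = (5500, 5515)

# Six comma-separated byte values: h1,h2,h3,h4,p1,p2 (whitespace around commas tolerated).
_SIX_BYTES = r"\s*,\s*".join([r"(\d{1,3})"] * 6)
_PASV_RE = re.compile(r"227[^(]*\(\s*" + _SIX_BYTES + r"\s*\)")
_PORT_RE = re.compile(r"PORT\s+" + _SIX_BYTES + r"\s*$")


def _decode(groups) -> Tuple[str, int]:
    """Turn the six captured byte values into (host, port); port = p1 * 256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte value greater than 255 in FTP address")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Parse the server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    Returns the (host, port) the client must connect *to* for the data channel.
    """
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a valid PASV reply: {reply!r}")
    return _decode(m.groups())


def parse_port_command(command: str) -> Tuple[str, int]:
    """Parse the client's 'PORT h1,h2,h3,h4,p1,p2' command (active mode).

    Returns the (host, port) the server will connect *back to* from its port 20.
    """
    m = _PORT_RE.match(command.strip())
    if m is None:
        raise ValueError(f"not a valid PORT command: {command!r}")
    return _decode(m.groups())


def build_port_command(host: str, port: int) -> str:
    """Build the PORT command an active-mode client sends for the port it listens on."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def passive_port_allowed(port: int, port_range: Tuple[int, int] = PASSIVE_PORT_RANGE) -> bool:
    """True if a PASV-advertised port lies inside the configured (and firewalled) range.

    A server that advertises a port outside the range its firewall exception covers
    shows exactly the symptom described in the text: login works, LS and GET hang.
    """
    low, high = port_range
    return low <= port <= high


if __name__ == "__main__":
    # Constructed sample reply: 21 * 256 + 124 = 5500, the first port of the IIS range.
    host, port = parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,21,124).")
    print(f"PASV data channel -> {host}:{port}, in range: {passive_port_allowed(port)}")
    print(build_port_command("10.0.0.5", 1025))  # what an active-mode client would send
```

The check in passive_port_allowed is the one worth running against a real server before trusting a firewall exception: capture the 227 reply from a test login and confirm the decoded port sits inside the range the exception was written for.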



To support passive FTP, the server-side firewall must allow the following traffic:

1. Any port to the server's port 21 (client-initiated control connection, S <- C)
2. The server's port 21 to ports greater than 1024 (the server's replies to the client's control port, S -> C)
3. Any port to server ports greater than 1024 (inbound; the client initiates the data connection to the port the server specified, S <- C)
4. Server ports greater than 1024 to remote ports greater than 1024 (outbound; the server sends ACKs and data to the client's data port, S -> C)



Firewall setting example
Build an FTP server behind the firewall using passive FTP (PASV FTP) mode: FTP port 21 and FTP data ports 9981 to 9986.
Run the following two commands. Only port 21 and ports 9981-9990 are accepted; every other inbound TCP connection is rejected.
iptables -A INPUT -p tcp -m multiport --dports 21,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset



FTP software settings
Take vsftpd as an example. Edit /etc/vsftpd.conf and add the following four lines:
listen_port=21
pasv_enable=YES
pasv_min_port=9981
pasv_max_port=9986



If the client is set incorrectly
In this example the FTP client (for example CuteFTP) must use passive mode for its connection; otherwise the data connection cannot be established. That is, the user can log in to the FTP server, but commands such as LS and GET will not work.
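The passive-mode firewall rule and the vsftpd settings above describe the same port range from two sides, and they only work together when the range the service uses is exactly the range the firewall accepts. The following Python is an added example, not code from the original page or from the vsftpd project: it reads the passive settings from vsftpd.conf text, extracts the port set from an iptables multiport ACCEPT rule, and reports ports the service needs but the rule lacks (transfers hang) and ports the rule accepts but the service never uses (exposure that can be trimmed). The configuration text and rule below are constructed from the values in the text; the treatment of an unset or zero pasv_min_port/pasv_max_port as "not pinned" is an assumption of this example.

```python
import re
from typing import Dict, Set, Tuple

# Constructed inputs mirroring the values in the text (not read from a real host).
VSFTPD_CONF = """\
# passive-mode settings from the example
listen_port=21
pasv_enable=YES
pasv_min_port=9981
pasv_max_port=9986
"""

IPTABLES_RULE = ("iptables -A INPUT -p tcp -m multiport "
                 "--dports 21,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990 -j ACCEPT")


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines of a vsftpd.conf; '#' comments and blank lines are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def required_inbound_ports(conf: Dict[str, str]) -> Set[int]:
    """Ports the server-side firewall must accept inbound for this configuration.

    The control port is always inbound. In passive mode the client connects *to* the
    server for data, so pasv_min_port..pasv_max_port is inbound too; in active mode
    the server connects *out* from ftp_data_port, so nothing else is needed inbound.
    """
    ports = {int(conf.get("listen_port", "21"))}
    if conf.get("pasv_enable", "YES").upper() == "YES":
        lo = int(conf.get("pasv_min_port", "0"))
        hi = int(conf.get("pasv_max_port", "0"))
        if lo == 0 or hi == 0:
            # Assumption of this example: an unset/zero bound means "any ephemeral port",
            # which cannot be matched by a fixed firewall rule.
            raise ValueError("passive port range is not pinned; set pasv_min_port and pasv_max_port")
        if lo > hi:
            raise ValueError("pasv_min_port is greater than pasv_max_port")
        ports.update(range(lo, hi + 1))
    return ports


def parse_multiport_dports(rule: str) -> Set[int]:
    """Extract the destination port set from an iptables '-m multiport --dports' rule.

    Accepts both the enumerated form used in the text and the 'lo:hi' range form.
    """
    m = re.search(r"--dports?\s+(\S+)", rule)
    if m is None:
        raise ValueError("no --dports argument found in rule")
    ports: Set[int] = set()
    for item in m.group(1).split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def audit_passive_firewall(conf_text: str, rule: str) -> Tuple[Set[int], Set[int]]:
    """Return (missing, extra): ports vsftpd needs that the rule lacks, and vice versa."""
    needed = required_inbound_ports(parse_vsftpd_conf(conf_text))
    allowed = parse_multiport_dports(rule)
    return needed - allowed, allowed - needed


def minimal_rule(conf_text: str) -> str:
    """Render the tightest multiport ACCEPT rule for the configuration, using range syntax."""
    conf = parse_vsftpd_conf(conf_text)
    dports = [conf.get("listen_port", "21")]
    if conf.get("pasv_enable", "YES").upper() == "YES":
        dports.append(f"{conf['pasv_min_port']}:{conf['pasv_max_port']}")
    return f"iptables -A INPUT -p tcp -m multiport --dports {','.join(dports)} -j ACCEPT"


if __name__ == "__main__":
    missing, extra = audit_passive_firewall(VSFTPD_CONF, IPTABLES_RULE)
    print("needed but not accepted:", sorted(missing))
    print("accepted but never used:", sorted(extra))
    print("minimal rule:", minimal_rule(VSFTPD_CONF))
```

Run against the values in the text, the audit reports nothing missing (so LS and GET work) and four accepted ports, 9987-9990, that vsftpd never listens on; minimal_rule shows the same allowance written as a single 9981:9986 range, which is easier to keep in step with the configuration file.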

