How to use FXP with FTP?

File eXchange Protocol (FXP) allows users to establish a direct FTP connection between two remote servers. This lets a user transfer files directly between the two servers using FTP, without having to download the files to the local computer and upload them again. The direct connection allows file transfer in either direction between the two machines, and the transfer can be initiated through the client's connection to either server.

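FXP is disabled by default on FTP servers for security reasons: it makes possible what are known as FTP bounce attacks, which are based on the FTP PORT command. With PORT, the client tells the server which address and port to open the data connection to, and when FXP is allowed that address does not have to be the client's own.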

If you want to enable FXP to transfer files between servers, FXP must be enabled in the FTP configuration on the servers. You can use the following to confirm whether or not it is disabled:

  • PureFTP

grep -i fxp /etc/pure-ftpd.conf

  • ProFTP

grep -i AllowForeignAddress /etc/proftpd.conf

To enable FXP, change AllowUserFXP to "yes" (Pure-FTPd) or set AllowForeignAddress to "On" (ProFTPd).

 

cPanel

To enable FXP, do not edit the FTP server configuration file because it may be overwritten by cPanel updates. Instead, edit the cPanel templates if you want these changes to be saved.

• Pure-FTPd

echo "AllowUserFXP: 'yes'" >> /var/cpanel/conf/pureftpd/local
/usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

• ProFTPd

echo "AllowForeignAddress On" >> /var/cpanel/conf/proftpd/local
/usr/local/cpanel/scripts/setupftpserver proftpd --force

 

DirectAdmin

For DirectAdmin, edit the FTP configuration file and restart the FTP service.

• PureFTP
        Add "AllowUserFXP yes"

nano /etc/pure-ftpd.conf
service pure-ftpd restart

• ProFTP
        Add "AllowForeignAddress On"

nano /etc/proftpd.conf
service proftpd restart

 

 

Activating the Passive Port Range

If you need to configure the range of FTP passive ports, here are the instructions to run from the SSH console as root:

cPanel

• Pure-FTPd

echo "PassivePortRange: 30000 30100" >> /var/cpanel/conf/pureftpd/local
/usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

• ProFTPd

echo "PassivePorts: 30000 30100" >> /var/cpanel/conf/proftpd/local
/usr/local/cpanel/scripts/setupftpserver proftpd --force

DirectAdmin

For DirectAdmin, edit the FTP configuration file to include "PassivePortRange 35000 35100" (Pure-FTPd; the equivalent ProFTPd directive is PassivePorts) and restart the FTP service.

• PureFTP

nano /etc/pure-ftpd.conf
service pure-ftpd restart

• ProFTP

nano /etc/proftpd.conf
service proftpd restart

 

CSF / LFD Firewall

To allow passive FTP ports it may be necessary to adjust the open ports in the firewall. You can try the connection to the target server while monitoring system logs to see which ports are being tried.

Log entries like these indicate that the firewall is blocking the ports:

[T] 425 Could not open data connection to port 50007: Connection timed out
[i] Transfer Failed: .htaccess
[T] 425 Could not open data connection to port 50008: Connection timed out
[i] Transfer Failed: favicon.ico

Port adjustment on the DirectAdmin and cPanel servers involves editing the CSF / LFD configuration file. Passive ports must be open on each server (edit the file /etc/csf/csf.conf setting TCP_IN / TCP_OUT, then run 'csf -ra' to restart).

In cPanel & WHM version 60 and later, the system allows passive ports 49152 to 65534 for Pure-FTPd servers and ProFTPd servers by default. If you use the CSF firewall plugin, the system by default adds passive port ranges to your server firewall.

Therefore, you may need to change your firewall configuration or FTP configuration so that the ports used on both the FTP server and the firewall match. It is recommended that you continue to limit the accessible ports as much as possible.

Both DirectAdmin and cPanel managed servers have a graphical user interface that you can use to adjust the configuration file. You can also edit open ports in the ConfigServer Security & Firewall WHM section "CSF - ConfigServer Firewall" -> "Firewall Configuration" button.

It is recommended to disable FXP again once the transfer is complete, to prevent FTP bounce attacks.
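
A check for the steps above, as an added example that is not part of the original article: it reports whether a Pure-FTPd or ProFTPd configuration still has FXP enabled, and whether the passive range and any ports named in 425 timeouts are opened in CSF's TCP_IN. The function names and sample files are constructed for illustration; the 425 log lines are the ones shown earlier.

```shell
#!/bin/sh
# Added example, not from the article. All sample files below are constructed.

# fxp_state FILE -> "enabled" if an active (uncommented) line turns FXP on.
# Accepts "AllowUserFXP yes" and the cPanel template form "AllowUserFXP: 'yes'".
fxp_state() {
  if grep -v '^[[:space:]]*#' "$1" | tr -d "':\"" | tr '[:upper:]' '[:lower:]' |
     grep -Eq '^[[:space:]]*(allowuserfxp[[:space:]]+yes|allowforeignaddress[[:space:]]+on)[[:space:]]*$'
  then echo enabled; else echo disabled; fi
}

# passive_range FILE -> "LOW HIGH" from PassivePortRange or PassivePorts.
passive_range() {
  grep -v '^[[:space:]]*#' "$1" | tr -d "':\"" |
    awk 'tolower($1) ~ /^passiveport(range|s)$/ { print $2, $3; exit }'
}

# csf_covers CSF_CONF LOW HIGH -> succeeds if one TCP_IN entry spans LOW..HIGH.
# Narrowed on purpose: TCP_OUT is not checked, and a range split across
# adjacent entries is reported as not covered.
csf_covers() {
  sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
    tr ',' '\n' | awk -F: -v lo="$2" -v hi="$3" '
      { a = $1 + 0; b = (NF > 1 ? $2 : $1) + 0; if (a <= lo && hi <= b) ok = 1 }
      END { exit (ok ? 0 : 1) }'
}

# timed_out_ports LOG -> ports named in "425 Could not open data connection" lines.
timed_out_ports() {
  sed -n 's/.*425 Could not open data connection to port \([0-9][0-9]*\).*/\1/p' "$1"
}

# audit FTP_CONF CSF_CONF CLIENT_LOG -> one finding per line.
audit() {
  range=$(passive_range "$1"); lo=${range% *}; hi=${range#* }
  echo "fxp=$(fxp_state "$1")"
  if csf_covers "$2" "$lo" "$hi"; then echo "passive $lo-$hi open"
  else echo "passive $lo-$hi blocked"; fi
  for p in $(timed_out_ports "$3"); do
    csf_covers "$2" "$p" "$p" || echo "port $p not in TCP_IN"
  done
}

d=$(mktemp -d)
printf '%s\n' "AllowUserFXP: 'yes'" 'PassivePortRange: 30000 30100' > "$d/local"
printf '%s\n' 'TCP_IN = "20,21,22,30000:30100"' > "$d/csf.conf"
printf '%s\n' '[T] 425 Could not open data connection to port 50007: Connection timed out' \
  '[i] Transfer Failed: .htaccess' > "$d/client.log"
audit "$d/local" "$d/csf.conf" "$d/client.log"
```

Pointed at the real configuration files after a transfer, a result of fxp=enabled means FXP was left switched on.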
