Update: Make FTP server slightly more secure

John shared a great idea in his comment to my “FTP: a trip down the memory lane” post: when using some FTP servers you can specify the range of passive ports, allowing you to tighten your router ACL (otherwise you’d have to allow inbound connections to all TCP ports above 1024).

If you’re using wu-ftpd, the port range is specified with the passive ports configuration directive in the ftpaccess configuration file. ProFTPD uses PassivePorts configuration directive and recommends using IANA-specified ephemeral port range. Pure-FTPd takes a more cryptic approach: the port range is specified in the –p command-line option.


  1. vsftpd has pasv_min_port and pasv_max_port to limit the range of the passive ports used.
  2. As I pointed out in the previous post - if you want security then you don't want FTP - switch to SSH and all will be well in the world.
  3. Can't agree more ... the problem is usually in client or server availability. For example, no SSH/SFTP from Microsoft (the push WebDAV), only FP extensions or FTP for Frontpage (until MS Expression Web 3).
Add comment