Fix FTP Passive Mode Problems on Amazon EC2 Instances

Dev with Geoff - Development time with our CTO Geoff Wagstaff

For a while I was forced to connect to FTP (an installation of vsftpd) on our EC2 server using active mode, because passive mode refused to work. While this is OK for FTP clients that can be configured to use active mode, other utilities such as screen-capture tools (e.g. Jing) and the WordPress auto-upgrade could not work with active mode, causing all sorts of erroneous malarkey.

If you’re getting errors such as “227 Entering Passive Mode… Connection [Failed/Timed out]”, this may work for you.

I decided enough was enough and set about problem-solving: the developer’s favourite. It turns out, as usual, the problem relates to the ports the EC2 firewall opens for its instances, namely, none at all: a security group drops all inbound traffic unless a rule allows it. In passive mode the server answers the PASV command with an IP address and a port, and the client opens a second (data) connection to that port. By default vsftpd picks any free port above 1023 for this, so the data connection lands on a port that no security group rule allows and the client times out. So, what you will need to do is define a fixed port range for vsftpd to use for PASV connections and then allow these in your “Security Groups” firewall rules.

Note: this method should work on any server behind a firewall: add the config settings, then open the same ports in your software firewall or router.

1. Specify a port range in which VSFTP will run PASV connections
Add the following lines to your vsftpd.conf file:

pasv_enable=YES
pasv_max_port=12100
pasv_min_port=12000
port_enable=YES

You also need to tell vsftpd which IP address to advertise in response to a PASV command. Left unset, it advertises the address of the interface it is listening on, which on EC2 is the instance’s private address, so an external client would try to open the data connection to an address it cannot route to. Underneath the lines you’ve already pasted in vsftpd.conf, put:

pasv_address={your public IP address}

OR if you don’t have a fixed Elastic IP address, give a hostname (e.g. the instance’s public DNS name) and switch on resolution, because pasv_address must be a numeric address unless pasv_addr_resolve is enabled:

pasv_address={your public domain or DNS}
pasv_addr_resolve=YES

pasv_addr_resolve is a YES/NO switch, not a place to put the hostname. The hostname is resolved once, when vsftpd starts, so restart vsftpd whenever the instance’s public address changes.

2. Authorise required ports in a security group that applies to your instance

This can be done via the AWS Management Console (Amazon’s EC2 web control panel), or from your own console with the EC2 API tools:

ec2-authorize default -p 20-21
ec2-authorize default -p 12000-12100

Port 21 is the control connection. Port 20 is only used by active mode (the server connects out from port 20 to the client), so passive mode needs just port 21 plus the PASV range. Open that range only to the source addresses that actually need FTP rather than to the whole internet, since vsftpd will accept data connections on any port in it, and bear in mind that plain FTP carries credentials and data in the clear.

Now restart vsftpd by typing /etc/init.d/vsftpd restart in your server’s terminal so the new settings take effect.

If all goes well and it’s your lucky day, passive connections should now work properly.
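To see the two halves of this fix from the client’s side, here is a small checker. It is an added example written for this post, not code from the original article or from vsftpd. It pulls the PASV settings out of a vsftpd.conf, flags the mistakes behind the symptoms above (no fixed port range, a private or non-numeric pasv_address, the “bad bool value” error you get from putting a hostname in pasv_addr_resolve), decodes a 227 reply to show which address and port the server actually told the client to use, and prints the security group rule the chosen range needs. The config fragment and 227 replies are constructed; 203.0.113.10 and 198.51.100.0/24 are documentation addresses, and the sg-EXAMPLE group id and CIDR in security_group_rule are placeholders to replace with your own.

```python
"""Check a vsftpd passive-mode setup the way an external client sees it.
Added example for this post (not vsftpd's or the article's own code)."""
import ipaddress
import re

# Constructed vsftpd.conf fragment; 203.0.113.10 is a documentation address.
SAMPLE_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12100
pasv_address=203.0.113.10
"""

# Blocks an external client cannot reach if the server advertises them
# (an EC2 instance's internal address lives in one of these).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_conf(text):
    """Return vsftpd.conf key/value pairs, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def is_unroutable(ip):
    """True if ip is private/link-local; raises ValueError for a non-numeric address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def check_pasv_conf(conf):
    """List the passive-mode problems in conf; an empty list means the settings look usable."""
    problems = []
    if conf.get("pasv_enable", "YES").upper() != "YES":
        problems.append("pasv_enable is not YES, so clients cannot use passive mode")
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo == 0 or hi == 0:
        problems.append("pasv_min_port/pasv_max_port unset: data ports are random (>1023) and cannot be firewalled")
    elif not 1024 <= lo <= hi <= 65535:
        problems.append(f"invalid passive port range {lo}-{hi}")
    resolve = conf.get("pasv_addr_resolve", "NO").upper()
    if resolve not in ("YES", "NO"):
        problems.append(f"bad bool value for pasv_addr_resolve: {resolve!r} (it is a YES/NO switch)")
    addr = conf.get("pasv_address")
    if addr is None:
        problems.append("pasv_address unset: vsftpd advertises the instance's private address")
    elif resolve == "NO":
        try:
            if is_unroutable(addr):
                problems.append(f"pasv_address {addr} is private; external clients cannot reach it")
        except ValueError:
            problems.append(f"pasv_address {addr!r} is not numeric; set pasv_addr_resolve=YES to use a hostname")
    return problems


def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    match = PASV_RE.search(reply)
    if not match:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose(reply, connected_to, conf):
    """Say whether the data connection after this 227 reply can succeed from an external client."""
    ip, port = parse_pasv_reply(reply)
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if is_unroutable(ip) and not is_unroutable(connected_to):
        return f"server advertised private address {ip}: set pasv_address to the public address"
    if ip != connected_to:
        return f"server advertised {ip} but the client connected to {connected_to}: check pasv_address"
    if lo and not lo <= port <= hi:
        return f"advertised port {port} is outside the configured range {lo}-{hi}: restart vsftpd or fix the range"
    return f"ok: client must reach {ip}:{port}; allow TCP {lo}-{hi} inbound in the security group"


def security_group_rule(conf, group_id="sg-EXAMPLE", cidr="198.51.100.0/24"):
    """AWS CLI command opening the passive range; group_id and cidr are placeholders to replace."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} --protocol tcp "
            f"--port {conf['pasv_min_port']}-{conf['pasv_max_port']} --cidr {cidr}")


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("config problems:", check_pasv_conf(conf) or "none")
    # 46*256+224 = 12000, the first port of the configured range.
    print(diagnose("227 Entering Passive Mode (203,0,113,10,46,224).", "203.0.113.10", conf))
    print(diagnose("227 Entering Passive Mode (10,0,1,5,46,224).", "203.0.113.10", conf))
    print(security_group_rule(conf))
```

The diagnose function mirrors what an FTP client does after PASV: it only ever sees the address and port in the 227 reply, so a private address or a port outside the opened range is exactly the “Connection timed out” the post describes. The CIDR in the rule is deliberately narrow; widen it only as far as your users actually need.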


  • Tried exactly this myself and found this post after searching for reasons why it does not work.

    I get:
    ftp> passive
    Passive mode on.
    ftp> ls
    500 OOPS: child died
    Passive mode refused.

  • That worked for me. To get my address working, I did this before restarting vsftpd.
    It looks like when you do it this way, when you restart vsftpd, it picks the IP address at boot time and then uses that numeric address.

    pasv_address=www.mysite.com
    pasv_addr_resolve=YES

    You also might want to ftp to your localhost and see if that works; that will rule out the firewall issue, but not the address issue, because locally your address will be different than externally (which is why EC2 gives you 2 addresses).

  • Thanks this did save me some time.

  • Thanks, this worked for me on Debian EBS AMI

  • Amit J

    Thanks, this worked for me.

  • Sailesh

    Thanks for this write-up. This helped resolve issues we had with our EC2 ftp instance when users were refused connection when trying with Filezilla or cuteftp. After implementing the above it worked great. Thanks again.

  • Thanks, this was a lifesaver – couldn’t fathom how it was working and then stopped.

  • Chris

    Thanks – Just switched it over and instantly solved the problems.

  • Logeshwaran

    Really it helps thanks a lot

  • Tiago Alves

    Thanks a lot! This saved a lot of time!

  • xbakesx

    This helped a metric ton (if help can be measured that way). Thank you so much!

    A little side note, James Tripp indirectly mentioned it but vsftp’s config items: pasv_address and pasv_addr_resolve don’t work as you describe them in the post.

    If you do not have an elastic IP the format should be:

    pasv_address={your public domain or DNS}
    pasv_addr_resolve=YES

    Otherwise you’ll have a weird error like this (because pasv_addr_resolve is a boolean config item):

    bad bool value in config file for: pasv_addr_resolve

  • Thanks man, this helps a lot!

  • Astrill Arnold Chitwa

    You are a Life Life Life, Time Time Time Saver! Thanks!

  • Pranil Naik

    Thanks a lot lot lot. It really helped me

  • Muretz

    Doesn’t work.

  • Victor Fernandez

    I did exactly this but using my DNS name which is not public. My instance is also not public and is sitting in a private network within its VPC. When I try to login I login successfully but ‘ls’ just freezes… it just sits there like it’s working but there is no output. I’ve tried to CTRL-C and get out but I can’t as I’m stuck. I have to completely close the shell window to exit which is annoying. Any help would be greatly appreciated.

  • I do not use VSFTP but your article gave me a hint and I finally resolved the issue. Thanks a lot.

  • Paulo Trentin

    Awesome!!

  • dadlison

    Big man you are a life saver! This was exactly what I needed!

  • Tom

    Great, thanks for the help! There is a little mistake though. In newer versions of vsftpd, for resolving DNS the config needs to be like this:

    pasv_address={your public IP address OR public domain}
    pasv_addr_resolve=YES

    From man:
    pasv_address
    Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled, in which case you can provide a hostname which will be DNS resolved for you at startup.