How to Fix DirectAdmin FTP Connection Refused and Passive Mode Errors

Priya

Content Writer & Researcher

Last Updated: 9 June 2026

How to Fix DirectAdmin FTP Connection Refused and Passive Mode Errors

🖥️

FTP Still Not Working on Your DirectAdmin Server?

Passive mode misconfigurations and firewall port blocks are tricky to trace. CloudHouse's DirectAdmin specialists can audit your FTP daemon, passive ports, and CSF rules — and get FTP working across all your client accounts.

🔧 Book Free Diagnosis Call Now WhatsApp

🖥️12,400+PCs Fixed

⭐4.9★Google Rating

⚡<15 minAvg. Response

🛡️ISO 27001Certified

FTP connection errors on a DirectAdmin server are one of the most frustrating problems web hosting customers encounter. The connection appears to start, then stalls or refuses entirely — usually with errors like ECONNREFUSED, Could not retrieve directory listing, or Connection timed out after passive mode failed. This guide covers every root cause behind DirectAdmin FTP not working, from passive port misconfiguration and firewall blocks to NAT/IP address mismatches and ProFTPd vs Pure-FTPd differences.

1. Understand Active vs Passive FTP Mode

Before troubleshooting, you need to understand which FTP mode is failing. Active and passive mode have completely different connection flows, and your firewall needs different rules for each.

Active mode: The server connects back to the client's port. This almost always fails through NAT firewalls and is not recommended for modern use.
Passive mode (PASV): The client connects to a random high port on the server that the server opens. This requires a defined port range to be open in your firewall.

Most FTP clients (FileZilla, WinSCP, Cyberduck) default to passive mode. If you see PASV in the connection log before the error, you have a passive mode problem.

Check which FTP daemon DirectAdmin is running

ps aux | grep -E "pureftpd|proftpd" | grep -v grep

DirectAdmin installations typically use either Pure-FTPd or ProFTPd. The fix differs slightly between them.

💡 None of these worked? Skip the guesswork.

Get Expert Help →

2. Check the Passive Port Range Configuration

The most common cause of passive FTP failures on DirectAdmin is that the passive port range is not defined in the FTP daemon's configuration — or it is defined but not opened in the firewall.

For Pure-FTPd:

1Check the passive port range

grep -i "PassivePorts\|PassivePortRange" /etc/pure-ftpd.conf /etc/pure-ftpd/conf/PassivePorts 2>/dev/null

You should see a range like 35000 35999. If this file or setting is missing, passive connections will use random ports that your firewall will block.

2Set the passive port range

echo "35000 35999" > /etc/pure-ftpd/conf/PassivePorts
# or edit /etc/pure-ftpd.conf and add:
PassivePortRange 35000 35999

3Restart Pure-FTPd

systemctl restart pure-ftpd
# or:
service pure-ftpd restart

For ProFTPd:

1Check the passive port range

grep -i "PassivePorts" /etc/proftpd.conf /etc/proftpd/proftpd.conf 2>/dev/null

2Set the passive port range in the ProFTPd config

grep -q "PassivePorts" /etc/proftpd.conf || echo "PassivePorts 35000 35999" >> /etc/proftpd.conf

3Restart ProFTPd

systemctl restart proftpd

1Add the passive port range to CSF

Edit /etc/csf/csf.conf and find the TCP_IN setting. Add the passive port range:

grep "TCP_IN" /etc/csf/csf.conf | head -3

Add 35000:35999 to the TCP_IN list:

sed -i 's/^TCP_IN = "/TCP_IN = "35000:35999,/' /etc/csf/csf.conf

Or edit the file directly and append 35000:35999 to the comma-separated list.

2Reload CSF

csf -r

If using iptables directly:

iptables -I INPUT -p tcp --dport 35000:35999 -j ACCEPT
service iptables save
# or:
iptables-save > /etc/iptables/rules.v4

Verify the ports are now open:

iptables -L INPUT -n | grep "35000"

1Identify the public and private IPs

hostname -I        # internal IP(s)
curl -s ifconfig.me  # public/external IP

2Force Pure-FTPd to advertise the public IP in PASV responses

echo "YOUR_PUBLIC_IP" > /etc/pure-ftpd/conf/ForcePassiveIP

Replace YOUR_PUBLIC_IP with the actual public IP from the curl command above.

3For ProFTPd on NAT servers

Add this to /etc/proftpd.conf:

MasqueradeAddress YOUR_PUBLIC_IP
PassivePorts 35000 35999

4Restart the FTP daemon

systemctl restart pure-ftpd
# or:
systemctl restart proftpd

1Check FTP daemon status

systemctl status pure-ftpd
# or:
systemctl status proftpd

If stopped, start it:

systemctl start pure-ftpd && systemctl enable pure-ftpd

2Check port 21 is listening

ss -tlnp | grep ":21"

3Check port 21 is open in CSF/iptables

grep "^TCP_IN" /etc/csf/csf.conf | grep -o "21[^0-9]"
# or:
iptables -L INPUT -n | grep " 21 "

4Test the FTP connection manually from the server

ftp localhost 21

You should receive a 220 banner from the FTP daemon. Type quit to exit.

1Check the FTP account exists and has the correct home directory

2Reset the FTP account password

In DirectAdmin > FTP Management, click the FTP account and set a new password. Update this in your FTP client.

3Check via CLI that the FTP user exists in the passwd database

grep "your-ftp-username" /etc/passwd

4Verify the FTP root directory exists and has correct permissions

ls -la /home/username/domains/yourdomain.com/public_html/

The directory must exist and be readable by the FTP user. If it was deleted or has wrong ownership, FTP logins will succeed but directory listing will fail.

1Enable TLS in Pure-FTPd

echo "1" > /etc/pure-ftpd/conf/TLS
echo "2" > /etc/pure-ftpd/conf/TLSCipherSuite

2Generate a self-signed certificate for Pure-FTPd

openssl req -x509 -nodes -days 365 -newkey rsa:2048   -keyout /etc/ssl/private/pure-ftpd.pem   -out /etc/ssl/private/pure-ftpd.pem   -subj "/CN=ftp.yourdomain.com"
chmod 600 /etc/ssl/private/pure-ftpd.pem

3Restart Pure-FTPd and configure your client for explicit FTPS

systemctl restart pure-ftpd

In FileZilla, change the Protocol to FTP and Encryption to Require explicit FTP over TLS.

For persistent FTP connectivity issues across multiple DirectAdmin server accounts, CloudHouse's DirectAdmin managed support team can audit your FTP daemon configuration, firewall rules, and passive port setup — and fix it in a single session.

Get the Free Linux Server Admin Cheatsheet (PDF)

Essential commands for server management, networking, and troubleshooting — all on one printable page.

Running Linux servers? Let us manage them for you.

Our Managed Linux Server plans cover updates, security hardening, monitoring, and 24/7 incident response — so your servers stay up and your team stays focused.

Proactive OS patching and security updates
24×7 monitoring with instant alerting
Backup configuration and disaster recovery
Dedicated Linux engineers on call

See Pricing Plans →

What our customers say

“Our production server went down at 2 AM. CloudHouse had it back online in under 20 minutes. Incredible response time.”

Arun S.

CTO, SaaS Startup

“They migrated our entire infrastructure from Ubuntu 18 to 22 with zero downtime. Couldn't have asked for better.”

Deepak N.

DevOps Lead

Frequently Asked Questions

Passive mode requires the client to connect to a high-numbered port (typically 35000-35999) that the FTP server opens for the data connection. If this port range is not defined in Pure-FTPd or ProFTPd, or is blocked by CSF/iptables, passive connections will fail. Active mode works because the server initiates the connection back to the client — but active mode fails through most NAT firewalls on the client side.

Book your free 15-minute diagnosis

A certified technician will call you back within 15 minutes during business hours.

Share this article

Comments (0)

Loading comments...