
CSF PUREFTPD_DISABLED='y' leaves passive FTP ports in CSF and causes duplication

Discussion in 'Other Centmin Mod Installed software' started by iaTa, May 30, 2026 at 2:51 AM.

  1. iaTa

    iaTa Member

    • CentOS Version: AlmaLinux 9.8
    • Centmin Mod Version Installed: 140.00beta01.b348
    • Nginx Version Installed: 1.31.1
    • PHP Version Installed: 8.3.31
    • MariaDB MySQL Version Installed: 10.11.18
    • Updated Centmin Mod code base: Today
    • Persistent Config:
      Code (Text):
      PUREFTPD_DISABLED=y
      
    Hi George,

    I wanted to report a small bug regarding how CM interacts with the CSF firewall configuration when Pure-FTPd is completely disabled via the custom configuration file. I also noticed a few open ports that might be worth reviewing for security hardening.

    Pure-FTPd Disabled Port Duplication

    When setting PUREFTPD_DISABLED='y' in custom_config.inc, CM leaves the passive FTP ports (30001:50011) opened inside /etc/csf/csf.conf under TCP_IN and TCP6_IN.


    If I manually remove 30001:50011 from /etc/csf/csf.conf, subsequent CM updates or routine cronjobs appear to trigger an automated port-check routine. It appends a string of duplicate ports to the end of the line alongside the passive FTP ports again:
    Code (Text):
    TCP_IN = "25,53,853,80,110,143,443,465,587,993,995,222,1110,1186,1194,81,9418,1110,1186,1194,81,9418,1110,1186,1194,81,9418,30001:50011"
    
    TCP6_IN = "25,53,853,80,110,143,443,465,587,993,995,222,1110,1186,1194,81,9418,1110,1186,1194,81,9418,1110,1186,1194,81,9418,30001:50011"
    (Notice how ports like 1110,1186,1194,81,9418 loop repeatedly right before the passive FTP range is re-inserted).

    Expected Behaviour
    1. If PUREFTPD_DISABLED='y', CM's CSF setup routine should omit 30001:50011 from both TCP_IN and TCP6_IN completely.
    2. The port verification regex/script should check for exact matches or use a cleaner array structure to prevent appending duplicate strings when it detects missing ports.
    Separately, PORTFLOOD = "21;tcp;20;300" can also be changed to PORTFLOOD = "" when Pure-FTPd is disabled.

    Unnecessary Default Ports (UDP 20, 21, 80) & Security Hardening

    While reviewing the CSF configuration files, I also noticed that UDP_IN and UDP_OUT include ports 20, 21 and 80 (UDP_IN) by default. As I understand it, these open UDP ports are unnecessary for standard operations.

    Given the recent rise in severe exploits, can I suggest it might be a good time to do a general review of the default open ports in CM's CSF template to ensure only strictly required ports are left open by default?
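
The expected behaviour listed in the post above, sketched as an added example (not part of the original post and not Centmin Mod's own code): an idempotent rewrite of TCP_IN and TCP6_IN that compares whole port tokens and drops the passive FTP range when Pure-FTPd is disabled. The function names `dedupe_ports` and `fix_csf_conf` are hypothetical, and the script assumes the `KEY = "list"` line layout shown in the report.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod's own code.
PASSIVE_FTP_RANGE="30001:50011"   # passive FTP range named in the report

# dedupe_ports LIST [DROP]: print LIST with exact duplicates removed
# (first occurrence wins, order kept) and any entry equal to DROP omitted.
dedupe_ports() {
  local list="$1" drop="${2:-}" out="" entry
  local IFS=','
  for entry in $list; do
    [ -n "$entry" ] || continue
    [ "$entry" = "$drop" ] && continue
    # Compare whole comma-delimited tokens so 81 never matches inside 1181.
    case ",$out," in *",$entry,"*) continue ;; esac
    out="${out:+$out,}$entry"
  done
  printf '%s\n' "$out"
}

# fix_csf_conf FILE FTP_DISABLED: rewrite only TCP_IN / TCP6_IN in FILE.
# Running it twice gives the same file, so a cron job cannot grow the list.
fix_csf_conf() {
  local file="$1" ftp_disabled="$2" drop="" tmp line key val
  [ "$ftp_disabled" = "y" ] && drop="$PASSIVE_FTP_RANGE"
  tmp="$(mktemp)" || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      'TCP_IN = "'*'"'|'TCP6_IN = "'*'"')
        key="${line%% =*}"
        val="${line#*\"}"; val="${val%\"}"
        line="$key = \"$(dedupe_ports "$val" "$drop")\"" ;;
    esac
    printf '%s\n' "$line"
  done < "$file" > "$tmp"
  # cat instead of mv keeps the original file's owner and mode.
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on a scratch file holding the TCP_IN line from the report.
demo() {
  local f; f="$(mktemp)" || return 1
  printf '%s\n' 'TCP_IN = "25,53,853,80,110,143,443,465,587,993,995,222,1110,1186,1194,81,9418,1110,1186,1194,81,9418,1110,1186,1194,81,9418,30001:50011"' > "$f"
  fix_csf_conf "$f" y
  cat "$f"; rm -f "$f"
}
demo
```

Try it against a copy of /etc/csf/csf.conf first; CSF only applies edited port lists after a reload (`csf -r`).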
     
  2. eva2000

    eva2000 Administrator Staff Member

    Haven't tested this config option in ages so stuff slipped through. Testing fixes for this right now and will update Centmin Mod once testing is complete :)

     
  3. eva2000

    Believe I fixed it for fresh installs

     
  4. iaTa

    Yeah the update fixed my existing CSF config too, thank you!