Secure ProFTPD

  • #31
    Originally posted by Justec
    I don't see how that is possible. The only way I could see it working is if the connection is ACTIVE and not PASSIVE, even though Passive is enabled on the server.

    Also, Int, not sure if you figured out your other post that I got in my email (I don't see it here anymore), but the secure ProFTPD isn't a requirement. You can still connect without SSL. Let me know if this is still an issue for you.
    You have to open the port - for sure. I don't see how PASV could work without it. My guess is that pascal's APF isn't really running right, or his PASV is set to a single port (or a couple) which he has forwarded but doesn't realize.

    As for SSL being an option - i erased that post minutes after writing it because I realized that there's an option in the conf which I copy/pasted as ON... which I changed:

    Code:
    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off
    In your post, it was set to 'on', so it made it required =) It's sorted now, thanks for the reply/concern =)


    ---------

    EDIT: Last thing Justec, please make sure that you add PORT 22 to your APF. I had previously erased it from the default conf.apf file since i have changed the default SSH port on my server. Don't forget to have that port included (or whatever your SSH port is) or you'll be locked out of your server!



    • #32
      There are some default rules in APF, like the one for port 20 for example. I agree that normally you'd have to open these ports, but I promise you that I've tested with FileZilla using PASV mode and I do not have any problems, and as you may see my rules didn't open any specific ports for PASV mode. I didn't investigate any further, so maybe I'm wrong. Give it a try yourself.

      Pascal


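The disagreement above comes down to whether the server's passive data ports are actually reachable through the firewall. As an added example (not from any poster, and not APF configuration), this script reads the `PassivePorts` directive from a ProFTPD config and prints the matching iptables rules, so the opened range and the configured range can be compared directly; the sample config and port range are constructed.

```shell
#!/bin/sh
# Added example: derive firewall rules for ProFTPD passive mode from the
# PassivePorts directive. Without that directive ProFTPD may pick any
# ephemeral port, so a fixed range is what makes a narrow rule possible.
# PassivePorts is a real ProFTPD directive; the sample values are made up.

# Print the PassivePorts range as "low:high"; fail if absent or invalid.
pasv_range() {
    conf="$1"
    range=$(awk 'toupper($1) == "PASSIVEPORTS" { print $2 ":" $3; exit }' "$conf")
    [ -n "$range" ] || { echo "no PassivePorts directive: any ephemeral port may be used" >&2; return 1; }
    low=${range%%:*}; high=${range##*:}
    case "$low$high" in *[!0-9]*) echo "non-numeric PassivePorts" >&2; return 1;; esac
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] \
        || { echo "bad PassivePorts range $range" >&2; return 1; }
    echo "$range"
}

# Emit rules that open only the control port and the configured data range.
pasv_rules() {
    range=$(pasv_range "$1") || return 1
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $range -m state --state NEW -j ACCEPT"
}

# Constructed sample configuration for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerName "example"
# Pin the data-connection range so the firewall can allow just this span.
PassivePorts 60000 60100
EOF
pasv_rules "$sample"
rm -f "$sample"
```

If `pasv_range` reports no directive, passive transfers depend on whatever ephemeral port the server chose, which is the situation Int suspects in Pascal's setup.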

      • #33
        Originally posted by pascal
        ps I also use bfd, ad, sim, from r-fx-network . So good !!!
        Pascal,

        What is the difference between BFD and DOS for APF that comes with the standard APF install?
        [ JUSTIN ]
        [ OFF unit ]
        [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]



        • #34
          Going to interject here slightly.

          -- I had several problems with my APF (and associated apps) install. I'm *sure* there are many people using it successfully, but it was causing me great amounts of grief. I'm also the type of person who likes to know *exactly* what a script is doing. So, I took a day and learned IPTables and wrote my own firewall. Honestly, given the minds of Pascal, Justec and Int -- you could do it yourself easily in a couple of hours of research, at which point you'd know exactly what you've implemented.

          -- In this process, I did a bunch of research on the difference between PASV and Active, and the repercussions of either. Active is *much* more secure from the server side (obviously). I was happy to discover that most client routers/firewalls etc. these days are "FTP aware/savvy" and will do the hoop-jumping on the fly to negotiate an Active FTP connection. We tested the Active FTP connections to the server from several clients, each with different hardware (Westell, Linksys, D-Link, etc.) and had NO issues connecting to an Active session. (Understandably, this would not have been the case several years ago.)

          In our case, we chose Active connections only, and put the burden of the connectivity back on the clients -- and haven't had one complaint. Nada.

          Adjustments would have to be made of course for forcing the secure connections, but conceptually, it should be the same.

          JB



          • #35
            Originally posted by Justec
            I just tried something that works and you won't have to create your own key and certificate!

            Also, the compile command is a little different now. This is if you are on a Red Hat 9.0 box. If you are on another box then you change out the rht90 for your OS.
            Minor resurrection. When running this on CentOS 4.1 x86_64 using the following command:

            Code:
            rpmbuild --rebuild --with rhe4x --with mod_tls http://updates.interworx.info/iworx/SRPMS/proftpd-1.2.10-100.iworx.src.rpm
            I get the following output at the end once everything's compiled and setting up to install for the creation of the RPM:

            Code:
            /usr/bin/install -c -s -o root -g root -m 0755 proftpd /var/tmp/proftpd-1.2.10-root/usr/sbin/proftpd
            if [ -f /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd ] ; then \
                    rm -f /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd ; \
            fi
            ln -s proftpd /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd
            chown -h root:root /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd
            /usr/bin/install -c -s -o root -g root -m 0755  ftpcount /var/tmp/proftpd-1.2.10-root/usr/bin/ftpcount
            /usr/bin/install -c -s -o root -g root -m 0755  ftpdctl  /var/tmp/proftpd-1.2.10-root/usr/bin/ftpdctl
            /usr/bin/install -c -s -o root -g root -m 0755 ftpshut  /var/tmp/proftpd-1.2.10-root/usr/sbin/ftpshut
            /usr/bin/install -c -s -o root -g root -m 0755  ftptop   /var/tmp/proftpd-1.2.10-root/usr/bin/ftptop
            /usr/bin/install -c -s -o root -g root -m 0755  ftpwho   /var/tmp/proftpd-1.2.10-root/usr/bin/ftpwho
            if [ ! -f /var/tmp/proftpd-1.2.10-root/usr/etc/proftpd.conf ] ; then \
                    /usr/bin/install -c -o root -g root -m 0644 \
                               ./sample-configurations/basic.conf \
                               /var/tmp/proftpd-1.2.10-root/usr/etc/proftpd.conf ; \
            fi
            /usr/bin/install -c -o root -g root -m 0644 ./src/ftpdctl.8    /var/tmp/proftpd-1.2.10-root/usr/man/man8
            /usr/bin/install -c -o root -g root -m 0644 ./src/proftpd.8    /var/tmp/proftpd-1.2.10-root/usr/man/man8
            /usr/bin/install -c -o root -g root -m 0644 ./utils/ftpshut.8  /var/tmp/proftpd-1.2.10-root/usr/man/man8
            /usr/bin/install -c -o root -g root -m 0644 ./utils/ftpcount.1 /var/tmp/proftpd-1.2.10-root/usr/man/man1
            /usr/bin/install -c -o root -g root -m 0644 ./utils/ftptop.1   /var/tmp/proftpd-1.2.10-root/usr/man/man1
            /usr/bin/install -c -o root -g root -m 0644 ./utils/ftpwho.1   /var/tmp/proftpd-1.2.10-root/usr/man/man1
            /usr/bin/install -c -o root -g root -m 0644 ./src/xferlog.5    /var/tmp/proftpd-1.2.10-root/usr/man/man5
            + mkdir -p /var/tmp/proftpd-1.2.10-root/etc/pam.d
            + mkdir -p /var/tmp/proftpd-1.2.10-root/var/log/ftpd
            + install -m 644 contrib/dist/rpm/ftp.pamd /var/tmp/proftpd-1.2.10-root/etc/pam.d/ftp
            + mkdir -p /var/tmp/proftpd-1.2.10-root/etc/rc.d/init.d
            + sed -e '/FTPSHUT=/c\' -e FTPSHUT=/usr/sbin/ftpshut contrib/dist/rpm/proftpd.init.d
            + mv --force contrib/dist/rpm/proftpd.init.d.tmp contrib/dist/rpm/proftpd.init.d
            + install -m 755 contrib/dist/rpm/proftpd.init.d /var/tmp/proftpd-1.2.10-root/etc/rc.d/init.d/proftpd
            + mkdir -p /var/tmp/proftpd-1.2.10-root/etc/logrotate.d/
            + install -m 644 contrib/dist/rpm/proftpd.logrotate /var/tmp/proftpd-1.2.10-root/etc/logrotate.d/proftpd
            + rm -f contrib/README.mod_sql
            + mkdir -p /var/tmp/proftpd-1.2.10-root/usr/doc
            + rm -f '/var/tmp/proftpd-1.2.10-root/usr/doc/*'
            + cp -f /usr/src/redhat/SOURCES/proftpd.conf /var/tmp/proftpd-1.2.10-root/usr/etc
            + exit 0
            Processing files: proftpd-1.2.10-100.rhe4x.iworx
            error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/logrotate.d/proftpd
            error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/rc.d/init.d/proftpd
            error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/pam.d/ftp
            error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpcount.1*
            error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftptop.1*
            error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpwho.1*
            error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man5/xferlog.5*
            error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpshut.8*
            error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/proftpd.8*
            error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpdctl.8*
            
            
            RPM build errors:
                File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/logrotate.d/proftpd
                File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/rc.d/init.d/proftpd
                File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/pam.d/ftp
                File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpcount.1*
                File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftptop.1*
                File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpwho.1*
                File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man5/xferlog.5*
                File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpshut.8*
                File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/proftpd.8*
                File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpdctl.8*
            Admittedly, this is not something I've done much before. I did notice that the directories are not lining up properly (those throwing errors have extra "share" directories involved). Not sure how to fix those, though.



            • #36
              Bueller?

              Anyone? Anyone? Bueller?



              • #37
                Martin,

                It's a very odd error. It looks like the macros for RPM aren't set "right". I'd edit /usr/lib/rpm/macros and find the following section:

                Code:
                %_prefix                /usr
                %_exec_prefix           %{_prefix}
                %_bindir                %{_exec_prefix}/bin
                %_sbindir               %{_exec_prefix}/sbin
                %_libexecdir            %{_exec_prefix}/libexec
                %_datadir               %{_prefix}/share
                %_sysconfdir            %{_prefix}/etc
                %_sharedstatedir        %{_prefix}/com
                %_localstatedir         %{_prefix}/var
                %_lib                   lib      
                %_libdir                %{_exec_prefix}/%{_lib}
                %_includedir            %{_prefix}/include
                %_oldincludedir         /usr/include
                %_infodir               %{_prefix}/info
                %_mandir                %{_prefix}/man
                and change it to:

                Code:
                %_prefix                /usr
                %_exec_prefix           %{_prefix}
                %_bindir                %{_exec_prefix}/bin
                %_sbindir               %{_exec_prefix}/sbin
                %_libexecdir            %{_exec_prefix}/libexec
                %_datadir               %{_prefix}/share
                %_sysconfdir            /etc
                %_sharedstatedir        %{_prefix}/com
                %_localstatedir         %{_prefix}/var
                %_lib                   lib      
                %_libdir                %{_exec_prefix}/%{_lib}
                %_includedir            %{_prefix}/include
                %_oldincludedir         /usr/include
                %_infodir               %{_prefix}/info
                %_mandir                %{_prefix}/share/man
                That *may* do it, but make a backup of the macros file in case you need the original.

                Chris
                Chris Wells
                InterWorx L.L.C. | http://interworx.com
                InterWorx Control Panel



                • #38
                  Worked, but didn't...

                  It compiled, but then it prevented all new TCP connections from completing. Existing connections continued, but new ones would not SYN-ACK.

                  Backed it out (from the console) and that fixed it. Still, no SFTP for me yet.



                  • #39
                    Any word on whether this is going to come along as a supported RPM? I'd like to add this in, especially since at work we've implemented (using completely separate products) FTP over SSL, and it works wonderfully, clearly over standard FTP ports.



                    • #40
                      Well there are two different things, SFTP and FTP over SSL.

                      SFTP is available already; you just have to give shell access and use your Linux username / password (port 22).

                      FTP over SSL is what I think you are referring to right? I thought that was already included by default now.
                      [ JUSTIN ]
                      [ OFF unit ]
                      [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]



                      • #41
                        No mod_tls in there at all on my installation, and no updates listed available for proftp.

                        I'm generally uncomfortable providing any level of shell access to users. One does have it, but mostly because I promised him a secure channel for his work on the last server.



                        • #42
                          Originally posted by Martin Blank
                          No mod_tls in there at all on my installation, and no updates listed available for proftp.
                          For some reason I thought Iworx did this already, but I guess not.
                          Originally posted by Martin Blank
                          I'm generally uncomfortable providing any level of shell access to users. One does have it, but mostly because I promised him a secure channel for his work on the last server.
                          I agree completely, but I figured out a way that works on RH9 to allow only SFTP access without regular shell access. Just set the user's shell from /sbin/nologin to /usr/libexec/openssh/sftp-server for the user you want to give SFTP access to.
                          [ JUSTIN ]
                          [ OFF unit ]
                          [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]



                          • #43
                            Ah, got it. Tested and works.

                            For those who would like to simplify this, add:

                            /usr/libexec/openssh/sftp-server

                            to /etc/shells. Refresh the Shell Accounts page, and it will be available to users. Set the shell appropriately on a trusted account and test using SFTP (listed as FTP over SSH or SSH2 on some clients).

                            This makes me much happier. Thanks.

                            Maybe a wiki might be useful for handling documentation of little things like this?


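The sftp-server-as-login-shell trick from the last two posts is easy to apply and easy to lose track of. As an added example (not posted by anyone in the thread), this audit script lists which accounts are SFTP-only, which still have a full interactive shell, and whether the sftp-server binary is registered in /etc/shells as described above. File paths are passed in so it runs against constructed copies; the sample accounts and the UID >= 500 cutoff (the usual first human UID on RH9-era systems) are assumptions.

```shell
#!/bin/sh
# Added example: audit SFTP-only accounts created by pointing the login
# shell at the OpenSSH sftp-server binary. Sample data below is made up.

SFTP_SHELL=/usr/libexec/openssh/sftp-server

# Exit 0 if the SFTP shell is registered in the given shells file
# (the thread notes it must be in /etc/shells to be selectable).
sftp_shell_registered() {
    grep -qx "$SFTP_SHELL" "$1"
}

# Users with UID >= 500 (assumed human-account range) restricted to SFTP.
sftp_only_users() {
    awk -F: -v s="$SFTP_SHELL" '$3 >= 500 && $7 == s { print $1 }' "$1"
}

# Users with UID >= 500 who still have an interactive shell: anything that
# is neither the SFTP binary nor a nologin/false shell.
shell_users() {
    awk -F: -v s="$SFTP_SHELL" \
        '$3 >= 500 && $7 != s && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed passwd and shells files for a stand-alone run.
passwd=$(mktemp); shells=$(mktemp)
cat > "$passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:501:501::/home/alice:/usr/libexec/openssh/sftp-server
bob:x:502:502::/home/bob:/bin/bash
carol:x:503:503::/home/carol:/sbin/nologin
EOF
printf '/bin/sh\n/bin/bash\n/sbin/nologin\n' > "$shells"

sftp_shell_registered "$shells" || echo "WARN: $SFTP_SHELL missing from shells file"
echo "SFTP-only accounts: $(sftp_only_users "$passwd" | tr '\n' ' ')"
echo "full-shell accounts: $(shell_users "$passwd" | tr '\n' ' ')"
rm -f "$passwd" "$shells"
```

Run against the real /etc/passwd and /etc/shells, the full-shell list is the set of users who actually have the shell access Martin wants to avoid handing out.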

                            • #44
                              For some reason I thought Iworx did this already, but I guess not.
                              We did, but it may not be built for all systems. The SRPM has the updates I believe. Martin, if you'd like to open a ticket I can check out the problems you had after building.

                              Chris
                              Chris Wells
                              InterWorx L.L.C. | http://interworx.com
                              InterWorx Control Panel



                              • #45
                                Not at the moment. I need to get a remote access card in the server before I take that one on again -- the last time it happened, no TCP connections could be completed. I'm sure you can understand why I'm a little skittish. :)
