Secure ProFTPD

Got it!

Works with FlashFXP AND CuteFTP now =)

It was just a small error in the code you pasted:

Server’s certificate

TLSRSACertificateFile /home/interworx/etc/ssl/iworx.key
TLSRSACertificateKeyFile /home/interworx/etc/ssl/iworx.key

Should have been:

Server’s certificate

TLSRSACertificateFile /home/interworx/etc/ssl/iworx.crt
TLSRSACertificateKeyFile /home/interworx/etc/ssl/iworx.key

Just the iworx.crt was the problem. My fault - I should have been reading what I was copy/pasting into the conf file!

Justec thanks for all the help =)

Ooops… I think I found the problem

Take a look back at the first page where I listed steps 1 through 4. I have updated this. I made an error and somehow pasted bad code in Step3.

At the very top, the TLSProtocol should be SSLv3, not SSLv23

TLSProtocol SSLv3

I'm almost positive this is the problem. I guess I should get more sleep :rolleyes:

[EDIT]
Just read you got it working. Glad to hear. Although it's working, you may want to use the newer version of the SSLv3 (which I guess wasn't the problem) anyway.

It’s good to know I wasn’t the only one that really wanted to have a secure FTP :smiley:

I’ve got one last question for you Justec, before I leave you alone, hopefully for a long time =)

Do you know where ProFTPD chooses its PASV ports? I had to add ports 411xx to 412xx to my APF firewall to allow the directories to list every time.

Did you have to reconfigure your firewall too? I don't like having so many open ports on my server unless I really have to =/

It’s random.
And it should be the same before you had the SSL setup.

Here is some info on Active vs. Passive:
http://slacksite.com/other/ftp.html

If you do passive it only uses port 21 and 20, but then clients behind firewalls would not be able to connect b/c the server tries to connect back from port 20 on the server to a random port on the client.

One thing it says is that it is >1024.

Int,

I have a question for you. I haven’t setup APF before, but I was going to and I decided to do it now.

What ports do you have open?

This is what I have right now:

Common ingress (inbound) TCP ports

IG_TCP_CPORTS="21,22,25,26,80,443,110,143,993,995,2080,2306,2443,3306,6000_7000"

Common ingress (inbound) UDP ports

IG_UDP_CPORTS="53,123"

Common ICMP (inbound) types

'internals/icmp.types' for type definition; 'all' is wildcard for any

IG_ICMP_TYPES="3,5,11,0,30,8"

Right now I have EGF disabled, but what ports do you have on that one?

[EDIT]
Maybe you should start an APF thread to help others with InterWorx setup APF

It's not all that random - the ports PASV uses always stay within a range of 100ish ports, I just don't know where those ports are set.

As for APF and Interworx, the ports I have open are:

Common ingress (inbound) TCP ports

IG_TCP_CPORTS="20,21,22,25,53,80,110,113,143,161,443,465,993,995,2080,2306,2443,3306,3333,6667,6668,6999,7000,7029,41150_42250"

NOTE: 41150_42250 is for PASV. I believe I had to add 6667-7000 for IRC, and 113 for IDENTD for IRC as well.

Common ingress (inbound) UDP ports

IG_UDP_CPORTS="20,21,53,1040"

Common ICMP (inbound) types

'internals/icmp.types' for type definition; 'all' is wildcard for any

IG_ICMP_TYPES="3,5,11,0,30,8"

I have EGF disabled as well.

There's not much to set up for APF - I got the instructions off a website a long time ago and followed them to the letter. I then went through and added a couple of ports for Interworx =) If you need me to help you with anything for APF though, I can definitely give it a try! Hope what I posted up there is enough. APF and Interworx have worked seamlessly with those settings for over 2 months now.

I think it’s “random” by nature. But it will stay in that “random” range.
But guess what I found :smiley:

A way to make it not so random…

PassivePorts 50000 55535

You add this line to your proftpd.conf.
I added mine here:

DefaultServer   on
DeferWelcome    on
PassivePorts    50000 55535

Then just add 50000_55535 to your conf.apf and you are all set.

Don’t forget to “service proftpd restart” and “apf -r”
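Both fixes in this thread (the TLSRSACertificateFile directive that was pointing at the key file, and the PassivePorts range that has to be opened in conf.apf) can be checked before restarting the daemon. The script below is an added example, not code from the thread or from ProFTPD/APF; the sample proftpd.conf, the IG_TCP_CPORTS line and the PEM stand-ins are constructed, and the /home/interworx/etc/ssl paths are the ones the thread uses.

```python
import re
from pathlib import Path

# Constructed sample inputs mirroring the thread's configs (not real server files).
PROFTPD_CONF = """\
DefaultServer   on
DeferWelcome    on
PassivePorts    50000 55535
TLSRequired off
TLSRSACertificateFile /home/interworx/etc/ssl/iworx.crt
TLSRSACertificateKeyFile /home/interworx/etc/ssl/iworx.key
"""
CONF_APF = 'IG_TCP_CPORTS="21,22,25,80,443,50000_55535"\n'
# Constructed PEM stand-ins keyed by path, so the check can run without touching disk.
PEM_FILES = {
    "/home/interworx/etc/ssl/iworx.crt": "-----BEGIN CERTIFICATE-----\n...\n",
    "/home/interworx/etc/ssl/iworx.key": "-----BEGIN RSA PRIVATE KEY-----\n...\n",
}

def directives(conf):
    """Map each non-comment 'Directive value' line of proftpd.conf to its value."""
    out = {}
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            out[parts[0]] = parts[1].strip()
    return out

def apf_tcp_ports(conf_apf):
    """Expand IG_TCP_CPORTS="21,22,41150_42250" into the set of ports it opens."""
    m = re.search(r'^IG_TCP_CPORTS="([^"]*)"', conf_apf, re.M)
    ports = set()
    for item in (m.group(1).split(",") if m else []):
        lo, _, hi = item.partition("_")          # "41150_42250" is an APF range
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def unopened_ftp_ports(conf, conf_apf):
    """PassivePorts range (plus control port 21) minus what APF's ingress list opens."""
    lo, hi = (int(x) for x in directives(conf)["PassivePorts"].split())
    return sorted({21, *range(lo, hi + 1)} - apf_tcp_ports(conf_apf))

def pem_role_problems(conf, files=None):
    """Name each TLS directive whose file is the wrong PEM type (e.g. .crt set to the key)."""
    d = directives(conf)
    if files is None:  # real use: read the files the directives point at
        files = {p: Path(p).read_text() for p in
                 (d["TLSRSACertificateFile"], d["TLSRSACertificateKeyFile"])}
    expected = {"TLSRSACertificateFile": "BEGIN CERTIFICATE-----",
                "TLSRSACertificateKeyFile": "PRIVATE KEY-----"}
    return [name for name, marker in expected.items() if marker not in files[d[name]]]
```

An empty list from both checks means the passive range is fully open in APF and each TLS directive points at the right kind of PEM file; on a real box call pem_role_problems with files=None so it reads the configured paths.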

I found a thread on another forum that explained the install. Pretty easy to follow and I think I have all the ports you listed here, I will have to double check though. Thanx for the help!

Nice Justec - the PASV port range thing really helped me out =) I much prefer a smaller range of open ports, and that allows me to do that.

As for the APF install, yea it’s really easy!

A couple of other security measures - I suggest you disable direct root login, install a rootkit checker, change the default SSH port from 22, and use SSH v2. Remember to add the new port to the conf.apf =) If you need any help doing any of these, let me know. I remember most of it, and I can dig up a website or two for you for the others.

Ack - I have another question =/

I get:

[R] 550 SSL/TLS required on the control channel
[R] Connection failed

on ALL sites on my server now whereas I don’t want SSL/TLS to be a necessity, just an option. Is that completely out of the question? If it is, I must have misunderstood something at the very start of this thread.

Hello

I've used APF for a while and you don't have to open the port for the PASV.

I do not use egress and my ingress is:

Common ingress (inbound) TCP ports

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,990,993,995,2080,2306,2443,3306,6277"

Common ingress (inbound) UDP ports

IG_UDP_CPORTS="20,21,53"

Common ICMP (inbound) types

'internals/icmp.types' for type definition; 'all' is wildcard for any

IG_ICMP_TYPES="3,5,11,0,30,8"

And it works fine with PASV

Pascal
PS: I also use bfd, ad and sim from r-fx-network. So good!!!

I don't see how that is possible? The only way I would see it working is if the connection is ACTIVE and not PASSIVE even though Passive is enabled on the server.

Also, Int, not sure if you figured out your other post I got to my email (I don't see it here anymore), but the secure ProFTPD isn't a requirement. You can still connect without SSL. Let me know if this is still an issue.

You have to open the port - for sure. I don’t see how PASV could work without it. My guess is that pascal’s APF isn’t really running right, or his PASV is set to a single port (or a couple) which he has forwarded but doesn’t realize.

As for SSL being an option - I erased that post minutes after writing it because I realized that there's an option in the conf which I copy/pasted as ON… which I changed:

Are clients required to use FTP over TLS when talking to this server?

TLSRequired off

In your post, it was set to ‘on’, so it made it required =) It’s sorted now, thanks for the reply/concern =)


EDIT: Last thing Justec, please make sure that you add PORT 22 to your APF. I had previously erased it from the default conf.apf file since i have changed the default SSH port on my server. Don’t forget to have that port included (or whatever your SSH port is) or you’ll be locked out of your server!

There are some default rules in APF, like the one for port 20 for example. I agree that normally you'd have to open these ports, but I promise you that I've tested with FileZilla using PASV mode and I do not have any problems, and as you may see my rules didn't open any specific ports for PASV mode. I didn't investigate any further, so maybe I'm wrong. Give it a try yourself.

Pascal

Pascal,

What is the difference between BFD and DOS for APF that comes with the standard APF install?

Going to interject here slightly.

– I had several problems with my APF (and associated apps) install. I'm sure there are many people using it successfully, but it was causing me great amounts of grief. I'm also the type of person who likes to know exactly what a script is doing. So, I took a day and learned IPTables and wrote my own firewall. Honestly, given the minds of Pascal, Justec and Int – you could do it yourself easily in a couple of hours of research, at which point, you'd know exactly what you've implemented.

– In this process, I did a bunch of research on the difference between PASV and Active, and the repercussions of either. Active is much more secure from the server side (obviously). I was happy to discover that most client routers/firewalls, etc these days are “FTP aware/savvy” and will on-the-fly do the hoop-jumping to negotiate an Active FTP connection. We tested the Active FTP connections to the server from several clients, each with different hardware (Westell, Linksys, D-Link, etc) and had NO issues connecting to an Active session. (Understandably, this would not have been the case several years ago).

In our case, we chose Active connections only, and put the burden of the connectivity back on the clients – and haven’t had one complaint. Nada.

Adjustments would have to be made of course for forcing the secure connections, but conceptually, it should be the same.

JB

Minor resurrection. When running this on CentOS 4.1 x86_64 using the following command:

rpmbuild --rebuild --with rhe4x --with mod_tls http://updates.interworx.info/iworx/SRPMS/proftpd-1.2.10-100.iworx.src.rpm

I get the following output at the end once everything’s compiled and setting up to install for the creation of the RPM:

/usr/bin/install -c -s -o root -g root -m 0755 proftpd /var/tmp/proftpd-1.2.10-root/usr/sbin/proftpd
if [ -f /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd ] ; then \
        rm -f /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd ; \
fi
ln -s proftpd /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd
chown -h root:root /var/tmp/proftpd-1.2.10-root/usr/sbin/in.proftpd
/usr/bin/install -c -s -o root -g root -m 0755  ftpcount /var/tmp/proftpd-1.2.10-root/usr/bin/ftpcount
/usr/bin/install -c -s -o root -g root -m 0755  ftpdctl  /var/tmp/proftpd-1.2.10-root/usr/bin/ftpdctl
/usr/bin/install -c -s -o root -g root -m 0755 ftpshut  /var/tmp/proftpd-1.2.10-root/usr/sbin/ftpshut
/usr/bin/install -c -s -o root -g root -m 0755  ftptop   /var/tmp/proftpd-1.2.10-root/usr/bin/ftptop
/usr/bin/install -c -s -o root -g root -m 0755  ftpwho   /var/tmp/proftpd-1.2.10-root/usr/bin/ftpwho
if [ ! -f /var/tmp/proftpd-1.2.10-root/usr/etc/proftpd.conf ] ; then \
        /usr/bin/install -c -o root -g root -m 0644 \
                   ./sample-configurations/basic.conf \
                   /var/tmp/proftpd-1.2.10-root/usr/etc/proftpd.conf ; \
fi
/usr/bin/install -c -o root -g root -m 0644 ./src/ftpdctl.8    /var/tmp/proftpd-1.2.10-root/usr/man/man8
/usr/bin/install -c -o root -g root -m 0644 ./src/proftpd.8    /var/tmp/proftpd-1.2.10-root/usr/man/man8
/usr/bin/install -c -o root -g root -m 0644 ./utils/ftpshut.8  /var/tmp/proftpd-1.2.10-root/usr/man/man8
/usr/bin/install -c -o root -g root -m 0644 ./utils/ftpcount.1 /var/tmp/proftpd-1.2.10-root/usr/man/man1
/usr/bin/install -c -o root -g root -m 0644 ./utils/ftptop.1   /var/tmp/proftpd-1.2.10-root/usr/man/man1
/usr/bin/install -c -o root -g root -m 0644 ./utils/ftpwho.1   /var/tmp/proftpd-1.2.10-root/usr/man/man1
/usr/bin/install -c -o root -g root -m 0644 ./src/xferlog.5    /var/tmp/proftpd-1.2.10-root/usr/man/man5
+ mkdir -p /var/tmp/proftpd-1.2.10-root/etc/pam.d
+ mkdir -p /var/tmp/proftpd-1.2.10-root/var/log/ftpd
+ install -m 644 contrib/dist/rpm/ftp.pamd /var/tmp/proftpd-1.2.10-root/etc/pam.d/ftp
+ mkdir -p /var/tmp/proftpd-1.2.10-root/etc/rc.d/init.d
+ sed -e '/FTPSHUT=/c\' -e FTPSHUT=/usr/sbin/ftpshut contrib/dist/rpm/proftpd.init.d
+ mv --force contrib/dist/rpm/proftpd.init.d.tmp contrib/dist/rpm/proftpd.init.d
+ install -m 755 contrib/dist/rpm/proftpd.init.d /var/tmp/proftpd-1.2.10-root/etc/rc.d/init.d/proftpd
+ mkdir -p /var/tmp/proftpd-1.2.10-root/etc/logrotate.d/
+ install -m 644 contrib/dist/rpm/proftpd.logrotate /var/tmp/proftpd-1.2.10-root/etc/logrotate.d/proftpd
+ rm -f contrib/README.mod_sql
+ mkdir -p /var/tmp/proftpd-1.2.10-root/usr/doc
+ rm -f '/var/tmp/proftpd-1.2.10-root/usr/doc/*'
+ cp -f /usr/src/redhat/SOURCES/proftpd.conf /var/tmp/proftpd-1.2.10-root/usr/etc
+ exit 0
Processing files: proftpd-1.2.10-100.rhe4x.iworx
error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/logrotate.d/proftpd
error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/rc.d/init.d/proftpd
error: File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/pam.d/ftp
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpcount.1*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftptop.1*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpwho.1*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man5/xferlog.5*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpshut.8*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/proftpd.8*
error: File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpdctl.8*


RPM build errors:
    File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/logrotate.d/proftpd
    File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/rc.d/init.d/proftpd
    File not found: /var/tmp/proftpd-1.2.10-root/usr/etc/pam.d/ftp
    File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpcount.1*
    File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftptop.1*
    File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man1/ftpwho.1*
    File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man5/xferlog.5*
    File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpshut.8*
    File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/proftpd.8*
    File not found by glob: /var/tmp/proftpd-1.2.10-root/usr/share/man/man8/ftpdctl.8*

Admittedly, this is not something I’ve done much before. I did notice that the directories are not lining up properly (those throwing errors have extra “share” directories involved). Not sure how to fix those, though.

Bueller?

Anyone? Anyone? Bueller?

Martin,

It’s a very odd error. It looks like the macros for RPM aren’t set “right”. I’d edit /usr/lib/rpm/macros and find the following section:


%_prefix                /usr
%_exec_prefix           %{_prefix}
%_bindir                %{_exec_prefix}/bin
%_sbindir               %{_exec_prefix}/sbin
%_libexecdir            %{_exec_prefix}/libexec
%_datadir               %{_prefix}/share
%_sysconfdir            %{_prefix}/etc
%_sharedstatedir        %{_prefix}/com
%_localstatedir         %{_prefix}/var
%_lib                   lib      
%_libdir                %{_exec_prefix}/%{_lib}
%_includedir            %{_prefix}/include
%_oldincludedir         /usr/include
%_infodir               %{_prefix}/info
%_mandir                %{_prefix}/man

and change it to:


%_prefix                /usr
%_exec_prefix           %{_prefix}
%_bindir                %{_exec_prefix}/bin
%_sbindir               %{_exec_prefix}/sbin
%_libexecdir            %{_exec_prefix}/libexec
%_datadir               %{_prefix}/share
%_sysconfdir            /etc
%_sharedstatedir        %{_prefix}/com
%_localstatedir         %{_prefix}/var
%_lib                   lib      
%_libdir                %{_exec_prefix}/%{_lib}
%_includedir            %{_prefix}/include
%_oldincludedir         /usr/include
%_infodir               %{_prefix}/info
%_mandir                %{_prefix}/share/man

That may do it, but make a backup of the macros file in case you need the original.

Chris

Worked, but didn’t…

It compiled, but then it prevented all new TCP connections from completing. Existing connections continued, but new ones would not SYN-ACK.

Backed it out (from the console) and that fixed it. Still, no SFTP for me yet.

Any word on whether this is going to come along as a supported RPM? I'd like to add this in, especially since at work we've implemented (using completely separate products) FTP over SSL, and it works wonderfully clearly over standard FTP ports.