Hello all, I want to do secure FTP on my proftpd on Debian 3.1. All I can find is a way to do TLS for the whole server. How can I do secure FTP for each FTP site? Can someone help? tia stefan
SFTP has nothing to do with ProFTPd. SFTP uses the SSH port 22 and should work by default. Simply use an SFTP client such as WinSCP ( http://winscp.net/eng/download.php ) and connect to your server.
Okay, if I understand the issue correctly, I only have to enable ssh for users. So I did that and tried to connect with "Kasablanca" and "FireFTP", but I get an error "500 AUTH not understood". And the other thing is that all these users get shell access, and that is not what I want. It would be better to use TLS. Is there a way in ispconfig? Can someone help? tia stefan
To test your sftp connection, try e.g. WinSCP. I guess you will just have to enable TLS in proftpd. Further configuration in ISPConfig is not necessary.
Hmm, I don't get it running. I followed the instructions here: http://www.debianhowto.de/doku.php/de:howtos:sargeroftpd_tls and tried: http://www.proftpd.de/HowTo-SFTP-TLS-verschluesse.55.0.html

I always get:

Code:
220 ProFTPD 1.2.10 Server (Debian) [x.x.x.x]
AUTH TLS
500 AUTH not understood
Server dont support encryption

Can someone help? tia stefan
This is what I've found:
http://forums.proftpd.org/phpBB2/viewtopic.php?p=4199&sid=d60c12cc764303fa1f2a0d4efedb6d8a
http://www.interworx.com/forums/archive/index.php/t-317.html
Hi, I played around with securing proftpd today. It works now on my Debian Sarge installation. Here is what I have done so far:

First create the needed certificates:

Code:
openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/proftpd.cert.pem \
  -keyout /etc/ssl/certs/proftpd.key.pem

Next edit /etc/proftpd.conf:

Code:
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv3
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
TLSVerifyClient off

Now you should be able to connect to your server from itself (for testing, install ftp-ssl and try out ftp -z secure localhost).

Next we have to edit /etc/proftpd_ispconfig. Add the following lines within the VirtualHost part:

Code:
TLSEngine on
TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem

/etc/proftpd_ispconfig should look like this:

Code:
###################################
#
# ISPConfig proftpd Configuration File
# Version 1.0
#
###################################
DefaultAddress 127.0.0.1

<VirtualHost your_ip>
DefaultRoot ~
AllowOverwrite on
Umask 002
TLSEngine on
TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
</VirtualHost>

Hope it works for you too.
Bernd
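An added check, not from the thread, that walks the same AUTH TLS exchange seen in the earlier log ("500 AUTH not understood" versus "234 AUTH TLS successful") against a server set up as above. The function and verdict names are my own; cafile is assumed to be the self-signed proftpd.cert.pem generated above, so that the handshake is actually verified rather than run with verification turned off.

```python
import socket
import ssl

def parse_reply(line):
    """Split an FTP reply such as '234 AUTH TLS successful' into (code, text)."""
    code, _, text = line.strip().partition(" ")
    if len(code) != 3 or not code.isdigit():
        raise ValueError("malformed FTP reply: %r" % line)
    return int(code), text

def read_reply(lines):
    """Return the final line of one FTP reply, skipping 'NNN-' continuation lines."""
    line = next(lines, "")
    if line[3:4] == "-":
        code = line[:3]
        while line and not line.startswith(code + " "):
            line = next(lines, "")
    if not line:
        raise ConnectionError("control connection closed mid-reply")
    return line

def classify_auth_reply(line):
    """Map the reply to AUTH TLS onto a verdict; 500 is the 'AUTH not understood' case."""
    code, _ = parse_reply(line)
    if code == 234:
        return "tls-accepted"
    if code in (500, 502, 504):  # not implemented: mod_tls missing or TLSEngine off
        return "tls-unsupported"
    if code in (431, 534):  # RFC 4217: resource unavailable / refused by policy
        return "tls-refused"
    return "unexpected-%d" % code

def probe_auth_tls(host, port=21, cafile=None, timeout=10.0):
    """Send AUTH TLS; if accepted, do a verified handshake (cafile = the server's self-signed cert)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1", newline="\r\n")
        lines = iter(rfile.readline, "")
        if parse_reply(read_reply(lines))[0] != 220:
            return "no-service"
        sock.sendall(b"AUTH TLS\r\n")
        verdict = classify_auth_reply(read_reply(lines))
        if verdict == "tls-accepted":
            try:
                tls = ctx.wrap_socket(sock, server_hostname=host)
            except ssl.SSLError as exc:  # e.g. SSLv3-only server, or certificate not in cafile
                return "handshake-failed: %s" % exc.reason
            tls.sendall(b"QUIT\r\n")  # the control channel is now encrypted
        return verdict
```

A server that still answers "500 AUTH not understood" after the edits above is not loading mod_tls at all, so the config is the place to look, not the client.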
Error. Please, where can the problem be? I am trying to make my ftp server on Mandriva 2007 Free secure. Ftp client log:

Code:
AUTH TLS
234 AUTH TLS successful
Network subsystem is unusable
Hi, I have no idea without further information. Maybe I can find something if you post your proftpd config.
In /var/log/proftpd:

Code:
FTP session opened.
USER xxx: Login successful.
Preparing to chroot to directory '/var/www/web1'
error setting IPV6_V6ONLY: Protocol not available
FTP session closed.

In /var/log/auth.log:

Code:
proftpd: pam_unix(proftpd:session): session opened for user xxx by (uid=0)
proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
proftpd: pam_unix(proftpd:session): session closed for user xxx

Can the problem be in the firewall? I have only ports 20 and 21 open for ftp. Non-secure connections work fine. The file /etc/security/pam_env.conf doesn't exist in my installation; maybe it is used by the tls module in proftpd. But I don't know what may be in this file :/.
I don't think your problem is with pam_env.conf, but with /etc/proftpd.conf (or wherever proftpd.conf is). But you may try creating this file. I found one on my Debian Etch box. There is no line in it which is not uncommented ... Have you tried turning IPv6 off with proftpd?
Proftpd is compiled with the directive --ipv6; I am using the package from the distribution mirror :/ It can be turned off, I'll try that. Maybe recompile, I'll try to fix it later. When I connect to proftpd normally, not using tls, this message isn't in the log. Only when I try secured:

Code:
pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Here it is:

Code:
#
# Includes DSO modules
Include /etc/proftpd.d/*.conf

# This is the directory where DSO modules resides
ModulePath /usr/lib/proftpd

# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded
ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *

ServerName "ProFTPD Server"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
UseIPv6 off

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir .message
ListOptions "-l"

DenyFilter \*.*/

# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart on

# Port 21 is the standard FTP port.
Port 21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
#PassivePorts 49152 65534

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group under which the server will run.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd off

# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#UseSendFile off

TransferLog /var/log/proftpd/proftpd.log
SystemLog /var/log/proftpd/proftpd.log

<IfModule mod_tls.c>
#TLS settings
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv3
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
TLSVerifyClient off
</IfModule>

<IfModule mod_quota.c>
QuotaEngine on
</IfModule>

<IfModule mod_ratio.c>
Ratios on
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>

## Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
#  DenyAll
#</Limit>

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

<Global>
IdentLookups off
CommandBufferSize 512
</Global>

Include /etc/proftpd_ispconfig.conf
Looks ok. You can try to create /etc/security/pam_env.conf as shown here: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_env.html (there's an example at the end).
Proftpd sux, one night and nothing done. As you said, I tried. The file exists there with some directives, but the same message is in the log.. Fine, I tried an online upgrade to 2007.1, new proftpd, new modules. mod_TLS works fine... but my connection does not allow making a passive connection with the host. IP NATed to an internal network. Locally it works fine.. If I don't use secured ftp in my connection I try to make something different; that is offtopic, but maybe this information helps someone. I tried to use mod_clamav with proftpd to scan uploaded files and delete them if infected. A normal installation using urpmi, which inserts one directive and module. But scanning did not occur; in the log file I have, when a user is connected, the message:

Code:
mod_clamav/0.4: warning: No local socket was specified.

but the directive in /etc/proftpd.d/mod_clamav.conf points to the right socket:

Code:
ClamLocalSocket /var/lib/clamav/clamd.socket

Does someone know how to fix this?