Hi there, apart from the fact that the proftpd/mysql/Debian howto http://www.howtoforge.com/vsftpd_mysql_debian_etch is simply brilliant, we figured out a pretty serious security hole: this configuration enables system users to log in via FTP using an exclamation mark ("!") as password. On one of our dev servers, I was able to log in as ftp, proftpd, mysql, sshd ... with full access to the respective home dirs, which may be fatal if you've got your mysql on the same machine. This can be solved by adding AuthOrder mod_sql.c to proftpd.conf. greets, marcus
Whoops... pasted the wrong link there. That was supposed to link to the proftpd howto a few lines below... I can replicate this behaviour on two machines now, both run on etch, and I followed the howto nearly 1:1. I assume the plaintext login is the reason... One of these machines is productive and someone already tried to run phpshell on it, which didn't succeed because the FTP homedir is outside the webroot. Google 'nyck.php' gives some interesting hits...
Hi, here's my proftpd.conf (large comments left out)

Code:
------8<-------
Include /etc/proftpd/modules.conf
ServerName "Debian"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
UseIPv6 off
# (if i add this, everything's ok). without, the "!"-problem returns:
# AuthOrder mod_sql.c
DenyFilter \*.*/
Port 21
MaxInstances 30
# Set the user and group that the server normally runs at.
User ftpuser
Group ftpgroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
DefaultRoot ~
UseReverseDNS off
IdentLookups off
<Global>
RootLogin off
#RequireValidShell on
</Global>
# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users groups
# used to connect to the database
# databasename@host database_user user_password
SQLConnectInfo ftp@localhost proftpd xxxxxxx
# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo ftpuser userid passwd uid gid homedir shell
# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo ftpgroup groupname gid members
# set min UID and GID - otherwise these are 999 each
SQLMinID 500
# create a user's home directory on demand if it doesn't exist
SQLHomedirOnDemand on
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser
# Update modified every time user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
RootLogin off
RequireValidShell off
------>8-------

proftpd 1.3.0-19
proftpd-common 1.2.10-15sarge4
proftpd-mysql 1.3.0-19

bye, marcus
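As an added illustration (not part of marcus's post or of the howto), here is a small Python check for the settings this thread turns on: whether AuthOrder restricts authentication to mod_sql.c, whether SQLAuthTypes still allows Plaintext, and whether RequireValidShell is off. The config excerpt inside it is constructed from the posted proftpd.conf, and the finding texts are mine, not proftpd's.

```python
# Constructed excerpt modelled on the proftpd.conf posted above
# (hypothetical sample input for the check, not the whole file).
SAMPLE_CONF = """\
Include /etc/proftpd/modules.conf
# AuthOrder mod_sql.c
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users groups
<Global>
RootLogin off
#RequireValidShell on
</Global>
RequireValidShell off
"""


def parse_directives(text):
    """Map directive name -> argument list.

    Simplification (assumption): comments and <section> tags are skipped
    and the last occurrence of a directive wins, so <Global> and the
    top level are flattened together.
    """
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def audit(text):
    """Return a list of findings for the fallback weakness discussed in the thread."""
    d = parse_directives(text)
    findings = []
    auth_order = d.get("AuthOrder")
    if not auth_order:
        findings.append("AuthOrder missing: accounts not found in MySQL are "
                        "still offered to the remaining auth modules")
    elif auth_order != ["mod_sql.c"]:
        findings.append("AuthOrder does not limit authentication to mod_sql.c: "
                        + " ".join(auth_order))
    if "plaintext" in [t.lower() for t in d.get("SQLAuthTypes", [])]:
        findings.append("SQLAuthTypes allows Plaintext (the cause suspected in the thread)")
    if d.get("RequireValidShell", ["on"])[0].lower() == "off":
        findings.append("RequireValidShell off: accounts with nologin/false shells are not refused")
    return findings
```

Running audit() on the hardened variant (AuthOrder mod_sql.c, SQLAuthTypes Crypt, RequireValidShell on) returns an empty list.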