HowtoForge Forums > Linux Forums > Server Operation

#1  4th August 2006, 10:25
Ovidiu (Senior Member)

getting proftpd to work with TLS

Hi there,

I found several tutorials and the result is this:

my proftpd.conf

Quote:
ServerName "Debian"
ServerType standalone
DeferWelcome off
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/
# Uncomment this if you would use TLS module:
TLSProtocol SSLv23
<GLOBAL>
TLSEngine on
TLSLog /var/log/proftpd_tls.log
#TLSProtocol TLSv1
TLSOptions NoCertRequest
TLSRequired off
TLSVerifyClient off
TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
</GLOBAL>
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
Umask 022 022
AllowOverwrite on
Include /etc/proftpd_ispconfig.conf
The remaining problem is that I get an error when trying to list the directories, meaning I can connect and see the basic structure but cannot double-click on any subfolders.

I googled around, but all the posts I found on the net were talking about some firewall or NAT settings I am not concerned with, as they do not apply to my configuration. Without any encryption, i.e. just plain FTP, everything is OK.

Any ideas? Does anyone use proftpd with TLS? Do the users have to have shell access to be able to do that?

###edit###
I made certificates, don't bother asking about that :-)
Btw. I will post the exact error (it started with error code 425..) on Monday; I will go to a Fatboy Slim concert tonight and be on the way during the weekend. Just posting in case anyone uses this configuration and can tell me how they did it.

Last edited by Ovidiu; 4th August 2006 at 10:42.
#2  5th August 2006, 16:39
falko (Super Moderator)

Quote:
Originally Posted by Tenaka
do the users have to have shell access to be able to do that?
I'm not quite sure, but I'd try this to see if it changes things...
What's in /var/log/proftpd_tls.log?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#3  6th August 2006, 19:15
Ovidiu (Senior Member)

Users with and without a shell: same result. The exact error is this:

Quote:
500 Illegal PORT command

425 Unable to build data connection: Connection refused
But I have another suspicion: I am trying to connect from home, being on an internal LAN connected to the outside through a router... does that change anything? It should not, as far as I understand, as I am not using passive FTP, and using FTP without any encryption, just plain FTP, works.

###edit###

It seems the error lies with me being behind a router at home:

Quote:
Response: 230 User web6_postmaster logged in.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: 211-MDTM
Response: 211-REST STREAM
Response: 211-SIZE
Response: 211-AUTH TLS
Response: 211-PBSZ
Response: 211-PROT
Response: 211 End
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A
Command: PORT 192,168,1,136,5,139
Response: 500 Illegal PORT command
Error: Could not retrieve directory listing
Command: REST 0
Response: 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
Command: TYPE I
Response: 200 Type set to I

Last edited by Ovidiu; 6th August 2006 at 19:44.
#4  7th August 2006, 13:31
falko (Super Moderator)

Quote:
Originally Posted by Tenaka
it seems the error lies with me being behind a router at home:
Then it seems to be an issue with your router's firewall...
#5  7th August 2006, 19:42
Ovidiu (Senior Member)

Can anyone not behind a router, or able to log in to other FTP servers with TLS, spare 5 min and test if he can log in with FTP (TLS) to my server? I'll make a small test account and give out the data, so if you can spare 5 min, send me a PM please.

#6  11th August 2006, 22:25
jimmy (Junior Member)

Maybe I can help here. I used the ProFTPD with MySQL howto from this site and added in TLS support after the fact. Adding in the TLS was the touchiest (and toughest) part for me and took a lot of experimentation to finally get it right; the idea was to run proftpd over TLS without having to change the default port and forcing us to make our customers switch to new FTP clients. This works perfectly with the FileZilla client (latest version) and CoreFTP, which both include built-in FTPS support. I'll post the pertinent information from my setup and try to include some tips on the snags I encountered along the way.
Code:
# Uncomment this if you would use TLS module:
TLSEngine 			on
TLSProtocol 			SSLv23
TLSLog 				/var/log/proftpd/tls.log
PassivePorts 			60000 65535
# Clients are required to use FTP over TLS when talking to this server
# off = clients can connect using insecure FTP or secure FTP/SSL
# on  = clients can only connect using secure FTP/SSL
# ctrl = ssl encryption on control channel only(encrypted uname and passwords)
# data = data channel only encryption(file transfer data encrypted)
TLSRequired 			on
# Server's certificate
TLSRSACertificateFile 		/path/to/your/ssl.crt
TLSRSACertificateKeyFile 	/path/to/your/ssl.key
# CA the server trusts
TLSCACertificateFile 		/path/to/your/ca.crt
Make note of the PassivePorts directive; this makes proftpd use that port range for passive mode FTP connections, which is one of the keys to making this work. Make sure you allow that port range through your firewall. This works perfectly with the latest version of CoreFTP and the FileZilla client.
I found the following excerpt, quoted below, to be most helpful concerning FTP behaviour over TLS when coupled with firewalls; it can be found here: http://www.castaglia.org/proftpd/doc...HOWTO-TLS.html

Quote:
Question: Using mod_tls, FTP sessions through my firewall now no longer work. What's going on?
Answer: The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know on which ports/addresses the data connection will be established. In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using the PassivePorts directive), FTPS should function without issue.
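The transcript in reply #3 and the PassivePorts advice in reply #6 describe the same failure from two sides: once AUTH TLS has succeeded, the PORT command travels encrypted, so a NAT router can no longer rewrite the private 192.168.x.x address inside it, and the server sees an address that does not match the control connection's peer. The following Python script is an added example written for this thread; it is not ProFTPD code and not code from any of the posters. It decodes the PORT arguments from a FileZilla-style "Command:/Response:" transcript (a constructed copy modelled on the one posted above) and checks a constructed proftpd.conf fragment for the PassivePorts, TLSRequired and TLSProtocol directives that the quoted HOWTO and reply #6 call out. The transcript format, the sample values and the wording of the diagnosis are assumptions of this example.

```python
"""Diagnose an active-mode FTPS failure behind NAT and lint the server's
passive-mode settings. Added example for this thread, not ProFTPD's code."""
import ipaddress
import re

# Constructed transcript, modelled on the FileZilla log posted in reply #3.
SAMPLE_TRANSCRIPT = """\
Command: AUTH TLS
Response: 234 AUTH TLS successful
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A
Command: PORT 192,168,1,136,5,139
Response: 500 Illegal PORT command
Error: Could not retrieve directory listing
"""

# Constructed proftpd.conf fragment, modelled on the one posted in reply #6.
SAMPLE_CONF = """\
TLSEngine       on
TLSProtocol     SSLv23
PassivePorts    60000 65535
TLSRequired     on
"""

PORT_ARGS_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_args(args):
    """Decode RFC 959 PORT arguments h1,h2,h3,h4,p1,p2 into (ip, port)."""
    m = PORT_ARGS_RE.match(args.strip())
    if not m or any(int(x) > 255 for x in m.groups()):
        raise ValueError(f"malformed PORT arguments: {args!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyze_session(transcript):
    """Walk Command:/Response: lines and explain a rejected PORT command."""
    f = {"tls_control": False, "data_protected": False, "port": None,
         "port_private": False, "illegal_port": False, "diagnosis": ""}
    pending = None  # last command the client sent
    for line in transcript.splitlines():
        kind, _, text = line.partition(": ")
        if kind == "Command":
            pending = text.strip()
            if pending.upper().startswith("PORT "):
                ip, port = parse_port_args(pending[5:])
                f["port"] = (ip, port)
                f["port_private"] = ipaddress.ip_address(ip).is_private
        elif kind == "Response" and pending:
            code = text[:3]
            if pending.upper() == "AUTH TLS" and code == "234":
                f["tls_control"] = True  # control channel is encrypted from here on
            elif pending.upper() == "PROT P" and code == "200":
                f["data_protected"] = True
            elif pending.upper().startswith("PORT ") and code == "500":
                f["illegal_port"] = True
    if f["illegal_port"] and f["port_private"] and f["tls_control"]:
        ip, port = f["port"]
        f["diagnosis"] = (
            f"client advertised private address {ip}:{port} in PORT over an "
            "encrypted control channel; a NAT router cannot rewrite it and the "
            "server rejects an address that differs from the control connection. "
            "Use passive mode and allow the server's PassivePorts range.")
    elif f["illegal_port"]:
        f["diagnosis"] = "server rejected the PORT address; compare it with the client's public address."
    return f


def check_passive_config(conf_text):
    """Check a proftpd.conf fragment for the directives the HOWTO calls out."""
    result = {"passive_ports": None, "tls_required": None, "warnings": []}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tolerate tabs
        if not parts:
            continue
        key = parts[0].lower()
        if key == "passiveports" and len(parts) == 3:
            result["passive_ports"] = (int(parts[1]), int(parts[2]))
        elif key == "tlsrequired" and len(parts) == 2:
            result["tls_required"] = parts[1].lower() == "on"
        elif key == "tlsprotocol" and any(p.lower() == "sslv23" for p in parts[1:]):
            result["warnings"].append(
                "TLSProtocol SSLv23 negotiates any version the OpenSSL build offers; "
                "prefer an explicit TLSv1.2 or newer on current releases")
    if result["passive_ports"] is None:
        result["warnings"].append(
            "no PassivePorts range: a firewall cannot learn data ports from an "
            "encrypted control channel, so allow a fixed range instead")
    return result


if __name__ == "__main__":
    print(analyze_session(SAMPLE_TRANSCRIPT)["diagnosis"])
    print(check_passive_config(SAMPLE_CONF))
```

Run it against a real FileZilla log by pasting the Command:/Response: lines into SAMPLE_TRANSCRIPT; the PORT decoding (192,168,1,136,5,139 is 192.168.1.136 port 5*256+139 = 1419) is what a NAT router would have to rewrite, and it can only do so when the control channel is in the clear, which is exactly what TLS removes.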
#7  12th August 2006, 00:27
Ovidiu (Senior Member)

Well, thx, that advice sounded good, but as a first try I tried stopping my firewall (on the server) and still no luck.

I guess my problem is with my local setup, being behind a router.
See these logs:

Quote:
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A
Command: PORT 192,168,1,136,5,139
Response: 500 Illegal PORT command
Error: Could not retrieve directory listing
192.168.1.136 being my laptop's IP in my local LAN, so I guess here is the problem.

Or maybe it is here:

Quote:
Aug 12 00:25:09 mod_tls/2.0.7[20911]: TLS/TLS-C requested, starting TLS handshake
Aug 12 00:25:10 mod_tls/2.0.7[20911]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
Aug 12 00:25:11 mod_tls/2.0.7[20911]: Protection set to Private
This being an excerpt from the /var/log/proftpd_tls.log file during the time I tried connecting. You see the connection succeeded, but then the directory listing fails.

So maybe someone not behind a router could test this for me?
#8  13th August 2006, 19:24
falko (Super Moderator)

I'm behind a router, but I can test anyway, if you want. Just pm me the login details.
#9  14th August 2006, 17:42
jimmy (Junior Member)

You also might want to check and make sure you have passive mode FTP enabled in the client program. Sorry, I forgot to add the details for configuring the clients. If using FileZilla, try going to File > Site Manager and create an FTP site profile, specify "FTP over SSL (explicit encryption)", and under Edit > Settings > Firewall settings put a check in "limit local ports used by FileZilla" and match the port range to the port range of the proftpd PassivePorts directive; you can also enable passive mode transfers there as well.
#10  15th August 2006, 07:58
Ovidiu (Senior Member)

thx jimmy,

I did not try everything you suggested, as I said; after disabling the firewall on the server it was still not working, so why bother complicating matters and trying passive mode?
AND I am interested in using proftpd with TLS, not FTP over SSL, be it implicit or explicit.

Is there somewhere a judgmental mistake I am making? Can someone see a flaw in the details I have posted in this thread? As far as I am concerned it should work.