
4th August 2006, 10:25
Senior Member
getting proftpd to work with TLS
hi there,
I found several tutorials and the result is this:
my proftpd.conf
Quote:
ServerName "Debian"
ServerType standalone
DeferWelcome off
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/
# Uncomment this if you would use TLS module:
TLSProtocol SSLv23
<GLOBAL>
TLSEngine on
TLSLog /var/log/proftpd_tls.log
#TLSProtocol TLSv1
TLSOptions NoCertRequest
TLSRequired off
TLSVerifyClient off
TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
</GLOBAL>
Port 21
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
Umask 022 022
AllowOverwrite on
Include /etc/proftpd_ispconfig.conf
The remaining problem is that I get an error when trying to list the directories, meaning I can connect and see the basic structure, but cannot double-click on any subfolders.
I googled around, but all the posts I found on the net were talking about some firewall or NAT settings I am not concerned with, as they do not apply to my configuration. Without any encryption, just plain FTP, everything is OK.
Any ideas? Does anyone use proftpd with TLS? Do the users have to have shell access to be able to do that?
###edit###
I made certificates, don't bother asking about that :-)
btw. I will post the exact error (it started with error code 425..) on Monday; I will go to a Fatboy Slim concert tonight and be on the way during the weekend - just posting in case anyone uses this configuration and can tell me how they did it.
Last edited by Ovidiu; 4th August 2006 at 10:42.

5th August 2006, 16:39
Super Moderator
Quote:
Originally Posted by Tenaka
do the users have to have shell access to be able to do that?
I'm not quite sure, but I'd try this to see if it changes things...
What's in /var/log/proftpd_tls.log?

6th August 2006, 19:15
Senior Member
Users with and without shell - same result. The exact error is this:
Quote:
500 Illegal PORT command
425 Unable to build data connection: Connection refused
But I have another suspicion: I am trying to connect from home, being on an internal LAN connected to the outside through a router... does that change anything? It should not, as far as I understand, as I am not using passive FTP, and using FTP without any encryption, just plain FTP, works.
###edit###
it seems the error lies with me being behind a router at home:
Quote:
Response: 230 User web6_postmaster logged in.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: 211-MDTM
Response: 211-REST STREAM
Response: 211-SIZE
Response: 211-AUTH TLS
Response: 211-PBSZ
Response: 211-PROT
Response: 211 End
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A
Command: PORT 192,168,1,136,5,139
Response: 500 Illegal PORT command
Error: Could not retrieve directory listing
Command: REST 0
Response: 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
Command: TYPE I
Response: 200 Type set to I
Last edited by Ovidiu; 6th August 2006 at 19:44.
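An added example (my code, not from the thread or from ProFTPD) showing what the server does with the PORT line in the log above. The client sent `PORT 192,168,1,136,5,139`, i.e. "connect back to 192.168.1.136 port 5*256+139 = 1419". A server that only accepts a PORT address equal to the address the control connection came from (ProFTPD's default, AllowForeignAddress off) has to refuse that: 192.168.1.136 is an RFC 1918 LAN address, not the public address the server sees. The peer address 203.0.113.7 and the extra PORT arguments tried at the bottom are made up for the example.

```python
# Added example, not code from the thread or from ProFTPD: a model of the check
# a server applies to an active-mode PORT command. It shows why the PORT line
# from the FileZilla log above is rejected. The peer address 203.0.113.7 and
# the other PORT arguments tried at the bottom are made up (assumptions).
import ipaddress
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2 means address h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Decode a PORT argument into (ip, port); ValueError if it is malformed."""
    m = PORT_RE.match(arg.strip())
    if m is None:
        raise ValueError(f"malformed PORT argument: {arg!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"value out of range in PORT argument: {arg!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port_command(peer_ip, arg, allow_foreign=False):
    """Return (reply, reason) for a PORT command received from peer_ip.

    The policy is modelled on ProFTPD's default (AllowForeignAddress off):
    the address in PORT must be the address the control connection came
    from, and the port must be an unprivileged one. Which reply code goes
    with which case follows RFC 959 (501 bad parameter, 500 refused); it is
    not a claim about ProFTPD's exact code for every individual case.
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return "501 Illegal PORT command", str(exc)
    if port < 1024 or port > 65535:
        return "500 Illegal PORT command", f"port {port} is not an unprivileged port"
    if ip != peer_ip and not allow_foreign:
        reason = f"PORT names {ip} but the control connection came from {peer_ip}"
        if ipaddress.ip_address(ip).is_private:
            reason += ("; that is an RFC 1918 address, so the client is behind NAT "
                       "and announced its LAN address, which the server could not "
                       "reach for the data connection anyway")
        return "500 Illegal PORT command", reason
    return "200 PORT command successful", f"server will connect to {ip}:{port}"


if __name__ == "__main__":
    # The PORT line from the log in this thread, plus variants, as seen by a
    # server whose control-connection peer is the made-up public address.
    for arg in ("192,168,1,136,5,139", "203,0,113,7,5,139",
                "203,0,113,7,0,80", "192,168,1"):
        reply, why = check_port_command("203.0.113.7", arg)
        print(f"PORT {arg:<22} -> {reply}  ({why})")
```

The reason plain FTP from the same laptop works is that the home router's FTP helper reads the plaintext PORT command and rewrites the LAN address to the router's public one; once the control channel is inside TLS it cannot do that, and the server receives the LAN address as shown. Passive mode sidesteps the problem because the client makes the outbound data connection and never has to announce an address.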

7th August 2006, 13:31
Super Moderator
Quote:
Originally Posted by Tenaka
it seems the error lies with me being behind a router at home:
Then it seems to be an issue with your router's firewall...

7th August 2006, 19:42
Senior Member
Can anyone not behind a router, or able to log in to other FTP servers with TLS, spare 5 min and test if he can log in with FTP (TLS) to my server? I'll make a small test account and give out the data, so if you can spare 5 min, send me a PM please.

11th August 2006, 22:25
Junior Member
Maybe I can help here. I used the Proftpd with MySQL howto from this site and added in TLS support after the fact; adding in the TLS was the touchiest (and toughest) part for me and took a lot of experimentation to finally get it right. The idea was to run proftpd over TLS without having to change the default port and forcing us to make our customers switch to new FTP clients. This works perfectly with the FileZilla client (latest version) and CoreFTP, which both include built-in FTPS support. I'll post the pertinent information from my setup and try to include some tips on the snags I encountered along the way.
Code:
# Uncomment this if you would use TLS module:
TLSEngine on
TLSProtocol SSLv23
TLSLog /var/log/proftpd/tls.log
PassivePorts 60000 65535
# Clients are required to use FTP over TLS when talking to this server
# off = clients can connect using insecure FTP or secure FTP/SSL
# on = clients can only connect using secure FTP/SSL
# ctrl = ssl encryption on control channel only(encrypted uname and passwords)
# data = data channel only encryption(file transfer data encrypted)
TLSRequired on
# Server's certificate
TLSRSACertificateFile /path/to/your/ssl.crt
TLSRSACertificateKeyFile /path/to/your/ssl.key
# CA the server trusts
TLSCACertificateFile /path/to/your/ca.crt
Make note of the PassivePorts directive: this makes proftpd use that port range for passive mode FTP connections, which is one of the keys to making this work. Make sure you allow that port range through your firewall. This works perfectly with the latest version of CoreFTP and FileZilla client.
I found the following excerpt, in the quote below, to be most helpful concerning FTP behaviour over TLS when coupled with firewalls. It can be found here: http://www.castaglia.org/proftpd/doc...HOWTO-TLS.html
Quote:
Question: Using mod_tls, FTP sessions through my firewall now no longer work. What's going on?
Answer: The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know on which ports/addresses the data connection will be established. In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using the PassivePorts directive), FTPS should function without issue.
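An added example (my code, not from the thread, ProFTPD or any router/firewall product) that models the FTP-aware device the quoted answer describes, fed a constructed control-channel transcript. It covers both halves of the story in this thread: the NAT helper on a home router that rewrites a plaintext PORT command but cannot touch it inside TLS (why plain active FTP works from the original poster's laptop and FTPS does not), and the stateful firewall in front of the server that can open a pinhole from a plaintext `227 Entering Passive Mode` reply but, once the control channel is encrypted, only lets the data connection through if a static range matching PassivePorts is allowed. All addresses, ports, the user name and the transcript are made up.

```python
# Added example, not code from the thread, ProFTPD or any router/firewall
# product: a model of the FTP-aware NAT/firewall device described in the quoted
# HOWTO answer, run over a constructed control-channel transcript. All
# addresses, ports, the user name and the transcript are made up (assumptions).
import re

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def nat_rewrite_port(line, encrypted, public_ip):
    """What a home router's FTP helper does to an outbound PORT command.

    On a plaintext control channel it substitutes its own public address
    (and sets up the matching inbound mapping), which is why plain active
    FTP works from behind NAT. Inside TLS the command is ciphertext, so the
    server receives the client's LAN address unchanged.
    """
    if encrypted or not line.startswith("PORT "):
        return line
    _, _, _, _, p1, p2 = line[5:].split(",")
    return "PORT " + ",".join(public_ip.split(".") + [p1, p2])


class FtpAwareFirewall:
    """Stateful filter in front of an FTP server.

    21/tcp is always allowed; a pinhole is opened for each data port read
    from a plaintext '227 Entering Passive Mode' reply; static_range, if set,
    is always allowed (the rule you add to match ProFTPD's PassivePorts).
    """

    def __init__(self, server_ip, static_range=None):
        self.server_ip = server_ip
        self.static_range = static_range
        self.pinholes = set()

    def inspect_reply(self, line, encrypted):
        """Feed one server->client control line; True if a pinhole was opened."""
        if encrypted:
            return False  # opaque TLS record, nothing to parse
        m = PASV_RE.match(line)
        if m is None:
            return False
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        self.pinholes.add((f"{a}.{b}.{c}.{d}", p1 * 256 + p2))
        return True

    def allows(self, dst_ip, dst_port):
        """Would a new TCP connection to dst_ip:dst_port be let through?"""
        if dst_ip != self.server_ip:
            return False
        if dst_port == 21 or (dst_ip, dst_port) in self.pinholes:
            return True
        if self.static_range is not None:
            lo, hi = self.static_range
            return lo <= dst_port <= hi
        return False


def run_passive_listing(firewall, use_tls, pasv_port):
    """Replay a passive-mode LIST and report whether the data connection
    through `firewall` succeeds. With use_tls the control channel is
    encrypted from the '234' reply to AUTH TLS onwards."""
    a, b, c, d = firewall.server_ip.split(".")
    p1, p2 = divmod(pasv_port, 256)
    transcript = []
    if use_tls:
        transcript += [("C", "AUTH TLS"), ("S", "234 AUTH TLS successful")]
    transcript += [
        ("C", "USER demo"), ("S", "331 Password required for demo"),
        ("C", "PASS ****"), ("S", "230 User demo logged in"),
        ("C", "PASV"),
        ("S", f"227 Entering Passive Mode ({a},{b},{c},{d},{p1},{p2})."),
        ("C", "LIST"),
    ]
    encrypted = False
    for who, line in transcript:
        if who == "S":
            firewall.inspect_reply(line, encrypted)
            if line.startswith("234 "):
                encrypted = True  # everything after this is inside TLS
    # The client now opens a second TCP connection to the advertised port.
    if firewall.allows(firewall.server_ip, pasv_port):
        return f"LIST ok: data connection to port {pasv_port} allowed"
    return f"LIST fails: data connection to port {pasv_port} dropped"


if __name__ == "__main__":
    srv = "203.0.113.10"
    print(run_passive_listing(FtpAwareFirewall(srv), False, 60000))
    print(run_passive_listing(FtpAwareFirewall(srv), True, 60000))
    print(run_passive_listing(FtpAwareFirewall(srv, (60000, 65535)), True, 60000))
    print(run_passive_listing(FtpAwareFirewall(srv, (60000, 65535)), True, 50000))
```

The last call shows the other failure mode: a static allow range helps only if the server really picks its passive ports from that range, so PassivePorts on the server and the firewall rule have to agree. On the server side that means allowing inbound TCP to 60000-65535 in addition to 21 (the range from the config above), and on the client side passive mode must be enabled, because the same encrypted-channel argument applies to the router's handling of PORT.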

12th August 2006, 00:27
Senior Member
Well, thanks, that advice sounded good, but as a first try I tried stopping my firewall (on the server) and still no luck.
I guess my problem is with my local setup, being behind a router.
See these logs:
Quote:
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A
Command: PORT 192,168,1,136,5,139
Response: 500 Illegal PORT command
Error: Could not retrieve directory listing
192.168.1.136 being my laptop's IP in my local LAN, so I guess here is the problem.
Or maybe it is here:
Quote:
Aug 12 00:25:09 mod_tls/2.0.7[20911]: TLS/TLS-C requested, starting TLS handshake
Aug 12 00:25:10 mod_tls/2.0.7[20911]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
Aug 12 00:25:11 mod_tls/2.0.7[20911]: Protection set to Private
This being an excerpt from the /var/log/proftpd_tls.log file during the time I tried connecting. You see the connection succeeded, but then the directory listing fails.
So maybe someone not behind a router could test this for me?

13th August 2006, 19:24
Super Moderator
I'm behind a router, but I can test anyway, if you want. Just pm me the login details.

14th August 2006, 17:42
Junior Member
You also might want to check and make sure you have passive mode FTP enabled in the client program. Sorry, I forgot to add the details for configuring the clients. If using FileZilla, try going to File > Site Manager and create an FTP site profile, specify "FTP over SSL (explicit encryption)", and under Edit > Settings > Firewall settings put a check in "Limit local ports used by FileZilla" and match the port range to the port range of the proftpd PassivePorts directive; you can also enable passive mode transfers there as well.

15th August 2006, 07:58
Senior Member
Thanks Jimmy,
I did not try everything you suggested: as I said, after disabling the firewall on the server it was still not working, so why bother complicating matters and trying passive mode?
AND I am interested in using proftpd with TLS, not FTP over SSL, be it implicit or explicit.
Is there somewhere a judgemental mistake I am making? Can someone see a flaw in the details I have posted in this thread? As far as I am concerned it should work.