FTPS or SFTP in ispconfig

Discussion in 'Installation/Configuration' started by blackflag, Nov 15, 2006.

  1. blackflag

    blackflag New Member

    Hello all,

    I want to do secure FTP on my proftpd on debian 3.1.
    All what I can find is a way to do TLS for the whole Server. How can I do secure FTP for each FTP- site?

    Can someone help?

    tia stefan
     
  2. falko

    falko Super Moderator

    SFTP has nothing to do with ProFTPd. SFTP uses the SSH port 22 and should work by default. Simply use and SFTP client such as WinSCP ( http://winscp.net/eng/download.php ) and connect to your server.
     
  3. blackflag

    blackflag New Member

    okay, when I understand the issue correct, I have only to enable ssh for users. So I did it and trying to connect with "kasablanca" and "firetfp" but I get an error "500 AUTH not understood".

    And the other thing is all this users getting shell access and that is not what I want.
    It should be better to use TLS. Is there a way in ispconfig?


    can someone help?

    tia
    stefan
     
    Last edited: Nov 16, 2006
  4. till

    till Super Moderator

    To test your sftp connection, try e.g. winscp.

    I guess you will just have to enable TLS in proftpd. Furter Configuration in ISPConfig is not nescessary.
     
  5. blackflag

    blackflag New Member

  6. falko

    falko Super Moderator

  7. Spaetzle

    Spaetzle New Member

    Hi

    I played aroung with securing proftpd today. It works now on my Debian Sarge installation.

    Here what I have done so far:

    First create the needed certificates:
    Code:
    openssl req -new -x509 -days 3650 -nodes  -out /etc/ssl/certs/proftpd.cert.pem \
    -keyout /etc/ssl/certs/proftpd.key.pem
    
    Next edit /etc/proftpd.conf:
    Code:
    TLSEngine                       on
    TLSLog                                  /var/log/proftpd/tls.log
    TLSProtocol                             SSLv3
    TLSOptions                              NoCertRequest
    TLSRSACertificateFile                   /etc/ssl/certs/proftpd.cert.pem
    TLSRSACertificateKeyFile                /etc/ssl/certs/proftpd.key.pem
    TLSVerifyClient                         off
    
    Now you should be able to connect to your server from himself (for testing install ftp-ssl and try out ftp -z secure localhost).
    Next we have to edit /etc/proftpd_ispconfig. Add the following lines within the VirtualHost part.
    Code:
    TLSEngine                       on
    TLSRSACertificateFile                   /etc/ssl/certs/proftpd.cert.pem
    TLSRSACertificateKeyFile                /etc/ssl/certs/proftpd.key.pem
    
    /etc/proftpd_ispconfig should look like this:
    Code:
    ###################################
    #
    # ISPConfig proftpd Configuration File
    #         Version 1.0
    #
    ###################################
    DefaultAddress 127.0.0.1
    <VirtualHost [I]your_ip[/I]>
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002
            TLSEngine                       on
            TLSRSACertificateFile                   /etc/ssl/certs/proftpd.cert.pem
            TLSRSACertificateKeyFile                /etc/ssl/certs/proftpd.key.pem
    </VirtualHost>
    

    Hope it works for you too.

    Bernd
     
    Last edited: Dec 25, 2006
  8. madmucho

    madmucho ISPConfig Developer

    error

    Please where can be problem?
    :confused: I trying to make my ftp server on Mandriva 2007 Free secure.
    Ftp Client log
    Code:
    AUTH TLS
    234 AUTH TLS successful
    Network subsystem is unusable
    
     
  9. till

    till Super Moderator

    Any errors when you restart the ftp server? Any errors in the syslog, messages log or xferlog?
     
  10. Spaetzle

    Spaetzle New Member

    Hi

    I have no idea without further information.
    Maybe I can find something if you post your proftpd config.
     
  11. madmucho

    madmucho ISPConfig Developer

    in /var/log/proftpd
    Code:
     FTP session opened.
     USER xxx: Login successful.
     Preparing to chroot to directory '/var/www/web1'
     error setting IPV6_V6ONLY: Protocol not available
     FTP session closed.
    
    in /var/log/auth.log
    Code:
     proftpd: pam_unix(proftpd:session): session opened for user
    xxx by (uid=0)
     proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
     proftpd: pam_unix(proftpd:session): session closed for user xxx
    
    Can be problem in firewall? I have for ftp open port 20 and 21 only. Non secure connection working fine.
    file /etc/security/pam_env.conf don exist in my instalation maibe is used by tls module in proftpd. But i dont know what may be in this file :/.
     
  12. Spaetzle

    Spaetzle New Member

    I donn't think your problem is with pam_env.conf, but with /etc/proftpd.conf (or where proftpd.conf is).
    But you may try creating this file. I found one on my Debian Etch box. There is no line in it which is not uncommented ...

    Have you tried turning IP6 off with proftpd?
     
  13. madmucho

    madmucho ISPConfig Developer

    Proftpd is compiled with directive --ipv6 i using package from distribution mirror :/ can be turned off, i try that. Maibe recompile, i try fix it later.

    When i connecting to proftpd normaly not using tls this message isnt in log. Only when i try secured.
    Code:
    pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
    
     
  14. falko

    falko Super Moderator

    What's in your /etc/proftpd.conf?
     
  15. madmucho

    madmucho ISPConfig Developer

    Here is
    Code:
    #
    # Includes DSO modules
    Include /etc/proftpd.d/*.conf
    
    # This is the directory where DSO modules resides
    ModulePath /usr/lib/proftpd
    
    # Allow only user root to load and unload modules, but allow everyone
    # to see which modules have been loaded
    
    ModuleControlsACLs insmod,rmmod allow user root
    ModuleControlsACLs lsmod allow user *
    
    ServerName                      "ProFTPD Server"
    ServerType                      standalone
    DeferWelcome                    off
    
    MultilineRFC2228                on
    DefaultServer                   on
    ShowSymlinks                    on
    
    UseIPv6                         off
    
    TimeoutNoTransfer               600
    TimeoutStalled                  600
    TimeoutIdle                     1200
    
    DisplayLogin                    welcome.msg
    DisplayChdir                   .message
    ListOptions                     "-l"
    
    DenyFilter                      \*.*/
    
    # Allow FTP resuming.
    # Remember to set to off if you have an incoming ftp for upload.
    AllowStoreRestart               on
    
    # Port 21 is the standard FTP port.
    Port                            21
    
    # In some cases you have to specify passive ports range to by-pass
    # firewall limitations. Ephemeral ports can be used for that, but
    # feel free to use a more narrow range.
    #PassivePorts                    49152 65534
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances                    30
    
    # Set the user and group under which the server will run.
    User                            nobody
    Group                           nogroup
    
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask                           022  022
    
    # To cause every FTP user to be "jailed" (chrooted) into their home
    # directory, uncomment this line.
    DefaultRoot ~
    
    # Normally, we want files to be overwriteable.
    AllowOverwrite                  on
    
    # Uncomment this if you are using NIS or LDAP to retrieve passwords:
    PersistentPasswd                off
    
    # Be warned: use of this directive impacts CPU average load!
    #
    # Uncomment this if you like to see progress and transfer rate with ftpwho
    # in downloads. That is not needed for uploads rates.
    #UseSendFile                    off
    
    TransferLog /var/log/proftpd/proftpd.log
    SystemLog   /var/log/proftpd/proftpd.log
    
    <IfModule mod_tls.c>
        #TLS settings
        TLSEngine                       on
        TLSLog                                  /var/log/proftpd/tls.log
        TLSProtocol                             SSLv3
        TLSOptions                              NoCertRequest
        TLSRSACertificateFile                   /etc/ssl/certs/proftpd.cert.pem
        TLSRSACertificateKeyFile                /etc/ssl/certs/proftpd.key.pem
        TLSVerifyClient                         off
    </IfModule>
    
    <IfModule mod_quota.c>
        QuotaEngine on
    </IfModule>
    
    <IfModule mod_ratio.c>
        Ratios on
    </IfModule>
    
    # Delay engine reduces impact of the so-called Timing Attack described in
    # http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
    # It is on by default.
    <IfModule mod_delay.c>
        DelayEngine on
    </IfModule>
    
    <IfModule mod_ctrls.c>
        ControlsEngine        on
        ControlsMaxClients    2
        ControlsLog           /var/log/proftpd/controls.log
        ControlsInterval      5
        ControlsSocket        /var/run/proftpd/proftpd.sock
    </IfModule>
    
    <IfModule mod_ctrls_admin.c>
        AdminControlsEngine on
    </IfModule>
    
    ## Bar use of SITE CHMOD by default
    #<Limit SITE_CHMOD>
    #    DenyAll
    #</Limit>
    
    DefaultRoot ~
    IdentLookups off
    ServerIdent on "FTP Server ready."
    
    <Global>
    IdentLookups off
    CommandBufferSize               512
    </Global>
    
    Include /etc/proftpd_ispconfig.conf
    
    
     
  16. falko

    falko Super Moderator

  17. madmucho

    madmucho ISPConfig Developer

    Proftpd sux one night and nothing done.

    As you say i try. File there exist with some directives but same message in log..
    Fine, i try online upgrade to 2007.1 new proftpd new modules.
    mod_TLS work fine...but my connection not allow to make pasive connection with host. ip NATed to internal network. Localy work fine..

    If i dont use Secured ftp in my connection i try make something diferent, that is offtopic but maibe this information help someone.

    I try use mod_clamav with proftpd to scan uploaded files and delete if is infected.
    Normaly instalation using urpmi which insert one directive and module.
    But scaning not occured, in log file i have, if is user connected, message
    Code:
    mod_clamav/0.4: warning: No local socket was specified.
    but directive in /etc/proftpd.d/mod_clamav.conf pointing to right socket
    Code:
    ClamLocalSocket /var/lib/clamav/clamd.socket
    Know someone how fix?
     

Share This Page