The following was for installation on an SGI O2 running IRIX but should work on most UNIX systems with very little change.
Also refer to Setting up a multiple IP address interface on an SGI O2 under IRIX 6.5.x for obtaining and configuring the separate IP addresses required for virtual FTP servers to function.

Why Use ProFTPD

The ProFTPD FTP server is a free, open source program for UNIX that is built on a "secure" model and has a configuration similar to the Apache webserver. It has a lot of options that make it very flexible and enable the administrator to keep control of what is going on. This is especially so for chrooted areas. Security problems have been encountered in the past (this is not unique to ProFTPD: programs such as wuftpd and the standard ftpd have all had alerts on them), but ProFTPD is quick at getting fixes out.
Where to get ProFTPD

ProFTPD is obtainable as source code or RPMs:
Compiling and Installing ProFTPD

This assumes you have CC or GCC available. Be wary that the GCC compiler on IRIX 6.5.x can cause strange behaviour with internet style applications, and it is better to use the native CC compiler you can get for IRIX from SGI. For compiling GCC, refer to Compiling the GNU GCC/G++ C compiler for information on how to do this. With a decent workstation this should not be a problem: the ./configure script should be able to detect what it needs, making compilation a relatively trivial exercise.
Setting up/Configuring ProFTPD

Basically, the way I did this was lots of trial and error, reading the on-line documentation and trying again. After an hour or 5 (I was not in that big a rush), I was there (and very happy with the result - the standard ftpd is much harder to set up in a secure fashion). The following example should make it easier to install.

The default is to install the /usr/local/etc/proftpd.conf file as read only, so you have to run chmod +w proftpd.conf to be able to edit the file. After finishing editing the file, run chmod -w proftpd.conf to make it read-only again.

Note that proftpd uses the list of names in the /etc/ftpusers file to block access:

  # Use the /etc/ftpusers file to deny logins and use the DenyAll
  UseFtpUsers On

To allow FTP Secure Shell tunnelling, create special IP address virtual domains (where anonymous logins are not allowed) with AllowForeignAddress on, where users can log in via Secure Shell tunnelling. This is not something to enable on an IP address that allows anonymous logins (AllowForeignAddress lets the data connection come from an address other than the one the control connection came from, which is why it is risky on an anonymous server). Also refer to: Secure FTP transfers via Secure Shell Tunnelling
Something to be aware of with allow/deny in proftpd vs apache

On Thu, Sep 30, 1999 at 07:55:37PM -0700, Jeremy Chadwick wrote:
> On Fri, Oct 01, 1999 at 02:00:24AM +0200, [email protected] wrote:
> > I just noticed that - IIRC - the default access policy when using
> > "order" with ProFTPd is different from that with Apache:
> >
> > With ProFTPd, "order allow,deny" grants access by default and "order
> > deny,allow" denies access by default.
> > With Apache it's just the other way!
>
> I posted this ~1 week ago.
>
> Apache is backwards. I say this because the "Apache way" doesn't
> apply logically to doing anything network-oriented, primarily
> firewalling rules. You don't put your deny statements before
> your allows; it just doesn't make sense, period.
>
> It'd be silly to change the method ProFTPD, and it'd be silly
> to change the order in Apache, especially since both are so
> far along the development line. "If it ain't broke, don't fix
> it."

You hit the nail on the head. I come from a rather rigorous network (read: Cisco) background, and had always found the Apache "way" to be rather backwards; thus the difference you see in proftpd.

--
"I am Dyslexic of Borg. Prepare to have your ass laminated."
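To make the thread's point concrete, here is an added Python evaluator (not from the page, the list posters or ProFTPD) that applies the ProFTPD and Apache Order rules to a <Limit LOGIN> block modelled on the mirror-account block in the configuration further down this page; the host matching is a simplification (suffix, prefix and exact match only, no CIDR or globs), and the sample blocks are constructed.

```python
"""Order/Allow/Deny evaluation for a ProFTPD <Limit LOGIN> block, with the
Apache 1.3/2.2 mod_access rule alongside for contrast.  Added example, not
code from the CCP14 page or from ProFTPD; the host matcher is a
simplification of what ProFTPD's mod_core accepts."""

# Constructed sample modelled on the mirror account's <Limit LOGIN> block
# later on this page: first match wins under ProFTPD's Order allow,deny.
MIRROR_LIMIT = """
<Limit LOGIN>
  Order Allow,Deny
  Allow from .dl.ac.uk
  Allow from .cryst.bbk.ac.uk
  Deny from all
</Limit>
"""

# Constructed sample where the trailing "Deny from all" has been forgotten.
OPEN_LIMIT = """
<Limit LOGIN>
  Order Allow,Deny
  Allow from .dl.ac.uk
</Limit>
"""


def _matches(pattern, host, ip):
    """Simplified ProFTPD-style match: 'all'; '.domain' is a DNS suffix;
    'a.b.c.' is an IP prefix; anything else must equal the host or the IP."""
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):
        return host.lower().endswith(p)
    if p.endswith("."):
        return ip.startswith(p)
    return host.lower() == p or ip == p


def parse_limit(text):
    """Collect Order, Allow[ from], Deny[ from], AllowAll and DenyAll from one
    <Limit> block.  ProFTPD's documented default Order is allow,deny."""
    limit = {"order": "allow,deny", "allow": [], "deny": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue  # blank line, comment, or the <Limit>/</Limit> tags
        key, *args = line.split()
        key = key.lower()
        if args and args[0].lower() == "from":
            args = args[1:]
        args = [a.strip(",") for a in args]
        if key == "order":
            limit["order"] = args[0].lower()
        elif key == "allow":
            limit["allow"] += args
        elif key == "deny":
            limit["deny"] += args
        elif key == "allowall":
            limit["allow"].append("all")
        elif key == "denyall":
            limit["deny"].append("all")
    return limit


def decide(limit, host, ip, flavour="proftpd"):
    """True if the client is let in.
    proftpd: lists are checked in Order and the first list with a match
      decides; a client matching neither gets the default, which is allow
      for allow,deny and deny for deny,allow.
    apache:  both lists are always evaluated and the list named last wins,
      so the no-match default is the opposite of ProFTPD's.  Note that
      ProFTPD allow,deny is the same rule as Apache deny,allow."""
    hit_allow = any(_matches(p, host, ip) for p in limit["allow"])
    hit_deny = any(_matches(p, host, ip) for p in limit["deny"])
    allow_first = limit["order"].split(",")[0] == "allow"
    if flavour == "proftpd":
        return (hit_allow or not hit_deny) if allow_first else (hit_allow and not hit_deny)
    if flavour == "apache":
        return (hit_allow and not hit_deny) if allow_first else (hit_allow or not hit_deny)
    raise ValueError("flavour must be 'proftpd' or 'apache'")


def compare(text, host, ip):
    """Return {'proftpd': bool, 'apache': bool} for one client."""
    limit = parse_limit(text)
    return {f: decide(limit, host, ip, f) for f in ("proftpd", "apache")}


if __name__ == "__main__":
    # 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges (constructed input)
    for name, block in (("mirror", MIRROR_LIMIT), ("open", OPEN_LIMIT)):
        for host, ip in (("ftp.dl.ac.uk", "192.0.2.10"), ("x.example.org", "203.0.113.5")):
            print(name, host, compare(block, host, ip))
```

The "open" block is the one to watch: with no Deny line at all, ProFTPD's allow,deny default lets every unlisted host log in, which is why the page's blocks end with Deny from all or DenyAll.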
ProFTPD Configuration file

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
# 23rd September 1999 - start hacking away on this - Lachlan Cranswick
# The main server is restricted to authorized users - the other IP/address
# virtual servers for anonymous access.

ServerName "CCP14 Restricted User Area - Authorised Users Only"
ServerType standalone

# If there is no explicit virtual server defined for the IP
# address, then the connection will be refused.
DefaultServer off

# Only advertise FTP on desired IP addresses
# SocketBindTight on
# Bind 193.61.32.164

# Undocumented features
# ServerIdent off
# DisplayConnect /path/to/banner
# RootLogin on
# AllowForeignAddress on

# If slow DNS return lookups
# UseReverseDNS off
# IdentLookups off

# The address the server will report as being the admin
ServerAdmin [email protected]

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

SystemLog /web_logs/proftpd/ftp_logins
TransferLog /web_logs/proftpd/xferlog
LogFormat default "%h %l %u %t \"%r\" %s %b"

# Display .files when doing a directory listing
# LsDefaultOptions "-a"

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 100

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Normally, we want files to be overwriteable.
# <Directory /*>
#   AllowOverwrite on
# </Directory>

# Use the /etc/ftpusers file to deny logins and use the DenyAll
UseFtpUsers On

# Jail logins to their user areas. Means if you want to copy some
# root files off, they will first have to be manually copied to a
# relevant user area.
# The following line would chroot users but not the root account.
# Bad form to log in via FTP as root.
# DefaultRoot ~ users,!root

<Global>
  #UseReverseDNS off
  #IdentLookups off
  DefaultRoot ~
  DenyFilter '%'
  DenyFilter \*.*/
  PassivePorts 49152 65534
  # PassivePorts 6001 6007
  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable.
  Umask 022
  # CDPath /etc
  # CDPath /usr/local
  # AccessGrantMsg "Guest access granted for %u."
  # DeferWelcome on
</Global>

# DisplayConnect /ftp/.msg.connect
# DisplayGoAway /ftp/.msg.goaway
# <Anonymous /ftp/>
#   DisplayLogin /.msg.login
#   DisplayQuit /.msg.bye

# Also big timeout for the restricted user server, mainly for doing webwork
TimeoutNoTransfer 600
TimeoutIdle 600

# Was limited to allow logins to www.ccp14.ac.uk from dl.ac.uk, ccp14.ac.uk, iucr.ac.uk and other domains
# Changed this to force upload via the cerebus.ccp14.ac.uk and ccp14dev.ccp14.ac.uk virtual domains
<Limit LOGIN>
  DenyAll
</Limit>

# Anonymous upload area for CCP14 - debian.ccp14.ac.uk www.ccp14.ac.uk
<VirtualHost 193.61.32.164>
  MaxClientsPerHost 6 "Sorry, you may not connect more than four times"
  <Limit LOGIN>
    DenyAll
  </Limit>

  <Anonymous /web_disc/ccp14/web_area/web_live>
    # chrooted Mirror user account for mirroring. Can only copy
    # from the mirror user at /web_disc/ccp14/web_area/web_live (~mirror)
    User mirror
    Group user
    AnonRequirePassword on
    MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
    # only enable ability to get into the mirror area for mirroring from trusted hosts
    # Limit from dl.ac.uk, ccp14.ac.uk, iucr.ac.uk and other "named" domains
    # AllowUser mirror
    <Limit LOGIN>
      Order Allow,Deny
      Allow from .dl.ac.uk
      Allow from .minerals.csiro.au
      Allow from .u-aizu.ac.jp
      Allow from .cryst.bbk.ac.uk
      Deny from all
    </Limit>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>

  <Anonymous /home/ccp14/ftp_incoming>
    # chrooted area for uploading files for CCP14 with CCP14 as the owner
    User ccp14
    Group dlccp14a
    UserAlias ftp ccp14
    AuthAliasOnly on
    RequireValidShell off
    MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
    # People uploading have to know to use ftp.
    # UserAlias anonymous ftp
    <Limit LOGIN>
      AllowAll
    </Limit>
    <Directory *>
      <Limit STOR CWD MKD>
        AllowAll
      </Limit>
      <Limit READ RMD DELE RNFR RNTO>
        DenyAll
      </Limit>
    </Directory>
  </Anonymous>
</VirtualHost>

<VirtualHost 193.61.32.162>
  ServerName "CCP14 Crystallographic Software Anonymous FTP Area - ftp.ccp14.ac.uk"
  # TimeoutNoTransfer 600
  # TimeoutIdle 600
  # UseReverseDNS off
  # IdentLookups off
  MaxClientsPerHost 4 "Sorry, you may not connect more than four times"
  <Limit LOGIN>
    DenyAll
  </Limit>

  <Anonymous /web_disc/ccp14/web_area/web_live/ccp>
    # Get symbolic links to work - will try with a later version of ProFTPD
    ShowSymlinks On
    # CDPath /web_disc/ccp14/web_area
    User ftp
    Group ftp
    RequireValidShell off
    HideGroup xrdguest
    # HideNoAccess /web_disc/ccp14/web_area/web_live/web-mirrors
    MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
    # Must be put in a <Limit> box for this to work.
    # IgnoreHidden on
    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias anonymous ftp
    <Limit LOGIN>
      AllowAll
    </Limit>
    MaxClients 80
    DirFakeGroup On
    DirFakeUser On
    DisplayLogin welcome.msg
    DisplayFirstChdir .message
    AllowOverwrite off
    TransferLog /web_logs/proftpd/anonxferlog_proftpd
    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>
</VirtualHost>

<VirtualHost 193.61.32.163>
  ServerName "Redhat Mirror via Anonymous FTP from the CCP14 Project site - redhat.ccp14.ac.uk"
  # TimeoutNoTransfer 600
  # TimeoutIdle 600
  # UseReverseDNS off
  # IdentLookups off
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
  <Limit LOGIN>
    DenyAll
  </Limit>

  <Anonymous /web_disc/ccp14/web_area/redhat>
    User ftp
    Group ftp
    RequireValidShell off
    MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias anonymous ftp
    <Limit LOGIN>
      AllowAll
    </Limit>
    # ShowSymlinks On
    DirFakeGroup On
    DirFakeUser On
    MaxClients 20
    DisplayLogin welcome.msg
    DisplayFirstChdir .message
    AllowOverwrite off
    TransferLog /web_logs/proftpd/anonxferlog_proftpd
    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>
</VirtualHost>

# Old debian config at dl.ac.uk - removed with the new change at Birkbeck college
#<VirtualHost 193.61.32.164>
#  ServerName "Debian Mirror via Anonymous FTP from the CCP14 Project site - debian.ccp14.ac.uk"
##  TimeoutNoTransfer 600
##  TimeoutIdle 600
##  UseReverseDNS off
##  IdentLookups off
#  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
#  <Limit LOGIN>
#    DenyAll
#  </Limit>
#  <Anonymous /web_disc/ccp14/web_area/debian>
#    User ftp
#    Group ftp
#    RequireValidShell off
#    MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
#    # We want clients to be able to login with "anonymous" as well as "ftp"
#    UserAlias anonymous ftp
#    <Limit LOGIN>
#      AllowAll
#    </Limit>
##    ShowSymlinks On
#    DirFakeGroup On
#    DirFakeUser On
#    MaxClients 20
#    DisplayLogin welcome.msg
#    DisplayFirstChdir .message
#    AllowOverwrite off
#    TransferLog /web_logs/proftpd/anonxferlog_proftpd
#    <Limit WRITE>
#      DenyAll
#    </Limit>
#  </Anonymous>
#</VirtualHost>

<VirtualHost 193.61.32.165>
  ServerName "FreeBSD Mirror via Anonymous FTP from the CCP14 Project site - freebsd.ccp14.ac.uk"
  # TimeoutNoTransfer 600
  # TimeoutIdle 600
  # UseReverseDNS off
  # IdentLookups off
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
  <Limit LOGIN>
    DenyAll
  </Limit>

  <Anonymous /web_disc/ccp14/web_area/freebsdftp>
    # ShowSymlinks On
    User ftp
    Group ftp
    RequireValidShell off
    MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias anonymous ftp
    <Limit LOGIN>
      AllowAll
    </Limit>
    DirFakeGroup On
    DirFakeUser On
    MaxClients 20
    DisplayLogin welcome.msg
    DisplayFirstChdir .message
    AllowOverwrite off
    TransferLog /web_logs/proftpd/anonxferlog_proftpd
    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>
</VirtualHost>

<VirtualHost 193.61.32.166>
  ServerName "CCP14 Restricted Upload FTP server - unauthorized access forbidden - cerebus.ccp14.ac.uk"
  # TimeoutNoTransfer 6600
  # TimeoutIdle 6600
  # IdentLookups on
  RequireValidShell on
  AllowForeignAddress on
  DefaultRoot ~
  # Normally, we want users to be able to overwrite their own files
  <Directory /*>
    AllowOverwrite on
  </Directory>
  <Limit LOGIN>
    Order Allow,Deny
    Allow 127.0.0.1
    Allow 148.666.666.666
    Allow .blah.com
    Allow .blah.net
    Deny from All
  </Limit>
  <Limit LOGIN>
    Order Allow,Deny
    AllowUser balh
    AllowUser blah2
    DenyAll
  </Limit>
  <Limit LOGIN>
    Order Allow,Deny
    AllowGroup groupblah
    AllowGroup groupguest
    DenyAll
  </Limit>
</VirtualHost>

<VirtualHost 193.61.32.167>
  ServerName "CCP14 Developers FTP server - unauthorized access forbidden - ccp14dev.ccp14.ac.uk"
  # TimeoutNoTransfer 6600
  # TimeoutIdle 6600
  # IdentLookups on
  RequireValidShell off
  AllowForeignAddress on
  DefaultRoot ~
  # Normally, we want users to be able to overwrite their own files
  <Directory /*>
    AllowOverwrite on
  </Directory>
  <Limit LOGIN>
    Order Allow,Deny
    AllowGroup ccp14dv
    DenyAll
  </Limit>
  #<Limit LOGIN>
  #  Order Allow,Deny
  #  Allow from .jp
  #  Allow from .fr
  #  Allow from .uk
  #  Deny from All
  #</Limit>
  #<Limit LOGIN>
  #  Order Allow,deny
  #  AllowUser balh1,blah2
  #  AllowGroup group1,group2
  #</Limit>
</VirtualHost>

<VirtualHost 193.61.35.93>
  ServerName "dldata for Blah"
  # TimeoutNoTransfer 6600
  # TimeoutIdle 6600
  # IdentLookups on
  RequireValidShell off
  AllowForeignAddress on
  DefaultRoot ~
  # Normally, we want users to be able to overwrite their own files
  <Directory /*>
    AllowOverwrite on
  </Directory>
  <Limit LOGIN>
    Order Allow,Deny
    Allow from .cryst.bbk.ac.uk
    Deny from All
  </Limit>
  <Limit LOGIN>
    Order Allow,deny
    AllowUser user2
    AllowGroup groupuser,group2
  </Limit>

  <Anonymous /web_disc/jacques/dldata>
    # chrooted area for uploading files for CCP14 with CCP14 as the owner
    User dluser
    Group dlccp14a
    # UserAlias dl
    # AuthAliasOnly on
    RequireValidShell off
    MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
    # People uploading have to know to use ftp.
    # UserAlias anonymous ftp
    <Limit LOGIN>
      AllowAll
    </Limit>
    <Directory *>
      <Limit READ CWD>
        AllowAll
      </Limit>
      <Limit STOR MKD RMD DELE RNFR RNTO>
        DenyAll
      </Limit>
    </Directory>
  </Anonymous>
</VirtualHost>
Manually starting and stopping ProFTPD

To stop ProFTPD, as root type:

  killall proftpd

To start ProFTPD (and thus have it read a fresh /usr/local/etc/proftpd.conf), type:

  /usr/local/sbin/proftpd
Automatic Startup of ProFTPD on Boot

The work for automatic startup is pretty much identical to installing the Apache webserver.
What can be said, whatever family that IRIX UNIX comes from, it sucks and it is no wonder Bill Gates is a billionaire selling Windows. Putting something in to automatically start up is not that trivial and the following is a possibly dodgy implementation.

Basically, it seems it is common just to copy the lpd daemon script in the /etc/init.d directory (which then has a link put to it from the /etc/rc2.d directory), then edit in ProFTPD and edit out LPD. Thus, as root, go into the /etc/init.d directory and copy the relevant file; in this case on the CCP14 server:

  cp bsdlpr proftpd

Make sure it is executable (chmod +x proftpd). Change the script so you pretty much get something like the following (start-script.txt). Then type:

  ln -s /etc/init.d/proftpd /etc/rc2.d/S63proftpd

(giving the link a number after the LPR daemon, showing the order it will be started up in). Then (still as root), type:

  cp /etc/config/bsdlpr /etc/config/proftpd

Then type:

  ln -s /etc/config/proftpd /var/config/proftpd

In theory, /etc/chkconfig can then be used to check on the status of things. If proftpd does not appear when typing chkconfig, try chkconfig proftpd on. (Summary of all of this: the next killer apps for UNIX will be "c:\config.sys" and "c:\autoexec.bat". Though FreeBSD UNIX is a more civilised option.)

PS: If you wish to have proftpd started under inetd, the following is more appropriate: "Then I changed the line in /etc/inetd.conf from:

  ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a

to:

  ftp stream tcp nowait root /usr/sbin/tcpd in.proftpd"
ftpshut

Date: Thu, 28 Oct 1999 08:29:12 -0400 (EDT)
From: "Andrew C. Ohnstad" [[email protected]]
To: [email protected]
Subject: Re: Autostart/stop ftp

Just delete the file /etc/shutmsg when you want the server to start back up.

=-=Andrew
"Traveling At The Speed of Thought" --- Teenage FanClub

On Thu, 28 Oct 1999, Saunders, Shawn wrote:

> We would like to setup Proftpd to automatically shutdown when we do backups
> (with messaging to clients that FTP will not be available for a while) and
> then restart after the backup is complete.
>
> Now it appears that we have a utility called ftpshut that will do the
> shutdown part nicely. Any suggestions on the startbackup procedure? Or is
> there a utility or facility I have missed.
>
> Shawn Saunders
Investigating the possibility of allowing users to change passwords themselves via FTP-only accounts

Refer:
Re: [ProFTPD] DefaultRoot configuration and security...

To: [email protected]
Subject: Re: [ProFTPD] DefaultRoot configuration and security...
From: Jean-Marc Monnez [[email protected]]
Date: Mon, 04 Dec 2000 10:00:25 +0100
Organization: AGORA38

I am new on this list, and for my first posting I say hello to all of you.

I use proftpd on AIX, and for users I want to be jailed to their home dirs, these users have to give a password. They won't have to telnet to a shell, but they need to be able to change this password, so I replaced for these users the usual /usr/bin/ksh in /etc/passwd by the command /usr/bin/passwd. It works fine, and this way the only thing they may try with telnet is to change their password.

HTH. Regards.
--
JMM

Robert Sweet wrote :
> I found the list archive, I now have the users jailed to
> their home directories. What is the best way to strip them
> of shell access? I have read that shell /bin/false is not
> the way to do it...? Can someone point me in a direction to
> find the info or help me out. I am setting up ftp access to
> our internet server for clients to upload files to. These
> clients only need ftp access. Is the best way to create a
> user on the system or can it all be done through proftpd?
> tia.
>
> --
> [email protected] | The revolution will not be
> -o) | televised.
> Linux, the Choice /\ |
> of a GNU generation _\_v |
To: [email protected]
Subject: Re: [ProFTPD] Is it possible ?
From: Michael Grabenstein [[email protected]]
Date: Fri, 07 Apr 2000 09:29:43 -0400

Irwan Hadi wrote:
> First of all I want to thank you for your reply, but my question is what is
> the meaning of "the same format ?"
> so I make a list of
> username:password::::/homedir/
> how about the password ? can it be encrypted or not ?
> if it *can* be encrypted, with which tool should I encrypt it then.
>

Yes that would be the format... I use Perl to encrypt the password, or if you already have a /etc/passwd to start with, then just copy it...

An alternative easy way to do this is to encrypt a password and keep the encrypted version around. Like: change your password to 'ABC123', then as you create users in the alternate passwd file, paste the encrypted form of that password into the new logon entry. And instruct the new user to change their password as soon as they first FTP to the system, or change it for them via FTP and give them the new password. :-) BTW: once you have the encrypted version of 'ABC123' feel free to change your password back. :-)

Attached is a simple Perl script that will encrypt a plain text password sent to it... Mark, please feel free to add this to the FAQ. TIA.

I don't believe proftp has a way of using plain text passwords in the password file, but Mark can correct me if I am wrong. :-)

Later,
Mike

#--- Start Cut after this line
#!/usr/bin/perl
use Getopt::Std;
use vars qw($opt_h $opt_p $opt_s);

# getopts() (not getopt()) understands the "hp:s:" spec:
# -h is a bare flag, -p and -s each take an argument
getopts("hp:s:");

my ($salt);

if ( (defined($opt_h)) || (! defined($opt_p)) ) {
    print "Usage: $0 -hps\n";
    print "\t-h -- This Usage message\n";
    print "\t-p <password> -- The password to encrypt\n";
    print "\t-s <salt> -- The salt to use, optional\n\n";
    exit (166);
}

# Use the supplied salt, otherwise make up a random two-character one
if (defined($opt_s) && $opt_s =~ /(\w+)/) {
    $salt = $1;
} else {
    my $chr = chr(int(rand(26)+65));
    $salt = $chr;
    $chr = chr(int(rand(26)+97));
    $salt .= $chr;
}

print crypt($opt_p, $salt) . "\n";
exit (0);
# -- Stop here. Don't get the signature at the bottom...
To: [email protected]
Subject: Re: [ProFTPD] Allowing FTP, but denying telnet
From: Justin Shore [[email protected]]
Date: Tue, 15 Feb 2000 13:36:46 -0600

If you set up ProFTPd to require a valid login shell, it parses /etc/shells to see if user X's shell is among that list. If it is then it considers them to have a valid shell. If it's not, then you'll have to list it. /etc/shells is a plain text file with the full path to a given shell on each line. I'd also recommend using /bin/false.

Do you want the user to be able to change his password? If so, then there's another trick that's been used a lot. Make his shell /bin/passwd. Then whenever he telnets in he's instantly given the prompt to change his password. This would only allow them access to change their password. I would highly recommend using ssh if you're going to do that though (as a matter of fact, use ssh only. Trash telnet). Again, /bin/passwd would have to be listed in /etc/shells if you told ProFTPd to require a valid shell (I can't remember the directive off the top of my head).

HTH
Justin

At 6:57 PM +0000 2/15/00, James Lewis wrote:
> How can I easily add a user, then allow them ftp access, but deny them telnet
>
> (I've tried changing their login shell to /dev/null but this also
> denies them FTP)
>
> Many thanks

--
Justin Shore
K-State Linux Distro Mirror, Sysadmin
[email protected]
http://vinnie.ksu.ksu.edu/mirror/rpm2html
ftp://vinnie.ksu.ksu.edu/pub/mirror/linux
Changing Passwords on behalf of Users (ProFTPD can use alternative password files)

From: "Sebastian Wolfgarten" [[email protected]]
To: [[email protected]]
Subject: AW: [ProFTPD] Help with updating passwords for users
Date: Fri, 20 Oct 2000 21:55:16 +0200

Hi Mike,

take a look at your proftpd.conf file. In SuSE Linux it's proftpd.conf in /etc/. Run "locate proftpd.conf" to see where it really is... Open this file with your favourite editor ("joe proftpd.conf" for example) and there should be a section with "AuthUserFile" and "AuthGroupFile". In these files you will find the users with their passwords. If it is not in use (meaning it has a "#" before it) then maybe you use an SQL database to revalidate the users... you must make an update to the database then. Hmm, if you use "AuthUserFile" then just type in the shell "passwd username" to change the user's password.

If you need more assistance just write me a mail... maybe post parts of your proftpd.conf

Bye
Sebastian, nexxium interactive gmbh
www.nexxium.de
Time Stamp Problems with ProFTPD

Date: Fri, 20 Oct 2000 19:28:23 -0400
From: John Morrissey [[email protected]]
To: [email protected]
Subject: Re: [ProFTPD] Time stamp problems

On Fri, Oct 20, 2000 at 03:57:11PM -0500, Michael Tucker wrote:
% Note the difference in the apparent time stamp. It appears to be off by 5
% hours, which (I believe) is our offset from GMT here in Houston, Texas.
%
% The ftp server knows what time it is, though. I include the time in the
% login message, and it's correct.
%
% I'm running 1.2 (the CVS version from about August 15) on Solaris 8. I
% haven't noticed any other problems.

Somewhere along the line, proftpd was changed to display times in GMT; say 'TimesGMT off' in your proftpd.conf to display file times in your local time zone.

john
Creating Custom Password files
Limiting Uploads with ProFTPD

Date: Tue, 28 Sep 1999 16:27:19 -0400 (EDT)
From: Noah [[email protected]]
cc: [email protected]
Subject: Re: [ProFTPD] Limit disk space and amount of connections

On Tue, 28 Sep 1999, Drew Skinner wrote:
> Quotas on user upload capabilities are specified at the system level. Run
> a man page on quota then enable quota against the ufs/xfs file system.

or you can use proftpd's mod_quota: ftp://pooh.urbanrage.com/pub/c/mod_quota.c

--noah
PHP/CGI Script for ftpwho?

Date: Wed, 6 Jun 2001 19:32:16 -0700 (Pacific Daylight Time)
From: Vince LaMonica [[email protected]]
To: [[email protected]]
Subject: Re: [Proftpd-user] PHP/CGI Script for ftpwho?

On Wed, 6 Jun 2001, h3rb wrote:
} Is there a php/cgi script that will display the results for ftpwho? Like
} who's connected. What they are uploading/downloading. Their bandwidth, or
} percent completed? Would this be hard to write? I am by no means a

Well, a *very* simplistic solution would be to use the passthru() function:

  <?php passthru('ftpwho'); ?>

I'd enclose the above in a formatted part of the page. The above "code" simply passes the output of the ftpwho command to the w3 page. You can get much fancier, like having the page auto-update [simple HTML via meta-refresh].

HTH,
/vjl/
hosts.allow/hosts.deny when running ProFTPD in inetd mode - not the case here

From: "MacGyver" [[email protected]]
To: [[email protected]]
Subject: RE: [ProFTPD] Listening on only one interface
Date: Tue, 5 Oct 1999 03:18:06 -0500

[email protected]
> > IMO, it's not ProFTPD's place to handle the inetd scenario.
>
> Then, DefaultServer has to be on by default when running in inetd mode as
> stock inetd binds to all interfaces - and ProFTPd serves only the primary
> one without using DefaultServer.
>

Nope.

> > You can use tcp_wrappers to accomplish what you're looking for.
>
> Not really, as always the primary hostname (and not the FQDN of
> the specific
> interface a client connects to) is displayed in the welcome message. I
> thought about ipchains-filtering away all ports 21 other than the
> ftp.foobar.com interface, but this doesn't solve this problem
> (besides: this
> is a real hack).
>

Nope. Simply put, in /etc/hosts.allow:

  [email protected]: ALL: twist /usr/sbin/in.proftpd -c pick.your.virtual.host.proftpd.conf

Done. Simple, efficient, and works. Use a different conf file for each virtual host. This will accomplish what you're looking to do.
ProFTPD INIT Script

Date: Tue, 5 Oct 1999 11:22:35 +0100 (BST)
From: Mark Lowes [[email protected]]

The entity claiming to be Daniel Roesen wrote...
> Anyone written this yet? Perhaps this should be included in the tarball...

Something which might be of use is the script I knocked up for use here. I'm sure someone will tell me it can be done more gracefully :)

Mark

#!/bin/sh
#
# ProFTPD init script
#
# stop and start do exactly what they say
# buildconfig - Creates config and tests (using configtest patch)
# reconfig - rolls a new config into place and restarts the server
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
VAR=/var/run/proftpd
NAME=proftpd
DESC=Proftpd

#
# Build a new config with the site's generator and syntax-check it
#
buildconfig() {
    echo "Creating new config and testing"
    echo ""
    cd /var/conf/ftp
    ./rc.ftp.pl
    if [ -f /etc/proftpd.conf.new ]
    then
        proftpd --configtest -c /etc/proftpd.conf.new
    fi
}

#
# Roll a tested .new config into place, keeping the old one as .old
#
reconfig() {
    if [ -f /etc/proftpd.conf.new ]
    then
        echo "Installing new config and reloading server"
        echo ""
        cd /etc/
        mv proftpd.conf proftpd.conf.old
        mv proftpd.conf.new proftpd.conf
        echo "new proftpd.conf loaded"
    fi
}

#
# Find proftpd pid
#
cd $VAR
for i in proftpd-*
do
    pid=`echo $i | sed "s/proftpd\-//"`
    if [ -d /proc/$pid/ ]
    then
        # the first word of the process command line must be 'proftpd'
        if [ "`cat /proc/$pid/cmdline | sed -e 's/ .*//'`" = 'proftpd' ]
        then
            MasterPid=$pid
            echo "Master PID == $MasterPid"
        fi
    fi
done

case "$1" in
  start)
    echo -n "Starting $DESC: "
    reconfig
    /usr/local/sbin/proftpd
    echo "Done"
    ;;
  stop)
    echo -n "Stopping $DESC: "
    killall proftpd
    echo "Done"
    ;;
  reconfig|reload)
    echo -n "Reconfiguring $DESC "
    reconfig
    kill -HUP $MasterPid
    echo "Done"
    ;;
  buildconf|buildconfig)
    echo -n "Building config for $DESC "
    buildconfig
    ;;
  restart)
    echo -n "Restarting $DESC: "
    kill -HUP $MasterPid
    echo "Done"
    ;;
  *)
    N=/etc/rc.d/init.d/$NAME
    # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $N {start|stop|restart|reconfig|reload}" >&2
    exit 1
    ;;
esac

exit 0
Another ProFTPD INIT Script

#!/bin/sh
#
# Startup script for ProFTPD
#
# chkconfig: 345 85 15
# description: ProFTPD is a highly configurable ftp daemon for unix
#              and unix-like operating systems HTML files and CGI.
# processname: proftpd
# config: /etc/proftp.conf

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
    echo -n "Starting proftpd: "
    daemon proftpd
    echo
    touch /var/lock/subsys/proftpd
    ;;
  stop)
    echo -n "Shutting down proftpd: "
    killproc proftpd
    echo
    rm -f /var/lock/subsys/proftpd
    ;;
  status)
    status proftpd
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
esac

exit 0
Another, Another ProFTPD INIT Script - SysV-Init-Script (RedHat 6.0)

proftpd.init.d

#!/bin/sh
#
# Startup script for ProFTPd
#
# chkconfig: 345 85 15
# description: ProFTPD is an enhanced FTP server with \
#              a focus toward simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#              and a highly customizable server infrastructure, \
#              including support for multiple 'virtual' FTP servers, \
#              anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /etc/proftp.conf
#
# By: Osman Elliyasa
I really need the syntax, context, and defaults for some undocumented config directives:

Module: ratio
  Ratios
  UserRatio
  GroupRatio
  AnonRatio
  HostRatio

Module: auth
  LoginPasswordPrompt
  DefaultChdir
  UserDirRoot

Module: core
  DisplayQuit
  DisplayGoAway
  CommandBufferSize
  AllowFilter
  DenyFilter
  DefaultTransferMode
  Class
  Classes

Module: ls
  ShowDotFiles

Module: pam
  AuthPAMAuthoritative
  PAMConfig

Module: readme
  DisplayReadme

Module: sample
  FooBarDirective

What are the modules mod_tar and mod_test?

Best regards,
Anton
mailto:[email protected]
Hampster's ProFTPD conf file

ServerName "Frostbite FTPserver"
#ServerType inetd
ServerType standalone
DeferWelcome on
Port 21
Umask 002
User ftp
Group ftp
TransferLog /var/spool/syslog/proftpd/xferlog.legacy
DefaultRoot /ftp/ftp.linux.co.uk
TimeoutLogin 120
TimeoutIdle 600
TimeoutNoTransfer 900
TimeoutStalled 3600
ScoreboardPath /var/run/proftpd
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
UseReverseDNS off

<Global>
  DisplayLogin welcome.msg
  DisplayFirstChdir readme
  AllowOverwrite yes
  AccessGrantMsg "Welcome to Tux's kingdom oh chilly %u"
  DisplayConnect /ftp/ftp.linux.co.uk/login.msg
  #
  # Turn off Ident lookups
  #
  IdentLookups off
  #
  # file/dir access
  ExtendedLog /var/spool/syslog/proftpd/access.log WRITE,READ write
  # Log logins
  ExtendedLog /var/spool/syslog/proftpd/auth.log AUTH auth
  # Log absolutely every f*cking thing
  ExtendedLog /var/spool/syslog/proftpd/fascist.log ALL default
  ServerIdent on "Linux.co.uk server"
</Global>

<Limit LOGIN>
  DenyAll
</Limit>

# ----------------------------------------------------
# ftp.linux.co.uk ("Linux.co.uk FTP Archive")
# Contact : [email protected]
#
<VirtualHost 195.200.4.15>
  ServerAdmin [email protected]
  ServerName "Linux.co.uk FTP Archive"
  TransferLog /var/spool/syslog/xfer/ftp.linux.co.uk
  MaxLoginAttempts 3
  RequireValidShell no
  DefaultRoot /ftp/ftp.linux.co.uk
  User linux
  Group linux
  AllowOverwrite yes
  DefaultServer yes
  DefaultChdir /ftp/ftp.linux.co.uk/mirrors
  LoginPasswordPrompt off
  DisplayReadme README
  #DisplayLogin welcome.msg

  <Anonymous /ftp/ftp.linux.co.uk>
    User ftp
    Group ftp
    UserAlias anonymous ftp
    RequireValidShell no
    MaxClients 20
    AccessGrantMsg "Welcome to Tux's kingdom oh chilly anonymous user"
    <Directory pub/incoming/*>
      <Limit ALL>
        DenyAll
      </Limit>
    </Directory>
    <Directory pub/ftech/*>
      <Limit ALL>
        Order Deny,Allow
        Allow 212.32.5.0/26
        Allow 212.32.4.0/24
        Allow 212.32.17.0/24
      </Limit>
    </Directory>
    <Directory pub/incoming/*>
      <Limit STOR>
        AllowAll
      </Limit>
      <Limit WRITE DIRS READ>
        DenyAll
      </Limit>
      <Limit CWD XCWD CDUP>
        AllowAll
      </Limit>
    </Directory>
  </Anonymous>

  <Limit ALL>
    AllowUser linux
    DenyAll
  </Limit>
</VirtualHost>
Another Example Config file

############ My proftpd.conf:
ServerType standalone
User nobody
Group nobody
MaxInstances 30
TimeoutStalled 300
AllowRetrieveRestart on
AllowStoreRestart on
AuthAliasOnly on
CommandBufferSize 20
DefaultRoot ~/ftpd
DefaultServer on
DeferWelcome on
SystemLog /var/log/ftpd/proftpd.log
ExtendedLog /var/log/ftpd/auth.log AUTH auth
ExtendedLog /var/log/ftpd/access.log READ,WRITE write
ExtendedLog /var/log/ftpd/all.log ALL
TransferLog /var/log/ftpd/xfer.log
SyslogLevel debug
HiddenStor on
# The whole format is one quoted argument; inner quotes must be escaped as \"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat write "%h %l %u %t \"%r\" %s %b"
MaxClients 5
MaxClientsPerHost 3
PathDenyFilter "(.ftpaccess)|(.htaccess)$"
Port 21
Umask 022

<Directory /*>
  AllowOverwrite on
</Directory>

UserAlias anonymous karel

<Anonymous /var/ftpd>
  User karel
  Group karel
  AuthAliasOnly on
  MaxClients 10
  RequireValidShell no
  AllowRetrieveRestart on
  AllowStoreRestart on

  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>

  <Directory upload>
    <Limit READ WRITE>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

<Limit LOGIN>
  AllowAll
</Limit>

<Global>
  # on/off
  AllowOverwrite off
  # on/off
  AllowRetrieveRestart on
</Global>
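Both configuration files above use the same nested `<Block>` ... `</Block>` syntax. The following Python script is an added example (not ProFTPD's own parser and not from this page's author): it reads that structure into a tree, resolves which settings a server context sees (its own directives, else those in `<Global>`), and flags `AllowForeignAddress on` in any server context that also carries an `<Anonymous>` block, so that the directive stays confined to a virtual host for authenticated users. `SAMPLE_CONF` is constructed for the demonstration, and the first-match and `<Global>` merge rules are a simplification of ProFTPD's real precedence.

```python
"""Parse the Apache-style block structure of a proftpd.conf and flag
AllowForeignAddress in a server context that also serves anonymous logins.

Added example for this page, not ProFTPD's own parser. SAMPLE_CONF is
constructed; merge rules are simplified (first setting in a block wins,
<Global> applies to every server context).
"""
import re
import shlex

OPEN_RE = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


class Block:
    def __init__(self, kind, arg="", parent=None):
        self.kind, self.arg, self.parent = kind, arg, parent
        self.directives = []      # (name, [args]) in order of appearance
        self.children = []

    def find(self, kind):
        """Depth-first over descendant blocks of one kind."""
        for child in self.children:
            if child.kind == kind:
                yield child
            yield from child.find(kind)

    def get(self, name):
        """Arguments of the first directive called `name` here, else None."""
        for dname, args in self.directives:
            if dname.lower() == name.lower():
                return args
        return None


def parse_config(text):
    """Build the block tree; ValueError on unbalanced <...> / </...>."""
    root = current = Block("main")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            current = Block(m.group(1), m.group(2) or "", current)
            current.parent.children.append(current)
        elif m := CLOSE_RE.match(line):
            if current.kind != m.group(1):
                raise ValueError(f"</{m.group(1)}> closes an open <{current.kind}>")
            current = current.parent
        else:
            parts = shlex.split(line)     # honours "quoted args" and \" escapes
            current.directives.append((parts[0], parts[1:]))
    if current is not root:
        raise ValueError(f"unterminated <{current.kind}>")
    return root


def server_contexts(root):
    """The main server plus each <VirtualHost>: the units that own an address."""
    return [root] + list(root.find("VirtualHost"))


def effective(root, ctx, name):
    """What a server context sees: its own setting, else the <Global> one."""
    value = ctx.get(name)
    if value is None:
        for g in root.find("Global"):
            value = g.get(name)
    return value


def foreign_address_with_anonymous(root):
    """Server contexts with AllowForeignAddress on that also hold an <Anonymous>
    block; keeping that directive on its own virtual host confines it to the
    authenticated (e.g. ssh-tunnelled) users who need it."""
    flagged = []
    for ctx in server_contexts(root):
        value = effective(root, ctx, "AllowForeignAddress")
        has_anon = any(b.kind == "Anonymous" for b in ctx.children)
        if value and value[0].lower() in ("on", "yes", "true") and has_anon:
            flagged.append(ctx.arg or "main server")
    return flagged


SAMPLE_CONF = """\
# Constructed sample for this example, not a config from the page
ServerType standalone
<Global>
  IdentLookups off
</Global>
<VirtualHost 192.0.2.10>
  AllowForeignAddress on
  <Anonymous /ftp/pub>
    User ftp
  </Anonymous>
</VirtualHost>
<VirtualHost 192.0.2.11>
  ServerName "Tunnelled users only"
  AllowForeignAddress on
  <Limit LOGIN>
    AllowUser alice
    DenyAll
  </Limit>
</VirtualHost>
"""

if __name__ == "__main__":
    print(foreign_address_with_anonymous(parse_config(SAMPLE_CONF)))  # ['192.0.2.10']
```

Run it against a real file with `parse_config(open(path).read())`; the parser refuses unbalanced blocks, which is also a cheap sanity check before restarting the daemon.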
Date: Sun, 21 Nov 1999 21:01:10 +0000 (GMT)
From: The Flying Hamster [[email protected]]
To: [email protected]
Subject: Re: [ProFTPD] Modules? Where?

On Tue, 16 Nov 1999, Patrick Maartense wrote:
> Quick Question..
> Where to get extra Modules for Proftpd??

Pretty much all the modules are included in the source distribution. The modules in the pre9 tarball are:

  contrib/mod_ldap.c
  contrib/mod_linuxprivs.c
  contrib/mod_mysql.c
  contrib/mod_pgsql.c
  contrib/mod_ratio.c
  contrib/mod_sqlpw.c
  doc/mod_sample.c
  modules/mod_auth.c
  modules/mod_core.c
  modules/mod_linuxprivs.c
  modules/mod_log.c
  modules/mod_ls.c
  modules/mod_pam.c
  modules/mod_pgsql.c
  modules/mod_ratio.c
  modules/mod_readme.c
  modules/mod_site.c
  modules/mod_tar.c
  modules/mod_test.c
  modules/mod_unixpw.c
  modules/mod_xfer.c

The default compilation includes the following modules:

  library:~# proftpd -l
  Compiled-in modules:
    mod_core.c
    mod_auth.c
    mod_xfer.c
    mod_site.c
    mod_ls.c
    mod_unixpw.c
    mod_log.c

To include additional modules do something like:

  ./configure --with-modules=mod_readme:mod_ldap
  make
  make install

etc etc

Mark
--
This is a sig, it's not a smart sig or an AI sig, but it's a sig to replace the sig that died during the death of data... the sig is dead, long live the sig
Also refer to: Secure FTP transfers via Secure Shell Tunnelling
Date: Mon, 22 Nov 1999 12:52:37 +0200 (EET)
From: typo [[email protected]]
To: [email protected]
Subject: Re: [ProFTPD] sniffable passwords on linux and freebsd3.3-stable

On Mon, 22 Nov 1999, Lachlan Cranswick wrote:
> >o Tunnel your ftp traffic through ssh whenever possible (!!!)
>
> Is there a web-page on how you would do this with the GUI based
> FTP client programs connecting to a ProFTPD server?

(assuming you're using windows to connect to a *nix server)

1. Launch SSH.
2. Go to the preferences and click on the tab 'forwarding' (or 'tunneling' in the new SSH2).
3. Select 'local' forwarding (all connections to the specified port on the local computer will be forwarded over the SSH connection to the specified port on the remote computer), port 21 on both local and remote computer (or, if the remote ftp server is using some other port, change that remote port accordingly) and fill in the remote computer's name/IP.
4. Connect to the remote computer with SSH.
5. Launch your FTP client and connect to your localhost, with the remote server's login name and password and you're all set. Everything is now tunneled through the SSH secure connection.

If you're using *nix - *nix connections, read through SSH man pages and look for the -L option (local forwarding).

Securing FTP traffic over an SSH connection when connecting to a Windows FTP server is a bit more cumbersome and I won't cover it here. Just use Linux/Unix ;)

.pi.
--
Petteri Lyytinen -+- [email protected] -+- http://vapaa.intternetti.com/~typo
Once you stop trying, you can start succeeding.
Date: Mon, 22 Nov 1999 12:16:33 +0100 (MET)
From: "V. T. Mueller" [[email protected]]
To: [email protected]
Subject: Re: [ProFTPD] sniffable passwords on linux and freebsd3.3-stable

The only caveat is that this only works for ftp clients that support ftp-sessions over *one port only*. If I don't mix it up that's called passive ftp, where active ftp opens one port for control and one for data. Of course ssh doesn't know anything about that second port and any ftp-session attempt will fail until the client is told to work in passive mode (which is not the default).

Regards,
Volker
Date: Mon, 22 Nov 1999 16:56:22 +0000 (GMT)
From: The Flying Hamster [[email protected]]
cc: [email protected]
Subject: Re: [ProFTPD] sniffable passwords on linux and freebsd3.3-stable

On Mon, 22 Nov 1999, Leho Kraav wrote:
> On Mon, 22 Nov 1999 12:16:33 +0100 (MET), you -> about "Re: [ProFTPD] sniffable
> passwords on linux and freebsd3.3-stable":
>
> >The only caveat is that this only works for ftp clients that support
> >ftp-sessions over *one port only*. If I don't mix it up that's called
> >passive ftp, where active ftp opens one port for control and one for data.
>
> AFAIK, that is incorrect. FTP works over two ports, in passive and in active
> mode. Passive mode is when the FTP server is set to listen for the client to
> specify the data connection port, so that the firewalls would let the data
> through on that port. In normal operation, FTP server sends the client
> information on what port to listen to.

[few minutes reading later...]

Passive Mode connections work the same way as normal (Active Mode) connections, except the data connection is also made from the client to the server ie made to port ftp-data (20). This avoids the problem of incoming data connections being blocked by the firewall by making both connections from the client.

What it boils down to is

Active
  control channel, port 21
  data channel, server specifies random port

Passive
  control channel, port 21
  data channel, port 20

I guess it's doc time :)

Mark
--
This is a sig, it's not a smart sig or an AI sig, but it's a sig to replace the sig that died during the death of data... the sig is dead, long live the sig
SSH Tunnelling via ProFTPD
I see the following logins that are nearly immediately disconnected. Is ProFTPD kicking people off?
Nov 26 15:48:34 5E:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:37 5D:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
Nov 26 15:48:41 5E:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:43 5D:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
Nov 26 15:48:48 5E:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:50 5D:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.

Things are possibly OK here. Programs like the lynx ASCII terminal based web-browser behave like this: after a directory listing, lynx disconnects, and if the user decides to continue it logs in again to do another directory listing.
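The pattern of a login followed within a few seconds by "FTP session closed" is easy to check mechanically. As an added example (not part of ProFTPD or of this page's original text), the Python below pairs the login and close lines by process ID, which is what ties a ProFTPD session together in the log, then reports each session's duration and the number of sessions per client. `SAMPLE_LOG` is the six lines quoted above; because syslog lines carry no year, durations are computed from month, day and time only.

```python
"""Pair ProFTPD 'Login successful' / 'FTP session closed' syslog lines by PID
and report how long each session lived.

Added example for this page, not part of ProFTPD. SAMPLE_LOG is the six
lines quoted above; syslog omits the year, so durations come from
month/day/time only (sessions are assumed not to span a year boundary).
"""
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# "Nov 26 15:48:34 5E:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful."
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"(?P<server>\S+) \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<kind>\w+) (?P<user>\S+): Login successful\.$")

Event = namedtuple("Event", "when pid host ip msg")
Session = namedtuple("Session", "pid host ip user seconds")


def parse_lines(lines):
    """Yield an Event for every line in ProFTPD's syslog format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["stamp"], "%b %d %H:%M:%S")  # year defaults to 1900
        yield Event(when, int(m["pid"]), m["host"], m["ip"], m["msg"])


def pair_sessions(events):
    """Each ProFTPD session is one child process, so the PID links login to close."""
    open_logins = {}
    sessions = []
    for ev in events:
        login = LOGIN_RE.match(ev.msg)
        if login:
            open_logins[ev.pid] = (ev, login["user"])
        elif ev.msg == "FTP session closed." and ev.pid in open_logins:
            start, user = open_logins.pop(ev.pid)
            delta = ev.when - start.when
            if delta < timedelta(0):          # close stamped after midnight
                delta += timedelta(days=1)
            sessions.append(Session(ev.pid, start.host, start.ip, user,
                                    int(delta.total_seconds())))
    return sessions


def short_sessions(sessions, max_seconds=5):
    """Sessions that closed within max_seconds of a successful login."""
    return [s for s in sessions if s.seconds <= max_seconds]


def sessions_per_client(sessions):
    """Sessions per client IP: one client reconnecting every few seconds
    (lynx-style) looks very different from many clients all dropping."""
    return Counter(s.ip for s in sessions)


SAMPLE_LOG = """\
Nov 26 15:48:34 5E:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:37 5D:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
Nov 26 15:48:41 5E:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:43 5D:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
Nov 26 15:48:48 5E:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:50 5D:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
""".splitlines()

if __name__ == "__main__":
    found = pair_sessions(parse_lines(SAMPLE_LOG))
    for s in short_sessions(found):
        print(f"pid {s.pid}: {s.user}@{s.ip} ({s.host}) lasted {s.seconds}s")
    print(sessions_per_client(found))
```

One client reconnecting every few seconds, as here, is consistent with a browser or lynx logging in afresh for each listing; many distinct clients all dropping within seconds of login would point at the server side instead.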
From: "Thomas Gelf" [[email protected]]
To: [[email protected]]
Subject: Re: [Proftpd-user] Proftpd on Solaris 8
Date: Fri, 6 Apr 2001 00:22:16 +0200

denis> 500 Illegal PORT command.
denis> 425 Can't build data connection: Connection refused

hmmm... this happens when I try to connect to any FTP Server if I am behind a router or firewall doing NAT (masquerading) for me. you should configure your client to use PASV mode.

is this a general ftp/nat problem? and is there any other solution instead of using passive mode?
From: "Thomas Gelf" [[email protected]]
To: [[email protected]]
Subject: AW: [Proftpd-user] Proftpd on Solaris 8
Date: Fri, 6 Apr 2001 00:25:53 +0200

TJ.> These messages are saying the PORT command issued by your client is for an
TJ.> IP address different from that of the client. To allow this, you
TJ.> specifically need to set "AllowForeignAddress on" in your proftpd.conf.

hmmm... allowing foreign addresses should fix this? if you have been masqueraded too? I don't think that enabling this would be a good idea...
Date: Thu, 5 Apr 2001 22:54:22 +0000 (GMT)
From: TJ Saunders [[email protected]]
X-Sender: [email protected]
To: [email protected]
Subject: Re: AW: [Proftpd-user] Proftpd on Solaris 8

tj>Depends...using AllowForeignAddress works, but only if the IP addresses
tj>involved are not RFC 1918 non-routable addresses. ;)

Ack...I misspoke myself. The reason I suggested AllowForeignAddress is that that particular error message, "(address mismatch)", can many times be resolved using AllowForeignAddress -- but that raises other considerations, as mentioned in the docs:

http://www.proftpd.org/docs/configuration.html#AllowForeignAddress

The use of RFC 1918 addresses is a different issue. My apologies for adding any confusion...=/

TJ
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Axioms in philosophy are not axioms until they are proved upon our pulses: we read fine things but never feel them to the full until we have gone the same steps as the author.
John Keats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Mike McFaul [[email protected]]
Subject: Re: [Proftpd-user] Proftpd on Solaris 8
To: [email protected]
Date: Thu, 5 Apr 2001 22:26:00 -0400 (EDT)

Part of the problem is IPv6 and solaris 8. Change your inetd.conf file to show 'tcp' as the service type, not 'tcp6'. This will allow proftpd to resolve the foreign addresses properly.

Proftpd really should have IPv6 support soon, or the install instructions should mention this problem....

>
> Hello,
>
> I try to install proftpd-1.2.0pre10 on a SUN Ultra 10 under Solaris 8.
> I use the basic.conf file. When I would like to see what is there on the
> ftp directory (toto), I have the message following:
>
> 220 ProFTPD 1.2.0pre10 Server (ProFTPD Default Installation) [boracay]
> Name (boracay:root): ftptest
> 331 Password required for ftptest.
> Password:
> 230 User ftptest logged in.
> ftp> pwd
> 257 "/toto" is current directory.
> ftp> ls
> 500 Illegal PORT command.
> 425 Can't build data connection: Connection refused
> ftp> put TCP1266
> 500 Illegal PORT command.
> ftp> quit
> 221 Goodbye.
>
> I have the same message when I want to put a file in this directory.
>
> In the log, I have the following message:
>
> (0.0.0.0[0.0.0.0]) - Refused PORT 192,168,4,8,133,199 (address
> mismatch).
> Apr 5 23:40:56 boracay proftpd[5389]: [ID 567783 daemon.warning]
> boracay (0.0.0.0[0.0.0.0]) - Refused PORT 192,168,4,8,133,200 (address
> mismatch).
> Apr 5 23:41:12 boracay proftpd[5389]: [ID 567783 daemon.notice] boracay
> (0.0.0.0[0.0.0.0]) - FTP session closed.
>
> In advance thank you for your help. This is the second night I worked
> on.
>
> Best regards.
>
> Denis.
>
> _______________________________________________
> ProFTPD Users List
> [[email protected]]
> http://lists.sourceforge.net/lists/listinfo/proftp-user
>

--
Mike McFaul -- phone: 520-2600 ext 3708 -- email: [email protected]
Date: Fri, 6 Apr 2001 03:41:40 +0000 (GMT)
From: TJ Saunders [[email protected]]
To: [email protected]
Subject: Re: [Proftpd-user] Proftpd on Solaris 8

mikey>Part of the problem is IPv6 and solaris 8. Change your inetd.conf file
mikey>to show 'tcp' as the service type, not 'tcp6'. This will allow proftpd
mikey>to resolve the foreign addresses properly.
mikey>
mikey>Proftpd really should have IPv6 support soon, or the install
mikey>instructions should mention this problem....

IPv6 support will definitely be in the 1.3.x devel tree. In the meantime, there is a post that mentions an IPv6 patch for ProFTPD:

http://www.proftpd.org/proftpd-devel-archive/00-10/msg00156.html

Hope this helps...

TJ
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Universe is change; life is opinion.
-Marcus Aurelius
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Another idea if Netscape or Internet Explorer cannot browse your anonymous FTP area

Date: Thu, 12 Apr 2001 20:51:52 +0100
From: The Flying Hamster ([email protected])
To: [email protected]
Subject: Re: [Proftpd-user] Additional information on using an HTTP browser

On Thu, Apr 12, 2001 at 03:31:49PM -0700, Lachlan Cranswick wrote:
>
> In terms of this being a ProFTPD problem(?). Are you using the latest
> release or CVS of ProFTPD?
>
> >From memory - Netscape (and maybe IE) use PASV mode for browsing
> FTP sites(?) - so any FTPD with a bug in the PASV mode could give
> problems with the browsers - that would not be easily
> reproducible with default FTP client software. A previous version
> of ProFTPD did have a problem with PASV - thus using the latest
> ProFTPD may cure the problem.

Hint for the day:

MultilineRFC2228 yes
Masquerading the IP Address behind a Firewall

Date: Fri, 13 Apr 2001 10:06:33 +0000 (GMT)
From: TJ Saunders <[email protected]>
To: [email protected]
Subject: Re: [Proftpd-user] Wrong IP address returned to incoming user?

blayde>(http://www.proftpd.org/docs/configuration.html) I tried a
blayde>few things, but couldn't seem to get it to work, would you
blayde>be inclined to send the syntax of the command?
blayde>
blayde>I would greatly appreciate it. :)

Sure. =) The syntax should be documented in the Configuration.html file, if you download the source code, under the doc/ subdirectory. Otherwise, it's:

MasqueradeAddress <dns-hostname>|<ip-address>

It should appear either in the main configuration content, or in a <VirtualHost> context. It's a fairly new directive (appeared in proftpd-1.2.2rc1), which is why it may not be on the website yet.

Hope this helps...

TJ
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Once more upon the waters! yet once more!
And the waves bound beneath me as a steed
That knows his rider.
-Lord Byron
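The "Refused PORT 192,168,4,8,133,199 (address mismatch)" lines in Denis's log, the active/passive discussion earlier on the page and the MasqueradeAddress syntax just above all turn on how the h1,h2,h3,h4,p1,p2 host-port string of RFC 959 is read and written. The Python below is an added example, not ProFTPD source: it decodes PORT arguments, applies the address-mismatch check with and without AllowForeignAddress (including the RFC 1918 case TJ raises), and builds the 227 passive-mode reply as MasqueradeAddress changes it. The control-connection peer addresses, the server address and the data port are constructed; MasqueradeAddress is modelled as an IP address only (the directive also accepts a hostname, which is not handled here).

```python
"""Decode FTP PORT arguments, apply the address-mismatch check behind the
"Refused PORT ... (address mismatch)" log lines, and build the 227 reply
that MasqueradeAddress changes.

Added example for this page, not ProFTPD source. Peer addresses, server
address and data port below are constructed; the PORT arguments are the
ones from Denis's log.
"""
import re

HOSTPORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def decode_hostport(arg):
    """'h1,h2,h3,h4,p1,p2' (RFC 959) -> ('h1.h2.h3.h4', p1*256 + p2)."""
    m = HOSTPORT_RE.match(arg.strip())
    if not m:
        raise ValueError(f"malformed host-port string: {arg!r}")
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in {arg!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport, used when building PASV replies."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def is_rfc1918(ip):
    """Private address space that a server on the Internet cannot route to."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def check_port_command(arg, control_peer_ip, allow_foreign_address=False):
    """Active mode: the client asks the server to connect back to ip:port.

    Returns (accepted, reason). The address must equal the peer of the control
    connection unless AllowForeignAddress is on. NAT rewrites the source of the
    control connection but not the address inside the PORT command, which is
    how a mismatch arises for a client behind a masquerading router."""
    ip, port = decode_hostport(arg)
    if ip == control_peer_ip:
        return True, f"data connection to {ip}:{port}"
    if not allow_foreign_address:
        return False, f"Refused PORT {arg} (address mismatch)"
    if is_rfc1918(ip):
        # Accepted, but unroutable: AllowForeignAddress does not help a NATed
        # client (TJ's RFC 1918 point above); passive mode does.
        return True, f"accepted foreign {ip}:{port}, but RFC 1918 addresses are unroutable"
    return True, f"data connection to foreign address {ip}:{port}"


def pasv_reply(server_ip, data_port, masquerade_address=None):
    """Passive mode: the server picks the data port and tells the client where
    to connect. With MasqueradeAddress the advertised address is the public
    one even though the socket is bound to server_ip behind the firewall."""
    advertised = masquerade_address or server_ip
    return f"227 Entering Passive Mode ({encode_hostport(advertised, data_port)})"


if __name__ == "__main__":
    # Constructed: the server sees the NAT box's address, the PORT carries 192.168.x.x
    for arg in ("192,168,4,8,133,199", "192,168,4,8,133,200"):
        print(check_port_command(arg, "203.0.113.7"))
        print(check_port_command(arg, "203.0.113.7", allow_foreign_address=True))
    # Behind a firewall, advertise the public address rather than the private one
    print(pasv_reply("10.1.1.5", 50000))
    print(pasv_reply("10.1.1.5", 50000, masquerade_address="203.0.113.9"))
```

133*256 + 199 is 34247, so the refused command asked the server to connect back to 192.168.4.8:34247, an address meaningful only inside Denis's own network. In passive mode the client instead connects out to the address and port the server advertises, which is why PASV is the usual fix behind NAT, and why a server that is itself behind a firewall needs MasqueradeAddress so that the advertised address is one the client can reach.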