Setup secure ProFTPd
Fri, 06/12/2009 - 14:42 — sandip
FTP can be secured by connecting over FTPS. Below is a configuration to support such a setup using TLS/SSL.
I usually use the epel repository to install proftpd:
yum --enablerepo=epel install proftpd
Configure for TLS/SSL connections:
<IfModule mod_tls.c>
  TLSEngine                on
  TLSRequired              off
  TLSRSACertificateFile    /etc/pki/tls/proftpd/server.cert.pem
  TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem
  TLSVerifyClient          off
  TLSRenegotiate           required off
  TLSLog                   /var/log/proftpd/tls.log
</IfModule>
chroot users to their home directory and bind the socket so the server listens on a single IP:
SocketBindTight on
DefaultRoot     ~
Set up the passive FTP port range inside the Global container:
<Global>
...
...
PassivePorts 50000 51000
</Global>
Create the certs:
mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem
Create /etc/pam.d/ftp so PAM can authenticate for proftpd:
#%PAM-1.0
auth    required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
Add "/bin/false" to the "/etc/shells" file and use it as the login shell when creating new FTP users:
useradd -s /bin/false <ftp_user>
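The steps above touch several directives whose values decide whether the server is actually protected, and the post's own configuration keeps TLSRequired off, which still lets a client log in over plaintext FTP. The following added example (my code, not the post's or the ProFTPD project's) audits a proftpd.conf for the TLS, chroot and passive-port settings covered above. The directive names are real ProFTPD directives; the sample configuration, its file paths and the audit script itself are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a proftpd.conf for the
# TLS, chroot and passive-port settings covered above. The directive names are
# real ProFTPD directives; the sample configuration and its paths are constructed.

# Constructed sample that mirrors the post's settings, written to a temp file.
SAMPLE_CONF="${TMPDIR:-/tmp}/proftpd.conf.sample.$$"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired off
  TLSRSACertificateFile /etc/pki/tls/proftpd/server.cert.pem
  TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem
  TLSVerifyClient off
</IfModule>
SocketBindTight on
DefaultRoot ~
<Global>
  PassivePorts 50000 51000
</Global>
EOF

# conf_get FILE DIRECTIVE: print the directive's value (first match, case-insensitive,
# comment lines ignored); print nothing if the directive is not set.
conf_get() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_conf FILE: print one finding per line; return 1 if anything was flagged.
audit_conf() {
    conf="$1"; rc=0

    [ "$(conf_get "$conf" TLSEngine)" = "on" ] ||
        { echo "FAIL: TLSEngine is not on, so FTPS is unavailable"; rc=1; }

    # TLSRequired off (the post's setting) still accepts plaintext FTP logins.
    tlsreq=$(conf_get "$conf" TLSRequired)
    [ "$tlsreq" = "on" ] ||
        { echo "WARN: TLSRequired is '${tlsreq:-unset}', not on; clients may log in without TLS"; rc=1; }

    [ -n "$(conf_get "$conf" TLSRSACertificateFile)" ] ||
        { echo "FAIL: TLSRSACertificateFile is not set"; rc=1; }
    [ -n "$(conf_get "$conf" TLSRSACertificateKeyFile)" ] ||
        { echo "FAIL: TLSRSACertificateKeyFile is not set"; rc=1; }

    [ "$(conf_get "$conf" DefaultRoot)" = "~" ] ||
        { echo "WARN: DefaultRoot is not ~, so users are not confined to their home directory"; rc=1; }

    # PassivePorts must be two numeric ports, low < high, so the firewall can be scoped to the range.
    set -- $(conf_get "$conf" PassivePorts)
    if [ $# -ne 2 ]; then
        echo "FAIL: PassivePorts is not set to a low/high pair"; rc=1
    elif [ "$1" -lt 1024 ] 2>/dev/null || [ "$2" -gt 65535 ] 2>/dev/null || ! [ "$1" -lt "$2" ] 2>/dev/null; then
        echo "FAIL: PassivePorts range $1-$2 is invalid"; rc=1
    fi
    return $rc
}

# Run the audit against the sample; it keeps the post's TLSRequired off, so one warning is expected.
audit_conf "$SAMPLE_CONF" || echo "audit: configuration needs attention"
```

Run it against the real file with `audit_conf /etc/proftpd.conf` after sourcing the script; a non-zero return means at least one directive was flagged. Matching on the first whitespace-separated token keeps the check independent of indentation and of the container (`<IfModule>`, `<Global>`) a directive sits in.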
Configure passive ports range for ProFTPd
Fri, 06/12/2009 - 14:23 — sandip
Usually, if a client is behind a firewall, it can only transfer files via a passive FTP connection.
Edit /etc/proftpd.conf and specify the passive port range. Place it in the 'Global' container:
<Global>
...
...
# Use the IANA registered ephemeral port range
PassivePorts 49152 65534
</Global>
Reference: proftpd.org
Load the ip_conntrack_ftp module and add the iptables rules, so the data ports are opened automatically for the connected client:
# /sbin/modprobe ip_conntrack_ftp
# lsmod | grep conntrack_ftp
ip_conntrack_ftp 41489 0
ip_conntrack     91237 4 xt_state,xt_conntrack,ip_conntrack_ftp,ip_conntrack_irc
Add the below iptables rules:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
If the server is behind NAT, the ip_nat_ftp module should also be loaded:
# /sbin/modprobe ip_nat_ftp
Force ProFTPD to listen on only one IP
Sun, 02/24/2008 - 00:10 — sandip
It's not quite as clean as the socket binding under Apache, but the principle works something like this.
In standalone mode, to listen on the primary IP of the host, use the SocketBindTight directive.
In "/etc/proftpd.conf":
SocketBindTight on
To listen on interfaces which are not the primary host interface, use the SocketBindTight directive and place your server configuration in a <VirtualHost> container:
Port            0
SocketBindTight on
<VirtualHost xxx.xxx.xxx.xxx>
  Port           21
  DefaultRoot    ~
  AllowOverwrite on
  Umask          002
</VirtualHost>
Analyzing proftpd xferlog file
Tue, 01/29/2008 - 10:59 — wizap
Recently I've had to research some missing files of a website.
When looking through the proftpd xferlog files, it was clear that the files were deleted by a user having ftp access.
The xferlog file is usually located at "/var/log/xferlog". However, since this was a plesk server, it was located at:
"/var/www/vhosts/{DOMAIN}/sta
A quick grep produced the list of files that had been deleted, and they could easily be recovered from a previous backup. It also revealed the time and the offending IP address of the person who did the deletes.
Full listing:
$ grep "_ d" /path/to/xferlog
Listing of just the deleted files:
$ awk '/_ d/ {print $9}' /path/to/xferlog
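Here is an added example, not code from the original post, that generalizes the two commands above into a small script: it selects delete records by the xferlog direction field (the "d" that the "_ d" pattern matches on) rather than by a substring, and prints the timestamp, client address and username alongside each deleted file, which is the information the post says it recovered; a second function counts deletes per client address. The log lines, addresses, usernames and paths are constructed.

```sh
#!/bin/sh
# Added example, not code from the original post: pull the delete records out of
# a ProFTPD xferlog and show when, from which address and by which user each
# file was removed. Hosts, users and paths in the sample log are constructed.
#
# xferlog fields, whitespace separated:
#   1-5  timestamp ("Tue Jan 29 10:42:55 2008")   6 transfer-time   7 remote-host
#   8    file-size   9 filename   10 transfer-type (a/b)   11 special-action-flag
#   12   direction: i = upload, o = download, d = delete   13 access-mode   14 username

SAMPLE_LOG="${TMPDIR:-/tmp}/xferlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Tue Jan 29 10:31:07 2008 1 192.0.2.10 4096 /httpdocs/index.html a _ i r webuser ftp 0 * c
Tue Jan 29 10:42:55 2008 0 198.51.100.7 0 /httpdocs/images/logo.png b _ d r webuser ftp 0 * c
Tue Jan 29 10:43:02 2008 0 198.51.100.7 0 /httpdocs/contact.html b _ d r webuser ftp 0 * c
Tue Jan 29 11:05:19 2008 2 192.0.2.10 20480 /httpdocs/site_backup.tar.gz b _ o r admin ftp 0 * c
EOF

# list_deletes FILE: one tab-separated line per deleted file: timestamp, client address, user, path.
# Matching on the direction field rather than the substring "_ d" keeps the result
# independent of how the surrounding fields happen to be spaced.
list_deletes() {
    awk '$12 == "d" { printf "%s %s %s %s %s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $7, $14, $9 }' "$1"
}

# deletes_by_host FILE: number of deletes per client address, busiest first.
deletes_by_host() {
    awk '$12 == "d" { n[$7]++ } END { for (h in n) print n[h], h }' "$1" | sort -rn
}

# Run against the sample so the script shows its output stand-alone.
list_deletes "$SAMPLE_LOG"
deletes_by_host "$SAMPLE_LOG"
```

Point both functions at the real log (`list_deletes /var/log/xferlog`) to get the same listing the post's grep produced, with the time, client address and account attached to each entry so the deletes can be tied to a login.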
Below are some additional notes on xferlog analysis: