tls

Setup secure ProFTPd

Fri, 06/12/2009 - 14:42 — sandip

Ftp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.

I usually use the epel repository to install proftpd:

yum --enablerepo=epel install proftpd

Configure for tls/ssl connection:

 
<IfModule mod_tls.c>
TLSEngine   &nbsp;    &nbsp;    &nbsp;    &nbsp;    on
TLSRequired   ;     ;     ;     ;   off
TLSRSACertificateFile &nbsp;    &nbsp;    /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile&nbsp;    &nbsp;  /etc/pki/tls/proftpd/server.key.pem 
TLSVerifyClient  &nbsp;    &nbsp;    &nbsp;    off
TLSRenegotiate  &nbsp;    &nbsp;    &nbsp;     required off
TLSLog   &nbsp;    &nbsp;    &nbsp;    &nbsp;    &nbsp;  /var/log/proftpd/tls.log
</IfModule>

chroot and bindsocket to listen to single IP:

 
SocketBindTight  &nbsp;    &nbsp;    &nbsp;    on
DefaultRoot   ;     ;     ;     ;   ~

Setup passive ftp ports:

</Global>
...
...
PassivePorts 50000 51000
</Global>

Create the certs:

mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem

Create /etc/pam.d/ftp so PAM can authenticate for proftpd:

#%PAM-1.0
auth    required   &nbsp;    pam_unix.so   &nbsp; nullok
account required   &nbsp;    pam_unix.so
session required   &nbsp;    pam_unix.so

Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:

useradd -s /bin/false <ftp_user>

sandip's blog
Login or register to post comments

STARTTLS: CRLFile missing (RESOLVED)

Fri, 10/19/2007 - 10:20 — sandip

When starting sendmail, I would get the below messgage:

Oct 18 23:59:01 srv02 sendmail[20857]: alias database /etc/aliases rebuilt by root
Oct 18 23:59:01 srv02 sendmail[20857]: /etc/aliases: 79 aliases, longest 22 bytes, 860 bytes total
Oct 18 23:59:01 srv02 sendmail[20862]: starting daemon (8.13.1): SMTP+queueing@01:00:00
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS: CRLFile missing
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, init=1
Oct 18 23:59:01 srv02 sendmail[20862]: started as: /usr/sbin/sendmail -bd -q1h
Oct 18 23:59:01 srv02 sm-msp-queue[20872]: starting daemon (8.13.1): queueing@01:00:00

Although, sendmail would still run without the CRL File and just complain about it missing. A quick way to include it in the sendmail configuration is to download revoke.crl from cacert.org, add the below option in sendmail.mc and rebuild the sendmail conf file as below.

Download revoke.crl:

# cd /usr/share/ssl/certs
# wget http://www.cacert.org/revoke.crl

Add the below line to "/etc/mail/sendmail.mc" just below the "confSERVER_KEY":

define(`confCRL', `/usr/share/ssl/certs/revoke.crl')

Rebuild sendmail conf by running make:

# cd /etc/mail
# make

Check sendmail.cf with the revoke.crl listed as below:

O CRLFile=/usr/share/ssl/certs/revoke.crl

Now restarting sendmail should not complain about the missing Certificate Revocation List (CRL) File.

sandip's blog
Login or register to post comments

Navigation

Home | Forum | Recent Posts | News | Archives | Contact
This site houses a collection of Tips, Tricks, Resources and Guides of Individuals, put together and edited for personal reference into a daily web journal...
Content may not be reproduced without permission from the Individuals.
Copyright © post 2003 L I N U X w e B l o g . C O M