Andreas Meyer | 19 Oct 15:29 2014

[Proftpd-user] Display Chdir has no effect

Hello!

I configured

DisplayLogin            /etc/proftpd/welcome.msg
DisplayChdir            /etc/proftpd/.message
DisplayQuit             /etc/proftpd/.quit

Yesterday DisplayChdir worked and was displayed every time a directory
changed. Today it does not work anymore. Could it have something to do
with the fact that I installed MySQL-access for Proftpd?

DisplayLogin            /etc/proftpd/welcome.msg
DisplayQuit             /etc/proftpd/.quit

work just fine. I started proftpd in debug mode with proftpd -d9 -n
and proftpd -nd6 but there is nothing to see regarding DisplayChdir.

Greetings

  Andreas

_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>

Andreas Meyer | 18 Oct 13:27 2014

[Proftpd-user] SQL question

Hello!

I set up proftpd to use MySQL and it is not clear to me what the
column count int(11) default NULL means.

I see this in the SQLLog:

....
Okt 18 13:18:20 mod_sql/4.3[12194]: cache miss for UID '0'
Okt 18 13:18:20 mod_sql/4.3[12194]: entering    mysql cmd_select
Okt 18 13:18:20 mod_sql/4.3[12194]: entering    mysql cmd_open
Okt 18 13:18:20 mod_sql/4.3[12194]: connection 'default' count is now 2
Okt 18 13:18:20 mod_sql/4.3[12194]: exiting     mysql cmd_open
Okt 18 13:18:20 mod_sql/4.3[12194]: query "SELECT username, password, uid, gid, homedir, shell FROM ftp
WHERE (uid = 0) LIMIT 1"
Okt 18 13:18:20 mod_sql/4.3[12194]: entering    mysql cmd_close
Okt 18 13:18:20 mod_sql/4.3[12194]: connection 'default' count is now 1
Okt 18 13:18:20 mod_sql/4.3[12194]: exiting     mysql cmd_close
Okt 18 13:18:20 mod_sql/4.3[12194]: exiting     mysql cmd_select
.....

Can someone explain?

  Andreas


Andreas Meyer | 17 Oct 21:38 2014

[Proftpd-user] walking up the directory tree

Hello!

Today I installed Proftpd on an opensuse 12.2. The server is running,
configured with DefaultRoot ~ web,!users

I was thinking with this configuration every systemuser logged in is
limited to its home-directory but this is not the case. Logged in I can
walk the systemtree up and down and even visit other home-directories.

What's wrong?

Greetings

  Andreas


TJ Saunders | 16 Oct 17:56 2014

[Proftpd-user] mod_tls and the SSLv3 "POODLE" attack


Some of you may have heard about a new SSL/TLS attack, called "POODLE".  
This attack specifically targets the SSL3 protocol; it is a protocol flaw, 
not an implementation bug in OpenSSL:

  http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

The question thus is: is proftpd (with mod_tls) vulnerable?  Yes -- it is 
as vulnerable as e.g. Apache, since the vulnerability is in the protocol, 
and how OpenSSL deals with the issue.

To mitigate this attack on your proftpd server, you can work around the 
issue by configuring mod_tls to NOT support SSLv3, using:

  TLSProtocol TLSv1

and, if you have OpenSSL-1.0.1 or later, you can/should enable TLSv1.1 and 
TLSv1.2 as well:

  TLSProtocol TLSv1 TLSv1.1 TLSv1.2

If you want to see which TLS protocol version your FTPS clients are using, 
you can check the TLSLog file; it logs the protocol version, as well as 
ciphersuite negotiated.

In the future, I will be changing mod_tls so that it does not support 
SSLv3 by default; see:

  http://bugs.proftpd.org/show_bug.cgi?id=4114
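
The configuration check described above, as an added example that is not part of the original post and not ProFTPD code: a small Python audit that flags a proftpd.conf where mod_tls can still negotiate SSLv3. It assumes the plain list form of `TLSProtocol` shown in the post, treats the whole file as one server context, and treats `<IfDefine>` blocks as active; the sample configurations are constructed.

```python
import re

# TLSProtocol values that leave SSLv3 negotiable. "SSLv23" is mod_tls's
# compatibility value, which allows SSLv3 alongside TLSv1.
ALLOWS_SSL3 = {"sslv3", "sslv23"}
DIRECTIVE = re.compile(r"^\s*(TLSEngine|TLSProtocol)\s+(.+?)\s*$", re.IGNORECASE)


def audit_tls_protocol(conf_text):
    """Return (line_no, message) findings for SSLv3 exposure in a proftpd.conf.

    Assumptions: one server context per file; <IfDefine> blocks are active.
    """
    findings = []
    engine_on_line = None
    protocol_lines = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue  # commented-out directive does not count
        m = DIRECTIVE.match(raw)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "tlsengine" and value.lower() == "on":
            engine_on_line = line_no
        elif name == "tlsprotocol":
            protocol_lines.append(line_no)
            weak = [v for v in value.split() if v.lower() in ALLOWS_SSL3]
            if weak:
                findings.append(
                    (line_no, "TLSProtocol allows SSLv3 via " + ", ".join(weak)))
    if engine_on_line is not None and not protocol_lines:
        # Per the post, the mod_tls default of this era still supports SSLv3.
        findings.append(
            (engine_on_line, "TLSEngine on with no TLSProtocol: default applies"))
    return findings


# Constructed sample configurations (not taken from a real server).
NO_PROTOCOL = """\
TLSEngine on
TLSRequired on
TLSLog /var/log/proftpd/tls.log
"""
EXPLICIT_SSL3 = """\
TLSEngine on
#TLSProtocol TLSv1
TLSProtocol SSLv3 TLSv1
"""
MITIGATED = """\
TLSEngine on
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
"""

if __name__ == "__main__":
    for label, conf in (("no TLSProtocol", NO_PROTOCOL),
                        ("explicit SSLv3", EXPLICIT_SSL3),
                        ("mitigated", MITIGATED)):
        print(label, "->", audit_tls_protocol(conf) or "no SSLv3 exposure found")
```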


Patricio López | 4 Oct 16:42 2014

[Proftpd-user] Problem with PAM authentication

Hello

I am trying to set up a Linux box with an FTP server, and I chose proftpd for this, but I am running into a problem with PAM authentication (I really just need basic auth here: the regular Linux user in his/her home directory). Here are the details:

Proftpd version:

ProFTPD Version: 1.3.3g (maint)
  Scoreboard Version: 01040003
  Built: Fri Jan 18 2013 16:37:04 UTC

Loaded modules:
  mod_lang/0.9
  mod_ctrls/0.9.4
  mod_cap/1.0
  mod_vroot/0.9.2
  mod_tls/2.4.2
  mod_auth_pam/1.1
  mod_readme.c
  mod_ident/1.0
  mod_dso/0.5
  mod_facts/0.1
  mod_delay/0.6
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/0.8.3
  mod_auth_unix.c
  mod_xfer.c
  mod_core.c

OS version: Centos 6.5 2.6.32-431.29.2.el6.x86_64


Here is my proftpd.conf:

ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root <at> localhost
DefaultServer on

VRootEngine on
DefaultRoot ~ !adm
VRootAlias /etc/security/pam_env.conf /etc/security/pam_env.conf

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off

# Set the user and group that the server runs as
User nobody
Group nobody

MaxInstances 20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off


LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

<IfDefine TLS>
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite ALL:!ADH:!DES
  TLSOptions NoCertRequest
  TLSVerifyClient off
  #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
  TLSLog /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>



<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule mod_ban.c
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user ftpadm
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask 022

  # Allow users to overwrite files and change permissions
  AllowOverwrite yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
DefaultRoot ~

</Global>
ServerType standalone

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
  <Anonymous ~ftp>
    User ftp
    Group ftp
    AccessGrantMsg "Anonymous login ok, restrictions apply."

    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias anonymous ftp

    # Limit the maximum number of anonymous logins
    MaxClients 10 "Sorry, max %m users -- try again later"

    # Put the user into /pub right after login
    #DefaultChdir /pub

    # We want 'welcome.msg' displayed at login, '.message' displayed in
    # each newly chdired directory and tell users to read README* files. 
    DisplayLogin /welcome.msg
    DisplayChdir .message
    DisplayReadme README*

    # Cosmetic option to make all files appear to be owned by user "ftp"
    DirFakeUser on ftp
    DirFakeGroup on ftp

    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    # An upload directory that allows storing files but not retrieving
    # or creating directories.
    <Directory uploads/*>
      AllowOverwrite no
      <Limit READ>
        DenyAll
      </Limit>

      <Limit STOR>
        AllowAll
      </Limit>
    </Directory>

    # Don't write anonymous accesses to the system wtmp file (good idea!)
    WtmpLog off

    # Logging for the anonymous transfers
    ExtendedLog /var/log/proftpd/access.log WRITE,READ default
    ExtendedLog /var/log/proftpd/auth.log AUTH auth

  </Anonymous>
</IfDefine>

PAM file in /etc/pam.d/proftpd:

#%PAM-1.0
session    optional     pam_keyinit.so force revoke
auth   required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth   required     pam_shells.so
auth   include password-auth
account    include password-auth
session    required     pam_loginuid.so
session    include password-auth

My test user can log in via SSH, but no luck for the FTP session. BTW, I really don't need PAM to enforce logins; I just need my users to be able to log in to their home directory.

Thanks for your kind help.

--
Patricio López Salgado

Chris Lasater | 22 Sep 21:48 2014

[Proftpd-user] Couldn't stat remote file

Hi,
     I think I found a bug, but I am unsure if it would be a change for 
proftpd.  If I use the sftp command with a Red Hat 5.x Machine I get 
"Couldn't stat remote file: Permission denied"  when I try with the 
below configuration on sftp.  If I use filezilla or the sftp command on 
a newer OS everything works fine.  Also, if I add LSTAT to the allowed 
Limit section, it starts to work fine.  So it appears to be related to 
a change in sftp that makes this problem go away.

### Config

LoadModule mod_sftp.c

User                            user
Group                           user

port 10021

<VirtualHost 0.0.0.0>
         SFTPEngine on
         SFTPLog /home/user/logs/sftp.log
         SFTPHostKey /home/user/proftpd/etc/ssh_host_rsa_key
         SFTPHostKey /home/user/proftpd/etc/ssh_host_dsa_key

         ServerLog /home/user/logs/proftpd.log
         TransferLog /home/user/logs/xferlog.log

         Port 10022

         AuthUserFile /home/user/proftpd/etc/proftpd.users
         WtmpLog off

         ### Access Control
         # Bar use of SITE CHMOD by default
         <Limit ALL SITE_CHMOD>
                 DenyAll
         </Limit>

         <Directory /home/user/backups>
                 <Limit READ DIRS>  ### if LSTAT is added here it works
                         AllowAll
                 </Limit>
         </Directory>

</VirtualHost>

### proftpd version

[user <at> server etc]$ proftpd -vv
ProFTPD Version: 1.3.5 (stable)
   Scoreboard Version: 01040003
   Built: Mon Sep 22 2014 14:25:55 EDT

Loaded modules:
   mod_sftp/0.9.9
   mod_ctrls/0.9.5
   mod_cap/1.1
   mod_ident/1.0
   mod_dso/0.5
   mod_facts/0.3
   mod_delay/0.7
   mod_site.c
   mod_log.c
   mod_ls.c
   mod_auth.c
   mod_auth_file/1.0
   mod_auth_unix.c
   mod_rlimit/1.0
   mod_xfer.c
   mod_core.c


Henning | 22 Sep 14:03 2014

[Proftpd-user] Authenticating against LDAP groupofuniquenames


Hi,

I have to use proftpd LDAP authentication not with PosixGroup 
memberships but with uniquemembers in GroupOfUniqueNames, but I do not 
get it working. Is it possible at all?

Here is the principal layout:

dn: cn=datagroup,ou=Groups,dc=domain,dc=eu
cn: datagroup
objectclass: top
objectclass: groupofuniquenames
uniquemember: uid=myuser,ou=People,dc=domain,dc=eu

dn: uid=myuser,ou=People,dc=domain,dc=eu
authorizedservice: service
cn: MyUser
givenname: MyUser
homedirectory: /home/myuser
mail: myuser <at> domain.eu
mailhost: localhost
objectclass: inetorgperson
objectclass: organizationalperson
objectclass: person
objectclass: top
objectclass: authorizedServiceObject
authorizedservice: proftpd
ou: ou=people,dc=domain,dc=eu
sn: MyUser
uid: myuser

The user should be able to authenticate if (authorizedservice=proftpd) 
and the membership in datagroup should be mapped to a proftpd group 
membership to be used with LIMIT directives. homedirectory should be 
recognized as well if possible.

best regards
Henning


Paolo | 11 Sep 01:44 2014

[Proftpd-user] MaxInstances ...


Ok, default is 20.
And I can increase it in proftpd.conf ...

Question: is there a configuration parameter/trick to limit on a per-IP 
basis (5/10/20/... per IP), or to exclude some IPs from the count so I can 
still connect from these IPs even if MaxInstances (NNN) is reached?

--

-- 

Regards,
                          Paolo

____________________________________________


Steve Matzura | 9 Sep 12:58 2014

[Proftpd-user] Config Question

According to everything I've read, the DefaultRoot configuration
directive is used to permit and restrict groups to access things
outside their home directories. The line:

DefaultRoot ~ !management

is supposed to keep everyone but those users in the "management" group
from wandering around the system. I have tried in vain to implement
this with the management group for the system I manage, but I'm
obviously not doing something right because those in the "management"
group still cannot change directory. What's wrong with what I'm doing?

Thanks in advance.


Jorge Bastos | 29 Aug 22:16 2014

Re: [Proftpd-user] Cannot create directories named "lib" on the root

Ok, solved; configuration updated for newer versions :)

 

Thanks.

 

From: Jorge Bastos [mailto:mysql.jorge <at> decimal.pt]
Sent: sexta-feira, 29 de Agosto de 2014 15:40
To: proftp-user <at> lists.sourceforge.net
Subject: Re: [Proftpd-user] Cannot create directories named "lib" on the root

 

Hi,

 

Hum understand..just don’t see the reason for virtual users (mysql db),

I’ll dig into this a bit more later tonight,

 

From: Maarten Broekman [mailto:maarten.broekman <at> endurance.com]
Sent: sexta-feira, 29 de Agosto de 2014 11:19
To: proftp-user <at> lists.sourceforge.net
Subject: Re: [Proftpd-user] Cannot create directories named "lib" on the root

 

If you turn off RLimitChroot (assuming you had it turned on), that will allow lib and etc to be created as directories.  I ran into the issue as well.  TJ pointed out the following bug that addresses it:  http://bugs.proftpd.org/show_bug.cgi?id=4018

 

--Maarten

 

On Fri, Aug 29, 2014 at 5:36 AM, Jorge Bastos <mysql.jorge <at> decimal.pt> wrote:

> On 2014-08-29 10:56, Jorge Bastos wrote:
> > Any idea?
>
> Directory permissions?

No.

Previous versions work as expected.





 

--

Maarten Broekman

Endurance International Group

vDeck Senior Linux Systems Administrator / PCI ISA

Maarten Broekman | 29 Aug 12:18 2014

Re: [Proftpd-user] Cannot create directories named "lib" on the root

If you turn off RLimitChroot (assuming you had it turned on), that will allow lib and etc to be created as directories.  I ran into the issue as well.  TJ pointed out the following bug that addresses it:  http://bugs.proftpd.org/show_bug.cgi?id=4018

--Maarten


On Fri, Aug 29, 2014 at 5:36 AM, Jorge Bastos <mysql.jorge <at> decimal.pt> wrote:
> On 2014-08-29 10:56, Jorge Bastos wrote:
> > Any idea?
>
> Directory permissions?

No.

Previous versions work as expected.





--
Maarten Broekman
Endurance International Group
vDeck Senior Linux Systems Administrator / PCI ISA