[Proftpd-user] SFTP hung sessions and error "Server unexpectedly closed network connection" for only one user

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] tls connection time out

Hi all! Again here 

On a debian server I've proftpd-basic 1.3.3a.

Runs perfectly if I use it without TLS.

When I enable TLS, my clients goes to time out:

Command:	MLSD
Error:	Connection timed out
Error:	Failed to retrieve directory listing

Half or more aftertoon to search with google but I didn't find any
solution ((

thanks for the help!

tail -f /var/log/proftpd/tls.log

May 15 17:58:38 mod_tls/2.4.2[20385]: using default OpenSSL verification
locations (see $SSL_CERT_DIR environment variable)
May 15 17:58:38 mod_tls/2.4.2[20385]: TLS/TLS-C requested, starting TLS
handshake
May 15 17:58:38 mod_tls/2.4.2[20385]: TLSv1/SSLv3 connection accepted,
using cipher DHE-RSA-AES128-SHA (128 bits)
May 15 17:58:38 mod_tls/2.4.2[20385]: Protection set to Private

My config:

openssl req -new -x509 -days 365 -nodes -out
/etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

tls.conf

<IfModule mod_tls.c>

TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
TLSOptions   		                NoCertRequest
TLSRSACertificateFile                   /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile                /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient                         off
TLSRequired                             on

</IfModule>

and proftpd.conf

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6				on
# If set on you can experience a longer connection delay in many cases.
IdentLookups			off

ServerName			"fuckaround.org"
ServerType			standalone
DeferWelcome			off

MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on

TimeoutNoTransfer		1200
TimeoutStalled			1200
TimeoutIdle			1600

DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"

DenyFilter			\*.*/

# Use this to jail all users in their homes
DefaultRoot			~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell		off

# Port 21 is the standard FTP port.
Port				21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
 PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress		1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				proftpd
Group				nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				022  022
# Normally, we want files to be overwriteable.
AllowOverwrite			on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd		off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder			mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile			off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
#
#   RequireValidShell		off
#
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
#
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayChdir		.message
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
#
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
#
# </Anonymous>

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] proftpd-1.3.4a won't follow a symlink if it has a double slash as target

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] chroot and symlinks

Hi all 

I installed proftpd 1.3.4a (debian 7).

I read this page: http://www.proftpd.org/docs/howto/Chroot.html but I
can't see symlinks ((

/home/user1

mkdir /home/user1/www

ln -s /var/www/user1 www

"www" is a directory: ls -l

drwxr-xr-x 2 user1 user1 4096 May 15 09:16 www

and ls -l www is:

lrwxrwxrwx 1 user1 user1 24 May 15 09:16 www.example.com ->
/var/www/www.example.com

When I try to connect, after login:

ncftp / > ls www

www is empty :-///

Thanks for the help!

Pol

cat /etc/proftpd/proftpd.conf

Include /etc/proftpd/modules.conf

UseIPv6				on
IdentLookups			off
ServerName			"Debian"
ServerType			standalone
DeferWelcome			off
MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on
TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200
DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"
DenyFilter			\*.*/
DefaultRoot			~
Port				21
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
MaxInstances			30
User				proftpd
Group				nogroup
Umask				022  022
AllowOverwrite			on
TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
Include /etc/proftpd/conf.d/


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

Re: [Proftpd-user] Segfault using mod_ldap (fwd)

god, gmail is the WORST. i have an idea i'm going to exercise, TJ,
based on an idea we'd had a few months ago when mod_sftp was
segfaulting, and it turned out mod_sftp was compiled against FIPS
openssl, but was running against non-FIPS openssl. i suspect something
similar is happening now.

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] unsubscribe

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] Segfault using mod_ldap

Hi All (especially TJ and John),

I've had to pick back up using mod_ldap with mod_sftp, using Oracle
Internet Directory and self-signed SSL certificates. Big fun.

I'm currently getting the following error when I try to connect:

mod_ldap/2.9.2: attempting connection to ldaps://172.22.124.13:2390/??sub
mod_ldap/2.9.2: set protocol version to 3
mod_ldap/2.9.2: connected to ldaps://172.22.124.13:2390/??sub
ProFTPD terminating (signal 11)
SSH2 session closed.
-----BEGIN STACK TRACE-----
[0] /lib64/libcrypto.so.6(X509_VERIFY_PARAM_inherit+0xd) [0x37a86a9d5d]
[1] /lib64/libcrypto.so.6(X509_VERIFY_PARAM_inherit+0xd) [0x37a86a9d5d]
[2] /lib64/libssl.so.6(ssl_verify_cert_chain+0x9b) [0x37b103304b]
[3] /lib64/libssl.so.6(ssl3_get_server_certificate+0x2a6) [0x37b101cf16]
[4] /lib64/libssl.so.6(ssl3_connect+0x83e) [0x37b101ea2e]
[5] /lib64/libssl.so.6(ssl23_connect+0xa1a) [0x37b1025d8a]
[6] /usr/lib64/libldap-2.3.so.0(ldap_int_tls_start+0x9c) [0x37a522c32c]
[7] /usr/lib64/libldap-2.3.so.0(ldap_int_open_connection+0x14f) [0x37a520c35f]
[8] /usr/lib64/libldap-2.3.so.0(ldap_new_connection+0x9c) [0x37a521d7fc]
[9] /usr/lib64/libldap-2.3.so.0(ldap_open_defconn+0x1a) [0x37a520c1ea]
[10] /usr/lib64/libldap-2.3.so.0(ldap_send_initial_request+0xae) [0x37a521e14e]
[11] /usr/lib64/libldap-2.3.so.0(ldap_sasl_bind+0x179) [0x37a52144c9]
[12] /usr/lib64/libldap-2.3.so.0(ldap_sasl_bind_s+0x8c) [0x37a521474c]
[13] /u01/app/proftpd/sbin/proftpd [0x50588b]
[14] /u01/app/proftpd/sbin/proftpd [0x505bb3]
[15] /u01/app/proftpd/sbin/proftpd [0x505dc1]
[16] /u01/app/proftpd/sbin/proftpd [0x505fa7]
[17] /u01/app/proftpd/sbin/proftpd [0x5076e8]
[18] /u01/app/proftpd/sbin/proftpd [0x507bae]
[19] /u01/app/proftpd/sbin/proftpd(pr_module_call+0xa3) [0x4a03cf]
[20] /u01/app/proftpd/sbin/proftpd [0x4a4301]
[21] /u01/app/proftpd/sbin/proftpd(pr_auth_getpwnam+0x6c) [0x4a491f]
[22] /u01/app/proftpd/sbin/proftpd(sftp_auth_publickey+0x462) [0x55bae1]
[23] /u01/app/proftpd/sbin/proftpd [0x52ed0e]
[24] /u01/app/proftpd/sbin/proftpd(sftp_auth_handle+0x58) [0x52fa8c]
[25] /u01/app/proftpd/sbin/proftpd(sftp_ssh2_packet_handle+0x256) [0x51a621]
[26] /u01/app/proftpd/sbin/proftpd [0x510c04]
[27] /u01/app/proftpd/sbin/proftpd [0x470fab]
[28] /u01/app/proftpd/sbin/proftpd [0x471727]
[29] /u01/app/proftpd/sbin/proftpd [0x47362f]
[30] /u01/app/proftpd/sbin/proftpd(main+0x808) [0x474218]
-----END STACK TRACE-----

It seems like that could be a ssl handshake failure, but that sure
doesn't seem like the cleanest way to handle it ;)

As an aside, I had a hack in mod_ldap to do something else I was
working on and got a message that I successfully bound, but then had
another, different stack trace. I could introduce that to the thread
too, if it would help.

Proftpd 1.3.4c

-V output:

Compile-time Settings:

  Version: 1.3.4c (maint)

  Platform: LINUX [Linux 2.6.18-348.4.1.el5 x86_64]

  Built: Wed May 8 2013 15:08:25 MDT

  Built With:

    configure  '--prefix=/u01/app/proftpd' '--enable-dso'
'--enable-ctrls' '--enable-openssl' '--with-modules=mod_sftp:mod_ldap'
'--with-includes=/usr/local/ssl/include/'
'--with-libraries=/usr/local/ssl/lib/' '--enable-devel=stacktrace'

  CFLAGS:  -Wall -DPR_DEVEL_STACK_TRACE -g -O0 -Wcast-align
-Wchar-subscripts -Winline -Wstrict-prototypes -Wmissing-declarations
-Wnested-externs -Wpointer-arith -Wshadow -Wundef -Wfloat-equal
-Wunreachable-code -Wstack-protector -fstack-protector-all

  LDFLAGS: -L$(top_srcdir)/lib  -L/usr/local/ssl/lib/

  LIBS:  -lssl -lcrypto -lssl -lcrypto -L$(top_srcdir)/lib/libcap
-lcap  -lldap -llber  -lpam  -lcrypto -lz -lsupp -lcrypt -ldl  -ldl

  Files:

    Configuration File:

      /u01/app/proftpd/etc/proftpd.conf

    Pid File:

      /u01/app/proftpd/var/proftpd.pid

    Scoreboard File:

      /u01/app/proftpd/var/proftpd.scoreboard

    Header Directory:

      /u01/app/proftpd/include/proftpd

    Shared Module Directory:

      /u01/app/proftpd/libexec

  Features:

    - Autoshadow support

    + Controls support

    - curses support

    + Developer support

    + DSO support

    + IPv6 support

    + Largefile support

    - Lastlog support

    - Memcache support

    - ncurses support

    - NLS support

    + OpenSSL support (FIPS enabled)

    - PCRE support

    - POSIX ACL support

    + Shadow file support

    + Sendfile support

    + Trace support

  Tunable Options:

    PR_TUNABLE_BUFFER_SIZE = 1024

    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192

    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192

    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000

    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8

    PR_TUNABLE_HASH_TABLE_SIZE = 40

    PR_TUNABLE_NEW_POOL_SIZE = 512

    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80

    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30

    PR_TUNABLE_SELECT_TIMEOUT = 30

    PR_TUNABLE_TIMEOUTIDENT = 10

    PR_TUNABLE_TIMEOUTIDLE = 600

    PR_TUNABLE_TIMEOUTLINGER = 30

    PR_TUNABLE_TIMEOUTLOGIN = 300

    PR_TUNABLE_TIMEOUTNOXFER = 300

    PR_TUNABLE_TIMEOUTSTALLED = 3600

    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

-vv output:

cohbe1tstftp01 proftpd[30884]: processing configuration directory
'/u01/app/proftpd/etc/conf.d/'

ProFTPD Version: 1.3.4c (maint)

  Scoreboard Version: 01040003

  Built: Wed May 8 2013 15:08:25 MDT

Loaded modules:

  mod_ctrls/0.9.5

  mod_cap/1.1

  mod_ldap/2.9.2

  mod_sftp/0.9.8

  mod_auth_pam/1.2

  mod_ident/1.0

  mod_dso/0.5

  mod_facts/0.3

  mod_delay/0.7

  mod_site.c

  mod_log.c

  mod_ls.c

  mod_auth.c

  mod_auth_file/0.9

  mod_auth_unix.c

  mod_xfer.c

  mod_core.c

Relevant config:

AuthOrder mod_ldap.c*

                LDAPServer      "ldaps://172.22.124.13:2390/??sub"

                LDAPBindDN      "cn=orcladmin"  "XXXX"

                LDAPUsers       ",cn=Users,dc=XXXX,dc=org"

                LDAPAttr        uid     "cn"

                LDAPDefaultUID  1077

                LDAPDefaultGID  1077

                LDAPForceDefaultUID on

                LDAPForceDefaultGID on

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] DSO vs static module -- who wins?

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] New maintainer for ldap, winbind, auth_web modules?

I'm orphaning mod_ldap, mod_winbind, and mod_auth_web to free up time for
other projects.

If anyone with a programming background is interested in taking over
maintainership of these modules, I'd be happy to answer questions and
provide some initial guidance. They're all in good shape (IMHO), with no
major outstanding TODOs or bugs, and mod_ldap's automated test suite is
reasonably complete.

The code is at:

https://github.com/jwm/mod_ldap
https://github.com/jwm/mod_winbind
https://github.com/jwm/mod_auth_web

john
--

-- 
John Morrissey           _o            /\         ----  __o
jwm <at> proftpd.org       _-< \_          /  \       ----  <  \,
www.proftpd.org/   __(_)/_(_)________/    \_______(_) /_(_)__

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] A simple question, I think: ASCII mode and line terminations.

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr

_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html

[Proftpd-user] symlinks are no longer displayed in terminal ftp but it is shown in filezilla

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter

_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html