Collaborative Computational Project Number 14

for Single Crystal and Powder Diffraction

CCP14

Installation and Setup of ProFTPD FTP Server

The CCP14 Homepage is at http://www.ccp14.ac.uk


The following was for installation on an SGI O2 running IRIX but should work on most UNIX systems with very little change.


Why Use ProFTPD

Also refer to Setting up a multiple IP address interface on an SGI O2 under IRIX 6.5.x for obtaining and configuring the separate IP addresses required for virtual FTP servers to function.

The ProFTPD FTP server is a free, open source program for UNIX that is built on a "secure" model and has a configuration style similar to the Apache webserver. It has a lot of options that make it very flexible and enable the administrator to keep control of what is going on. This is especially so for chrooted areas. Security problems have been encountered in the past (this is not unique to ProFTPD, as programs such as wuftpd and the standard ftpd have all had alerts on them), but ProFTPD is quick at getting fixes out.



Where to get ProFTPD

ProFTPD is obtainable as source code or RPMs:




Compiling and Installing ProFTPD

This assumes you have CC or GCC installed. Be wary that the GCC compiler on IRIX 6.5.x can cause strange behaviour with internet-style applications, and it is better to use the native CC compilers you can get for IRIX from SGI. For compiling GCC, refer to Compiling the GNU GCC/G++ C compiler for information on how to do this. With a decent workstation, this should not be a problem, and the ./configure program should be able to detect your system, making compiling a relatively trivial exercise.

  • (At this time (4th April 2003) ProFTPD 1.2.8 was the latest version)
  • Extract the ProFTPD distribution file using the command gzip -d < proftpd-1.2.8.tar.gz | tar xvof -
  • Change directory into the proftpd-1.2.8 directory.
  • (If on an SGI, enforce the use of "cc" by going into the bash shell and running env CC=cc ./configure)

  • (If on an SGI and using the September 2000 CVS versions to fix the PASV bug (but to get a successful compile), go into the bash shell and run env CC=cc ./configure --disable-sendfile)
  • (If on an SGI and using the August 2001 CVS versions to fix the Permissions bug (but to get a successful compile), go into the bash shell and run env CC=cc ./configure --disable-sendfile)
  • Run the ./configure program (it should detect your system and set things up OK)

    If you have trouble with sed commands inside the configure file, find out which group is used by root (e.g., sys) and set the environment variable install_group to sys.

  • Type make to compile ProFTPD
  • Type make install to copy the general executables into /usr/local/sbin and the proftpd.conf configuration file into /usr/local/etc/. Normally you would have to be the systems administrator.


Setting up/Configuring ProFTPD

Basically, the way I did this was lots of trial and error, reading the on-line documentation and trying again. After an hour or 5 (I was not in that big a rush), I was there (but very happy with the result - the standard ftpd is much harder to set up in a secure fashion). The following example should make it easier to install.

The default is to install the /usr/local/etc/proftpd.conf file as read-only, so you have to do a chmod +w proftpd.conf to be able to edit the file. After you have finished editing the file, do a chmod -w proftpd.conf to make it read-only again.

Note that proftpd is using the list of names in the /etc/ftpusers file to block access.

# Use the /etc/ftpusers file to deny logins and use the DenyAll
UseFtpUsers On

To allow FTP Secure Shell tunnelling, create special IP address virtual domains (where anonymous logins are not allowed) with AllowForeignAddress on, where users can log in via Secure Shell tunnelling. This is not something to enable on an IP address that allows anonymous logins. Also refer to: Secure FTP transfers via Secure Shell Tunnelling
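A check for the rule above, as an added example that is not part of the original page or of ProFTPD: it walks a proftpd.conf and reports every server where AllowForeignAddress is effectively on and an <Anonymous> block is also present. The function name audit_foreign_address, the sample configuration and its 192.0.2.x addresses are constructed for illustration; the script assumes that a value set in <Global> applies to every server unless the server sets the directive itself.

```python
import re

SECTION_OPEN = re.compile(r"^<\s*(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</\s*(\w+)\s*>$")

# Constructed sample, laid out like the configuration file on this page.
SAMPLE_CONF = """
ServerName "restricted"
<Global>
  DefaultRoot ~
</Global>
<VirtualHost 192.0.2.10>
  <Anonymous /srv/ftp/pub>
    User ftp
    UserAlias anonymous ftp
    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>
</VirtualHost>
<VirtualHost 192.0.2.11>
  # tunnelled logins only, no anonymous area: this is the intended use
  AllowForeignAddress on
  DefaultRoot ~
  <Limit LOGIN>
    AllowGroup staff
    DenyAll
  </Limit>
</VirtualHost>
<VirtualHost 192.0.2.12>
  AllowForeignAddress on
  <Anonymous /srv/ftp/incoming>
    User upload
  </Anonymous>
</VirtualHost>
"""


def audit_foreign_address(conf_text):
    """Return [(server, [anonymous roots])] for every server where
    AllowForeignAddress is effectively on and an <Anonymous> block exists."""
    servers = {}           # label -> {"foreign": bool or None, "anon": [paths]}
    global_foreign = None  # value set inside <Global>, if any
    stack = []             # currently open sections, innermost last

    def server_entry():
        # The enclosing <VirtualHost>, or the main server at top level.
        label = "main server"
        for tag, arg in stack:
            if tag == "virtualhost":
                label = "VirtualHost " + arg
        return servers.setdefault(label, {"foreign": None, "anon": []})

    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = SECTION_CLOSE.match(line)
        if closing:
            if stack and stack[-1][0] == closing.group(1).lower():
                stack.pop()
            continue
        opening = SECTION_OPEN.match(line)
        if opening:
            tag, arg = opening.group(1).lower(), opening.group(2).strip()
            stack.append((tag, arg))
            if tag == "virtualhost":
                server_entry()
            elif tag == "anonymous":
                server_entry()["anon"].append(arg)
            continue
        words = line.split()
        if words[0].lower() == "allowforeignaddress" and len(words) > 1:
            value = words[1].lower() == "on"
            if any(tag == "global" for tag, _ in stack):
                global_foreign = value
            else:
                server_entry()["foreign"] = value

    findings = []
    for label, info in servers.items():
        # Assumption: an explicit per-server setting overrides <Global>.
        if info["foreign"] is not None:
            effective = info["foreign"]
        else:
            effective = bool(global_foreign)
        if effective and info["anon"]:
            findings.append((label, info["anon"]))
    return findings


if __name__ == "__main__":
    for server, roots in audit_foreign_address(SAMPLE_CONF):
        print("%s: AllowForeignAddress on with anonymous area(s) %s"
              % (server, ", ".join(roots)))
```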


Something to be aware of with allow/deny in proftpd vs apache

Resent-From: proftpd@tos.net
Reply-To: proftpd@tos.net
X-Mailing-List: [proftpd@proftpd.net] archive/latest/929
X-Loop: proftpd@proftpd.net
Resent-Sender: proftpd-request@tos.net

On Thu, Sep 30, 1999 at 07:55:37PM -0700, Jeremy Chadwick wrote:
> On Fri, Oct 01, 1999 at 02:00:24AM +0200, th+lists99@coodex.de wrote:
> > I just noticed that - IIRC - the default access policy when using
> > "order" with ProFTPd is different from that with Apache:
> > 
> > With ProFTPd, "order allow,deny" grants access by default and "order 
> > deny,access" denies access by default.
> > With Apache it's just the other way!
> 
> 	I posted this ~1 week ago.
> 
> 	Apache is backwards. I say this because the "Apache way" doesn't
> 	apply logically to doing anything network-oriented, primarily
> 	firewalling rules. You don't put your deny statements before
> 	your allows; it just doesn't make sense, period.
> 
> 	It'd be silly to change the method ProFTPD, and it'd be silly
> 	to change the order in Apache, especially since both are so
> 	far along the development line. "If it ain't broke, don't fix
> 	it."

You hit the nail on the head.  I come from a rather rigorous network (read:
Cisco) background, and had always found the Apache "way" to be rather
backwards; thus the difference you see in proftpd.

-- 
"I am Dyslexic of Borg.  Prepare to have your ass laminated."

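The difference discussed in the thread above, as an added example that is not part of the original messages: a simplified model of how ProFTPD and Apache (the Order directive of Apache 1.3/2.2) evaluate the same Order/Allow/Deny rules, run against the mirror rules from the configuration file on this page. Only the "all" keyword and leading-dot domain suffixes are modelled, and the client host names are constructed.

```python
def matches(rule, host):
    """True if an Allow/Deny pattern covers the client host name."""
    rule, host = rule.lower(), host.lower()
    if rule == "all":
        return True
    if rule.startswith("."):          # domain suffix such as .dl.ac.uk
        return host.endswith(rule)
    return host == rule


def proftpd_decision(order, allow, deny, host):
    """ProFTPD: the first class named in Order is checked first and an
    explicit match there is final; the default follows the order."""
    allowed = any(matches(r, host) for r in allow)
    denied = any(matches(r, host) for r in deny)
    if order == "allow,deny":
        if allowed:
            return True
        if denied:
            return False
        return True                   # nothing matched: access granted
    if order == "deny,allow":
        if denied:
            return False
        if allowed:
            return True
        return False                  # nothing matched: access denied
    raise ValueError("unknown order: " + order)


def apache_decision(order, allow, deny, host):
    """Apache: both classes are always evaluated, the second class named
    in Order overrides the first, and the defaults are the other way round."""
    allowed = any(matches(r, host) for r in allow)
    denied = any(matches(r, host) for r in deny)
    if order == "allow,deny":
        return allowed and not denied  # default deny, Deny overrides Allow
    if order == "deny,allow":
        return allowed or not denied   # default allow, Allow overrides Deny
    raise ValueError("unknown order: " + order)


# The <Limit LOGIN> rules of the "mirror" account in this page's config.
MIRROR_ORDER = "allow,deny"
MIRROR_ALLOW = [".dl.ac.uk", ".minerals.csiro.au", ".u-aizu.ac.jp", ".cryst.bbk.ac.uk"]
MIRROR_DENY = ["all"]


def compare(order, allow, deny, hosts):
    """Return [(host, proftpd_result, apache_result)] for each host."""
    return [(h,
             proftpd_decision(order, allow, deny, h),
             apache_decision(order, allow, deny, h)) for h in hosts]


if __name__ == "__main__":
    hosts = ["host1.dl.ac.uk", "client.example.org"]   # constructed names
    for host, pro, apa in compare(MIRROR_ORDER, MIRROR_ALLOW, MIRROR_DENY, hosts):
        print("%-20s ProFTPD=%-5s Apache=%s" % (host, pro, apa))
```

Read as Apache rules, the mirror block would lock out even the listed domains, because "Deny from all" overrides every Allow; read as ProFTPD rules, a block with "Order Allow,Deny" and no Deny line grants access to any client that no Allow line mentions.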

ProFTPD Configuration file

# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
# 23rd September 1999 - start hacking away on this  - Lachlan Cranswick
# The main server is restricted to authorized users - the other IP/address
# virtual servers for anonymous access.


ServerName			"CCP14 Restricted User Area - Authorised Users Only"
ServerType			standalone

#  If there is no explicit virtual server defined for the IP
# address, then the connection will be refused.
DefaultServer			off

# Only advertise FTP on desired IP addresses
# SocketBindTight on
# Bind  193.61.32.164


#Undocumented features
# ServerIdent       off
# DisplayConnect    /path/to/banner
# RootLogin on
# AllowForeignAddress        on

# If Slow DNS return lookups
# UseReverseDNS off
# IdentLookups  off

# The address the server will report as being the admin
ServerAdmin  ccp14@ccp14.ac.uk

# Port 21 is the standard FTP port.
Port				21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask				022

SystemLog /web_logs/proftpd/ftp_logins

TransferLog /web_logs/proftpd/xferlog
LogFormat default "%h %l %u %t \"%r\" %s %b"

# Display .files when doing a directory listing
# LsDefaultOptions "-a"

# To prevent DoS attacks, limit the maximum number of child processes
# (100 here).  If you need to allow more concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			100

# Set the user and group that the server normally runs at.
User				nobody
Group				nobody

# Normally, we want files to be overwriteable.
# <Directory /*>
#  AllowOverwrite		on
# </Directory>

# Use the /etc/ftpusers file to deny logins and use the DenyAll
UseFtpUsers On

# Jail logins to their user areas.  Means if you want to copy some
# root files off, they will first have to be manually copied to a
# relevant user area.
# The following line would chroot users but not the root account.
# Bad form to log in via FTP as root.
# DefaultRoot ~ users,!root
<Global>
#UseReverseDNS off
#IdentLookups off
DefaultRoot ~
DenyFilter '%'
DenyFilter \*.*/
PassivePorts  49152 65534
  # PassivePorts  6001 6007
  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable.
Umask   022
# CDPath    /etc
# CDPath    /usr/local
# AccessGrantMsg "Guest access granted for %u."
# DeferWelcome    on
</Global>

#        DisplayConnect /ftp/.msg.connect
#        DisplayGoAway /ftp/.msg.goaway
#        <Anonymous /ftp/>
#         DisplayLogin            /.msg.login
#         DisplayQuit             /.msg.bye


# Also big timeout for the restricted user server mainly for doing webwork
TimeoutNoTransfer 600
TimeoutIdle  600

# Was Limited to allow logins to www.ccp14.ac.uk from dl.ac.uk, ccp14.ac.uk iucr.ac.uk and other domains
# Change this to force upload via cerebus.ccp14.ac.uk and ccp14dev.ccp14.ac.uk virtual domains

<Limit LOGIN>
  DenyAll
</Limit>

#  Anonymous upload area for CCP14 - debian.ccp14.ac.uk  www.ccp14.ac.uk
<VirtualHost 193.61.32.164>
  MaxClientsPerHost 6 "Sorry, you may not connect more than six times"
  <Limit LOGIN>
  DenyAll
  </Limit>

<Anonymous /web_disc/ccp14/web_area/web_live>
# chrooted Mirror user account for mirroring.  Can only copy
# from the mirror user at /web_disc/ccp14/web_area/web_live (~mirror)
  User                          mirror
  Group                         user
  AnonRequirePassword           on
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"

#only enable ability to get into the mirror area for mirroring from trusted hosts
# Limit from dl.ac.uk, ccp14.ac.uk iucr.ac.uk and others "named" domains
#    AllowUser mirror

  <Limit LOGIN>
   Order Allow,Deny
   Allow from .dl.ac.uk
   Allow from .minerals.csiro.au
   Allow from .u-aizu.ac.jp
   Allow from .cryst.bbk.ac.uk
   Deny from all
  </Limit>

  <Limit WRITE>
    DenyAll
  </Limit>

</Anonymous>

<Anonymous /home/ccp14/ftp_incoming>
# chrooted area for uploading files for CCP14 with CCP14 as the owner
  
  User ccp14
  Group dlccp14a
  UserAlias ftp ccp14
  AuthAliasOnly on
  RequireValidShell off
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"


#  People uploading have to know to use ftp.
#  UserAlias anonymous ftp

<Limit LOGIN>
  AllowAll
</Limit>


  <Directory *>
      <Limit STOR CWD MKD>
      AllowAll
      </Limit>
      <Limit READ RMD DELE RNFR RNTO>
      DenyAll
      </Limit>
  </Directory>

</Anonymous>
</VirtualHost>

<VirtualHost 193.61.32.162>
  ServerName "CCP14 Crystallographic Software Anonymous FTP Area - ftp.ccp14.ac.uk"
#  TimeoutNoTransfer 600
#  TimeoutIdle 600
#  UseReverseDNS off
#  IdentLookups off
  MaxClientsPerHost 4 "Sorry, you may not connect more than four times"
  <Limit LOGIN>
  DenyAll
  </Limit>
  <Anonymous /web_disc/ccp14/web_area/web_live/ccp>
#Get symbolic links to work - will try with a later version of ProFTPD
  ShowSymlinks On
#  CDPath    /web_disc/ccp14/web_area
#  CDPath    /web_disc/ccp14/web_area
  User                          ftp
  Group                         ftp
  RequireValidShell off
  HideGroup  xrdguest
#  HideNoAccess /web_disc/ccp14/web_area/web_live/web-mirrors
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
#  Must be put in a <limit> box for this to work.
#  IgnoreHidden on
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp
  <Limit LOGIN>
    AllowAll
  </Limit>
  MaxClients                    80
  DirFakeGroup  On
  DirFakeUser   On
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message
  AllowOverwrite off
  TransferLog /web_logs/proftpd/anonxferlog_proftpd
  <Limit WRITE>
    DenyAll
  </Limit>
  </Anonymous>
</VirtualHost>

<VirtualHost 193.61.32.163>
  ServerName "Redhat Mirror via Anonymous FTP from the CCP14 Project site - redhat.ccp14.ac.uk"
#  TimeoutNoTransfer 600
#  TimeoutIdle 600
#  UseReverseDNS off
#  IdentLookups off
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
  <Limit LOGIN>
  DenyAll
  </Limit>
  <Anonymous /web_disc/ccp14/web_area/redhat>
  User                          ftp
  Group                         ftp
  RequireValidShell off
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp
  <Limit LOGIN>
    AllowAll
  </Limit>
#  ShowSymlinks On
  DirFakeGroup  On
  DirFakeUser   On
  MaxClients                    20
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message
  AllowOverwrite off
  TransferLog /web_logs/proftpd/anonxferlog_proftpd
  <Limit WRITE>
    DenyAll
  </Limit>
  </Anonymous>
</VirtualHost>

# Old debian config at dl.ac.uk - rem with new change at Birkbeck college
#<VirtualHost 193.61.32.164>
#  ServerName "Debian Mirror via Anonymous FTP from the CCP14 Project site - debian.ccp14.ac.uk"
##  TimeoutNoTransfer 600
##  TimeoutIdle 600
##  UseReverseDNS off
##  IdentLookups off
#  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
#  <Limit LOGIN>
#  DenyAll
#  </Limit>
#  <Anonymous /web_disc/ccp14/web_area/debian>
#  User                          ftp
#  Group                         ftp
#  RequireValidShell off
#  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
#  # We want clients to be able to login with "anonymous" as well as "ftp"
#  UserAlias                     anonymous ftp
#  <Limit LOGIN>
#    AllowAll
#  </Limit>
##  ShowSymlinks On
#  DirFakeGroup  On
#  DirFakeUser   On
#  MaxClients                    20
#  DisplayLogin                  welcome.msg
#  DisplayFirstChdir             .message
#  AllowOverwrite off
#  TransferLog /web_logs/proftpd/anonxferlog_proftpd
#  <Limit WRITE>
#    DenyAll
#  </Limit>
#  </Anonymous>
#</VirtualHost>

<VirtualHost 193.61.32.165>
  ServerName "FreeBSD Mirror via Anonymous FTP from the CCP14 Project site - freebsd.ccp14.ac.uk"
#  TimeoutNoTransfer 600
#  TimeoutIdle 600
#  UseReverseDNS off
#  IdentLookups off
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
  <Limit LOGIN>
  DenyAll
  </Limit>
  <Anonymous /web_disc/ccp14/web_area/freebsdftp>
#  ShowSymlinks On
  User                          ftp
  Group                         ftp
  RequireValidShell off
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp
  <Limit LOGIN>
    AllowAll
  </Limit>
  DirFakeGroup  On
  DirFakeUser   On
  MaxClients                    20
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message
  AllowOverwrite off
  TransferLog /web_logs/proftpd/anonxferlog_proftpd
  <Limit WRITE>
    DenyAll
  </Limit>
  </Anonymous>
</VirtualHost>

<VirtualHost 193.61.32.166>
  ServerName "CCP14 Restricted Upload FTP server - unauthorized access forbidden - cerebus.ccp14.ac.uk"
#  TimeoutNoTransfer 6600
#  TimeoutIdle 6600
#  IdentLookups on
  RequireValidShell on
  AllowForeignAddress on
  DefaultRoot ~


# Normally, we want users to be able to overwrite their own files
<Directory /*>
  AllowOverwrite   on
</Directory>

<Limit LOGIN>
  Order Allow,Deny
  Allow 127.0.0.1
  Allow 148.666.666.666
  Allow .blah.com
  Allow .blah.net
  Deny from All
</Limit>


<Limit LOGIN>
  Order Allow,Deny
  AllowUser balh
  AllowUser blah2
  DenyAll
</Limit>

<Limit LOGIN>
  Order Allow,Deny
  AllowGroup groupblah
  AllowGroup groupguest
  DenyAll
</Limit>


</VirtualHost>

<VirtualHost 193.61.32.167>
  ServerName "CCP14 Developers FTP server - unauthorized access forbidden - ccp14dev.ccp14.ac.uk"
#  TimeoutNoTransfer 6600
#  TimeoutIdle 6600
#  IdentLookups on
  RequireValidShell off
  AllowForeignAddress on
  DefaultRoot ~


# Normally, we want users to be able to overwrite their own files
<Directory /*>
  AllowOverwrite   on
</Directory>

<Limit LOGIN>
  Order Allow,Deny
  AllowGroup ccp14dv
  DenyAll
</Limit>


#<Limit LOGIN>
#  Order Allow,Deny
#  Allow from .jp
#  Allow from .fr
#  Allow from .uk
#  Deny  from All
#</Limit>


#<Limit LOGIN>
#Order Allow,deny
#AllowUser balh1,blah2
#AllowGroup group1,group2
#</Limit>

</VirtualHost>


<VirtualHost 193.61.35.93>
  ServerName "dldata for Blah"
#  TimeoutNoTransfer 6600
#  TimeoutIdle 6600
#  IdentLookups on
  RequireValidShell off
  AllowForeignAddress on
  DefaultRoot ~


# Normally, we want users to be able to overwrite their own files
<Directory /*>
  AllowOverwrite   on
</Directory>

<Limit LOGIN>
  Order Allow,Deny
  Allow from .cryst.bbk.ac.uk
  Deny  from All
</Limit>


<Limit LOGIN>
Order Allow,deny
AllowUser user2
AllowGroup groupuser,group2
</Limit>

<Anonymous /web_disc/jacques/dldata>
# chrooted area for uploading files for CCP14 with CCP14 as the owner

  User dluser
  Group dlccp14a
#  UserAlias dl
#  AuthAliasOnly on
  RequireValidShell off
  MaxClientsPerHost 5 "Sorry, you may not connect more than five times"


#  People uploading have to know to use ftp.
#  UserAlias anonymous ftp

<Limit LOGIN>
  AllowAll
</Limit>


  <Directory *>
      <Limit READ CWD>
      AllowAll
      </Limit>
      <Limit STOR MKD RMD DELE RNFR RNTO>
      DenyAll
      </Limit>
  </Directory>

</Anonymous>

</VirtualHost>


Manually starting and stopping ProFTPD

To stop ProFTPD, as root type killall proftpd

To start ProFTPD (and thus have it use a fresh /usr/local/etc/proftpd.conf), type /usr/local/sbin/proftpd


Automatic Startup of ProFTPD on Boot

The work for automatic startup is pretty much identical to installing the Apache webserver.


What can be said, whatever family that IRIX UNIX comes from, it sucks and it is no wonder Bill Gates is a billionaire selling Windows. Putting something to automatically start up is not that trivial and following is a possibly dodgy implementation. Basically, it seems it is common just to copy the lpd daemon script in the /etc/init.d directory (which then has a link put to it from the /etc/rc2.d directory). Then edit in ProFTPD, and edit out LPD.

Thus, as root, go into the /etc/init.d directory and copy the relevant file; in this case on the CCP14 server: cp bsdlpr proftpd. Make sure it is executable (chmod +x proftpd).

Change the script so you pretty much get something like the following (start-script.txt).

Then type ln -s /etc/init.d/proftpd /etc/rc2.d/S63proftpd (giving the link a number after the LPR daemon, showing the order it will be started up in)

Then (still as root), type cp /etc/config/bsdlpr /etc/config/proftpd

Then type ln -s /etc/config/proftpd /var/config/proftpd

In theory, /etc/chkconfig can then be used to check on the status of things. If httpd does not appear by typing chkconfig, try chkconfig httpd on

(Summary of all of this, next killer apps for UNIX will be "c:\config.sys" and "c:\autoexec.bat") Though FreeBSD UNIX is a more civilised option. PS: If you wish to have proftpd started under inetd, the following is more appropriate:

"Then I changed the line in /etc/inetd.conf from:

ftp   stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a 

To:
ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd"


ftpshut

Date: Thu, 28 Oct 1999 08:29:12 -0400 (EDT)
From: "Andrew C. Ohnstad" [andy@andysaudio.com]
To: proftpd@proftpd.net
Subject: Re: Autostart/stop ftp

Just delete the file /etc/shtumsg when you want the server to start back
up.

=-=Andrew
"Traveling At The Speed of Thought" --- Teenage FanClub

On Thu, 28 Oct 1999, Saunders, Shawn wrote:

> We would like to setup Proftpd to automatically shutdown when we do backups
> (with messaging to clients that FTP will not be available for while) and
> then restart after the backup is complete.  
> 
> Now it appears that we have a utility called ftpshut that will do the
> shutdown part nicely.  Any suggestions on the startbackup procedure?  Or is
> there a utility or facility I have missed.
> 
> Shawn Saunders


Investigating the possibility of Allowing users to change passwords themselves via FTP only accounts

Refer:


Re: [ProFTPD] DefaultRoot configuration and security...

     To: proftpd@proftpd.net 
     Subject: Re: [ProFTPD] DefaultRoot configuration and security... 
     From: Jean-Marc Monnez [monnez.jean-marc@agora.msa.fr] 
     Date: Mon, 04 Dec 2000 10:00:25 +0100 
     Organization: AGORA38 


I am new on this list, and for my first posting I say hello to all of you.

I use proftpd on AIX, and for users I want to be jailed to their home dirs, these
users have to give a password. They won't have to telnet on a shell, but they need
to be able to change this password, so I replaced for these users the usual
/usr/bin/ksh in /etc/password by the command /usr/bin/passwd. It works fine, and
this way the only thing they may try with telnet is change their password.

HTH. Regards.

-- JMM

Robert Sweet wrote :

> I found the list archive, I now have the users jailed to
> their home directories. What is the best way to strip them
> of shell access? I have read that shell /bin/false is not
> the way to do it...? Can someone point me in a direction to
> find the info or help me out. I am setting up ftp access to
> our internet server for clients to upload files to. These
> clients only need ftp access. Is the best way to create a
> user on the system or can it all be done through proftpd?
> tia.
>
> --
> rsweet@socal.rr.com        | The revolution will not be
>                       -o)  | televised.
> Linux, the Choice      /\  |
> of a GNU generation   _\_v |
>                            |


To: proftpd@proftpd.net 
     Subject: Re: [ProFTPD] Is it possible ? 
     From: Michael Grabenstein [mgrabens@popd.isinet.com] 
     Date: Fri, 07 Apr 2000 09:29:43 -0400 


Irwan Hadi wrote:

> First of all I want to thank you for your reply, but my question is what is
> the meaning of "the same format ?"
> so I make a list of
> username:password::::/homedir/
> how about the password ? can it be encrypted or not ?
> if it *can* be encrypted, with which tool should I encrypt it then.
>

    Yes that would be the format...

    I use Perl to encrypt the password, or if you already have a /etc/passwd to
start with, then just copy it...

    An alternative easy way to do this is to encrypt a password and keep the
encrypted version around. Like Change your password to 'ABC123' then as you
create users in the alternate passwd file, paste the encrypted form of that
password into the new logon entry. And instruct the new user to change their
password as soon as they first FTP to the system, or change it for them via FTP
and give them the new password. :-) BTW: once you have the encrypted version of
'ABC123' feel free to change your password back. :-)

    Attached is a simple Perl script that will encrypt a plain text password sent
to it...

    Mark, please feel free to add this to the FAQ. TIA.

    I don't believe proftp has a way of using plain text passwords in the
password file, but Mark can correct me if I am wrong. :-)

Later,
    Mike

#--- Start Cut after this line
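#!/usr/bin/perl
# Encrypt a plain text password with crypt() for an alternate passwd file.
# Note: a password given with -p is visible in the process list.
use Getopt::Std;
use vars qw($opt_h $opt_p $opt_s);
# getopts (not getopt) understands the "hp:s:" form:
# -h is a plain flag, -p and -s each take a value.
getopts ("hp:s:");
my ($salt, $chr);
if ( (defined($opt_h)) || (! defined($opt_p)) )
 {
   print "Usage: $0 -hps\n";
   print "\t-h -- This Usage message\n";
   print "\t-p <password> -- The password to encrypt\n";
   print "\t-s <salt> -- The salt to use, optional\n\n";
   exit (166);
 }
# Use the salt given with -s, otherwise build one from two random letters.
if ( (defined($opt_s)) && ($opt_s =~ /(\w+)/) )
 {
   $salt = $1;
 }
 else
  {
    $chr = chr(int(rand(26)+65));
    $salt = $chr;
    $chr = chr(int(rand(26)+97));
    $salt .= $chr;
  }
print crypt($opt_p, $salt) . "\n";
exit (0);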
# -- Stop here. Don't get the signature at the bottom...


To: proftpd@proftpd.net 
     Subject: Re: [ProFTPD] Allowing FTP, but denying telnet 
     From: Justin Shore [listuser@vinnie.ksu.ksu.edu]
     Date: Tue, 15 Feb 2000 13:36:46 -0600 


If you setup ProFTPd to require a valid login shell, it parses 
/etc/shell to see if user X's shell is among that list.  If it is 
then it considers them to have a valid shell.  If it's not, then 
you'll have to list it.  /etc/shells is a plain text file with the 
full path to a given shell on each line.  I'd also recommend using 
/bin/false.  Do you want the user to be able to change his password? 
If so, then there's another trick that's been used a lot.  Make his 
shell /bin/passwd.  Then whenever he telnets in he's instantly given 
the prompt to change his password.  This would only allow them access 
to change their password.  I would highly recommend using ssh if 
you're going to do that though (as a matter of fact, use ssh only. 
Trash telnet).  Again, /bin/passwd would have to be listed in 
/etc/shells if you told ProFTPd to require a valid shell (I can't 
remember the directive off the top of my head).

HTH
   Justin

At 6:57 PM +0000 2/15/00, James Lewis wrote:
>How can I easily add a user, then allow them ftp access, but deny them telnet
>
>(I've tried changing their login shell to /dev/null but this also 
>denies them FTP)
>
>Many thanks
>


--
Justin Shore
K-State Linux Distro Mirror, Sysadmin
macdaddy@vinnie.ksu.ksu.edu
http://vinnie.ksu.ksu.edu/mirror/rpm2html
ftp://vinnie.ksu.ksu.edu/pub/mirror/linux


Changing Passwords on behalf of Users

(Proftpd can use alternative password files)
From: "Sebastian Wolfgarten" [sebastian@wolfgarten.com]
To: [proftpd@proftpd.net]
Subject: AW: [ProFTPD] Help with updating passwords for users
Date: Fri, 20 Oct 2000 21:55:16 +0200

Hi Mike,

take a look at your proftp.conf file. In SuSE Linux it's proftpd.conf in
/etc/.

Make "locate proftpd.conf" to see where it's really at...Open this file
with your favourite editor "joe proftpd.conf" for example and there
should be a section with "AuthUserFile" and "AuthGroupFile". In these files
you will find the users with their passwords. If it is not in use (means it
has an "#" before it) then maybe you use a sql database to revalidate the
users...you must make an update to the database then. Hhhm, if you use
"authuserfile" then just type in the shell "passwd username" to change the
user's password. If you need more assistance just write me a mail...maybe
post parts of your proftpd.conf

Bye
Sebastian, nexxium interactive gmbh
www.nexxium.de


Time Stamp Problems with ProFTPD

Date: Fri, 20 Oct 2000 19:28:23 -0400
From: John Morrissey [jwm@moe.horde.net]
To: proftpd@proftpd.net
Subject: Re: [ProFTPD] Time stamp problems

On Fri, Oct 20, 2000 at 03:57:11PM -0500, Michael Tucker wrote:
% Note the difference in the apparent time stamp. It appears to be off by 5
% hours, which (I believe) is our offset from GMT here in Houston, Texas.
% 
% The ftp server knows what time it is, though. I include the time in the
% login message, and it's correct.
% 
% I'm running 1.2 (the CVS version from about August 15) on Solaris 8. I
% haven't noticed any other problems.

Somewhere along the line, proftpd was changed to display times in GMT; say
'TimesGMT off' in your proftpd.conf to display file times in your local time
zone.

john


Creating Custom Password files

  • Contributions: ftpasswd updated as of 2001-01-09

    • http://rad.geology.washington.edu/~tj/proftpd/

    • usage: ftpasswd [ -h ] [ --group | --passwd ]
      
      If used with --passwd, ftpasswd creates a file in the passwd(5) format,
      suitable for use with proftpd's AuthUserFile configuration directive.
      You will be prompted for the password to use of the user, which will be
      encrypted, and written out as the encrypted string.


Limiting Uploads with ProFTPD

Date: Tue, 28 Sep 1999 16:27:19 -0400 (EDT)
From: Noah [sitz@onastick.net]
cc: proftpd@tos.net
Subject: Re: [ProFTPD] Limit disk space and amount of connections
On Tue, 28 Sep 1999, Drew Skinner wrote:

> Quota's on user upload capabilities are specified at the system level. Run
> a man page on quota then enable quota against the ufs/xfs file system.

or you can use proftpd's mod_quota:

ftp://pooh.urbanrage.com/pub/c/mod_quota.c

--noah


PHP/CGI Script for ftpwho?

Date: Wed, 6 Jun 2001 19:32:16 -0700 (Pacific Daylight Time)
From: Vince LaMonica [vjl@cullasaja.com]
To: [proftpd-users@proftpd.org]
Subject: Re: [Proftpd-user] PHP/CGI Script for ftpwho?

On Wed, 6 Jun 2001, h3rb wrote:

} Is there a php/cgi script that will display the results for ftpwho?  Like
} who's connected.  What they are uploading/downloading.  Their bandwidth, or
} percent completed?  Would this be hard to write?   I am by no means a

Well, a *very* simplistic solution would be to use the passthru()
function:

<?php

passthru('ftpwho');

?>

I'd enclose the above in a formatted part of the page. The above
"code" simply passes the output of the ftpwho command to the w3 page. You
can get much fancier like having the page auto-update [simple HTML via
meta-refresh].

HTH,

/vjl/


Host.allow/host.deny when running ProFTPD in inetd mode - not the case here

From: "MacGyver" [macgyver@tos.net]
To: [proftpd@tos.net]
Subject: RE: [ProFTPD] Listening on only one interface
Date: Tue, 5 Oct 1999 03:18:06 -0500

> > IMO, it's not ProFTPD's place to handle the inetd scenario.
>
> Then, DefaultServer has to be on by default when running in inetd mode as
> stock inetd binds to all interfaces - and ProFTPd serves only the primary
> one without using DefaultServer.
>

Nope.

> > You can use tcp_wrappers to accomplish what you're looking for.
>
> Not really, as always the primary hostname (and not the FQDN of
> the specific
> interface a client connects to) is displayed in the welcome message. I
> thought about ipchains-filtering away all ports 21 other than the
> ftp.foobar.com interface, but this doesn't solve this problem
> (besides: this
> is a real hack).
>

Nope.  Simply put, in /etc/hosts.allow:

in.proftpd@pick.your.virtual.host: ALL: twist /usr/sbin/in.proftpd -c pick.your.virtual.host.proftpd.conf

Done.  Simple, efficient, and works.  Use a different conf file for each
virtual host.  This will accomplish what you're looking to do.

ProFTPD INIT Script

Date: Tue, 5 Oct 1999 11:22:35 +0100 (BST)
From: Mark Lowes [Hamster@wibble.org]
Resent-From: proftpd@tos.net

The entity claiming to be Daniel Roesen wrote...
> Anyone written this yet? Perhaps this should be included in the tarball...

Something which might be of use is the script I knocked up for use here.

I'm sure someone will tell me it can be done more gracefully :)

	Mark


#!/bin/sh
# 
# ProFTPD init script
#
# stop and start do exactly what they say
# buildconfig - Creates config and tests (using configtest patch)
# reconfig    - rolls a new config into place and restarts the server
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
VAR=/var/run/proftpd
NAME=proftpd
DESC=Proftpd
#
#
#
buildconfig()
{
echo "Creating new config and testing"
echo ""
cd /var/conf/ftp
./rc.ftp.pl

if [ -f /etc/proftpd.conf.new ]
then
   proftpd --configtest -c /etc/proftpd.conf.new
fi
}
#
#
#
reconfig()
{
   if [ -f /etc/proftpd.conf.new ]
   then
      echo "Installing new config and reloading server"
      echo ""
      cd /etc/
      mv proftpd.conf proftpd.conf.old
      mv proftpd.conf.new proftpd.conf
      echo "new proftp.conf loaded"
      fi
}
#
# Find proftpd pid
#
cd $VAR
for i in proftpd-*
do
   pid=`echo $i | sed "s/proftpd\-//"`
   if [ -d /proc/$pid/ ]
   then
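      # First word of the command line (NULs turned into spaces), path stripped;
      # the original test quoted the whole expression and so was always true
      cmd=`tr '\000' ' ' < /proc/$pid/cmdline | sed -e 's/[ :].*//' -e 's,.*/,,'`
      if [ "$cmd" = 'proftpd' ]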
      then
         MasterPid=$pid
         echo "Master PID == $MasterPid"
      fi
   fi
done 

case "$1" in
   start)
      echo -n "Starting $DESC: "
      reconfig
      /usr/local/sbin/proftpd
      echo "Done"
      ;;
   stop)
      echo -n "Stopping $DESC: "
      killall proftpd
      echo "Done"
      ;;
   reconfig|reload)
      echo -n "Reconfiguring $DESC "
      reconfig
      kill -HUP $MasterPid
      echo "Done"
      ;;
   buildconf|buildconfig)
      echo -n "Building config for $DESC "
      buildconfig
      ;;
   restart)
      echo -n "Restarting $DESC: "
      kill -HUP $MasterPid
      echo "Done"
      ;;
   *)
      N=/etc/rc.d/init.d/$NAME
      # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
      echo "Usage: $N {start|stop|restart|reconfig|reload}" >&2
      exit 1
      ;;
esac
exit 0

Another ProFTPD INIT Script

#!/bin/sh
#
# Startup script for ProFTPD
#
# chkconfig: 345 85 15
# description: ProFTPD is a highly configurable ftp daemon for unix
#              and unix-like operating systems HTML files and CGI.
# processname: proftpd
# config: /etc/proftp.conf


# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
	echo -n "Starting proftpd: "
	daemon proftpd
	echo
	touch /var/lock/subsys/proftpd
	;;
  stop)
	echo -n "Shutting down proftpd: "
	killproc proftpd
	echo
	rm -f /var/lock/subsys/proftpd
	;;
  status)
	status proftpd
	;;
  restart)
	$0 stop
	$0 start
	;;
  *)
	echo "Usage: $0 {start|stop|status|restart}"
	exit 1
esac

exit 0

Another, Another ProFTPD INIT Script - SysV-Init-Script (RedHat 6.0)

proftpd.init.d

#!/bin/sh
#
# Startup script for ProFTPd
#
# chkconfig: 345 85 15
# description: ProFTPD is an enhanced FTP server with \
#               a focus toward simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#               and a highly customizable server infrastructure, \
#               including support for multiple 'virtual' FTP servers, \
#               anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /etc/proftp.conf
#
# By: Osman Elliyasa 
# $Id: proftpd,v 1.9 1999/10/03 17:25:02 root Exp $

# Source function library.
. /etc/rc.d/init.d/functions

FTPSHUT=/opt/sbin/ftpshut

# See how we were called.
case "$1" in
  start)
	echo -n "Starting proftpd: "
	if [ -x ~ftp-master/bin/advert.sh ]; then
		echo -n "Adverts "
		su - ftp-master -c "bin/advert.sh fifo"
	fi
	$0 resume
	daemon proftpd
	echo
	touch /var/lock/subsys/proftpd
	;;
  stop)
	echo -n "Shutting down proftpd: "
	if [ -x ~ftp-master/bin/advert.sh ]; then
		echo -n "Adverts "
		su - ftp-master -c "bin/advert.sh kfifo"
	fi
	$0 suspend
	killproc proftpd
	echo
	rm -f /var/lock/subsys/proftpd
	;;
  status)
	status proftpd
	;;
  restart)
	$0 stop
	$0 start
	;;
  reread)
	echo -n "Re-reading proftpd config: "
	killproc proftpd -HUP
	echo
	;;
  suspend)
  	if [ -f $FTPSHUT ]; then
  		if [ $# -gt 1 ]; then
			shift
			echo -n "Suspending with '$*' "
			$FTPSHUT $*
		else
			echo -n "Suspending NOW "
			$FTPSHUT now "Maintanance in progress"
		fi
	else
		echo -n "No way to suspend "
	fi
	echo
  	;;
  resume)
	if [ -f /etc/shutmsg ]; then
		echo -n "Allowing sessions again "
		rm -f /etc/shutmsg
	else
		echo -n "Was not suspended "
	fi
	echo
  	;;
  *)
	echo -n "Usage: $0 {start|stop|restart|status|reread|resume"
  	if [ "$FTPSHUT" = "" ]; then
		echo "}"
	else
		echo "|suspend}"
		echo "suspend accepts additional arguments which are passed to ftpshut(8)"
	fi
	exit 1
esac

if [ $# -gt 1 ]; then
	shift
	$0 $*
fi

exit 0


 I really need Syntax, Context, and Defaults for some undocumented config directives:

  Module: ratio
   Ratios
   UserRatio
   GroupRatio
   AnonRatio
   HostRatio

  Module: auth
   LoginPasswordPrompt
   DefaultChdir
   UserDirRoot

  Module: core
   DisplayQuit
   DisplayGoAway
   CommandBufferSize
   AllowFilter
   DenyFilter
   DefaultTransferMode
   Class
   Classes
  
  Module: ls
   ShowDotFiles

  Module: pam
   AuthPAMAuthoritative
   PAMConfig
  
  Module: readme
   DisplayReadme

  Module: sample
   FooBarDirective

  What are the modules mod_tar and mod_test?

Best regards,
 Anton                          mailto:fenix@stl.ru


Hamster's ProFTPD conf file

ServerName                      "Frostbite FTPserver"
#ServerType                     inetd
ServerType                      standalone
DeferWelcome                    on
Port                            21
Umask                           002
User                            ftp
Group                           ftp
TransferLog                     /var/spool/syslog/proftpd/xferlog.legacy
DefaultRoot                     /ftp/ftp.linux.co.uk
TimeoutLogin                    120
TimeoutIdle                     600
TimeoutNoTransfer               900
TimeoutStalled                  3600
ScoreboardPath                  /var/run/proftpd
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
LogFormat                       write   "%h %l %u %t \"%r\" %s %b"
UseReverseDNS                   off

<Global>
        DisplayLogin            welcome.msg
        DisplayFirstChdir       readme
        AllowOverwrite          yes
        AccessGrantMsg          "Welcome to Tux's kingdom oh chilly %u"
        DisplayConnect /ftp/ftp.linux.co.uk/login.msg
        #
        # Turn off Ident lookups
        #
        IdentLookups         off
        #
        # file/dir access
        ExtendedLog             /var/spool/syslog/proftpd/access.log WRITE,READ write
        # Log logins
        ExtendedLog             /var/spool/syslog/proftpd/auth.log AUTH auth
        # Log absolutely every f*cking thing
        ExtendedLog    /var/spool/syslog/proftpd/fascist.log ALL default
        ServerIdent                     on "Linux.co.uk server"
</Global>

<Limit LOGIN>
        DenyAll
</Limit>


# ----------------------------------------------------
# ftp.linux.co.uk ("Linux.co.uk FTP Archive") 
# Contact : zathras@linux.co.uk
#
<VirtualHost 195.200.4.15>
ServerAdmin             zathras@linux.co.uk                     
ServerName              "Linux.co.uk FTP Archive"
TransferLog             /var/spool/syslog/xfer/ftp.linux.co.uk
MaxLoginAttempts        3
RequireValidShell       no
DefaultRoot             /ftp/ftp.linux.co.uk
User                    linux
Group                   linux
AllowOverwrite          yes
DefaultServer           yes
DefaultChdir            /ftp/ftp.linux.co.uk/mirrors 
LoginPasswordPrompt off
DisplayReadme README
#DisplayLogin           welcome.msg

<Anonymous /ftp/ftp.linux.co.uk>
        User                    ftp
        Group                   ftp
        UserAlias               anonymous ftp
        RequireValidShell       no
        MaxClients              20
        AccessGrantMsg          "Welcome to Tux's kingdom oh chilly anonymous user"

        <Directory pub/incoming/*>
                <Limit ALL>
                        DenyAll
                </Limit>
        </Directory>

        <Directory pub/ftech/*>
                <Limit ALL>
                        Order Deny,Allow
                        Allow 212.32.5.0/26
                        Allow 212.32.4.0/24
                        Allow 212.32.17.0/24
                </Limit>
        </Directory>

        <Directory pub/incoming/*>
                <Limit STOR>
                        AllowAll
                </Limit>
                <Limit WRITE DIRS READ>
                        DenyAll
                </Limit>
                <Limit CWD XCWD CDUP>
                        AllowAll
                </Limit>
        </Directory>

</Anonymous>

<Limit ALL>
        AllowUser linux
        DenyAll
</Limit>

</VirtualHost>


Another Example Config file

############ My proftpd.conf:

ServerType standalone
User nobody
Group nobody
MaxInstances 30
TimeoutStalled 300

AllowRetrieveRestart on
AllowStoreRestart on

AuthAliasOnly on
CommandBufferSize 20
DefaultRoot ~/ftpd
DefaultServer on
DeferWelcome on
SystemLog /var/log/ftpd/proftpd.log
ExtendedLog /var/log/ftpd/auth.log AUTH auth
ExtendedLog /var/log/ftpd/access.log READ,WRITE write
ExtendedLog /var/log/ftpd/all.log ALL
TransferLog /var/log/ftpd/xfer.log
SyslogLevel debug
HiddenStor on
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat write "%h %l %u %t \"%r\" %s %b"
MaxClients 5
MaxClientsPerHost 3
PathDenyFilter "(.ftpaccess)|(.htaccess)$"
Port 21
Umask 022

<Directory /*>
  AllowOverwrite on
</Directory>

UserAlias anonymous karel

<Anonymous /var/ftpd>
  User karel
  Group karel
  AuthAliasOnly on
  MaxClients 10
  RequireValidShell no

  AllowRetrieveRestart on
  AllowStoreRestart on


  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
  <Directory upload>
    <Limit READ WRITE>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
<Limit LOGIN>
        AllowAll
</Limit>

<Global>
        AllowOverwrite off              #on/off
        AllowRetrieveRestart on         #on/off
</Global>


Date: Sun, 21 Nov 1999 21:01:10 +0000 (GMT)
From: The Flying Hamster [hamster@vom.tm]
To: proftpd@proftpd.net
Subject: Re: [ProFTPD] Modules? Where?

On Tue, 16 Nov 1999, Patrick Maartense wrote:

> Quick Question..
> Where to get extra Modules for Proftpd??

Pretty much all the modules are included in the source distribution

The modules in the pre9 tarball are

contrib/mod_ldap.c
contrib/mod_linuxprivs.c
contrib/mod_mysql.c
contrib/mod_pgsql.c
contrib/mod_ratio.c
contrib/mod_sqlpw.c
doc/mod_sample.c
modules/mod_auth.c
modules/mod_core.c
modules/mod_linuxprivs.c
modules/mod_log.c
modules/mod_ls.c
modules/mod_pam.c
modules/mod_pgsql.c
modules/mod_ratio.c
modules/mod_readme.c
modules/mod_site.c
modules/mod_tar.c
modules/mod_test.c
modules/mod_unixpw.c
modules/mod_xfer.c

The default compilation includes the following modules

library:~# proftpd -l
Compiled-in modules:
  mod_core.c
  mod_auth.c
  mod_xfer.c
  mod_site.c
  mod_ls.c
  mod_unixpw.c
  mod_log.c

To include additional modules do something like

./configure --with-modules=mod_readme:mod_ldap
make
make install

etc etc

	Mark

-- 
This is a sig, it's not a smart sig or an AI sig, but it's a sig to
replace the sig that died during the death of data... the sig is dead,
long live the sig


Also refer to: Secure FTP transfers via Secure Shell Tunnelling

Date: Mon, 22 Nov 1999 12:52:37 +0200 (EET)
From: typo [typo@pc031.otanner.as.tampere.fi]
To: proftpd@proftpd.net
Subject: Re: [ProFTPD] sniffable passwords on linux and  freebsd3.3-stable

On Mon, 22 Nov 1999, Lachlan Cranswick wrote:

> >o Tunnel your ftp traffic through ssh whenever possible (!!!)
> 
> Is there a web-page on how you would do this with the GUI based
> FTP client programs connecting to a ProFTPD server?

(assuming you're using windows to connect to a *nix server)

1. Launch SSH.
2. Go to the preferences and click on the tab 'forwarding' (or
   'tunneling' in the new SSH2).
3. Select 'local' forwarding (all connections to the specified port on the
   local computer will be forwarded over the SSH connection to the
   specified port on the remote computer), port 21 on both local and
   remote computer (or, if the remote ftp server is using some other port,
   change that remote port accordingly) and fill in the remote computer's
   name/IP.
4. Connect to the remote computer with SSH.
5. Launch your FTP client and connect to your localhost, with the remote
   server's login name and password and you're all set. Everything is now
   tunneled through the SSH secure connection.

If you're using *nix - *nix connections, read through SSH man pages and
look for the -L option (local forwarding).

Securing FTP traffic over an SSH connection when connecting to a Windows
FTP server is a bit more cumbersome and I won't cover it here. Just use
Linux/Unix ;)

	.pi.

--
Petteri Lyytinen -+- typo@cc.tut.fi -+- http://vapaa.intternetti.com/~typo

		Once you stop trying,
			you can start succeeding.

Date: Mon, 22 Nov 1999 12:16:33 +0100 (MET)
From: "V. T. Mueller" [vtmue@uni-freiburg.de]
To: proftpd@proftpd.net
Subject: Re: [ProFTPD] sniffable passwords on linux and  freebsd3.3-stable

The only caveat is that this only works for ftp clients that support
ftp-sessions over *one port only*. If I don't mix it up that's called
passive ftp, where active ftp opens one port for control and one for data.

Of course ssh doesn't know anything about that second port and any
ftp-session attempt will fail until the client is told to work in passive
mode (which is not the default).

Regards,
Volker


Date: Mon, 22 Nov 1999 16:56:22 +0000 (GMT)
From: The Flying Hamster [hamster@vom.tm]
cc: proftpd@proftpd.net
Subject: Re: [ProFTPD] sniffable passwords on linux and  freebsd3.3-stable

On Mon, 22 Nov 1999, Leho Kraav wrote:

> On Mon, 22 Nov 1999 12:16:33 +0100 (MET), you -> about "Re: [ProFTPD] sniffable
> passwords on linux and  freebsd3.3-stable":
> 
> >The only caveat is that this only works for ftp clients that support
> >ftp-sessions over *one port only*. If I don't mix it up that's called
> >passive ftp, where active ftp opens one port for control and one for data.
> 
> AFAIK, that is incorrect. FTP works over two ports, in passive and in active
> mode. Passive mode is when the FTP server is set to listen for the client to
> specify the data connection port, so that the firewalls would let the data
> through on that port. In normal operation, FTP server sends the client
> information on what port to listen to.

[few minutes reading later...]

Passive Mode connections work the same way as normal (Active Mode)
connections, except the data connection is also made from the client to
the server ie made to port ftp-data (20). This avoids the problem of
incoming data connections being blocked by the firewall by making both
connections from the client.

What it boils down to is

Active
	control channel, port 21
	data channel, server specifies random port.

Passive
	control channel, port 21
	data channel, port 20

I guess it's doc time :)

	Mark

-- 
This is a sig, it's not a smart sig or an AI sig, but it's a sig to
replace the sig that died during the death of data... the sig is dead,
long live the sig


SSH Tunnelling via ProFTPD


I see the following logins that are nearly immediately disconnected. Is ProFTPD kicking people off?


Nov 26 15:48:34 5E:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:37 5D:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
Nov 26 15:48:41 5E:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:43 5D:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
Nov 26 15:48:48 5E:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:50 5D:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.

Things are possibly OK here. Programs such as the lynx ASCII terminal-based web browser behave like this: after a directory listing, the client disconnects. If the user decides to continue, it logs in again to do another directory listing.
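To see whether entries like these fit the connect, list, disconnect pattern described above, the login and close lines can be paired per proftpd process ID and the session lengths measured. This is an added example, not part of the original page; the thresholds and ASSUMED_YEAR are assumptions, and the script only measures durations, it cannot tell which side closed the connection.

```python
import re
from datetime import datetime

# The six syslog lines shown above, verbatim.
SAMPLE_LOG = """\
Nov 26 15:48:34 5E:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:37 5D:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
Nov 26 15:48:41 5E:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:43 5D:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
Nov 26 15:48:48 5E:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful.
Nov 26 15:48:50 5D:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed.
"""

ASSUMED_YEAR = 2000  # assumption: syslog timestamps carry no year

# timestamp, syslog host, proftpd[pid], server address, (client name[client ip]), message
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \([^\[]*\[(?P<client>[^\]]+)\]\) - (?P<msg>.*)$"
)


def parse_time(ts):
    return datetime.strptime("%d %s" % (ASSUMED_YEAR, ts), "%Y %b %d %H:%M:%S")


def session_durations(log_text):
    """Pair 'Login successful' with 'FTP session closed' per proftpd PID."""
    open_logins = {}  # pid -> (client ip, login time)
    sessions = []     # (client ip, pid, seconds)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, client = m.group("pid"), m.group("client")
        when, msg = parse_time(m.group("ts")), m.group("msg")
        if msg.endswith("Login successful."):
            open_logins[pid] = (client, when)
        elif msg.startswith("FTP session closed") and pid in open_logins:
            who, started = open_logins.pop(pid)
            sessions.append((who, int(pid), int((when - started).total_seconds())))
    return sessions


def reconnecting_clients(sessions, max_seconds=10, min_sessions=3):
    """Clients with at least min_sessions sessions of max_seconds or less each."""
    counts = {}
    for client, _pid, seconds in sessions:
        if seconds <= max_seconds:
            counts[client] = counts.get(client, 0) + 1
    return {c: n for c, n in counts.items() if n >= min_sessions}


if __name__ == "__main__":
    found = session_durations(SAMPLE_LOG)
    for client, pid, seconds in found:
        print("%s pid %d: %d s" % (client, pid, seconds))
    print("reconnect-per-listing pattern:", reconnecting_clients(found))
```
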


From: "Thomas Gelf" [thomas@gelf.it]
To: [proftpd-users@proftpd.org]
Subject: Re: [Proftpd-user] Proftpd on Solaris 8
Date: Fri, 6 Apr 2001 00:22:16 +0200

denis> 500 Illegal PORT command. 
denis> 425 Can't build data connection: Connection refused 

hmmm... this happens when I try to connect to any FTP Server
if I am behind a router or firewall doing NAT (masquerading) 
for me. you should configure your client to use PASV mode.

is this a general ftp/nat problem? and is there any other 
solution instead of using passive mode?


From: "Thomas Gelf" [thomas@gelf.it]
To: [proftpd-users@proftpd.org]
Subject: AW: [Proftpd-user] Proftpd on Solaris 8
Date: Fri, 6 Apr 2001 00:25:53 +0200

TJ.> These messages are saying the PORT command issued by your client is for an
TJ.> IP address different from that of the client.  To allow this, you
TJ.> specifically need to set "AllowForeignAddress on" in your proftpd.conf.

hmmm... allowing foreign addresses should fix this? if you have been
masqueraded too? I don't think that enabling this would be a good idea...


Date: Thu, 5 Apr 2001 22:54:22 +0000 (GMT)
From: TJ Saunders [tj@digisle.net]
X-Sender: tj@guinness.digisle.com
To: proftpd-users@proftpd.org
Subject: Re: AW: [Proftpd-user] Proftpd on Solaris 8

tj>Depends...using AllowForeignAddress works, but only if the IP addresses
tj>involved are not RFC 1918 non-routable addresses. ;)

Ack...I misspoke myself.  The reason I suggested AllowForeignAddress is
that that particular error message, "(address mismatch)", can many times
be resolved using AllowForeignAddress -- but that raises other
considerations, as mentioned in the docs:

  http://www.proftpd.org/docs/configuration.html#AllowForeignAddress

The use of RFC 1918 addresses is a different issue.  My apologies for
adding any confusion...=/

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Axioms in philosophy are not axioms until they are proved upon our pulses:
   we read fine things but never feel them to the full until we have gone
   the same steps as the author.
   
   	John Keats
   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


From: Mike McFaul [mikey@ccs.carleton.ca]
Subject: Re: [Proftpd-user] Proftpd on Solaris 8
To: proftpd-users@proftpd.org
Date: Thu, 5 Apr 2001 22:26:00 -0400 (EDT)

Part of the problem is IPv6 and solaris 8. Change your inetd.conf file
to show 'tcp' as the service type, not 'tcp6'. This will allow proftpd
to resolve the foreign addresses properly.

Proftpd really should have IPv6 support soon, or the install
instructions should mention this problem....

> 
> Hello,
> 
> I try to install proftpd-1.2.0pre10 on a SUN Ultra 10 under Solaris 8.
> I use the basic.conf file. When I would like to see what is there on the
> ftp directory (toto), I have the message following:
> 
> 220 ProFTPD 1.2.0pre10 Server (ProFTPD Default Installation) [boracay]
> Name (boracay:root): ftptest
> 331 Password required for ftptest.
> Password:
> 230 User ftptest logged in.
> ftp> pwd
> 257 "/toto" is current directory.
> ftp> ls
> 500 Illegal PORT command.
> 425 Can't build data connection: Connection refused
> ftp> put TCP1266
> 500 Illegal PORT command.
> ftp> quit
> 221 Goodbye.
> 
> I have the same message when I want to put a file in this directory.
> 
> In the log, I have the following message:
> 
> (0.0.0.0[0.0.0.0]) - Refused PORT 192,168,4,8,133,199 (address
> mismatch).
> Apr  5 23:40:56 boracay proftpd[5389]: [ID 567783 daemon.warning]
> boracay (0.0.0.0[0.0.0.0]) - Refused PORT 192,168,4,8,133,200 (address
> mismatch).
> Apr  5 23:41:12 boracay proftpd[5389]: [ID 567783 daemon.notice] boracay
> (0.0.0.0[0.0.0.0]) - FTP session closed.
> 
> In advance thank you for your help. This is the second night I worked
> on.
> 
> Best regards.
> 
> Denis.
> 


-- 
Mike McFaul -- phone: 520-2600 ext 3708 -- email: mikey@ccs.carleton.ca


Date: Fri, 6 Apr 2001 03:41:40 +0000 (GMT)
From: TJ Saunders [tj@digisle.net]
To: proftpd-users@proftpd.org
Subject: Re: [Proftpd-user] Proftpd on Solaris 8

mikey>Part of the problem is IPv6 and solaris 8. Change your inetd.conf file
mikey>to show 'tcp' as the service type, not 'tcp6'. This will allow proftpd
mikey>to resolve the foreign addresses properly.
mikey>
mikey>Proftpd really should have IPv6 support soon, or the install
mikey>instructions should mention this problem....

IPv6 support will definitely be in the 1.3.x devel tree.  In the meantime,
there is a post that mentions an IPv6 patch for ProFTPD:

  http://www.proftpd.org/proftpd-devel-archive/00-10/msg00156.html

Hope this helps...

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   The Universe is change; life is opinion.
   
   	-Marcus Aurelius
   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
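The "Refused PORT ... (address mismatch)" entries discussed in this thread can be decoded and sorted by cause, which separates the three situations the posters describe. This is an added example, not code from the thread or from ProFTPD; the verdict names are made up here, the first two log lines are the ones quoted above with the mail line-wrapping undone, and the last two are constructed.

```python
import ipaddress
import re

# Lines 1-2: quoted in the thread. Lines 3-4: constructed to show the other verdicts.
SAMPLE_LOG = """\
(0.0.0.0[0.0.0.0]) - Refused PORT 192,168,4,8,133,199 (address mismatch).
Apr  5 23:40:56 boracay proftpd[5389]: [ID 567783 daemon.warning] boracay (0.0.0.0[0.0.0.0]) - Refused PORT 192,168,4,8,133,200 (address mismatch).
Apr  5 23:45:01 boracay proftpd[5401]: [ID 567783 daemon.warning] boracay (gw.example.net[203.0.113.7]) - Refused PORT 192,168,1,20,4,1 (address mismatch).
Apr  5 23:46:10 boracay proftpd[5402]: [ID 567783 daemon.warning] boracay (gw.example.net[203.0.113.7]) - Refused PORT 198,51,100,9,4,1 (address mismatch).
"""

# (client name[client ip]) - Refused PORT h1,h2,h3,h4,p1,p2
REFUSED = re.compile(
    r"\((?P<name>[^()\[\]]*)\[(?P<peer>[0-9.]+)\]\) - Refused PORT (?P<arg>[0-9,]+)"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_port_arg(arg):
    """Decode the PORT argument 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT argument needs six decimal fields: %r" % arg)
    nums = [int(f) for f in fields]
    if max(nums) > 255:
        raise ValueError("PORT field out of range 0-255: %r" % arg)
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify(peer, announced):
    """Say why the PORT address differs from the control-connection peer."""
    if peer.is_unspecified:
        # Server logged 0.0.0.0 as the client, as in the Solaris 8 report:
        # every PORT mismatches until the peer address is seen correctly.
        return "peer-unknown"
    if announced == peer:
        return "match"
    if is_rfc1918(announced) and not is_rfc1918(peer):
        # Private address announced through NAT: the client should use PASV.
        return "client-behind-nat"
    # The case AllowForeignAddress would permit: data goes to a third host.
    return "foreign-address"


def analyze(log_text):
    findings = []
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if not m:
            continue
        peer = ipaddress.IPv4Address(m.group("peer"))
        addr, port = decode_port_arg(m.group("arg"))
        findings.append({"peer": str(peer), "announced": str(addr),
                         "port": port, "verdict": classify(peer, addr)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("%(peer)-15s PORT %(announced)s:%(port)d -> %(verdict)s" % f)
```
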


Another idea if Netscape or Internet Explorer cannot browse your anonymous FTP area

Date: Thu, 12 Apr 2001 20:51:52 +0100
From: The Flying Hamster (hamster@vom.tm)
To: proftpd-users@proftpd.org
Subject: Re: [Proftpd-user] Additional information on using an HTTP browser

On Thu, Apr 12, 2001 at 03:31:49PM -0700, Lachlan Cranswick wrote:
> 
> In terms of this being a ProFTPD problem(?).  Are you using the latest
> release or CVS of ProFTPD?
> 
> From memory - Netscape (and maybe IE) use PASV mode for browsing 
> FTP sites(?) - so any FTPD with a bug in the PASV mode could give
> problems with the browsers - that would not be easily
> reproducible with default FTP client software.  A previous version 
> of ProFTPD did have a problem with PASV - thus using the latest
> ProFTPD may cure the problem.

Hint for the day:

     MultilineRFC2228 yes


Masquerading the IP Address behind a Firewall

Date: Fri, 13 Apr 2001 10:06:33 +0000 (GMT)
From: TJ Saunders <tj@digisle.net>
To: proftpd-users@proftpd.org
Subject: Re: [Proftpd-user] Wrong IP address returned to incoming user?


blayde>(http://www.proftpd.org/docs/configuration.html) I tried a
blayde>few things, but couldn't seem to get it to work, would you
blayde>be inclined to send the syntax of the command?
blayde>
blayde>I would greatly appreciate it. :)

Sure. =)  The syntax should be documented in the Configuration.html file,
if you download the source code, under the doc/ subdirectory.  Otherwise,
it's:

  MasqueradeAddress <dns-hostname>|<ip-address>

It should appear either in the main configuration content, or in a
<VirtualHost> context.  It's a fairly new directive (appeared in
proftpd-1.2.2rc1), which is why it may not be on the website yet.

Hope this helps...

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Once more upon the waters! yet once more!
   And the waves bound beneath me as a steed
   That knows his rider.
   
   	-Lord Byron



If you have any queries or comments, please feel free to contact the CCP14