Wednesday, 31 October 2012

Enable tls/ssl in proftpd

Question: How to enable TLS/SSL in ProFTPD

Benefits of TLS/SSL
TLS/SSL provides numerous benefits to clients and servers over other methods of authentication, including:
- Strong authentication, message privacy, and integrity
- Interoperability
- Algorithm flexibility
- Ease of deployment
- Ease of use

1- Install ProFTPD and OpenSSL

On Debian/Ubuntu:
apt-get install proftpd openssl
On CentOS/RHEL:
yum install proftpd openssl

2- Create a directory to hold the SSL certificate and key

mkdir /opt/ssl/
cd /opt/ssl

3- Generate a self-signed certificate with (-x509 produces a self-signed certificate instead of a signing request; -nodes leaves the private key unencrypted so proftpd can start without a passphrase prompt):

openssl req -new -x509 -days 365 -nodes -out proftpd.cert.pem -keyout proftpd.key.pem
Generating a 2048 bit RSA private key
.....................+++
..........+++
writing new private key to 'proftpd.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:NL
State or Province Name (full name) []:Adam
Locality Name (eg, city) [Default City]:Adam
Organization Name (eg, company) [Default Company Ltd]:Unixmen
Organizational Unit Name (eg, section) []:Unixmen
Common Name (eg, your name or your server's hostname) []:Unixmen-test
Email Address []:@unixmen.com

4- Enable TLS In ProFTPd

Edit /etc/proftpd/proftpd.conf (Ubuntu/Debian) or /etc/proftpd.conf (CentOS) and add:

<IfModule mod_tls.c>
 TLSEngine                  on
 TLSLog                     /var/log/proftpd/tls.log
 TLSProtocol                SSLv23
 TLSOptions                 NoCertRequest
 TLSRSACertificateFile      /opt/ssl/proftpd.cert.pem
 TLSRSACertificateKeyFile   /opt/ssl/proftpd.key.pem
 TLSVerifyClient            off
 TLSRequired                on
</IfModule>

5- Check that proftpd was built with mod_tls (mod_tls should appear in the list of loaded modules):

# proftpd -vv
 ProFTPD Version: 1.3.3g (maint)
 Scoreboard Version: 01040003
 Built: Thu Nov 10 2011 16:20:47 UTC
Loaded modules:
 mod_lang/0.9
 mod_ctrls/0.9.4
 mod_cap/1.0
 mod_vroot/0.9.2
 mod_tls/2.4.2
 mod_auth_pam/1.1
 mod_readme.c
 mod_ident/1.0
 mod_dso/0.5
 mod_facts/0.1
 mod_delay/0.6
 mod_site.c
 mod_log.c
 mod_ls.c
 mod_auth.c
 mod_auth_file/0.8.3
 mod_auth_unix.c
 mod_xfer.c
 mod_core.c
6- Now start proftpd

/etc/init.d/proftpd start
Starting proftpd:                                          [  OK  ]

and you are done!
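As an added example that is not part of the original post, the following Python script parses the <IfModule mod_tls.c> block above (reproduced as a constructed sample) and flags the settings a reviewer would question: TLSProtocol SSLv23 tells mod_tls to offer whatever the SSL library supports, which on old builds includes SSLv2 and SSLv3, and TLSRequired off would let clients log in without TLS at all. The hardened variant substitutes TLSProtocol TLSv1.2, which assumes a ProFTPD build whose mod_tls accepts that value (1.3.5 and later; the 1.3.3g shown above may not).

```python
"""Audit the mod_tls block of a ProFTPD configuration.

Added example, not code from the post or from ProFTPD. The sample configs below
are constructed: WEAK_CONF is the block from the post, STRONG_CONF swaps
TLSProtocol to TLSv1.2 (assumption: a mod_tls build that accepts that value).
"""
import re
from typing import Dict, List, Tuple

WEAK_CONF = """\
ServerName "Unixmen-test"
<IfModule mod_tls.c>
 TLSEngine                  on
 TLSLog                     /var/log/proftpd/tls.log
 TLSProtocol                SSLv23
 TLSOptions                 NoCertRequest
 TLSRSACertificateFile      /opt/ssl/proftpd.cert.pem
 TLSRSACertificateKeyFile   /opt/ssl/proftpd.key.pem
 TLSVerifyClient            off
 TLSRequired                on
</IfModule>
"""
STRONG_CONF = re.sub(r"TLSProtocol\s+SSLv23", "TLSProtocol TLSv1.2", WEAK_CONF)

# SSLv23 in mod_tls means "whatever the SSL library offers", which on old builds
# includes SSLv2/SSLv3; the remaining entries are deprecated protocol versions.
LEGACY_PROTOCOLS = {"SSLv23", "SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_proftpd(text: str) -> List[Tuple[Tuple[str, ...], str, str]]:
    """Flatten ProFTPD's Apache-style config into (context, directive, value) triples.

    context is the tuple of enclosing blocks, e.g. ("IfModule mod_tls.c",).
    """
    out, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        m = _CLOSE.match(line)
        if m:
            if not stack or not stack[-1].startswith(m.group(1)):
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
            continue
        parts = line.split(None, 1)
        out.append((tuple(stack), parts[0], parts[1] if len(parts) > 1 else ""))
    if stack:
        raise ValueError(f"unclosed block <{stack[-1]}>")
    return out


def tls_directives(text: str) -> Dict[str, str]:
    """Directives that live inside an <IfModule mod_tls.c> block."""
    return {d: v for ctx, d, v in parse_proftpd(text)
            if any(c.startswith("IfModule mod_tls") for c in ctx)}


def audit_tls(text: str) -> List[str]:
    """Return findings for the mod_tls block; an empty list means nothing was flagged."""
    tls = tls_directives(text)
    findings = []
    if tls.get("TLSEngine", "off").lower() != "on":
        findings.append("TLSEngine is not on: sessions stay plaintext")
    proto = tls.get("TLSProtocol")
    if proto is None:
        findings.append("TLSProtocol not set: the build default decides what is offered")
    else:
        legacy = sorted(t for t in re.split(r"[\s,]+", proto) if t in LEGACY_PROTOCOLS)
        if legacy:
            findings.append("TLSProtocol permits legacy protocol(s): " + ", ".join(legacy))
    if tls.get("TLSRequired", "off").lower() != "on":
        findings.append("TLSRequired is not on: clients may still log in without TLS")
    for d in ("TLSRSACertificateFile", "TLSRSACertificateKeyFile"):
        if d not in tls:
            findings.append(f"{d} missing: no certificate/key to present")
    return findings


if __name__ == "__main__":
    for name, conf in (("post's config", WEAK_CONF), ("hardened", STRONG_CONF)):
        print(name, "->", audit_tls(conf) or "OK")
```

Run against the post's block the only finding is the SSLv23 protocol setting; the hardened variant passes clean. The parser tracks block nesting so that a TLSEngine line outside the <IfModule mod_tls.c> block is not mistaken for the real setting.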

Tuesday, 30 October 2012

ProFTPD module mod_vroot

This module is contained in the mod_vroot.c file for ProFTPD 1.3.x, and is not compiled by default. Installation instructions are given in the Installation section below. The purpose of this module is to implement a virtual chroot capability that does not require root privileges. The mod_vroot module provides this capability by using ProFTPD's FS API, available as of 1.2.8rc1.
The most current version of mod_vroot can be found at:
  http://www.castaglia.org/proftpd/

Author

Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.

Thanks

2003-08-26: Thanks to Oskar Liljeblad for the elegant patch that added symlink support.

Directives


VRootAlias

Syntax: VRootAlias src-path dst-path
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.3.2 and later

The VRootAlias directive is used to create an "alias" of a directory outside of the chroot area into the chroot. The dst-path parameter is a relative path, relative to the chroot area (i.e. the directory in which the session starts). The src-path parameter, on the other hand, is an absolute path, and may be to a file or directory.
For example, you might map a shared upload directory into a user's home directory using:
  <IfModule mod_vroot.c>
    VRootEngine on

    DefaultRoot ~
    VRootAlias /var/ftp/upload ~/upload
  </IfModule>
This will automatically cause an "upload" directory to appear in the chroot area (in this case, the user's home directory). Note that this directive will not work if VRootServerRoot is used.

VRootEngine

Syntax: VRootEngine on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.2.8rc1 and later

The VRootEngine directive enables the virtual chroot engine implemented by mod_vroot. If enabled, the virtual chroot will be used in place of the operating system's chroot(2). This directive affects any DefaultRoot directives and any <Anonymous> contexts within the server context in which the VRootEngine directive appears.

VRootLog

Syntax: VRootLog file
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.3.0rc1 and later

The VRootLog directive is used to specify a log file for mod_vroot's reporting on a per-server basis. The file parameter given must be the full path to the file to use for logging.

VRootOptions

Syntax: VRootOptions opt1 ...
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.2.9rc2 and later

The VRootOptions directive is used to configure various optional behavior of mod_vroot.
Example:
  VRootOptions allowSymlinks
The currently implemented options are:
  • allowSymlinks
    Normally, any symlinks that point outside of the vroot area simply do not work. When the allowSymlinks option is enabled, these symlinks will be allowed. Note that by enabling symlinks, the efficacy of the vroot "jail" is reduced.

VRootServerRoot

Syntax: VRootServerRoot path
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_vroot
Compatibility: 1.3.2rc1 and later

The VRootServerRoot directive is used to configure a directory to which the mod_vroot module will perform a real chroot. The idea is that each <VirtualHost> can have its own directory to which a real chroot(2) system call is made; the user-specific home directories will be virtual roots underneath this directory. Thus some measure of security, via the chroot(2) system call, is provided by the kernel, while still allowing symlinked shared folders among users of this <VirtualHost>.
For example:
  <VirtualHost a.b.c.d>
    VRootEngine on
    VRootServerRoot /etc/ftpd/a.b.c.d/
    VRootOptions allowSymlinks
    DefaultRoot ~
    ...
  </VirtualHost>
See also: VRootOptions
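To make the directive semantics above concrete, here is an added toy model (not mod_vroot's own code) of what a virtual chroot does to the paths a client sends: the path is interpreted relative to the vroot and normalised so that ".." cannot climb above it, a VRootAlias destination is redirected to its real source directory, and a symlink whose target lies outside the jail only works when allowSymlinks is set, which is the sense in which that option reduces the jail's efficacy. The alias table and the symlink table are constructed in-memory stand-ins for the real filesystem; the real module does this inside ProFTPD's FS API hooks.

```python
"""Toy model of what mod_vroot's virtual chroot does to client paths.

Added example, not mod_vroot's own code. It models three things from the
directives above: a virtual root that '..' cannot climb out of, VRootAlias
mapping a virtual directory onto a real one outside the root, and the
allowSymlinks option. Aliases and symlinks are constructed in-memory tables.
"""
import posixpath
from typing import Dict, Optional


class VRoot:
    def __init__(self, root: str, aliases: Optional[Dict[str, str]] = None,
                 symlinks: Optional[Dict[str, str]] = None, allow_symlinks: bool = False):
        self.root = posixpath.normpath(root)
        # Keyed by the VRootAlias dst-path, which is relative to the root
        # ("~/upload" or "upload"); the value is the absolute src-path.
        self.aliases = {"/" + dst.replace("~", "", 1).strip("/"): posixpath.normpath(src)
                        for dst, src in (aliases or {}).items()}
        # Constructed stand-in for the real filesystem: link path -> link target.
        self.symlinks = {posixpath.normpath(k): v for k, v in (symlinks or {}).items()}
        self.allow_symlinks = allow_symlinks

    def _inside(self, real: str) -> bool:
        """A real path is inside the jail if it is under the root or under an alias source."""
        areas = [self.root, *self.aliases.values()]
        return any(real == a or real.startswith(a + "/") for a in areas)

    def resolve(self, client_path: str, cwd: str = "/") -> str:
        """Map a client-supplied path to the real path it would reach."""
        # 1. Virtual chroot: the path is interpreted relative to the vroot, and
        #    normalisation makes "/.." equal to "/", so ".." cannot climb above it.
        virtual = posixpath.normpath(posixpath.join("/", cwd, client_path))
        # 2. VRootAlias: a virtual directory is backed by a real one outside the root.
        for dst, src in self.aliases.items():
            if virtual == dst or virtual.startswith(dst + "/"):
                real = posixpath.normpath(posixpath.join(src, virtual[len(dst):].lstrip("/")))
                break
        else:
            real = posixpath.normpath(posixpath.join(self.root, virtual.lstrip("/")))
        # 3. Symlinks (one level): a link whose target leaves the jail only works
        #    with VRootOptions allowSymlinks, which is why that option weakens it.
        for link, target in self.symlinks.items():
            if real == link or real.startswith(link + "/"):
                followed = posixpath.normpath(
                    posixpath.join(posixpath.dirname(link), target) + real[len(link):])
                if not self._inside(followed) and not self.allow_symlinks:
                    raise PermissionError(f"{client_path}: symlink {link} -> {target} leaves the vroot")
                return followed
        return real


def demo_vroot(allow_symlinks: bool = False) -> VRoot:
    """The documentation's example: DefaultRoot ~ for user alice plus a shared upload alias."""
    return VRoot("/home/alice",
                 aliases={"~/upload": "/var/ftp/upload"},
                 symlinks={"/home/alice/shadow": "/etc/shadow",        # points outside
                           "/home/alice/docs": "public/docs"},         # stays inside
                 allow_symlinks=allow_symlinks)


if __name__ == "__main__":
    v = demo_vroot()
    print(v.resolve("../../etc/passwd"))   # stays under /home/alice
    print(v.resolve("/upload/file.txt"))   # served from /var/ftp/upload
    print(v.resolve("docs/a.txt"))         # in-jail symlink is fine
    try:
        v.resolve("shadow")
    except PermissionError as e:
        print("refused:", e)
```

The interesting case is the last one: the same symlink that is refused by default is followed to /etc/shadow once allowSymlinks is set, which is the trade-off the VRootOptions text describes.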

Installation

After unpacking and patching the latest proftpd-1.3.x source code, copy the mod_vroot.c file into:
  proftpd-dir/contrib/
Then follow the normal steps for using third-party modules in proftpd:
  ./configure --with-modules=mod_vroot
  make
  make install

Author: $Author: tj $
Last Updated: $Date: 2009/10/19 16:30:18 $

© Copyright 2000-2009 TJ Saunders
All Rights Reserved

How to install and configure vsftpd

This tutorial focuses on how to set up a vsftpd server on your Linux-based VPS or dedicated server. vsftpd stands for "Very Secure FTP Daemon". It is not just secure, as the name suggests, but also delivers excellent performance while consuming little memory. The tutorial also shows you how to configure it by adding FTP users and locking each user into their own directory.
You can install vsftpd on Ubuntu / Debian, CentOS / Fedora and RHEL Linux.

Installing vsftpd on Ubuntu or Debian
sudo apt-get install vsftpd
Installing vsftpd on CentOS / Fedora
yum install vsftpd
How to configure vsftpd:
Now that you've installed vsftpd, follow this procedure to configure it. These steps apply to both families of distributions.
Before you get started, stop the vsftpd by typing:
service vsftpd stop
Edit vsftpd.conf
In Ubuntu / Debian:
vi /etc/vsftpd.conf
In Red Hat / CentOS
vi /etc/vsftpd/vsftpd.conf
Make the following changes:
We don’t want anonymous login:
anonymous_enable=NO
Enable local users:
local_enable=YES
The ftpuser should be able to write data:
write_enable=YES
Turn off connecting from port 20 for data connections; port 20 is a privileged port, so not using it lets vsftpd run with less privilege:
connect_from_port_20=NO
Chroot everyone:
chroot_local_user=YES
Set the umask to 022 to make sure that all the files (644) and folders (755) you upload get the proper permissions:
local_umask=022
Now that the basic configuration is complete, let us lock a directory down to a single user. Create the user with that directory as its home and with no login shell:
sudo useradd -d /var/www/path/to/your/dir -s /usr/sbin/nologin ftpuser
Setup a password for the user:
sudo passwd ftpuser
To let ftpuser read and write data in its home directory, change the ownership and permissions:
sudo chown -R ftpuser /var/www/path/to/your/dir
sudo chmod 775 /var/www/path/to/your/dir
Create userlist file and add the user:
Ubuntu / Debian:
vi /etc/vsftpd.userlist
CentOS / Fedora
vi /etc/vsftpd/vsftpd.userlist
and add the user:
ftpuser
Save the file and open vsftpd.conf again (/etc/vsftpd/vsftpd.conf on CentOS / Fedora):
vi /etc/vsftpd.conf
Add the following lines at the end of the file and save it:
# the list of users to give access
userlist_file=/etc/vsftpd.userlist
# this list is on
userlist_enable=YES
# It is not a list of users to deny ftp access
userlist_deny=NO
After completing all these steps it is almost ready to use; if you give it a try now, though, you will get a 500 OOPS permission denied error. To fix it you need to add nologin to the list of valid shells:
vi /etc/shells
The file should look like this:
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
Add this line at the end:
/usr/sbin/nologin
Now create a usergroup and add the ftpuser to it:
sudo addgroup ftpusers
sudo usermod -a -G ftpusers ftpuser
(On CentOS / Fedora use groupadd ftpusers instead of addgroup; -a appends the group so that any existing supplementary groups of ftpuser are kept.)
Now start the vsftpd:
service vsftpd start
That’s it. Now you have a secure installation of vsftpd on your server.
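The two settings in this procedure that most often go wrong are the userlist_deny flag (with userlist_enable=YES, the file is a blocklist when userlist_deny=YES, its default, and an allowlist only when it is NO, so forgetting that line locks ftpuser out and lets everyone else in) and the strict key=value syntax, where a stray trailing space on a boolean stops vsftpd from starting. As an added example, not part of the original tutorial, the following Python script parses a constructed copy of the settings above, decides who can log in, and works out the file and directory modes that local_umask produces. The DEFAULTS table holds vsftpd's documented defaults for the keys the tutorial touches.

```python
"""Who gets in under a vsftpd.conf plus a userlist_file?

Added example, not code from the tutorial or from vsftpd. POST_CONF and
POST_USERLIST are constructed from the tutorial's settings; DEFAULTS are the
documented vsftpd defaults for the keys the tutorial touches.
"""
from typing import Dict, Set, Tuple, Union

Value = Union[bool, str]
BOOL_KEYS = {"anonymous_enable", "local_enable", "write_enable", "connect_from_port_20",
             "chroot_local_user", "userlist_enable", "userlist_deny"}
DEFAULTS: Dict[str, Value] = {
    "anonymous_enable": True, "local_enable": False, "write_enable": False,
    "connect_from_port_20": False, "chroot_local_user": False,
    "userlist_enable": False, "userlist_deny": True,
    "userlist_file": "/etc/vsftpd.user_list", "local_umask": "077",
}

POST_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
connect_from_port_20=NO
chroot_local_user=YES
local_umask=022
# the list of users to give access
userlist_file=/etc/vsftpd.userlist
# this list is on
userlist_enable=YES
# It is not a list of users to deny ftp access
userlist_deny=NO
"""
POST_USERLIST = "ftpuser\n"


def parse_vsftpd(text: str) -> Dict[str, Value]:
    """Parse key=value lines on top of the defaults.

    vsftpd refuses to start on a boolean it cannot read, so an unexpected
    spelling or a trailing space ("YES ") is rejected here as well.
    """
    conf = dict(DEFAULTS)
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if "=" not in raw:
            raise ValueError(f"line {n}: expected key=value")
        key, value = raw.split("=", 1)
        if key in BOOL_KEYS:
            if value not in ("YES", "NO"):
                raise ValueError(f"line {n}: bad bool value for {key}: {value!r}")
            conf[key] = value == "YES"
        else:
            conf[key] = value
    return conf


def userlist_names(text: str) -> Set[str]:
    """One user name per line; blank lines and # comments are ignored."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def login_allowed(user: str, conf: Dict[str, Value], userlist: str) -> bool:
    """Apply the gates vsftpd checks at the USER command, in order."""
    anon = user in ("anonymous", "ftp")
    if anon and not conf["anonymous_enable"]:
        return False
    if not anon and not conf["local_enable"]:
        return False
    if conf["userlist_enable"]:
        listed = user in userlist_names(userlist)
        # userlist_deny=YES: the file is a blocklist; userlist_deny=NO: an allowlist.
        if listed == conf["userlist_deny"]:
            return False
    return True


def effective_modes(local_umask: str) -> Tuple[str, str]:
    """Modes an uploaded file (from 0666) and a new directory (from 0777) end up with."""
    mask = int(local_umask, 8)
    return format(0o666 & ~mask, "03o"), format(0o777 & ~mask, "03o")


if __name__ == "__main__":
    conf = parse_vsftpd(POST_CONF)
    for name in ("ftpuser", "alice", "anonymous"):
        print(name, "->", "allowed" if login_allowed(name, conf, POST_USERLIST) else "denied")
    print("modes under local_umask", conf["local_umask"], "->", effective_modes(conf["local_umask"]))
```

With the tutorial's settings only ftpuser is admitted; drop the userlist_deny=NO line and the result inverts, which is exactly what the comment in the tutorial is warning about.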

Article From:
NOOB2GEEK.com