webcp.hostinghacks.net/slackware | proftpd
PREREQUISITES: proftpd binary
The installation commands can be run from a Putty window in a "cut-and-paste" style layout or copied to a script. Notes on Putty best practices can be found here.
Set /etc/proftpd.conf:
cat > /etc/proftpd.conf << "EOF"
ServerName "Fat Penguin Hosting"
ServerType standalone
DefaultServer on
DefaultRoot ~
UseReverseDNS no
Port 21
Umask 022
MaxInstances 30
IdentLookups off
MaxLoginAttempts 3
ListOptions "-a"
TimeoutNoTransfer 900
TimeoutIdle 600
TimeoutLogin 300
AllowRetrieveRestart on
AllowStoreRestart on
User nobody
Group nogroup
<Global>
  AllowOverwrite yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
# Report localtime, not GMT
# TimesGMT off
EOF
chmod 644 /etc/proftpd.conf
Slackware doesn't provide a standalone init script. Create one here:
cat > /etc/rc.d/rc.proftpd << "EOF"
#!/bin/sh
# Start/stop/restart a daemon.
#
program_start() {
  if [ -x /usr/sbin/proftpd ]; then
    echo -n "Starting proftp daemon: "
    echo " /usr/sbin/proftpd"
    /usr/sbin/proftpd
  fi
}
program_stop() {
  echo "Stopping proftp daemon: "
  killall proftpd 2> /dev/null
}
# no need to adjust anything below:
program_restart() {
  program_stop
  sleep 1
  program_start
}
case "$1" in
  'start')
    program_start
    ;;
  'stop')
    program_stop
    ;;
  'restart')
    program_restart
    ;;
  *)
    echo "usage $0 start|stop|restart"
esac
EOF
chmod +x /etc/rc.d/rc.proftpd
echo "/etc/rc.d/rc.proftpd start" >> /etc/rc.d/rc.local
/etc/rc.d/rc.proftpd start
Web-cp assigns users a false shell so that they can't log into the system. In this scenario the following modification is needed for control panel compatibility:
echo "/bin/false" >> /etc/shells
cat > /etc/logrotate.d/proftpd << "EOF"
/var/log/xferlog {
    missingok
    notifempty
    postrotate
        /usr/bin/kill -HUP `cat /var/run/proftpd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
EOF
chmod 644 /etc/logrotate.d/proftpd
Mail FTP logs daily:
cat > /etc/cron.daily/watch.ftp.logs << "EOF"
#! /bin/sh
tail -100 /var/log/xferlog | mail -s "ftp transfers" servadmin@localhost
#
EOF
chmod +x /etc/cron.daily/watch.ftp.logs
/etc/cron.daily/watch.ftp.logs
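The cron job above mails the raw tail of /var/log/xferlog. As an added example (not part of the original page), here is a small Python summariser for the same xferlog format that a daily job could run instead; the log records are constructed samples, and the "outside home" check assumes users are jailed under /home/<user>/ by DefaultRoot ~ as configured above.

```python
from collections import Counter

# Constructed sample xferlog records (not from a real server). Field order:
# 5 timestamp tokens, xfer-secs, host, bytes, path, type, flag, direction,
# access-mode, user, service, auth-method, auth-id, completion-status.
SAMPLE_XFERLOG = """\
Mon Mar  1 10:02:11 2004 1 192.168.1.36 5120 /home/testftp/report.txt a _ o r testftp ftp 0 * c
Mon Mar  1 10:03:45 2004 2 192.168.1.36 40960 /home/testftp/upload.tar b _ i r testftp ftp 0 * c
Mon Mar  1 10:05:02 2004 0 10.9.8.7 0 /home/webuser/.htaccess b _ i r webuser ftp 0 * i
Mon Mar  1 10:06:30 2004 9 10.9.8.7 2048000 /home/webuser/site.zip b _ o r webuser ftp 0 * c
Mon Mar  1 10:07:12 2004 1 10.9.8.7 300 /var/www/htdocs/index.html b _ o r webuser ftp 0 * c
"""

FIELDS = ("xfer_time", "host", "size", "path", "type", "flag", "direction",
          "mode", "user", "service", "auth", "auth_id", "status")

def parse_xferlog_line(line):
    """Split one record into a dict. The timestamp is five tokens and the
    path is the only field that may contain spaces, so the fixed fields are
    taken from both ends and the path is whatever remains in the middle."""
    parts = line.split()
    if len(parts) < 5 + len(FIELDS):
        raise ValueError("short xferlog line: %r" % line)
    rec = {"time": " ".join(parts[:5])}
    rec.update(zip(FIELDS[:3], parts[5:8]))      # xfer_time, host, size
    rec["path"] = " ".join(parts[8:-9])
    rec.update(zip(FIELDS[4:], parts[-9:]))      # type .. status
    rec["size"] = int(rec["size"])
    return rec

def summarize(text):
    """Return (bytes uploaded per user, bytes downloaded per user, flagged
    records). Flags incomplete transfers and any path outside the user's
    home directory, which the DefaultRoot ~ jail should make impossible."""
    uploaded, downloaded, flagged = Counter(), Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_xferlog_line(line)
        if r["direction"] == "i":
            uploaded[r["user"]] += r["size"]
        elif r["direction"] == "o":
            downloaded[r["user"]] += r["size"]
        if r["status"] != "c":
            flagged.append(("incomplete", r["user"], r["path"]))
        if not r["path"].startswith("/home/%s/" % r["user"]):
            flagged.append(("outside home", r["user"], r["path"]))
    return uploaded, downloaded, flagged
```

A daily job would feed it the real log (`summarize(open("/var/log/xferlog").read())`) and mail the per-user totals plus the flagged list instead of the raw tail.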
ServerName "Fat Penguin Hosting" - This will be visible during login.
ServerType - The ServerType configuration directive is set to choose between one of two operating modes, inetd or standalone. inetd mode covers both inetd and xinetd. This directive is mandatory.
Umask 022 - Makes new directories and files with 755 permissions, which prevents them from being group and world writable. If you want group writable use: Umask 002.
<Global> - allow chmod and overwrites:
<Global>
  AllowOverwrite yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>
DefaultRoot ~ - Jail users into their home directories.
RequireValidShell no - There are two choices for false user login shells; see the note on '/bin/false' and '/sbin/nologin' under "Adding FTP users" below.
UseReverseDNS off
IdentLookups off
- time/bandwidth reducing options
MaxInstances 25 - prevents DoS attacks in standalone mode.
MaxLoginAttempts 3
LsDefaultOptions "-a"
TimeoutNoTransfer 900
TimeoutIdle 600
TimeoutLogin 300
AllowRetrieveRestart on
AllowStoreRestart on
- typical ftp settings
Adding FTP users:
When creating ftp users from the command line assign a false shell so that they can't log into the system as a shell user:
mkdir -p /home/testftp
useradd -s /bin/false -d /home/testftp -g ftp -c "ftp test user" -M testftp
chown -R testftp /home/testftp
passwd testftp
Note: you can't use the 'root' account to test ftp. It is always denied access. There are actually two choices for false logins: '/bin/false' and '/sbin/nologin'. '/sbin/nologin' will print a friendly (or not so friendly) message before denying a login session while '/bin/false' will simply eject the user.
inetd powered proftpd (alternative to the standalone daemon; this is the mode ServerType inetd in /etc/proftpd.conf selects):
mv /etc/inetd.conf /etc/inetd.conf.old
cat > /etc/inetd.conf << "EOF"
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  proftpd
# echo     stream  tcp  nowait  root    internal
# echo     dgram   udp  wait    root    internal
# discard  stream  tcp  nowait  root    internal
# discard  dgram   udp  wait    root    internal
# daytime  stream  tcp  nowait  root    internal
# daytime  dgram   udp  wait    root    internal
# chargen  stream  tcp  nowait  root    internal
# chargen  dgram   udp  wait    root    internal
# time     stream  tcp  nowait  root    internal
# time     dgram   udp  wait    root    internal
# telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
# comsat   dgram   udp  wait    root    /usr/sbin/tcpd  in.comsat
# imap2    stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
# finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd -u
# systat   stream  tcp  nowait  nobody  /usr/sbin/tcpd  /bin/ps -auwwx
# netstat  stream  tcp  nowait  root    /usr/sbin/tcpd  /bin/netstat -a
EOF
chmod 644 /etc/inetd.conf
/etc/rc.d/rc.inetd restart
nmap localhost
FTP Firewall Rules:
#!/bin/sh
iptables -F
# IP ADDRESS
NET=172.16.106.196
modprobe ip_conntrack_ftp
#---------------------------------------------------------------
# If a packet doesn't match, the policy is to drop it
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
#---------------------------------------------------------------
# LOOPBACK
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# FTP
#---------------------------------------------------------------
#INITIAL CONNECT
iptables -A INPUT -p tcp --dport 21 \
  -m state --state NEW -j LOG --log-level 7 --log-prefix "FTP CONNECT 21: "
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 \
  -m state --state NEW,ESTABLISHED -j ACCEPT
###--------------PASSIVE IN --------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j LOG --log-level 7 --log-prefix "PASV IN: "
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
###----------------PASV OUT--------------------
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j LOG --log-level 7 --log-prefix "PASV OUT: "
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#------------------ACTIVE------------------------------
# The server opens the active-mode data connection from its own port 20,
# so outbound packets carry --sport 20 and the client's replies --dport 20;
# the ACCEPT rules match the same direction as the LOG rules.
iptables -A INPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED \
  -j LOG --log-level 7 --log-prefix "FTP IN 20: "
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED \
  -j LOG --log-level 7 --log-prefix "FTP OUT 20: "
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
To use the above rules make sure that the ip_conntrack_ftp module is loaded:
lsmod
Module                  Size  Used by    Not tainted
ip_conntrack_ftp        5296   0  (unused)
ipt_LOG                 4152   7  (autoclean)
ipt_state               1048   8  (autoclean)
ip_conntrack           26976   2  (autoclean) [ip_conntrack_ftp ipt_state]
iptable_filter          2412   1  (autoclean)
ip_tables              15096   3  [ipt_LOG ipt_state iptable_filter]
The ip_conntrack_ftp module allows for stateful firewalling, which lets us track the state of an FTP connection and specify rules for it with the --state flag. You can permit packets that are part of an already established session with --state ESTABLISHED, or packets that are part of a new session based on an old one (as in the case of active FTP) with --state RELATED.
In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data. From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (client initiates connection)
- FTP server's port 21 to ports > 1024 (server responds to client's control port)
- FTP server's ports > 1024 from anywhere (client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (server sends ACKs (and data) to client's data port)
The ProFTPd PassivePorts directive:
PassivePorts restricts the range of ports from which the server will select when sent the PASV command from a client. The server will randomly choose a number from within the specified range until an open port is found.
The port range selected must be greater than or equal to 1024 and large enough to handle many connections (e.g. 49152-65534, the IANA-registered ephemeral port range).
ftpcount - shows the current number of connections.
ftpshut - shuts down all proftpd servers at a given time.
ftptop - displays running status on connections.
ftpwho - shows current process information for each session.
proftpd - the daemon itself.
If you get this error message:
root@serv1:~# /etc/rc.d/rc.proftpd start
Starting proftp daemon:  /usr/sbin/proftpd
 - getaddrinfo 'serv1' error: Name or service not known
 - warning: unable to determine IP address of 'serv1'
 - error: no valid servers configured
 - Fatal: error processing configuration file '/etc/proftpd.conf'
then make sure your hostname can resolve. ProFTPd seems to want the computer name to be a valid (meaning resolving in DNS) name. You can either change the hostname to something that resolves to your server, or add serv1 to your DNS or /etc/hosts file. See "man hostname" for details.
Using IE as an FTP client: Check 'Enable folder view' and 'Use Passive FTP' settings.
First telnet session (telnet 192.168.1.36 21):
230 User webuser logged in. Access restrictions apply.
TYPE I
200 Type set to I.
PASV
227 Entering Passive Mode (64,6,181,158,74,235)
NLST
In another telnet session:
telnet 64.6.181.158 19179 "425 Possible PASV port theft, cannot open data connection."
An FTP client issues a PORT command to the FTP server to define what port the client will be listening on for the data channel connection. The server then establishes a new TCP connection to the client using that TCP port value. Numerous PORT commands are issued during a single FTP session: a new data channel must be established to transfer directory listings and to perform file GET and PUT operations.
The PORT command looks like: PORT 192,168,0,3,4,15
To interpret and translate the value 4,15 into a port number, do a decimal to hex translation:
first number (4) translates to hex (0x04)
second number (15) translates to hex (0x0F)
Now take the entire set of hex bytes (0x040F) and translate them from hex to decimal (1039). (A hex converter is available at www.bpsoft.com.)
The port can also be worked out by multiplying the second to last number (4) by 256 and adding the last number (15) to that result: 4*256 + 15 = 1039
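As an added example (not part of the original page), a small Python helper that parses the h1,h2,h3,h4,p1,p2 tuple used by both the PORT command and the 227 PASV reply from the telnet test, computes the port exactly as worked out above, and applies the server-side sanity check (address must be the control connection's peer, port must be unprivileged) that is the active-mode counterpart of the "425 Possible PASV port theft" refusal. The check function and its rules are assumptions, not ProFTPD's own code.

```python
import re

# Hypothetical helper (not ProFTPD code): the six comma-separated bytes
# used by "PORT h1,h2,h3,h4,p1,p2" and "227 Entering Passive Mode (...)".
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (host, port) from a PORT command or a 227 reply.

    'PORT 192,168,0,3,4,15' -> ('192.168.0.3', 1039), because
    0x04 0x0F == 0x040F == 4*256 + 15; the 227 reply from the telnet
    test, (64,6,181,158,74,235), gives ('64.6.181.158', 19179).
    """
    m = _TUPLE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port

def check_port_command(cmd, control_peer):
    """Assumed server-side check for a client's PORT command.

    Accept only if the address is the peer of the control connection and
    the port is unprivileged (> 1023); a server that does not check this
    could be told to open data connections to arbitrary third parties.
    Returns (ok, reason).
    """
    try:
        host, port = parse_hostport(cmd)
    except ValueError as err:
        return False, str(err)
    if host != control_peer:
        return False, "PORT host %s != control peer %s" % (host, control_peer)
    if port < 1024:
        return False, "privileged data port %d" % port
    return True, "data connection to %s:%d" % (host, port)
```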
To subscribe to the proftp list: proftpd-users-request@proftpd.org
proftp compile: linux.cudeso.be/linuxdoc/proftp.php
castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Authentication.html
how lfs compiles proftp: lfs-proftpd