Can't chroot users in Proftpd 1.3.5b virtualhost

If none of the more specific forums is the right place to ask

Can't chroot users in Proftpd 1.3.5b virtualhost

Postby nasdeb » 2018-05-03 12:22

Hello everyone,


I'm trying to get some Proftpd (1.3.5b) virtualhost working for my system users, and it work well except for one thing:
I can't chroot users in virtualhosts, it works in the general section but if i put the option "DefaultRoot /path" in a virtualhost, it just let user in their home folder when they log in.

What i want to do is chroot my user in different directory for each different virtualhost ( example in vhost1 chroot my users in /home/public and in vhost2 chroot my users in /home/private )



An other thing i'm trying to do is to turn one of my virtualhost into FTPES (for security) but when i try to connect it just give me this message :
"220 ProFTPD 1.3.5b Server (Debian) [::ffff:IPv4 adresse]
AUTH TLS
500 command AUTH not understood"

Just in case this is not a firewall probleme as i have tested to turn IPtables totaly off and i still get the same message.



So if someone want to help me this is my proftpd.conf file :
Code: Select all
Include /etc/proftpd/modules.conf

UseIPv6            on
IdentLookups         off

ServerName         "Debian"
ServerType            standalone
DeferWelcome         off

MultilineRFC2228      on
DefaultServer         on
ShowSymlinks         on

TimeoutNoTransfer      600
TimeoutStalled         600
TimeoutIdle         1200

DisplayLogin                    welcome.msg
DisplayChdir                  .message true
ListOptions                   "-l"

DenyFilter         \*.*/



Port            21



<IfModule mod_dynmasq.c>
</IfModule>

MaxInstances         30

User            proftpd
Group            nogroup

Umask            022  022
AllowOverwrite         on




TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log



<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>






Include /etc/proftpd/conf.d/

<VirtualHost localhost>
Port 210
ServerName "localhost"
ServerIdent on "Vhost server"
PassivePorts 49152 65534
#MasqueradeAddress None
ServerAdmin Admin@example.org
Umask 022
TimesGMT off
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User nobody
Group nobody
DirFakeUser on nobody
DirFakeGroup on nobody
DefaultTransferMode binary
AllowForeignAddress off
DeleteAbortedStores off
AllowRetrieveRestart on
AllowStoreRestart on
TransferRate RETR 142
TransferRate STOR 142
TransferRate STOU 142
TransferRate APPE 142
RequireValidShell off
<IfModule mod_tls.c>
TLSEngine on
TLSEngine on
TLSVerifyClient off
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gadmin-proftpd/certs/cert.pem
TLSRSACertificateKeyFile /etc/gadmin-proftpd/certs/key.pem
TLSCACertificateFile /etc/gadmin-proftpd/certs/cacert.pem
TLSRenegotiate required off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>

<Limit LOGIN>
  DenyAll
</Limit>
</VirtualHost>


<VirtualHost localhost>
Port 2100
DefaultRoot /home
ServerName "localhost"
ServerIdent on "Vhost server"
PassivePorts 49152 65534
#MasqueradeAddress None
ServerAdmin Admin@example.org
Umask 022
TimesGMT off
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User nobody
Group nobody
DirFakeUser on nobody
DirFakeGroup on nobody
DefaultTransferMode binary
AllowForeignAddress off
DeleteAbortedStores off
AllowRetrieveRestart on
AllowStoreRestart on
TransferRate RETR 142
TransferRate STOR 142
TransferRate STOU 142
TransferRate APPE 142
RequireValidShell off
<IfModule mod_tls.c>
TLSEngine off
TLSRequired data
TLSVerifyClient off
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gadmin-proftpd/certs/cert.pem
TLSRSACertificateKeyFile /etc/gadmin-proftpd/certs/key.pem
TLSCACertificateFile /etc/gadmin-proftpd/certs/cacert.pem
TLSRenegotiate required off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>

<Limit LOGIN>
  DenyAll
</Limit>
</VirtualHost>


And this is my tls.conf file :
Code: Select all
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#

<IfModule mod_tls.c>
#TLSEngine                               on
#TLSLog                                  /var/log/proftpd/tls.log
#TLSProtocol                             SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#          -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
#
#TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
#TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
#
# CA the server trusts...
#TLSCACertificateFile           /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
#TLSOptions                      NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions                      AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient                         off
#
# Are clients required to use FTP over TLS when talking to this server?
#
#TLSRequired                             on
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate                          required off
</IfModule>
nasdeb
 
Posts: 5
Joined: 2018-04-16 21:28

Return to General Questions

Who is online

Users browsing this forum: No registered users and 7 guests

fashionable