I'm trying to get some Proftpd (1.3.5b) virtualhost working for my system users, and it work well except for one thing:
I can't chroot users in virtualhosts, it works in the general section but if i put the option "DefaultRoot /path" in a virtualhost, it just let user in their home folder when they log in.
What i want to do is chroot my user in different directory for each different virtualhost ( example in vhost1 chroot my users in /home/public and in vhost2 chroot my users in /home/private )
An other thing i'm trying to do is to turn one of my virtualhost into FTPES (for security) but when i try to connect it just give me this message :
"220 ProFTPD 1.3.5b Server (Debian) [::ffff:IPv4 adresse]
AUTH TLS
500 command AUTH not understood"
Just in case this is not a firewall probleme as i have tested to turn IPtables totaly off and i still get the same message.
So if someone want to help me this is my proftpd.conf file :
Code: Select all
Include /etc/proftpd/modules.conf
UseIPv6 on
IdentLookups off
ServerName "Debian"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
Port 21
<IfModule mod_dynmasq.c>
</IfModule>
MaxInstances 30
User proftpd
Group nogroup
Umask 022 022
AllowOverwrite on
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
Include /etc/proftpd/conf.d/
<VirtualHost localhost>
Port 210
ServerName "localhost"
ServerIdent on "Vhost server"
PassivePorts 49152 65534
#MasqueradeAddress None
ServerAdmin Admin@example.org
Umask 022
TimesGMT off
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User nobody
Group nobody
DirFakeUser on nobody
DirFakeGroup on nobody
DefaultTransferMode binary
AllowForeignAddress off
DeleteAbortedStores off
AllowRetrieveRestart on
AllowStoreRestart on
TransferRate RETR 142
TransferRate STOR 142
TransferRate STOU 142
TransferRate APPE 142
RequireValidShell off
<IfModule mod_tls.c>
TLSEngine on
TLSEngine on
TLSVerifyClient off
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gadmin-proftpd/certs/cert.pem
TLSRSACertificateKeyFile /etc/gadmin-proftpd/certs/key.pem
TLSCACertificateFile /etc/gadmin-proftpd/certs/cacert.pem
TLSRenegotiate required off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>
<Limit LOGIN>
DenyAll
</Limit>
</VirtualHost>
<VirtualHost localhost>
Port 2100
DefaultRoot /home
ServerName "localhost"
ServerIdent on "Vhost server"
PassivePorts 49152 65534
#MasqueradeAddress None
ServerAdmin Admin@example.org
Umask 022
TimesGMT off
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User nobody
Group nobody
DirFakeUser on nobody
DirFakeGroup on nobody
DefaultTransferMode binary
AllowForeignAddress off
DeleteAbortedStores off
AllowRetrieveRestart on
AllowStoreRestart on
TransferRate RETR 142
TransferRate STOR 142
TransferRate STOU 142
TransferRate APPE 142
RequireValidShell off
<IfModule mod_tls.c>
TLSEngine off
TLSRequired data
TLSVerifyClient off
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gadmin-proftpd/certs/cert.pem
TLSRSACertificateKeyFile /etc/gadmin-proftpd/certs/key.pem
TLSCACertificateFile /etc/gadmin-proftpd/certs/cacert.pem
TLSRenegotiate required off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>
<Limit LOGIN>
DenyAll
</Limit>
</VirtualHost>
Code: Select all
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_tls.c>
#TLSEngine on
#TLSLog /var/log/proftpd/tls.log
#TLSProtocol SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
# -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
# -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
#
#TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
#TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
#
# CA the server trusts...
#TLSCACertificateFile /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
#TLSOptions NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
#TLSRequired on
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate required off
</IfModule>