Can't chroot users in Proftpd 1.3.5b virtualhost

nasdeb
Posts: 5
Joined: 2018-04-16 21:28


#1 Post by nasdeb »

Hello everyone,

I'm trying to get some ProFTPD (1.3.5b) virtualhosts working for my system users, and it works well except for one thing:
I can't chroot users in virtualhosts. It works in the general section, but if I put the option "DefaultRoot /path" in a virtualhost, it just leaves users in their home folder when they log in.

What I want to do is chroot my users in a different directory for each virtualhost (for example, in vhost1 chroot my users in /home/public and in vhost2 chroot my users in /home/private).

Another thing I'm trying to do is to turn one of my virtualhosts into FTPES (for security), but when I try to connect it just gives me this message:
"220 ProFTPD 1.3.5b Server (Debian) [::ffff:IPv4 adresse]
AUTH TLS
500 command AUTH not understood"

Just in case: this is not a firewall problem, as I have tested turning iptables totally off and I still get the same message.

So if someone wants to help me, this is my proftpd.conf file:

Code:

Include /etc/proftpd/modules.conf

UseIPv6				on
IdentLookups			off

ServerName			"Debian"
ServerType				standalone
DeferWelcome			off

MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on

TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200

DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"

DenyFilter			\*.*/



Port				21



<IfModule mod_dynmasq.c>
</IfModule>

MaxInstances			30

User				proftpd
Group				nogroup

Umask				022  022
AllowOverwrite			on




TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log



<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>






Include /etc/proftpd/conf.d/

<VirtualHost localhost>
Port 210
ServerName "localhost"
ServerIdent on "Vhost server"
PassivePorts 49152 65534
#MasqueradeAddress None
ServerAdmin Admin@example.org
Umask 022
TimesGMT off
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User nobody
Group nobody
DirFakeUser on nobody
DirFakeGroup on nobody
DefaultTransferMode binary
AllowForeignAddress off
DeleteAbortedStores off
AllowRetrieveRestart on
AllowStoreRestart on
TransferRate RETR 142
TransferRate STOR 142
TransferRate STOU 142
TransferRate APPE 142
RequireValidShell off
<IfModule mod_tls.c>
TLSEngine on
TLSEngine on
TLSVerifyClient off
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gadmin-proftpd/certs/cert.pem
TLSRSACertificateKeyFile /etc/gadmin-proftpd/certs/key.pem
TLSCACertificateFile /etc/gadmin-proftpd/certs/cacert.pem
TLSRenegotiate required off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>

<Limit LOGIN>
  DenyAll
</Limit>
</VirtualHost>


<VirtualHost localhost>
Port 2100
DefaultRoot /home
ServerName "localhost"
ServerIdent on "Vhost server"
PassivePorts 49152 65534
#MasqueradeAddress None
ServerAdmin Admin@example.org
Umask 022
TimesGMT off
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User nobody
Group nobody
DirFakeUser on nobody
DirFakeGroup on nobody
DefaultTransferMode binary
AllowForeignAddress off
DeleteAbortedStores off
AllowRetrieveRestart on
AllowStoreRestart on
TransferRate RETR 142
TransferRate STOR 142
TransferRate STOU 142
TransferRate APPE 142
RequireValidShell off
<IfModule mod_tls.c>
TLSEngine off
TLSRequired data
TLSVerifyClient off
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gadmin-proftpd/certs/cert.pem
TLSRSACertificateKeyFile /etc/gadmin-proftpd/certs/key.pem
TLSCACertificateFile /etc/gadmin-proftpd/certs/cacert.pem
TLSRenegotiate required off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>

<Limit LOGIN>
  DenyAll
</Limit>
</VirtualHost>

And this is my tls.conf file:

Code:

#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#

<IfModule mod_tls.c>
#TLSEngine                               on
#TLSLog                                  /var/log/proftpd/tls.log
#TLSProtocol                             SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using 
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#          -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key 
# chmod 0640 /etc/ssl/private/proftpd.key
# 
#TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
#TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
#
# CA the server trusts...
#TLSCACertificateFile 			 /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
#TLSOptions                      NoCertRequest EnableDiags 
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions 							AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient                         off
#
# Are clients required to use FTP over TLS when talking to this server?
#
#TLSRequired                             on
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate                          required off
</IfModule>
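As an added example for this thread (not code from the original post or from the ProFTPD project), the following Python script parses a proftpd.conf and reports, for each <VirtualHost>, the settings that decide whether logins are chrooted (DefaultRoot in that context) and whether AUTH TLS can succeed (TLSEngine on in that same server context, with TLSRequired covering the control channel), plus <Limit LOGIN> DenyAll blocks and directives set more than once. It assumes that directives in the main server context are not inherited by virtual hosts (ProFTPD inherits only from a <Global> block, which the parser does not model) and that within one context the last occurrence of a directive wins. The embedded configuration is constructed for the example and only loosely modelled on the shape of the posted file.

```python
"""Audit a ProFTPD configuration for per-<VirtualHost> chroot and mod_tls settings.
Example code for this thread, not part of ProFTPD.  Assumptions: main-context
directives are not inherited by <VirtualHost>, <Global> is not modelled, and
within a context the last occurrence of a directive wins."""
import re
from dataclasses import dataclass, field

# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = """\
ServerName "Debian"
Port 21

<VirtualHost localhost>
Port 210
<IfModule mod_tls.c>
TLSEngine on
TLSEngine on
</IfModule>
<Limit LOGIN>
  DenyAll
</Limit>
</VirtualHost>

<VirtualHost localhost>
Port 2100
DefaultRoot /home
<IfModule mod_tls.c>
TLSEngine off
TLSRequired data
</IfModule>
</VirtualHost>

# This virtual host passes every check below.
<VirtualHost 192.0.2.10>
Port 2121
DefaultRoot ~
<IfModule mod_tls.c>
TLSEngine on
TLSRequired on
TLSProtocol TLSv1.2 TLSv1.3
</IfModule>
</VirtualHost>
"""


@dataclass
class ServerContext:
    name: str
    directives: dict = field(default_factory=dict)  # lower-cased name -> last value
    duplicates: list = field(default_factory=list)  # names set more than once
    login_denyall: bool = False                    # <Limit LOGIN> contains DenyAll


def parse_contexts(text):
    """Return [main context, one context per <VirtualHost>].
    <IfModule> and similar wrappers are transparent; <Limit ...> is tracked
    only to detect DenyAll applied to LOGIN."""
    contexts = [ServerContext("main server")]
    current = contexts[0]
    limit_stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if m := re.match(r"<VirtualHost\s+(\S+)>", line, re.I):
            current = ServerContext(f"VirtualHost {m.group(1)}")
            contexts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = contexts[0]
        elif m := re.match(r"<Limit\s+([^>]+)>", line, re.I):
            limit_stack.append(m.group(1).upper())
        elif re.match(r"</Limit>", line, re.I):
            limit_stack.pop()
        elif line.startswith("<"):
            continue  # other section tags are transparent for this audit
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
            if limit_stack:  # inside <Limit ...>: only DenyAll on LOGIN matters here
                if key.lower() == "denyall" and any("LOGIN" in l for l in limit_stack):
                    current.login_denyall = True
                continue
            if key.lower() in current.directives and key not in current.duplicates:
                current.duplicates.append(key)
            current.directives[key.lower()] = value
    return contexts


def audit(contexts):
    """Return human-readable findings for every <VirtualHost> context."""
    findings = []
    for ctx in contexts[1:]:
        d = ctx.directives
        where = f"{ctx.name} (Port {d.get('port', '21')})"
        if "defaultroot" not in d:
            findings.append(f"{where}: no DefaultRoot, so logins are not chrooted")
        if d.get("tlsengine", "off").lower() != "on":
            findings.append(f"{where}: TLSEngine is not 'on' here, so AUTH TLS is refused")
        elif d.get("tlsrequired", "off").lower() in ("off", "data"):
            findings.append(f"{where}: TLSRequired {d.get('tlsrequired', 'off')} leaves "
                            "the control channel (credentials) unencrypted")
        if ctx.login_denyall:
            findings.append(f"{where}: <Limit LOGIN> DenyAll rejects every login")
        for name in ctx.duplicates:
            findings.append(f"{where}: {name} is set more than once, last value wins")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_contexts(SAMPLE_CONF)):
        print(finding)
```

To run it against a real file, pass the file contents to parse_contexts(); `proftpd -t -c /etc/proftpd/proftpd.conf` remains the authoritative syntax check, and this script only highlights the per-virtualhost settings worth comparing when chroot or AUTH TLS does not behave as expected.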
