4

I have compile version of proftpd 1.3.4d with ftp, ftps, sftp and mysql authentication.
So far I can have working at the same time on port 210: ftp and ftpes and on port 211 the sftp. 

ServerName                      "ProFTPD self contained package"
ServerType                      inetd
Port                            211
UseIPv6                         off
Umask                           022
User                    nobody
Group                   nobody
allowOverwrite          on
SystemLog                       none

<Limit SITE_CHMOD>
  DenyAll
</Limit>

<Global>
DefaultRoot ~
</Global>

<VirtualHost 0.0.0.0>
       Port 210
       SQLUserWhereClause              " (allowed = 'both' OR allowed = 'ftp') "
</VirtualHost>

<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
        SFTPEngine on
        SFTPLog  none
        Port 211
        SFTPHostKey /etc/ssh/ssh_host_dsa_key
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPAuthorizedUserKeys file:../etc/ssh/authorized_keys
        SQLUserWhereClause              " (allowed = 'both' OR allowed = 'sftp') "
        SFTPCompression delayed
        MaxLoginAttempts 6
  </VirtualHost>
</IfModule>

<IfModule mod_dso.c>
    LoadModule mod_tls.c
</IfModule>

<IfModule mod_tls.c>    
    TLSEngine on
    TLSLog /usr/local/proftpd/var/log/etls.log
    TLSRequired on
    TLSRSACertificateFile /usr/local/proftpd/etc/proftpd.cert.pem
    TLSRSACertificateKeyFile /usr/local/proftpd/etc/proftpd.key.pem
    TLSVerifyClient off
    TLSRenegotiate none
    TLSProtocol SSLv3 TLSv1
</IfModule>

This is working what I want to do no wis adding a VirtualHost like this: 

<VirtualHost 0.0.0.0>
       Port 214
       TLSOptions UseImplicitSSL
</VirtualHost>

To have a virtual host accepting only ftps when I try the new virtual host it just does not work at all and ftp ftpes and ftps does almost work but can't finish authentication.

My question here is first do you have comment on my config (but that is optional).
No the real question is

Is what I'm trying to achieve possible and if possible how ?

Castaglia
  • 3,239
  • 3
  • 19
  • 40
Kiwy
  • 162
  • 2
  • 17

1 Answers1

5

It's possible and here's my config file: 

#-----------------------------------------------------------------------
# Server Configuration: those parameters cannot be elsewhere
#-----------------------------------------------------------------------
ServerName                          "ftp daemon"
ServerType                          inetd
UseIPv6                             off

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
        DenyAll
</Limit>

SystemLog                           none
LogFormat                           authentication "%{%F %T}t %P  from: %a to: %{protocol}:%H:%p  user: %U       msg: %S"
LogFormat                           transfer       "%{%F %T}t %P  from: %a to: %{protocol}:%H:%p  user: %U       file: %f        cmd: %m %J"

ScoreboardFile                      /local/proftpd/var/proftpd.scoreboard


TLSProtocol                         SSLv3 TLSv1

<Global>
    #-----------------------------------------------------------------------
    # Generic Configuration
    #-----------------------------------------------------------------------
    DefaultRoot                         ~
    Umask                               022
    allowOverwrite                      on
    User                                nobody
    Group                               nobody
    ExtendedLog                         /var/log/proftpd_auth.log AUTH,EXIT,SEC authentication
    ExtendedLog                         /var/log/proftpd_xfer.log READ,WRITE transfer
    AuthOrder                           mod_sql.c mod_auth_unix.c mod_auth_pam.c

    #-----------------------------------------------------------------------
    # TLS Configuration
    #-----------------------------------------------------------------------
    TLSEngine                                               off
    TLSRSACertificateFile           /usr/local/proftpd/etc/proftpd.cert.pem
    TLSRSACertificateKeyFile        /usr/local/proftpd/etc/proftpd.key.pem
    TLSLog                                                  none
    TLSVerifyClient                                 off
    TLSRenegotiate                                  none
    TLSRequired                                     off
</Global>

# -----------------------------------------------------------------------------
#    __ _              __   __ _         _____ _____                    __
#   / _| |            / /  / _| |       |  ___/  ___|                  / _|
#  | |_| |_ _ __     / /  | |_| |_ _ __ | |__ \ `--.    ___ ___  _ __ | |_
#  |  _| __| '_ \   / /   |  _| __| '_ \|  __| `--. \  / __/ _ \| '_ \|  _|
#  | | | |_| |_) | / /    | | | |_| |_) | |___/\__/ / | (_| (_) | | | | |
#  |_|  \__| .__/ /_/     |_|  \__| .__/\____/\____/   \___\___/|_| |_|_|
#          | |                    | |
#          |_|                    |_|
# -----------------------------------------------------------------------------
<VirtualHost 0.0.0.0>
    Port                                    210
    TLSEngine                               on
</VirtualHost>

# -----------------------------------------------------------------------------
#    __ _         _____                    __
#   / _| |       /  ___|                  / _|
#  | |_| |_ _ __ \ `--.    ___ ___  _ __ | |_
#  |  _| __| '_ \ `--. \  / __/ _ \| '_ \|  _|
#  | | | |_| |_) /\__/ / | (_| (_) | | | | |
#  |_|  \__| .__/\____/   \___\___/|_| |_|_|
#          | |
#          |_|
# -----------------------------------------------------------------------------
<VirtualHost 0.0.0.0>
    Port                                    214
    TLSEngine                               on
    TLSOptions                              UseImplicitSSL
</VirtualHost>

# -----------------------------------------------------------------------------
#   _____  __ _                            __
#  /  ___|/ _| |                          / _|
#  \ `--.| |_| |_ _ __     ___ ___  _ __ | |_
#   `--. \  _| __| '_ \   / __/ _ \| '_ \|  _|
#  /\__/ / | | |_| |_) | | (_| (_) | | | | |
#  \____/|_|  \__| .__/   \___\___/|_| |_|_|
#                | |
#                |_|
# -----------------------------------------------------------------------------
<IfModule mod_sftp.c>
    <VirtualHost 0.0.0.0>
        Port                                    211
        SFTPEngine                              on
        SFTPLog                                 none
        SFTPHostKey                     /etc/ssh/ssh_host_dsa_key
        SFTPHostKey                     /etc/ssh/ssh_host_rsa_key
        SFTPAuthorizedUserKeys  file:../etc/ssh/authorized_keys
        SFTPCompression                 delayed
        MaxLoginAttempts                6
    </VirtualHost>
</IfModule>
Kiwy
  • 162
  • 2
  • 17
  • 1
    config works, except I additionally needed a `Port 0` in the main config – defim Sep 13 '17 at 10:13
  • might be possible but if I'm not mistaken, there's no TCP port 0. Might come from the inetd deamon evolving – Kiwy Sep 14 '17 at 08:56
  • `Port 0` disables that server (main config or virtual host), also helped me. Source: [official documentation](http://www.proftpd.org/docs/directives/linked/config_ref_Port.html) – rbs Mar 05 '19 at 14:44
  • I'm glad it helped you, it took me a while to figure out all that. it was a long time ago though. – Kiwy Mar 05 '19 at 15:13