The steps below detail installing proftpd on a UNIX host. Once installed, the daemon is configured with SSL (to encrypt the ftp session) and additionally set up with a chroot jail ability, which can lock users into a specified directory. The steps herein will detail compiling the program from source, and additionally will provide the binaries (for AIX 5.3) for download.
HTTP Resources Used (helpful if planning on using the IBM cc compiler and/or IBM linker)
Pre-requisites
- GCC 4.0+
- openssl (RPM or bpp)
- gnu make
- proftpd source files (downloaded from: http://www.proftpd.org/ ) Version 1.3.4a was available at the time of writing this how-to.
- user/group creation of ftpd
Compiling Procedure
Once the source file tarball has been downloaded (proftpd-x.x.xx.tar.gz) it needs to be gunzipped and extracted from the tarball. Additionally, the steps differ slightly if using the IBM cc compiler and IBM linker. The steps here use the GNU gcc compiler and linker, and then GNU make. In this example I’ll use /opt/myproftpd as the prefix, and we are changing the default user/group to ftpd.
mkdir -p /tmp/proftpd
cd /tmp/proftpd
gunzip -c /tmp/proftpd-1.3.4a.tar.gz | tar -xvf -
cd proftpd-1.3.4a
mkdir /opt/myproftpd
env CC=gcc LDFLAGS='-Wl,-static,-rpath,/usr/lib,-rpath,/lib,-rpath,/usr/local/lib' install_user=ftpd install_group=ftpd ./configure \
  --prefix=/opt/myproftpd \
  --disable-ident \
  --with-modules=mod_tls \
  --with-libraries=/usr/lib:/lib
/opt/freeware/bin/make check      (to test whether the make will be successful)
/opt/freeware/bin/make
/opt/freeware/bin/make install    (creates all of the files/directories in the prefix dir)
Compiling Tip:
- --enable-dso \ # CAUSES ERRORS with COMPILATION
- --with-includes=/usr/include/openssl:/usr/include \ # This forces compilation to "prefer" the version of openssl which is currently installed
SSL Configuration
Once the program has been compiled, validate that it has support for TLS with the following command:
./proftpd -l
Look for the line containing mod_tls.c. If it is present, the compile procedure successfully built TLS/SSL functionality into the program, and you can now create the SSL configuration.
mkdir /opt/myproftpd/keys
cd /opt/myproftpd/keys
openssl genrsa -out my-ftps.key 2048                       (choose a pass phrase)
openssl rsa -in my-ftps.key -out my-ftps.key.pem           (same pass phrase)
openssl req -new -x509 -days 365 -key my-ftps.key -out my-ftps.crt   (enter the pass phrase)
  Country Name             : CA
  State or Province        : ON
  Locality Name            : Toronto
  Organization Name        : your_company_here
  Organizational Unit Name : your_dept_here
  Common Name              : Your hostname
  Email Address            : root@hostname
Proftpd Configuration File
Edit etc/proftpd.conf and save the following information in it.
#**********************#
# Server configuration #
#**********************#
# Replace with the proper hostname of the machine
ServerName n225
ExtendedLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/proftpd.log
# May need to comment out the existing User/Group lines and replace them
User ftpd
Group ftpd
RootLogin off
TimeoutNoTransfer 600
TimeoutLogin 300
TimeoutIdle 600
TimeoutStalled 120
TimeoutSession 28800
# Uncomment to chroot each user into their home directory
#DefaultRoot ~
MaxInstances 20
MaxClientsPerHost 10
# Increases performance
UseReverseDNS off
# We will use virtual users, so the ftpusers file is not checked
UseFtpUsers off
AllowOverwrite on
ServerIdent off
IdentLookups off
AccessGrantMsg "Welcome %u on SSL Test server"
# Display after login
#DisplayLogin welcome.msg
#### Fix for syslog error: fopen ##
AuthPAM off
#*******************#
# SSL Configuration #
#*******************#
# SSL is active
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
# Only SSL connections are allowed
TLSRequired yes
TLSRSACertificateFile /opt/myproftpd/keys/my-ftps.crt
TLSRSACertificateKeyFile /opt/myproftpd/keys/my-ftps.key.pem
TLSCACertificateFile /opt/myproftpd/keys/my-ftps.crt
TLSVerifyClient off
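The two checks above (the mod_tls.c line in the proftpd -l output, and the TLS/chroot directives in proftpd.conf) can be scripted. This is an added example and not part of the original how-to or of proftpd itself; the directive names are those used in the configuration above, and the sample config it audits is constructed.

```shell
#!/bin/sh
# Added example (not from the original how-to): sanity-check a proftpd build and
# its proftpd.conf for the TLS and chroot settings configured on this page.

# True if the module list printed by "proftpd -l" includes mod_tls.c.
has_mod_tls() {  # has_mod_tls "<output of proftpd -l>"
    printf '%s\n' "$1" | grep -q 'mod_tls\.c'
}

# Print the first value of a directive, ignoring comment lines.
conf_get() {  # conf_get <conf-file> <Directive>
    awk -v d="$2" '$1 !~ /^#/ && $1 == d { print $2; exit }' "$1"
}

# Print one finding per weak or missing setting; return 1 if any were found.
audit_proftpd_conf() {  # audit_proftpd_conf <conf-file>
    f=$1; rc=0
    [ "$(conf_get "$f" TLSEngine)" = "on" ] || { echo "TLSEngine is not on"; rc=1; }
    case "$(conf_get "$f" TLSRequired)" in
        on|yes) ;;  # only TLS-protected sessions are accepted
        *) echo "TLSRequired is not on: plaintext logins would be accepted"; rc=1 ;;
    esac
    [ "$(conf_get "$f" RootLogin)" = "off" ] || { echo "RootLogin is not off"; rc=1; }
    case "$(conf_get "$f" User)" in
        ""|root) echo "User is missing or root: daemon would run as root"; rc=1 ;;
    esac
    [ -n "$(conf_get "$f" DefaultRoot)" ] || { echo "DefaultRoot unset: users are not chrooted"; rc=1; }
    key=$(conf_get "$f" TLSRSACertificateKeyFile)
    [ -n "$key" ] || { echo "TLSRSACertificateKeyFile is missing"; rc=1; }
    return $rc
}

# Constructed sample mirroring the config above, with DefaultRoot still commented out.
tmp=$(mktemp); cat >"$tmp" <<'EOF'
ServerName n225
User ftpd
Group ftpd
RootLogin off
#DefaultRoot ~
TLSEngine on
TLSRequired yes
TLSRSACertificateKeyFile /opt/myproftpd/keys/my-ftps.key.pem
EOF
if audit_proftpd_conf "$tmp"; then echo "config ok"; else echo "config needs attention"; fi
rm -f "$tmp"
```

On the real host, run it as has_mod_tls "$(/opt/myproftpd/sbin/proftpd -l)" and audit_proftpd_conf /opt/myproftpd/etc/proftpd.conf.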
Launch program for validation
Launch the program:
/opt/myproftpd/sbin/proftpd -c /opt/myproftpd/etc/proftpd.conf
Also, by default this program will use port 21. If you require a different port, then change it in the etc/proftpd.conf file (or the alternate configuration file if one is used). Once the program is running, you can run tcpdump, then start an ftp session and upload a file. Afterwards, stop the tcpdump session and look at the file with less to validate that the session was encrypted.
- Launch tcpdump
tcpdump -i en0 -w /tmp/en0 -s 1500 tcp port 21
- Launch an ftp client using SSL (FileZilla will use it as ftpes://hostname). Upon attempting a connection, you should get prompted to view and accept the supplied SSL certificate. It will then use your login credentials. For testing, upload a text file to the server, then log out.
- Stop tcpdump (hit Ctrl-c) and view the file
less /tmp/en0
The only text visible should be the initial connection, a STARTTLS command, and the identifying information from the certificate (as listed above).
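The "look at the file with less" step above can be turned into a repeatable check. This added example is not from the original how-to: it reads the text that tcpdump -r /tmp/en0 -A prints (assumed layout: a packet's payload bytes follow its header bytes on the same line, with line breaks coming from the CRLF that ends each FTP command) and reports whether any FTP command crossed the wire readable; the sample dump below is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify from a capture that the
# session upgraded to TLS and that no FTP command was readable on the wire.

# Print "auth_tls=<0|1> clear_cmds=<n>" for a text dump produced by
# "tcpdump -r <capture> -A". n counts USER/PASS/STOR/RETR commands that were
# readable; after a successful AUTH TLS they are ciphertext and do not match.
ftps_capture_summary() {  # ftps_capture_summary <dumpfile>
    awk '
        /AUTH TLS/ { auth = 1 }
        /^(USER|PASS|STOR|RETR) [^ ]/ || /[^A-Za-z](USER|PASS|STOR|RETR) [^ ]/ { clear++ }
        END { printf "auth_tls=%d clear_cmds=%d\n", auth, clear }
    ' "$1"
}

# Succeed only if AUTH TLS was seen and no command was readable.
capture_is_encrypted() {  # capture_is_encrypted <dumpfile>
    [ "$(ftps_capture_summary "$1")" = "auth_tls=1 clear_cmds=0" ]
}

# Constructed sample of an FTPES session as "tcpdump -A" would show it:
# the AUTH TLS exchange is readable, the login that follows is not.
dump=$(mktemp); cat >"$dump" <<'EOF'
12:00:01.000000 IP 10.0.0.9.50000 > 10.0.0.5.21: Flags [P.], length 10
E..2..@.@.....AUTH TLS
12:00:01.010000 IP 10.0.0.5.21 > 10.0.0.9.50000: Flags [P.], length 25
E..A..@.@.....234 AUTH TLS successful
12:00:01.050000 IP 10.0.0.9.50000 > 10.0.0.5.21: Flags [P.], length 180
E.....@.@......z.W..w..C..P.....
EOF
if capture_is_encrypted "$dump"; then echo "session encrypted"; else echo "CLEARTEXT commands seen"; fi
rm -f "$dump"
```

On the real capture: tcpdump -r /tmp/en0 -A > /tmp/en0.txt && capture_is_encrypted /tmp/en0.txt.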
GOTCHA
As it stands now, the ftp daemon works in either "stand-alone mode" or "inetd service mode". If you wish to run it as part of inetd or xinetd then a line has to be changed in the proftpd.conf file, and the ftp daemon restarted. In the case of xinetd, a configuration needs to be created first.
xinetd Config File
In /etc/xinetd.d, create a file “proftpd” with the following information:
service ftp
{
    disable     = no
    flags       = REUSE
    socket_type = stream
    wait        = no
    user        = root
    server      = /opt/myproftpd/sbin/proftpd
    server_args = -c /opt/myproftpd/etc/proftpd.conf
}
Additionally, to combat DDoS you should limit the number of attempted connections to 30 (or less). If proftpd runs in standalone mode, just add MaxInstances 30 to the configuration file proftpd.conf. However, if the ServerType is inetd then proftpd is launched by xinetd, so instead you should edit your /etc/xinetd.conf file and ensure the following is in there:
default
{
instances = 60
cps = 25 30
}
includedir /etc/xinetd.d
Known Issues
I have found with this install that, if a chroot is used, errors will show up in the syslog.
- Error #1:
auth|security:err|error proftpd: PAM: syslog: fopen on /dev/null failed, errno 21
This error is generated upon closing the ftp connection.
- Error #2:
error setting listen fd IP_TOS: Invalid argument
This error occurs every time after a file is uploaded to the ftp server.