The following was for installation on an SGI O2 running IRIX but should work on most UNIX systems will very little change.

Why Use ProFTPD Also refer to Setting up a multiple IP address interface on an SGI O2 under IRIX 6.5.x for obtaining and configuring the separate IP addresses required for virtual FTP servers to function. The ProFTPD FTP server is a free, open source program for UNIX that is built on a "secure" model and also has a configuration similar to the Apache webserver. It has a lot of options that make it very flexible and enables the administrator to keep control of what is going on. This is expecially so for chrooted areas. While security problems have been encountered in the past (this is not unique to ProFTPD as alerts have been placed on programs such as wuftpd and the standard ftpd have all had alerts on them) but ProFTPD is quick on getting fixes out. ProFTPD Contact: hamster@vom.tm WEB SITE UNIX GPL'd Open Source FTP Server Deamon Original at http://www.proftpd.net UK Mirror 1 ProFTPD Contact: hamster@vom.tm FTP SITE UNIX GPL'd Open Source FTP Server Deamon Original at ftp://ftp.proftpd.org/ CCP14 UK Web Mirror | CCP14 UK FTP Mirror Download: at ftp://ftp.proftpd.org/distrib/ Download: CCP14 UK Web Mirror | Download: CCP14 FTP Mirror

Where to get ProFTPD ProFTPD is obtainable as source code or RPMs: http://www.proftpd.net. Latest version of ProFTPD is presently obtained via: http://www.proftpd.net/download.html. At this time (4th April 2003) ProFTPD 1.2.8 was the latest version: ftp://ftp.proftpd.net/distrib/ ftp://ftp.linux.co.uk/pub/packages/proftpd/distrib/source/ ftp://ftp.nutt.net.au/pub/proftpd/distrib/source/ http://programming.ccp14.ac.uk/ftp-mirror/programming/proftpd/distrib/ ftp://ftp.ccp14.ac.uk/ccp14/ftp-mirror/programming/proftpd/distrib/source/

Latest pre-distribution versions of ProFTPD is also obtainable via the Proftpd CVS system (and CVS images also obtained via tar.gz files): CVS Howto and FAQ: http://www.proftpd.net/cvs.html CCP14 Tutorial on compiling the GNU CVS Client software Tar.gz distribution of the daily CVS: ftp://ftp.linuxceptional.com/proftpd/ Tar.gz distribution of the daily CVS: ftp://ftp.stikman.com/pub/proftpd/ Side issue: PureFTPD (rival to Proftpd ftp daemon deamon) At http://pureftpd.sourceforge.net/ PureFTPD Readme : http://pureftpd.sourceforge.net/README

Also Refer ProFTPD FAQ: http://hamster.wibble.org/proftpd/proftpdfaq.html. Project to put GUI Control over ProFTPD: http://fara.cs.uni-potsdam.de/~tfromm/kproftpd/ ProFTPD module: "mod_wrap, which uses TCP wrappers, and allows for per-user hosts.allow and hosts.deny files": http://rad.geology.washington.edu/~tj/proftpd/

Compiling and Installing ProFTPD This assumes you have CC or GCC compiled. Be wary that the GCC compiler on IRIX 6.5.x can cause strange behaviour with internet style applications and it is better to use the native CC compilers you can get for IRIX from SGI. For compiling GCC, refer to Compiling the GNU GCC/G++ C compiler for information on how to do this. With a decent workstation, this should not be a problem and the ./configure programs should be able to detect make compiling a relatively trivial application. (At this time (4th April 2003) ProFTPD 1.2.8 was the latest version) Extract the ProFTPD distribution file using the command gzip -d < proftpd-1.2.8.tar.gz | tar xvof - Change directory into the proftpd-1.2.8 directory. (if on an SGI - enforce the use of "cc" by going into bash shell and doing env CC=cc ./configure) (if on an SGI and using the September 2000 CVS versions to fix the PASV bug (but to get a successful compile) - go into bash shell and doing env CC=cc ./configure --disable-sendfile) ((if on an SGI and using the August 2001 CVS versions to fix the Permissions bug (but to get a successful compile) - go into bash shell and doing env CC=cc ./configure --disable-sendfile)) Run the ./configure program (it should detect your system and set things up OK) If you have trouble with sed commands inside the configure file, find out which group used by root (e.g., sys) and set the environment variable install_group to sys. Type make to compile ProFTPD Type make install to copy the general executables into the /usr/local/sbin and the configuration proftpd.conf file into /usr/local/etc/. Normally you would have to be the systems administrator.

Setting up/Configuring ProFTPD Basically, the way I did this was lots of trial and error, reading the on-line documentation and trying again. After an hour or 5 (I was not in that big a rush), I was there (but very happy with the result - the standard ftpd is much harder to set up in a secure fashion). The following example should make it easier to install. The default is to install the /usr/local/etc/proftpd.conf file as read only. So you have to a chmod +w proftpd.conf to be able to edit the file. Then after finishing editing the file, do a chmod -w proftpd.conf to make it read-only. Note that proftpd is using the list of names in the /etc/ftpusers file to block access. # Use use the /etc/ftpusers file to deny logins and use the DenyAll UseFtpUsers On To allow FTP Secure Shell tunnelling, create special IP address Virtual domains (where anonymous logings are not allowed) with AllowForeignAddress on where users can log in via Secure Shell tunnelling. This is not something to enable on an IP address that allows anonymous logins. Also refer to: Secure FTP transfers via Secure Shell Tunnelling ProFTPD Documentation: http://www.proftpd.net/docs/index.html Configuration directives: http://www.proftpd.net/docs/configuration.html Frequently Asked Questions (Frequently Asked Questions): http://www.proftpd.net/docs/proftpdfaq.html Frequently Asked Questions (Single html file): http://www.proftpd.net/docs/proftpdfaq-full.html CVS Howto and FAQ: http://www.proftpd.net/docs/cvs.html CCP14 Tutorial on compiling the GNU CVS Client software User guide (draft): http://hamster.wibble.org/proftpd/proftpd_userguide.html Also Refer ProFTPD FAQ: http://hamster.wibble.org/proftpd/proftpdfaq.html. Also Refer ProFTPD BOOK (draft): http://hamster.wibble.org/proftpd/book1.html. If you have problems getting directory listings after logging onto a server with Proftpd, refer to "PassivePorts" at : http://www.proftpd.org/docs/directives/linked/config_ref_PassivePorts.html. Also refer to How the FTP protocol Challenges Firewall Security : http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html. Information on placing ProFTPD behind a NAT : http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-NAT.txt.

Something to be aware of with allow/deny in proftpd vs apache Resent-From: proftpd@tos.net Reply-To: proftpd@tos.net X-Mailing-List: [proftpd@proftpd.net] archive/latest/929 X-Loop: proftpd@proftpd.net Resent-Sender: proftpd-request@tos.net On Thu, Sep 30, 1999 at 07:55:37PM -0700, Jeremy Chadwick wrote: > On Fri, Oct 01, 1999 at 02:00:24AM +0200, th+lists99@coodex.de wrote: > > I just noticed that - IIRC - the default access policy when using > > "order" with ProFTPd is different from that with Apache: > > > > With ProFTPd, "order allow,deny" grants access by default and "order > > deny,access" denies access by default. > > With Apache it's just the other way! > > I posted this ~1 week ago. > > Apache is backwards. I say this because the "Apache way" doesn't > apply logically to doing anything network-oriented, primarily > firewalling rules. You don't put your deny statements before > your allows; it just doesn't make sense, period. > > It'd be silly to change the method ProFTPD, and it'd be silly > to change the order in Apache, especially since both are so > far along the development line. "If it ain't broke, don't fix > it." You hit the nail on the head. I come from a rather rigorous network (read: Cisco) background, and had always found the Apache "way" to be rather backwards; thus the difference you see in proftpd. -- "I am Dyslexic of Borg. Prepare to have your ass laminated." -- To unsubscribe, send mail to proftpd-request@proftpd.net with "unsubscribe" in the subject field of the message.

ProFTPD Configuration file # This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody" and "ftp" for normal operation and anon. # 23rd September 1999 - start hacking away on this - Lachlan Cranswick # The main server is restricted to authorized users - the other IP/address # virtual servers for anonymous access. ServerName "CCP14 Restricted User Area - Authorised Users Only" ServerType standalone # If there is no explicite virtual server defined for the IP # address, then the connection will be refused. DefaultServer off # Only advertise FTP on desired IP addresses # SocketBindTight on # Bind 193.61.32.164 #Undocumented features # ServerIdent off # DisplayConnect /path/to/banner # RootLogin on # AllowForeignAddress on # If Slow DNS return lookups # UseReverseDNS off # IdentLookups off # The address the server will report as being the admin ServerAdmin ccp14@ccp14.ac.uk # Port 21 is the standard FTP port. Port 21 # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 022 SystemLog /web_logs/proftpd/ftp_logins TransferLog /web_logs/proftpd/xferlog LogFormat default "%h %l %u %t \"%r\" %s %b" # Display .files when doing a directory listing # LsDefaultOptions "-a" # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 100 # Set the user and group that the server normally runs at. User nobody Group nobody # Normally, we want files to be overwriteable. # <Directory /*> # AllowOverwrite on # </Directory> # Use use the /etc/ftpusers file to deny logins and use the DenyAll UseFtpUsers On # Jail logins to their user areas. Means if you want to copy some # root files off, they will first have to be manually copied to a # The following line would chroot users but not the root account. # Bad form to log in via FTP as root. # DefaultRoot ~ users,!root # relevant user area <Global> #UseReverseDNS off #IdentLookups off DefaultRoot ~ DenyFilter '%' DenyFilter \*.*/ PassivePorts 49152 65534 # PassivePorts 6001 6007 # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 022 # CDPath /etc # CDPath /usr/local # AccessGrantMsg "Guest access granted for %u." # DeferWelcome on </Global> # DisplayConnect /ftp/.msg.connect # DisplayGoAway /ftp/.msg.goaway # <Anonymous /ftp/> # DisplayLogin /.msg.login # DisplayQuit /.msg.bye # Also big timeout for the restricted user server mainly for doing webwork TimeoutNoTransfer 600 TimeoutIdle 600 # Was Limited to allow logins to www.ccp14.ac.uk from dl.ac.uk, ccp14.ac.uk iucr.ac.uk and other domains # Change this to force upload via cerebus.ccp14.ac.uk and ccp14dev.ccp14.ac.uk virtual domains <Limit LOGIN> DenyAll </Limit> # Anonymous upload area for CCP14 - debian.ccp14.ac.uk www.ccp14.ac.uk <VirtualHost 193.61.32.164> MaxClientsPerHost 6 "Sorry, you may not connect more than four times" <Limit LOGIN> DenyAll </Limit> <Anonymous /web_disc/ccp14/web_area/web_live> # chrooted Mirror user account for mirroring. Can only copy # from the mirror user at /web_disc/ccp14/web_area/web_live (~mirror) User mirror Group user AnonRequirePassword on MaxClientsPerHost 5 "Sorry, you may not connect more than five times" #only enable ability to get into the mirror area for mirroring from trusted hosts # Limit from dl.ac.uk, ccp14.ac.uk iucr.ac.uk and others "named" domains # AllowUser mirror <Limit LOGIN> Order Allow,Deny Allow from .dl.ac.uk Allow from .minerals.csiro.au Allow from .u-aizu.ac.jp Allow from .cryst.bbk.ac.uk Deny from all </Limit> <Limit WRITE> DenyAll </Limit> </Anonymous> <Anonymous /home/ccp14/ftp_incoming> # chrooted area for uploading files for CCP14 with CCP14 as the owner User ccp14 Group dlccp14a UserAlias ftp ccp14 AuthAliasOnly on RequireValidShell off MaxClientsPerHost 5 "Sorry, you may not connect more than five times" # People uploading have to know to use ftp. # UserAlias anonymous ftp <Limit LOGIN> AllowAll </Limit> <Directory *> <Limit STOR CWD MKD> AllowAll </Limit> <Limit READ RMD DELE RNFR RNTO> DenyAll </Limit> </Directory> </Anonymous> </VirtualHost> <VirtualHost 193.61.32.162> ServerName "CCP14 Crystallographic Software Anonymous FTP Area - ftp.ccp14.ac.uk" # TimeoutNoTransfer 600 # TimeoutIdle 600 # UseReverseDNS off # IdentLookups off MaxClientsPerHost 4 "Sorry, you may not connect more than four times" <Limit LOGIN> DenyAll </Limit> <Anonymous /web_disc/ccp14/web_area/web_live/ccp> #Get symbolic links to work - will try with a later version of ProFTPD ShowSymlinks On # CDPath /web_disc/ccp14/web_area # CDPath /web_disc/ccp14/web_area User ftp Group ftp RequireValidShell off HideGroup xrdguest # HideNoAccess /web_disc/ccp14/web_area/web_live/web-mirrors MaxClientsPerHost 5 "Sorry, you may not connect more than five times" # Must be put in a <limit> box for this to work. # IgnoreHidden on # We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp <Limit LOGIN> AllowAll </Limit> MaxClients 80 DirFakeGroup On DirFakeUser On DisplayLogin welcome.msg DisplayFirstChdir .message AllowOverwrite off TransferLog /web_logs/proftpd/anonxferlog_proftpd <Limit WRITE> DenyAll </Limit> </Anonymous> </VirtualHost> <VirtualHost 193.61.32.163> ServerName "Redhat Mirror via Anonymous FTP from the CCP14 Project site - redhat.ccp14.ac.uk" # TimeoutNoTransfer 600 # TimeoutIdle 600 # UseReverseDNS off # IdentLookups off MaxClientsPerHost 5 "Sorry, you may not connect more than five times" <Limit LOGIN> DenyAll </Limit> <Anonymous /web_disc/ccp14/web_area/redhat> User ftp Group ftp RequireValidShell off MaxClientsPerHost 5 "Sorry, you may not connect more than five times" # We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp <Limit LOGIN> AllowAll </Limit> # ShowSymlinks On DirFakeGroup On DirFakeUser On MaxClients 20 DisplayLogin welcome.msg DisplayFirstChdir .message AllowOverwrite off TransferLog /web_logs/proftpd/anonxferlog_proftpd <Limit WRITE> DenyAll </Limit> </Anonymous> </VirtualHost> # Old debian config at dl.ac.uk - rem with new change at Birkbeck college #<VirtualHost 193.61.32.164> # ServerName "Debian Mirror via Anonymous FTP from the CCP14 Project site - debian.ccp14.ac.uk" ## TimeoutNoTransfer 600 ## TimeoutIdle 600 ## UseReverseDNS off ## IdentLookups off # MaxClientsPerHost 5 "Sorry, you may not connect more than five times" # <Limit LOGIN> # DenyAll # </Limit> # <Anonymous /web_disc/ccp14/web_area/debian> # User ftp # Group ftp # RequireValidShell off # MaxClientsPerHost 5 "Sorry, you may not connect more than five times" # # We want clients to be able to login with "anonymous" as well as "ftp" # UserAlias anonymous ftp # <Limit LOGIN> # AllowAll # </Limit> ## ShowSymlinks On # DirFakeGroup On # DirFakeUser On # MaxClients 20 # DisplayLogin welcome.msg # DisplayFirstChdir .message # AllowOverwrite off # TransferLog /web_logs/proftpd/anonxferlog_proftpd # <Limit WRITE> # DenyAll # </Limit> # </Anonymous> #</VirtualHost> <VirtualHost 193.61.32.165> ServerName "FreeBSD Mirror via Anonymous FTP from the CCP14 Project site - freebsd.ccp14.ac.uk" # TimeoutNoTransfer 600 # TimeoutIdle 600 # UseReverseDNS off # IdentLookups off MaxClientsPerHost 5 "Sorry, you may not connect more than five times" <Limit LOGIN> DenyAll </Limit> <Anonymous /web_disc/ccp14/web_area/freebsdftp> # ShowSymlinks On User ftp Group ftp RequireValidShell off MaxClientsPerHost 5 "Sorry, you may not connect more than five times" # We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp <Limit LOGIN> AllowAll </Limit> DirFakeGroup On DirFakeUser On MaxClients 20 DisplayLogin welcome.msg DisplayFirstChdir .message AllowOverwrite off TransferLog /web_logs/proftpd/anonxferlog_proftpd <Limit WRITE> DenyAll </Limit> </Anonymous> </VirtualHost> <VirtualHost 193.61.32.166> ServerName "CCP14 Restricted Upload FTP server - unauthorized access forbidden - cerebus.ccp14.ac.uk" # TimeoutNoTransfer 6600 # TimeoutIdle 6600 # IdentLookups on RequireValidShell on AllowForeignAddress on DefaultRoot ~ # Normally, we want users to be able to overwrite their own files <Directory /*> AllowOverwrite on </Directory> <Limit LOGIN> Order Allow,Deny Allow 127.0.0.1 Allow 148.666.666.666 Allow .blah.com Allow .blah.net Deny from All </Limit> <Limit LOGIN> Order Allow,Deny AllowUser balh AllowUser blah2 DenyAll </Limit> <Limit LOGIN> Order Allow,Deny AllowGroup groupblah AllowGroup groupguest DenyAll </Limit> </VirtualHost> <VirtualHost 193.61.32.167> ServerName "CCP14 Developers FTP server - unauthorized access forbidden - ccp14dev.ccp14.ac.uk" # TimeoutNoTransfer 6600 # TimeoutIdle 6600 # IdentLookups on RequireValidShell off AllowForeignAddress on DefaultRoot ~ # Normally, we want users to be able to overwrite their own files <Directory /*> AllowOverwrite on </Directory> <Limit LOGIN> Order Allow,Deny AllowGroup ccp14dv DenyAll </Limit> #<Limit LOGIN> # Order Allow,Deny # Allow from .jp # Allow from .fr # Allow from .uk # Deny from All #</Limit> #<Limit LOGIN> #Order Allow,deny #AllowUser balh1,blah2 #AllowGroup group1,group2 #</Limit> </VirtualHost> <VirtualHost 193.61.35.93> ServerName "dldata for Blah" # TimeoutNoTransfer 6600 # TimeoutIdle 6600 # IdentLookups on RequireValidShell off AllowForeignAddress on DefaultRoot ~ # Normally, we want users to be able to overwrite their own files <Directory /*> AllowOverwrite on </Directory> <Limit LOGIN> Order Allow,Deny Allow from .cryst.bbk.ac.uk Deny from All </Limit> <Limit LOGIN> Order Allow,deny AllowUser user2 AllowGroup groupuser,group2 </Limit> <Anonymous /web_disc/jacques/dldata> # chrooted area for uploading files for CCP14 with CCP14 as the owner User dluser Group dlccp14a # UserAlias dl # AuthAliasOnly on RequireValidShell off MaxClientsPerHost 5 "Sorry, you may not connect more than five times" # People uploading have to know to use ftp. # UserAlias anonymous ftp <Limit LOGIN> AllowAll </Limit> <Directory *> <Limit READ CWD> AllowAll </Limit> <Limit STOR MKD RMD DELE RNFR RNTO> DenyAll </Limit> </Directory> </Anonymous> </VirtualHost>

Manually starting and stopping ProFTPD To stop ProFTPD, as root type killall proftpd To start ProFTPD (and thus have it use a fresh /usr/local/etc/proftpd.conf type /usr/local/sbin/proftpd Automatic Startup of ProFTPD on Boot The work for automatic startup is pretty much identical to installing the Apache webserver.

What can be said, whatever family that IRIX UNIX comes from, it sucks and it is no wonder Bill Gates is a billionaire selling Windows. Putting something to automatically start up is not that trivial and following is a possibly dodgy implementation. Basically, it seems it is commond just to copy the lpd deamon script the /etc/init.d directory (which then has a link put to it from the /etc/rc2.d directory). Then edit in Proftpd, and edit out LPD. Thus as root go into the /etc/init.d directory and copy the relevant file; In this case on the CCP14 Server; cp bsdlpr proftpd. Make sure it is exectuable (chmod +x proftpd). Change the script so you pretty much get something like the following (start-script.txt). Then type ln -s /etc/init.d/proftpd /etc/rc2.d/S63proftpd (giving the link a number after the LPR deamon showing the order it will be started up in) Then (still as root), type cp /etc/config/bsdlpr /etc/config/proftpd Then type ln -s /etc/config/proftpd /var/config/proftpd In theory, /etc/chkconfig can then be used to check on the status of things. If httpd does not appear by typing chkconfig, try chkconfig httpd on (Summary of all of this, next killer apps for UNIX will be "c:\config.sys" and "c:\autoexec.bat") Though FreeBSD UNIX is a more civilised option. PS: If you wish to have proftpd started under initd, the following is more appropriate "Then I changed the line in /etc/inetd.conf from: ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a To: ftp stream tcp nowait root /usr/sbin/tcpd in.proftpd"

ftpshut Date: Thu, 28 Oct 1999 08:29:12 -0400 (EDT) From: "Andrew C. Ohnstad" [andy@andysaudio.com] To: proftpd@proftpd.net Subject: Re: Autostart/stop ftp Just delete the file /etc/shtumsg when you want the server to start back up. =-=Andrew "Traveling At The Speed of Thought" --- Teenage FanClub On Thu, 28 Oct 1999, Saunders, Shawn wrote: > We would like to setup Proftpd to automatically shutdown when we do backups > (with messaging to clients that FTP will not be available for while) and > then restart after the backup is complete. > > Now it appears that we have a utility called ftpshut that will do the > shutdown part nicely. Any suggestions on the startbackup procedure? Or is > there a utility or facility I have missed. > > Shawn Saunders

Investigating the possibility of Allowing users to change passwords themselves via FTP only accounts Refer: http://www.proftpd.org/proftpd-l-archive/00-10/msg00032.html UserPassword: http://www.proftpd.net/docs/configuration.html#UserPassword GroupPassword: http://www.proftpd.net/docs/configuration.html#GroupPassword Possible way to have users be able to change their password?: http://www.proftpd.org/proftpd-l-archive/00-12/msg00051.html Possible way to have users be able to change their password?: http://www.proftpd.org/proftpd-l-archive/00-04/msg00101.html Possible way to have users be able to change their password?: http://www.proftpd.org/proftpd-l-archive/00-02/msg00276.html Re: [ProFTPD] DefaultRoot configuration and security... To: proftpd@proftpd.net Subject: Re: [ProFTPD] DefaultRoot configuration and security... From: Jean-Marc Monnez [monnez.jean-marc@agora.msa.fr] Date: Mon, 04 Dec 2000 10:00:25 +0100 Organization: AGORA38 I am new on this list, and for my first posting I say hello to all of you. I use proftpd on AIX, and for users I want to be jailed to their home dirs, these users have to give a password. They wont have to telnet on a shell, but they need to be able to change this password, so I replaced for these users the usual /usr/bin/ksh in /etc/password by the command /usr/bin/passwd. It works fine, and this way the only thing they may try with telnet is change their password. HTH. Regards. -- JMM Robert Sweet wrote : > I found the list archive, I now have the users jailed to > their home directories. What is the best way to strip them > of shell access? I have read that shell /bin/false is not > the way to do it...? Can someone point me in a direction to > find the info or help me out. I am setting up ftp access to > our internet server for clients to upload files to. These > clients only need ftp access. Is the best way to create a > user on the system or can it all be done through proftpd? > tia. > > -- > rsweet@socal.rr.com | The revolution will not be > -o) | televised. > Linux, the Choice /\ | > of a GNU generation _\_v | > | To: proftpd@proftpd.net Subject: Re: [ProFTPD] Is it possible ? From: Michael Grabenstein [mgrabens@popd.isinet.com] Date: Fri, 07 Apr 2000 09:29:43 -0400 Irwan Hadi wrote: > First of all I want to thank you for your reply, but my question is what is > the meaning of "the same format ?" > so I make a list of > username:password::::/homedir/ > how about the password ? can it be encrypted or not ? > if it *can* be encrypted, with which tool should I encrypt it then. > Yes that would be the format... I use Perl to encrypt the password, or if you already have a /etc/passwd to start with, then just copy it... An alternative easy way to do this is to encrypt a password and keep the encrypted version around. Like Change your password to 'ABC123' then as you create users in the alternate passwd file, paste the encrypted form of that password into the new logon entry. And instruct the new user to change their password as soon as they first FTP to the system, or change it for them via FTP and give them the new password. :-) BTW: once you have the encrypted version of 'ABC123' feel free to change your password back. :-) Attached is a simple Perl script that will encrypt a plain text password sent to it... Mark, please feel free to add this to the FAQ. TIA. I don't believe proftp has a way of using plain text passwords in the password file, but Mark can correct me if I am wrong. :-) Later, Mike #--- Start Cut after this line #!/usr/bin/perl use Getopt::Std; use vars qw($opt_h $opt_p $opt_s); getopt ("hp:s:"); my ($salt); if ( (defined($opt_h)) || (! defined($opt_p)) ) { print "Usage: $0 -hps\n"; print "\t-h -- This Usage message\n"; print "\t-p <password> -- The password to encrypt\n"; print "\t-s <salt> -- The salt to use, optional\n\n"; exit (166); } if ($opt_s =~ /(\w+)/) { $salt = $1; } else { $chr = chr(int(rand(26)+65)); $salt = $chr; $chr = chr(int(rand(26)+97)); $salt .= $chr; } print crypt($opt_p, $salt) . "\n"; exit (0); # -- Stop here. Don't get the signature at the bottom... To: proftpd@proftpd.net Subject: Re: [ProFTPD] Allowing FTP, but denying telnet From: Justin Shore [listuser@vinnie.ksu.ksu.edu] Date: Tue, 15 Feb 2000 13:36:46 -0600 If you setup ProFTPd to require a valid login shell, it parses /etc/shell to see if user X's shell is among that list. If it is then it considers them to have a valid shell. If its not, than you'll have to list it. /etc/shells is a plain text file with the full path to a given shell on each line. I'd also recommend using /bin/false. Do you want the user to be able to change his password? If so, then there's another trick that's been used alot. Make his shell /bin/passwd. Then whenever he telnets in he's instantly given the prompt to change his password. This would only allow them access to change their password. I would highly recommend using ssh if you're going to do that though (as a matter of fact, use ssh only. Trash telnet). Again, /bin/passwd would have to be listed in /etc/shells if you told ProFTPd to require a valid shell (I can't remember the directive off the top of my head). HTH Justin At 6:57 PM +0000 2/15/00, James Lewis wrote: >How can I easily add a user, then allow them ftp access, but deny them telnet > >(I've tried changing their login shell to /dev/null but this also >denies them FTP) > >Many thanks > >-- >To unsubscribe, send mail to proftpd-request@proftpd.net with "unsubscribe" >in the subject field of the message. > >Please read the documentation and the FAQ before posting a question -- chances >are it's already been answered. > >http://www.proftpd.net -- The Official ProFTPD web site. >http://bugs.proftpd.net -- Bug reporting and feature requests. >http://www.proftpd.net/docs/ -- The latest ProFTPD documentation and FAQ. -- Justin Shore K-State Linux Distro Mirror, Sysadmin macdaddy@vinnie.ksu.ksu.edu http://vinnie.ksu.ksu.edu/mirror/rpm2html ftp://vinnie.ksu.ksu.edu/pub/mirror/linux

Changing Passwords on behalf of Users (Proftpd can use alternative password files) From: "Sebastian Wolfgarten" [sebastian@wolfgarten.com] To: [proftpd@proftpd.net] Subject: AW: [ProFTPD] Help with updating passwords for users Date: Fri, 20 Oct 2000 21:55:16 +0200 Hi Mike, take a look at your proftp.conf file. In SuSE Linux it's proftpd.conf in /etc/. Make "locate proftpd.conf" to see where it's really at...Open this file with your favourite editor "joe proftpd.conf" for example and there should be a section with "AuthUserFile" and "AuthGroupFile". In this files you will find the users with their passwords. If it is not in use (means it has an "#" before it) then maybe you use a sql database to revalidate the users...you must make an update to the database then. Hhhm, if you use "authuserfile" then just type in the shell "passwd username" to change the user's password. If you need more assistence just write me a mail...maybe post parts of your proftpd.conf Bye Sebastian, nexxium interactive gmbh www.nexxium.de

Time Stamp Problems with ProFTPD Date: Fri, 20 Oct 2000 19:28:23 -0400 From: John Morrissey [jwm@moe.horde.net] To: proftpd@proftpd.net Subject: Re: [ProFTPD] Time stamp problems On Fri, Oct 20, 2000 at 03:57:11PM -0500, Michael Tucker wrote: % Note the difference in the apparent time stamp. It appears to be off by 5 % hours, which (I believe) is our offset from GMT here in Houston, Texas. % % The ftp server knows what time it is, though. I include the time in the % login message, and it's correct. % % I'm running 1.2 (the CVS version from about August 15) on Solaris 8. I % haven't noticed any other problems. Somewhere along the line, proftpd was changed to display times in GMT; say 'TimesGMT off' in your proftpd.conf to display file times in your local time zone. john

Creating Custom Password files Contributions: ftpasswd updated as of 2001-01-09 http://rad.geology.washington.edu/~tj/proftpd/ usage: ftpasswd [ -h ] [ --group | --passwd ] If used with --passwd, ftpasswd creates a file in the passwd(5) format, suitable for use with proftpd's AuthUserFile configuration directive. You will be prompted for the password to use of the user, which will be encrypted, and written out as the encrypted string.

Limiting Uploads with ProFTPD Date: Tue, 28 Sep 1999 16:27:19 -0400 (EDT) From: Noah [sitz@onastick.net] cc: proftpd@tos.net Subject: Re: [ProFTPD] Limit disk space and amount of connections On Tue, 28 Sep 1999, Drew Skinner wrote: > Quota's on user upload capabilities are specified at the system level. Run > a man page on quota then enable quota against the ufs/xfs file system. or yo an use proftpd's mod_quota: ftp://pooh.urbanrage.com/pub/c/mod_quota.c --noah

PHP/CGI Script for ftpwho? Date: Wed, 6 Jun 2001 19:32:16 -0700 (Pacific Daylight Time) From: Vince LaMonica [vjl@cullasaja.com] To: [proftpd-users@proftpd.org] Subject: Re: [Proftpd-user] PHP/CGI Script for ftpwho? On Wed, 6 Jun 2001, h3rb wrote: } Is there a php/cgi script that will display the results for ftpwho? Like } who's connected. What they are uploading/downloading. Their bandwidth, or } percent completed? Would this be hard to write? I am by no means a Well, a *very* simplicitic solution would be to use the passthru() function: <?php passthru(ftpwho); ?> I'd inclose the above in a formated part of the page. The above "code" simply passes the output of the ftpwho command to the w3 page. You can get much fancier like having the page auto-update [simple HTML via meta-refresh]. HTH, /vjl/

Host.allow/host.deny when running ProFTPD in inetd mode - not the case here From: "MacGyver" [macgyver@tos.net] To: [proftpd@tos.net] Subject: RE: [ProFTPD] Listening on only one interface Date: Tue, 5 Oct 1999 03:18:06 -0500 roftpd-request@tos.net > > IMO, it's not ProFTPD's place to handle the inetd scenario. > > Then, DefaultServer has to be on by default when running in inetd mode as > stock inetd binds to all interfaces - and ProFTPd serves only the primary > one without using DefaultServer. > Nope. > > You can use tcp_wrappers to accomplish what you're looking for. > > Not really, as always the primary hostname (and not the FQDN of > the specific > interface a client connects to) is displayed in the welcome message. I > thought about ipchains-filtering away all ports 21 other than the > ftp.foobar.com interface, but this doesn't solve this problem > (besides: this > is a real hack). > Nope. Simply put, in /etc/hosts.allow: in.proftpd@pick.your.virtual.host: ALL: twist /usr/sbin/in.proftpd -c pick.your.virtual.host.proftpd.conf Done. Simple, efficient, and works. Use a different conf file for each virtual host. This will accomplish what you're looking to do.

ProFTPD INIT Script Date: Tue, 5 Oct 1999 11:22:35 +0100 (BST) From: Mark Lowes [Hamster@wibble.org] Resent-From: proftpd@tos.net The entity claiming to be Daniel Roesen wrote... > Anyone written this yet? Perhaps this should be included in the tarball... Something which might be of use is the script I knocked up for use here. I'm sure someone will tell me it can be done more gracefully :) Mark #!/bin/sh # # ProFTPD init script # # stop and start do exactly what they say # buildconfig - Creates config and tests (using configtest patch) # reconfig - rolls a new config into place and restarts the server # PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin VAR=/var/run/proftpd NAME=proftpd DESC=Proftpd # # # function buildconfig() { echo "Creating new config and testing" echo "" cd /var/conf/ftp ./rc.ftp.pl if [ -f /etc/proftpd.conf.new ] then proftpd --configtest -c /etc/proftpd.conf.new fi } # # # function reconfig() { if [ -f /etc/proftpd.conf.new ] then echo "Installing new config and reloading server" echo "" cd /etc/ mv proftpd.conf proftpd.conf.old mv proftpd.conf.new proftpd.conf echo "new proftp.conf loaded" fi } # # Find proftpd pid # cd $VAR for i in proftpd-* do pid=`echo $i | sed "s/proftpd\-//"` if [ -d /proc/$pid/ ] then if [ "`cat /proc/$pid/cmdline | sed -e 's/ .*//'` eq 'proftpd'" ] then MasterPid=$pid echo "Master PID == $MasterPid" fi fi done case "$1" in start) echo -n "Starting $DESC: " reconfig /usr/local/sbin/proftpd echo "Done" ;; stop) echo -n "Stopping $DESC: " killall proftpd echo "Done" ;; reconfig|reload) echo -n "Reconfiguring $DESC " reconfig kill -HUP $MasterPid echo "Done" ;; buildconf|buildconfig) echo -n "Building config for $DESC " buildconfig ;; restart) echo -n "Restarting $DESC: " kill -HUP $MasterPid echo "Done" ;; *) N=/etc/rc.d/init.d/$NAME # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2 echo "Usage: $N {start|stop|restart|reconfig|reload}" >&2 exit 1 ;; esac exit 0

Another ProFTPD INIT Script #!/bin/sh # # Startup script for ProFTPD # # chkconfig: 345 85 15 # description: ProFTPD is a highly configurable ftp daemon for unix # and unix-like operating systems HTML files and CGI. # processname: proftpd # config: /etc/proftp.conf # Source function library. . /etc/rc.d/init.d/functions # See how we were called. case "$1" in start) echo -n "Starting proftpd: " daemon proftpd echo touch /var/lock/subsys/proftpd ;; stop) echo -n "Shutting down proftpd: " killproc proftpd echo rm -f /var/lock/subsys/proftpd ;; status) status proftpd ;; restart) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|status|restart}" exit 1 esac exit 0

Another, Another ProFTPD INIT Script - SysV-Init-Script (RedHat 6.0) proftpd.init.d #!/bin/sh # # Startup script for ProFTPd # # chkconfig: 345 85 15 # description: ProFTPD is an enhanced FTP server with \ # a focus toward simplicity, security, and ease of configuration. \ # It features a very Apache-like configuration syntax, \ # and a highly customizable server infrastructure, \ # including support for multiple 'virtual' FTP servers, \ # anonymous FTP, and permission-based directory visibility. # processname: proftpd # config: /etc/proftp.conf # # By: Osman Elliyasa # $Id: proftpd,v 1.9 1999/10/03 17:25:02 root Exp $ # Source function library. . /etc/rc.d/init.d/functions FTPSHUT=/opt/sbin/ftpshut # See how we were called. case "$1" in start) echo -n "Starting proftpd: " if [ -x ~ftp-master/bin/advert.sh ]; then echo -n "Adverts " su - ftp-master -c "bin/advert.sh fifo" fi $0 resume daemon proftpd echo touch /var/lock/subsys/proftpd ;; stop) echo -n "Shutting down proftpd: " if [ -x ~ftp-master/bin/advert.sh ]; then echo -n "Adverts " su - ftp-master -c "bin/advert.sh kfifo" fi $0 suspend killproc proftpd echo rm -f /var/lock/subsys/proftpd ;; status) status proftpd ;; restart) $0 stop $0 start ;; reread) echo -n "Re-reading proftpd config: " killproc proftpd -HUP echo ;; suspend) if [ -f $FTPSHUT ]; then if [ $# -gt 1 ]; then shift echo -n "Suspending with '$*' " $FTPSHUT $* else echo -n "Suspending NOW " $FTPSHUT now "Maintanance in progress" fi else echo -n "No way to suspend " fi echo ;; resume) if [ -f /etc/shutmsg ]; then echo -n "Allowing sessions again " rm -f /etc/shutmsg else echo -n "Was not suspended " fi echo ;; *) echo -n "Usage: $0 {start|stop|restart|status|reread|resume" if [ "$FTPSHUT" = "" ]; then echo "}" else echo "|suspend}" echo "suspend accepts additional arguments which are passed to ftpshut(8)" fi exit 1 esac if [ $# -gt 1 ]; then shift $0 $* fi exit 0

I very need Syntax, Context, and Defaults for some undocumented config directives: Module: ratio Ratios UserRatio GroupRatio AnonRatio HostRatio Module: auth LoginPasswordPrompt DefaultChdir UserDirRoot Module: core DisplayQuit DisplayGoAway CommandBufferSize AllowFilter DenyFilter DefaultTransferMode Class Classes Module: ls ShowDotFiles Module: pam AuthPAMAuthoritative PAMConfig Module: readme DisplayReadme Module: sample FooBarDirective What is modules: mod_tar, mod_test? Best regards, Anton mailto:fenix@stl.ru

Hampster's ProFTPD conf file ServerName "Frostbite FTPserver" #ServerType inetd ServerType standalone DeferWelcome on Port 21 Umask 002 User ftp Group ftp TransferLog /var/spool/syslog/proftpd/xferlog.legacy DefaultRoot /ftp/ftp.linux.co.uk TimeoutLogin 120 TimeoutIdle 600 TimeoutNoTransfer 900 TimeoutStalled 3600 ScoreboardPath /var/run/proftpd LogFormat default "%h %l %u %t \"%r\" %s %b" LogFormat auth "%v [%P] %h %t \"%r\" %s" LogFormat write "%h %l %u %t \"%r\" %s %b" UseReverseDNS off <Global> DisplayLogin welcome.msg DisplayFirstChdir readme AllowOverwrite yes AccessGrantMsg "Welcome to Tux's kingdom oh chilly %u" DisplayConnect /ftp/ftp.linux.co.uk/login.msg # # Turn off Ident lookups # IdentLookups off # # file/dir access ExtendedLog /var/spool/syslog/proftpd/access.log WRITE,READ write # Log logins ExtendedLog /var/spool/syslog/proftpd/auth.log AUTH auth # Log absolutely every f*cking thing ExtendedLog /var/spool/syslog/proftpd/fascist.log ALL default ServerIdent on "Linux.co.uk server" </Global> <Limit LOGIN> DenyAll </Limit> # ---------------------------------------------------- # ftp.linux.co.uk ("Linux.co.uk FTP Archive") # Contact : zathras@linux.co.uk # <VirtualHost 195.200.4.15> ServerAdmin zathras@linux.co.uk ServerName "Linux.co.uk FTP Archive" TransferLog /var/spool/syslog/xfer/ftp.linux.co.uk MaxLoginAttempts 3 RequireValidShell no DefaultRoot /ftp/ftp.linux.co.uk User linux Group linux AllowOverwrite yes DefaultServer yes DefaultChdir /ftp/ftp.linux.co.uk/mirrors LoginPasswordPrompt off DisplayReadme README #DisplayLogin welcome.msg <Anonymous /ftp/ftp.linux.co.uk> User ftp Group ftp UserAlias anonymous ftp RequireValidShell no MaxClients 20 AccessGrantMsg "Welcome to Tux's kingdom oh chilly anonymous user" <Directory pub/incoming/*> <Limit ALL> DenyAll </Limit> </Directory> <Directory pub/ftech/*> <Limit ALL> Order Deny,Allow Allow 212.32.5.0/26 Allow 212.32.4.0/24 Allow 212.32.17.0/24 </Limit> </Directory> <Directory pub/incoming/*> <Limit STOR> AllowAll </Limit> <Limit WRITE DIRS READ> DenyAll </Limit> <Limit CWD XCWD CDUP> AllowAll </Limit> </Directory> </Anonymous> <Limit ALL> AllowUser linux DenyAll </Limit> </VirtualHost> Another Example Config file ############ My proftpd.conf: ServerType standalone User nobody Group nobody MaxInstances 30 TimeoutStalled 300 AllowRetrieveRestart on AllowStoreRestart on AuthAliasOnly on CommandBufferSize 20 DefaultRoot ~/ftpd DefaultServer on DeferWelcome on SystemLog /var/log/ftpd/proftpd.log ExtendedLog /var/log/ftpd/auth.log AUTH auth ExtendedLog /var/log/ftpd/access.log READ,WRITE write ExtendedLog /var/log/ftpd/all.log ALL TransferLog /var/log/ftpd/xfer.log SyslogLevel debug HiddenStor on LogFormat auth %v [%P] %h %t "%r" %s" LogFormat default "%h %l %u %t "%r" %s %b" LogFormat write "%h %l %u %t "%r" %s %b" MaxClients 5 MaxClientsPerHost 3 PathDenyFilter "(.ftpaccess)|(.htaccess)$" Port 21 Umask 022 <Directory /*> AllowOverwrite on </Directory> UserAlias anonymous karel <Anonymous /var/ftpd> User karel Group karel AuthAliasOnly on MaxClients 10 RequireValidShell no AllowRetrieveRestart on AllowStoreRestart on <Directory *> <Limit WRITE> DenyAll </Limit> </Directory> <Directory upload> <Limit READ WRITE> DenyAll </Limit> <Limit STOR> AllowAll </Limit> </Directory> </Anonymous> <Limit LOGIN> AllowAll </Limit> <Global> AllowOverwrite off #on/off AllowRetrieveRestart on #on/off </Global>

Date: Sun, 21 Nov 1999 21:01:10 +0000 (GMT) From: The Flying Hamster [hamster@vom.tm] To: proftpd@proftpd.net Subject: Re: [ProFTPD] Modules? Where? On Tue, 16 Nov 1999, Patrick Maartense wrote: > Quick Question.. > Where to get extra Modules for Proftpd?? Pretty much all the modules are included in the source distribution The modules in the pre9 tarball are contrib/mod_ldap.c contrib/mod_linuxprivs.c contrib/mod_mysql.c contrib/mod_pgsql.c contrib/mod_ratio.c contrib/mod_sqlpw.c doc/mod_sample.c modules/mod_auth.c modules/mod_core.c modules/mod_linuxprivs.c modules/mod_log.c modules/mod_ls.c modules/mod_pam.c modules/mod_pgsql.c modules/mod_ratio.c modules/mod_readme.c modules/mod_site.c modules/mod_tar.c modules/mod_test.c modules/mod_unixpw.c modules/mod_xfer.c The default compliation includes the following modules library:~# proftpd -l Compiled-in modules: mod_core.c mod_auth.c mod_xfer.c mod_site.c mod_ls.c mod_unixpw.c mod_log.c To include additional modules do something like ./configure --with-modules=mod_readme:mod_ldap make make install etc etc Mark -- This is a sig, it's not a smart sig or an AI sig, but it's a sig to replace the sig that died during the death of data... the sig is dead, long live the sig

Also refer to: Secure FTP transfers via Secure Shell Tunnelling Date: Mon, 22 Nov 1999 12:52:37 +0200 (EET) From: typo [typo@pc031.otanner.as.tampere.fi] To: proftpd@proftpd.net Subject: Re: [ProFTPD] sniffable passwords on linux and freebsd3.3-stable On Mon, 22 Nov 1999, Lachlan Cranswick wrote: > >o Tunnel your ftp traffic through ssh whenever possible (!!!) > > Is there a web-page on how you would do this with the GUI based > FTP client programs connecting to a ProFTPD server? (assuming you're using windows to connect to a *nix server) 1. Launch SSH. 2. Go to the preferences and click on the tab 'forwarding' (or 'tunneling' in the new SSH2). 3. Select 'local' forwarding (all connections to the specified port on the local computer will be forwarded over the SSH connection to the specified port on the remote computer), port 21 on both local and remote computer (or, if the remote ftp server is using some other port, change that remote port accordingly) and fill in the remote computer's name/IP. 4. Connect to the remote computer with SSH. 5. Launch your FTP client and connect to your localhost, with the remote server's login name and password and you're all set. Everything is now tunneled through the SSH secure connection. If you're using *nix - *nix connections, read through SSH man pages and look for the -L option (local forwarding). Securing FTP traffic over an SSH connection when connecting to a Windows FTP server is a bit more cumbersome and I won't cover it here. Just use Linux/Unix ;) .pi. -- Petteri Lyytinen -+- typo@cc.tut.fi -+- http://vapaa.intternetti.com/~typo Once you stop trying, you can start succeeding. Date: Mon, 22 Nov 1999 12:16:33 +0100 (MET) From: "V. T. Mueller" [vtmue@uni-freiburg.de] To: proftpd@proftpd.net Subject: Re: [ProFTPD] sniffable passwords on linux and freebsd3.3-stable The only caveat is that this only works for ftp clients that support ftp-sessions over *one port only*. If I don't mix it up that's called passive ftp, where active ftp opens one port for control and one for data. Of course ssh doesn't know anything about that second port and any ftp-session attempt will fail until the client is told to work in passive mode (which is not the default). Regards, Volker

Date: Mon, 22 Nov 1999 16:56:22 +0000 (GMT) From: The Flying Hamster [hamster@vom.tm] cc: proftpd@proftpd.net Subject: Re: [ProFTPD] sniffable passwords on linux and freebsd3.3-stable On Mon, 22 Nov 1999, Leho Kraav wrote: > On Mon, 22 Nov 1999 12:16:33 +0100 (MET), you -> about "Re: [ProFTPD] sniffable > passwords on linux and freebsd3.3-stable": > > >The only caveat is that this only works for ftp clients that support > >ftp-sessions over *one port only*. If I don't mix it up that's called > >passive ftp, where active ftp opens one port for control and one for data. > > AFAIK, that is incorrect. FTP works over two ports, in passive and in active > mode. Passive mode is when the FTP server is set to listen for the client to > specify the data connection port, so that the firewalls would let the data > through on that port. In normal operation, FTP server sends the client > information on what port to listen to. [few minutes reading later...] Passive Mode connections work the same way as normal (Active Mode) connections, except the data connection is also made from the client to the server ie made to port ftp-data (20). This avoids the problem of incoming data connections being blocked by the firewall by making both connections from the client. What it boils down to is Active control channel, port 21 data channel, server specifies random port. Passive control channel, port 21 data channel, port 20 I guess it's doc time :) Mark -- This is a sig, it's not a smart sig or an AI sig, but it's a sig to replace the sig that died during the death of data... the sig is dead, long live the sig

SSH Tunnelling via ProFTPD http://rad.geology.washington.edu/~tj/proftpd/doc/contrib/ProFTPD-mini-HOWTO-SSH.html

I see the following logins that are nearly immediately disconnected. Is ProFTPD kicking people off? Nov 26 15:48:34 5E:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful. Nov 26 15:48:37 5D:sv1 proftpd[151561]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed. Nov 26 15:48:41 5E:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful. Nov 26 15:48:43 5D:sv1 proftpd[150121]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed. Nov 26 15:48:48 5E:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - ANON anonymous: Login successful. Nov 26 15:48:50 5D:sv1 proftpd[158258]: 193.62.124.195 (cu11.aecl.ca[132.225.5.79]) - FTP session closed. Things are possibly OK here. Programs like the lynx ASCII terminal based web-browser have behavour like this that after a directory listing, it will disconnect. If the user decides to continue, it will log in again to do another directory listing.

From: "Thomas Gelf" [thomas@gelf.it] To: [proftpd-users@proftpd.org] Subject: Re: [Proftpd-user] Proftpd on Solaris 8 Date: Fri, 6 Apr 2001 00:22:16 +0200 denis> 500 Illegal PORT command. denis> 425 Can't build data connection: Connection refused hmmm... this happens when I try to connect to any FTP Server if I am behind a router or firewall doing NAT (masqerading) for me. you should configure your client to use PASV mode. is this a general ftp/nat problem? and is there any other solution instead of using passive mode? From: "Thomas Gelf" [thomas@gelf.it] To: [proftpd-users@proftpd.org] Subject: AW: [Proftpd-user] Proftpd on Solaris 8 Date: Fri, 6 Apr 2001 00:25:53 +0200 TJ.> These messages are saying the PORT command issued by your client is for an TJ.> IP address different from that of the client. To allow this, you TJ.> specifically need to set "AllowForeignAddress on" in your proftpd.conf. hmmm... allowing foreign addresses should fix this? if you have been masqueraded too? I don't think that enabling this would be a good idea... Date: Thu, 5 Apr 2001 22:54:22 +0000 (GMT) From: TJ Saunders [tj@digisle.net] X-Sender: tj@guinness.digisle.com To: proftpd-users@proftpd.org Subject: Re: AW: [Proftpd-user] Proftpd on Solaris 8 tj>Depends...using AllowForeignAddress works, but only if the IP addresses tj>involved are not RFC 1918 non-routable addresses. ;) Ack...I mispoke myself. The reason I suggested AllowForeignAddress is that that particular error message, "(address mismatch)", can many times be resolved using AllowForeignAddress -- but that raises other considerations, as mentioned in the docs: http://www.proftpd.org/docs/configuration.html#AllowForeignAddress The use of RFC 1918 addresses is a different issue. My apologies for adding any confusion...=/ TJ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Axioms in philosophy are not axioms until they are proved upon our pulses: we read fine things but never feel them to the full until we have gone the same steps as the author. John Keats ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From: Mike McFaul [mikey@ccs.carleton.ca] Subject: Re: [Proftpd-user] Proftpd on Solaris 8 To: proftpd-users@proftpd.org Date: Thu, 5 Apr 2001 22:26:00 -0400 (EDT) Part of the problem is IPv6 and solaris 8. Change your inetd.conf file to show 'tcp' as the service type, not 'tcp6'. This will allow proftpd to resolve the foreign addresses properly. Proftpd really should have IPv6 support soon, or the install instructions should mention this problem.... > > Hello, > > I try to install proftpd-1.2.0pre10 on a SUN Ultra 10 under Solaris 8. > I use the basic.conf file. When I would like to see what is there on the > ftp directorie (toto), I have the message following: > > 220 ProFTPD 1.2.0pre10 Server (ProFTPD Default Installation) [boracay] > Name (boracay:root): ftptest > 331 Password required for ftptest. > Password: > 230 User ftptest logged in. > ftp> pwd > 257 "/toto" is current directory. > ftp> ls > 500 Illegal PORT command. > 425 Can't build data connection: Connection refused > ftp> put TCP1266 > 500 Illegal PORT command. > ftp> quit > 221 Goodbye. > > I have the same message when I want to put a file in this directorie. > > In the log, I have the following message: > > (0.0.0.0[0.0.0.0]) - Refused PORT 192,168,4,8,133,199 (address > mismatch). > Apr 5 23:40:56 boracay proftpd[5389]: [ID 567783 daemon.warning] > boracay (0.0.0.0[0.0.0.0]) - Refused PORT 192,168,4,8,133,200 (address > mismatch). > Apr 5 23:41:12 boracay proftpd[5389]: [ID 567783 daemon.notice] boracay > (0.0.0.0[0.0.0.0]) - FTP session closed. > > In advance thank you for your help. This is the second night I worked > on. > > Best regards. > > Denis. > > _______________________________________________ > ProFTPD Users List > [proftpd-users@proftpd.org] > http://lists.sourceforge.net/lists/listinfo/proftp-user > -- Mike McFaul -- phone: 520-2600 ext 3708 -- email: mikey@ccs.carleton.ca Date: Fri, 6 Apr 2001 03:41:40 +0000 (GMT) From: TJ Saunders [tj@digisle.net] To: proftpd-users@proftpd.org Subject: Re: [Proftpd-user] Proftpd on Solaris 8 mikey>Part of the problem is IPv6 and solaris 8. Change your inetd.conf file mikey>to show 'tcp' as the service type, not 'tcp6'. This will allow proftpd mikey>to resolve the foreign addresses properly. mikey> mikey>Proftpd really should have IPv6 support soon, or the install mikey>instructions should mention this problem.... IPv6 support will definitely be in the 1.3.x devel tree. In the meantime, there is a post that mentions an IPv6 patch for ProFTPD: http://www.proftpd.org/proftpd-devel-archive/00-10/msg00156.html Hope this helps... TJ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Universe is change; life is opinion. -Marcus Aurelius ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Another idea if Netscape or Internet Explorer cannot browse your anonymous FTP area Date: Thu, 12 Apr 2001 20:51:52 +0100 From: The Flying Hamster (hamster@vom.tm) To: proftpd-users@proftpd.org Subject: Re: [Proftpd-user] Additional information on using an HTTP browser On Thu, Apr 12, 2001 at 03:31:49PM -0700, Lachlan Cranswick wrote: > > In terms of this being a ProFTPD problem(?). Are you using the latest > release or CVS of ProFTPD? > > >From memory - Netscape (and maybe IE) use PASV mode for browsing > FTP sites(?) - so any FTPD with a bug in the PASV mode could give > problems with the browsers - that would not be easily > reproducable with default FTP client software. A previous verson > of ProFTPD did have a problem with PASV - thus using the latest > ProFTPD may cure the problem. Hint for the day: MultilineRFC2228 yes

Masquerading the IP Address behind a Firewall Date: Fri, 13 Apr 2001 10:06:33 +0000 (GMT) From: TJ Saunders <tj@digisle.net> To: proftpd-users@proftpd.org Subject: Re: [Proftpd-user] Wrong IP address returned to incoming user? blayde>(http://www.proftpd.org/docs/configuration.html) I tried a blayde>few things, but couldn't seem to get it to work, would you blayde>be inclined to send the syntax of the command? blayde> blayde>I would greatly appreciate it. :) Sure. =) The syntax should be documented in the Configuration.html file, if you download the source code, under the doc/ subdirectory. Otherwise, it's: MasqueradeAddress <dns-hostname>|<ip-address> It should appear either in the main configuration content, or in a <VirtualHost> context. It's a fairly new directive (appeared in proftpd-1.2.2rc1), which is why it may not be on the website yet. Hope this helps... TJ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Once more upon the waters! yet once more! And the waves bound beneath me as as a steed That knows his rider. -Lord Byron