
Re: multiple problems with proftpd since the bullseye upgrade on the server :-(



Hello Jean-Fransoué,


I'd advise you to go up a notch and stop using FTP directly;
here is the tutorial that will let you improve security:

https://www.digitalocean.com/community/tutorials/how-to-configure-proftpd-to-use-sftp-instead-of-ftp

and to help the pill go down:

https://www.youtube.com/watch?v=44FWZ03kWog

sorry, but that is the only solution I can see

Good luck with the rest

Best regards

Bernard

----- Original message -----
> From: "Jean-François Bachelet" <jfbachelet@free.fr>
> To: debian-user-french@lists.debian.org
> Sent: Sunday, 22 August 2021 17:20:42
> Subject: multiple problems with proftpd since the bullseye upgrade on the server :-(
> 
> Hello folks ^^)
> 
> 
> well, the move from buster to bullseye on the server isn't going without
> problems :(
> 
> 
> first, my proftpd wouldn't upgrade: solved by uninstalling proftpd
> completely (nothing referencing it any more on the server), then
> installing proftpd-basic, which pulls in the dependencies correctly.
> 
> one problem fewer;
> 
> then restored the new configs and restarted the server;
> 
> tried an FTPS connection with FileZilla, as it worked under buster: nope!
> 'you have already connected to this server using FTP over TLS, but this
> server does not support FTP over TLS'! What a joke!
> 
> 
> so what's the problem now???
> 
> 
> here are the configs:
> 
> 
> proftpd.conf:
> 
> #
> # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
> # To really apply changes, reload proftpd after modifications, if
> # it runs in daemon mode. It is not required in inetd/xinetd mode.
> #
> 
> # Includes DSO modules
> Include /etc/proftpd/modules.conf
> 
> # Set off to disable IPv6 support which is annoying on IPv4 only boxes.
> UseIPv6 on
> # If set on you can experience a longer connection delay in many cases.
> <IfModule mod_ident.c>
> IdentLookups off
> </IfModule>
> 
> ServerName "ftp3.myownfqdn"
> # Set to inetd only if you would run proftpd by inetd/xinetd/socket.
> # Read README.Debian for more information on proper configuration.
> ServerType standalone
> DeferWelcome off
> 
> # Disable MultilineRFC2228 per https://github.com/proftpd/proftpd/issues/1085
> # MultilineRFC2228 on
> DefaultServer on
> ShowSymlinks on
> 
> TimeoutNoTransfer 600
> TimeoutStalled 600
> TimeoutIdle 1200
> 
> DisplayLogin welcome.msg
> DisplayChdir .message true
> ListOptions "-l"
> 
> DenyFilter \*.*/
> 
> # Use this to jail all users in their homes
> DefaultRoot ~
> 
> # Users require a valid shell listed in /etc/shells to login.
> # Use this directive to release that constrain.
> # RequireValidShell off
> 
> # Port 21 is the standard FTP port.
> Port 21
> 
> # In some cases you have to specify passive ports range to by-pass
> # firewall limitations. Ephemeral ports can be used for that, but
> # feel free to use a more narrow range.
> PassivePorts 49152 49252
> 
> # If your host was NATted, this option is useful in order to
> # allow passive tranfers to work. You have to use your public
> # address and opening the passive ports used on your firewall as well.
> # MasqueradeAddress 1.2.3.4
> 
> # This is useful for masquerading address with dynamic IPs:
> # refresh any configured MasqueradeAddress directives every 8 hours
> <IfModule mod_dynmasq.c>
> # DynMasqRefresh 28800
> </IfModule>
> 
> # To prevent DoS attacks, set the maximum number of child processes
> # to 30. If you need to allow more than 30 concurrent connections
> # at once, simply increase this value. Note that this ONLY works
> # in standalone mode, in inetd mode you should use an inetd server
> # that allows you to limit maximum number of processes per service
> # (such as xinetd)
> MaxInstances 30
> 
> # Set the user and group that the server normally runs at.
> User proftpd
> Group nogroup
> 
> # Umask 022 is a good standard umask to prevent new files and dirs
> # (second parm) from being group and world writable.
> Umask 022 022
> # Normally, we want files to be overwriteable.
> AllowOverwrite on
> 
> # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
> # PersistentPasswd off
> 
> # This is required to use both PAM-based authentication and local passwords
> # AuthOrder mod_auth_pam.c* mod_auth_unix.c
> 
> # Be warned: use of this directive impacts CPU average load!
> # Uncomment this if you like to see progress and transfer rate with ftpwho
> # in downloads. That is not needed for uploads rates.
> #
> # UseSendFile off
> 
> TransferLog /var/log/proftpd/xferlog
> SystemLog /var/log/proftpd/proftpd.log
> 
> # Logging onto /var/log/lastlog is enabled but set to off by default
> #UseLastlog on
> 
> # In order to keep log file dates consistent after chroot, use timezone info
> # from /etc/localtime. If this is not set, and proftpd is configured to
> # chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
> # savings timezone regardless of whether DST is in effect.
> SetEnv TZ :/etc/localtime
> 
> <IfModule mod_quotatab.c>
> QuotaEngine off
> </IfModule>
> 
> <IfModule mod_ratio.c>
> Ratios off
> </IfModule>
> 
> 
> # Delay engine reduces impact of the so-called Timing Attack described in
> # http://www.securityfocus.com/bid/11430/discuss
> # It is on by default.
> <IfModule mod_delay.c>
> DelayEngine on
> </IfModule>
> 
> <IfModule mod_ctrls.c>
> ControlsEngine off
> ControlsMaxClients 2
> ControlsLog /var/log/proftpd/controls.log
> ControlsInterval 5
> ControlsSocket /var/run/proftpd/proftpd.sock
> </IfModule>
> 
> <IfModule mod_ctrls_admin.c>
> AdminControlsEngine off
> </IfModule>
> 
> #
> # Alternative authentication frameworks
> #
> #Include /etc/proftpd/ldap.conf
> #Include /etc/proftpd/sql.conf
> 
> #
> # This is used for FTPS connections
> #
> Include /etc/proftpd/tls.conf
> 
> #
> # This is used for SFTP connections
> #
> #Include /etc/proftpd/sftp.conf
> 
> #
> # This is used for other add-on modules
> #
> #Include /etc/proftpd/dnsbl.conf
> #Include /etc/proftpd/geoip.conf
> #Include /etc/proftpd/snmp.conf
> 
> #
> # Useful to keep VirtualHost/VirtualRoot directives separated
> #
> #Include /etc/proftpd/virtuals.conf
> 
> # A basic anonymous configuration, no upload directories.
> 
> # <Anonymous ~ftp>
> # User ftp
> # Group nogroup
> # # We want clients to be able to login with "anonymous" as well as "ftp"
> # UserAlias anonymous ftp
> # # Cosmetic changes, all files belongs to ftp user
> # DirFakeUser on ftp
> # DirFakeGroup on ftp
> #
> # RequireValidShell off
> #
> # # Limit the maximum number of anonymous logins
> # MaxClients 10
> #
> # # We want 'welcome.msg' displayed at login, and '.message' displayed
> # # in each newly chdired directory.
> # DisplayLogin welcome.msg
> # DisplayChdir .message
> #
> # # Limit WRITE everywhere in the anonymous chroot
> # <Directory *>
> # <Limit WRITE>
> # DenyAll
> # </Limit>
> # </Directory>
> #
> # # Uncomment this if you're brave.
> # # <Directory incoming>
> # # # Umask 022 is a good standard umask to prevent new files and dirs
> # # # (second parm) from being group and world writable.
> # # Umask 022 022
> # # <Limit READ WRITE>
> # # DenyAll
> # # </Limit>
> # # <Limit STOR>
> # # AllowAll
> # # </Limit>
> # # </Directory>
> #
> # </Anonymous>
> 
> # Include other custom configuration files
> # !! Please note, that this statement will read /all/ file from this subdir,
> # i.e. backup files created by your editor, too !!!
> # Eventually create file patterns like this: /etc/proftpd/conf.d/*.conf
> #
> Include /etc/proftpd/conf.d/
> 
> # Allow Tranfer Resume
> AllowStoreRestart on
> AllowRetrieveRestart on
> 
> <Global>
> DefaultRoot ~
> RootLogin off
> UseFtpUsers on
> </Global>
> 
> 
> and tls.conf:
> 
> #
> # Proftpd sample configuration for FTPS connections.
> #
> # Note that FTPS impose some limitations in NAT traversing.
> # See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
> # for more information.
> #
> 
> <IfModule mod_tls.c>
> TLSEngine on
> TLSLog /var/log/proftpd/tls.log
> TLSProtocol TLSv1.2
> #
> # Server SSL certificate. You can generate a self-signed certificate using
> # a command like:
> #
> # openssl req -x509 -newkey rsa:1024 \
> # -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
> # -nodes -days 365
> #
> # The proftpd.key file must be readable by root only. The other file can be
> # readable by anyone.
> #
> # chmod 0600 /etc/ssl/private/proftpd.key
> # chmod 0640 /etc/ssl/private/proftpd.key
> #
> TLSRSACertificateFile /etc/ssl/proftpd/proftpd.crt
> TLSRSACertificateKeyFile /etc/ssl/proftpd/private/proftpd.key
> #
> # CA the server trusts...
> #TLSCACertificateFile /etc/ssl/certs/CA.pem
> # ...or avoid CA cert and be verbose
> #TLSOptions NoCertRequest EnableDiags
> # ... or the same with relaxed session use for some clients (e.g. FireFtp)
> TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
> #
> #
> # Per default drop connection if client tries to start a renegotiate
> # This is a fix for CVE-2009-3555 but could break some clients.
> #
> #TLSOptions AllowClientRenegotiations
> #
> # Authenticate clients that want to use FTP over TLS?
> #
> #TLSVerifyClient off
> #
> # Are clients required to use FTP over TLS when talking to this server?
> #
> TLSRequired on
> #
> # Allow SSL/TLS renegotiations when the client requests them, but
> # do not force the renegotations. Some clients do not support
> # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
> # clients will close the data connection, or there will be a timeout
> # on an idle data connection.
> #
> TLSRenegotiate required off
> </IfModule>
> 
> 
> with these configs, FTP over TLS worked perfectly under buster and not
> at all under bullseye...
> 
> the SSL keys are where they should be, so what is wrong here?
> 
> 
> grrr!
> 
> Jeff
> 
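
Added example, not from either mail in this thread: a Python probe that walks through the explicit-FTPS steps by hand (220 greeting, AUTH TLS, 234 reply, TLS handshake) against a server and reports which stage fails, which a client's generic "does not support FTP over TLS" message hides, together with a small parser for the mod_tls directives quoted above. The host you pass in and the embedded sample config are assumptions, not taken from the server in the thread.

```python
import socket, ssl

SAMPLE_TLS_CONF = """\
# constructed sample, modelled on the tls.conf quoted in the thread
<IfModule mod_tls.c>
TLSProtocol TLSv1.2
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
TLSRequired on
</IfModule>
"""

def parse_tls_conf(text):
    """Map each mod_tls directive to its argument list, skipping comments and tags."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, rest = line.partition(" ")
        directives[name] = rest.split()
    return directives

def read_reply(sock):
    """Read one FTP reply (multi-line allowed); return (3-digit code, full text)."""
    data = b""
    while True:  # a reply ends with "ddd "; "ddd-" means more lines follow
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the control connection")
        data += chunk
        last = data.decode(errors="replace").splitlines()[-1]
        if data.endswith(b"\n") and len(last) >= 4 and last[:3].isdigit() and last[3] == " ":
            return last[:3], data.decode(errors="replace").strip()

def probe_ftps(host, port=21, timeout=10):
    """Do the explicit-FTPS steps by hand and report the stage at which the server fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed cert; probe only
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, text = read_reply(sock)  # 220 greeting expected
        if code == "220":
            sock.sendall(b"AUTH TLS\r\n")
            code, text = read_reply(sock)
        if code != "234":  # e.g. 500/502: mod_tls not active, so no FTP over TLS at all
            return {"stage": "auth", "code": code, "detail": text}
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLError as err:  # AUTH accepted, but TLS negotiation itself failed
            return {"stage": "handshake", "code": code, "detail": str(err)}
        return {"stage": "ok", "protocol": tls.version(), "cipher": tls.cipher()[0]}
```

Calling `probe_ftps("ftp3.myownfqdn")` from the server itself separates the two cases FileZilla lumps together: stage "auth" means the AUTH TLS command was refused, while stage "handshake" means TLS was offered but negotiation failed, which points at the certificate, key or TLSProtocol settings in tls.conf.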

