
Re: multiple problems with proftpd since the bullseye upgrade on the server :-(



Hello,

It's a bit of a lame answer, but the last time I had a problem with
proftpd (about 15 years ago), I tried vsftpd, which seemed to me much
simpler to administer and maintain. I kept a bad memory of proftpd (I
had to "get my hands dirty" again at every update).

Regards
Hugues

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Sunday, 22 August 2021 at 17:20, Jean-François Bachelet <jfbachelet@free.fr> wrote:

> Hello folks ^^)
>
> well, the move from buster to bullseye on the server is not going
> without problems :(
>
> first of all, my proftpd refused to update: solved by uninstalling
> all of proftpd (nothing referring to it remaining on the server),
> then installing proftpd-basic, which pulls in the dependencies
> correctly.
>
> one problem less;
>
> then restoration of the new configs and reboot of the server;
>
> attempt at an ftps connection with filezilla, the way it worked under
> buster: nope! 'you have already connected to this server using FTP
> over TLS but this server does not support FTP over TLS'! That's the
> last straw!
>
> so what's the problem now???
>
> here are the configs:
>
> proftpd.conf:
>
> # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
> # To really apply changes, reload proftpd after modifications, if
> # it runs in daemon mode. It is not required in inetd/xinetd mode.
>
> # Includes DSO modules
> Include /etc/proftpd/modules.conf
>
> # Set off to disable IPv6 support which is annoying on IPv4 only boxes.
> UseIPv6 on
> # If set on you can experience a longer connection delay in many cases.
> <IfModule mod_ident.c>
> IdentLookups off
> </IfModule>
>
> ServerName "ftp3.myownfqdn"
> # Set to inetd only if you would run proftpd by inetd/xinetd/socket.
> # Read README.Debian for more information on proper configuration.
> ServerType standalone
> DeferWelcome off
>
> # Disable MultilineRFC2228 per
> # https://github.com/proftpd/proftpd/issues/1085
> #MultilineRFC2228 on
> DefaultServer on
> ShowSymlinks on
>
> TimeoutNoTransfer 600
> TimeoutStalled 600
> TimeoutIdle 1200
>
> DisplayLogin welcome.msg
> DisplayChdir .message true
> ListOptions "-l"
>
> DenyFilter \./
>
> # Use this to jail all users in their homes
> DefaultRoot ~
>
> # Users require a valid shell listed in /etc/shells to login.
> # Use this directive to release that constraint.
> #RequireValidShell off
>
> # Port 21 is the standard FTP port.
> Port 21
>
> # In some cases you have to specify passive ports range to by-pass
> # firewall limitations. Ephemeral ports can be used for that, but
> # feel free to use a more narrow range.
> PassivePorts 49152 49252
>
> # If your host was NATted, this option is useful in order to
> # allow passive transfers to work. You have to use your public
> # address and open the passive ports used on your firewall as well.
> # MasqueradeAddress 1.2.3.4
>
> # This is useful for masquerading address with dynamic IPs:
> # refresh any configured MasqueradeAddress directives every 8 hours
> <IfModule mod_dynmasq.c>
> # DynMasqRefresh 28800
> </IfModule>
>
> # To prevent DoS attacks, set the maximum number of child processes
> # to 30. If you need to allow more than 30 concurrent connections
> # at once, simply increase this value. Note that this ONLY works
> # in standalone mode, in inetd mode you should use an inetd server
> # that allows you to limit maximum number of processes per service
> # (such as xinetd)
> MaxInstances 30
>
> # Set the user and group that the server normally runs at.
> User proftpd
> Group nogroup
>
> # Umask 022 is a good standard umask to prevent new files and dirs
> # (second parm) from being group and world writable.
> Umask 022 022
> # Normally, we want files to be overwritable.
> AllowOverwrite on
>
> # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
> # PersistentPasswd off
>
> # This is required to use both PAM-based authentication and local passwords
> # AuthOrder mod_auth_pam.c* mod_auth_unix.c
>
> # Be warned: use of this directive impacts CPU average load!
> # Uncomment this if you like to see progress and transfer rate with ftpwho
> # in downloads. That is not needed for upload rates.
> # UseSendFile off
>
> TransferLog /var/log/proftpd/xferlog
> SystemLog /var/log/proftpd/proftpd.log
>
> # Logging onto /var/log/lastlog is enabled but set to off by default
> #UseLastlog on
>
> # In order to keep log file dates consistent after chroot, use timezone info
> # from /etc/localtime. If this is not set, and proftpd is configured to
> # chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
> # savings timezone regardless of whether DST is in effect.
> SetEnv TZ :/etc/localtime
>
> <IfModule mod_quotatab.c>
> QuotaEngine off
> </IfModule>
>
> <IfModule mod_ratio.c>
> Ratios off
> </IfModule>
>
> # Delay engine reduces impact of the so-called Timing Attack described in
> # http://www.securityfocus.com/bid/11430/discuss
> # It is on by default.
> <IfModule mod_delay.c>
> DelayEngine on
> </IfModule>
>
> <IfModule mod_ctrls.c>
> ControlsEngine off
> ControlsMaxClients 2
> ControlsLog /var/log/proftpd/controls.log
> ControlsInterval 5
> ControlsSocket /var/run/proftpd/proftpd.sock
> </IfModule>
>
> <IfModule mod_ctrls_admin.c>
> AdminControlsEngine off
> </IfModule>
>
> # Alternative authentication frameworks
> #Include /etc/proftpd/ldap.conf
> #Include /etc/proftpd/sql.conf
>
> # This is used for FTPS connections
> Include /etc/proftpd/tls.conf
>
> # This is used for SFTP connections
> #Include /etc/proftpd/sftp.conf
>
> # This is used for other add-on modules
> #Include /etc/proftpd/dnsbl.conf
> #Include /etc/proftpd/geoip.conf
> #Include /etc/proftpd/snmp.conf
>
> # Useful to keep VirtualHost/VirtualRoot directives separated
> #Include /etc/proftpd/virtuals.conf
>
> # A basic anonymous configuration, no upload directories.
> # <Anonymous ~ftp>
> #   User ftp
> #   Group nogroup
> #   # We want clients to be able to login with "anonymous" as well as "ftp"
> #   UserAlias anonymous ftp
> #   # Cosmetic changes, all files belong to ftp user
> #   DirFakeUser on ftp
> #   DirFakeGroup on ftp
> #
> #   RequireValidShell off
> #
> #   # Limit the maximum number of anonymous logins
> #   MaxClients 10
> #
> #   # We want 'welcome.msg' displayed at login, and '.message' displayed
> #   # in each newly chdired directory.
> #   DisplayLogin welcome.msg
> #   DisplayChdir .message
> #
> #   # Limit WRITE everywhere in the anonymous chroot
> #   <Directory *>
> #     <Limit WRITE>
> #       DenyAll
> #     </Limit>
> #   </Directory>
> #
> #   # Uncomment this if you're brave.
> #   # <Directory incoming>
> #   #   # Umask 022 is a good standard umask to prevent new files and dirs
> #   #   # (second parm) from being group and world writable.
> #   #   Umask 022 022
> #   #   <Limit READ WRITE>
> #   #     DenyAll
> #   #   </Limit>
> #   #   <Limit STOR>
> #   #     AllowAll
> #   #   </Limit>
> #   # </Directory>
> #
> # </Anonymous>
>
> # Include other custom configuration files
> # !! Please note, that this statement will read /all/ files from this subdir,
> # i.e. backup files created by your editor, too !!!
> # Eventually create file patterns like this: /etc/proftpd/conf.d/*.conf
> Include /etc/proftpd/conf.d/
>
> # Allow Transfer Resume
> AllowStoreRestart on
> AllowRetrieveRestart on
>
> <Global>
> DefaultRoot ~
> RootLogin off
> UseFtpUsers on
> </Global>
>
> and tls.conf:
>
> # Proftpd sample configuration for FTPS connections.
> #
> # Note that FTPS imposes some limitations in NAT traversing.
> # See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
> # for more information.
> #
>
> <IfModule mod_tls.c>
> TLSEngine on
> TLSLog /var/log/proftpd/tls.log
> TLSProtocol TLSv1.2
>
> # Server SSL certificate. You can generate a self-signed certificate using
> # a command like:
> #
> # openssl req -x509 -newkey rsa:1024 \
> #         -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
> #         -nodes -days 365
> #
> # The proftpd.key file must be readable by root only. The other file can be
> # readable by anyone.
> #
> # chmod 0600 /etc/ssl/private/proftpd.key
> # chmod 0640 /etc/ssl/private/proftpd.key
> #
> TLSRSACertificateFile /etc/ssl/proftpd/proftpd.crt
> TLSRSACertificateKeyFile /etc/ssl/proftpd/private/proftpd.key
>
> # CA the server trusts...
> #TLSCACertificateFile /etc/ssl/certs/CA.pem
> # ...or avoid CA cert and be verbose
> #TLSOptions NoCertRequest EnableDiags
> # ... or the same with relaxed session use for some clients (e.g. FireFtp)
> TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
>
> # Per default drop connection if client tries to start a renegotiation
> # This is a fix for CVE-2009-3555 but could break some clients.
> #TLSOptions AllowClientRenegotiations
>
> # Authenticate clients that want to use FTP over TLS?
> #TLSVerifyClient off
>
> # Are clients required to use FTP over TLS when talking to this server?
> TLSRequired on
>
> # Allow SSL/TLS renegotiations when the client requests them, but
> # do not force the renegotiations. Some clients do not support
> # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
> # clients will close the data connection, or there will be a timeout
> # on an idle data connection.
> TLSRenegotiate required off
> </IfModule>
>
> with these configs, ftp over tls worked perfectly under buster and
> not at all under bullseye...
>
> the ssl keys are in their place, so what is going wrong here?
>
> grrr!
>
> Jeff
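A client-side check for the symptom described in the quoted message (FileZilla reporting that the server does not support FTP over TLS), added here as an example and not code from either message in the thread. The posted configuration is an explicit-FTPS setup: `Port 21`, `TLSEngine on`, `TLSRequired on`, so a client is expected to open a plain connection to port 21 and upgrade it with `AUTH TLS`. The script below does exactly that with Python's standard library: it reads the FEAT reply to see whether `AUTH TLS` is advertised, then issues AUTH TLS and reports the TLS version and cipher that were actually negotiated. The hostname and port are placeholders, and the FEAT replies in the docstring are constructed, not captured from the poster's server.

```python
"""Client-side probe for explicit FTP over TLS (AUTH TLS on the control port).

Added example for this thread, not code from either message.  HOST and PORT
below are placeholders; pass the real server on the command line.
"""
import json
import ssl
import sys
from ftplib import FTP_TLS, all_errors

# Placeholder target (assumption: the poster's full hostname is not given).
HOST = "ftp.example.invalid"
PORT = 21


def parse_feat(reply: str) -> dict[str, str]:
    """Map feature name -> parameters from a raw FEAT reply.

    ftplib returns the multi-line reply as one string, for example
    (constructed, roughly what proftpd with mod_tls loaded sends):
        '211-Features:\\n MDTM\\n AUTH TLS\\n PBSZ\\n PROT\\n211 End'
    RFC 2389: every feature line starts with a single space; the first
    word is the feature name, the remainder (if any) are its parameters.
    """
    feats: dict[str, str] = {}
    for line in reply.splitlines():
        if not line.startswith(" "):
            continue  # '211-Features:' and '211 End' are not feature lines
        parts = line.strip().split(None, 1)
        if parts:
            feats[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return feats


def supports_auth_tls(feats: dict[str, str]) -> bool:
    """True if the AUTH feature lists a TLS mechanism (TLS, TLS-C, TLS-P).

    Servers separate mechanisms with ';' or spaces, e.g. 'AUTH SSL;TLS-C;TLS'.
    """
    tokens = {t.upper() for t in feats.get("AUTH", "").replace(";", " ").split()}
    return any(t == "TLS" or t.startswith("TLS-") for t in tokens)


def probe(host: str = HOST, port: int = PORT, timeout: float = 10.0) -> dict:
    """Connect, read FEAT, then attempt AUTH TLS and report what was negotiated.

    Certificate verification is disabled on purpose: this is a diagnostic to
    see whether the server speaks TLS at all, not a trust decision.  Do not
    reuse this context for real transfers.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "port": port, "banner": None, "feat": {},
              "auth_tls_advertised": None, "tls_version": None,
              "cipher": None, "error": None}
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    try:
        result["banner"] = ftp.connect(host, port)
        result["feat"] = parse_feat(ftp.sendcmd("FEAT"))
        result["auth_tls_advertised"] = supports_auth_tls(result["feat"])
        ftp.auth()  # sends 'AUTH TLS' and wraps the control socket in TLS
        result["tls_version"] = ftp.sock.version()
        result["cipher"] = ftp.sock.cipher()[0]
    except all_errors as exc:  # 5xx replies, TLS handshake errors, timeouts
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        try:
            ftp.close()
        except OSError:
            pass
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    print(json.dumps(probe(target, port), indent=2))
```

Run it as `python3 probe_ftps.py ftp3.myownfqdn 21`. If `auth_tls_advertised` is false, or `error` records a 5xx reply to `AUTH TLS`, then FileZilla's complaint is an accurate description of what the control channel offers and the server side is where to look next: `proftpd -t` parses the configuration and reports any directive it rejects, and the `TLSLog` set in the posted tls.conf (`/var/log/proftpd/tls.log`) records mod_tls's view of each handshake attempt. If instead the handshake completes here, the problem lies elsewhere (for example on the data connection or in the passive port range), not in TLS support on port 21.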

