Void's Forums

[Buzza24]

Hey guys,

I am almost totally migrated to Linux except for a few things.
The one that is really bothering me is that I can't FTP to my server (running RH9 and proftpd) using either gftp or kbear but I can't FTP perfectly when in WIndows and using Filezilla.
I triple-checked both client and server and I can't see anything wrong. But I'm sure it's a client problem. I am running Fedora 1 at the moment.

What do I do?

Oh... and the other thing that's stopping me is I havent yet got video editing working perfectly yet. But that's another time.

Thanks,
buzza

[Void Main]

Did you configure a firewall (iptables) on either the client or server or both? Are you running proftpd in daemon mode or inetd mode? If you are running it in inetd mode have you configured xinetd? Since you posted this in the Red Hat/Fedora forum I assume you are using one of those in which case I am curious why you didn't have a go with vsftpd instead of proftpd (not that there is anything wrong with either, just that vsftpd comes with RH/Fedora).

[byrdman]

speaking of vsftpd, I was wanting to know the most secure way to run it. I hear that SANS, which I have become a big fan of, really likes it. Since my web/ftp server just crashed because of hw issues, I get to rebuild it with FC1/2. (not sure which one yet)
anywho, does anyone have a really good config to really secure up the vsftpd?
I want one login, say ftpadmin to be able to have write access to all the 'child' logins that I create. I work for a company where the 'admin' login controls the 'child' logins. But at the same time the 'admin' login is chrooted...!?

[Buzza24]

well as far as that goes I have to admit that I don't know much about.
Though i have been using linux for a while, you could still call me a newbie.
I have no idea about setting up iptables and xientd. But i doo know that I am running Proftp
in stand-alone.

Reason I am using proftp instead of vsftp is because I was told by Doogee that it was better and more secure if I remember correctly.
Anyway, if u need more info just ask.

also the server firewall can't be the problem becuase it allows transfer from windows machines.

[byrdman]

Hey, I just noticed that me and Buzza had the EXACT same number of posts, so I wanted to post this just to be one up!!!!
Sorry for being annoying but I thought it was funny
byrd

[Void Main]

For the record proftpd is not more secure than vsftpd. It might be more secure than wu-ftpd but not vsftpd. vsftpd is built with security as it's primary focus (hence the name "very secure ftpd"). byrdman, I'll try and get an answer for you soon if nobody else gets it.

http://vsftpd.beasts.org/

[Void Main]

This README seems to cover your user question:
ftp://vsftpd.beasts.org/users/cevans/un ... S_2/README

I'm not sure but I think it expands on these config files:
ftp://vsftpd.beasts.org/users/cevans/un ... UAL_USERS/

[Buzza24]

well it's all good now.

I installed vsftpd and it's works fine. not one problem yet.

Just before I go, here is the address of the webserver that I have working on.
http://buzza.kicks-ass.net/

Thanks,
Buzza

[Void Main]

Heh heh, very nice!

[ZiaTioN]

Glad to see you chose to run your webserver on the only viable option as far as I am concerned, which is Linux using Apache ( I hope that is what you are using ). If you have any further questions as far as administering apache goes ask away, I am sure we can give you any help required. I know this ia a Linux site mainly but if you have any html or any other web design questions I will probably be able to help you out. I am sure Void can too, I mean he designed this sight didn't he?

I actually stold his idea of using a programming format for my index page. I used Perl syntax though instead of C but you get the idea. Anyway good luck with the Christian sites, it is good to see someone use techologic skills for a decent cause.

Oh and my site I am refering too is www.perlskripts.com.

[Void Main]

speaking of vsftpd, I was wanting to know the most secure way to run it. I hear that SANS, which I have become a big fan of, really likes it. Since my web/ftp server just crashed because of hw issues, I get to rebuild it with FC1/2. (not sure which one yet)
anywho, does anyone have a really good config to really secure up the vsftpd?
I want one login, say ftpadmin to be able to have write access to all the 'child' logins that I create. I work for a company where the 'admin' login controls the 'child' logins. But at the same time the 'admin' login is chrooted...!?

Ok, I worked out an example config that does what you want. In my example I have added 4 more users to my system. "ftpadmin" is the user that needs access to all the other ftp users and with read/write access to their stuff. Then I created users "ftp1", "ftp2", and "ftp3".

I used the plain old adduser command:

Code: Select all

# adduser ftpadmin
# adduser ftp1
# adduser ftp2
# adduser ftp3


Then I changed the /etc/passwd file so that all users had the same primary group as the "ftpadmin" user (in this example the "ftpadmin" group ID happened to be 10025) and set their login shell to "/sbin/nologin" so they wouldn't be able to get a shell login. I also made the regular ftp users' home directories as subdirectories of the ftpadmin user. Here's the relevant part of the passwd file:

Code: Select all

ftpadmin:x:10025:10025:FTP Admin:/home/ftpadmin:/bin/false
ftp1:x:10026:10025:FTP User 1:/home/ftpadmin/ftp1:/sbin/nologin
ftp2:x:10027:10025:FTP User 2:/home/ftpadmin/ftp2:/sbin/nologin
ftp3:x:10028:10025:FTP User 3:/home/ftpadmin/ftp3:/sbin/nologin


Then I set up the directory structure as needed:

Code: Select all

# cd /home
# rm -rf ftp1 ftp2 ftp3 ftpadmin
# mkdir ftpadmin
# mkdir ftpadmin/ftp1
# mkdir ftpadmin/ftp2
# mkdir ftpadmin/ftp3
# chown -R ftpadmin:ftpadmin ftpadmin
# chmod -R 770 ftpadmin


Then I created a chroot list as /etc/vsftpd.chroot_list:

Code: Select all

ftpadmin
ftp1
ftp2
ftp3


And set up my /etc/vsftpd.conf file like this:
http://voidmain.is-a-geek.net/files/vsftpd/vsftpd.conf

Here it is with the comments removed:

Code: Select all

write_enable=YES
local_umask=002
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=Welcome to Void Main's FTP server.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES


When the normal ftp users log in they are chrooted to their directory and that is all they see. When the ftpadmin user logs in they are chrooted to their directory, however the other users directories are subdirectories of the ftpadmin ID so ftpadmin has access to them all. Since the umask is 002 any new files created will be rwx for the group and all files will be created group owned by ftpadmin. Users that are not in the vsftpd.chroot_list file will not be chrooted and have a normal full ftp login access.

Here are all the files:
http://voidmain.is-a-geek.net/files/vsftpd/

[byrdman]

Void, I seem to remember you helped us write a script that simplified our asp webcam script to perl. you also wrote cron scripts that copied the webcam pix that were sent to the account's home dir and placed them in the right folder under the website. Well of course you heard that our website crashed and, being the great net admin that I am , did not have a back up because....well....I just didn't
I remember the script was something like this:
LATEST='tail -200 /var/log/xferlog grep something something -someswitch etc... \
cp -f $LATEST /loc/of/webcam/folder...


there was one to copy the live picture and one to copy archives because in our crontab there was a webcamlive and a webcam archive...
could you help a poor sap out, I will buy you a Chevy's lunch!!!

[Void Main]

Yes, I somewhat remember doing that. I would need a copy of the xfer log and a directory/name where you want the most current image placed and what the image name(s) are in the log and it should be pretty simple. You can either email a portion of the log (gzipped) or upload it to my ftp server in the /upload directory (if you upload it you will not be able to see it or download it, it will appear to just go into a black hole but it will be there). I will not be able to look at it until this evening if you ftp it but I might be able to get what you want earlier than that if you email it.

[byrdman]

as far as the vsftpd config, if I have the /etc/passwd file with the users shell as /bin/false or /sbin/nologin they do not have access to the ftp site. If I change it to /bin/bash they log right in. Any ideas?

[Void Main]

Is /sbin/nologin and/or /bin/false listed in your /etc/shells file (they should be) and do the files actually exist?