Proftpd help

[worker201]

Yeah, I suppose I have it misconfigured. I wanted to be sure that the access was set up exactly the way I wanted it, so I made my own proftpd.conf file. It works just fine if I login as myself (nonroot user), and that can even be done from a remote computer. But it is not accepting anonymous logins, even though I copied most of the options straight from the various sample config files.

You've been a real help so far - I now know how to kill -1 and setup inetd. The ps and netstat commands have also been absolutely priceless. I totally did not understand iptables, but that's okay, I'll get around to it eventually.

So I guess the thing to do now is start over with the original default proftpd.conf file. --If I can find it, it has foolishly been written over-- Once I get it working with that (and I have no doubts that it will now), I can add options later.

Hopefully, things will go a lot smoother tomorrow.

[Void Main]

But the one thing I have asked you about several times that you've never indicated you did was to comment out the "ftp" line in /etc/ftpusers. Did you do that? Also, does the ftp user exist in your /etc/passwd? Anonymous access will not work without doing that. You have also not indicated whether or not you have check the system logs for related error messages. It's really very hard for me to figure out where you are at when I don't get answers to all of the questions that I ask. Sorry but you are making this *extremely* hard on me. :) It almost seems as if you are trying to turn a mole hill into rocket science, or is that a paper airplane into a mountain? I know it's something like that. :)

[worker201]

Yes, ftp has been commented out in etc/ftpusers. Sorry, I had that taken care of long before I came here for help. And ftp does exist in etc/passwd. In that file, ftp's home was not the home I had selected in my .conf file, so I changed it.

From now on, I will address all questions in the order that they are received

[worker201]

Okay, I downloaded the Slackware proftpd package to my Fedora2 box and extracted the default .conf file, and then transferred it to the Slackbox. No surprise to you, it worked perfectly! I have since made a couple adjustments, and now everything works according to plan. So my proftpd troubles are over for now.

Thanks a ton!

[Void Main]

Whew! You had me going there for a while. :) One thing did come out of this. I am $100 lighter and now have Slack 10 installed so if anyone else has any issues I'll be in a much better position to help. :)

[worker201]

Any ideas what I can do to increase security without reducing access? I certainly don't want any warez doodz crapping up my ftp space, and I don't really want anyone to gain access to any higher directories. I'll keep a good watch on the logs, but is there anything beyond that which might prevent any attacks?

[Void Main]

This server is connected directly to the internet? I assume it has to be this way for users to put/get stuff from outside your company? I certainly would put it behind a firewall, preferably in a DMZ and restrict access to only just what is absolutely necessary. Watching the security lists on ProFTPD wouldn't hurt either. Of course these are just scratching the surface of what I would suggest. If you want more I can rattle on this subject for a long long time.

[worker201]

Wow, it should be connected to the internet, but I'm having trouble accessing it from home. I'm at a large university, and from inside their network, I can access it via foo.bar.edu. Obviously, that name means nothing outside their network. Call me a newb, but just how the heck do I access it from outside?

Ooh, this is weird. I can ping foo.bar.edu from home, but I cannot telnet in. I guess that means they have some kind of major network firewall? I assure you, I can get anything out, but it looks like getting anything in is going to be another story. So the ftp server won't be quite as useful as I thought it would be. On the other hand, this increases security pretty well. You have to be on the campus network (probably on our department network) to access it.

Any way around this? My security is probably okay if all outside connections are blocked. If it turns out I can get open to the outside, I will happily read 10-20 pages of security info

[Void Main]

Well the first thing I would suggest if it's connected to the internet is to *not* have telnet and ftp access as I mentioned at the beginning of this thread. telnet and ftp are not encrypted and it is trivial to sniff out passwords and gain access to your system if you use these protocols for real user logins. It's back to "ssh". Of course if you want anonymous up/download then it's anonyous FTP but for anonymous only. For real user logins only allow ssh.

Of course if you can't get to your server then you would have to assume the campus has firewalls set up and are not allowing FTP. Without knowing the address and more information it's hard to say what you are dealing with. I could probably tell you more if I knew the hostname and the IP address of your server. If you want you can send it to me in a private message and I can do a couple of quick checks. If you don't want to send me the address I completely understand and it's no big deal. I can still give you the steps to figure it out. I don't have time right this second but I can put together some steps for you to check this evening.

[Void Main]

Since you now are back on track and are interested in a secure transfer and login method then we might as well change the topic to ssh. ssh replaces both ftp and telnet and all communication is encrypted. Of course you may have other reasons for wanting to allow anonymous FTP access. If it's just you, and other users that you want to allow a higher level of access for (telnet for instance) then all you have to do is run the ssh daemon (I'll bet it's running right now on your Slack box).

From the client side you would use the "ssh" command instead of "telnet" to connect to your machine. ssh has far more capabilities than both telnet and ftp have. For file transfer you have several client commands that you can use "scp" (secure copy), "sftp" (secure ftp, works much like regular ftp), and more. You also can also do graphical file transfers to/from your server using the KDE or GNOME file managers (Konqueror or Nautilus).

If you have to use Windows (I can't imagine having to) on the client side you can download and install the Windows versions of the command line clients or there are several graphical clients that you can install and use. If you have ever used WS_FTP then you will like WinSCP:

Screenshot:
http://winscp.sourceforge.net/eng/scree ... mander.gif
Main site:
http://winscp.sourceforge.net/eng/

Many other Windows based tools can be downloaded here:
http://www.openssh.org/windows.html
Main OpenSSH site:
http://www.openssh.org/

Whether you use telnet/ftp or ssh I would also not allow connections from just anywhere. First off I would never use telnet/ftp over the internet anymore as you know but even for ssh I restrict access down so connections can only be made from specific addresses or address ranges, if you can.

Also, since you are behind a firewall most of your ports are not open to anyone on the internet. I assume that they are open to anyone else on campus though and for that reason I would turn off any services that you are not using. See your nmap output to see what ports are open and shut down any associated services that have those ports open that you do not need. Restrict access to the ports that DO have to stay open to the addresses or ranges that need to connect (you can use iptables for this or in some cases TCP wrappers). The fewer services that are exposed the fewer possible holes will be available to be exploited. Just remember that you could be hacked from your own network, all it would take would be a bad apple, or another system on your network that has been exploited and used as a hopping point.

Ok, now that you have only minimal services exposed on your system and have those select services restricted to specific addresses you would want to make sure you keep those services updated with any security updates. And of course you have to have those services securely configured (use good passwords, etc, etc).

If you want to take it to the next level you might want to do intrusion detection using various tools like snort, tripwire, etc, etc. It all depends on how paranoid you want to be. I don't think you can be too paranoid but obviously to have a very secure system it can take a lot of work. Security is a process that is ongoing.

[worker201]

I guess my primary concern in security is to keep anyone who gets ftp access from gaining further access into my computer. I want to keep the ftp port open to share my data with colleagues and interested parties around the world, but I do not want anyone leaving the anonymous ftp area. Currently, that's set to /usr/local/ftp. So I don't want anyone to be able to login anonymously and somehow get root access, or even /usr/local access. I understand from the proftpd website that this can be done, but it takes a lot of hard work. Following 2600 mentality, I need to know how this would be done, so I can prevent it from happening.

ssh and sftp might be options for the future, but I have good reasons to want to allow anonymous ftp. So I'm thinking that other methods of securing proftpd and my computer as a whole are more worthwhile. I already use strong passwords. I am interested in learning a lot more about what else I can do to improve the security of an open ftp port.

[Void Main]

If you only want to share data with your colleagues around the world (download only, no upload that is) I actually prever using Apache for this (http rather than ftp). For example:

http://voidmain.is-a-geek.net/files/

Apache has had a great track record and since I also want to server web pages I like reducing the number of protocols to just one. I actually do also run FTP on the void site but mainly only for uploads. I also have switched to vsftpd where I used to run wu-ftpd and then proftpd. I haven't heard of vsftpd ever being exploited.

ftp://voidmain.is-a-geek.net/