ProFTPd problem 1

Status
Not open for further replies.

Donboy

IS-IT--Management
Aug 20, 2002
73
US
Ok, I have read countless posts about this subject on several different websites, and I have also read the documentation on this too, but to no avail.

Here are my problems:

First, I want to eliminate anonymous logins and have the users log in with specific usernames/passwords. The documentation is pretty vague about this, saying that I only need to remove the <anonymous> statements from the config file. I have done this, but unfortunately I can still log in anonymously and see the "pub" directory.

Second, I want to jail my users to their home directories. The documentation and many other forums have said that I only need to include the DefaultRoot ~ parameter to the config file, but that's not working either.

My users are all part of the "MyUsers" group. Their home directories are all chmod 755 and each of their directories are part of the "MyUsers" group. (Don't know if this helps, but I've found that ownership and permissions play a bigger role in ProFTPd than I had originally thought.)

Here is my config file. Any help and/or advice here would be good. Commented lines removed for clarity.

ServerName "FTP Server"
ServerType standalone
DefaultServer on
RequireValidShell off
TimeoutStalled 1000
Port 21
Umask 022
MaxInstances 30
User nobody
Group nobody
<Directory /*>
AllowOverwrite on
</Directory>
DefaultRoot ~
DirFakeUser on ~
DirFakeGroup on ~
DefaultChdir ~/home
 
Did you remember to restart the proftpd daemon after making changes to the proftpd.conf file? Try the below config and see if it works. Set 770 permissions on the /var/ftp directory and change the ownership to Create a new user and place the user in the Create a group called "ftpusers" and place that user account in that group as well. Let me know if it works.




ServerName "My FTP Server"
ServerType standalone
ServerAdmin root@foo.org
DefaultServer on
DefaultRoot /var/ftp
DefaultChdir /var/ftp
Port 21
Umask 007
MaxInstances 15
User
Group
UseReverseDNS off

<Directory />
AllowOverwrite on

<Limit WRITE>
DenyGroup !ftpadmins
</Limit>

<Limit READ>
DenyGroup !ftpusers,!ftpadmins
</Limit>

</Directory>





About your config...

"DefaultChdir ~/home", should be just "DefaultChdir ~".

"<Directory /*>" should be just "<Directory />"

Put the last 4 lines in your config above any <Directory> directives.



ChrisP
 
Ok, I made 2 groups: and ftpusers. I also had to create a user called " so that I could change the ownership for /ftp/var to Your instructions were a little fuzzy here, so I'm not 100% sure if that's what you're saying I should have done. Please correct me if I was wrong.

So like I said, I changed the directory /var/ftp to be owned by and be in the I also made its permissions 770.

After this, I went to my /home directory and made each of the 3 user directories members of The ownership of these folders was left the same - they are owned by the user's name. Is that what I should have done?

I also made each of my 3 users members of the group: and ftpusers.

I'm not really sure why you wanted me to make the group and change all of the users to that group, since I already had a group made called MyUsers which could have served this purpose since all of my users were already members of this group, right?

Anyway, after doing all of this, I restarted the FTP server. Then, I tried logging in anonymously. My FTP client said that Anonymous logins were Ok and to use email address as password. Then it said Unable to set anonymous privileges, and Login incorrect.

This serves the purpose since it disallows anonymous logins, but it doesn't seem very elegant because my FTP client kept retrying over and over to reconnect until the max number of retries had been reached.

Is there some way to make it display some kind of rejection message instead of continuing to retry over and over?

Now, when I tried logging in as an authentic user, it doesn't do anything differently. I'm still able to login and it starts by showing me the user's home directory. And going up one level you can see the other home directories (which is actually what I ultimately want, but should not be possible at this point) and I'm also able to chdir up to the top level directory and see the whole server.

PS: I'm using Webmin to handle the creation of users and groups. I'm not a command line junky, so if there are better ways I should be making users and groups, please let me know what commands and arguments I should be using at the command prompt if that's what you'd prefer I use. I also changed the folder group and permissions using the GUI where I right-clicked on the folder and chose properties to alter this stuff.

Sorry for making my reply so verbose, but I wanted to make sure you can see everything I'm doing so you can point out anything I might have been doing wrong.
 
Also, here is my revised config file.

ServerName "FTP Server"
ServerType standalone
ServerAdmin webmaster@roleplayinggames.net
DefaultServer on
DefaultRoot /var/ftp
DefaultChdir /var/ftp
RequireValidShell off
TimeoutStalled 300
TimeoutNoTransfer 1000
UseReverseDNS off
Port 21
Umask 007
MaxInstances 15
User
Group
<Directory />
AllowOverwrite on
<Limit WRITE>
DenyGroup !ftpadmins
</Limit>
<Limit READ>
DenyGroup !ftpusers, !ftpadmins
</Limit>
</Directory>
 
If you really are using the config that you posted above, you should not be able to access any users home directory. Everybody should be locked (jailed) into /var/ftp. Check that caching is turned off on your FTP client. How are you restarting the proftpd daemon? Are the permissions on /var/ftp set to 770 with the user and group owning the directory?

My config above is just a test to see if you can get it working like that, before we set it up exactly how you want it with everybody logging into their homedirs.

ChrisP
 
Yeah, that's my config file, only the commented lines were removed for clarity. I'll repost it again *exactly* with no changes made whatsoever (see below).

I don't know if caching is turned off in the FTP client, but sometimes if things don't appear exactly as they should, I can refresh and see what it really looks like. I'm using FlashFXP 2.0. I also just tried it from another machine to be sure and it still does the same thing. My users are being taken to their home directories and they can keep going up one level to the top of the file structure.

To restart the FTP daemon, I'm using Webmin's interface. I go into the ProFTPd icon in Webmin and there's a button I can click on to restart the service. I know this works because whenever I make changes, I can see the changes have been applied after clicking the button. But if you want me to be sure, please let me know what I should be keying in at the command line to restart it. Like I said, I'm not so good with command line stuff. I'm a new user to Linux.

I just double-checked and my permissions on /var/ftp are 770. At this moment, I'm unable to verify the ownership and group name for /var/ftp, but I'm pretty sure it's correct. I did everything as you specified.

Maybe I just need to delete these old users and start over from scratch. Or maybe I should think about a different FTP system other than ProFTPd. Are there better ones out there?

Here's my config file with all the trimmings.

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "FTP Server"
ServerType standalone
ServerAdmin webmaster@roleplayinggames.net
DefaultServer on
DefaultRoot /var/ftp
DefaultChdir /var/ftp
RequireValidShell off
TimeoutStalled 300
TimeoutNoTransfer 1000
UseReverseDNS off

# Port 21 is the standard FTP port.

Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.

Umask 007

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)

MaxInstances 15

# Set the user and group that the server normally runs at.
User
Group
# Normally, we want files to be overwriteable.

<Directory />
AllowOverwrite on
<Limit WRITE>
DenyGroup !ftpadmins
</Limit>
<Limit READ>
DenyGroup !ftpusers, !ftpadmins
</Limit>
</Directory>
 
How did you install ProFTPd (RPM or source)? I would highly recommend installing from source. Is it possible that you have more than one instance of proftpd on your system or maybe you're editing the wrong config file?

To restart the daemon from the command line, try something like this...

kill `pidof /usr/local/proftpd/sbin/proftpd`
/usr/local/proftpd/bin/proftpd


ChrisP
 
I didn't install it. ProFTPd was already loaded when I installed Red Hat 9.1 out of the box. I just looked and it turns out I'm running 1.2.2 of ProFTPd. Do you think all these problems have to do with running an older version? I just looked and they have 1.2.8 out. I wouldn't think it would matter, but you never know.

I tried entering the stuff you said at the command line, and it didn't work. I did a locate on proftpd and it looks like most everything is under /usr/local/var.
 
If I were you, I would reinstall from source using the latest version. Download the newest 1.2.8 tar.gz file and do this...

# Stop the ProFTPd daemon and then completely uninstall the ProFTPd RPM
rpm -e proftpd

# Download the newest version from and install
tar -xzf proftpd-1.2.8.tar.gz -C /usr/local/src
cd /usr/local/src/proftpd-1.2.8
./configure --prefix=/usr/local/proftpd
make && make install

# Backup the original config file
cp /usr/local/proftpd/etc/proftpd.conf /usr/local/proftpd/etc/proftpd.conf.orig

# Delete everything in the proftpd.conf file and replace it with my config posted above.

mkdir /var/ftp
chown /var/ftp -R
chmod 770 /var/ftp -R

useradd testuser
passwd testuser
gpasswd -a testuser
# Start the ProFTPd daemon
/usr/local/proftpd/sbin/proftpd


Log in using an FTP client. You should be locked into /var/ftp.



ChrisP
 
damn, I posted the above using the wrong username (forgot to log off).

ChrisP
 
Uhhh, got a problem on the first step, boss. I did a rpm -e proftpd and it says "Error, package proftpd not installed". That's really odd because I've gotten pretty far with this for the package not to have been installed.

What should I do now?
 
Check the RPM database to see if it was installed from an RPM package...

rpm -qa | grep -i ftp

If you find it, uninstall it with the -e switch. You probably just have the wrong package name. Maybe it's ProFTPd, instead of proftpd.

ChrisP
 
The list returned about 8 items and none of them had anything to say about ProFTPd. The kind of stuff I got was tftp, tftp server, lftp, vsftpd, ftpcopy, and a couple of others. All of them had version numbers after each.
 
Is it possible it was installed from source, rather than RPM? What OS and version are you using again?

updatedb && locate proftpd


ChrisP
 
Regardless of how ProFTPd is installed right now, follow my directions a few posts up about installing 1.2.8 from source into /usr/local/proftpd. You can have multiple instances of ProFTPd running on the same system, as long as they aren't trying to bind to the same port, so make sure you stop the old version before installing the new one.

I still need to know the answer to the last post about the OS/version and where your current proftpd installation is located.

ChrisP
 
Ok, I did a locate on proftpd and from what I can tell, it's installed at /usr/local/var/proftpd/ because there's a whole bunch of stuff in there. It looks like my config files are located under /etc/proftpd/.

I did a ps -ef at the command line and it showed me the process running and the PID numbers. I did a kill on the PID number and did a ps -ef again and it seemed like the process was successfully killed. I hope that was right.

I'm running Red Hat 9.1.

I don't have enough time at the moment to finish your instructions, so I'm going to have to resume this later (in a few hours) but I figured I'd take this opportunity to let you know where I was and see if this was right.
 
Red Hat 9.1?? They're only up to 9.0.

Run "rpm -qf /usr/local/var/proftpd/somefile" to see which package those files were installed from. Then you can do a "rpm -e package_name" to uninstall.

ChrisP
 
Hmmm, you may be right about that. I just bought the boxed set from a retail store, and when I was installing I could almost *swear* I saw it say 9.1. But I'll defer to your better judgment.

I did what you said, but it says it was not installed from any package. Man, this is weird.

Another question: Assuming this wasn't installed from an RPM, how do I go about uninstalling it in that case? What's the "right" way to go about removing unwanted programs like this? I figured I would just go ahead and install the new one and remove the original one later.

Also, I was poking around the web (before I opened this thread) and I found a command line statement that I entered that would start this up when the machine boots. The command was echo '/usr/local/sbin/proftpd -c /etc/proftpd/proftpd.conf' >> /etc/rc.d/rc.local

How do I go about removing this so the wrong one doesn't try starting up on boot? Or better yet, how can I change this so the right version will start on boot?

Looking in that folder, I found a file under /usr/local/sbin/ It was simply "proftpd" and was about 225kb and looks to be a binary file.
 
The echo command you mentioned above adds everything before the >> to the end of the /etc/rc.d/rc.local file. Edit the rc.local file and remove the line at the end that starts ProFTPd.

If ProFTPd wasn't installed from an RPM, then it's hard to give you an answer on how to uninstall it since I don't know what was done. For now, just stop the daemon and leave it as is. Follow the instructions above and get the new version up and running. Rename the proftpd binary inside of /usr/local/sbin to something like proftpd.old.

Do you definitely have a version of Red Hat installed? Does anybody else have access to the box besides you?

ChrisP
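
An added example, not code from the thread or from the ProFTPD project: because the posts above raise the possibility that the running daemon reads a different file from the one being edited, this resolves the config path from a daemon command line and checks a config's text for `<Anonymous>` sections and a server-level `DefaultRoot`. The function names and the `STALE` sample are constructed here, and `/usr/local/proftpd/etc/proftpd.conf` as the built-in default assumes the `--prefix=/usr/local/proftpd` build described in the thread.

```python
import re
import shlex

SECTION = re.compile(r"<(/?)(\w+)([^>]*)>")

def loaded_config(cmdline, compiled_default):
    """Config a proftpd process reads: its -c/--config argument, else the built-in path."""
    argv = shlex.split(cmdline)
    for flag, value in zip(argv, argv[1:]):
        if flag in ("-c", "--config"):
            return value
    return compiled_default

def audit(conf_text):
    """Findings for the thread's two goals: no anonymous login, users jailed."""
    stack, roots, findings = [], [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.fullmatch(line)
        if m and m.group(1):        # closing tag such as </Directory>
            if stack:
                stack.pop()
        elif m:                     # opening tag such as <Anonymous ~ftp>
            stack.append(m.group(2).lower())
            if stack[-1] == "anonymous":
                findings.append(f"line {lineno}: {line} enables anonymous login")
        elif line.split()[0].lower() == "defaultroot":
            if any(s in ("directory", "anonymous", "limit") for s in stack):
                findings.append(f"line {lineno}: DefaultRoot inside <{stack[-1]}> is outside its allowed context")
            else:
                roots.append(lineno)
    if not roots:
        findings.append("no server-level DefaultRoot: sessions are not jailed")
    return findings

# Excerpt of the config first posted in the thread.
POSTED = 'ServerType standalone\n<Directory /*>\nAllowOverwrite on\n</Directory>\nDefaultRoot ~\n'
# Constructed sample: a config that still carries an <Anonymous> section.
STALE = 'ServerType standalone\n<Anonymous ~ftp>\nUser ftp\n<Limit WRITE>\nDenyAll\n</Limit>\n</Anonymous>\n'

if __name__ == "__main__":
    print(loaded_config("/usr/local/sbin/proftpd -c /etc/proftpd/proftpd.conf",
                        "/usr/local/proftpd/etc/proftpd.conf"))
    for name, text in (("POSTED", POSTED), ("STALE", STALE)):
        print(name, audit(text) or "ok")
```

When the file being edited audits clean but anonymous logins still succeed, compare its path with what `loaded_config` returns for the daemon's actual command line.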
 