ProFTPd + SSL Woes

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
21 posts • Page 1 of 1
Sakkath
Apprentice
Posts: 198
Joined: Sun Nov 06, 2005 4:13 am
Location: Pawtucket, RI

Post by Sakkath » Thu Sep 28, 2006 11:10 pm

When I log into my FTPd with SSL, I get this

Code:

ftp> ls
500 Illegal PORT command
ftp: bind: Address already in use
ftp>

It works fine without an SSL connection.
This is my proftpd.conf

Code:

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName          "ProFTPD Default Installation"
ServerType          standalone
DefaultServer       on
RequireValidShell   off
AuthPAM             off
AuthPAMConfig       ftp
SystemLog           /var/log/proftpd/proftpd.log

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            proftpd
Group                           proftpd

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

</Anonymous>

#SSL Setup

TLSEngine                       on
TLSLog                          /var/log/proftpd/tls.log
TLSProtocol                     SSLv23
# Do not ask the client for a certificate (the value is NoCertRequest)
TLSOptions                      NoCertRequest
TLSRSACertificateFile           /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile        /etc/ssl/certs/proftpd.key.pem
TLSVerifyClient                 off
# TLS is offered (AUTH TLS) but not required; cleartext logins still work
TLSRequired                     off

# MySQL setup

# Password type
SQLAuthTypes              Plaintext

# Authentication type
SQLAuthenticate           users

# Use only SQL when authenticating, and not the system's /etc/passwd
# If the user's information is not in SQL, they're not a user to use
# this server.

AuthOrder mod_sql.c

# DB connect info. Format: database_name@server_address database_username database_password
SQLConnectInfo           ftp@localhost ftp *****

# Default UID/GID. Change to suit needs.
SQLDefaultUID             65534
SQLDefaultGID             100

# Mininum UID/GID. Change to suit needs.
SQLMinUserUID            1000
SQLMinUserGID            100

# Database query. Format: ** defined below **
SQLUserInfo                ftp username passwd uid gid ftpdir homedir

# Jail users in ftpdir
DefaultRoot             ~

SQLLogFile                      /var/log/proftpd/mysql.log

# Fast logins
IdentLookups off
Last edited by Sakkath on Fri Oct 13, 2006 12:08 am, edited 2 times in total.
The person who makes no mistakes does not usually make anything.

Please add [SOLVED] to the subject of your original post when you feel that your problem is resolved.
Post by Sakkath » Fri Sep 29, 2006 8:36 pm

Bump.
Post by Sakkath » Sun Oct 01, 2006 7:33 pm

Bump.
Post by Sakkath » Mon Oct 02, 2006 9:08 pm

Bump.
Post by Sakkath » Tue Oct 03, 2006 11:05 pm

Come on, bump! :'( Nothing at all? :'(
Post by Sakkath » Wed Oct 04, 2006 9:09 pm

:cry:
xming
Guru
Posts: 441
Joined: Tue Jul 02, 2002 7:32 pm

Post by xming » Wed Oct 04, 2006 10:11 pm

Poor Sakkath.

This could be a firewall problem. Do you have 2 firewalls between client and server?
http://wojia.be
wellwhoopdedooo
n00b
Posts: 69
Joined: Fri Mar 04, 2005 6:06 pm

Post by wellwhoopdedooo » Wed Oct 04, 2006 10:52 pm

There's NAT or a firewall between you and the FTP server, correct?
Post by Sakkath » Thu Oct 05, 2006 2:38 am

Yeah, not the server-side, but yes, client-side.

Thank you so much for a reply!
Post by wellwhoopdedooo » Thu Oct 05, 2006 4:40 pm

Yeah, that's your issue. Because the FTP communication is encrypted, the FTP proxy that's (almost certainly) built into your firewall can't interpret the traffic. IPTables uses ftp_conntrack; you can turn that off but then your regular FTP won't work. If you're in active mode, when you open a data channel a connection is made back to your computer. The firewall sees the PORT command and translates it for the FTP server to your actual external IP, and forwards the port to your system. In passive mode, the firewall normally wouldn't be an issue, but some FTP proxies get confused if you're using explicit SSL.

My advice to you is, if you have to use SSL FTP, use implicit SSL. That will prevent your FTP proxy from getting in the way. You'll have to manage the holes for your data channels manually, or at least use passive mode, but it's a lot easier than explicit. Which isn't saying much.

To be honest, my suggestion is to set up SSH file transfers. Even configuring Apache to do WebDAV over HTTPS is way easier than FTP SSL (which also isn't saying much). I just spent the last two weeks setting this up at work, and it's a nightmare of fighting with firewalls and invisible, impossible to turn off FTP proxies. Even after getting the server set properly, the clients almost always need special setup. This will absolutely be more pain than it's worth for you.
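The mechanism wellwhoopdedooo describes (a NAT box's FTP helper reading the PORT command off the control channel and rewriting the private address, which stops working once the control channel is encrypted) can be modelled in a few lines. The following is an added example, not code from the thread or from ProFTPD or netfilter; the addresses are constructed documentation-range values, the "TLS record" is a constructed stand-in, and the server-side check is modelled on ProFTPD's documented refusal of a PORT address that does not match the control connection's peer when AllowForeignAddress is off (an assumption about the exact reply text). It also parses the 227 reply used in passive mode, since that is the path the thread recommends.

```python
import re
from typing import Optional, Tuple

# Constructed addresses for the walk-through (documentation ranges, not real hosts).
CLIENT_PRIVATE_IP = "192.168.1.10"   # the client's address behind NAT
CLIENT_PUBLIC_IP = "198.51.100.7"    # the NAT's outside address, which the server sees

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
PASV_RE = re.compile(r"^227\s.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed stand-in for one TLS application-data record (content type 0x17):
# what a helper on the path sees once AUTH TLS has succeeded.
TLS_RECORD_STANDIN = b"\x17\x03\x01\x00\x20" + bytes(range(0x80, 0xA0))


def _decode(groups) -> Optional[Tuple[str, int]]:
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (host, port); None if out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """(host, port) announced by an active-mode PORT command, or None."""
    m = PORT_RE.match(line)
    return _decode(m.groups()) if m else None


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """(host, port) from a 227 passive-mode reply, or None."""
    m = PASV_RE.match(line)
    return _decode(m.groups()) if m else None


def format_port(host: str, port: int) -> str:
    """Build the PORT command for host:port in h1,h2,h3,h4,p1,p2 form."""
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def nat_helper(wire: bytes, public_ip: str) -> bytes:
    """Model of an FTP ALG / conntrack-style helper on a NAT box.

    If it can read a PORT command on the control channel it rewrites the
    private address to the NAT's public address (a real helper also opens the
    pinhole for the incoming data connection).  Anything it cannot parse,
    including TLS records, is forwarded untouched.
    """
    try:
        text = wire.decode("ascii")
    except UnicodeDecodeError:
        return wire
    parsed = parse_port(text.rstrip("\r\n"))
    if parsed is None:
        return wire
    _, port = parsed
    return (format_port(public_ip, port) + "\r\n").encode("ascii")


def server_port_check(control_peer_ip: str, line: str, allow_foreign: bool = False) -> str:
    """Server-side PORT sanity check, modelled on ProFTPD with AllowForeignAddress
    off: the announced address must match the control connection's peer and the
    port must not be privileged.  Reply strings are illustrative assumptions."""
    parsed = parse_port(line)
    if parsed is None:
        return "501 Syntax error in parameters"
    host, port = parsed
    if port < 1024 or (host != control_peer_ip and not allow_foreign):
        return "500 Illegal PORT command"
    return "200 PORT command successful"


def simulate_active_open(control_encrypted: bool) -> str:
    """A NATted client announces its private address in PORT; pass the control
    channel through the helper and the server check, with or without TLS."""
    cmd = format_port(CLIENT_PRIVATE_IP, 50000) + "\r\n"
    if control_encrypted:
        forwarded = nat_helper(TLS_RECORD_STANDIN, CLIENT_PUBLIC_IP)
        assert forwarded == TLS_RECORD_STANDIN   # helper had nothing it could rewrite
        seen_by_server = cmd                     # the server decrypts the untouched command
    else:
        forwarded = nat_helper(cmd.encode("ascii"), CLIENT_PUBLIC_IP)
        seen_by_server = forwarded.decode("ascii")
    return server_port_check(CLIENT_PUBLIC_IP, seen_by_server.rstrip("\r\n"))


if __name__ == "__main__":
    print("cleartext control channel:", simulate_active_open(False))
    print("TLS control channel:      ", simulate_active_open(True))
```

With a cleartext control channel the helper rewrites `192,168,1,10` to the public address and the server accepts the PORT; with TLS the server receives the private address unchanged and answers `500 Illegal PORT command`, which is the symptom in the first post. Passive mode sidesteps this only if the client side has a single firewall that permits the outbound data connection, as xming notes later in the thread.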
Post by Sakkath » Thu Oct 05, 2006 7:22 pm

So, even if the client doesn't have NAT? The server doesn't have iptables running at the moment, nor is it behind NAT.

So what is "implicit" SSL? _Only_ allow SSL connections?

To be honest, WebDav sounds like a good idea, but I don't even know how to configure Apache with SSL.

SFTP isn't a solution since all these users are virtual in ProFTPd.
Post by xming » Thu Oct 05, 2006 10:32 pm

If there is only ONE FW at the client side, then you should be able to connect with passive FTP. Force that in your client.

If there are 2 FW, then you are out of luck.

NAT does not play a great deal here.
Post by wellwhoopdedooo » Thu Oct 05, 2006 10:49 pm

Implicit SSL is where you just wrap the whole FTP conversation in SSL. Your FTP server is, or could potentially be, unaware that SSL is even involved. With explicit SSL, the AUTH TLS command is sent at the beginning, and any part of the conversation after authentication could or could not be encrypted, you have to check your options and defaults carefully on both the client and server.

If the client isn't behind NAT it gets a lot easier, but you're still not out of the woods. Your firewall could be interfering still. If you're using IPTables the best way around it is to run your FTP server on a port other than 21, or failing that, disable conntrack_ftp.

I'm going to recommend the WebDAV. Not only are you having this problem, but 95% of the people that try to connect to your FTP server will have it too. Linux has plenty of WebDAV clients, Windows has a built-in WebDAV client, and you'll find tons of info on setting up SSL Apache, and mod_dav. You'll hit a brick wall troubleshooting this unless you can interpret packet captures, know the FTP protocol inside and out, and maybe do a little C coding. At that point you'll still run into troubles with client firewalls neither of you control.
Post by Sakkath » Fri Oct 06, 2006 7:36 pm

I guess I'd better use WebDAV then ^.^. If I encounter any issues, can I count on you to help me?

So, with implicit SSL, there can't be any normal, non-ssl connections?
Post by wellwhoopdedooo » Fri Oct 06, 2006 9:55 pm

I'll lend a hand, and I've set it up a few times, but I'm not promising anything.

First thing you want to do is follow this guide: http://gentoo-wiki.com/HOWTO_WebDav

Actually, if all goes well that's all you need to do for a basic setup. Get it working according to the guide first, customize from there.
Post by xming » Sat Oct 07, 2006 8:26 am

Sakkath wrote: So, with implicit SSL, there can't be any normal, non-ssl connections?
no, it's IMPLICIT.
Post by Sakkath » Sat Oct 07, 2006 8:41 pm

xming wrote:
Sakkath wrote: So, with implicit SSL, there can't be any normal, non-ssl connections?
no, it's IMPLICIT.
Dude, if I knew what that was I wouldn't be questioning you ^.^
Post by Sakkath » Fri Oct 13, 2006 12:08 am

So what about TLS? Same situation? And as far as implicit and explicit go, they are both a "no-go" basically?
Post by Sakkath » Sat Oct 14, 2006 1:21 pm

Bump.
Post by xming » Sun Oct 15, 2006 9:36 am

Implicit means that the connection has to use TLS; with explicit, it means that the server supports TLS but it does not have to use TLS. So explicit will work when it's not using TLS.

FTP + SSL/TLS with 2 FW (or NAT) will just bring your FW back to early '90s ACLs; you will lose all the security if you just want to use the TLS.

So either use a separate account or use something else.
Post by Sakkath » Sun Oct 15, 2006 3:26 pm

I'll just keep it normal then ^.^.
All times are UTC

© 2001–2026 Gentoo Foundation, Inc.