LinuxQuestions.org
Linux - Security
Old 12-08-2004, 01:30 AM   #1
Xolo
ProFTPd & SSHd, opening up to the Internet while maintaining security


Good day,



I have a Mandrake 9.0 server running ProFTPd and SSHd.
I want both servers to be accessible from the Internet, while maintaining a decent security
level for non-critical data.
The box itself is running at the paranoid level, so everything is sealed off (more or less?).
I have opened ports 21 and 22 for FTP and SSH respectively in the firewall.

Problems I ran into are:

ProFTPd runs, has a separate disk for /var/ftp and can serve files from there with the separate
username/password I created for that purpose. Anonymous access was left unconfigured.
What doesn't seem to work with this setup is:
From the outside (office, or other locations across the globe), using an FTP client program to
access ProFTPd. However, accessing the server through a web browser using the address
ftp://user:password@server.net seems to work just fine.
From the inside, either a browser or a client program works just fine.
Question: How do I enable both FTP client logins and browser logins from the outside?

SSHd runs, mostly with default settings. A few select users are granted access to SSH.
What doesn't seem to work with this setup is:
SSHd doesn't seem to allow connections; instead, when you try to ssh into the machine
you get hung up for a second or two, and get disconnected. The port is open, and the
service is running, so I assume this has to do with a security setting somewhere, but I
have been unable to pinpoint which setting exactly should be changed.
Connecting fails regardless of trying to connect from the inside or the outside of the box.
Question: How do I get SSHd to accept connections? Are there certificates/keys I need
to set up, and if yes, how? When using certificates/keys, how do I utilise these when using
a client program such as PuTTY or the command line ssh client?


Thanks in advance and have a nice day.
 
Old 12-08-2004, 09:58 AM   #2
monroetech
OK, let me try and break this down.

First - You are behind a router, correct?
If this is so, you have to toggle the option in your FTP client for "PASV". I forget which one works exactly....
Toggle that on - try to login - if it doesn't work, toggle it off and try again..... It has to do with your client sending commands like cd etc. on a different port than 21. It's been so long since I ran into this problem I forget.

As far as your SSH problem....
Take a look at your sshd_config file - usually in /etc/ssh/

You should have a section at the bottom that looks like this:

AllowGroups users
IgnoreRhosts yes
IgnoreUserKnownHosts no
PrintMotd no
StrictModes yes
RSAAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers user1 user2 user3
GatewayPorts no
AllowTcpForwarding yes
KeepAlive no
Protocol 2
UsePrivilegeSeparation yes

Change where it says user1 ... etc... to the actual user names of the persons you wish to have access to ssh on your system.

Also, if you look at the second to last line - it says Protocol 2 - I would only use this as it is the most secure way. By default it says Protocol 1,2.

Hope this helps some......
 
Old 12-09-2004, 01:55 PM   #3
Xolo
Thank you for your reply.
I'll try to check that (and modify appropriately if it isn't present yet) when I have a spare moment.
 
Old 12-11-2004, 04:31 PM   #4
Xolo
I forgot to answer some other things as well so here they are.

Yes, I am behind a router. Currently I've disabled port forwarding to my server while I'm altering settings.
The rules I created for port forwarding are for TCP traffic on ports 21 and 22.
From my office I've been using SmartFTP to get into my server, and I've found that the default setting
for this client was to use passive FTP, and it doesn't connect like that, so I'll try turning that off, and I'll
tell my users to try turning passive FTP off as well.

Now for SSHd, I've dug out the sshd_config file. Here are the contents (edited for user privacy):

Code:
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 1,2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication no
RhostsAuthentication no
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
RSAAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
ReverseMappingCheck no
GatewayPorts no
AllowTcpForwarding yes
LoginGraceTime 120
KeepAlive yes
DenyGroups adm apache bin ctools user5 ftp games gdm lp machines mail mysql named news nogroup postdrop postfix postgres root rpm sshd
AllowGroups user1 user2 user3 user4
AllowUsers user1 user2 user3 user4
KeyRegenerationInterval 1800

I didn't change anything further in this file yet; I'll take note of your advice to only permit protocol 2 and
change it later when I manage to get the logins working.

Thanks for your time
 