LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 06-15-2009, 09:54 PM   #1
CCTVGuru
LQ Newbie
 
Registered: Jun 2009
Posts: 13

Rep: Reputation: 1
ProFTPD in Slackware - Virtual Server FTP User Authorisation


Hello Everyone,

I am a in Linux and spent about 2 weeks in searching in forums and Google for help regarding the following situation:


We have just launched a Slackware 12 based server (2 Ethernet cards)

It is registered as DNS and Mail server, those operations are fine.
There is a ProFTPD server features installed as well, and 3 virtual domains registered (using the web interface - I am not so good in using direct typing by PuTTY screen until I get good with the commands..(But if I have to, I will do it that way, of course)..

The immediate problem I am facing is: By using Core FTP program (from Vista PC) I am trying to upload web page contents to a pre-arranged folders in:
/usr/local/apache2/htdocs/(domain1.com)

by using ftp.domain1.com and user name / pass with admin rights; (I have tried with "ftp" user as well - same result!)
COnnection session gives me error:

(11004-100)
The requested name is valid, but no data of the requested type was found.

I have checked a few times about the reasons for this error, suggestion were wrong syntax of character in the command line.

May I have some specific tuitorial link about the whole process of operating the ProFTPD server, and more specifically about:

Typical Files/Contents of Files for User Assignment (User/Pass);

(Copy of the relevant /etc/passwd line - this user logs are OK:


Quote:
netadmin:x:2000:100:Network Administrator 02000,,011 312 0236,,083 630 9491:/home/netadmin:/bin/bash

My FTP User (gives me same error 11004-100) listing in the same file is:

Quote:
ftp:x:14:50::/home/ftp:/bin/false


The current content of my proftpd.conf file (I DID NOT MANUALLY AMENDED IT'S CONTENTS SINCE REGISTERING FTP.DOMAIN1.COM AND DOMAIN2.COM THROUGH THE WEB INTERFACE) in /usr/local/etc/proftpd.conf is:

Quote:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

# Don't use IPv6 support by default.
UseIPv6 off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
User nobody
Group nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
User ftp
Group ftp

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message

# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>

Tips about assigning Virtual Domains (we are intending to run multiple domains on the same server) and Different Users (per domain)

I think this will be at least the basic to start using the server and uploading web site content.

Most of my searches were resultig in the setting up of the server, most of the posts were around Anonymous FTP USer arrangements, but I have not noticed any specific references towards the files directly related to User / Access administration related to FTP

What do I miss here? Please help, Thank you in advance. AT least the typicall files where I can check and edit / uncomment the lines related to this problem.

I have an intuitive feeling that problem is related to SITE CHMOD setting options but not sure..


Apologies about the long and probably confusing explanations around my question, but my intentions were to be more specific in describing the problem I am facing at the moment.

Thank you in Advance!
 
Old 06-15-2009, 10:45 PM   #2
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 407

Rep: Reputation: 42
Verify thest things first.

Configure FTP Server, proftpd:
cd /etc
Edit proftpd.conf near the top of the file. It should look like this:
#ServerType standalone
ServerType inetd
This causes the inetd Daemon to listen and start proftpd as needed.
Next, edit inetd.conf. Look for the line:
# These are standard services:
Below you will see this ftp line. Uncomment it so it look like this
and proftp will be started/controlled by inetd.
# Professional File Transfer Protocol (FTP) server.
ftp stream tcp nowait root /usr/sbin/tcpd proftpd
Now add it's log files to the logrotate script:
su -
cd /etc/logrotate.d
vi syslog and add:
/var/log/proftpd.log to the list

Most of these things are already properly configured on Slackware. That wasn't always the case. Just check and make sure, you may not have to do anything.

I'm going to guess your problem is this:
Quote:
ftp:x:14:50::/home/ftp:/bin/false
You can't log in when the login shell is /bin/false. It needs to be a valid shell like /bin/bash or whatever you like to use.

/bin/false is a fairly new configuration setting in Slackware. It's an extra security measure to prevent logins to accounts you haven't configured properly. When you want to enable these things you have to change the shell to something valid.

Post back if you have any more issues. I'll try to check back and make sure we get it working for you.
 
Old 06-16-2009, 12:06 AM   #3
CCTVGuru
LQ Newbie
 
Registered: Jun 2009
Posts: 13

Original Poster
Rep: Reputation: 1
Thanks a Lot, meetscott,

I have amended cd /etc/logrotate.d
to:
Quote:
/var/log/cron /var/log/debug /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler /var/log/syslog /var/log/proftpd.log {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
endscript
}
and also amended to

ftp:x:14:50::/home/ftp:/bin/bash

and will keep trying further.
Later on I will try to sort out my directories etc. and specify each user with specific access area.

Your help was great bearing in mind I am not totally confident within the entire spectrum of what I am doing here...

But looks like with help like this I can get further!

Much Appreciated!

CCTVGuru
 
Old 06-16-2009, 12:13 AM   #4
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 310

Rep: Reputation: 59
Quote:
You can't log in when the login shell is /bin/false. It needs to be a valid shell like /bin/bash or whatever you like to use
Nope, actually you don't need a valid shell to login

I think you're missing these two lines in <anonymous></anonymous>
Code:
AnonRequirePassword	off
RequireValidShell	off
Quote:
/bin/false is a fairly new configuration setting in Slackware.
I'm not quite sure what did you mean by that
 
Old 06-16-2009, 09:37 AM   #5
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 407

Rep: Reputation: 42
Quote:
Originally Posted by Nikosis View Post
Nope, actually you don't need a valid shell to login

I think you're missing these two lines in <anonymous></anonymous>
Code:
AnonRequirePassword	off
RequireValidShell	off

I'm not quite sure what did you mean by that
Correct, you don't need a valid login shell to use ftp. But, he mentioned he was trying to use the ftp user. So to login as that user, you need a login shell. But to clarify, he doesn't need a valid login shell to login into the ftp prompt, only the shell prompt. It was late, and I wasn't thinking clearly.

Second, and I think it was Slackware 12.2, most of the system users, like apache, ftp, and many others, had /etc/passwd amended to include /bin/false for logins. Prior, this wasn't added. If I'm remembering right, the accounts were only disabled before. /bin/false was an added layer of protection.

One last thing... why not use sftp or scp to transfer the files? FTP isn't necessary, although the transfer is little faster because the encryption overhead isn't there. Just a thought, but running an FTP server is a little less secure.

Remember to check your logs because you will invariably get Dictionary attacks on your FTP server. You'll get them on your ssh server too, but having only one service to attack is generally better than two. Strong passwords are a must! Easy ones get guessed. These are the logs to check:
/var/log/messages
/var/log/secure/
/var/log/proftpd.log (as you configured in logrotate)

You also may consider a firewall to help with this if the Dictionary attacks get to be a problem. Here's an example of one I wrote with the help of Martin Wolf on his blog:
http://mwolf.net/archive/iptables-against-ssh/

Sorry for the confusion on /bin/false earlier. Nikosis, thanks for the correction.
 
Old 06-16-2009, 01:50 PM   #6
CCTVGuru
LQ Newbie
 
Registered: Jun 2009
Posts: 13

Original Poster
Rep: Reputation: 1
Hello meetscott and Nikosis,

Thank you for the discussion arising around my situation; What I ahve done in eantime, is:


Amended passwd file content to:

Quote:
ftp:x:14:50::/home/ftp:/bin/false
After checking the suggested:

/var/log/messages content is with plenty attempts to breakin (constant attacks; Failed password attempts etc. - suggetsts that I have to go fora stronger level passwords or special firewall as siggested in meetscott's post.

/var/log/secure reflects I think quite correctly all logging history for users (all of them are authorized users)


Recent contents of proftpd.log is:

Quote:
Jun 16 18:46:47 vmn proftpd[3287]: warning: the DisplayFirstChdir directive is deprecated and will be removed in a future release. Please use the DisplayChdir directive.
Jun 16 18:46:47 vmn proftpd[3287]: Fatal: <Directory>: relative path not allowed in non-<Anonymous> sections on line 76 of '/etc/proftpd.conf'

Results with attempts to log in - CORE FTP Program:

Anyway, I have tried to kog in as an ftp user and I has the same problematic results:


When I use the logging as a Hostname/IP/Server name: ftp.domain1.com, I am receiving


Quote:
Resolving ftp.domain1.com...
Can't establish connection --> ftp.domain1.com:21 @ Tue Jun 16 19:47:46 2009 (11004-100)
The requested name is valid, but no data of the requested type was found.

When I use only the public IP address, or domain1.com (without ftp. !) - I am receiving the failure message:

Quote:
Resolving domain1.com...
Connect socket #1064 to 123.456.789.012, port 21...
Can't establish connection --> domain1.com:21 @ Tue Jun 16 18:47:24 2009 (0-38)
I hear clearly the recommendations of meetscott to consider higher security options as an alternative to the traditional FTP, and I will try to learn about them as I go along.
In the recent past I was using (really as an User!) the Core FTP program to upload web site contents and it was fine for me.



The bottom line now is: Anonymous users ARE NOT a must at this stage, only assigned users will be allowed to upload web page contents to the folders assigned / allowed for them.
Sometimes later we can consider allowing anonymous FTP user access, but definitely not rigt now.

I am using the much easier Webmin web interface and if any straightforward tuitorials are available - I would attend to them if recommended.

Another clarification: I am not working on the server directly - I am logging into it remotely via secure wireless link; I think the server type definitely IS inetd I guess in this situation.


Anyway, I highly appreciate the input of both of you, and hope to resolve the situation I am stuck in at the moment...



Kindest Regards,

CCTVGuru
 
Old 06-16-2009, 02:01 PM   #7
CCTVGuru
LQ Newbie
 
Registered: Jun 2009
Posts: 13

Original Poster
Rep: Reputation: 1
... Just to confirm the content of proftpd.conf file as I am going to amend it:

Quote:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

# Don't use IPv6 support by default.
UseIPv6 off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
User nobody
Group nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
# DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.


# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message

AnonRequirePassword off
RequireValidShell off

# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>

Hope it is correct, I will keep trying.
 
Old 06-17-2009, 09:36 AM   #8
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 407

Rep: Reputation: 42
Quote:
ServerType standalone
should be changed to
Quote:
ServerType inetd
.

I think that should get you up and running. I don't use stand alone, but it should have to be running all the time if you do. With the inetd configuration change I'm suggesting, you probably won't see ftp processes running using
Quote:
ps aux | grep ftp
unless you are actually using it because inetd will start it as needed.
 
Old 06-22-2009, 01:50 AM   #9
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 407

Rep: Reputation: 42
CCTVGuru, I'm interested to know if you ever got this working. Please let us know if this is resolved! I hate to see the thread left hanging if there's something else that's possibly been missed. You are not the only one who may have had issues with this ;-)
 
Old 06-22-2009, 11:45 PM   #10
CCTVGuru
LQ Newbie
 
Registered: Jun 2009
Posts: 13

Original Poster
Rep: Reputation: 1
Thank you for following up and your concern, meetscott!

This FTP ... ....

I still could NOT come right unfortunately and trying small silly things like experimenting with port forwarding and trying to read around for the recommended best content for proftpd.conf;

If you have any working file content please post it here and I'll try edit it !

Port forwarding was an idea to try hard, because as I said the server is sitting 2 hops away from me (over wireless link).

Now I am having another frustrating situation here: Mail services are not right! Sendmail announces:

Quote:
Failed to start sendmail :
sh: /etc/rc.d/rc.sendmail: Permission denied
The content of the file is:

Quote:
#!/bin/sh
# Start/stop/restart sendmail.

# Start sendmail:
sendmail_start() {
if [ -x /usr/sbin/sendmail ]; then
echo "Starting sendmail MTA daemon: /usr/sbin/sendmail -L sm-mta -bd -q25m"
/usr/sbin/sendmail -L sm-mta -bd -q25m
echo "Starting sendmail MSP queue runner: /usr/sbin/sendmail -L sm-msp-queue -Ac -q25m"
/usr/sbin/sendmail -L sm-msp-queue -Ac -q25m
fi
}

# Stop sendmail:
sendmail_stop() {
killall sendmail
}

# Restart sendmail:
sendmail_restart() {
sendmail_stop
sleep 1
sendmail_start
}

case "$1" in
'start')
sendmail_start
;;
'stop')
sendmail_stop
;;
'restart')
sendmail_restart
;;
*)
echo "usage $0 start|stop|restart"
esac

I am not sure, but just to ask: Isn't necessary for listing some user details in this content? Why does it then reject me even as an admin user logged in???

Quite frustrating situation over here... Someone suggested move away from Slackware and go to Centos. So much done so far with this server and abandoning it is not a pleasure... Please give some comments if you can, Much Appreciated!!


I'll continue the battle and as soon as it comes right, will announce by post. Any recommendations are most welcome here, in meantime.

Hope NOT Lost!

Cheers!
 
Old 06-26-2009, 02:07 PM   #11
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 407

Rep: Reputation: 42
I'm pasting the contents of my working proftpd.conf file from the /etc directory. There are almost no customizations in it. It's close to the default shipped in Slackware. I use ftp on my lan all the time because it's faster than ssh. I use ssh outside my lan or for things I don't care about getting sniffed, I'll still use ftp.

I'll get back to you on the sendmail configuration. I use that on multiple servers as well. Sendmail is not easy and I was going to point you to http://shilo.is-a-geek.com/slack/ but I guess that's down now. I have some notes about Slackware and setting up email either with an ISP available or with MX records. Are you at home through an ISP? Let me know so I can supply the proper information and specific instructions.

Keep in mind... in my opinion, there is nothing more difficult to set up in Linux than sendmail. That's just been my experience and opinion. But the steps are pretty simple once they are laid out for you. Sendmail's configuration difficulty is the reason why so many people are using things like qmail or postfix. I still use Sendmail and the reference I have on it is over a 1000 pages!

Quote:
# This is a basic ProFTPD configuration file.
# It establishes a single server and a single anonymous login.
# It assumes that you have a user/group "nobody" and "ftp"
# for normal/anonymous operation.

ServerName "ProFTPD Default Installation"
#ServerType standalone
ServerType inetd
DefaultServer on

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# This next option is required for NIS or NIS+ to work properly:
#PersistentPasswd off

SystemLog /var/log/proftpd.log
TransferLog /var/log/xferlog

# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>

# A basic anonymous FTP server configuration.
# To enable this, remove the user ftp from /etc/ftpusers.
<Anonymous ~ftp>
RequireValidShell off
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients 50

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message

# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>

# An upload directory that allows storing files but not retrieving
# or creating directories.
# <Directory incoming/*>
# <Limit READ>
# DenyAll
# </Limit>
#
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>

</Anonymous>

Last edited by meetscott; 06-26-2009 at 02:09 PM.
 
Old 07-27-2009, 11:26 PM   #12
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 407

Rep: Reputation: 42
I've been very busy lately. Sorry for the delay in checking on this.

I wanted to mention that the default install of Slackware should allow you to start the sendmail daemon. It is also important to note that the directory tree leading up to the root or "/" of the file system only be owned and writable by the root user for security reasons. The path leading up to sendmail configuration files can be a security problem if this is not followed.

I think there is something wrong with your file system permissions to give you a "Permission denied" error. That's the best I can do for your particular problem with this amount of information.

The next thing I need, to help you with Sendmail configuration, is whether you are configuring MX records or just using your ISP as a "Smart Host."

I hope you haven't given up. System administration is a high paying skill. I actually write code for a living but I end up doing a lot of System Adminstration as well. Be patient as you learn about this stuff. It takes years to really exploit some of these features. It is what makes this forum and Linux in general so much fun!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
I have an ftp server on proftpd and... trist007 Linux - Newbie 5 07-07-2008 12:39 PM
proftpd (ftp server) Adrian13 Linux - Software 3 10-18-2004 04:22 PM
Is virtual user for mail (postfix) and ftp (proftpd) possible pembo13 Linux - Software 0 01-11-2004 03:30 PM
HELP! need proftpd.conf for single user ftp bruhv-ahh Linux - Software 2 12-31-2003 06:08 AM


All times are GMT -5. The time now is 02:31 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration