From 14ddb7ef19ec2a12f32ea9a02b028f9bfdec322d Mon Sep 17 00:00:00 2001
From: Robert Tulke
Date: Tue, 24 Jan 2017 02:45:22 +0100
Subject: [PATCH 1/6] Create proftpd.conf
---
 configs/debian/proftpd.conf | 197 ++++++++++++++++++++++++++++++++++++
 1 file changed, 197 insertions(+)
 create mode 100644 configs/debian/proftpd.conf
diff --git a/configs/debian/proftpd.conf b/configs/debian/proftpd.conf
new file mode 100644
index 0000000..7784a35
--- /dev/null
+++ b/configs/debian/proftpd.conf
@@ -0,0 +1,197 @@
+#
+# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
+# To really apply changes, reload proftpd after modifications, if
+# it runs in daemon mode. It is not required in inetd/xinetd mode.
+#
+# based on original proftpd debian jessie
+# Includes DSO modules
+
+Include /etc/proftpd/modules.conf
+
+# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
+UseIPv6 on
+# If set on you can experience a longer connection delay in many cases.
+IdentLookups off
+
+
+
+ServerName "debian"
+ServerType standalone
+DeferWelcome off
+
+MultilineRFC2228 on
+DefaultServer on
+ShowSymlinks on
+
+TimeoutNoTransfer 600
+TimeoutStalled 600
+TimeoutIdle 1200
+
+DisplayLogin welcome.msg
+DisplayChdir .message true
+ListOptions "-l"
+
+DenyFilter \*.*/
+
+# Use this to jail all users in their homes
+DefaultRoot ~
+
+# Users require a valid shell listed in /etc/shells to login.
+# Use this directive to release that constrain.
+RequireValidShell off
+
+# Port 21 is the standard FTP port.
+Port 21
+
+# In some cases you have to specify passive ports range to by-pass
+# firewall limitations. Ephemeral ports can be used for that, but
+# feel free to use a more narrow range.
+# PassivePorts 49152 65534
+
+# If your host was NATted, this option is useful in order to
+# allow passive tranfers to work. You have to use your public
+# address and opening the passive ports used on your firewall as well.
+# MasqueradeAddress 1.2.3.4
+
+# This is useful for masquerading address with dynamic IPs:
+# refresh any configured MasqueradeAddress directives every 8 hours
+
+# DynMasqRefresh 28800
+
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 30. If you need to allow more than 30 concurrent connections
+# at once, simply increase this value. Note that this ONLY works
+# in standalone mode, in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd)
+MaxInstances 30
+
+# Set the user and group that the server normally runs at.
+User proftpd
+Group nogroup
+
+# Umask 022 is a good standard umask to prevent new files and dirs
+# (second parm) from being group and world writable.
+Umask 022 022
+# Normally, we want files to be overwriteable.
+AllowOverwrite on
+
+# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
+# PersistentPasswd off
+
+# This is required to use both PAM-based authentication and local passwords
+# AuthOrder mod_auth_pam.c* mod_auth_unix.c
+AuthOrder mod_sql.c # mod_auth_pam.c* mod_auth_unix.c
+
+
+CreateHome on 775
+
+
+# Be warned: use of this directive impacts CPU average load!
+# Uncomment this if you like to see progress and transfer rate with ftpwho
+# in downloads. That is not needed for uploads rates.
+#
+# UseSendFile off
+
+TransferLog /var/log/proftpd/xferlog
+SystemLog /var/log/proftpd/proftpd.log
+
+# Logging onto /var/log/lastlog is enabled but set to off by default
+#UseLastlog on
+
+# In order to keep log file dates consistent after chroot, use timezone info
+# from /etc/localtime. If this is not set, and proftpd is configured to
+# chroot (e.g. DefaultRoot or ), it will use the non-daylight
+# savings timezone regardless of whether DST is in effect.
+#SetEnv TZ :/etc/localtime
+
+
+QuotaEngine off
+
+
+
+Ratios off
+
+
+
+# Delay engine reduces impact of the so-called Timing Attack described in
+# http://www.securityfocus.com/bid/11430/discuss
+# It is on by default.
+
+DelayEngine on
+
+
+ControlsEngine off
+ControlsMaxClients 2
+ControlsLog /var/log/proftpd/controls.log
+ControlsInterval 5
+ControlsSocket /var/run/proftpd/proftpd.sock
+
+
+AdminControlsEngine off
+
+#
+# Alternative authentication frameworks
+#
+#Include /etc/proftpd/ldap.conf
+Include /etc/proftpd/sql.conf
+
+#
+# This is used for FTPS connections
+#
+#Include /etc/proftpd/tls.conf
+
+#
+# Useful to keep VirtualHost/VirtualRoot directives separated
+#
+#Include /etc/proftpd/virtuals.conf
+
+# A basic anonymous configuration, no upload directories.
+
+#
+# User ftp
+# Group nogroup
+# # We want clients to be able to login with "anonymous" as well as "ftp"
+# UserAlias anonymous ftp
+# # Cosmetic changes, all files belongs to ftp user
+# DirFakeUser on ftp
+# DirFakeGroup on ftp
+#
+# RequireValidShell off
+#
+# # Limit the maximum number of anonymous logins
+# MaxClients 10
+#
+# # We want 'welcome.msg' displayed at login, and '.message' displayed
+# # in each newly chdired directory.
+# DisplayLogin welcome.msg
+# DisplayChdir .message
+#
+# # Limit WRITE everywhere in the anonymous chroot
+#
+#
+# DenyAll
+#
+#
+#
+# # Uncomment this if you're brave.
+# #
+# # # Umask 022 is a good standard umask to prevent new files and dirs
+# # # (second parm) from being group and world writable.
+# # Umask 022 022
+# #
+# # DenyAll
+# #
+# #
+# # AllowAll
+# #
+# #
+#
+#
+
+# Include other custom configuration files
+Include /etc/proftpd/conf.d/
From ac5525254445ccf06d47896e32394c0e0d5005e8 Mon Sep 17 00:00:00 2001
From: Robert Tulke
Date: Tue, 24 Jan 2017 02:46:43 +0100
Subject: [PATCH 2/6] Create modules.conf
---
 configs/debian/modules.conf | 97 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 configs/debian/modules.conf
diff --git a/configs/debian/modules.conf b/configs/debian/modules.conf
new file mode 100644
index 0000000..06f2aeb
--- /dev/null
+++ b/configs/debian/modules.conf
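Review bot: `AuthOrder mod_sql.c # mod_auth_pam.c* mod_auth_unix.c` carries a trailing comment on a directive line; as far as I know the ProFTPD parser only treats whole lines that begin with `#` as comments, so `#`, `mod_auth_pam.c*` and `mod_auth_unix.c` would be read as extra AuthOrder arguments and the config would most likely be rejected at startup. Keep the directive alone on its line, `AuthOrder mod_sql.c`, and leave the alternative in the comment above it. `CreateHome on 775` creates group-writable home directories and the same directive is repeated in sql.conf (PATCH 3/6), which makes the effective mode hard to reason about; set it once, and use 755 (or the default) unless the group genuinely needs write access. `#Include /etc/proftpd/tls.conf` stays disabled while SQL-backed password logins are enabled, so credentials cross the network in cleartext; a comment such as `# Enable tls.conf (FTPS) before exposing this server; passwords are otherwise sent unencrypted` next to it would make the trade-off explicit.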
@@ -0,0 +1,97 @@
+#
+# This file is used to manage DSO modules and features.
+#
+# based on default config proftpd debian jessie
+
+# This is the directory where DSO modules reside
+
+ModulePath /usr/lib/proftpd
+
+# Allow only user root to load and unload modules, but allow everyone
+# to see which modules have been loaded
+
+ModuleControlsACLs insmod,rmmod allow user root
+ModuleControlsACLs lsmod allow user *
+
+LoadModule mod_ctrls_admin.c
+LoadModule mod_tls.c
+
+# Install one of proftpd-mod-mysql, proftpd-mod-pgsql or any other
+# SQL backend engine to use this module and the required backend.
+# This module must be mandatory loaded before anyone of
+# the existent SQL backeds.
+LoadModule mod_sql.c
+
+# Install proftpd-mod-ldap to use this
+#LoadModule mod_ldap.c
+
+#
+# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives
+# are required to have SQL authorization working. You can also comment out the
+# unused module here, in alternative.
+#
+
+# Install proftpd-mod-mysql and decomment the previous
+# mod_sql.c module to use this.
+LoadModule mod_sql_mysql.c
+
+# Install proftpd-mod-pgsql and decomment the previous
+# mod_sql.c module to use this.
+#LoadModule mod_sql_postgres.c
+
+# Install proftpd-mod-sqlite and decomment the previous
+# mod_sql.c module to use this
+#LoadModule mod_sql_sqlite.c
+
+# Install proftpd-mod-odbc and decomment the previous
+# mod_sql.c module to use this
+#LoadModule mod_sql_odbc.c
+
+# Install one of the previous SQL backends and decomment
+# the previous mod_sql.c module to use this
+LoadModule mod_sql_passwd.c
+
+LoadModule mod_radius.c
+LoadModule mod_quotatab.c
+LoadModule mod_quotatab_file.c
+
+# Install proftpd-mod-ldap to use this
+#LoadModule mod_quotatab_ldap.c
+
+# Install one of the previous SQL backends and decomment
+# the previous mod_sql.c module to use this
+#LoadModule mod_quotatab_sql.c
+LoadModule mod_quotatab_radius.c
+LoadModule mod_wrap.c
+LoadModule mod_rewrite.c
+LoadModule mod_load.c
+LoadModule mod_ban.c
+LoadModule mod_wrap2.c
+LoadModule mod_wrap2_file.c
+# Install one of the previous SQL backends and decomment
+# the previous mod_sql.c module to use this
+#LoadModule mod_wrap2_sql.c
+LoadModule mod_dynmasq.c
+LoadModule mod_exec.c
+LoadModule mod_shaper.c
+LoadModule mod_ratio.c
+LoadModule mod_site_misc.c
+
+LoadModule mod_sftp.c
+LoadModule mod_sftp_pam.c
+# Install one of the previous SQL backends and decomment
+# the previous mod_sql.c module to use this
+#LoadModule mod_sftp_sql.c
+
+LoadModule mod_facl.c
+LoadModule mod_unique_id.c
+LoadModule mod_copy.c
+LoadModule mod_deflate.c
+LoadModule mod_ifversion.c
+LoadModule mod_tls_memcache.c
+
+# Install proftpd-mod-geoip to use the GeoIP feature
+#LoadModule mod_geoip.c
+
+# keep this module the last one
+LoadModule mod_ifsession.c
From 84e58c3912dba3b99780970213fa50951705457c Mon Sep 17 00:00:00 2001
From: Robert Tulke
Date: Tue, 24 Jan 2017 02:49:31 +0100
Subject: [PATCH 3/6] Create sql.conf
---
 configs/debian/sql.conf | 56 +++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 configs/debian/sql.conf
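Review bot: The module list loads far more than the accompanying proftpd.conf and sql.conf configure: those files reference mod_ctrls_admin.c, mod_sql.c, mod_sql_mysql.c and mod_sql_passwd.c (plus mod_tls.c once FTPS is enabled), yet mod_exec.c, mod_sftp.c, mod_sftp_pam.c, mod_radius.c, mod_wrap2.c, mod_copy.c, mod_site_misc.c, mod_shaper.c and others are loaded with no matching directives. Each DSO is additional parsing and network-facing code inside the privileged daemon, and mod_exec in particular exists to run external commands on server events, so unused modules are attack surface with no benefit. Comment out the modules nothing configures and say so at the top, e.g. `# Load only what proftpd.conf/sql.conf use; every extra module enlarges the attack surface`. The comment `# Install proftpd-mod-mysql and decomment the previous mod_sql.c module to use this.` is stale here, since mod_sql.c is already active a few lines above.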
diff --git a/configs/debian/sql.conf b/configs/debian/sql.conf
new file mode 100644
index 0000000..0ba22ec
--- /dev/null
+++ b/configs/debian/sql.conf
@@ -0,0 +1,56 @@
+#
+# Proftpd sample configuration for SQL-based authentication.
+#
+# (This is not to be used if you prefer a PAM-based SQL authentication)
+#
+# based on default proftpd config debian jessie, modify ^SQLConnectInfo
+
+
+# Choose a SQL backend among MySQL or PostgreSQL.
+# Both modules are loaded in default configuration, so you have to specify the backend
+# or comment out the unused module in /etc/proftpd/modules.conf.
+# Use 'mysql' or 'postgres' as possible values.
+#
+#SQLBackend mysql
+#
+#SQLEngine on
+#SQLAuthenticate on
+#
+# Use both a crypted or plaintext password
+#SQLAuthTypes Crypt Plaintext
+#
+# Use a backend-crypted or a crypted password
+#SQLAuthTypes Backend Crypt
+#
+# Connection
+#SQLConnectInfo proftpd@sql.example.com proftpd_user proftpd_password
+#
+# Describes both users/groups tables
+#
+#SQLUserInfo users userid passwd uid gid homedir shell
+#SQLGroupInfo groups groupname gid members
+
+SQLLogFile /var/log/proftpd/proftpd-mysql.log
+CreateHome on 775
+SQLBackend mysql
+SQLEngine on
+SQLPasswordEngine on
+SQLAuthenticate on
+SQLAuthTypes Crypt
+SQLConnectInfo proftpd@localhost proftpd
+SQLUserInfo users userid passwd uid gid homedir shell
+SQLGroupInfo groups groupname gid members
+SQLUserWhereClause "disabled != 1"
+SQLLog PASS updatecount
+SQLNamedQuery updatecount UPDATE "login_count=login_count+1, last_login=now() WHERE userid='%u'" users
+
+ # Used to track xfer traffic per user (without invoking a quota)
+SQLLog RETR bytes-out-count
+SQLNamedQuery bytes-out-count UPDATE "bytes_out_used=bytes_out_used+%b WHERE userid='%u'" users
+SQLLog RETR files-out-count
+SQLNamedQuery files-out-count UPDATE "files_out_used=files_out_used+1 WHERE userid='%u'" users
+
+SQLLog STOR bytes-in-count
+SQLNamedQuery bytes-in-count UPDATE "bytes_in_used=bytes_in_used+%b WHERE userid='%u'" users
+SQLLog STOR files-in-count
+SQLNamedQuery files-in-count UPDATE "files_in_used=files_in_used+1 WHERE userid='%u'" users
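Review bot: `SQLConnectInfo proftpd@localhost proftpd` names a database and a user but no password, unlike the template `#SQLConnectInfo proftpd@sql.example.com proftpd_user proftpd_password` above it and the `db_pass` value the PHP config in PATCH 4/6 expects; as written mod_sql either connects as a passwordless MySQL account or cannot authenticate anyone. Add the third argument with an obvious placeholder, `SQLConnectInfo proftpd@localhost proftpd DB_PASSWORD_PLACEHOLDER`, and extend the header comment to say the file must then be root-readable only because it holds a credential. `SQLLogFile /var/log/proftpd/proftpd-mysql.log` is mod_sql's query/debug log and records every statement issued, so it should be treated as sensitive or disabled once the setup is verified. The named queries substitute the login name via `%u`; I believe mod_sql escapes these substitutions, but since the username is chosen by the remote client it is worth confirming for the installed version and noting the result in a comment above `SQLNamedQuery updatecount`.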
From 060b81cf8853d92c19bc2304816c5dda666d6fad Mon Sep 17 00:00:00 2001
From: Robert Tulke
Date: Tue, 24 Jan 2017 02:51:22 +0100
Subject: [PATCH 4/6] Create debian_example.conf
---
 configs/debian_example.conf | 81 +++++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 configs/debian_example.conf
diff --git a/configs/debian_example.conf b/configs/debian_example.conf
new file mode 100644
index 0000000..9b05676
--- /dev/null
+++ b/configs/debian_example.conf
@@ -0,0 +1,81 @@
+
+ * @copyright Christian Beer
+ * @copyright Lex Brugman
+ */
+
+$cfg = array();
+
+$cfg['table_users'] = "users";
+$cfg['field_userid'] = "userid";
+$cfg['field_id'] = "id";
+$cfg['field_uid'] = "uid";
+$cfg['field_ugid'] = "gid";
+$cfg['field_passwd'] = "passwd";
+$cfg['field_homedir'] = "homedir";
+$cfg['field_shell'] = "shell";
+$cfg['field_title'] = "title";
+$cfg['field_name'] = "name";
+$cfg['field_company'] = "company";
+$cfg['field_email'] = "email";
+$cfg['field_comment'] = "comment";
+$cfg['field_disabled'] = "disabled";
+$cfg['field_login_count'] = "login_count";
+$cfg['field_last_login'] = "last_login";
+$cfg['field_last_modified'] = "last_modified";
+$cfg['field_bytes_in_used'] = "bytes_in_used";
+$cfg['field_bytes_out_used'] = "bytes_out_used";
+$cfg['field_files_in_used'] = "files_in_used";
+$cfg['field_files_out_used'] = "files_out_used";
+
+$cfg['table_groups'] = "groups";
+$cfg['field_groupname'] = "groupname";
+$cfg['field_gid'] = "gid";
+$cfg['field_members'] = "members";
+
+$cfg['default_uid'] = "8000"; //if empty next incremental will be default
+$cfg['default_homedir'] = "/home/web";
+// Use either SHA1 or MD5 or any other supported by your MySQL-Server and ProFTPd
+// "pbkdf2" is supported if you are using ProFTPd 1.3.5.
+// "crypt" uses the unix crypt() function.
+// "OpenSSL:sha1" other digest-names also possible; see: http://www.proftpd.org/docs/directives/configuration_full.html#SQLAUTHTYPES
+$cfg['passwd_encryption'] = "crypt";
+$cfg['min_passwd_length'] = "4";
+$cfg['max_userid_length'] = "32";
+$cfg['max_groupname_length'] = "32";
+// the expressions used to validate user and groupnames are used in two places
+// on the website (HTML5) and on the server (PHP)
+// the HTML5 validation doesn't understand the i modifier so you need to specify lowercase and uppercase characters
+// for some reason the PHP validation still needs the i modifier so just leave it in
+$cfg['userid_regex'] = "/^([a-zA-Z][a-zA-Z0-9_\-]{0,".($cfg['max_userid_length']-1)."})$/i"; //every username must comply with this regex
+$cfg['groupname_regex'] = "/^([a-zA-Z][a-zA-Z0-9_\-]{0,".($cfg['max_groupname_length']-1)."})$/i"; //every username must comply with this regex
+// Set any of these to -1 to remove the constraint
+$cfg['min_uid'] = 8000;
+$cfg['max_uid'] = 8999;
+$cfg['min_gid'] = 8000;
+$cfg['max_gid'] = 8999;
+// Uncomment this to read crypt() settings from login.defs.
+// $cfg['read_login_defs'] = true;
+
+// next option activates a userid filter on users.php. Usefull if you want to manage a lot of users
+// that have a prefix like "pre-username", the first occurence of separator is recognized only!
+$cfg['userid_filter_separator'] = ""; // try "-" or "_" as separators
+
+// use this block for a mysql backend
+$cfg['db_type'] = "mysqli"; // if unset, 'db_type' defaults to mysqli
+$cfg['db_host'] = "localhost";
+$cfg['db_name'] = "proftpd";
+$cfg['db_user'] = "proftpd";
+$cfg['db_pass'] = "yourdbpasswordhere";
+
+// use this block for an sqlite3 backend
+//$cfg['db_type'] = "sqlite3";
+//$cfg['db_path'] = "configs/";
+//$cfg['db_name'] = "auth.sqlite3";
+?>
From a19416b90b3c25290fed5545ec22e12e2ccc3cd9 Mon Sep 17 00:00:00 2001
From: Robert Tulke
Date: Tue, 24 Jan 2017 02:52:23 +0100
Subject: [PATCH 5/6] Update and rename debian_example.conf to debian_config_example.php
---
 configs/{debian_example.conf => debian_config_example.php} | 2 ++
 1 file changed, 2 insertions(+)
 rename configs/{debian_example.conf => debian_config_example.php} (99%)
diff --git a/configs/debian_example.conf b/configs/debian_config_example.php
similarity index 99%
rename from configs/debian_example.conf
rename to configs/debian_config_example.php
index 9b05676..90904d5 100644
--- a/configs/debian_example.conf
+++ b/configs/debian_config_example.php
@@ -8,6 +8,8 @@
 * @copyright Ricardo Padilha
 * @copyright Christian Beer
 * @copyright Lex Brugman
+ *
+ * rename to config.php
 */
 $cfg = array();
From 14a416b0a28931108a58d2094a8e6deeab342954 Mon Sep 17 00:00:00 2001
From: Robert Tulke
Date: Tue, 24 Jan 2017 02:56:07 +0100
Subject: [PATCH 6/6] Update CHANGELOG
---
 CHANGELOG | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index 90b1465..8153cf9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,8 +6,13 @@
 * @copyright Lex Brugman
 * @copyright Christian Beer
 * @copyright Ricardo Padilha
+ * @copyright Robert Tulke
 */
+Release: 2.2.1
+Changes:
+* added working Debian Proftpd Settings
+
 Release: 2.2
 Changes:
 * added UID/GID limits (from Greg Arnold)