Thursday, June 16, 2011

Proftpd

HOWTO : Create a FTP server with user access (proftpd)

There's some support for this guide in the hoary section.
Some questions are already answered in the OLD THREAD; if you need support, you should read it before posting here.


I created this how-to for people who want to share files with friends using the FTP protocol, like FTPservU under Windows. The way I give you is not the only one; I hope my how-to is clear enough.
This FTP server will admit only users who have the right password (the people to whom you gave the username and password), so you can be sure that only people you know will access your FTP server.

A- The GUI way (for beginners only)

For those who are new to Linux and don't want to use an FTP server without a GUI, or for those who don't use their FTP server often and wish to set it up quickly without a high level of security, there is a GTK GUI for proftpd.
Be careful, it's less secure than configuring your server yourself.

1- Install proftpd and gproftpd with synaptic or with this command :
Code:
sudo apt-get install proftpd gproftpd
2- Play with the GUI and quickly set up your server.
Beware: no support is offered here for this tool, but it shouldn't be too hard to use.


B- The secure way


1- Install proftpd with synaptic or with this command :
Code:
sudo apt-get install proftpd
2- Add this line in /etc/shells file (sudo gedit /etc/shells to open the file) :
Code:
/bin/false
Create a /home/FTP-shared directory :
Code:
cd /home
sudo mkdir FTP-shared
Create a user named userftp which will be used only for FTP access. This user doesn't need a valid shell (more secure), so select /bin/false as the shell for userftp and /home/FTP-shared as its home directory (property button in the user and group window).
To make this section clearer, I give you the equivalent command line to create the user, but it would be better to use the GUI (System > Administration > User & Group), since users here often got problems with the user creation and the password (530 error) with the command line, so I really advise using the GUI :
Code:
# useradd's -p option expects an already-encrypted password, not a plain one,
# so create the account without it and set the password with passwd.
sudo useradd -d /home/FTP-shared -s /bin/false userftp
sudo passwd userftp
In FTP-shared directory create a download and an upload directory :
Code:
cd /home/FTP-shared/
sudo mkdir download
sudo mkdir upload
Now we have to set the right permissions for these directories :
Code:
cd /home
sudo chmod 755 FTP-shared
cd FTP-shared
sudo chmod 755 download
sudo chmod 777 upload
3- OK, now go to the proftpd configuration file :
Code:
sudo gedit /etc/proftpd.conf
or for edgy eft (ubuntu 6.10) :
Code:
sudo gedit /etc/proftpd/proftpd.conf
and edit your proftpd.conf file like this, if it fits your needs :
Code:
# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias sauron userftp

ServerName   "ChezFrodon"
ServerType    standalone
DeferWelcome   on

MultilineRFC2228 on
DefaultServer   on
ShowSymlinks   off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayChdir                    .message
ListOptions                 "-l"

RequireValidShell   off

TimeoutLogin 20

RootLogin    off

# It's better for debug to create log files ;-)
ExtendedLog    /var/log/ftp.log
TransferLog    /var/log/xferlog
SystemLog   /var/log/syslog.log

#DenyFilter   \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart  on

# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port    1980

# To prevent DoS attacks, set the maximum number of child processes
# (8 here).  If you need to allow more concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User                  nobody
Group                 nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask    022 022

PersistentPasswd  off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent                  on       "you're at home"

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts    5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
 <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
 DenyAll
 </Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
 <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
 DenyAll
 </Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
 <Limit READ RMD DELE>
 DenyAll
 </Limit>

 <Limit STOR CWD MKD>
 AllowAll
 </Limit>
</Directory>
OK, you have finished the proftpd configuration. Your server is on port 1980 (in this example) and the access parameters are :
user : sauron
password : the one you've set for userftp

4- To start/stop/restart your server :
Code:
sudo /etc/init.d/proftpd start
sudo /etc/init.d/proftpd stop
sudo /etc/init.d/proftpd restart
To perform a syntax check of your proftpd.conf file :
Code:
sudo proftpd -td5
To see who is connected to your server in real time, use the "ftptop" command (use the "t" character to switch to rate display); you can also use the "ftpwho" command.
More information here
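
As an added example (not part of the original guide), alongside the syntax check above: a shell function that lints the <Limit> lists of a proftpd.conf. A misspelled name in a list matches no FTP command, so the command it was meant to cover is left out of that rule. The KNOWN allow-list, the function names and the sample configuration are constructed for this example.

```shell
# Assumption: a short allow-list of <Limit> command groups and FTP commands;
# extend it if your configuration limits other commands.
KNOWN="ALL DIRS LOGIN READ WRITE CWD XCWD CDUP XCUP MKD XMKD RMD XRMD DELE RNFR RNTO STOR STOU APPE RETR LIST NLST MLSD MLST SIZE MDTM STAT SITE_CHMOD"

# lint_limits FILE: print one line per unknown name, return 1 if any was found.
lint_limits() {
    awk -v known_list="$KNOWN" '
    BEGIN {
        n = split(known_list, k, " ")
        for (i = 1; i <= n; i++) known[k[i]] = 1
    }
    /^[ \t]*#/ { next }                      # skip commented-out directives
    match($0, /<Limit[ \t]+[^>]*>/) {
        list = substr($0, RSTART, RLENGTH)
        sub(/^<Limit[ \t]+/, "", list)       # drop the opening tag name
        sub(/[ \t]*>$/, "", list)            # drop the closing bracket
        m = split(list, cmd, /[ \t]+/)
        for (j = 1; j <= m; j++) {
            name = toupper(cmd[j])
            if (name != "" && !(name in known)) {
                printf "line %d: unknown command \"%s\" in <Limit>\n", NR, cmd[j]
                bad++
            }
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the first <Limit> list misspells RNFR as RNEF.
write_sample() {
    cat > "$1" <<'EOF'
<Directory /home/FTP-shared/download/*>
  <Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
    DenyAll
  </Limit>
</Directory>
<Directory /home/FTP-shared/upload/>
  <Limit READ RMD DELE>
    DenyAll
  </Limit>
</Directory>
EOF
}

sample=$(mktemp)
write_sample "$sample"
lint_limits "$sample" || echo "fix the names above before reloading proftpd"
rm -f "$sample"
```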


C- Advanced tricks

1- Enable TLS/SSL encryption (FTPS)
** Important note : proftpd versions before 1.3.2-rc2 may not work with the latest FileZilla versions using TLS encryption. See raymond.szebin's post for details.
The FTP file sharing protocol is an old protocol which was created when the internet was still a secure place, therefore the default FTP protocol is not that secure.
For example, the password and username for login are transmitted in plain text, which obviously isn't secure.
That is why, to fit the needs of our generation, encryption solutions were developed, and one of them is TLS/SSL encryption.
This will encrypt the username and password and all the data you send; obviously, to use it the FTP client must support FTP over TLS (FTPS, which is not the SSH-based SFTP protocol).

Here are the steps to enable TLS/SSL encryption (FTPS):

Paste these commands in a terminal :
Code:
sudo apt-get install build-essential
sudo apt-get install libssl-dev
cd /etc
sudo mkdir ftpcert
cd ftpcert/
# 2048-bit keys are used here: 1024-bit RSA is no longer considered adequate
sudo openssl genrsa -des3 -out server.key 2048
sudo openssl req -new -key server.key -out server.csr
sudo openssl genrsa -des3 -out ca.key 2048
sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Download the sign.sh file (at the bottom of the post) and put it in the ftpcert directory
sudo chmod +x sign.sh
sudo ./sign.sh server.csr
Then add this section to your proftpd.conf file :
Code:
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/ftpd/tls.log
    TLSProtocol TLSv1

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # Server's certificate
    TLSRSACertificateFile /etc/ftpcert/server.crt
    TLSRSACertificateKeyFile /etc/ftpcert/server.key

    # CA the server trusts
    TLSCACertificateFile /etc/ftpcert/ca.crt

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off
</IfModule>
If you use edgy, or proftpd 1.3 in general, add this line at the beginning of your proftpd.conf file; it will load all the extra modules like mod_tls.c :
Code:
Include /etc/proftpd/modules.conf
Note - Use TLSRequired ON to force the use of TLS. OFF means that the use of TLS is optional.

Optional step:
You will notice that you are asked for the password you set for the server.key file each time you start/stop/restart the server; this is because the RSA private key is encrypted in the server.key file.
The solution is to remove the encryption of the RSA private key, but this makes the key readable in the server.key file, which is obviously less secure. If you do that, make sure that server.key is readable only by root.
Once you know that it's less secure, here are the command lines to remove the encryption of the RSA private key :
Code:
cd /etc/ftpcert
sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key
# Keep both key files readable only by root
sudo chmod 600 server.key server.key.org
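
An added example, not the sign.sh attachment and not part of the original guide: signing server.csr with the CA directly through openssl x509 -req, then checking that server.crt chains to ca.crt and matches server.key before pointing proftpd.conf at the files. Assumptions: the keys are created without a passphrase in a scratch directory so the script runs unattended, and the subject names and function names are constructed.

```shell
# make_signed_cert DIR: create a CA, a server key and CSR, and sign the CSR.
make_signed_cert() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/CN=Example FTP CA" -out "$dir/ca.crt" &&
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" \
        -subj "/CN=ftp.example.test" -out "$dir/server.csr" &&
    # The signing step: the CA key signs the server's request.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/server.crt" 2>/dev/null &&
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# check_cert DIR: succeed only if server.crt verifies against ca.crt
# and carries the same RSA modulus as server.key.
check_cert() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

work=$(mktemp -d)
if make_signed_cert "$work" && check_cert "$work"; then
    echo "server.crt chains to ca.crt and matches server.key"
else
    echo "certificate check failed"
fi
rm -rf "$work"
```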
Here are some links to read in case of problems or just to get more information :
http://www.modssl.org/docs/2.7/ssl_faq.html#cert-ownca
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

To use your TLS-encrypted FTP server you will need an FTP client which supports it, like the latest versions of FileZilla (the one present in the feisty repository has TLS support).
In FileZilla the option to use is called FTPES.

Thanks to nix4me for the help he provided and for the instructions.

2- Restrict access for some users
Some of you wish, for different reasons, to create more than one user and give different access depending on the user.
For example, if I create 2 users, one called user1 and the second called user2, and then want to deny access to the download directory for user2, it can be done as follows :

First create the 2 users like userftp in the guide and give them alias names if you use aliases. Then allow your 2 users in the general LIMIT LOGIN section :
Code:
#VALID LOGINS
<Limit LOGIN>
AllowUser user1
AllowUser user2
DenyALL
</Limit>
Once done, here is how to modify the directory sections to choose who is able to use which directory :
Code:
<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off

 <Limit ALL>
  Order Allow,Deny
  AllowUser user1
  Deny ALL
 </Limit>

 <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
  DenyAll
 </Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on

 <Limit ALL>
  Order Allow,Deny
  AllowUser user1
  AllowUser user2
  Deny ALL
 </Limit>

 <Limit READ RMD DELE>
  DenyAll
 </Limit>

 <Limit STOR CWD MKD>
  AllowAll
 </Limit>
</Directory>
Note - user2 will see the download directory but will not be able to enter the directory.

That's all


Misc
Best Common Practices - Everyone should read this
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-BCP.html

ProftpTools 1.0.1
ProftpTools is a script I wrote thanks to swoop's feedback. This script allows you to start/stop proftpd, mount/unmount directories automatically or manually, show your IP, ... and all of that with a GUI, in order to use proftpd in a really easy way !
To install ProftpTools, download ProftpTools-v1.0.2.tar.gz (at the bottom of the page), untar it where you want, and then move the ProftpTools file into /usr/bin :
Code:
tar -xzvf ProftpTools-v1.0.2.tar.gz
cd ProftpTools-v1.0.2/
sudo mv ProftpTools /usr/bin/
Then add these lines to your .bashrc file (it's in your home directory : gedit /home/username/.bashrc) in order to specify the ProftpTools directory path. YOU MUST REMOVE THE "/" CHARACTER at the end of the path. Here is an example if your ProftpTools directory is in your home directory :
Code:
ProftpTools_dir=/home/username/ProftpTools-v1.0.2
export ProftpTools_dir
Now all you have to do is type ProftpTools in a terminal and .... enjoy
You need zenity installed to use this script.

Don't hesitate to post in this thread or send me a PM to report bugs, ask for new features, correct my English or suggest improvements, and thank you for giving me feedback about this tool.

Useful trick :
This trick is integrated in ProftpTools.
If you don't want (like me) to use space in your /home directory and prefer to use space on another hard drive, or if you just want to share a directory from another partition, you can mount the directory you want in your download or upload directory without changing anything in the proftpd.conf file. Use these commands :
Code:
sudo mount -o bind the_directory_you_want_to_share /home/FTP-shared/download
or
sudo mount -o bind the_directory_you_want_to_use_for_upload /home/FTP-shared/upload
This command will not overwrite the directory; the idea is just to mount a directory in another one without overwriting anything, so when someone logs in to your server he will see and use the mounted directory if you have mounted one. To unmount a directory (the download directory for example) :
Code:
sudo umount /home/FTP-shared/download
Permanent mount :
If you don't want to re-mount your directories after a reboot, you can add a line to the fstab file like this (sudo gedit /etc/fstab to open the file) :
Code:
the_directory_to_mount /home/FTP-shared/download none bind 0 0
Thanks reet

If you want to create other directories in FTP-shared, remember to add them in the proftpd.conf file.
Don't hesitate to test your server yourself using gFTP for example; it's really helpful for debugging your server.

Other stuff/Troubleshooting/FAQ
If you have a router you should read that; it describes the 2 commands to add in proftpd.conf and why.
If you have a dynamic DNS have a look here; you can also use ddclient (maybe easier for newbies).
If you have the "Unbindable port 21" issue, please refer to this post from mustacheride.
Most of the information you're looking for is here
To get more debug information : http://www.proftpd.org/localsite/Userguide/linked/x1058.html
You can specify a passive port range using the PassivePorts command; it's very useful when you use a firewall, in order to know which ports to allow.

For those who have a firewall/router, I advise reading this excellent post from mssm

Thanks for feedback, and sorry if my english is sometimes really bad

Don't hesitate to post questions about proftpd in this thread.
Attached Files
ProftpTools-v1.0.2.tar.gz (1.9 KB)
sign.sh (1.7 KB)

Last edited by frodon; October 4th, 2010 at 09:32 AM. Reason: Updated - keep only one DefaultRoot command

Debian: Samba with AD Authentication


This tutorial is a mix-up of other tutorials I found on the net. You’ll find the other sites in the source list at the bottom of this post.
Remember:
Just change ICT-FREAK.LOCAL to your own domain and Debian5srv1 to the name of your Debian server.
Step 1: Update / Upgrade your Debian setup
apt-get update && apt-get upgrade
Step 2: Install the following packages:
apt-get install krb5-config krb5-user libkrb53 libpam-krb5 \
  samba-common samba winbind smbclient
Step 3:  Create a backup of the krb5.conf file.
mv /etc/krb5.conf /etc/krb5.conf.org
Edit the /etc/krb5.conf file with your favorite editor (nano or vi /etc/krb5.conf):
[logging]
default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
[libdefaults]
default_realm = ICT-FREAK.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clock_skew = 300
ticket_lifetime = 24h
forwardable = yes
[realms]
ICT-FREAK.LOCAL = {
kdc = dc01.ICT-FREAK.LOCAL
admin_server = dc01.ICT-FREAK.LOCAL
default_domain = ICT-FREAK.LOCAL
}
Step 4: Check if you can Authenticate a user against the Active Directory
debian5srv1:~# kinit administrator
Password for administrator@ICT-FREAK.LOCAL:
Step 5: Create a backup of the smb.conf file.
mv /etc/samba/smb.conf /etc/samba/smb.conf.org
Edit the /etc/samba/smb.conf file with your favorite editor (nano or vi /etc/samba/smb.conf):
[global]
workgroup = ICT-FREAK
realm = ICT-FREAK.LOCAL
load printers = no
preferred master = no
local master = no
server string = fileserver
password server = <ip-address from your DC>
encrypt passwords = yes
security = ADS
netbios name = debian5srv1
client signing = Yes
dns proxy = No
wins server = <ip-address from your DC>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
auth methods = winbind
Step 6: Start Winbind and test the connection
/etc/init.d/winbind start
You can query the AD with the command wbinfo. The -u parameter returns all users. The -g parameter returns all groups.
debian5srv1:~# wbinfo -u
administrator
guest
support_388945a0
krbtgt
debian5srv1:~# wbinfo -g
BUILTIN+administrators
BUILTIN+users
helpservicesgroup
telnetclients
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
dnsadmins
dnsupdateproxy
dhcp users
dhcp administrators
wins users
Step 7: Add the Debian box to the Windows domain
debian5srv1:~# kinit administrator
Password for administrator@ICT-FREAK.LOCAL
debian5srv1:~# net ads join -U administrator
Joined 'debian5srv1' to realm 'ICT-FREAK.LOCAL'
Step 8: Now tell PAM that samba requires authentication and account from winbind. Add the following lines to /etc/pam.d/samba
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
We also need to edit the /etc/nsswitch.conf file so it will look like this:
passwd: compat winbind
group: compat winbind
shadow: compat
Test the new settings with:
getent passwd
If everything is configured as it should be, you’ll see the AD users.
Step 9: Create a share. First we need to create a folder
mkdir -p /data/share
Change the permissions so the folder is writable
chmod 777 /data/share
Open the /etc/samba/smb.conf file and paste the following lines:
[Share]
comment = Test Share
read only = no
path = /data/share
valid users = @"ICT-FREAK+domain users"
Restart the Samba service via:
/etc/init.d/samba restart
Step 10: Test the new share. Go to your Windows box and browse to the Debian box via \\debian5srv1 
If everything is configured as it should be, you will see the following screen:
[Screenshot: the Windows box browsing \\debian5srv1]

Sources:
http://www.simsonlai.org/samba-and-active-directory-authentication/
http://rubenleusink.com/debian-samba-filesharing-with-microsoft-active-directory-authentication-2008-10-07/