Understanding current FTP configuration

I already checked that entry previously which helped me to get ProFtpd running but I cannot access it at all on port 21 due to error above. It appears this is an issue people have string feelings over and probably not going to be fully resolved anytime soon so I will just stick with ssh and sftp and probably just disable ProFtpd.

I was just reporting this as if Virtualmin supports ProFtpd but its stock install on CentOS 7 does not actually work or give access it should be either disabled or noted as to what configs it works in (Centos 6 it seems to be OK)

This is the ProFTPD configuration file

#

See: http://www.proftpd.org/docs/directives/linked/by-name.html Security-Enhanced Linux (SELinux) Notes:

#

In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux in order to mitigate the effects of an attacker taking advantage of an unpatched vulnerability and getting control of the ftp server. By default, ProFTPD cannot read or write most files on a system nor connect to many external network services, but these restrictions can be relaxed by setting SELinux booleans as follows:

#

setsebool -P allow_ftpd_anon_write=1 This allows the ftp daemon to write to files and directories labelled with the public_content_rw_t context type; the daemon would only have read access to these files normally. Files to be made available by ftp but not writeable should be labelled public_content_t.

#

setsebool -P allow_ftpd_full_access=1 This allows the ftp daemon to read and write all files on the system.

#

setsebool -P allow_ftpd_use_cifs=1 This allows the ftp daemon to read and write files on CIFS-mounted filesystems.

#

setsebool -P allow_ftpd_use_nfs=1 This allows the ftp daemon to read and write files on NFS-mounted filesystems.

#

setsebool -P ftp_home_dir=1 This allows the ftp daemon to read and write files in users' home directories.

#

setsebool -P ftpd_connect_all_unreserved=1 This setting is only available from Fedora 16/RHEL-7 onwards, and is necessary for active-mode ftp transfers to work reliably with non-Linux clients (see http://bugzilla.redhat.com/782177), which may choose to use port numbers outside the "ephemeral port" range of 32768-61000.

#

setsebool -P ftpd_connect_db=1 This setting allows the ftp daemon to connect to commonly-used database ports over the network, which is necessary if you are using a database back-end for user authentication, etc.

#

setsebool -P ftpd_is_daemon=1 This setting is available only in Fedora releases 4 to 6 and Red Hat Enterprise Linux 5. It should be set if ProFTPD is running in standalone mode, and unset if running in inetd mode.

#

setsebool -P ftpd_disable_trans=1 This setting is available only in Fedora releases 4 to 6 and Red Hat Enterprise Linux 5, and when set it removes the SELinux confinement of the ftp daemon. Needless to say, its use is not recommended.

#

All of these booleans are unset by default.

#

See also the "ftpd_selinux" manpage.

#

Note that the "-P" option to setsebool makes the setting permanent, i.e. it will still be in effect after a reboot; without the "-P" option, the effect only lasts until the next reboot.

#

Restrictions imposed by SELinux are on top of those imposed by ordinary file ownership and access permissions; in normal operation, the ftp daemon will not be able to read and/or write a file unless all of the ownership, permission and SELinux restrictions allow it. Server Config - config used for anything outside a or context See: http://www.proftpd.org/docs/howto/Vhost.html Trace logging, disabled by default for performance reasons (http://www.proftpd.org/docs/howto/Tracing.html) TraceLog /var/log/proftpd/trace.log Trace DEFAULT:0

ServerName "ProFTPD server" ServerIdent on "FTP Server ready." ServerAdmin root@localhost DefaultServer on

Cause every FTP user except adm to be chrooted into their home directory

DefaultRoot ~ !adm

Use pam to authenticate (default) and be authoritative

AuthPAMConfig proftpd AuthOrder mod_auth_pam.c* mod_auth_unix.c

If you use NIS/YP/LDAP you may need to disable PersistentPasswd PersistentPasswd off Don't do reverse DNS lookups (hangs on DNS problems)

UseReverseDNS off

Set the user and group that the server runs as

User nobody Group nobody

To prevent DoS attacks, set the maximum number of child processes to 20. If you need to allow more than 20 concurrent connections at once, simply increase this value. Note that this ONLY works in standalone mode; in inetd mode you should use an inetd server that allows you to limit maximum number of processes per service (such as xinetd)

MaxInstances 20

Disable sendfile by default since it breaks displaying the download speeds in ftptop and ftpwho

UseSendfile off

Define the log formats

LogFormat default "%h %l %u %t \"%r\" %s %b" LogFormat auth "%v [%P] %h %t \"%r\" %s"

Dynamic Shared Object (DSO) loading See README.DSO and howto/DSO.html for more details

#

General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql.c

#

Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables (contrib/mod_sql_passwd.html) LoadModule mod_sql_passwd.c

#

Mysql support (requires proftpd-mysql package) (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql_mysql.c

#

Postgresql support (requires proftpd-postgresql package) (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql_postgres.c

#

Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html) LoadModule mod_quotatab.c

#

File-specific "driver" for storing quota table information in files (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) LoadModule mod_quotatab_file.c

#

SQL database "driver" for storing quota table information in SQL tables (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) LoadModule mod_quotatab_sql.c

#

LDAP support (requires proftpd-ldap package) (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) LoadModule mod_ldap.c

#

LDAP quota support (requires proftpd-ldap package) (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) LoadModule mod_quotatab_ldap.c

#

Support for authenticating users using the RADIUS protocol (http://www.proftpd.org/docs/contrib/mod_radius.html) LoadModule mod_radius.c

#

Retrieve quota limit table information from a RADIUS server (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) LoadModule mod_quotatab_radius.c

#

SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be used to copy files/directories from one place to another on the server without having to transfer the data to the client and back (http://www.castaglia.org/proftpd/modules/mod_copy.html) LoadModule mod_copy.c

#

Administrative control actions for the ftpdctl program (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)

LoadModule mod_ctrls_admin.c #

Support for MODE Z commands, which allows FTP clients and servers to compress data for transfer (http://www.castaglia.org/proftpd/modules/mod_deflate.html) LoadModule mod_deflate.c

#

Execute external programs or scripts at various points in the process of handling FTP commands (http://www.castaglia.org/proftpd/modules/mod_exec.html) LoadModule mod_exec.c

#

Support for POSIX ACLs (http://www.proftpd.org/docs/modules/mod_facl.html) LoadModule mod_facl.c

#

Support for using the GeoIP library to look up geographical information on the connecting client and using that to set access controls for the server (http://www.castaglia.org/proftpd/modules/mod_geoip.html) LoadModule mod_geoip.c

#

Allow for version-specific configuration sections of the proftpd config file, useful for using the same proftpd config across multiple servers where different proftpd versions may be in use (http://www.castaglia.org/proftpd/modules/mod_ifversion.html) LoadModule mod_ifversion.c

#

Configure server availability based on system load (http://www.proftpd.org/docs/contrib/mod_load.html) LoadModule mod_load.c

#

Limit downloads to a multiple of upload volume (see README.ratio) LoadModule mod_ratio.c

#

Rewrite FTP commands sent by clients on-the-fly, using regular expression matching and substitution (http://www.proftpd.org/docs/contrib/mod_rewrite.html) LoadModule mod_rewrite.c

#

Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) LoadModule mod_sftp.c

#

Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) LoadModule mod_sftp_pam.c

#

Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user and host based authentication (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) LoadModule mod_sftp_sql.c

#

Provide data transfer rate "shaping" across the entire server (http://www.castaglia.org/proftpd/modules/mod_shaper.html) LoadModule mod_shaper.c

#

Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) LoadModule mod_site_misc.c

#

Provide an external SSL session cache using shared memory (contrib/mod_tls_shmcache.html) LoadModule mod_tls_shmcache.c

#

Provide a memcached-based implementation of an external SSL session cache (contrib/mod_tls_memcache.html) LoadModule mod_tls_memcache.c

#

Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny files, for IP-based access control (http://www.proftpd.org/docs/contrib/mod_wrap.html) LoadModule mod_wrap.c

#

Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny files, as well as SQL-based access rules, for IP-based access control (http://www.proftpd.org/docs/contrib/mod_wrap2.html) LoadModule mod_wrap2.c

#

Support module for mod_wrap2 that handles access rules stored in specially formatted files on disk (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) LoadModule mod_wrap2_file.c

#

Support module for mod_wrap2 that handles access rules stored in SQL database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) LoadModule mod_wrap2_sql.c

#

Implement a virtual chroot capability that does not require root privileges (http://www.castaglia.org/proftpd/modules/mod_vroot.html) Using this module rather than the kernel's chroot() system call works around issues with PAM and chroot (http://bugzilla.redhat.com/506735)

LoadModule mod_vroot.c #

Provide a flexible way of specifying that certain configuration directives only apply to certain sessions, based on credentials such as connection class, user, or group membership (http://www.proftpd.org/docs/contrib/mod_ifsession.html) LoadModule mod_ifsession.c Allow only user root to load and unload modules, but allow everyone to see which modules have been loaded (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs)

ModuleControlsACLs insmod,rmmod allow user root ModuleControlsACLs lsmod allow user *

Enable basic controls via ftpdctl (http://www.proftpd.org/docs/modules/mod_ctrls.html)

ControlsEngine on ControlsACLs all allow user root ControlsSocketACL allow user * ControlsLog /var/log/proftpd/controls.log

Enable admin controls via ftpdctl (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)

AdminControlsEngine on AdminControlsACLs all allow user root

Enable mod_vroot by default for better compatibility with PAM (http://bugzilla.redhat.com/506735)

VRootEngine on

TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)

TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log TLSSessionCache shm:/file=/var/run/proftpd/sesscache

Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd

LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tab

# If the same client reaches the MaxLoginAttempts limit 2 times # within 10 minutes, automatically add a ban for that client that # will expire after one hour. BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

# Inform the user that it's not worth persisting BanMessage "Host %a has been banned"

# Allow the FTP admin to manually add/remove bans BanControlsACLs all allow user ftpadm

Set networking-specific "Quality of Service" (QoS) bits on the packets used by the server (contrib/mod_qos.html)

LoadModule mod_qos.c # RFC791 TOS parameter compatibility QoSOptions dataqos throughput ctrlqos lowdelay # For a DSCP environment (may require tweaking) #QoSOptions dataqos CS2 ctrlqos AF41

Global Config - config common to Server Config and all virtual hosts See: http://www.proftpd.org/docs/howto/Vhost.html

# Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 022

# Allow users to overwrite files and change permissions AllowOverwrite yes AllowAll DefaultRoot ~

A basic anonymous configuration, with an upload directory Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd

User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply."

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias           anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients          10 "Sorry, max %m users -- try again later"

# Put the user into /pub right after login
#DefaultChdir       /pub

# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files. 
DisplayLogin        /welcome.msg
DisplayChdir        .message
DisplayReadme       README*

# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser         on ftp
DirFakeGroup        on ftp

# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
  DenyAll
</Limit>

# An upload directory that allows storing files but not retrieving
# or creating directories.
#
# Directory specification is slightly different if mod_vroot is in
# use: see http://sourceforge.net/p/proftp/mailman/message/31728570/
#          https://bugzilla.redhat.com/show_bug.cgi?id=1045922
<IfModule mod_vroot.c>
  <Directory /uploads/*>
    AllowOverwrite      no
    <Limit READ>
      DenyAll
    </Limit>

    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</IfModule>
<IfModule !mod_vroot.c>
  <Directory uploads/*>
    AllowOverwrite      no
    <Limit READ>
      DenyAll
    </Limit>

    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</IfModule>

# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog         off

# Logging for the anonymous transfers
ExtendedLog         /var/log/proftpd/access.log WRITE,READ default
ExtendedLog         /var/log/proftpd/auth.log AUTH auth

LoadModule mod_sftp.c TLSRSACertificateFile /etc/proftpd.cert TLSRSACertificateKeyFile /etc/proftpd.key TLSCACertificateFile /etc/proftpd.ca TLSEngine on

SFTPEngine on
Port 2222
SFTPLog /var/log/proftpd/sftp.log

#SFTPHostKey /etc/ssh/ssh_host_rsa_key
#SFTPHostKey /etc/ssh/ssh_host_dsa_key

SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

SFTPCompression delayed

I resolved this by

1. Following the advice here https://www.virtualmin.com/node/39597 relating to the keys (to get ProFTPD to start)
2. Simply removing all the sftp stuff and listening on port 2222 - essentially everything after line #434

LoadModule mod_sftp.c

The next issue is that any client trying to connect using PASV (Passive mode) will fail to get a directory listing unless you open ports in the firewall for passive mode. Active mode will connect without issue.

Thanks, Andrew