proftpd behind NAT
Petr Bartel
cyber at irix-servis.cz
Tue Sep 27 11:42:46 CEST 2005
Hello, I'm at my wits' end with this.
I'm trying to get an FTP server working behind NAT; here is an outline of the configuration:
cat /usr/local/etc/proftpd.conf
<Global>
DisplayLogin /usr/local/etc/welcome.msg
DisplayConnect /usr/local/etc/welcome.msg
# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart on
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# Set the user and group under which the server will run.
User nobody
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
<IfModule mod_tls.c>
TLSEngine off # disable SSL by default
TLSLog /var/log/tls.log
TLSRequired off # if SSL, for both channels
</IfModule>
RootLogin off
RequireValidShell off
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DenyFilter \*.*/
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users* groups*
SQLConnectInfo ftpdb@xxxxxx xxxxxxx xxxxxxx
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
SQLMinID 500
SQLHomedirOnDemand on
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
</Global>
MasqueradeAddress xxxxxx
PassivePorts 60000 65535
# AllowForeignAddress -- Control the use of the PORT command
AllowForeignAddress on
LogFormat default "%t %h %a %s %m %f %b %T \"%r\""
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
SystemLog /var/log/proftpd ALL default
Port 21
TLSEngine on # enable SSL
TLSRequired ctrl # if SSL, for both channels
# Server's certificate
TLSRSACertificateFile /var/ssl/ftpcert.pem
TLSRSACertificateKeyFile /var/ssl/ftpkey.pem
# CA the server trusts
TLSCACertificateFile /var/ssl/cacert.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
ServerName "FTP"
MaxLoginAttempts 2
RequireValidShell no
ExtendedLog /var/log/proftpd ALL default
TransferLog /var/log/proftpd ALL default
<Limit LOGIN>
Order allow, deny
AllowUser bartel
Deny from all
</Limit>
On the firewall I have:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -p tcp -d $OUT --dport 21 -j DNAT --to $LOCAL_FTP:21
iptables -t nat -A POSTROUTING -p tcp -d $LOCAL_FTP --dport 21 -j SNAT --to $OUT
iptables -A INPUT -i $OUT -p tcp --dport 60000:65535 -j ACCEPT
$IPT -N ftp
$IPT -A ftp -i $EXTERNAL -p tcp -m state --state NEW -j ACCEPT
$IPT -A ftp -i $EXTERNAL -p tcp -m limit --limit $LIMIT -j LOG --log-prefix "DROP-ftp "
$IPT -A ftp -i $EXTERNAL -j DROP
$IPT -N ftp-data
$IPT -A ftp-data -i $EXTERNAL -p tcp -m state --state NEW -j ACCEPT
$IPT -A ftp-data -i $EXTERNAL -p tcp -m limit --limit $LIMIT -j LOG --log-prefix "DROP-ftp-data "
$IPT -A ftp-data -i $EXTERNAL -j DROP
$IPT -A INPUT -i $EXTERNAL -p tcp -d $MY_IP --dport ftp -j ftp
$IPT -A INPUT -i $EXTERNAL -p tcp -d $MY_IP --dport ftp-data -j ftp-data
And when I try from outside I get this problem. If I turn SSL off everything is fine, but when I have it on:
Connected to xxxxxxx.
220-Welcome, archive user @xxxxxxxx !
The local time is: Tue Sep 27 11:39:47 2005
This is an experimental FTP server. If have any unusual problems,
please report them via e-mail to <root@xxxxxxxxx>.
220 ProFTPD 1.3.0rc2 Server (FTP) [xxxxxxxxxx]
Name (xxxxxx:xxxx): xxxxx
234 AUTH SSL successful
[SSL Cipher DHE-RSA-AES256-SHA]
331 Password required for xxxxxx.
Password:
230 User xxxxxxxx logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
ssl_getc: SSL_read failed -1 = 4
421 Service not available, remote server has closed connection
receive aborted
waiting for remote to finish abort
ftp> quit
Do you have any idea what to do about this? Did I do something wrong somewhere?
I should say up front that I googled and searched the list archive; I only found a link in
Italian and Hungarian, and nothing in it. I generated the certificate and the CA myself.
Thanks a lot
Petr