|=--------------------------=[ "Secure" FTP server ]=------------------------=|
+---------------------------------------------------------------------------+
|                                                                           |
|                     Debian 4.0 = server = 10.62.2.44                      |
|                     Proftpd (chroot) +                                    |
|                     ftp-proxy (chroot)                                    |
|                                                                           |
+---------------------------------------------------------------------------+
|=-------------------------------=[ BH 2007 ]=-----------------------------=|

This HOWTO describes the installation of the FTP server 'proftpd', chrooted
into the directory '/chroot/proftpd'. In front of the FTP server itself sits
an FTP proxy from the package of the same name, 'ftp-proxy', chrooted into
the directory '/chroot/ftp-proxy'. The ftp-proxy is configured to allow only
selected FTP commands. The client connects to the standard FTP port (21), on
which ftp-proxy listens. Ftp-proxy forwards the request to the FTP server's
port (3021).

Warning!!!: Since ftp-proxy cannot handle TLS, it is not suitable for a TLS
setup. If you want to use TLS with proftpd, disable ftp-proxy, enable TLS
support in proftpd.conf (TLSEngine on) and set the port to 21.

System diagram:
-----------------

 [ proftpd ] 10.62.2.44:3021
      ^
      |
 [ ftp-proxy ] 10.62.2.44:21
      ^
      |
 [ client ]

Prerequisite:
-------------

A base Debian 4.0 system installed

======================
0. Additional packages
======================

# apt-get install ssh
# apt-get install mc
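One consequence of the diagram above is worth handling in the host firewall before the daemons are set up: ftp-proxy's command allowlist only protects proftpd if clients cannot connect to port 3021 directly, and proftpd binds that port on the same public address (10.62.2.44) as the proxy. The rules below are an added example, not part of the original HOWTO: they accept 3021 only for connections arriving over the loopback interface, which is how the kernel delivers the proxy's own connection to 10.62.2.44:3021, and drop it for everyone else. The address and ports are the HOWTO's; the use of iptables with the INPUT chain and the variable names are assumptions, and the fragment is meant to be added to an existing policy rather than replace one.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): restrict the proftpd backend
# port so that only the local ftp-proxy can reach it. Assumes iptables and
# an existing INPUT policy these rules are appended to.
set -u

SERVER_IP=${SERVER_IP:-10.62.2.44}    # address both daemons bind (from the HOWTO)
BACKEND_PORT=${BACKEND_PORT:-3021}    # proftpd, reachable only via the proxy
PROXY_PORT=${PROXY_PORT:-21}          # ftp-proxy, the port clients use

# Emit the rules one per line, in the order they must be inserted.
# The loopback ACCEPT has to precede the DROP: ftp-proxy connects to
# $SERVER_IP:$BACKEND_PORT from the same host, and the kernel routes
# that connection over lo.
ftp_backend_rules() {
    cat <<EOF
-A INPUT -i lo -p tcp --dport $BACKEND_PORT -j ACCEPT
-A INPUT -p tcp -d $SERVER_IP --dport $BACKEND_PORT -j DROP
-A INPUT -p tcp -d $SERVER_IP --dport $PROXY_PORT -j ACCEPT
EOF
}

# Apply the emitted rules with iptables (run as root).
apply_ftp_backend_rules() {
    ftp_backend_rules | while read -r rule; do
        # word-splitting of $rule into iptables arguments is intended
        iptables $rule
    done
}

# Self-check on the rule text: the DROP for the backend port must exist
# and must come after the loopback ACCEPT, otherwise the proxy itself
# would be cut off. Returns 0 when the ordering is right.
backend_rules_are_ordered() {
    accept_line=$(ftp_backend_rules | grep -n -- "-i lo .*--dport $BACKEND_PORT -j ACCEPT" | cut -d: -f1)
    drop_line=$(ftp_backend_rules | grep -n -- "--dport $BACKEND_PORT -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Usage (as root): review with `ftp_backend_rules`, then `apply_ftp_backend_rules`.
```

Review the output of ftp_backend_rules before applying; data connections (PASV/PORT ports) are a separate matter and are not touched by these three rules.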
==============
1. Ftp-proxy
==============

# apt-get install ftp-proxy

------------------------------------
1.1 Creating the ftp-proxy user
------------------------------------

# groupadd ftpproxy
# useradd -g ftpproxy ftpproxy

-----------------------
1.2 Chrooting ftp-proxy
-----------------------

Creating the directory structure (the jail)
-------------------------------------------

# mkdir -p /chroot/ftp-proxy/dev
# mkdir -p /chroot/ftp-proxy/usr/sbin
# mkdir -p /chroot/ftp-proxy/etc/proxy-suite
# mkdir -p /chroot/ftp-proxy/var/run/
# mkdir -p /chroot/ftp-proxy/var/log/
# mkdir -p /chroot/ftp-proxy/usr/lib
# mkdir -p /chroot/ftp-proxy/lib/tls/i686/cmov

Creating the null device (character device, major 1, minor 3 on Linux)
----------------------------------------------------------------------

# mknod /chroot/ftp-proxy/dev/null c 1 3
# chown root:sys /chroot/ftp-proxy/dev/null
# chmod 666 /chroot/ftp-proxy/dev/null

binary -> jail
------------------

# cp /usr/sbin/ftp-proxy /chroot/ftp-proxy/usr/sbin/

config files -> jail
----------------------

# cp /etc/proxy-suite/* /chroot/ftp-proxy/etc/proxy-suite/
# grep -E ^ftpproxy: /etc/passwd >> /chroot/ftp-proxy/etc/passwd
# grep -E ^ftpproxy: /etc/group >> /chroot/ftp-proxy/etc/group

libraries -> jail (# ldd /usr/sbin/ftp-proxy )
------------------------------------------------

# cp /lib/libwrap.so.0 /chroot/ftp-proxy/lib
# cp /usr/lib/libldap_r.so.2 /chroot/ftp-proxy/usr/lib
# cp /lib/tls/i686/cmov/libcrypt.so.1 /chroot/ftp-proxy/lib/tls/i686/cmov
# cp /lib/tls/i686/cmov/libc.so.6 /chroot/ftp-proxy/lib/tls/i686/cmov
# cp /lib/tls/i686/cmov/libnsl.so.1 /chroot/ftp-proxy/lib/tls/i686/cmov
# cp /usr/lib/liblber.so.2 /chroot/ftp-proxy/usr/lib
# cp /lib/tls/i686/cmov/libresolv.so.2 /chroot/ftp-proxy/lib/tls/i686/cmov
# cp /lib/tls/i686/cmov/libdl.so.2 /chroot/ftp-proxy/lib/tls/i686/cmov
# cp /usr/lib/libsasl2.so.2 /chroot/ftp-proxy/usr/lib
# cp /usr/lib/libgnutls.so.13 /chroot/ftp-proxy/usr/lib
# cp /lib/tls/i686/cmov/libpthread.so.0 /chroot/ftp-proxy/lib/tls/i686/cmov
# cp /usr/lib/libtasn1.so.3 /chroot/ftp-proxy/usr/lib
# cp /usr/lib/libz.so.1 /chroot/ftp-proxy/usr/lib
# cp /usr/lib/libgcrypt.so.11 /chroot/ftp-proxy/usr/lib
# cp /usr/lib/libgpg-error.so.0 /chroot/ftp-proxy/usr/lib

basic libraries -> jail
----------------------------

# cp /lib/libnss_compat* /chroot/ftp-proxy/lib/
# cp /lib/libnss_dns* /chroot/ftp-proxy/lib/
# cp /lib/libnss_files* /chroot/ftp-proxy/lib/

----------------------------
1.3 Configuring ftp-proxy
----------------------------

#####################################################################
#
# $Id: ftp-proxy.conf.sample,v 1.6.2.4 2005/01/11 13:00:01 mt Exp $
#
# Sample FTP Proxy Configuration File
#
# For more information, see ftp-proxy.conf(5) manual page.
#
# The general format is "Keyword Value".
#
# Any white space at the beginning or end of a line and after
# the Keyword is ignored. Lines can be continued with '\'.
# Case is *NOT* sensitive, so "user" is "User" is "USER".
#
# Several variables can also be assigned to a client's user name.
# User specific sections are introduced by a '[username]' line.
# The variables are: TimeOut, ValidCommands, SameAddress,
#                    ActiveMinDataPort, ActiveMaxDataPort,
#                    PassiveMinDataPort, PassiveMaxDataPort,
#                    DestinationAddress, DestinationPort,
#                    DestinationMinPort, DestinationMaxPort,
#                    DestinationTransferMode
# These variables can also be obtained from an LDAP server, in
# which case the values from this file are not evaluated any
# more.
#
#####################################################################

#
# The start of the file is implicitly the [-Global-] section.
#
[-Global-]

#
# The following entries select a port range for client DTP
# ports in active mode, i.e. when the client sends a PORT
# command. The default is port 20 as per RFC 959, if the
# proxy is running as root (user ID 0) or a random port.
#
# ActiveMinDataPort 40000
# ActiveMaxDataPort 40999

#
# The following flag is especially useful for outbound FTP
# traffic. It allows to put some "magic" in the USER name.
# If set, it enables the USER name to contain the target
# server in the form "user[@host[:port]]" and overrides
# the DestinationAddress (and DestinationPort) below.
# See also ForceMagicUser option.
#
AllowMagicUser no

#
# The following setting allows you to configure a so called
# transparent proxy for outgoing ftp. To get it working you
# also have to redirect client requests on a gateway or
# firewall host (i.e. via ipchains) to the ftp-proxy.
# You can combine this with the AllowMagicUser flag.
#
# AllowTransProxy no

#
# This message prevents any login if a file with the given
# name exists. Instead the contents of the file will be sent
# to the client and the connection closed. Lines are prefixed
# with "421-". If no such file exists, the mechanism is not
# triggered and DenyString (s.b.) is ignored altogether.
#
#DenyMessage /etc/proxy-suite/ftp-deny.txt

#
# If a DenyMessage file exists, the deny mechanism will be
# activated in any case. If a DenyString exists, it will be
# sent (with escape sequences) as the last line (with a 421
# reply code), else the standard message
# "Service not available" will be displayed.
#
#DenyString Service out of order

#
# Where to redirect incoming FTP traffic. This destination
# will be used if a client has not set its own target.
# WARNING: ftp-proxy will refuse to run if this directive
# is not set and transparent proxying not enabled (see also
# AllowTransProxy).
#
DestinationAddress 10.62.2.44

#
# (Local) port range for all connections to the server. The
# default is to let the proxy select any ephemeral port.
#
# DestinationMinPort 42900
# DestinationMaxPort 42999

#
# This is the port corresponding to DestinationAddress. It
# defaults to 21, the standard FTP port.
#
DestinationPort 3021

#
# Specify the FTP transfer mode to be used from the proxy to
# the server. TransferMode can be active, passive, or client.
# The default is "client" which means to use the same as the
# client.
#
# DestinationTransferMode client
# DestinationTransferMode passive
# DestinationTransferMode active

#
# Defines the action that is taken when a data transfer command
# is failed on the server side. If set to "yes", the client
# socket will be reset after a command is failed and the transfer
# mode reset to the default (active ftp).
# This option is a workaround for Netscape (4.x) clients, that
# sends a second data transfer command if the first is failed
# while "user click" on a symbolic link pointing to a directory.
#
# FailResetsPasv no

#
# Same as AllowMagicUser, but makes the host and port portion
# mandatory.
#
# ForceMagicUser no

#
# Limits the number of incoming client connections per minute
# in daemon mode - it defaults to 40 connections per minute.
#
# ForkLimit 40

#
# If given, change GID to give up root privileges. In POSIX
# environments this changes all group ID's.
#
Group ftpproxy

#
# Defines a different base distinguished name that is used
# when accessing an LDAP directory for user authentication
# purposes. Defaults to LDAPBaseDN.
#
# LDAPAuthDN dc=domain,dc=tld

#
# Defines an attribute and its value as 'attr=value' string,
# that will be checked while user authentication.
#
# LDAPAuthOKFlag allowedService=FTPProxy

#
# Defines the LDAP password attribute name used for user
# authentication. Defaults to an empty string - password
# authentication disabled.
#
#LDAPAuthPWAttr userPassword

#
# Defines password type used in LDAP followed by the minimal
# allowed password length (default is 5). Valid values are:
#   plain, crypt, {crypt}
# optionally followed by one number 0-9, i.e. {crypt}7,
# plain9 or plain. Defaults to plain (length is 5).
#
#LDAPAuthPWType plain

#
# When accessing the LDAP directory, a search base can be
# handed to the search functions. We strongly recommend to
# do so. This is the "root" of the relevant search tree.
#
# LDAPBaseDN dc=domain,dc=tld

#
# Use distinguished name to (simple) bind to the directory
# service. If not set, an anonymous bind is used.
# If (exactly one) %s is used, the name will be replaced
# by the auth name while user authentication or the FTP
# user name.
#
# LDAPBindDN uid=%s,dc=domain,dc=tld
# LDAPBindDN uid=ftp-proxy,dc=domain,dc=tld

#
# Use credential (password) to bind to the directory service
# using distinguished name given with LDAPBindDN.
#
# LDAPBindPW aPassword

#
# The next thing to decide when using LDAP is the attribute
# used as the main identificator. Some administrators will
# use the CN (Common Name) attribute, and this is also the
# default, but it can be any legal identifier.
#
# LDAPIdentifier LoginName

#
# Additionally, an LDAP ObjectClass should be defined for
# the FTP User(s). This will be especially useful if the
# user entries are located inside a mixed LDAP hierarchy.
# If an ObjectClass is given, the search is executed as:
# "(&(ObjectClass=)(CN=))", else it will
# just be based upon CN (the Common Name) or whatever has
# been assigned to LDAPIdentifier above.
#
# LDAPObjectClass FTPProxyUser

#
# Access information based upon users can also be obtained
# dynamically from an LDAP directory. This works only if the
# program was compiled with LDAP support. Both the University
# of Michigan and the Netscape LDAP API are supported.
#
# LDAPServer ldap.domain.tld[:port]

#
# Set to listen on a specific interface (0.0.0.0 means all
# and is also the default). Address can be given as dotted
# decimal IP address or DNS host name.
#
Listen 10.62.2.44

#
# Determine where to send logging information. If the value
# starts with a '/' it is assumed to be a file. If it starts
# with a '|' it is assumed to be a program which will be
# popen()-ed. Anything else is assumed to be a facility for
# syslog(). See ftp-proxy.conf(5) and the "SYSLOG" file for
# severity handling.
#
LogDestination daemon
#LogDestination /var/log/ftp-proxy.log
# LogDestination |/usr/bin/rotatelogs /var/log/ftp-proxy.log

#
# Defines the maximal level of logged messages. The levels
# are, in order of decreasing importance:
#   FLT, ERR, WRN, INF, DBG
# The default level is INF. A LogLevel set to WRN causes,
# that only messages of levels FLT, ERR, WRN will be logged.
#
LogLevel INF

#
# Maximum number of concurrent clients if running as daemon.
#
MaxClients 32

#
# This message (or rather the contents of a file with this
# name) will be issued when MaxClients is exceeded, each
# line prefixed with "421-". If no such file exists, only
# the MaxClientsString below will be displayed.
#
#MaxClientsMessage /etc/proxy-suite/ftp-maxclients.txt

#
# This string (with a default of "Service not available") will
# be displayed, if the configured maximum number of concurrent
# clients has been reached. It is prefixed with '421 '.
#
MaxClientsString The server is full

#
# Defines the maximum number of bytes read from socket at once
# while data transfers. Default is to read all data as reported
# by the kernel.
# It may be useful to set a limit (i.e. to 8192), if your proxy
# machine uses two interfaces of different speed, i.e. the clients
# are accessing the proxy via a high-speed interface (i.e.
# FastEthernet) and the proxy is accessing servers using a slower
# one (i.e. modem, ISDN link) and your ftp-clients aborts the data
# transfers because of a timeout.
#
# MaxRecvBufSize 0

#
# The following entries select a port range for client DTP
# ports in passive mode, i.e. when the client sends a PASV.
# If no port range is given, no bind is performed, in which
# case the proxy lets the machine select an ephemeral port.
#
# PassiveMinDataPort 41000
# PassiveMaxDataPort 41999

#
# Write an ASCII file with the Program ID if given. Only valid
# if running as daemon, in which case the daemon itself uses it.
#
PidFile /chroot/ftp-proxy/var/run/ftp-proxy.pid

#
# Port to listen on (for the SERVER-PI). Default is "ftp".
# Can be given as TCP service name or as a plain number.
#
Port 21

#
# The following flag specifies the action when a PORT command
# is received while a PASV listening socket is outstanding.
# The RFC is not really clear about the "correct" behaviour,
# but since most existing implementations seem to reset the
# listener, we do the same by default. Nevertheless they all
# may be ... inaccurate.
#
# PortResetsPasv yes

#
# Shall we allow data connections only from the same host where
# the control connection originated from? Default is yes. If
# you say no here, the proxy is able to take part in so called
# third party server to server transfers.
#
# SameAddress yes

#
# If given, chroot() to this directory after initializing.
#
# Note, that you have to create the /dev/null device and copy
# all needed libraries, configuration files, ... into this
# directory first!
#
ServerRoot /chroot/ftp-proxy

#
# Determine whether to run as daemon or in inetd mode. This can
# be overridden by -d/-i command line switch. Default is inetd.
#
# ServerType inetd
ServerType standalone

#
# Enable this flag if you want to use a random port in
# the specified range with PassiveMinDataPort/MaxDataPort,
# DestinationMinPort/MaxPort, ActiveMinPort/MaxDataPort
# instead of incrementing the port number.
#
# SockBindRand no

#
# Shall we use the TCP Wrapper Library when running as daemon?
# "on", "yes", "true" or a non-zero number means yes, anything
# else no. Default no. Only applicable when running as daemon.
# Note that TCP Wrapper support must be compiled in for this to
# work.
#
#TCPWrapper yes

#
# Defines the name to use for TCPWrapper checks. Default is
# to use the base name of the ftp-proxy binary (ftp-proxy).
#
#TCPWrapperName ftp-proxy

# If a client has no activity for this many seconds, it is
# regarded to be dead and the connection will be terminated.
# Default is 900 seconds, i.e. 15 minutes.
#
TimeOut 900

#
# If the proxy server needs to advertise itself (in outgoing
# responses to the ftp-server, like answers to PASV commands)
# with a different address than it actually has, the following
# option can be used. Relevant e.g. when using a NAT device
# in the path.
#
# TranslatedAddress 0.0.0.0

#
# If given, change UID to give up root privileges. In POSIX
# environments this changes all user ID's.
# If set, the proxy will use non-privileged ports (>1024) for
# active mode ftp transfers - see also ActiveMin/MaxDataPort.
#
User ftpproxy

#
# Defines the mechanism, the proxy should use to authenticate
# users - currently "ldap" is implemented.
#
# UserAuthType ldap

#
# Defines if additional and the order of user authentication
# name and password should be encoded in FTP USER and PASS
# commands, as supported by some ftp-client's (i.e. @auth by
# NcFTP). Valid settings are:
#
#   @auth   for ftpuser@authuser[@host:port]
#   auth@   for authuser@[ftpuser@host:port]
#
# UserAuthMagic @auth

#
# Defines the character to use as separator between user
# and host[:port] in the target setting of AllowMagicUser
# Default is the '@' character. This allows you to use
# E-Mail addresses as usernames for login to the ftp server
# (i.e. me@mydomain%ftp.server:21 if you set it to %).
#
# UseMagicChar %
# UserMagicChar %

#
# Allows to define a regular expression rule for validation
# of the user name. The default setting matches the usual
# cases inclusive E-Mail addresses and "domain/user" names:
#
# UserNameRule ^[[:alnum:]]+([%20@/\._-][[:alnum:]]+)*$

#
# List of FTP commands that will be allowed from a client.
# All commands not on this list will be rejected. If no list
# exists, then all commands will be allowed.
# Each command can be followed by an optional equals sign
# and regular expression (POSIX 1003.2) to restrict legal
# argument(s) syntax. In order to avoid confusing the
# configuration reading functions, the expression is "pre-
# processed." This means that a sequence like "%20" will be
# replaced by a space and "%5c" or "%5C" by a backslash
# before being compiled. In fact, this looks a bit like the
# HTML way of doing things. The percent sign itself is
# represented by "%25" of course. The pattern is interpreted
# as a POSIX 1003.2 RE (with REG_NEWLINE flag set), and is
# case sensitive. In any case, this works only if compiled
# with regular expression support compiled into the program.
#
ValidCommands ABOR, PASS, PASV, STOR, USER, \
              MODE, QUIT, SYST, CWD, GET, LIST, \
              MKD, RMD, TYPE, RETR, PWD, XPWD, \
              SIZE, REST, DELE, PORT, MDTM

#
# This file will be presented to all clients immediately after
# the connection has been established. Each line is prefixed
# with "220-". The whole message is followed by a standard
# "220 FTP server () ready" or whatever has
# been substituted with WelcomeString below. Escape sequences
# (like %h for hostname; see ftp-proxy.conf(5)) are active.
#
#WelcomeMessage /etc/proxy-suite/ftp-welcome.txt

#
# If we wanted to disguise as some known other FTP server we
# could use the following option. It replaces the standard
# " FTP server () ready" in the initial 220
# message. As with all Messages and Strings, various escape
# sequences are available.
#
WelcomeString Welcome to %h

############################################################
# $Log: ftp-proxy.conf.sample,v $
# Revision 1.6.2.4  2005/01/11 13:00:01  mt
# fixed default UserNameRule regexp rejecting user
# names where the 3. character is not alphanumeric
#
# Revision 1.6.2.3  2004/03/30 12:04:16  mt
# - changed awk,grep,logger paths to /bin and ServerRoot
#   to /var/lib/ftp-proxy/rundir (/var/ftp-proxy/rundir)
#   in rc-script and config samples
#
# Revision 1.6.2.2  2004/03/22 12:38:12  mt
# added UserNameRule option allowing a regex
# override of the builtin user name checks
#
# Revision 1.6.2.1  2003/05/07 11:07:49  mt
# added ForceMagicUser variable
#
# Revision 1.6  2002/05/02 13:44:52  mt
# added documented user auth related variables
#
# Revision 1.5  2002/01/14 19:15:01  mt
# actualized, added LogLevel TCPWrapperName MaxRecvBufSize options
#
# Revision 1.4  2001/11/06 23:04:44  mt
# applied / merged with transparent proxy patches v8
# see ftp-proxy/NEWS for more detailed release news
#
# Revision 1.3  1999/09/24 06:39:43  wiegand
# added regular expressions for all commands
# removed character map and length of paths
# added flag to reset PASV on every PORT
# added "magic" user with built-in destination
# added some argument pointer fortification
#
# Revision 1.2  1999/09/17 11:04:02  wiegand
# added path name restriction options
#
# Revision 1.1  1999/09/16 07:53:54  wiegand
# initial checkin
#
############################################################

===================
2. Proftpd server
===================

# apt-get install proftpd

--------------------------
2.1 Configuring Proftpd
--------------------------

creating the ftpusers group
-----------------------------

# ftpasswd --group --name=ftpusers --gid=1000 --file /chroot/proftpd/etc/ftpgroup

creating the ftptest user
-----------------------------

# ftpasswd --passwd --name=ftptest --gid=1000 --uid=1001 --home=/home/ftptest --shell=/bin/false --file /chroot/proftpd/etc/ftppasswd

---------------------------
/etc/proftpd/proftpd.conf
---------------------------

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6                         off

ServerName                      "Server FTP"
ServerType                      standalone
DeferWelcome                    off

MultilineRFC2228                on
DefaultServer                   off
ShowSymlinks                    on

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                     "-l"

DenyFilter                      \*.*/

# bind to a specific IP address
SocketBindTight                 on
DefaultAddress                  10.62.2.44

# chroot users into their home directories
DefaultRoot                     ~

# speed up logging by disabling ident lookups
IdentLookups                    off

# set the server identification string
ServerIdent                     on "Reprex FTP"

# Port 21 is the standard FTP port.
Port                            3021

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            proftpd
Group                           proftpd

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022
# Normally, we want files to be overwriteable.
AllowOverwrite                  on

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd              off

# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
# UseSendFile                   off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

<IfModule mod_tls.c>
TLSEngine                       off
TLSLog                          /var/log/proftpd/proftpd_tls.log
TLSOptions                      NoCertRequest
TLSProtocol                     SSLv23
TLSRequired                     off
TLSVerifyClient                 off
TLSRSACertificateFile           /etc/proftpd/ftpd-rsa.pem
TLSRSACertificateKeyFile        /etc/proftpd/ftpd-rsa-key.pem
</IfModule>

<IfModule mod_quota.c>
QuotaEngine on
</IfModule>

<IfModule mod_ratio.c>
Ratios on
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        on
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>

RequireValidShell off
AuthUserFile      /etc/ftppasswd
AuthGroupFile     /etc/ftpgroup

#
#
# AllowGroup ftptest
# DenyAll
#
#
# AllowGroup ftptest
# DenyAll
#
#
# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User                          ftp
#   Group                         nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias                     anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser on ftp
#   DirFakeGroup on ftp
#
#   RequireValidShell             off
#
#   # Limit the maximum number of anonymous logins
#   MaxClients                    10
#
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin                  welcome.msg
#   DisplayFirstChdir             .message
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
#
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask                     022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
#
# </Anonymous>

---------------------
2.2 Chrooting Proftpd
---------------------

Creating the directory structure (the jail)
-------------------------------------------

# mkdir -p /chroot/proftpd/lib
# mkdir -p /chroot/proftpd/usr/lib/proftpd
# mkdir -p /chroot/proftpd/usr/lib/i686/cmov
# mkdir -p /chroot/proftpd/lib/tls/i686/cmov
# mkdir -p /chroot/proftpd/usr/sbin
# mkdir -p /chroot/proftpd/etc/proftpd
# mkdir -p /chroot/proftpd/var/run/proftpd
# mkdir -p /chroot/proftpd/home
# mkdir -p /chroot/proftpd/var/log/proftpd

binary -> jail
------------------

# cp /usr/sbin/proftpd /chroot/proftpd/usr/sbin/

modules -> jail
------------------

# cp /usr/lib/proftpd/* /chroot/proftpd/usr/lib/proftpd

config files -> jail
----------------------

# cp /etc/proftpd/* /chroot/proftpd/etc/proftpd
# grep -E ^proftpd: /etc/passwd >> /chroot/proftpd/etc/passwd
# grep -E ^ftp: /etc/passwd >> /chroot/proftpd/etc/passwd
# grep -E ^proftpd: /etc/group >> /chroot/proftpd/etc/group
# cp /etc/resolv.conf /chroot/proftpd/etc/
# cp /etc/nsswitch.conf /chroot/proftpd/etc/
# cp /etc/localtime /chroot/proftpd/etc/

libraries -> jail (# ldd /usr/sbin/proftpd )
----------------------------------------------

# cp /lib/libacl.so.1 /chroot/proftpd/lib
# cp /lib/libattr.so.1 /chroot/proftpd/lib
# cp /lib/libpam.so.0 /chroot/proftpd/lib
# cp /lib/ld-linux.so.2 /chroot/proftpd/lib
# cp /lib/tls/i686/cmov/libcrypt.so.1 /chroot/proftpd/lib/tls/i686/cmov
# cp /lib/tls/i686/cmov/libdl.so.2 /chroot/proftpd/lib/tls/i686/cmov
# cp /lib/tls/i686/cmov/libc.so.6 /chroot/proftpd/lib/tls/i686/cmov

libraries needed by the mod_tls.c module -> jail (# ldd /usr/lib/proftpd/mod_tls.so )
-------------------------------------------------------------------------------------

# cp /usr/lib/i686/cmov/libssl.so.0.9.8 /chroot/proftpd/usr/lib/i686/cmov
# cp /usr/lib/i686/cmov/libcrypto.so.0.9.8 /chroot/proftpd/usr/lib/i686/cmov
# cp /lib/tls/i686/cmov/libdl.so.2 /chroot/proftpd/lib/tls/i686/cmov
# cp /usr/lib/libz.so.1 /chroot/proftpd/usr/lib

libraries needed by the mod_ldap.c module -> jail
-------------------------------------------------

# cp /usr/lib/libldap_r.so.2 /chroot/proftpd/usr/lib
# cp /usr/lib/liblber.so.2 /chroot/proftpd/usr/lib
# cp /lib/tls/i686/cmov/libresolv.so.2 /chroot/proftpd/lib/tls/i686/cmov
# cp /usr/lib/libsasl2.so.2 /chroot/proftpd/usr/lib
# cp /usr/lib/libgnutls.so.13 /chroot/proftpd/usr/lib
# cp /lib/tls/i686/cmov/libpthread.so.0 /chroot/proftpd/lib/tls/i686/cmov
# cp /usr/lib/libtasn1.so.3 /chroot/proftpd/usr/lib
# cp /usr/lib/libgcrypt.so.11 /chroot/proftpd/usr/lib
# cp /usr/lib/libgpg-error.so.0 /chroot/proftpd/usr/lib
# cp /lib/tls/i686/cmov/libnsl.so.1 /chroot/proftpd/lib/tls/i686/cmov

libraries needed by the mod_sql_mysql.c module -> jail
------------------------------------------------------

# cp /lib/tls/i686/cmov/libm.so.6 /chroot/proftpd/lib/tls/i686/cmov
# cp /usr/lib/libmysqlclient.so.15 /chroot/proftpd/usr/lib

libraries needed by the mod_sql_postgres.c module -> jail
---------------------------------------------------------

# cp /usr/lib/libpq.so.4 /chroot/proftpd/usr/lib
# cp /usr/lib/libkrb5.so.3 /chroot/proftpd/usr/lib
# cp /lib/libcom_err.so.2 /chroot/proftpd/lib
# cp /usr/lib/libk5crypto.so.3 /chroot/proftpd/usr/lib
# cp /usr/lib/libkrb5support.so.0 /chroot/proftpd/usr/lib

libraries needed by the mod_wrap.c module -> jail
-------------------------------------------------

# cp /lib/libwrap.so.0 /chroot/proftpd/lib

basic libraries -> jail
----------------------------

# cp /lib/libnss_compat* /chroot/proftpd/lib/
# cp /lib/libnss_dns* /chroot/proftpd/lib/
# cp /lib/libnss_files* /chroot/proftpd/lib/

other files -> jail
-------------------------

# cp /var/run/proftpd/proftpd.delay /chroot/proftpd/var/run/proftpd
# cp /var/log/wtmp /chroot/proftpd/var/log
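The library lists in sections 1.2 and 2.2 were assembled by hand from `ldd` output and copied one file at a time. The script below is an added example, not part of the original HOWTO, that does the same job generically for any binary: it copies the binary and every library `ldd` resolves for it to the same path under the jail, appends only the named account lines to the jail's passwd and group files, and then checks that nothing `ldd` needs is missing from the jail. The jail path and binary are parameters; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): copy a binary and the
# shared libraries `ldd` reports for it into a chroot jail, then verify
# that every dependency resolves inside the jail. JAIL and BIN are
# assumed parameters; the layout (same absolute paths under the jail)
# is the one the HOWTO builds by hand.
set -u

# Print the absolute paths ldd reports for a binary, one per line.
# Handles both "libfoo.so.1 => /lib/libfoo.so.1 (0x...)" and the bare
# "/lib/ld-linux.so.2 (0x...)" form used for the dynamic loader;
# "not found" entries and the vdso are skipped. Without ldd nothing is printed.
ldd_paths() {
    bin="$1"
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }'
}

# Copy one file into the jail at the same absolute path, following
# symlinks so the jail holds a real file rather than a dangling link.
jail_copy() {
    jail="$1"; src="$2"
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# Copy the binary plus everything ldd lists; non-zero if any copy fails.
populate_jail() {
    jail="$1"; bin="$2"
    rc=0
    jail_copy "$jail" "$bin" || rc=1
    for lib in $(ldd_paths "$bin"); do
        jail_copy "$jail" "$lib" || rc=1
    done
    return $rc
}

# Check that the jail contains the binary and every library ldd needs.
# Prints each missing path; returns 1 if anything is missing.
check_jail() {
    jail="$1"; bin="$2"
    missing=0
    for f in "$bin" $(ldd_paths "$bin"); do
        if [ ! -f "$jail$f" ]; then
            echo "missing in jail: $f"
            missing=1
        fi
    done
    return $missing
}

# Append exactly one account line (matched by name at the start of the
# line) from the host's passwd and group files to the jail's copies.
jail_add_account() {
    jail="$1"; name="$2"
    mkdir -p "$jail/etc"
    grep -E "^$name:" /etc/passwd >> "$jail/etc/passwd"
    grep -E "^$name:" /etc/group  >> "$jail/etc/group"
}

# Usage (as root): sh build-jail.sh /chroot/ftp-proxy /usr/sbin/ftp-proxy
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    populate_jail "$1" "$2" && check_jail "$1" "$2" && echo "jail $1 is complete for $2"
fi
```

Modules that proftpd loads at run time (mod_tls.so and the others listed above) are not visible to `ldd` on the main binary, so run populate_jail once per module .so as well, exactly as the HOWTO does by hand; the NSS modules (libnss_*) are also loaded at run time and still have to be copied explicitly.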
Generating the server certificate and key
--------------------------------------------

# cd /chroot/proftpd/etc/proftpd
# openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem

Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Slovakia
Locality Name (eg, city) []:Kosice
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Firma
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:ftp.domena.sk
Email Address []:ftp@domena.sk

Starting proftpd in the chroot
------------------------------

# chroot /chroot/proftpd proftpd

==========
3. Linkz
==========

Proftpd
---------

http://www.proftpd.org
http://www.proftpd.org/docs/directives/linked/by-name.html
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
http://www.castaglia.org/proftpd/modules/mod_tls.html
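The `openssl req` run in the certificate step above answers its questions interactively. The following script is an added example, not part of the original HOWTO, that produces the same two files non-interactively with the subject values typed above, restricts the key file to root (proftpd reads it at startup before switching to the configured User and Group), and verifies that the certificate and key belong together. The target directory is a parameter; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): create the proftpd TLS
# certificate and key without the interactive prompts, set the permissions
# the key needs, and verify the result. File names match the
# TLSRSACertificateFile/TLSRSACertificateKeyFile directives in
# proftpd.conf above; the subject values are the ones typed at the
# prompts in the HOWTO; DIR is an assumed parameter.
set -u

# Generate a self-signed RSA certificate valid for 365 days, as in the HOWTO.
make_ftpd_cert() {
    dir="$1"
    mkdir -p "$dir"
    # -subj replaces the interactive questions; -nodes leaves the key
    # unencrypted, which proftpd needs in order to start unattended.
    openssl req -new -x509 -days 365 -nodes \
        -subj "/C=SK/ST=Slovakia/L=Kosice/O=Firma/CN=ftp.domena.sk/emailAddress=ftp@domena.sk" \
        -out "$dir/ftpd-rsa.pem" -keyout "$dir/ftpd-rsa-key.pem" 2>/dev/null || return 1
    # proftpd reads the key as root before switching to User/Group, so the
    # key should be readable by root only; the certificate is public.
    chmod 600 "$dir/ftpd-rsa-key.pem" && chmod 644 "$dir/ftpd-rsa.pem"
}

# Returns 0 only if the key file exists with mode 0600 exactly.
key_is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600)" ]
}

# Print the certificate subject (fails for a file that is not a certificate).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Returns 0 if the private key belongs to the certificate (same RSA modulus),
# which catches a cert and key left over from different runs of `openssl req`.
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# Usage (as root): sh make-ftpd-cert.sh /chroot/proftpd/etc/proftpd
if [ -n "${1:-}" ]; then
    make_ftpd_cert "$1" && key_is_private "$1/ftpd-rsa-key.pem" \
        && cert_matches_key "$1/ftpd-rsa.pem" "$1/ftpd-rsa-key.pem" \
        && cert_subject "$1/ftpd-rsa.pem"
fi
```

Because the HOWTO runs proftpd inside /chroot/proftpd, the directory passed in must be the jail's copy of /etc/proftpd, not the host's, which is also where the interactive step above changes to before running openssl.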