1. Check line 7 in /opt/etc/proftpd.conf if it reads: ServerType standalone. If not, change this.

I don't see why this is necessary. By downloading the config.bin file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?

I don't see why this is necessary. By downloading the config.bin? file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?

1. Check line 7 in /opt/etc/proftpd.conf if it reads: ServerType? standalone. If not, change this.

1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d.
2. The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.

1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d. NB: The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.

NB: The default config is for use with xinetd. To use the standalone server, change line 7 in /opt/etc/proftpd.conf into ServerType? standalone.

Warning! You could seriously screw up your slug installing this. Do it with caution and backup/image your drive first! I spent days trying to clean up the mess! --Alienz

1. off - clients can connect using insecure FTP or secure FTP/SSL
2. ctrl - encrypt only the ctrl channel using FTP/SSL
3. data - encrypt only the data channel using FTP/SSL (not recommended)
4. on - encrypt both the ctrl and data channels using FTP/SSL

1. off - client SSL certificates are not requried
2. on - client SSL certificates are required

1. SSLv23? - Use SSL3? for ctrl and TLS1? for data channels (works with most clients)

1. Clients are required to use FTP over SSL/TLS when talking to this server

1. ctrl = encrypt only the ctrl channel using FTP/SSL
2. data = encrypt only the data channel using FTP/SSL (not recommended)
3. on = encrypt both the ctrl and data channels using FTP/SSL

Using a Linux compatable text editor insert the following script section into the proftpd configuration file /opt/etc/proftpd.conf, just paste it to the end of the file.

1. Set the TLSProtocol? to one of the following
2. SSLv23? - Use SSL3? for ctrl and TLS1? for data ports (works with most clients)
3. SSLv3? - Use only SSL3?
4. TLSv1? - Use only TLS1?

1. off = clients can connect using insecure FTP or secure FTP/SSL
2. ctrl = encrypt only the ctrl port using FTP/SSL
3. data = encrypt only the data port using FTP/SSL (not recommended)
4. on = encrypt both the ctrl and data ports using FTP/SSL

	TLSRequired? ctrl

1. Authenticate clients that want to use FTP over SSL/TLS

Note that all use of SSLv2 is disabled by default with ProFTPD.

RobHam - modified Feb 2007

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This is needed to be compatable with the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line the control port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

The three possible TLSprotocol settings are :-

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSLv3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

• SSLv23 - allow both SSLv3 and TLSv1
• SSLv3 - allow only SSLv3
• TLSv1 - allow only TLSv1

All use of SSLv2 is disabled.

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSLv3? was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSLv3 and the data port traffic using TLSv1.

The three possible protocol settings are :-

• SSLv23? - used to allow both SSLv3? and TLSv1?
• SSLv3? - allow only SSLv3?
• TLSv1? - allow only TLSv1?

All use of SSLv2? is disabled.

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23 the config port traffic will be encrypted using SSL3 (SSL2 with some older clients) and the data port traffic using TLS1.

After making my proftpd require TLS and trying to connect to it using sftp I kept getting the following error:

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23) the config port traffic will be encrypted using SSL3 (and perhaps SSL2 with some older clients) and the data port traffic using TLS1.

	TLSProtocol? SSLv23?

Note that the above script includes a modification (TLSProtocol TLSv1 changed to TLSProtocol SSLv23). This change is needed because support for SSL ver 3 was introduced into the current version of the OpenSSL? package and using the old config line would cause some FTP client programs problems during logging in. When using the new config line TLSProtocol SSLv23) the config port traffic will be encrypted using SSL3? (and perhaps SSL2? with some older clients) and the data port traffic using TLS1?.

Note that some FTP clients that claim to support SSL seem to have problems connecting when server side SSL/TLS is enabled. If you experience problems where connections are rejected then a work around that works in most cases is to change the relevant line above to TLSProtocol SSLv23

Note that some FTP clients that claim to support SSL do not fully support the TLS version 1 protocol. If you experience problems where connections are rejected then a workaround that works in most cases is to change the relevant line above to TLSProtocol SSLv23

-Mark

I also find use full information on th following website http://gentoo-wiki.com/HOWTO_ProFTPD

(Note2: Probably obvious [but I missed it] but xinetd needs to be installed and configured prior to installing proftpd. "ipkg install xinetd" Check the only_allow line carefully in the /opt/etc/xinetd.conf to ensure it matches your network / requirements for ftp / telnet client ip address ranges i.e. 192.168.1.0/24 will need changing if your local network uses a different IP range, and you may need external ip addresses to be able to access your box. - Rufus)

(Note: Didn't work for me as the "/var/log/run/xinetd.pid" was not created... ps aux |grep xinet will show you the PID to use instead of "`cat /var/run/xinetd.pid`" -Stein)

I don't see why this is necessary. By downloading the config.bin file (using the web UI), you can save permanent (across reboot) changes to the /etc/passwd file. (This is described in more detail elsewhere, e.g., look on http://www.batbox.org/nslu2-linux.html). This worked fine for me. Am I missing something? Are there other changes (alluded to above) that blow it away?

ingeba

• Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access across a NAT enabled router by enabling a Passive port range. The following example will configure twenty Passive ports for data transfer in the range 50000 to 50019. Both passive ports and your external IP-address/hostname are needed if there is no hidden FTP proxy in the NAT router or the FTP control connection is encrypted (TLS/SSL).

NOTE: Experience shows that there is very little to gain performance-wise from running standalone. The gain from running from xinetd depends on the amount of time proftpd is in active use (the less it is in use, the more often more RAM is available to other apps).

• It takes a long time from the initial connection to proftpd is made until the login prompt appears (several seconds). This is solved by putting the following lines in the main section of /opt/etc/proftpd.conf (not global or a virtual server section):

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 UseReverseDNS off
 IdentLookups off

(:tableend:)

• Supports large files (> 2GB)

Fix Received message too long Errors

Received message too long 458961211

After making my proftpd require TLS and trying to connect to it using sftp (thanks for the tutorial RobHam) I kept getting the following error: Received message too long 458961211

The reason that this happens is because my .bashrc displays information when I log on (because I installed bash and followed the bash tutorial to get a bunch of system stats when I log on). sftp is not expecting this information and dies with the above error message. To get rid of this message if you have to add the following to your .bashrc:

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
if [[ -n $PS1 ]]; then
  #.bashrc stuff that outputs text to the terminal
fi

(:tableend:)

This lets you keep your text output when you log on, which I like, but still allows sftp login.

-Mark

• Tip 1: Securing the server. The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>

• Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access across a NAT enabled router by enabling a Passive port range. The following example will configure twenty Passive ports for data transfer in the range 50000 to 50019.

Note: Since SSL/TLS encrypts the control channel, NAT routers cannot read it to manage incoming TCP connection automatically. If you are behind a NAT router (usually on a 10.*.*.* or 192.168.*.* network), follow tip 4.

How to configure Proftpd for SSL/TLS authentication/encryption

1. Creating a signing script file (shame that this is not included with the openssl instalation).

1. Enabling SSL/TLS encription within proftpd

1. default key expiry set to 5 years but can be changed

2. Generate a self signed root certificate (expiry set to 5 years but can be changed) and copy the root certificate to folder /opt/etc/ftpd/\\

If you want to remove the passphrase from the server key (there is no real need for a password here so you will probably want to remove it), use: -\\

Change the TLSRequired and TLSVerifyClient configuration settings above as required.

1. off = client SSL certificates are not requried
2. on = client SSL certificates are required

1. Clients are required to use FTP over TLS when talking to this server

1. Authenticate clients that want to use FTP over TLS

1. off = clients can connect using insecure FTP or secure FTP/SSL
2. on = clients can only connect using secure FTP/SSL

1. off = client certificates are not requried
2. on = client certificates are required

default_days = 1825

Method

How to configure Proftpd for SSL/TSL authentication/encryption

The following list of instructions is largely based on Enabling HTTPS for Apache. The method involves: -

1. Creating a signing script file
2. Creating a Certificate Authority (CA) key and root Certificate
3. Creating a Server key and signed Server Certificate
4. Enabling SSL/TSL encription within proftpd

Login as user root and create a home folder for use by openssl to store the signing script and to create keys and certificates in. Make the folder read/write only by user root.
mkdir /opt/etc/openssl
chmod 600 /opt/etc/openssl

Move to the new folder
cd /opt/etc/openssl

You will now need to create a signing script by copying the following scipt section into a new file called sign.sh using a Unix compatable text editor. Store the script in the above folder.

sign.sh

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
unique_subject          = no
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0

(:tableend:)

Make sign.sh owned by root and executable
chown root:root /opt/etc/openssl/sign.sh
chmod 700 /opt/etc/openssl/sign.sh

Creating the Keys and Certificates

1. Create a new root key for your own Certificate Authority (CA)
openssl genrsa -des3 -out ca.key 1024

If you want to remove the passphrase from the root key, use: -
mv ca.key ca.key.orig
openssl rsa -in ca.key.orig -out ca.key

2. Generate a self signed root certificate and copy the root certificate to folder /opt/etc/ftpd/
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
cp /opt/etc/openssl/ca.crt /opt/etc/ftpd/

3. Create the server key
openssl genrsa -des3 -out server.key 1024

If you want to remove the passphrase from the server key, use: -
mv server.key server.key.orig
openssl rsa -in server.key.orig -out server.key

Copy the server key to folder /opt/etc/ftpd/
cp /opt/etc/openssl/server.key /opt/etc/ftpd/

4. Prepare a certificate signing request (CSR).
Important - when asked for a Common Name - enter localhost
openssl req -new -key server.key -out server.csr

5. Sign your server key using the previously saved script file
./sign.sh server.csr

6. Copy the server certificate to folder /opt/etc/ftpd/
cp /opt/etc/openssl/server.crt /opt/etc/ftpd/

Modify proftpd.conf

Using a Unix compatable text editor insert the following script section into the proftpd configuration file /opt/etc/proftpd.conf, just paste it to the end of the file.

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
<IfModule mod_tls.c>
	TLSEngine on
	TLSLog /opt/var/proftpd/tls.log
	TLSProtocol TLSv1

# Clients are required to use FTP over TLS when talking to this server.
# off - clients can connect using insecure FTP or secure FTP/SSL
# on  - clients can only connect using secure FTP/SSL
	TLSRequired off

# Server's certificate
	TLSRSACertificateFile /opt/etc/ftpd/server.crt
	TLSRSACertificateKeyFile /opt/etc/ftpd/server.key

# CA the server trusts
	TLSCACertificateFile /opt/etc/ftpd/ca.crt

# Authenticate clients that want to use FTP over TLS?
# on  - client certificates are required
	TLSVerifyClient off
</IfModule>

(:tableend:)

• Tip 1: Securing the server. The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd.conf according to your needs. SSL certificates are to be stored in /opt/etc/ftpd and the list of users not allowed to log on in /opt/etc/ftpusers.

• Tip 4: Proftpd and NAT routers. Proftpd is easily configured for access across a NAT enabled router by enabaling a Passive port range. The following example will configure twenty Passive ports for data transfer in the range 50000 to 50019.

• Says warning: unable to determine IP address of '<SlugName>' on startup. This is because /etc/nsswitch.conf is missing up until 4.x. Fix it by doing echo "hosts: files dns" > /etc/nsswitch.conf and restart proftpd.

• Tip 3: Missing users Home Directory - a possible workaround. Proftpd currently needs a users home directory entry in the /etc/passwd file for users to login.

1. Change the relevant proftpd.conf directive located in the global section to read:
   AuthUserFile /opt/etc/passwd.proftpd

RobHam

• Tip 3: Missing users Home Directory - a possible workaround. ProFTPD? currently needs a users home directory entry in the /etc/passwd file for users to login.

1. Change the relevant proftpd.conf directive located in the
   global section to read:
   AuthUserFile? /opt/etc/passwd.proftpd
2. Create and populate a new /opt/etc/passwd.proftpd file using a text editor with your required users by copying them from the system /etc/passwd file. Modify these users as required following the passwd file conventions.

• Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.

(:table border=0 width=100% bgcolor=#eeeeff:)

• Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.
• Tip 2: Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all theoretically can be used to login to the server (root and admin are most at risk). You can disable these names by placing them in a text file called ftpusers. Save the text file to the folder /opt/etc/. An example ftpusers file with the current default user names is:-

(:table border=0 width=100% bcolor=#eeeeff:) (:cell:)

 
# /opt/etc/ftpusers
# Inclusion of 'root' here has limited functionality, to disable
# 'root' access use the proftpd.conf directive - RootLogin off 
root
# Including 'ftp' here will disable anonymous login
ftp
# Other default users
bin
lp
mail
nobody
ourtelnetrescueuser
guest
admin
# End of file

(:tableend:)

• Tip 1: The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.

• Tip 2: Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all theoretically can be used to login to the server (root and admin are most at risk). You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with the current default user names is:-

• Tip 2:Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all theoretically can be used to login to the server (root and admin are most at risk). You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with the current default user names is:-

• Tip 2:Securing the server. The default /etc/passwd file contains a list of default user names, some are hidden from the web interface, all can be used to login to the server so pose a security. You can disable these names by placing them in a text file called 'ftpusers'. Save the text file to the folder /opt/etc/. An example ftpusers file with all current default user names is:-

RobHam?

• Tip 1:The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line : <Anonymous ~ftp>. Suggest changing to : <Anonymous /share/hdd/data/public>.

RobHam?

• Tip 1:The default proftpd.conf file will allow anonymous users direct access to the root directory /. This is easily changed by editing the line :-

<Anonymous ~ftp>.

Suggest changing to <Anonymous /share/hdd/data/public>.

• NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if DefaultRoot is set.

• NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if @@DefaultRoot@@ is set.

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd and the list of users not allowed to log on in /opt/etc/ftpusers.

General

• NOTE: The users must have a home directory in their /etc/passwd entry to log in. The directory does not have to exist if DefaultRoot? is set.

1. Set up startup script: cp /opt/doc/proftpd/S58proftpd /opt/etc/init.d

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd.

• Says warning: unable to determine IP address of '<SlugName?>' on startup. This is because /etc/nsswitch.conf is missing up until 4.x. Fix it by doing echo "hosts: files dns" > /etc/nsswitch.conf and restart proftpd.

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd and restart proftpd.

• Says warning: unable to determine IP address of '<SlugName?>' on startup. This is because /etc/nsswitch.conf is missing up until 4.x. Fix it by doing echo "hosts: files dns" > /etc/nsswitch.conf.

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd.

With xinetd

Since the proftpd package installs a xinetd configuration file, just do kill -SIGHUP `cat /var/run/xinetd.pid` to make xinetd reread its configuration files.

1. Set up startup script: cp /opt/doc/proftpd/S58proftpd to /opt/etc/init.d
2. Run: . /opt/etc/init.d/S58proftpd

As standalone

• Says unable to listen to local socket: No such file or directory on startup. This is because the directory /opt/var/proftpd was not created on proftpd install prior to IPK version 4. Just create the directories.

• Full man page installation.

Proftpd

Why proftpd

Check out http://www.proftpd.org

• Has virtual users
• Has bandwidth limitation (only per session, not global)
• Has SSL/TLS authentication/encryption.
• Has control tools, like ftptop and ftpwho, letting you see all that is going on on your server.
• Has a number of authentication methods
• Comes with integration scripts for running with the Linksys inetd, the Inetutils inetd and xinetd (recommended) as well as standalone server setup.
• Has quotas, up/down-load ratios and almost all you could want from an FTPD.

How to install

Install the package: ipkg install proftpd

How to configure

The possibilities for configuration are endless. Go to the Proftpd website and edit /opt/etc/proftpd according to your needs. SSL certificates are to be stored in /opt/etc/ftpd. Make sure to backup your configuration file as reinstalling or upgrading proftpd is likely to overwrite it (yes, it sucks).

How to activate

Chose your mode of running it (one of the below).

With Linksys inetd

1. Set up the diversion script: cp /opt/doc/rc.xinetd.proftpd /unslung/rc.xinetd
2. Run: . /etc/rc.d/rc.xinetd

With Inetutils inetd

1. Add the ftp entry: cat /opt/doc/proftpd/inetd.conf.proftpd >> /opt/etc/inetd.conf
2. Run: . /etc/rc.d/rc.xinetd

With xinetd (recommended)

1. Add proftpd entry: cp /opt/doc/proftpd/proftpd.xinetd /opt/etc/xinetd.d/proftpd
2. Run: . /etc/rc.d/rc.xinetd

As standalone server

1. Set up startup script: cp /opt/doc/proftpd/S68proftpd to /opt/etc/init.d
2. Run: . /opt/etc/init.d/S68proftpd

Troubleshooting

Let the trouble commence.

Bob_tm