Securing FTP servers
====================

Date: 21.12.2020

Understanding of passive vs. active FTP connections
---------------------------------------------------

See p. 470 ff. as well as

- https://pemmann.de/cc/Doc/Abuild/_build/html/handouts/202.html#securing-ftp-servers (handout)
- http://www.istudynetwork.com/2012/12/how-active-and-passive-ftp-mode-works.html (illustrative diagrams)

Active vs. passive mode:

- By default the active mode is used, in which the server delivers the payload data from its port 20 (PROBLEM: from the client's point of view this looks like a new connection that has to be initiated from outside -> the firewall blocks it!)
- After the FTP login (port 21), the FTP client has to enter the internal command 'passive' so that the server behaves passively.

Setting up vsftpd
-----------------

This server was written completely from scratch; the config file is parsed rather strictly, but there have also been major bugs in the past.

Installation
^^^^^^^^^^^^

Installation in the container 'deb2'

.. highlight:: shell-session

::

   my@bash $ exit
   exit
   my@bash $ lxc exec deb2 bash
   my@bash $
   my@bash $ ip -4 addr
   1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
   14: eth0@if15: mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
       inet 192.168.2.232/24 brd 192.168.2.255 scope global eth0
          valid_lft forever preferred_lft forever
   my@bash $
   my@bash $ apt-get update
   Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
   Hit:2 http://deb.debian.org/debian buster InRelease
   Get:3 http://security.debian.org/debian-security buster/updates/main amd64 Packages [256 kB]
   Get:4 http://security.debian.org/debian-security buster/updates/main Translation-en [140 kB]
   Fetched 462 kB in 1s (548 kB/s)
   Reading package lists... Done
   my@bash $
   my@bash $ apt-get upgrade
   Reading package lists... Done
   Building dependency tree
   Reading state information... Done
   Calculating upgrade... Done
   The following packages will be upgraded:
     apt libapt-pkg5.0 libssl1.1
   3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
   Need to get 3923 kB of archives.
   After this operation, 0 B of additional disk space will be used.
   Do you want to continue? [Y/n]
   Get:1 http://security.debian.org/debian-security buster/updates/main amd64 libapt-pkg5.0 amd64 1.8.2.2 [966 kB]
   Get:2 http://security.debian.org/debian-security buster/updates/main amd64 apt amd64 1.8.2.2 [1419 kB]
   Get:3 http://security.debian.org/debian-security buster/updates/main amd64 libssl1.1 amd64 1.1.1d-0+deb10u4 [1538 kB]
   Fetched 3923 kB in 1s (5157 kB/s)
   debconf: delaying package configuration, since apt-utils is not installed
   (Reading database ... 17742 files and directories currently installed.)
   Preparing to unpack .../libapt-pkg5.0_1.8.2.2_amd64.deb ...
   Unpacking libapt-pkg5.0:amd64 (1.8.2.2) over (1.8.2.1) ...
   Setting up libapt-pkg5.0:amd64 (1.8.2.2) ...
   (Reading database ... 17742 files and directories currently installed.)
   Preparing to unpack .../archives/apt_1.8.2.2_amd64.deb ...
   Unpacking apt (1.8.2.2) over (1.8.2.1) ...
   Setting up apt (1.8.2.2) ...
   (Reading database ... 17742 files and directories currently installed.)
   Preparing to unpack .../libssl1.1_1.1.1d-0+deb10u4_amd64.deb ...
   Unpacking libssl1.1:amd64 (1.1.1d-0+deb10u4) over (1.1.1d-0+deb10u3) ...
   Setting up libssl1.1:amd64 (1.1.1d-0+deb10u4) ...
   Processing triggers for libc-bin (2.28-10) ...
   my@bash $
   my@bash $
   my@bash $ apt-get install vsftpd
   Reading package lists... Done
   Building dependency tree
   Reading state information... Done
   The following NEW packages will be installed:
     vsftpd
   0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
   Need to get 153 kB of archives.
   After this operation, 357 kB of additional disk space will be used.
   Get:1 http://deb.debian.org/debian buster/main amd64 vsftpd amd64 3.0.3-12 [153 kB]
   Fetched 153 kB in 0s (1196 kB/s)
   debconf: delaying package configuration, since apt-utils is not installed
   Selecting previously unselected package vsftpd.
   (Reading database ... 17742 files and directories currently installed.)
   Preparing to unpack .../vsftpd_3.0.3-12_amd64.deb ...
   Unpacking vsftpd (3.0.3-12) ...
   Setting up vsftpd (3.0.3-12) ...
   Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /lib/systemd/system/vsftpd.service.
   [vsftpd.conf:1] Line references path below legacy directory /var/run/, updating /var/run/vsftpd/empty → /run/vsftpd/empty; please update the tmpfiles.d/ drop-in file accordingly.
   Processing triggers for systemd (241-7~deb10u5) ...
   my@bash $
   my@bash $

Configuration
^^^^^^^^^^^^^

Every distribution ships a different default config; on Debian it looks like this:

::

   my@bash $ alias gg="grep -v '^\s*#\|^$'"
   my@bash $
   my@bash $ gg /etc/vsftpd.conf
   listen=NO
   listen_ipv6=YES
   anonymous_enable=NO
   local_enable=YES
   dirmessage_enable=YES
   use_localtime=YES
   xferlog_enable=YES
   connect_from_port_20=YES
   secure_chroot_dir=/var/run/vsftpd/empty
   pam_service_name=vsftpd
   rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
   rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
   ssl_enable=NO
   my@bash $
   my@bash $
   my@bash $ ## Test: log in as tux on localhost:
   my@bash $ apt-get install ftp
   Reading package lists... Done
   Building dependency tree
   Reading state information... Done
   The following NEW packages will be installed:
     ftp
   0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
   Need to get 59.4 kB of archives.
   After this operation, 140 kB of additional disk space will be used.
   Get:1 http://deb.debian.org/debian buster/main amd64 ftp amd64 0.17-34.1 [59.4 kB]
   Fetched 59.4 kB in 0s (317 kB/s)
   debconf: delaying package configuration, since apt-utils is not installed
   Selecting previously unselected package ftp.
   (Reading database ... 17800 files and directories currently installed.)
   Preparing to unpack .../ftp_0.17-34.1_amd64.deb ...
   Unpacking ftp (0.17-34.1) ...
   Setting up ftp (0.17-34.1) ...
   update-alternatives: using /usr/bin/netkit-ftp to provide /usr/bin/ftp (ftp) in auto mode
   my@bash $
   my@bash $
   my@bash $ useradd -m -s /bin/bash tux
   my@bash $ passwd tux
   New password:
   Retype new password:
   passwd: password updated successfully
   my@bash $
   my@bash $ ftp localhost
   Connected to localhost.
   220 (vsFTPd 3.0.3)
   Name (localhost:root): tux
   331 Please specify the password.
   Password:
   230 Login successful.
   Remote system type is UNIX.
   Using binary mode to transfer files.
   ftp>
   ftp> mkdir ABC
   550 Permission denied.
   ftp>
   ftp> cd /etc
   250 Directory successfully changed.
   ftp>
   ftp> get passwd
   local: passwd remote: passwd
   200 EPRT command successful. Consider using EPSV.
   150 Opening BINARY mode data connection for passwd (1753 bytes).
   226 Transfer complete.
   1753 bytes received in 0.00 secs (28.8240 MB/s)
   ftp>
   ftp> get shadow
   local: shadow remote: shadow
   200 EPRT command successful. Consider using EPSV.
   550 Failed to open file.
   ftp>
   ftp> by
   221 Goodbye.
   my@bash $
   my@bash $ ## >> The user can roam the root filesystem and obtain certain information.
   my@bash $ ## So there is no change-root environment!

For building a chroot jail the classic way, see ftp://ftp.wayne.edu/ldp/en/solrhe/chap29sec296.html

Give the user accounts write permission and enable the built-in chroot:

::

   my@bash $ vi /etc/vsftpd.conf
    27 # Uncomment this to allow local users to log in.
    28 local_enable=YES
    29 #
    30 # Uncomment this to enable any form of FTP write command.
    31 write_enable=YES
    32 #
   111 # You may restrict local users to their home directories. See the FAQ for
   112 # the possible risks in this before using chroot_local_user or
   113 # chroot_list_enable below.
   114 chroot_local_user=YES
   115 #
   116 ## So that $HOME can remain writable:
   117 allow_writeable_chroot=YES
   118
   my@bash $ gg /etc/vsftpd.conf
   listen=NO
   listen_ipv6=YES
   anonymous_enable=NO
   local_enable=YES
   write_enable=YES
   dirmessage_enable=YES
   use_localtime=YES
   xferlog_enable=YES
   connect_from_port_20=YES
   chroot_local_user=YES
   allow_writeable_chroot=YES
   secure_chroot_dir=/var/run/vsftpd/empty
   pam_service_name=vsftpd
   rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
   rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
   ssl_enable=NO
   my@bash $
   my@bash $ systemctl restart vsftpd

Now we test from the internal LAN:

.. highlight:: shell-session

::

   my@bash $ lxc exec deb-int1 bash
   my@bash $
   my@bash $ apt-get install ftp
   Reading package lists... Done
   Building dependency tree
   Reading state information... Done
   The following NEW packages will be installed:
     ftp
   0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
   Need to get 59.4 kB of archives.
   After this operation, 140 kB of additional disk space will be used.
   Get:1 http://deb.debian.org/debian buster/main amd64 ftp amd64 0.17-34.1 [59.4 kB]
   Fetched 59.4 kB in 0s (664 kB/s)
   debconf: delaying package configuration, since apt-utils is not installed
   Selecting previously unselected package ftp.
   (Reading database ... 18722 files and directories currently installed.)
   Preparing to unpack .../ftp_0.17-34.1_amd64.deb ...
   Unpacking ftp (0.17-34.1) ...
   Setting up ftp (0.17-34.1) ...
   update-alternatives: using /usr/bin/netkit-ftp to provide /usr/bin/ftp (ftp) in auto mode
   my@bash $
   my@bash $
   my@bash $ ftp 192.168.2.232
   Connected to 192.168.2.232.
   220 (vsFTPd 3.0.3)
   Name (192.168.2.232:root): tux
   331 Please specify the password.
   Password:
   230 Login successful.
   Remote system type is UNIX.
   Using binary mode to transfer files.
   ftp>
   ftp> pwd
   257 "/" is the current directory
   ftp>
   ftp> cd /etc
   550 Failed to change directory.
   ftp>
   ftp> mkdir ABC
   257 "/ABC" created
   ftp>
   ftp>
   ftp> ls
   500 Illegal PORT command.
   ftp: bind: Address already in use
   ftp>
   ftp> passive
   Passive mode on.
   ftp>
   ftp> ls
   227 Entering Passive Mode (192,168,2,232,247,70).
   150 Here comes the directory listing.
   drwx------    1 2001     2001            0 Dec 21 09:28 ABC
   226 Directory send OK.
   ftp>
   ftp>

   my@bash $ ## Create a test file on the FTP server:
   my@bash $ echo INHALT > /home/tux/wichtig.txt
   my@bash $
   my@bash $ ## >> The client now fetches this file; it has
   my@bash $ ## already switched to 'passive' mode...

   ftp>
   ftp> ls
   227 Entering Passive Mode (192,168,2,232,108,186).
   150 Here comes the directory listing.
   drwx------    1 2001     2001            0 Dec 21 09:28 ABC
   -rw-r--r--    1 0        0               7 Dec 21 09:31 wichtig.txt
   226 Directory send OK.
   ftp>
   ftp>
   ftp> get wichtig.txt
   local: wichtig.txt remote: wichtig.txt
   227 Entering Passive Mode (192,168,2,232,167,112).
   150 Opening BINARY mode data connection for wichtig.txt (7 bytes).
   226 Transfer complete.
   7 bytes received in 0.00 secs (94.9436 kB/s)
   ftp>
   ftp> by
   221 Goodbye.
   my@bash $
   my@bash $ ls -ltrc ~
   total 40
   -rw-r--r-- 1 root root  122 Dec  9 10:43 hugo1.ldif
   -rw-r--r-- 1 root root  207 Dec  9 11:15 fritz-posix.ldif
   -rw-r--r-- 1 root root  202 Dec  9 11:43 lisa-posix.ldif
   -rw-r--r-- 1 root root  205 Dec  9 11:51 franz-posix.ldif
   -rw-r--r-- 1 root root   83 Dec  9 12:43 fritz-uid-mod.ldif
   -rw-r--r-- 1 root root  208 Dec 10 08:35 maria-posix.ldif
   -rw-r--r-- 1 root root 3418 Dec 10 09:05 myLDAP-data-2020-12-10.ldif
   -rw-r--r-- 1 root root   73 Dec 10 10:08 loglevel-change.ldif
   -rw------- 1 root root 2677 Dec 11 11:01 mbox
   -rw-r--r-- 1 root root    7 Dec 21 09:32 wichtig.txt
   my@bash $
   my@bash $

Login restrictions
^^^^^^^^^^^^^^^^^^

An ancient file is ``/etc/ftpusers``, which lists additional users who are not allowed to use this FTP server (one username per line):

.. highlight:: shell-session

::

   my@bash $ cat /etc/ftpusers
   # /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).
   root
   daemon
   bin
   sys
   sync
   games
   man
   lp
   mail
   news
   uucp
   nobody
   my@bash $

Logging and banner
^^^^^^^^^^^^^^^^^^

.. highlight:: shell-session

::

   my@bash $ ## 'xferlog_enable=YES' turns on detailed logging:
   my@bash $ gg /etc/vsftpd.conf | grep xferlog_
   xferlog_enable=YES
   my@bash $
   my@bash $ ls -ltrc /var/log | tail -5
   -rw-r--r-- 1 root root    10428 Dec 21 09:01 alternatives.log
   -rw-r--r-- 1 root root   161602 Dec 21 09:01 dpkg.log
   -rw-r--r-- 1 root root    64064 Dec 21 09:02 faillog
   -rw-rw-r-- 1 root utmp   584584 Dec 21 09:02 lastlog
   -rw------- 1 root root      834 Dec 21 09:32 vsftpd.log
   my@bash $
   my@bash $ cat /var/log/vsftpd.log
   Mon Dec 21 09:02:00 2020 [pid 1163] CONNECT: Client "::1"
   Mon Dec 21 09:02:06 2020 [pid 1162] [tux] FAIL LOGIN: Client "::1"
   Mon Dec 21 09:02:44 2020 [pid 1173] CONNECT: Client "::1"
   Mon Dec 21 09:03:19 2020 [pid 1172] [tux] OK LOGIN: Client "::1"
   Mon Dec 21 09:04:04 2020 [pid 1174] [tux] OK DOWNLOAD: Client "::1", "/etc/passwd", 1753 bytes, 2797.25Kbyte/sec
   Mon Dec 21 09:04:11 2020 [pid 1174] [tux] FAIL DOWNLOAD: Client "::1", "/etc/shadow", 0.00Kbyte/sec
   Mon Dec 21 09:28:02 2020 [pid 1194] CONNECT: Client "::ffff:192.168.2.103"
   Mon Dec 21 09:28:09 2020 [pid 1193] [tux] OK LOGIN: Client "::ffff:192.168.2.103"
   Mon Dec 21 09:28:30 2020 [pid 1195] [tux] OK MKDIR: Client "::ffff:192.168.2.103", "/ABC"
   Mon Dec 21 09:32:58 2020 [pid 1195] [tux] OK DOWNLOAD: Client "::ffff:192.168.2.103", "/wichtig.txt", 7 bytes, 12.73Kbyte/sec
   my@bash $

The banner message is defined with 'ftpd_banner':

.. highlight:: shell-session

::

   my@bash $ gg /etc/vsftpd.conf | grep banner
   my@bash $
   my@bash $ grep banner /etc/vsftpd.conf
   # You may fully customise the login banner string:
   #ftpd_banner=Welcome to blah FTP service.
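As an added example (not part of the course material), the ``/var/log/vsftpd.log`` lines above run through a small parser with three checks a defender wants from exactly this format: failed logins per client, reads of system files that are only possible without ``chroot_local_user`` (the ``/etc/passwd`` download above), and successful write actions. The sample lines are constructed from the output shown above; the system-path prefixes and the set of write actions are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample: these lines mirror the /var/log/vsftpd.log output shown
# above (xferlog_enable=YES), mixing localhost (::1) and LAN
# (::ffff:192.168.2.103) activity by the test user tux.
SAMPLE_LOG = """\
Mon Dec 21 09:02:00 2020 [pid 1163] CONNECT: Client "::1"
Mon Dec 21 09:02:06 2020 [pid 1162] [tux] FAIL LOGIN: Client "::1"
Mon Dec 21 09:03:19 2020 [pid 1172] [tux] OK LOGIN: Client "::1"
Mon Dec 21 09:04:04 2020 [pid 1174] [tux] OK DOWNLOAD: Client "::1", "/etc/passwd", 1753 bytes, 2797.25Kbyte/sec
Mon Dec 21 09:04:11 2020 [pid 1174] [tux] FAIL DOWNLOAD: Client "::1", "/etc/shadow", 0.00Kbyte/sec
Mon Dec 21 09:28:09 2020 [pid 1193] [tux] OK LOGIN: Client "::ffff:192.168.2.103"
Mon Dec 21 09:28:30 2020 [pid 1195] [tux] OK MKDIR: Client "::ffff:192.168.2.103", "/ABC"
Mon Dec 21 09:32:58 2020 [pid 1195] [tux] OK DOWNLOAD: Client "::ffff:192.168.2.103", "/wichtig.txt", 7 bytes, 12.73Kbyte/sec
"""

# One vsftpd.log line: timestamp, [pid N], optional [user], optional OK/FAIL,
# ACTION: Client "addr" and, for file operations, a quoted path.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]+)\] )?'
    r'(?:(?P<status>OK|FAIL) )?(?P<action>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# Paths a chrooted user can never reach: a hit means the chroot is not active.
SYSTEM_PREFIXES = ("/etc/", "/root/", "/var/", "/usr/", "/bin/", "/sbin/")
# Write-type actions as vsftpd names them in the log (chosen for this example).
WRITE_ACTIONS = {"UPLOAD", "MKDIR", "DELETE", "RMDIR", "RENAME"}


def strip_ipv4_mapped(addr):
    """With listen_ipv6=YES vsftpd logs IPv4 clients as ::ffff:a.b.c.d."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def parse_line(line):
    """Return the fields of one log line as a dict, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["client"] = strip_ipv4_mapped(event["client"])
    return event


def parse_log(text):
    """Parse a whole log, skipping lines that do not fit the format."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarize(events):
    """Failed logins per client, reads of system files, successful writes."""
    summary = {"failed_logins": Counter(), "system_file_reads": [], "writes": []}
    for e in events:
        if e["action"] == "LOGIN" and e["status"] == "FAIL":
            summary["failed_logins"][e["client"]] += 1
        elif e["action"] == "DOWNLOAD" and e["path"] and e["path"].startswith(SYSTEM_PREFIXES):
            summary["system_file_reads"].append((e["user"], e["client"], e["path"], e["status"]))
        elif e["action"] in WRITE_ACTIONS and e["status"] == "OK":
            summary["writes"].append((e["user"], e["client"], e["path"]))
    return summary


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for client, n in s["failed_logins"].items():
        print(f"failed logins from {client}: {n}")
    for user, client, path, status in s["system_file_reads"]:
        print(f"{user}@{client}: {status} read of {path} (chroot not active?)")
    for user, client, path in s["writes"]:
        print(f"{user}@{client} wrote {path}")
```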
::

   my@bash $
   my@bash $ sed -i 's/^#ftpd_banner/ftpd_banner/' /etc/vsftpd.conf
   my@bash $
   my@bash $ systemctl restart vsftpd
   my@bash $
   my@bash $ ## >> On subsequent logins, the message "220 Welcome to blah FTP service."
   my@bash $ ## appears instead of "220 (vsFTPd 3.0.3)".

Enabling anonymous login
^^^^^^^^^^^^^^^^^^^^^^^^

The built-in FTP user 'anonymous' (alias 'ftp') is always locked into a chroot environment; on Debian this is /srv/ftp, see the $HOME of the system user 'ftp':

.. highlight:: shell-session

::

   my@bash $ grep ^ftp /etc/passwd
   ftp:x:108:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
   my@bash $
   my@bash $ ls -ld /srv/ftp
   drwxr-xr-x 1 root ftp 0 Dec 21 08:53 /srv/ftp
   my@bash $
   my@bash $
   my@bash $ echo Hallo Welt > /srv/ftp/willkommen.txt
   my@bash $
   my@bash $
   my@bash $ grep anonymous /etc/vsftpd.conf
   # Allow anonymous FTP? (Disabled by default).
   anonymous_enable=NO
   # Uncomment this to allow the anonymous FTP user to upload files. This only
   # Uncomment this if you want the anonymous FTP user to be able to create
   # If you want, you can arrange for uploaded anonymous files to be owned by
   # You may specify a file of disallowed anonymous e-mail addresses. Apparently
   my@bash $
   my@bash $ sed -i 's/anonymous_enable=NO/anonymous_enable=YES/' /etc/vsftpd.conf
   my@bash $
   my@bash $ systemctl restart vsftpd

Test from 'deb-intern1':

.. highlight:: shell-session

::

   my@bash $ ftp 192.168.2.232
   Connected to 192.168.2.232.
   220 Welcome to blah FTP service.
   Name (192.168.2.232:root): anonymous
   331 Please specify the password.
   Password:
   230 Login successful.
   Remote system type is UNIX.
   Using binary mode to transfer files.
   ftp>
   ftp> mkdir ABC
   550 Permission denied.
   ftp>
   ftp> ls
   500 Illegal PORT command.
   ftp: bind: Address already in use
   ftp>
   ftp> passive
   Passive mode on.
   ftp>
   ftp> ls
   227 Entering Passive Mode (192,168,2,232,218,7).
   150 Here comes the directory listing.
   -rw-r--r--    1 0        0              11 Dec 21 10:14 willkommen.txt
   226 Directory send OK.
   ftp>
   ftp> get willkommen.txt
   local: willkommen.txt remote: willkommen.txt
   227 Entering Passive Mode (192,168,2,232,230,225).
   150 Opening BINARY mode data connection for willkommen.txt (11 bytes).
   226 Transfer complete.
   11 bytes received in 0.00 secs (52.6578 kB/s)
   ftp>
   ftp> by
   221 Goodbye.
   my@bash $
   my@bash $ pwd
   /root
   my@bash $
   my@bash $ cat willkommen.txt
   Hallo Welt
   my@bash $

Checking the server-side settings that grant write permission:

.. highlight:: shell-session

::

   my@bash $ grep -E --color 'write|upload' /etc/vsftpd.conf
   # Uncomment this to enable any form of FTP write command.
   write_enable=YES
   # Uncomment this to allow the anonymous FTP user to upload files. This only
   # has an effect if the above global write enable is activated. Also, you will
   #anon_upload_enable=YES
   #anon_mkdir_write_enable=YES
   # Activate logging of uploads/downloads.
   # If you want, you can arrange for uploaded anonymous files to be owned by
   # a different user. Note! Using "root" for uploaded files is not
   #chown_uploads=YES
   #ascii_upload_enable=YES
   allow_writeable_chroot=YES
   # the user does not have write access to the top level directory within the
   my@bash $
   my@bash $ ## >> Be especially careful with anonymous:
   my@bash $ ## a) anon_upload_enable=NO
   my@bash $ ## b) anon_mkdir_write_enable=NO

Securing vsftpd with TLS
^^^^^^^^^^^^^^^^^^^^^^^^

See https://pemmann.de/cc/Doc/Abuild/_build/html/netzdienste/vsftpd.html#ssl-zertifikate-fur-vsftpd

Check which certificates of our own are present:

.. highlight:: shell-session

::

   my@bash $ ls -ltrc /etc/ssl/certs/ | tail -3
   -rw-r--r-- 1 root root   1070 Dec 16 10:23 ssl-cert-snakeoil.pem
   lrwxrwxrwx 1 root root     21 Dec 16 10:23 4e3cc0b7 -> ssl-cert-snakeoil.pem
   -rw-r--r-- 1 root root 200061 Dec 16 10:23 ca-certificates.crt
   my@bash $
   my@bash $ ls -ltrc /etc/ssl/certs/*my*
   ls: cannot access '/etc/ssl/certs/*my*': No such file or directory
   my@bash $
   my@bash $ ## >> None found! So we generate our own again:

.. highlight:: shell-session

::

   my@bash $ cd /etc/ssl
   my@bash $ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout private/vsftpd.key -out certs/vsftpd.pem
   Generating a RSA private key
   .....+++++
   ..+++++
   writing new private key to 'private/vsftpd.key'
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:DE
   State or Province Name (full name) [Some-State]:Sachsen
   Locality Name (eg, city) []:Chemnitz
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMCAVE
   Organizational Unit Name (eg, section) []:Technik
   Common Name (e.g. server FQDN or YOUR name) []:deb2.haus1.tld
   Email Address []:
   my@bash $
   my@bash $ head -3 private/vsftpd.key
   -----BEGIN PRIVATE KEY-----
   MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALXUJXAAthajob0J
   o0HoMVcAdAZhsCa3BKhkX9XKD5FJ0aTDrrz02cjBZjVgGmiwvdtj70XQl/WVftMP
   my@bash $
   my@bash $ head -3 certs/vsftpd.pem
   -----BEGIN CERTIFICATE-----
   MIICujCCAiOgAwIBAgIUP0WA1Bq2wZxDDQcmhIw4paZM/OkwDQYJKoZIhvcNAQEL
   BQAwbzELMAkGA1UEBhMCREUxEDAOBgNVBAgMB1NhY2hzZW4xETAPBgNVBAcMCENo
   my@bash $

Configure the certificate and further TLS settings:

.. highlight:: shell-session

::

   my@bash $ vi /etc/vsftpd.conf
   152 # This option specifies the location of the RSA certificate to use for SSL
   153 # encrypted connections.
   154 rsa_cert_file=/etc/ssl/certs/vsftpd.pem
   155 rsa_private_key_file=/etc/ssl/private/vsftpd.key
   156 ssl_enable=YES
   157 ssl_tlsv1=YES
   158 ssl_sslv2=NO
   159 ssl_sslv3=NO
   160
   my@bash $ gg /etc/vsftpd.conf
   listen=NO
   listen_ipv6=YES
   anonymous_enable=YES
   local_enable=YES
   write_enable=YES
   dirmessage_enable=YES
   use_localtime=YES
   xferlog_enable=YES
   connect_from_port_20=YES
   ftpd_banner=Welcome to blah FTP service.
   chroot_local_user=YES
   allow_writeable_chroot=YES
   secure_chroot_dir=/var/run/vsftpd/empty
   pam_service_name=vsftpd
   rsa_cert_file=/etc/ssl/certs/vsftpd.pem
   rsa_private_key_file=/etc/ssl/private/vsftpd.key
   ssl_enable=YES
   ssl_tlsv1=YES
   ssl_sslv2=NO
   ssl_sslv3=NO
   my@bash $
   my@bash $ systemctl restart vsftpd
   my@bash $
   my@bash $
   my@bash $ systemctl status vsftpd
   ● vsftpd.service - vsftpd FTP server
      Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
      Active: failed (Result: exit-code) since Mon 2020-12-21 10:41:41 CET; 1min 59s ago
     Process: 1267 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
     Process: 1268 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
    Main PID: 1268 (code=exited, status=2)

   Dec 21 10:41:41 deb2 systemd[1]: Starting vsftpd FTP server...
   Dec 21 10:41:41 deb2 systemd[1]: Started vsftpd FTP server.
   Dec 21 10:41:41 deb2 systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
   Dec 21 10:41:41 deb2 systemd[1]: vsftpd.service: Failed with result 'exit-code'.
   my@bash $
   my@bash $
   my@bash $ systemctl status vsftpd
   ● vsftpd.service - vsftpd FTP server
      Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
      Active: failed (Result: exit-code) since Mon 2020-12-21 10:45:28 CET; 15s ago
     Process: 1280 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
     Process: 1281 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
    Main PID: 1281 (code=exited, status=2)

   Dec 21 10:45:28 deb2 systemd[1]: Starting vsftpd FTP server...
   Dec 21 10:45:28 deb2 systemd[1]: Started vsftpd FTP server.
   Dec 21 10:45:28 deb2 systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
   Dec 21 10:45:28 deb2 systemd[1]: vsftpd.service: Failed with result 'exit-code'.
   my@bash $
   my@bash $ ## >> ????? The daemon no longer starts and systemd does not tell us clearly what is going on ("status=2/INVALIDARGUMENT")!

Could it be missing read permission for the group members? As it turns out later, that is not the case:

::

   my@bash $ ls -l /etc/ssl/certs/*oil*
   -rw-r--r-- 1 root root 1070 Dec 16 10:23 /etc/ssl/certs/ssl-cert-snakeoil.pem
   my@bash $
   my@bash $ ls -l /etc/ssl/certs/vsftpd.pem
   -rw-r--r-- 1 root root 1005 Dec 21 10:33 /etc/ssl/certs/vsftpd.pem
   my@bash $
   my@bash $ ls -l /etc/ssl/private/*oil*
   -rw-r----- 1 root ssl-cert 1704 Dec 16 10:23 /etc/ssl/private/ssl-cert-snakeoil.key
   my@bash $
   my@bash $ ls -l /etc/ssl/private/vsftpd.key
   -rw------- 1 root root 916 Dec 21 10:32 /etc/ssl/private/vsftpd.key
   my@bash $
   my@bash $
   my@bash $ chmod 640 /etc/ssl/private/vsftpd.key
   my@bash $ chgrp ssl-cert /etc/ssl/private/vsftpd.key
   my@bash $
   my@bash $ /usr/sbin/vsftpd -ossl_enable=NO /etc/vsftpd.conf
   500 OOPS: SSL: cannot load RSA certificate
   my@bash $
   my@bash $ /usr/sbin/vsftpd -ossl_enable=YES /etc/vsftpd.conf
   500 OOPS: SSL: cannot load RSA certificate
   my@bash $
   my@bash $ systemctl restart vsftpd
   my@bash $
   my@bash $ systemctl status vsftpd
   ● vsftpd.service - vsftpd FTP server
      Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
      Active: failed (Result: exit-code) since Mon 2020-12-21 10:54:06 CET; 8s ago
     Process: 1303 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
     Process: 1304 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
    Main PID: 1304 (code=exited, status=2)

   Dec 21 10:54:06 deb2 systemd[1]: Starting vsftpd FTP server...
   Dec 21 10:54:06 deb2 systemd[1]: Started vsftpd FTP server.
   Dec 21 10:54:06 deb2 systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
   Dec 21 10:54:06 deb2 systemd[1]: vsftpd.service: Failed with result 'exit-code'.
   my@bash $
   my@bash $ ## >> No success!
Troubleshooting/logging
^^^^^^^^^^^^^^^^^^^^^^^

**TIP**: For troubleshooting, it is best to run the daemon directly in the foreground of the shell:

::

   my@bash $ /usr/sbin/vsftpd --help
   500 OOPS: unrecognise option: --help
   my@bash $
   my@bash $ /usr/sbin/vsftpd -h
   500 OOPS: unrecognise option: -h
   my@bash $
   my@bash $ /usr/sbin/vsftpd help
   500 OOPS: cannot read config file: help

So read the man page https://linux.die.net/man/8/vsftpd and keep trying:

::

   my@bash $ /usr/sbin/vsftpd /etc/vsftpd.conf
   500 OOPS: SSL: cannot load RSA certificate
   my@bash $
   my@bash $ ## >> Already a more precise statement than the "status=2/INVALIDARGUMENT" above!

If important parameters are to be tested on the command line with higher priority, the configuration file must be given as the very first argument (logging every possible event is of no help here, by the way, since the daemon does not even start):

::

   my@bash $ /usr/sbin/vsftpd /etc/vsftpd.conf -oxferlog_std_format=NO -olog_ftp_protocol=YES -ossl_enable=YES -orsa_cert_file=/etc/ssl/certs/vsftpd-1024.pem -orsa_cert_file=/etc/ssl/certs/vsftpd-1024.pem
   500 OOPS: SSL: cannot load RSA certificate
   my@bash $

With ``-ossl_enable=NO`` the daemon would start again with the insecure 1024-bit certificate, because TLS is disabled:

::

   my@bash $ /usr/sbin/vsftpd /etc/vsftpd.conf -oxferlog_std_format=NO -olog_ftp_protocol=YES -ossl_enable=NO -orsa_cert_file=/etc/ssl/certs/vsftpd-1024.pem -orsa_cert_file=/etc/ssl/certs/vsftpd-1024.pem
   ^C
   my@bash $

NOTE on logging: if as much as possible is to be written to ``/var/log/vsftpd.log``, two switches must be on and one off:

- log_ftp_protocol=YES
- xferlog_enable=YES
- xferlog_std_format=NO

Secure certificates
^^^^^^^^^^^^^^^^^^^

If we now generate a certificate with an RSA key length greater than 1024 (2048 or 4096 bits), everything works:

::

   my@bash $ rm /etc/ssl/private/vsftpd.key /etc/ssl/certs/vsftpd.pem
   my@bash $
   my@bash $ openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout private/vsftpd.key -out certs/vsftpd.pem
   Generating a RSA private key
   ..........................++++
   ...........................++++
   writing new private key to 'private/vsftpd.key'
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:DE
   State or Province Name (full name) [Some-State]:Sachsen
   Locality Name (eg, city) []:Chemnitz
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:
   Organizational Unit Name (eg, section) []:
   Common Name (e.g. server FQDN or YOUR name) []:deb2.haus1.tld
   Email Address []:
   my@bash $
   my@bash $ gg /etc/vsftpd.conf
   listen=NO
   listen_ipv6=YES
   anonymous_enable=YES
   local_enable=YES
   write_enable=YES
   dirmessage_enable=YES
   use_localtime=YES
   xferlog_enable=YES
   connect_from_port_20=YES
   ftpd_banner=Welcome to blah FTP service.
   chroot_local_user=YES
   allow_writeable_chroot=YES
   secure_chroot_dir=/var/run/vsftpd/empty
   pam_service_name=vsftpd
   rsa_cert_file=/etc/ssl/certs/vsftpd.pem
   rsa_private_key_file=/etc/ssl/private/vsftpd.key
   ssl_enable=YES
   debug_ssl=YES
   log_ftp_protocol=YES
   syslog_enable=YES
   my@bash $

Alternatively, certificate and key can reside in one and the same file, which is then specified only with ``rsa_cert_file=``:

::

   my@bash $ cat certs/vsftpd.pem private/vsftpd.key > /etc/ssl/my-FTP-cert-and-key.pem
   my@bash $
   my@bash $ gg /etc/vsftpd.conf
   listen=NO
   listen_ipv6=YES
   anonymous_enable=YES
   local_enable=YES
   write_enable=YES
   dirmessage_enable=YES
   use_localtime=YES
   xferlog_enable=YES
   connect_from_port_20=YES
   ftpd_banner=Welcome to blah FTP service.
   chroot_local_user=YES
   allow_writeable_chroot=YES
   secure_chroot_dir=/var/run/vsftpd/empty
   pam_service_name=vsftpd
   rsa_cert_file=/etc/ssl/my-FTP-cert-and-key.pem
   ssl_enable=YES
   debug_ssl=YES
   log_ftp_protocol=YES
   syslog_enable=YES
   my@bash $
   my@bash $ systemctl restart vsftpd
   my@bash $
   my@bash $ pgrep -alfi ftp
   1399 /usr/sbin/vsftpd /etc/vsftpd.conf
   my@bash $
   my@bash $ vi /etc/vsftpd.conf
   my@bash $
   my@bash $ systemctl stop vsftpd
   my@bash $
   my@bash $ pgrep -alfi ftp
   my@bash $
   my@bash $ systemctl start vsftpd
   my@bash $
   my@bash $ pgrep -alfi ftp
   1410 /usr/sbin/vsftpd /etc/vsftpd.conf
   my@bash $
   my@bash $
   my@bash $ gg /etc/vsftpd.conf
   listen=NO
   listen_ipv6=YES
   anonymous_enable=YES
   local_enable=YES
   write_enable=YES
   dirmessage_enable=YES
   use_localtime=YES
   xferlog_enable=YES
   connect_from_port_20=YES
   ftpd_banner=Welcome to blah FTP service.
   chroot_local_user=YES
   allow_writeable_chroot=YES
   secure_chroot_dir=/var/run/vsftpd/empty
   pam_service_name=vsftpd
   rsa_cert_file=/etc/ssl/certs/vsftpd.pem
   rsa_private_key_file=/etc/ssl/private/vsftpd.key
   ssl_enable=YES
   debug_ssl=YES
   log_ftp_protocol=YES
   syslog_enable=YES
   my@bash $
   my@bash $ ## Cross-check: the server also starts with separate files:
   my@bash $ grep ^rsa /etc/vsftpd.conf
   rsa_cert_file=/etc/ssl/certs/vsftpd.pem
   rsa_private_key_file=/etc/ssl/private/vsftpd.key
   my@bash $
   my@bash $ ## >> Let's note: the key length must be greater than 1024 bits!
   my@bash $ ## So at least '-newkey rsa:2048'!
   my@bash $
   my@bash $ systemctl stop vsftpd
   my@bash $ systemctl start vsftpd
   my@bash $ pgrep -alfi ftp
   1427 /usr/sbin/vsftpd /etc/vsftpd.conf
   my@bash $

We test on the internal FTP client:

.. highlight:: shell-session

::

   my@bash $
   my@bash $ ftp 192.168.2.232
   Connected to 192.168.2.232.
   220 Welcome to blah FTP service.
   Name (192.168.2.232:root): tux
   530 Non-anonymous sessions must use encryption.
   Login failed.
   421 Service not available, remote server has closed connection
   ftp> by
   my@bash $
   my@bash $ ftp 192.168.2.232
   Connected to 192.168.2.232.
   220 Welcome to blah FTP service.
   Name (192.168.2.232:root): anonymous
   331 Please specify the password.
   Password:
   230 Login successful.
   Remote system type is UNIX.
   Using binary mode to transfer files.
   ftp>
   ftp> passive
   Passive mode on.
   ftp>
   ftp> ls
   227 Entering Passive Mode (192,168,2,232,127,232).
   150 Here comes the directory listing.
   -rw-r--r--    1 0        0              11 Dec 21 10:14 willkommen.txt
   226 Directory send OK.
   ftp>
   ftp> by
   221 Goodbye.
   my@bash $
   my@bash $ ## >> Anonymously it all works, but users can only authenticate via TLS.

On the SuSE host, after ``zypper in filezilla``, we can run *filezilla* and create a profile with explicit SSL in the site manager. And this is what the configuration finally looks like:

.. highlight:: shell-session

::

   my@bash $ gg /etc/vsftpd.conf
   listen=NO
   listen_ipv6=YES
   anonymous_enable=YES
   local_enable=YES
   write_enable=YES
   dirmessage_enable=YES
   use_localtime=YES
   xferlog_enable=YES
   connect_from_port_20=YES
   ftpd_banner=Welcome to blah FTP service.
   chroot_local_user=YES
   allow_writeable_chroot=YES
   secure_chroot_dir=/var/run/vsftpd/empty
   pam_service_name=vsftpd
   rsa_cert_file=/etc/ssl/certs/vsftpd.pem
   rsa_private_key_file=/etc/ssl/private/vsftpd.key
   ssl_enable=YES
   ssl_tlsv1=YES
   ssl_sslv2=NO
   ssl_sslv3=NO
   debug_ssl=YES
   log_ftp_protocol=YES
   syslog_enable=YES
   my@bash $
   my@bash $ ## We keep testing whether everything works:
   my@bash $ systemctl stop vsftpd
   my@bash $ pgrep -alfi ftp
   my@bash $
   my@bash $ systemctl start vsftpd
   my@bash $
   my@bash $ pgrep -alfi ftp
   1453 /usr/sbin/vsftpd /etc/vsftpd.conf
   my@bash $
   my@bash $ ## >> Fine, 'filezilla' can also handle the security settings.

Setting up pure-ftpd
--------------------

This is another very secure server. We want to replace vsftpd with it, and at least anonymous login should be possible.
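Before switching servers, an added example that is not part of the course material: the final vsftpd.conf above and Debian's default, run through a small auditor that encodes the rules collected in this document (chroot for local users, no anonymous writes, TLS for password logins, no SSLv2/v3, a banner that does not reveal the version, transfer logging). The severity labels and finding codes are this example's own choice; keys absent from the file are treated with vsftpd's built-in defaults from vsftpd.conf(5).

```python
# Constructed input: Debian's default /etc/vsftpd.conf as the gg alias prints it
# (comments and blank lines dropped), and the final hardened config from above.
DEBIAN_DEFAULT = """\
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
"""

FINAL_CONF = """\
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
"""

# Built-in defaults from vsftpd.conf(5) for the keys the checks use; a key
# absent from the file takes this value (Debian's shipped file overrides some).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO", "allow_writeable_chroot": "NO",
    "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "xferlog_enable": "NO",
}


def parse_vsftpd_conf(text):
    # Same filter as the gg alias (grep -v '^\s*#\|^$'), then key=value pairs.
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (severity, code, message) tuples; an empty list means all clear."""
    def g(key):
        return settings.get(key, DEFAULTS.get(key, "")).upper()
    findings = []
    if g("anonymous_enable") == "YES" and g("write_enable") == "YES":
        for key in ("anon_upload_enable", "anon_mkdir_write_enable"):
            if g(key) == "YES":
                findings.append(("high", "anon-write", f"{key}=YES lets anonymous users write to the anonymous root"))
    if g("local_enable") == "YES":
        if g("chroot_local_user") != "YES":
            findings.append(("high", "no-chroot", "local users can roam the whole filesystem (e.g. read /etc/passwd)"))
        elif g("allow_writeable_chroot") == "YES":
            findings.append(("info", "writable-chroot-root", "vsftpd refuses a writable chroot root by default; allow_writeable_chroot overrides that"))
        if g("ssl_enable") != "YES":
            findings.append(("high", "cleartext-login", "local user passwords travel unencrypted"))
    if g("ssl_enable") == "YES":
        for key in ("ssl_sslv2", "ssl_sslv3"):
            if g(key) == "YES":
                findings.append(("high", "legacy-ssl", f"{key}=YES enables an obsolete protocol"))
        if "rsa_cert_file" in settings and "rsa_private_key_file" not in settings:
            findings.append(("info", "combined-pem", "no rsa_private_key_file: the key must be inside rsa_cert_file"))
    if "ftpd_banner" not in settings:
        findings.append(("low", "version-banner", "default banner reveals the version, e.g. '220 (vsFTPd 3.0.3)'"))
    if g("xferlog_enable") != "YES":
        findings.append(("low", "no-xferlog", "transfers are not logged to /var/log/vsftpd.log"))
    return findings


def audit_text(text):
    return audit(parse_vsftpd_conf(text))


if __name__ == "__main__":
    for name, conf in (("Debian default", DEBIAN_DEFAULT), ("final", FINAL_CONF)):
        print(f"== {name}")
        for severity, code, message in audit_text(conf):
            print(f"[{severity}] {code}: {message}")
```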
Installation ^^^^^^^^^^^^ .. highlight:: shell-session :: my@bash $ apt-get install pure-ftpd Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: openbsd-inetd pure-ftpd-common update-inetd The following packages will be REMOVED: vsftpd The following NEW packages will be installed: openbsd-inetd pure-ftpd pure-ftpd-common update-inetd 0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded. Need to get 374 kB of archives. After this operation, 700 kB of additional disk space will be used. Do you want to continue? [Y/n] Get:1 http://deb.debian.org/debian buster/main amd64 update-inetd all 4.49 [27.8 kB] Get:2 http://deb.debian.org/debian buster/main amd64 openbsd-inetd amd64 0.20160825-4 [36.4 kB] Get:3 http://deb.debian.org/debian buster/main amd64 pure-ftpd-common all 1.0.47-3 [185 kB] Get:4 http://deb.debian.org/debian buster/main amd64 pure-ftpd amd64 1.0.47-3 [124 kB] Fetched 374 kB in 0s (1231 kB/s) debconf: delaying package configuration, since apt-utils is not installed (Reading database ... 17809 files and directories currently installed.) Removing vsftpd (3.0.3-12) ... Selecting previously unselected package update-inetd. (Reading database ... 17756 files and directories currently installed.) Preparing to unpack .../update-inetd_4.49_all.deb ... Unpacking update-inetd (4.49) ... Selecting previously unselected package openbsd-inetd. Preparing to unpack .../openbsd-inetd_0.20160825-4_amd64.deb ... Unpacking openbsd-inetd (0.20160825-4) ... Selecting previously unselected package pure-ftpd-common. Preparing to unpack .../pure-ftpd-common_1.0.47-3_all.deb ... Unpacking pure-ftpd-common (1.0.47-3) ... Selecting previously unselected package pure-ftpd. Preparing to unpack .../pure-ftpd_1.0.47-3_amd64.deb ... Unpacking pure-ftpd (1.0.47-3) ... Setting up pure-ftpd-common (1.0.47-3) ... Setting up update-inetd (4.49) ... Setting up openbsd-inetd (0.20160825-4) ... 
   Created symlink /etc/systemd/system/multi-user.target.wants/inetd.service → /lib/systemd/system/inetd.service.
   Setting up pure-ftpd (1.0.47-3) ...
   Installing new version of config file /etc/ftpusers ...
   Processing triggers for systemd (241-7~deb10u5) ...
   my@bash $

Configuration
^^^^^^^^^^^^^

As we saw during installation, a new /etc/ftpusers was provided (the list of system accounts that must never log in via FTP):

.. highlight:: shell-session

::

   my@bash $ cat /etc/ftpusers
   # /etc/ftpusers: list of users disallowed FTP access.
   root
   daemon
   bin
   sys
   sync
   games
   man
   lp
   mail
   news
   uucp
   proxy
   majordom
   postgres
   www-data
   backup
   msql
   operator
   list
   irc
   nobody
   my@bash $

Since we want anonymous login, we have to take care of the ``ftp`` account; pure-ftpd serves anonymous users from that account's home directory:

.. highlight:: shell-session

::

   my@bash $
   my@bash $ grep ftp /etc/passwd
   my@bash $
   my@bash $ ## >> The package maintainer ships the daemon WITHOUT such an account! (in our case 'ftp' was removed)
   my@bash $
   my@bash $ ## Hence anonymous login is NOT possible. (The first attempt below fails for a different
   my@bash $ ## reason: the packaged service still holds port 21.)
   my@bash $ /usr/sbin/pure-ftpd -4 -e
   Unable to start a standalone server: Address already in use
   my@bash $
   my@bash $ pgrep -alfi ftp
   1708 pure-ftpd (SERVER)
   my@bash $
   my@bash $ systemctl stop pure-ftpd
   my@bash $
   my@bash $ /usr/sbin/pure-ftpd -4 -e
   ^Cmy@bash $
   my@bash $
   my@bash $ /usr/sbin/pure-ftpd -4 -e -A
   my@bash $ ## >> The server does start, but cannot serve anyone!
   my@bash $ ## (FTP client: "421 Unable to set up secure anonymous FTP")
   my@bash $

Create the user 'ftp' manually:

.. highlight:: shell-session

::

   my@bash $ useradd -d /srv/ftp -s /usr/sbin/nologin -c "Anonymous FTP User" -r ftp
   my@bash $
   my@bash $ grep ^ftp /etc/passwd
   ftp:x:998:998:Anonymous FTP User:/srv/ftp:/usr/sbin/nologin
   my@bash $
   my@bash $ ## >> Thanks to -r, --system the user and group ID are below 1000.
   my@bash $
   my@bash $ ls -la /srv/ftp
   total 4
   drwxr-xr-x 1 root 113  28 Dec 21 10:14 .
   drwxr-xr-x 1 root root 82 Dec 21 08:53 ..
   -rw-r--r-- 1 root root 11 Dec 21 10:14 willkommen.txt
   my@bash $
   my@bash $ ## >> The GID of the former FTP user shows up (113 is only a number now; that group no longer exists)!
   my@bash $ ## Hence:
   my@bash $ chgrp ftp /srv/ftp
   my@bash $
   my@bash $ ls -ld /srv/ftp
   drwxr-xr-x 1 root ftp 28 Dec 21 10:14 /srv/ftp
   my@bash $

Start the server again and test. The options: ``-4`` IPv4 only, ``-e`` anonymous only, ``-A`` chroot everyone, ``-c 3`` at most three clients, ``-d`` verbose log, ``-B`` daemonize (the complete list is in the ``--help`` output further down). Note the first ``ls``: the client host is multi-homed, and the ftp client announced its 10.1.1.3 address in the ``PORT`` command while the control connection came from 192.168.2.103. pure-ftpd refuses to open a data connection to any address other than the control peer; this is its protection against the FTP bounce attack (abusing the server to connect to third hosts). After switching to passive mode the listing works:

.. highlight:: shell-session

::

   my@bash $ /usr/sbin/pure-ftpd -4 -e -A -c 3 -d -B
   my@bash $
   my@bash $ ftp 192.168.2.232
   Connected to 192.168.2.232.
   220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
   220-You are user number 1 of 3 allowed.
   220-Local time is now 12:26. Server port: 21.
   220-Only anonymous FTP is allowed here
   220 You will be disconnected after 15 minutes of inactivity.
   Name (192.168.2.232:root): ftp
   230 Anonymous user logged in
   Remote system type is UNIX.
   Using binary mode to transfer files.
   ftp> ls
   500 I won’t open a connection to 10.1.1.3 (only to 192.168.2.103)
   ftp: bind: Address already in use
   ftp> passive
   Passive mode on.
   ftp>
   ftp> ls
   227 Entering Passive Mode (192,168,2,232,103,91)
   150 Accepted data connection
   -rw-r--r--    1 0          0                  11 Dec 21 10:14 willkommen.txt
   226-Options: -l
   226 1 matches total
   ftp>
   ftp> get willkommen.txt
   local: willkommen.txt remote: willkommen.txt
   227 Entering Passive Mode (192,168,2,232,91,28)
   150 Accepted data connection
   226-File successfully transferred
   226 0.002 seconds (measured here), 6.73 Kbytes per second
   11 bytes received in 0.00 secs (14.2469 kB/s)
   ftp>
   ftp> by
   221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
   221 Logout.

.. highlight:: shell-session

::

   my@bash $
   my@bash $ /usr/sbin/pure-ftpd --help
   pure-ftpd v1.0.47 [privsep]
   -0 --notruncate
   -1 --logpid
   -2 --certfile
   -4 --ipv4only
   -6 --ipv6only
   -8 --fscharset
   -9 --clientcharset
   -A --chrooteveryone
   -a --trustedgid
   -b --brokenclientscompatibility
   -B --daemonize
   -C --maxclientsperip
   -c --maxclientsnumber
   -d --verboselog
   -D --displaydotfiles
   -e --anonymousonly
   -E --noanonymous
   -f --syslogfacility
   -F --fortunesfile
   -g --pidfile
   -G --norename
   -h --help
   -H --dontresolve
   -I --maxidletime
   -i --anonymouscantupload
   -j --createhomedir
   -K --keepallfiles
   -k --maxdiskusagepct
   -l --login
   -L --limitrecursion
   -M --anonymouscancreatedirs
   -m --maxload
   -N --natmode
   -n --quota
   -o --uploadscript
   -O --altlog
   -p --passiveportrange
   -P --forcepassiveip
   -q --anonymousratio
   -Q --userratio
   -r --autorename
   -R --nochmod
   -s --antiwarez
   -S --bind
   -t --anonymousbandwidth
   -T --userbandwidth
   -U --umask
   -u --minuid
   -V --trustedip
   -w --allowuserfxp
   -W --allowanonymousfxp
   -x --prohibitdotfileswrite
   -X --prohibitdotfilesread
   -y --peruserlimits
   -Y --tls
   -J --tlsciphersuite
   -z --allowdotfiles
   -Z --customerproof
   my@bash $

Helper programs
^^^^^^^^^^^^^^^

See p. 474 f.

.. highlight:: shell-session

::

   my@bash $ /usr/sbin/pure-ftpd -4 -e -A -c 3 -B
   my@bash $
   my@bash $ pure-ftpwho
   +------+---------+-------+------+-------------------------------------------+
   | PID  |  Login  |For/Spd| What |                  File/IP                  |
   +------+---------+-------+------+-------------------------------------------+
   | 1781 | ftp     | 00:00 | IDLE |                                           |
   |  ''  |   ''    |  ''   |  ''  | -> 192.168.2.103                          |
   +------+---------+-------+------+-------------------------------------------+
   my@bash $
   my@bash $ pure-ftpd-control stop
   [ ok ] Stopping pure-ftpd (via systemctl): pure-ftpd.service.
   my@bash $
   my@bash $ pure-ftpd-control status
   ● pure-ftpd.service
      Loaded: loaded (/etc/init.d/pure-ftpd; generated)
      Active: inactive (dead) since Mon 2020-12-21 12:12:49 CET; 21min ago
        Docs: man:systemd-sysv-generator(8)
     Process: 1736 ExecStop=/etc/init.d/pure-ftpd stop (code=exited, status=0/SUCCESS)

   Dec 21 12:04:05 deb2 systemd[1]: Starting pure-ftpd.service...
   Dec 21 12:04:06 deb2 pure-ftpd[1698]: Starting ftp server: Running: /usr/sbin/pure-f…GH -B
   Dec 21 12:04:06 deb2 systemd[1]: Started pure-ftpd.service.
   Dec 21 12:12:49 deb2 systemd[1]: Stopping pure-ftpd.service...
   Dec 21 12:12:49 deb2 pure-ftpd[1736]: Stopping ftp server: pure-ftpd.
   Dec 21 12:12:49 deb2 systemd[1]: pure-ftpd.service: Succeeded.
   Dec 21 12:12:49 deb2 systemd[1]: Stopped pure-ftpd.service.
   Hint: Some lines were ellipsized, use -l to show in full.
   my@bash $

Note what the status output tells us: ``pure-ftpd-control`` only talks to the systemd unit, and that unit has been inactive since our ``systemctl stop pure-ftpd`` at 12:12:49. The instance we started by hand with ``-B`` (the one ``pure-ftpwho`` reported with PID 1781) is not managed by the unit and keeps running; it has to be stopped separately, e.g. with ``pkill pure-ftpd``.

.. highlight:: shell-session

::

   my@bash $ pure-pw useradd www -u 1000 -g 1000 -d /www
   Password:
   Enter it again:
   my@bash $
   my@bash $ cat /etc/pure-ftpd/pureftpd.passwd
   www:$6$X7cfQjxzUwEGfmP0$c1VOXieNUC4b1CE5qKT6q4DArjzdPiECfFqhqMLbZRM5adMe5CwQMbsnoYDZmIH2X5zK8FioDXHuLFmilyfRm/:1000:1000::/www/./::::::::::::
   my@bash $
   my@bash $ ## >> Good to know: virtual users are relatively easy to create.

Three details of this record matter. The ``-u 1000 -g 1000`` are the real system uid/gid the daemon switches to when this virtual user touches the filesystem, and they must not be below ``MinUID`` (1000 in the packaged ``conf/`` directory below), so 1000 is the lowest value this setup accepts. The ``/./`` at the end of the home directory is the marker that makes pure-ftpd chroot the user at that point (here: chroot to ``/www``). And the text file is not what the daemon reads: the configuration points to ``PureDB:/etc/pure-ftpd/pureftpd.pdb``, which has to be rebuilt with ``pure-pw mkdb`` after every change (or by adding ``-m`` to the ``pure-pw useradd``/``usermod`` call). On Debian, additionally, an authentication backend is only active if a symlink for it exists in ``/etc/pure-ftpd/auth/``; check that one for PureDB is present before testing the login.

Configuration files
^^^^^^^^^^^^^^^^^^^

The scheme here is somewhat unusual: there are a number of important files whose file name is the configuration directive, and the file itself contains nothing but the value:

.. highlight:: shell-session

::

   my@bash $ grep -r -v --color '^#\|^$' /etc/pure-ftpd/
   /etc/pure-ftpd/conf/AltLog:clf:/var/log/pure-ftpd/transfer.log
   /etc/pure-ftpd/conf/FSCharset:UTF-8
   /etc/pure-ftpd/conf/MinUID:1000
   /etc/pure-ftpd/conf/NoAnonymous:yes
   /etc/pure-ftpd/conf/PAMAuthentication:yes
   /etc/pure-ftpd/conf/PureDB:/etc/pure-ftpd/pureftpd.pdb
   /etc/pure-ftpd/conf/TLSCipherSuite:HIGH
   /etc/pure-ftpd/conf/UnixAuthentication:no
   /etc/pure-ftpd/pure-ftpd.conf:ChrootEveryone yes
   /etc/pure-ftpd/pure-ftpd.conf:BrokenClientsCompatibility no
   /etc/pure-ftpd/pure-ftpd.conf:MaxClientsNumber 50
   /etc/pure-ftpd/pure-ftpd.conf:Daemonize yes
   /etc/pure-ftpd/pure-ftpd.conf:MaxClientsPerIP 8
   /etc/pure-ftpd/pure-ftpd.conf:VerboseLog no
   /etc/pure-ftpd/pure-ftpd.conf:DisplayDotFiles yes
   /etc/pure-ftpd/pure-ftpd.conf:AnonymousOnly no
   /etc/pure-ftpd/pure-ftpd.conf:NoAnonymous no
   /etc/pure-ftpd/pure-ftpd.conf:SyslogFacility ftp
   /etc/pure-ftpd/pure-ftpd.conf:DontResolve yes
   /etc/pure-ftpd/pure-ftpd.conf:MaxIdleTime 15
   /etc/pure-ftpd/pure-ftpd.conf:LimitRecursion 10000 8
   /etc/pure-ftpd/pure-ftpd.conf:AnonymousCanCreateDirs no
   /etc/pure-ftpd/pure-ftpd.conf:MaxLoad 4
   /etc/pure-ftpd/pure-ftpd.conf:AntiWarez yes
   /etc/pure-ftpd/pure-ftpd.conf:Umask 133:022
   /etc/pure-ftpd/pure-ftpd.conf:MinUID 100
   /etc/pure-ftpd/pure-ftpd.conf:AllowUserFXP no
   /etc/pure-ftpd/pure-ftpd.conf:AllowAnonymousFXP no
   /etc/pure-ftpd/pure-ftpd.conf:ProhibitDotFilesWrite no
   /etc/pure-ftpd/pure-ftpd.conf:ProhibitDotFilesRead no
   /etc/pure-ftpd/pure-ftpd.conf:AutoRename no
   /etc/pure-ftpd/pure-ftpd.conf:AnonymousCantUpload no
   /etc/pure-ftpd/pure-ftpd.conf:MaxDiskUsage 99
   /etc/pure-ftpd/pure-ftpd.conf:CustomerProof yes
   /etc/pure-ftpd/pureftpd.passwd:www:$6$X7cfQjxzUwEGfmP0$c1VOXieNUC4b1CE5qKT6q4DArjzdPiECfFqhqMLbZRM5adMe5CwQMbsnoYDZmIH2X5zK8FioDXHuLFmilyfRm/:1000:1000::/www/./::::::::::::
   my@bash $

The Debian init script does not start ``/usr/sbin/pure-ftpd`` directly but ``pure-ftpd-wrapper``, which turns every file in ``conf/`` into the matching command-line option; that is the long ``Running: /usr/sbin/pure-f…GH -B`` line in the unit's log above. The upstream-style ``pure-ftpd.conf`` the grep also found is not read by that wrapper, so its ``MinUID 100`` does not compete with ``conf/MinUID`` = 1000: for the packaged service only the ``conf/`` values count. ``conf/NoAnonymous:yes`` is also why the service as shipped refuses anonymous users; our manual runs with ``-e`` simply bypassed it.

See also:

- https://www.debinux.de/2013/10/schnell-pure-ftpd-fuer-www-data/
- https://download.pureftpd.org/pub/pure-ftpd/doc/README.Virtual-Users
- https://wiki.archlinux.org/index.php/Pure-FTPd

Setting up proftpd
------------------

For this further FTP server see p. 476 as well as https://www.ionos.de/digitalguide/server/konfiguration/eigenen-debian-ftp-server-mit-proftpd-einrichten/

For LPI this server is of no particular interest.

Advantages:

- Supports virtual users (as does pure-ftpd)
- Additionally supports virtual hosts
- Modular design
- Fine-grained permissions

Disadvantages:

- Larger memory footprint
- The high flexibility comes at the expense of security!
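Both servers in the last two sections support virtual users. For pure-ftpd the record format in ``pureftpd.passwd`` and the one-value-per-file ``conf/`` layout shown above are simple enough to check mechanically, which is useful before handing an account out. The following Python script is an added example, not code from these notes or from pure-ftpd: the field order follows README.Virtual-Users, the two records and the temporary ``conf/`` directory it audits are constructed, and the checks it applies (MinUID, the ``/./`` chroot marker, an empty hash, uid/gid 0) are this example's own selection.

```python
"""pure-ftpd virtual-user records and Debian's conf/ directory.

Added example for these notes, not pure-ftpd's own code. It parses a
pureftpd.passwd line into its 18 fields (order as in README.Virtual-Users),
reads settings the way the Debian conf/ directory stores them (file name =
directive, content = value) and flags records the daemon would refuse or that
would run without a chroot. All sample records and settings are constructed.
"""
from __future__ import annotations

import os
import tempfile

FIELDS = (
    "login", "password", "uid", "gid", "gecos", "home",
    "upload_bandwidth", "download_bandwidth", "upload_ratio", "download_ratio",
    "max_connections", "files_quota", "size_quota",
    "allowed_local_ips", "denied_local_ips",
    "allowed_client_ips", "denied_client_ips",
    "time_restrictions",
)


def parse_record(line: str) -> dict:
    """Split one pureftpd.passwd line; uid/gid become ints, everything else stays text."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["uid"] = int(rec["uid"])
    rec["gid"] = int(rec["gid"])
    return rec


def read_conf_dir(path: str) -> dict[str, str]:
    """Debian layout: every regular file in conf/ is one directive holding one value."""
    settings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8") as fh:
                settings[name] = fh.read().strip()
    return settings


def audit_record(rec: dict, settings: dict[str, str]) -> list[str]:
    """Return the reasons this record is unusable or unsafe (empty list = fine)."""
    problems = []
    min_uid = int(settings.get("MinUID", "0"))
    if rec["uid"] < min_uid:
        problems.append(f"uid {rec['uid']} is below MinUID {min_uid}; login would be refused")
    if rec["uid"] == 0 or rec["gid"] == 0:
        problems.append("record maps to uid/gid 0")
    if not rec["password"]:
        problems.append("empty password hash")
    chroot_everyone = settings.get("ChrootEveryone", "no").lower() == "yes"
    if not chroot_everyone and "/./" not in rec["home"]:
        problems.append("no /./ chroot marker in home and ChrootEveryone is off: "
                        "the user would see the whole filesystem")
    if not rec["home"].startswith("/"):
        problems.append("home directory is not absolute")
    return problems


def run_demo() -> dict:
    """Build a throw-away conf/ directory and audit two constructed records."""
    # Same shape as the www record in the notes, with a placeholder hash.
    good = "www:$6$constructedsalt$constructedhash:1000:1000::/www/./::::::::::::"
    # uid below MinUID and a home without the chroot marker.
    bad = "bob:$6$constructedsalt$constructedhash:500:500::/srv/bob::::::::::::"
    conf = tempfile.mkdtemp(prefix="pure-ftpd-conf-")
    demo_settings = {"MinUID": "1000", "NoAnonymous": "yes",
                     "PureDB": "/etc/pure-ftpd/pureftpd.pdb"}
    for name, value in demo_settings.items():
        with open(os.path.join(conf, name), "w", encoding="utf-8") as fh:
            fh.write(value + "\n")
    settings = read_conf_dir(conf)
    return {
        "settings": settings,
        "good": audit_record(parse_record(good), settings),
        "bad": audit_record(parse_record(bad), settings),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Pointing ``read_conf_dir`` at the real ``/etc/pure-ftpd/conf`` and the loop at the real ``pureftpd.passwd`` turns this into a quick pre-``pure-pw mkdb`` sanity check; the MinUID test is the one that silently bites when a record is created with a uid below the packaged default of 1000.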