태그 Archives: proftpd

CentOS7 – proftpd 설정.

RHEL 7, CentOS 7 에서 epel 레포지트리 추가 후 proftpd 설치를 할경우.

기존 버전과 틀리게 proftpd-1.3.5b 가 설치된다. (CentOS6은 proftpd-1.3.3g)

문제는 conf 파일이 호환 되지 않아서 ‘ㅅ’a 기존 잘운영하건 conf를 복사해서 붙여넣을 경우 작동하지 않는다.

그래서 그냥.. 설정값 ‘ㅅ’a 업데이트 (그냥 무리없이 쓸수 있는 설정이다. 당연히 어나니머스 ftp는 사용 안함)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

# This is the ProFTPD configuration file

# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# (http://www.proftpd.org/docs/howto/Tracing.html)

#TraceLog /var/log/proftpd/trace.log

#Trace DEFAULT:0

ServerName "ProFTP"

ServerIdent on "FTP Server ready."

ServerAdmin root@localhost

DefaultServer on

##########################################################

MultilineRFC2228 on

ShowSymlinks on

RequireValidShell off

TimeoutNoTransfer 600

TimeoutStalled 600

TimeoutIdle 1200

Port 21

PassivePorts 40001 40002

MaxClientsPerHost 5

MaxLoginAttempts 5

MaxClients 50 "Too many connections"

TransferLog /var/log/xferlog

UseEncoding utf8 cp949

TimesGMT off

SetEnv TZ "Asia/Seoul"

AllowOverwrite on

#########################################################

DefaultRoot ~ !root

AuthPAMConfig proftpd

AuthOrder mod_auth_pam.c* mod_auth_unix.c

#PersistentPasswd off

UseReverseDNS off

User nobody

Group nobody

MaxInstances 50

UseSendfile off

LogFormat default "%h %l %u %t \"%r\" %s %b"

LogFormat auth "%v [%P] %h %t \"%r\" %s"

#LoadModule mod_sql.c

#LoadModule mod_sql_passwd.c

#LoadModule mod_sql_mysql.c

#LoadModule mod_sql_postgres.c

#LoadModule mod_quotatab.c

#LoadModule mod_quotatab_file.c

#LoadModule mod_quotatab_sql.c

#LoadModule mod_ldap.c

#LoadModule mod_quotatab_ldap.c

#LoadModule mod_radius.c

#LoadModule mod_quotatab_radius.c

#LoadModule mod_copy.c

#LoadModule mod_deflate.c

#LoadModule mod_exec.c

#LoadModule mod_facl.c

#LoadModule mod_geoip.c

#LoadModule mod_ifversion.c

#LoadModule mod_load.c

#LoadModule mod_ratio.c

#LoadModule mod_rewrite.c

#LoadModule mod_sftp.c

#LoadModule mod_sftp_pam.c

#LoadModule mod_sftp_sql.c

#LoadModule mod_shaper.c

#LoadModule mod_site_misc.c

#LoadModule mod_tls_shmcache.c

#LoadModule mod_tls_memcache.c

#LoadModule mod_wrap.c

#LoadModule mod_wrap2.c

#LoadModule mod_wrap2_file.c

#LoadModule mod_wrap2_sql.c

LoadModule mod_vroot.c

#LoadModule mod_ifsession.c

LoadModule mod_ctrls_admin.c

ModuleControlsACLs insmod,rmmod allow user root

ModuleControlsACLs lsmod allow user *

# Enable basic controls via ftpdctl

ControlsEngine on

ControlsACLs all allow user root

ControlsSocketACL allow user *

ControlsLog /var/log/proftpd/controls.log

# Enable admin controls via ftpdctl

AdminControlsEngine on

AdminControlsACLs all allow user root

</IfModule>

# Enable mod_vroot by default for better compatibility with PAM

VRootEngine on

</IfModule>

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)

#<IfDefine TLS>

TLSEngine on

TLSRequired off

TLSRSACertificateFile /etc/ssl/private/proftpd.pem

TLSRSACertificateKeyFile /etc/ssl/private/proftpd.pem

TLSProtocol SSLv23

TLSCipherSuite ALL:!ADH:!DES

TLSOptions NoCertRequest

TLSVerifyClient off

TLSRenegotiate ctrl 3600 data 512000 required off timeout 300

# TLSLog /var/log/proftpd/tls.log

TLSSessionCache shm:/file=/var/run/proftpd/sesscache

</IfModule>

#</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)

LoadModule mod_ban.c

BanEngine on

BanLog /var/log/proftpd/ban.log

BanTable /var/run/proftpd/ban.tab

BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

BanMessage "Host %a has been banned"

BanControlsACLs all allow user ftpadm

</IfDefine>

# Set networking-specific "Quality of Service" (QoS) bits on the packets used

LoadModule mod_qos.c

QoSOptions dataqos throughput ctrlqos lowdelay

#QoSOptions dataqos CS2 ctrlqos AF41

</IfDefine>

# Global Config - config common to Server Config and all virtual hosts

Umask 022

AllowOverwrite yes

AllowAll

</Limit>

</Global>

# A basic anonymous configuration, with an upload directory

#<IfDefine ANONYMOUS_FTP>

# <Anonymous ~ftp>

# User ftp

# Group ftp

# AccessGrantMsg "Anonymous login ok, restrictions apply."

# UserAlias anonymous ftp

# MaxClients 10 "Sorry, max %m users -- try again later"

# #DefaultChdir /pub

# DisplayLogin /welcome.msg

# DisplayChdir .message

# DisplayReadme README*

# DirFakeUser on ftp

# DirFakeGroup on ftp

# <Limit WRITE SITE_CHMOD>

# DenyAll

# </Limit>

# <IfModule mod_vroot.c>

# <Directory /uploads/*>

# AllowOverwrite no

# <Limit READ>

# DenyAll

# </Limit>

# <Limit STOR>

# AllowAll

# </Limit>

# </Directory>

# </IfModule>

# <IfModule !mod_vroot.c>

# <Directory uploads/*>

# AllowOverwrite no

# <Limit READ>

# DenyAll

# </Limit>

# <Limit STOR>

# AllowAll

# </Limit>

# </Directory>

# </IfModule>

# WtmpLog off

# ExtendedLog /var/log/proftpd/access.log WRITE,READ default

# ExtendedLog /var/log/proftpd/auth.log AUTH auth

# </Anonymous>

#</IfDefine>

기존과 틀려진 부분은 기존에 Certificate 와 Key 를 구분하여 받아 들였는데 pure-ftpd 처럼 한파일로 받는다.
TLS 설정을 안한경우 TLSEngine off 로 한다.

FTP용 인증서 발급 방법은 TLS통신을 위한 Public Certificate 발급&갱신을 확인 한당 ‘ㅅ’a

TLS통신을 위한 Public Certificate 발급&갱신

dovecot, sendmail, proftpd, pure-ftpd 를 위한 개인인증서 발급 혹은 갱신용 스크립트 이다.

#!/bin/bash

check_cert="/etc/pki/tls/certs/sendmail.pem"

make_cert() {

cd /etc/pki/tls/certs

ln -s /etc/pki/tls/certs /etc/ssl/private 2>/dev/null

ssl_cnf_temp="/tmp/openssl_temp.cnf"

echo "KR" > $ssl_cnf_temp

echo "Seoul" >> $ssl_cnf_temp

echo "company_name" >> $ssl_cnf_temp

echo "system_engineer_team" >> $ssl_cnf_temp

echo "$HOSTNAME" >> $ssl_cnf_temp

echo "engineer@xxxxxxx.com" >> $ssl_cnf_temp

make sendmail.pem < /tmp/openssl_temp.cnf 2>/dev/null # sendmail.pem

cat sendmail.pem > pure-ftpd.pem # pure-ftpd.pem

openssl req `locale -c LC_CTYPE -k|grep -q charmap.*UTF-8 && echo -utf8` \

-newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key \

-nodes -x509 -days 365 -out /etc/ssl/private/proftpd.crt \

-set_serial 0 < $ssl_cnf_temp 2>/dev/null # proftpd.key, proftpd.crt

cd /etc/mail

make

/etc/init.d/sendmail restart

/etc/init.d/dovecot restart

rm -f $ssl_cnf_temp

}

if [[ -e $check_cert ]];then

cert_expire=`openssl x509 -noout -text -in $check_cert|awk '/Not After :/{print $4,$5,$7}'`

cert_expire_date=`date +"%Y%m%d" -d "$cert_expire"`

two_weeks_after=`date +"%Y%m%d" -d "2 weeks"`

if [[ $two_weeks_after -gt $cert_expire_date ]];then

make_cert;

else

make_cert;

스크립트 설명 : sendmail.pem 인증서의 만료일 2주 미만으로 남았거나 인증서가 없으면 생성해준다.

cron 에 등록하여 일주일에 한번 정도씩 돌려주면 개인인증서 갱신 걱정 없이 사용할 수 있겠다.

vi /etc/cron.weekly/public_cert_make.sh 이런 위치에 넣어두면 일주일에 한번씩 돈다 ‘ㅅ’a

chmod 700 /etc/cron.weekly/public_cert_make.sh 해둬야 돈다 . 잊지 말자.

아래 설정값은 플레인 로그인을 막는 설정이 아니다.

1. dovecot – STARTTLS 설정( /etc/dovecot/conf.d/10-ssl.conf )

ssl = yes

ssl_cert = </etc/pki/tls/certs/sendmail.pem

ssl_key = </etc/pki/tls/certs/sendmail.pem

ssl_ca = </etc/pki/tls/certs/ca-bundle.crt

평문 패스워드 막는건 /etc/dovecot/conf.d/10-auth.conf 파일의 disable_plaintext_auth 옵션이다.

2. sendmail – STARTTLS 설정( /etc/mail/sendmail.mc )

1 2	~]# cd /etc/mail ~]# vi sendmail.mc

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl

define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl

define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl

define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

dnl define(`confAUTH_OPTIONS', `A p')dnl

confAUTH_OPTIONS 는 주석 처리 해버린다 ‘ㅅ’a

1 2	~]# make ~]# /etc/init.d/sendmail restart

평문 패스워드 막는건 define(confAUTH_OPTIONS', A p’)dnl 이렇게 주석 제거 하고 하면 된다.

( TLS연결 테스트 : https://starttls.info ) 혹은 아래 명령어.

1 2	~]# openssl s_client -starttls smtp -connect localhost:25 ~]# openssl s_client -starttls pop3 -connect localhost:110

3. proftpd – FTP over TLS 설정( /etc/proftpd.conf )

TLSEngine on

TLSProtocol SSLv23

TLSOptions NoCertRequest AllowClientRenegotiations

TLSRSACertificateFile /etc/pki/tls/certs/proftpd.crt

TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.key

TLSVerifyClient on

TLSRequired off

</IfModule>

평문 패스워드 막는건 TLSRequired 값을 on 으로 하면 된다.

4. pure-ftpd – FTP over TLS 설정( /etc/pure-ftpd/pure-ftpd.conf )

TLS 1

평문 패스워드 막는건 TLS 값을 2 으로 하면 된다.

yum을 이용한 proftpd 설치 및 설정 (centos6)

1. yum 설치 및 selinux 끄기.

~]# yum -y install epel-release

~]# yum -y install proftpd

~]# setsebool -P ftpd_use_passive_mode on

~]# setsebool -P ftp_home_dir on

~]# setenforce 0

2. /etc/pam.d/proftpd 설정

#%PAM-1.0

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

auth include system-auth

auth required pam_shells.so

account include system-auth

session include system-auth

session required pam_loginuid.so

3. TLS 통신 활성화를 위한 퍼블릭키 생성.

1	~]# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.key -out /etc/pki/tls/certs/proftpd.crt

4. /etc/proftpd.conf 설정.

# Includes DSO modules

# Include /etc/proftpd/modules.conf

UseIPv6 off

IdentLookups off

ServerName "ProFTP"

ServerType standalone

ServerIdent on "ProFTPD [x.x.x] Server"

DeferWelcome off

MultilineRFC2228 on

DefaultServer on

ShowSymlinks on

TimeoutNoTransfer 600

TimeoutStalled 600

TimeoutIdle 1200

DisplayLogin welcome.msg

DisplayChdir .message true

DenyFilter \*.*/

DefaultRoot ~ !root

RequireValidShell off

AuthUserFile /etc/passwd

AuthGroupFile /etc/group

Port 21

PassivePorts 50001 50060

MaxClientsPerHost 5

MaxLoginAttempts 5

MaxClients 30 "Too many connections"

MaxInstances 30

User root

Group nobody

Umask 022

AllowOverwrite on

TransferLog /var/log/xferlog

SystemLog /var/log/secure

LogFormat default "%h %l %u %t \"%r\" %s %b"

LogFormat auth "%h %l %u %t \"%r\" %s"

VRootOptions allowSymlinks

UseEncoding utf8 cp949

TimesGMT off

SetEnv TZ "Asia/Seoul"

TLSEngine on

TLSProtocol SSLv23

TLSOptions NoCertRequest AllowClientRenegotiations

TLSRSACertificateFile /etc/pki/tls/certs/proftpd.crt

TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.key

TLSVerifyClient on

TLSRequired off

</IfModule>

37번째줄 설정은 서버 인코딩셋에 따라 euckr cp949 으로 지정해야 할수 있다.

echo $LANG 로 서버 인코딩셋을 확인하거나 /etc/stsconfig/i18n 을 확인하거나 수정 후에 맞추어 준다.

설정은 system-auth 를 이용한 인증제 이며 FTP 및 FTP over TLS 을 지원, 최대 접속자수 30명, 한개의 IP에서 5개 동시접속 허용값이다.

umask 는 022 로 필요에 따라(아파치 보안정책) 027 등으로 교체해서 사용한다.

5. 데몬 시작 및 chkconfig 등록.

1 2	~]# /etc/init.d/proftpd start ~]# chkconfig --level 2345 proftpd on