FTP Login

**Nuxwin** · Oct 3rd 2016

I think that @Peter did not enable SSL for the services via the i-MSCP installer (setup dialog), or he did something bad after the i-MSCP installation (like trying to activate SSL manually).

ProFTPD, when configured by i-MSCP, doesn't use (doesn't include) the /etc/proftpd/tls.conf. The SSL configuration snippet is injected by the i-MSCP installer in the /etc/proftpd/proftpd.conf file at runtime, when you enable SSL for the services through the i-MSCP setup dialog.

See https://github.com/i-MSCP/imsc…proftpd/installer.pm#L470

Resulting /etc/proftpd/proftpd.conf file:

Code

root@jessie-lvm:/etc/proftpd# cat proftpd.conf
# Includes DSO modules (this is mandatory in proftpd 1.3)
Include /etc/proftpd/modules.conf
ServerName "jessie-lvm.bbox.nuxwin.com"
ServerType standalone
ServerIdent on "i-MSCP FTP server"
DeferWelcome off
UseIPv6 on
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
UseReverseDNS off
IdentLookups off
AllowStoreRestart on
AllowForeignAddress on
LogFormat traff "%b %u"
TimeoutLogin 120
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir message
ListOptions "-a" "strict"
DenyFilter \*.*/
DefaultRoot ~
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts 32768 60999
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 100
# Maximum number of clients allowed to connect per host.
MaxClientsPerHost none
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory /*>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 027 027
# Normally, we want files to be overwriteable.
AllowOverwrite on
HideNoAccess on
</Directory>
<Limit ALL>
IgnoreHidden on
</Limit>
# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
# UseSendFile off
<Global>
RootLogin off
TransferLog /var/log/proftpd/xferlog
PathDenyFilter "\.quota$"
</Global>
# Loading required modules
<IfModule !mod_sql.c>
LoadModule mod_sql.c
AuthOrder mod_sql.c
</IfModule>
<IfModule !mod_sql_mysql.c>
LoadModule mod_sql_mysql.c
</IfModule>
<IfModule !mod_quotatab.c>
LoadModule mod_quotatab.c
</IfModule>
<IfModule !mod_quotatab_sql.c>
LoadModule mod_quotatab_sql.c
</IfModule>
<IfModule !mod_tls.c>
LoadModule mod_tls.c
</IfModule>
# i-MSCP Quota management
<IfModule mod_quotatab.c>
QuotaEngine on
QuotaShowQuotas on
QuotaDisplayUnits Mb
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM quotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" quotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" quotatallies
QuotaLock /var/run/proftpd/tally.lock
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
</IfModule>
<IfModule mod_ratio.c>
# Ratios on
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>
# i-MSCP SQL Managment
<IfModule mod_sql.c>
SQLBackend mysql
SQLAuthTypes Crypt
SQLAuthenticate on
SQLConnectInfo imscp@localhost "vftp_user" "<password>"
SQLUserInfo ftp_users userid passwd uid gid homedir shell
SQLGroupInfo ftp_group groupname gid members
SQLMinUserUID 1001
SQLMinUserGID 1001
SQLUserWhereClause "status = 'ok'"
SQLNegativeCache on
</IfModule>
# ProFTPD behind NAT - Use public IP address
MasqueradeAddress <ip>
# SSL configuration
<IfModule mod_tls.c>
TLSEngine on
TLSRequired off
TLSLog /var/log/proftpd/ftp_ssl.log
TLSProtocol TLSv1
TLSOptions NoCertRequest NoSessionReuseRequired
TLSRSACertificateFile /etc/imscp/imscp_services.pem
TLSRSACertificateKeyFile /etc/imscp/imscp_services.pem
TLSVerifyClient off
</IfModule>
root@jessie-lvm:/etc/proftpd#

Display More

**kess** · Oct 3rd 2016

In effect the last lines of my proftpd.conf file looks like that:

Code

# SSL configuration<IfModule mod_tls.c> TLSEngine on TLSRequired off TLSLog /var/log/proftpd/ftp_ssl.log TLSProtocol TLSv1 TLSOptions NoCertRequest NoSessionReuseRequired TLSRSACertificateFile /etc/imscp/imscp_services.pem TLSRSACertificateKeyFile /etc/imscp/imscp_services.pem TLSVerifyClient off</IfModule>

but I have some problems while connecting through TLS...

If I set in tls.conf something like:

Code

#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_tls.c>
TLSEngine on
#TLSLog /var/log/proftpd/tls.log
#TLSProtocol SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
# -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
# -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
#
...
...
...

Display More

it works correctly.

That's strange, because it's declared before... I need to investigate deeper into that...

Anyway thank you for replying to the prev message.
Bye Kess.

**Nuxwin** · Oct 3rd 2016

@kess

Again, the /etc/proftpd/tls.conf file is not used by ProFTPD when configured by i-MSCP (not included).Therefore, you have surely done something else.

What is the result of the following command on your system

Shell-Script

grep -nr 'tls.conf' /etc/proftpd/

**kess** · Oct 3rd 2016

In effect it's strange that something different happens when I modify that file.
The result of the above command results empty, so it's not included nowhere...

Let me investigate deeper, I'll let you know if I find something.

Thx a lot,
bye Kess.

FTP Login

Share

Similar Threads

WHMCS Plugin: User password reset

Spammails - Server kompromittiert

Lets Encrypt SSL installieren mit dem iMSCP Plugin?

Daily visitors