Glenn: catchg

2015-10-26T10:26:52Z

catchg

Admin: 1 revision imported

2015-06-22T00:58:48Z

1 revision imported

Raffe at 09:44, 20 April 2013

2013-04-20T09:44:47Z

New page

For detailed info, look here [http://forum.qnap.com/viewtopic.php?f=90&t=3499&p=16283 http://forum.qnap.com/viewtopic.php?f=90&t=3499&p=16283] and here [http://forum.qnap.com/viewtopic.php?f=90&t=2851&p=16280 viewtopic.php?f=90&t=2851&p=16280]

This is how I did it...

= First install Optware/ IPKG =

You need Optware/IPKG 

#a. Go to administration web login and go to Applications - QPKG Center and install Optware, also read [http://wiki.qnap.com/wiki/Install_Optware_IPKG http://wiki.qnap.com/wiki/Install_Optware_IPKG]
#b. Don't forget to enable Optware in administration web login - Applications - QPKG Center (click 'Enable' ) after installation and then restart the NAS. If you have not restarted, you need at least to do

<code>PATH=$PATH:/opt/bin:/opt/sbin</code> 

 

= Installing stuff =

First I go to a temp folder (so the littering files stays here)

<code>mkdir /opt/temp cd /opt/temp </code>

 

Install (to install perl, you can also do like this http://wiki.qnap.com/wiki/Perl_5.8.8_Installation )

<code>/opt/bin/ipkg update /opt/bin/ipkg install proftpd /opt/bin/ipkg install perl </code>

 

= Get ftpasswd =

From the source (I did this), find your favorite downloading/mirror site here http://www.proftpd.org/ or download from [ftp://ftp.proftpd.org/distrib/source/ ftp://ftp.proftpd.org/distrib/source/] :

<code>cd /opt/temp wget ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/ftp.proftpd.net/devel/source/proftpd-cvs-20080226.tar.gz tar xvfz proftpd-cvs-20080226.tar.gz cp /opt/temp/proftpd-cvs-20080226/contrib/ftpasswd /opt/bin/ rm proftpd-cvs-20080226* -r</code>

 Or maybe you prefer to get it from castaglia.org? I guess you could do like this:

<code>cd /opt/bin/ wget http://www.castaglia.org/proftpd/contrib/ftpasswd chmod 700 ftpasswd</code>

 If you installed perl with ipkg, open ftpasswd and change it with (if you installed with http://wiki.qnap.com/wiki/Perl_5.8.8_Installation, you don't need to change it):

 <code>vi /opt/bin/ftpasswd</code>

 From:

<code>#!/usr/bin/perl</code>

 To:

<code>#!/opt/bin/perl</code> 

 

= Make one virtual user to test with =

 <code>mkdir /home/proftpusers mkdir /home/proftpusers/bob cd /opt/etc/ftpd /opt/bin/ftpasswd --passwd --name=bob --uid=1001 --home=/home/proftpusers/bob --shell=/bin/false</code>

 

 

= Openssl =

 <code>mkdir /opt/etc/openssl chmod 600 /opt/etc/openssl cd /opt/etc/openssl touch sign.sh vi sign.sh</code> 

I paste this into sign.sh: 

<code> </code>
<pre>#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##
# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
*.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
* ) CERT="$CSR.crt" ;;
esac
# make sure environment exists
if [ ! -d ca.db.certs ]; then
mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
fi

# create an own SSLeay config
cat > ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
unique_subject = no
# default key expiry set to 5 years but can be changed
default_days = 1825
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0

</pre>
Make sign.sh owned by root and executable

<code> </code>

<code></code>

<code>chown admin:administrators /opt/etc/openssl/sign.sh
chmod 700 /opt/etc/openssl/sign.sh </code>

 

Creating the Keys and Certificates

<code> </code>

<code></code>

<code>openssl genrsa -des3 -out ca.key 1024
mv ca.key ca.key.orig
openssl rsa -in ca.key.orig -out ca.key
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
cp /opt/etc/openssl/ca.crt /opt/etc/ftpd/
openssl genrsa -des3 -out server.key 1024
mv server.key server.key.orig
openssl rsa -in server.key.orig -out server.key
cp /opt/etc/openssl/server.key /opt/etc/ftpd/ </code>

Prepare a certificate signing request (CSR). Important - when asked for a Common Name - enter localhost

<code>openssl req -new -key server.key -out server.csr
./sign.sh server.csr
cp /opt/etc/openssl/server.crt /opt/etc/ftpd/ </code>

= Setup proftpd =

Create a user to run proftpd

<code>addgroup nogroup adduser -h /home/proftpusers/ -G nogroup -s /bin/false proftpduser</code>

 

Lets change the config file, but first we do a backup of it:

<code>cp /opt/etc/proftpd.conf /opt/etc/proftpd.conf.backup vi /opt/etc/proftpd.conf</code> 

 

Change it to this: 
<pre> # This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "FTP"
ServerType standalone
DefaultServer on
WtmpLog off
#MasqueradeAddress ftp.yourdomain.com

# Port 21 is the standard FTP port.
Port 21
PassivePorts 50000 50019
UseReverseDNS off
IdentLookups off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 10

<Global>
RootLogin Off
RequireValidShell off
# Lets use our new virtual users
AuthUserFile /opt/etc/ftpd/ftpd.passwd
AuthOrder mod_auth_file.c
AllowStoreRestart on
# TransferRate RETR 25
# TransferRate APPE,STOR 100:2048
</Global>

# Set the user and group under which the server will run.
User proftpduser
Group nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.

<IfModule mod_tls.c>
TLSEngine on
TLSLog /opt/var/proftpd/tls.log
# Set the TLSProtocol to one of the following
# SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
# SSLv3 - Use only SSL3
# TLSv1 - Use only TLS1
TLSProtocol SSLv23

# Clients are required to use FTP over SSL/TLS when talking to this server
# off - clients can connect using insecure FTP or secure FTP/SSL
# ctrl - encrypt only the ctrl channel using FTP/SSL
# data - encrypt only the data channel using FTP/SSL (not recommended)
# on - encrypt both the ctrl and data channels using FTP/SSL
TLSRequired ctrl

# Server's certificate
TLSRSACertificateFile /opt/etc/ftpd/server.crt
TLSRSACertificateKeyFile /opt/etc/ftpd/server.key

# CA the server trusts
TLSCACertificateFile /opt/etc/ftpd/ca.crt

# Authenticate clients that want to use FTP over SSL/TLS
# off - client SSL certificates are not requried
# on - client SSL certificates are required
TLSVerifyClient off
</IfModule>

</pre>
Or if you want some logging, use this (I use this one): 
<pre> # This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "FTP"
ServerType standalone
DefaultServer on
WtmpLog off
#MasqueradeAddress ftp.yourdomain.com

# Port 21 is the standard FTP port.
Port 21
PassivePorts 50000 50019
UseReverseDNS off
IdentLookups off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 10

# Logging options
#
TransferLog /opt/var/proftpd/xferlog.legacy
#
# Some logging formats
#
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
#

<Global>
RootLogin Off
RequireValidShell off
# Lets use our new virtual users
AuthUserFile /opt/etc/ftpd/ftpd.passwd
AuthOrder mod_auth_file.c
AllowStoreRestart on
# TransferRate RETR 25
# TransferRate APPE,STOR 100:2048
#
# Logging
# file/dir access
ExtendedLog /opt/var/proftpd/access.log WRITE,READ write
#
# Record all logins
ExtendedLog /opt/var/proftpd/auth.log AUTH auth

</Global>

# Set the user and group under which the server will run.
User proftpduser
Group nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.

<IfModule mod_tls.c>
TLSEngine on
TLSLog /opt/var/proftpd/tls.log
# Set the TLSProtocol to one of the following
# SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
# SSLv3 - Use only SSL3
# TLSv1 - Use only TLS1
TLSProtocol SSLv23

# Clients are required to use FTP over SSL/TLS when talking to this server
# off - clients can connect using insecure FTP or secure FTP/SSL
# ctrl - encrypt only the ctrl channel using FTP/SSL
# data - encrypt only the data channel using FTP/SSL (not recommended)
# on - encrypt both the ctrl and data channels using FTP/SSL
TLSRequired ctrl

# Server's certificate
TLSRSACertificateFile /opt/etc/ftpd/server.crt
TLSRSACertificateKeyFile /opt/etc/ftpd/server.key

# CA the server trusts
TLSCACertificateFile /opt/etc/ftpd/ca.crt

# Authenticate clients that want to use FTP over SSL/TLS
# off - client SSL certificates are not requried
# on - client SSL certificates are required
TLSVerifyClient off
</IfModule>

</pre>
Say you have a dir called 'uploads', where you like them to be able to upload files. Add this code just above </Global> 
<pre> # An upload directory that allows storing files but not retrieving
# or creating directories.
<Limit WRITE>
DenyAll
</Limit>
<Directory /home/proftpusers/uploads/*>
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>

</pre>
 

If you get disconnection problems with your FTP client, as an example say you want to copy several files but after the first file the other files don't get copied. And you need to close and restart the client to continue and in your TLS log you see something like this:
<pre>Apr 18 05:27:33 mod_tls/2.4.3[12797]: client did not reuse SSL session, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
</pre>

Then you can try to add
<pre>TLSOptions NoSessionReuseRequired</pre>
inside of
<pre><IfModule mod_tls.c>
...
</IfModule></pre>
 

Don't forget:

*Pathnames in <Directory ...> must always be absolute (except inside <Anonymous>), and should not reference symbolic links
*You may need to do a 'chmod 777' on the directory for this to work (dirs where you don't want 'them' to write you can have chmod 755)
*After a change in proftpd.conf, restart proftpd ('ps' -> check the PID -> 'kill <pid>' -> '/opt/sbin/proftpd &' 

 

About <Directory ...> http://www.proftpd.org/docs/directives/linked/config_ref_Directory.html

About <Limit ...> http://www.proftpd.org/docs/directives/linked/config_ref_Limit.html

-- More -- Configuration Directives by Functionality http://www.castaglia.org/proftpd/doc/contrib/functional-directive-index.html

ProFTPD Configuration Directives By Context http://www.castaglia.org/proftpd/doc/contrib/contextual-directive-index.html

----

EVEN MORE ---- Howtos, configs etc: http://www.castaglia.org/proftpd/ 

= Lets try it =
<pre>/opt/sbin/proftpd & </pre>
 

Since 1.3.2 is available for Qnap ipkg, so any FileZilla client should work with these settings: '''GENERAL''' Servertype: FTPES - FTP over explicit TLS/SSL Logontype: Normal

'''TRANSFER SETTINGS'''

Transfer mode: Active

[[Category:Communications]] [[Category:FTP_Server]] [[Category:Installation_and_Setup]] [[Category:Miscellaneous]] [[Category:QPKG]] [[Category:Optware_IPKG]]

← Older revision		Revision as of 10:26, 26 October 2015
Line 451:		Line 451:


−	[[Category:Communications]] [[Category:FTP_Server]] ~~[[Category:Installation_and_Setup]] [[Category:Miscellaneous]]~~ [[Category:QPKG]] [[Category:Optware_IPKG]]	+	[[Category:Communications]]
		+	[[Category:FTP_Server]]
		+	[[Category:QPKG]]
		+	[[Category:Optware_IPKG]]

← Older revision	Revision as of 00:58, 22 June 2015
(No difference)

Proftpd with Openssl and virtual users - Revision history

Glenn: catchg

Admin: 1 revision imported

Raffe at 09:44, 20 April 2013