Proftpd with Openssl and virtual users
For detailed info, look here http://forum.qnap.com/viewtopic.php?f=90&t=3499&p=16283 and here viewtopic.php?f=90&t=2851&p=16280
This is how I did it...
First install Optware/ IPKG
You need Optware/IPKG
- a. Go to administration web login and go to Applications - QPKG Center and install Optware, also read http://wiki.qnap.com/wiki/Install_Optware_IPKG
- b. Don't forget to enable Optware in administration web login - Applications - QPKG Center (click 'Enable' ) after installation and then restart the NAS. If you have not restarted, you need at least to do
PATH=$PATH:/opt/bin:/opt/sbin
Installing stuff
First I go to a temp folder (so the littering files stays here)
mkdir /opt/temp
cd /opt/temp
Install (to install perl, you can also do like this http://wiki.qnap.com/wiki/Perl_5.8.8_Installation )
/opt/bin/ipkg update
/opt/bin/ipkg install proftpd
/opt/bin/ipkg install perl
Get ftpasswd
From the source (I did this), find your favorite downloading/mirror site here http://www.proftpd.org/ or download from ftp://ftp.proftpd.org/distrib/source/ :
cd /opt/temp
wget ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/ftp.proftpd.net/devel/source/proftpd-cvs-20080226.tar.gz
tar xvfz proftpd-cvs-20080226.tar.gz
cp /opt/temp/proftpd-cvs-20080226/contrib/ftpasswd /opt/bin/
rm proftpd-cvs-20080226* -r
Or maybe you prefer to get it from castaglia.org? I guess you could do like this:
cd /opt/bin/
wget http://www.castaglia.org/proftpd/contrib/ftpasswd
chmod 700 ftpasswd
If you installed perl with ipkg, open ftpasswd and change it with (if you installed with http://wiki.qnap.com/wiki/Perl_5.8.8_Installation, you don't need to change it):
vi /opt/bin/ftpasswd
From:
#!/usr/bin/perl
To:
#!/opt/bin/perl
Make one virtual user to test with
mkdir /home/proftpusers
mkdir /home/proftpusers/bob
cd /opt/etc/ftpd
/opt/bin/ftpasswd --passwd --name=bob --uid=1001 --home=/home/proftpusers/bob --shell=/bin/false
Openssl
mkdir /opt/etc/openssl
chmod 600 /opt/etc/openssl
cd /opt/etc/openssl
touch sign.sh
vi sign.sh
I paste this into sign.sh:
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##
# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
*.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
* ) CERT="$CSR.crt" ;;
esac
# make sure environment exists
if [ ! -d ca.db.certs ]; then
mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
fi
# create an own SSLeay config
cat > ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
unique_subject = no
# default key expiry set to 5 years but can be changed
default_days = 1825
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT
# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT
# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# die gracefully
exit 0
Make sign.sh owned by root and executable
chown admin:administrators /opt/etc/openssl/sign.sh
chmod 700 /opt/etc/openssl/sign.sh
Creating the Keys and Certificates
openssl genrsa -des3 -out ca.key 1024
mv ca.key ca.key.orig
openssl rsa -in ca.key.orig -out ca.key
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
cp /opt/etc/openssl/ca.crt /opt/etc/ftpd/
openssl genrsa -des3 -out server.key 1024
mv server.key server.key.orig
openssl rsa -in server.key.orig -out server.key
cp /opt/etc/openssl/server.key /opt/etc/ftpd/
Prepare a certificate signing request (CSR). Important - when asked for a Common Name - enter localhost
openssl req -new -key server.key -out server.csr
./sign.sh server.csr
cp /opt/etc/openssl/server.crt /opt/etc/ftpd/
Setup proftpd
Create a user to run proftpd
addgroup nogroup
adduser -h /home/proftpusers/ -G nogroup -s /bin/false proftpduser
Lets change the config file, but first we do a backup of it:
cp /opt/etc/proftpd.conf /opt/etc/proftpd.conf.backup
vi /opt/etc/proftpd.conf
Change it to this:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "FTP"
ServerType standalone
DefaultServer on
WtmpLog off
#MasqueradeAddress ftp.yourdomain.com
# Port 21 is the standard FTP port.
Port 21
PassivePorts 50000 50019
UseReverseDNS off
IdentLookups off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 10
<Global>
RootLogin Off
RequireValidShell off
# Lets use our new virtual users
AuthUserFile /opt/etc/ftpd/ftpd.passwd
AuthOrder mod_auth_file.c
AllowStoreRestart on
# TransferRate RETR 25
# TransferRate APPE,STOR 100:2048
</Global>
# Set the user and group under which the server will run.
User proftpduser
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<IfModule mod_tls.c>
TLSEngine on
TLSLog /opt/var/proftpd/tls.log
# Set the TLSProtocol to one of the following
# SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
# SSLv3 - Use only SSL3
# TLSv1 - Use only TLS1
TLSProtocol SSLv23
# Clients are required to use FTP over SSL/TLS when talking to this server
# off - clients can connect using insecure FTP or secure FTP/SSL
# ctrl - encrypt only the ctrl channel using FTP/SSL
# data - encrypt only the data channel using FTP/SSL (not recommended)
# on - encrypt both the ctrl and data channels using FTP/SSL
TLSRequired ctrl
# Server's certificate
TLSRSACertificateFile /opt/etc/ftpd/server.crt
TLSRSACertificateKeyFile /opt/etc/ftpd/server.key
# CA the server trusts
TLSCACertificateFile /opt/etc/ftpd/ca.crt
# Authenticate clients that want to use FTP over SSL/TLS
# off - client SSL certificates are not requried
# on - client SSL certificates are required
TLSVerifyClient off
</IfModule>
Or if you want some logging, use this (I use this one):
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "FTP"
ServerType standalone
DefaultServer on
WtmpLog off
#MasqueradeAddress ftp.yourdomain.com
# Port 21 is the standard FTP port.
Port 21
PassivePorts 50000 50019
UseReverseDNS off
IdentLookups off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 10
# Logging options
#
TransferLog /opt/var/proftpd/xferlog.legacy
#
# Some logging formats
#
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
#
<Global>
RootLogin Off
RequireValidShell off
# Lets use our new virtual users
AuthUserFile /opt/etc/ftpd/ftpd.passwd
AuthOrder mod_auth_file.c
AllowStoreRestart on
# TransferRate RETR 25
# TransferRate APPE,STOR 100:2048
#
# Logging
# file/dir access
ExtendedLog /opt/var/proftpd/access.log WRITE,READ write
#
# Record all logins
ExtendedLog /opt/var/proftpd/auth.log AUTH auth
</Global>
# Set the user and group under which the server will run.
User proftpduser
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<IfModule mod_tls.c>
TLSEngine on
TLSLog /opt/var/proftpd/tls.log
# Set the TLSProtocol to one of the following
# SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
# SSLv3 - Use only SSL3
# TLSv1 - Use only TLS1
TLSProtocol SSLv23
# Clients are required to use FTP over SSL/TLS when talking to this server
# off - clients can connect using insecure FTP or secure FTP/SSL
# ctrl - encrypt only the ctrl channel using FTP/SSL
# data - encrypt only the data channel using FTP/SSL (not recommended)
# on - encrypt both the ctrl and data channels using FTP/SSL
TLSRequired ctrl
# Server's certificate
TLSRSACertificateFile /opt/etc/ftpd/server.crt
TLSRSACertificateKeyFile /opt/etc/ftpd/server.key
# CA the server trusts
TLSCACertificateFile /opt/etc/ftpd/ca.crt
# Authenticate clients that want to use FTP over SSL/TLS
# off - client SSL certificates are not requried
# on - client SSL certificates are required
TLSVerifyClient off
</IfModule>
Say you have a dir called 'uploads', where you like them to be able to upload files. Add this code just above </Global>
# An upload directory that allows storing files but not retrieving
# or creating directories.
<Limit WRITE>
DenyAll
</Limit>
<Directory /home/proftpusers/uploads/*>
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
If you get disconnection problems with your FTP client, as an example say you want to copy several files but after the first file the other files don't get copied. And you need to close and restart the client to continue and in your TLS log you see something like this:
Apr 18 05:27:33 mod_tls/2.4.3[12797]: client did not reuse SSL session, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
Then you can try to add
TLSOptions NoSessionReuseRequired
inside of
<IfModule mod_tls.c> ... </IfModule>
Don't forget:
- Pathnames in <Directory ...> must always be absolute (except inside <Anonymous>), and should not reference symbolic links
- You may need to do a 'chmod 777' on the directory for this to work (dirs where you don't want 'them' to write you can have chmod 755)
- After a change in proftpd.conf, restart proftpd ('ps' -> check the PID -> 'kill <pid>' -> '/opt/sbin/proftpd &'
About <Directory ...>
http://www.proftpd.org/docs/directives/linked/config_ref_Directory.html
About <Limit ...>
http://www.proftpd.org/docs/directives/linked/config_ref_Limit.html
-- More --
Configuration Directives by Functionality
http://www.castaglia.org/proftpd/doc/contrib/functional-directive-index.html
ProFTPD Configuration Directives By Context
http://www.castaglia.org/proftpd/doc/contrib/contextual-directive-index.html
EVEN MORE ----
Howtos, configs etc:
http://www.castaglia.org/proftpd/
Lets try it
/opt/sbin/proftpd &
Since 1.3.2 is available for Qnap ipkg, so any FileZilla client should work with these settings:
GENERAL
Servertype: FTPES - FTP over explicit TLS/SSL
Logontype: Normal
TRANSFER SETTINGS
Transfer mode: Active