
ProFTPD

What

The FTP server (ProFTPD) for anonymous users.
 
Where
 
On Solaris 10.

Installation 

It's easy to get one (from Blastwave) and install it using pkg-get. At the time of writing, the version is 1.3.2.

pkg-get -i proftpd will install all required dependencies and, if needed, ask you to update dependencies that are at old versions.

This kind of installation will also integrate proftpd into the Service Management Facility (SMF).

Check the following commands to make sure the installation went okay.
# svcs -a |grep ftp
disabled       Jan_31   svc:/network/ftp:default
online         10:21:12 svc:/network/cswproftpd:default

# svccfg
svc:> select cswproftpd
svc:/network/cswproftpd> listprop
general                      framework
general/single_instance      boolean  true
network                      dependency
network/entities             fmri     svc:/milestone/network:default
network/grouping             astring  require_all
network/restart_on           astring  error
network/type                 astring  service
filesystem-local             dependency
filesystem-local/entities    fmri     svc:/system/filesystem/local:default
filesystem-local/grouping    astring  require_all
filesystem-local/restart_on  astring  none
filesystem-local/type        astring  service
autofs                       dependency
autofs/entities              fmri     svc:/system/filesystem/autofs:default
autofs/grouping              astring  optional_all
autofs/restart_on            astring  error
autofs/type                  astring  service
start                        method
start/exec                   astring  "/opt/csw/lib/svc/method/svc-cswproftpd start"
start/timeout_seconds        count    18446744073709551615
start/type                   astring  method
stop                         method
stop/exec                    astring  "/opt/csw/lib/svc/method/svc-cswproftpd stop"
stop/timeout_seconds         count    18446744073709551615
stop/type                    astring  method
restart                      method
restart/exec                 astring  "/opt/csw/lib/svc/method/svc-cswproftpd restart"
restart/timeout_seconds      count    18446744073709551615
restart/type                 astring  method
svc:/network/cswproftpd>
The configuration file is usually /etc/opt/csw/proftpd/proftpd.conf. There are many ways to configure it, so this is just an example, not a recommendation. The most basic things to pay attention to are:

1. Have a user/group under which ProFTPD will run.
2. Have a user ftp for anonymous logins (do not give this account a shell).
3. Make sure you have a jailed (chrooted) directory for the anonymous user.
4. Don't forget to set up log files.
5. Decide whether you want to allow users to upload files or keep the FTP server read-only.

An example config file:
ServerName                      "ProFTPD for Googlux test"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port [command/control socket]
Port                            21
# Active FTP uses data socket on port 20
# Passive FTP uses data socket on server's unprivileged ports 
PassivePorts                    60000 60100

# Don't use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            nobody
Group                           nogroup

# The ScoreboardFile is used by proftpd for tracking information for each current FTP session.
ScoreboardFile  /var/proftpd/proftpd.scoreboard

# ------------------
# Logging
# -----------------

TransferLog     /var/log/proftpd/xfer.log

# Log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"

# Authentication logs
ExtendedLog     /var/log/proftpd/proftpd_auth.log

# Log everything
ExtendedLog     /var/log/proftpd/proftpd_all.log

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration.  If you do not want anonymous users,
# simply delete this entire section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  # .message must be present in each directory if you want to
  # see message when going to that particular directory
  DisplayChdir                  .message

  # WRITE is allowed here, so anonymous clients can upload into the chroot.
  # For a read-only server, use DenyAll instead of AllowAll.
  <Limit WRITE>
    AllowAll
    #DenyAll
  </Limit>
</Anonymous>
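An added example (not part of the original page or of ProFTPD) that parses the two log formats the config above produces, the ExtendedLog "default" LogFormat (%h %l %u %t "%r" %s %b) and the wu-ftpd style xferlog written by TransferLog, and flags the two things a defender wants to know from them: a PASS argument persisted to disk, and an incoming (upload) transfer made by an anonymous login. The sample lines are constructed in the same shape as this page's log excerpts.

```python
import re

# Constructed sample lines shaped like this page's log excerpts:
# ExtendedLog "default" LogFormat and TransferLog (wu-ftpd xferlog format).
SAMPLE_EXTENDED = [
    'ftpclient UNKNOWN nobody [11/Mar/2010:13:41:06 -0800] "USER anonymous" 331 -',
    'ftpclient UNKNOWN ftp [11/Mar/2010:13:41:11 -0800] "PASS someone@example.com" 230 -',
    'ftpclient UNKNOWN ftp [11/Mar/2010:13:41:13 -0800] "XPWD" 257 -',
]
SAMPLE_XFER = [
    "Thu Mar 11 13:15:54 2010 0 client_box 1499023 /ftp/nfs_performance.pdf b _ i a someone@example.com ftp 1 * c",
    "Thu Mar 11 13:20:02 2010 1 client_box 4096 /ftp/README b _ o a someone@example.com ftp 1 * c",
]

EXT_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def parse_extended(line):
    """Split one ExtendedLog line into its fields; None if it does not match."""
    m = EXT_RE.match(line)
    if not m:
        return None
    host, _ident, user, when, request, status, _size = m.groups()
    cmd, _, arg = request.partition(" ")  # %r is "COMMAND argument"
    return {"host": host, "user": user, "when": when, "cmd": cmd.upper(),
            "arg": arg, "status": int(status)}

def parse_xferlog(line):
    """Split one xferlog line (18 space-separated fields) into the fields we audit."""
    f = line.split()
    if len(f) != 18:
        return None
    return {"when": " ".join(f[:5]), "host": f[6], "bytes": int(f[7]), "path": f[8],
            "direction": f[11], "mode": f[12], "user": f[13], "status": f[17]}

def audit(extended_lines, xfer_lines):
    """Return (finding, host, detail) tuples: passwords written to disk, anonymous uploads."""
    findings = []
    for line in extended_lines:
        rec = parse_extended(line)
        if rec and rec["cmd"] == "PASS" and rec["arg"]:
            findings.append(("password-in-log", rec["host"], rec["arg"]))
    for line in xfer_lines:
        rec = parse_xferlog(line)
        # direction 'i' = incoming (upload), access mode 'a' = anonymous login
        if rec and rec["direction"] == "i" and rec["mode"] == "a":
            findings.append(("anonymous-upload", rec["host"], rec["path"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXTENDED, SAMPLE_XFER))
```

Run it against a real proftpd_all.log and xfer.log by feeding the file lines to audit(); anything it returns is worth reviewing against the Limit WRITE and logging choices made in the config.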
Notes about password

As you know, the FTP protocol sends the password over the network in clear text. If you want to verify that, use snoop to capture the packets; here is the confirmation.
ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 45 arrived at 10:55:32.37584
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 0:3:ba:35:59:xx,
ETHER:  Source      = 0:18:73:bc:19:xx,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 40 bytes
IP:   Identification = 45905
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 125 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 9af4
IP:   Source address = 192.168.25.91, ftpclient
IP:   Destination address = 192.168.20.222, ftp_server
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 3589
TCP:  Destination port = 21 (FTP)
TCP:  Sequence number = 321214489
TCP:  Acknowledgement number = 3850540064
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x18
TCP:        0... .... = No ECN congestion window reduced
TCP:        .0.. .... = No ECN echo
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 1... = Push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 65389
TCP:  Checksum = 0xfccc
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
FTP:  ----- FTP:   -----
FTP:
FTP:  "PASS zare@googlux.com\r\n"  THIS IS THE PASSWORD!!!! 
FTP:
The log file also captures the password.

# tail -f proftpd_all.log
ftpclient UNKNOWN nobody [11/Mar/2010:13:41:06 -0800] "USER anonymous" 331 -
ftpclient UNKNOWN ftp [11/Mar/2010:13:41:11 -0800] "PASS zare@googlux.com" 230 -
ftpclient UNKNOWN ftp [11/Mar/2010:13:41:13 -0800] "XPWD" 257 -

# cat xfer.log
Thu Mar 11 13:15:54 2010 0 client_box 1499023 /ftp/nfs_performance.pdf b _ i a zare@googlux.com ftp 1 * c

Notes about FTP data transfer mode

TCP port 21 is used for commands/control. For the server's data port there are two cases: active FTP and passive FTP.

Active FTP
1. The client starts talking to the server's port 21 from an unprivileged port (N > 1024).
2. The client listens on port N+1 (and sends the command PORT N+1 to the FTP server).
3. The server (from port 20) connects to the client's data port N+1.
Conclusion: here the server's data port is always TCP 20, the FTP server initiates the data connection to the client, and the client actively listens on data port N+1.

Passive FTP
1. The client starts talking to the FTP server from an unprivileged port (N > 1024) and opens a second port (N+1).
2. The client, from port N, talks to the server's port 21 and sends the command PASV.
3. The server knows the client is passive now, so it opens an unprivileged port (M > 1024) from the range defined in the config file (PassivePorts) and tells the client port M in its reply (227 Entering Passive Mode).
4. The client now sends data from its port N+1 to the server's port M.
Conclusion: here the client is in passive mode (it doesn't actively listen for the server's connection); the server sends its data port (not 20, but > 1024) and listens on it, so the client connects to that new data port and that's it.

Check this extract from snoop troubleshooting.
54   0.00191    server -> client FTP R port=4743 257 "/" is the curre
55   0.00054    client -> server FTP C port=4743 PASV\r\n
56   0.00155    server -> client FTP R port=4743 227 Entering Passive
57   0.00107    client -> server TCP D=60046 S=4744 Syn Seq=305790400 Len=0 Win=64240 Options=<mss 1460,nop,nop,sackOK>
58   0.00011    server -> client TCP D=4744 S=60046 Syn Ack=305790401 Seq=3710462999 Len=0 Win=49640 Options=<mss 1460,nop,nop,sackOK>
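The passive exchange above (PASV, the 227 reply, then the client's SYN to port 60046) and the active-mode PORT step, as an added example that is not part of the original page: it decodes the h1,h2,h3,h4,p1,p2 tuple both messages use and checks the advertised endpoint against the PassivePorts range and the peer address of the control connection, the check a firewall rule or IDS signature for this server would encode. The server and client IPs and the 60000-60100 range are taken from the page's config and capture; the 227 and PORT text is constructed.

```python
import re

# Assumed from the page's config and snoop capture: server IP, client IP, PassivePorts range.
SERVER_IP = "192.168.20.222"
CLIENT_IP = "192.168.25.91"
PASSIVE_RANGE = (60000, 60100)

# Both the 227 reply and the PORT command carry h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$")

def decode(groups):
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_227(reply):
    """Host and data port the server advertises in a 227 Entering Passive Mode reply."""
    m = PASV_RE.match(reply)
    return decode(m.groups()) if m else None

def parse_port(cmd):
    """Host and port the client asks the server to connect back to in a PORT command."""
    m = PORT_RE.match(cmd)
    return decode(m.groups()) if m else None

def check_passive(reply, server_ip=SERVER_IP, allowed=PASSIVE_RANGE):
    """Passive mode: the advertised endpoint must be the control-connection peer
    and lie inside the PassivePorts range the firewall was opened for."""
    parsed = parse_227(reply)
    if parsed is None:
        return False, "no usable 227 reply"
    host, port = parsed
    if host != server_ip:
        return False, f"advertised host {host} is not the control-connection peer"
    if not allowed[0] <= port <= allowed[1]:
        return False, f"port {port} outside PassivePorts {allowed[0]}-{allowed[1]}"
    return True, f"data connection goes to {host}:{port}"

def check_active(cmd, client_ip=CLIENT_IP):
    """Active mode: the server should only connect back to the client it is
    already talking to, and only to an unprivileged port (N+1 > 1024)."""
    parsed = parse_port(cmd)
    if parsed is None:
        return False, "no usable PORT command"
    host, port = parsed
    if host != client_ip:
        return False, f"PORT names {host}, not the client {client_ip}"
    if port <= 1024:
        return False, f"PORT names privileged port {port}"
    return True, f"server will connect from port 20 to {host}:{port}"
```

check_passive("227 Entering Passive Mode (192,168,20,222,234,142)") accepts the 60046 seen in the snoop extract; the same reply with a port outside 60000-60100 or a different host is rejected.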