List: proftpd-users
Subject: Re: [Proftpd-user] ProFTPD server sending PORT for passive on different IP address than contacted
From: Tony Stocker <akostocker () gmail ! com>
Date: 2021-02-04 18:11:24
Message-ID: CACLi31W583cp76EUzhD+ux8dsz17=ZP-=k9KAKW5cuSeKTRZ=g () mail ! gmail ! com
TJ
Okay, can you help me figure out what needs to be moved from our
Global/Server config into each of the VirtualHost definitions and what can
stay in the Global/Server definition portions? I've stripped out all of the
comments and anonymized the addresses & sundry; here's our current config
in its entirety:
---------------------------------------------------------------------------------------------
ServerName "PPX"
ServerType standalone
DefaultServer on
DefaultAddress 198.x.y.100 198.x.y.103 2001:4d0:x:y::64 2001:4d0:x:y::67
ServerIdent on "Server ready"
PidFile /NFS/local/ha_scripts/ourweb/proftpd/var/run/ourweb_proftpd.pid
ScoreboardFile /NFS/local/ha_scripts/ourweb/proftpd/var/run/ourweb_proftpd.scoreboard
DelayTable /NFS/local/ha_scripts/ourweb/proftpd/var/run/ourweb_proftpd.delay
DeferWelcome off
Port 21
TimeoutLogin 120
TimeoutIdle 300
TimeoutNoTransfer 600
TimeoutStalled 1800
PassivePorts 64000 65000
AllowForeignAddress off
UseIPv6 on
UseReverseDNS off
IdentLookups off
MaxInstances 300
User nobody
Group nobody
DefaultRoot ~ vrtftp
DefaultRoot ~ exxdis
AllowOverwrite on
TransferLog /var/log/proftpd/ftpdist_xferlog
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
LogFormat full "%{%Y%m%d:%T:%Z}t|%h|%v|%P|\"%r\"|%F|%s|%b|"
LogFormat fulluser "%{%Y%m%d:%T:%Z}t|%h|%U|%P|\"%r\"|%F|%s|%b|"
LogFormat debug "%{%Y%m%d:%T:%Z}t|%h||%P|\"%r\"|%F|%s|%b|***|%m|%J|%p|%S|%T|"
<Limit SITE_CHMOD>
  DenyAll
</Limit>
<Limit WRITE>
  Order allow, deny
  Deny from All
</Limit>
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/ourftp_tls.log
  TLSProtocol TLSv1.2
  TLSRequired auth
  TLSRSACertificateFile /NFS/local/etc/certs/Tcombined.crt
  TLSRSACertificateKeyFile /NFS/local/etc/certs/Tcombined.key
  TLSCACertificateFile /NFS/local/etc/certs/TcombinedIntermediateCA.crt
  TLSVerifyClient off
  TLSRenegotiate none
  TLSOptions NoSessionReuseRequired AllowClientRenegotiations
  TLSOptions EnableDiags
  TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA
</IfModule>
<Limit LOGIN>
  AllowGroup vrtftp
  AllowGroup ppxuser
  AllowUser thaeronline
  AllowUser dsc
  DenyAll
</Limit>
<Global>
  ServerIdent on "FTPS Server ready"
  DisplayConnect /etc/ftpissue
  DisplayLogin welcome.msg
  DisplayChdir readme true
  ExtendedLog /var/log/proftpd/ftpdist_access.log WRITE,READ write
  ExtendedLog /var/log/proftpd/ftpdist_auth.log AUTH auth
  ExtendedLog /var/log/proftpd/ftpdist_all.log ALL full
  ExtendedLog /var/log/proftpd/ourftp_alluser.log ALL fulluser
  ExtendedLog /var/log/proftpd/ourftp_debug.log ALL debug
  MaxClients 1000
  MaxClientsPerHost 100 "This IP address has too many open connections"
  MaxClientsPerUser 10 "This account has too many open connections"
  AllowForeignAddress off
  AuthUserFile /NFS/local/ha_scripts/ourweb/proftpd/etc/proftpd.virtualuser.passwd
  <IfGroup virtftp>
    <Limit WRITE>
      DenyAll
    </Limit>
  </IfGroup>
  <IfGroup ppxuser>
    <Limit WRITE>
      DenyAll
    </Limit>
  </IfGroup>
  <IfUser thaeronline>
    <Limit LOGIN>
      Order Allow,Deny
      Allow from 198.x.z.,198.x.y.,192.168.0.,127.0.0.1
      DenyAll
    </Limit>
  </IfUser>
</Global>
---------------------------------------------------------------------------------------------
Do I just move the addresses to separate blocks and put the MasqueradeAddress
definition in? Or do I also need to replicate the various Limit, IfGroup,
IfUser, IfModule, MaxClients*, and AuthUserFile declarations in each block?
I appreciate the help; since it's an in-use system, I don't have the luxury
of playing with the configuration and seeing what breaks and what works.
Thanks!
On Thu, Feb 4, 2021 at 11:07 AM TJ Saunders <tj@castaglia.org> wrote:
>
> > How can I force Proftpd to only respond and provide ports for the IP
> > address on which it was contacted and not just the first one in its
> > DefaultAddress setting?
>
> The way to configure this is to use explicit <VirtualHost> sections, one
> for each of the addresses. In each <VirtualHost> section, you would
> configure a MasqueradeAddress directive, which tells ProFTPD which address
> to send to clients -- who connect to that <VirtualHost> -- in the PASV/EPSV
> responses.
>
> Cheers,
> TJ
>
>
> _______________________________________________
> ProFTPD Users List <proftpd-users@proftpd.org>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html
>
--
Tony Stocker
-------------------------------------------------------------------
"There are no wrong turnings.
Only paths you had not known
you were meant to walk."
-------------------------------------------------------------------
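Added example, not from this thread or the ProFTPD project: the layout TJ describes, one <VirtualHost> per address with its own MasqueradeAddress, using the thread's anonymised 198.x.y.* placeholders. It assumes that the directives every server must share live in <Global>, which ProFTPD applies to the main server and to each <VirtualHost> (directives left in the main server context are not inherited by <VirtualHost> sections); it does not settle which of the poster's remaining directives belong where.

```apacheconf
# Added illustration, not the poster's live config: one <VirtualHost>
# per listening address, each advertising its own address in PASV.
# Addresses are the thread's anonymised placeholders (198.x.y.*).

ServerName     "PPX"
ServerType     standalone
DefaultServer  on
# The main server keeps only the first address; the others get
# explicit <VirtualHost> sections below.
DefaultAddress 198.x.y.100
Port           21
UseIPv6        on

<Global>
  # Applies to the main server and to every <VirtualHost>.
  # Directives left in the main server context (outside <Global>)
  # are not inherited by the <VirtualHost> sections, so the shared
  # data-port range belongs here.
  PassivePorts        64000 65000
  AllowForeignAddress off
  TimeoutIdle         300
  TimeoutNoTransfer   600
  TimeoutStalled      1800
</Global>

# Address sent in 227 PASV replies to clients of the main server.
MasqueradeAddress 198.x.y.100

<VirtualHost 198.x.y.103>
  ServerName        "PPX (198.x.y.103)"
  Port              21
  # Clients that connected to .103 get .103 back in PASV replies.
  MasqueradeAddress 198.x.y.103
</VirtualHost>

# The two IPv6 addresses from the thread would get their own
# <VirtualHost> sections in the same way.
```

After a reload, a PASV reply on each address should carry that address, with a port between 64000 and 65000.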