Pure or Pro FTP, Just the facts please

[elor]

Hi,

I'm contemplating moving from pro to pureftp for security reasons and I'm looking for suggestions. I haven't seen anything recent in the boards about this except for possible proftp security issues.

1. Should I switch over?
2. Any pitfalls making the switch?
3. Any special settings you use in conf?

Thanks in advance.

cPanel.net Support Ticket Number:

[myusername]

One drawback is you have to resync the ftp passwords. e.g. If you reset the users cpanel pw it doesnt propagate on the fly to ftp, you have to use the resync the passwords link from whm.

Havent tried it lately though.

cPanel.net Support Ticket Number:

[NetX]

Pureftp is significantly faster and easy to configure.
You can setup a cron job to resync ftp passwords.
No problems switching from proftp
You can disable anonymous access just with this line in conf file:
NoAnonymous yes

(All conf options are pretty simple like this)

[goodmove]

Originally posted by NetX
Pureftp is significantly faster and easy to configure.
You can setup a cron job to resync ftp passwords.
No problems switching from proftp
You can disable anonymous access just with this line in conf file:
NoAnonymous yes

(All conf options are pretty simple like this)

What's the location of the pureftp conf file?

[NetX]

The path of is the pureftp conf file is:

/etc/pure-ftpd.conf

cPanel.net Support Ticket Number:

[goodmove]

Thanks for that, NetX.

Here are some simple ways to secure Proftpd (to a certain degree) and speed up the connections. In /etc/proftpd.conf:

Code:

# DisplayConnect /etc/issue.net
ServerName                      "ProFTPD"
AuthUserFile /etc/proftpd/passwd.vhosts
LogFormat BytesLog "%b"
ServerType                      standalone
DeferWelcome                    on
DefaultServer                   on
DefaultRoot ~ !wheel
MaxInstances                    50
ServerIdent on "FTP Server ready."
UseReverseDNS                   off
IdentLookups                    off
RequireValidShell               off
TimeoutLogin                    120
TimeoutNoTransfer               1800
TimeoutIdle                     1800
TimeoutStalled                  1800

Change the timeouts and the ServerName & ServerIdent messages inside the quote marks to your liking. Just a reminder: The less information in those messages about your server's identity, the better. You may also want to review the /etc/issue.net and modify it as needed. I have it commented out in my example.

[elor]

I made the switch and it went just fine. It pretty easy to configure. Only nit is, WHM still lists

Restart FTP (proFTP)

, no big deal.

Thanks.

cPanel.net Support Ticket Number:

[tAzMaNiAc]

To truly disable anonymous, u need to edit the pureftpd stuff in /etc/sysconfig. This is for linux servers..

FYI.

cPanel.net Support Ticket Number:

[anand]

Originally posted by tAzMaNiAc
To truly disable anonymous, u need to edit the pureftpd stuff in /etc/sysconfig. This is for linux servers..

FYI.

cPanel.net Support Ticket Number:

I remember seeing an option in WHM where you change your ftp server. There was an option earlier to disable Anonymous Access.

cPanel.net Support Ticket Number:

[ciphervendor]

If you're looking to really speed things up in proftp, increase security & logging--implement the following:

Code:

touch /var/log/proftp-access.log
touch /var/log/proftp-auth.log
touch /var/log/proftp-paranoid.log
chmod 0640 /var/log/proftp-*
chown root.root /var/log/proftp-*

Code:

touch /etc/logrotate.d/proftpd
chown root.root /etc/logrotate.d/proftpd
chmod 0640 /etc/logrotate.d/proftpd

The following 'code' should be placed in the newly created /etc/logrotate.d/proftpd

Code:

/var/log/proftp-access.log {
    create 0640 root root
    postrotate
    /usr/bin/killall -HUP proftpd
    endscript
}
/var/log/proftp-auth.log {
    create 0640 root root
    postrotate
    /usr/bin/killall -HUP proftpd
    endscript
}
/var/log/proftp-paranoid.log {
    create 0640 root root
    postrotate
    /usr/bin/killall -HUP proftpd
    endscript
}

This code should replace the cPanel proftpd.conf file in /etc. Be sure to only replace the config stuff near the top of the file (top of the file all the way to the bottom of the anonymous ftp config stuff), keeping your virtual ftp entries in place.

Code:

ServerName "FTP Service"
ServerType standalone
ServerAdmin admin@domain.com

DeferWelcome            on
DefaultServer           on
UseReverseDNS           off

Port                    21
MaxInstances            30
Umask                   022
TimeoutLogin            120
TimeoutIdle             600
TimeoutNoTransfer       900
TimeoutStalled          3600

LogFormat default       "%h %u %t \"%r\" %s %b"
LogFormat auth          "%h %t \"%r\" %s"
LogFormat write         "%h %u %t \"%r\" %s %b"
LogFormat BytesLog      "%b"

MultilineRFC2228        on

DisplayConnect          /etc/issue.net

DefaultRoot             ~ !wheel

User                    nobody
Group                   proftpd

AuthUserFile            /etc/proftpd/passwd.vhosts

<Global>
 DisplayLogin           welcome.msg
 DisplayFirstChdir      message
 MaxClients             30
 AllowOverwrite         on
 IdentLookups           off
 ExtendedLog            /var/log/proftp-access.log read,write
 ExtendedLog            /var/log/proftp-auth.log auth
 ExtendedLog            /var/log/proftp-paranoid.log all default
</Global>

<Directory /*>
  AllowOverwrite        on
</Directory>

<Anonymous ~ftp>

User                    ftp
Group                   ftp
UserAlias               anonymous ftp
UseFtpUsers             on
RequireValidShell       off
AnonRequirePassword     on 
HideUser                root
HideGroup               root

MaxClients              10  
DisplayLogin            welcome.msg
DisplayFirstChdir       .message

        <Limit LOGIN>
         AllowAll
        </Limit>

 <Directory public_ftp/incoming>

        <Limit STOR>
         AllowAll
        </Limit>

        <Limit WRITE DIRS READ>
         DenyAll
        </Limit>

        <Limit CWD XCWD CDUP>
         AllowAll
        </Limit>
 
 </Directory>
 
 <Directory /*>
 
        <Limit ALL>
         DenyAll
        </Limit>

 </Directory>
 
        <Limit WRITE>
         DenyAll
        </Limit>

</Anonymous>

I haven't really tested the anonymous FTP section of the above config since I don't have that enabled on the machines I admin. However if you have issues, remove:

Code:

  <Directory /*>
 
        <Limit ALL>
         DenyAll
        </Limit>

 </Directory>

from the above.

After all of these changes, killall -HUP proftpd as root. Also keep in mind that you can't use the enable/disable anonymous FTP feature in the FTP tweak settings feature in WHM as it will mess up my config. You will have to mod the config file manually.

[anand]

The tweaking part is cool, but can't we just choose the anonymous access from WHM ?? it will work right ??

If your settings are used to tweak proftp, will using the anonymous ftp option in whm break anything after we have tweaked conf file??

cPanel.net Support Ticket Number:

[ciphervendor]

Originally posted by anand
The tweaking part is cool, but can't we just choose the anonymous access from WHM ?? it will work right ??

Sure. It should work fine with a stock cPanel proftpd.conf

If your settings are used to tweak proftp, will using the anonymous ftp option in whm break anything after we have tweaked conf file??

You obviously didn't read my entire post and therefore shouldn't apply anything I've mentioned in my post.

cPanel.net Support Ticket Number:

[anand]

Originally posted by ciphervendor
Sure. It should work fine with a stock cPanel proftpd.conf You obviously didn't read my entire post and therefore shouldn't apply anything I've mentioned in my post.

cPanel.net Support Ticket Number: [/B]

I use pureftp on all my servers at present. I was curious about proftp so i posted thats all. Anyways i can figure out the tweaks when and if i install proftp on any of my servers. Thx for the answer/

cPanel.net Support Ticket Number:

[elor]

tAzMaNiAc,

Isn't the cpanel tweak enough??

cPanel.net Support Ticket Number:

[anand]

Originally posted by elor
tAzMaNiAc,

Isn't the cpanel tweak enough??

cPanel.net Support Ticket Number:

Thats wat i also said and asked at the first place.

cPanel.net Support Ticket Number: