
Pure-FTPd TLS-Auth working (so far)

Discussion in 'General Discussion' started by NgtCrwlr, Dec 25, 2003.

  1. NgtCrwlr

    NgtCrwlr Registered

    Joined:
    Nov 26, 2003
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Florida
    This post is just a quick heads up for those that are looking for a secure FTP solution other than ProFTP. More testing is needed to say that this will work for everyone. If you have a test box and feel froggy this might make your day, it sure made mine.

    WHM 8.5.1 cPanel 8.5.3-S3
    RedHat - 2.4.20-24.9 WHM X v2.1.1

    I managed to upgrade Pure-FTPd to the latest RPM that includes TLS support, I used the i686 RPM from here:

    http://mirrors.sunsite.dk/pure-ftpd/snapshots/VERSION%201.0.17%20HAS%20BEEN%20RELEASED/binaries/redhat/

    I know the following is a bit confusing... I'm trying to pull too much from memory here. If it doesn't make sense I suggest you wait for a formal how-to.

    service pure-ftpd stop

    Edit the new config files installed by the updated RPM:
    e.g. pure-ftpd.conf.rpmnew

    Add the following line to /etc/sysconfig/pure-ftpd

    --with-tls

    Un-comment the last line of /etc/pure-ftpd.conf

    TLS 1


    PureFTP's instructions on how to create a self-signed certificate:

    http://www.pureftpd.org/README.TLS

    mkdir -p /etc/ssl/private

    openssl req -x509 -nodes -newkey rsa:1024 -keyout \
    /etc/ssl/private/pure-ftpd.pem \
    -out /etc/ssl/private/pure-ftpd.pem

    chmod 600 /etc/ssl/private/*.pem


    service pure-ftpd start

    For all this to work you must use an SSL/TLS capable FTP client. The latest SmartFTP worked excellently.

    http://www.smartftp.com/download/


    This had me smiling big time:

    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-Your FTP server wishes you a merry Xmas!
    220-You are user number 1 of 50 allowed.
    220-Local time is now 03:49. Server port: 21.
    220 You will be disconnected after 15 minutes of inactivity.
    AUTH TLS
    234 AUTH TLS OK.
    Connected. Exchanging encryption keys...
    Session Cipher: 128 bit RC4
    SSL encrypted session established.
    PBSZ 0
    200 PBSZ=0
    USER #######
    331 User ####### OK. Password required
    PASS (hidden)

    This was tested on three JAILSHELLED IP based sites, and it seems to be working great... so far. ;-) I could FTP to all three sites using TLS-Auth using the server IP OR each site's independent IP.

    Keep in mind the end result of all this is AUTH encryption only, not AUTH/DATA. I believe this version of PureFTPd cannot support TLS DATA encryption?

    I have yet to test firewall rules and I'm not sure if cPanel auto update is going to be a thorn.

    Well there you have it, I am praying that this turns out to be a working solution for a glaring pain-in-the-neck security issue.

    Cheers!

    -Larry "NgtCrwlr" Mingus
     
    #1 NgtCrwlr, Dec 25, 2003
    Last edited: Dec 25, 2003
  2. Eric Martello

    Eric Martello Member

    Joined:
    Dec 30, 2003
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    151
    Works great. Here's a bonus from me. :)

    You can take this a step further and give full SSL/TLS functionality to ANY FTP client using an SSL/TLS wrapper:

    Grab the SSL/TLS Wrapper here. For windows users, pick up the Cygwin DLLs as well:

    http://tlswrap.sunsite.dk/

    Set up the wrapper

    - These steps assume you will be using Windows.

    - Unzip the archive to a directory, along with the DLLs.

    - Create a shortcut for the .exe file.

    - Edit the shortcut properties and add:

    -l 21

    - This will tell the TLS/SSL wrapper to listen on port 21. That is a lowercase L, btw, not an I.

    - Run the wrapper, and you're all set to connect to your FTP server using SSL/TLS.

    How to set up your client.

    - For the FTP host, where you normally enter ftp.host.com, enter localhost.

    - For the username, use the following format:

    #username@ftp.yourhost.com

    - The # sign is optional. Adding it will speed up logon by not encrypting the data channel.

    - Enter your password normally.

    - Connect and enjoy your SSL secured FTP.

    This method is great for people like me who use Dreamweaver and do not want to use a dedicated FTP client which supports SSL natively. This works much better than SSH tunneling.
     
    #2 Eric Martello, Jan 4, 2004
    Last edited: Jan 4, 2004
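    The first post notes that the session it shows only protects the login (AUTH TLS) and not the data channel, and the second post's `#user@host` form with tlswrap deliberately leaves the data channel unencrypted as well. The quickest way to tell the two cases apart from a client log is to look for a successful `PROT P` after `AUTH TLS`. The following audit script is an added example (not code from either poster, cPanel, or Pure-FTPd): it walks an FTP control-channel transcript like the one quoted above and reports whether TLS was negotiated before USER/PASS and whether `PROT P` was accepted. The sample transcripts below are constructed for the example; the first one reproduces the exchange from the first post, and the server's reply text for `PROT P` is an assumed placeholder.

```python
"""Audit an FTP control-channel transcript for TLS coverage (added example)."""
import re

# Server replies start with a three-digit code followed by a space (final line)
# or a hyphen (continuation line). Client commands are an upper-case verb.
REPLY_RE = re.compile(r'^(\d{3})[ -]')
COMMAND_RE = re.compile(r'^([A-Z]{3,4})(?:\s+(.*))?$')
# Only these commands affect the audit; client-side chatter such as
# "Session Cipher: 128 bit RC4" is ignored.
TRACKED = {'AUTH', 'PBSZ', 'PROT', 'USER', 'PASS', 'CCC'}

# Constructed transcript reproducing the exchange quoted in the first post.
POST_SESSION = """\
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-Your FTP server wishes you a merry Xmas!
220-You are user number 1 of 50 allowed.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Connected. Exchanging encryption keys...
Session Cipher: 128 bit RC4
SSL encrypted session established.
PBSZ 0
200 PBSZ=0
USER #######
331 User ####### OK. Password required
PASS (hidden)
"""

# Constructed: the same login but with the data channel protected as well.
DATA_PROTECTED_SESSION = """\
220 Welcome to Pure-FTPd [privsep] [TLS]
AUTH TLS
234 AUTH TLS OK.
PBSZ 0
200 PBSZ=0
PROT P
200 Data protection level set to "private"
USER example
331 User example OK. Password required
PASS (hidden)
230 OK. Current directory is /
"""

# Constructed: a plain FTP login with no TLS at all.
PLAIN_SESSION = """\
220 Welcome to Pure-FTPd [privsep]
USER example
331 User example OK. Password required
PASS (hidden)
230 OK. Current directory is /
"""


def audit_ftp_session(transcript):
    """Return what the transcript shows about control/data channel protection."""
    state = {'control_tls': False, 'data_tls': False,
             'prot_level': None, 'credentials_in_clear': False}
    pending = None  # last tracked command still waiting for its final reply
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        reply = REPLY_RE.match(line)
        if reply:
            code = reply.group(1)
            if pending == 'AUTH' and code == '234':
                state['control_tls'] = True          # RFC 2228: 234 = AUTH accepted
            elif pending and pending.startswith('PROT ') and code == '200':
                state['prot_level'] = pending[5:]
                state['data_tls'] = state['prot_level'] == 'P'
            elif pending == 'CCC' and code == '200':
                state['control_tls'] = False         # CCC clears the control channel
            if not code.startswith('1'):             # 1xx replies are preliminary
                pending = None
            continue
        cmd = COMMAND_RE.match(line)
        if not cmd or cmd.group(1) not in TRACKED:
            continue
        verb, arg = cmd.group(1), (cmd.group(2) or '').strip().upper()
        if verb == 'AUTH':
            pending = 'AUTH' if arg in ('TLS', 'SSL', 'TLS-C', 'TLS-P') else None
        elif verb == 'PROT':
            pending = 'PROT ' + arg[:1]
        else:
            if verb in ('USER', 'PASS') and not state['control_tls']:
                state['credentials_in_clear'] = True
            pending = verb
    return state


def summarize(state):
    """One-line verdict suitable for a log or a monitoring check."""
    parts = ['control channel: %s' % ('TLS' if state['control_tls'] else 'clear'),
             'data channel: %s' % ('TLS (PROT P)' if state['data_tls'] else 'clear')]
    if state['credentials_in_clear']:
        parts.append('WARNING: USER/PASS sent before TLS was negotiated')
    return '; '.join(parts)


if __name__ == '__main__':
    for name, session in (('post', POST_SESSION),
                          ('data-protected', DATA_PROTECTED_SESSION),
                          ('plain', PLAIN_SESSION)):
        print('%-15s %s' % (name, summarize(audit_ftp_session(session))))
```

    Run against the first post's exchange this reports "control channel: TLS; data channel: clear", which is exactly the AUTH-only situation the poster describes; the tlswrap `#` prefix produces the same pattern on the wire, since the wrapper never sends `PROT P`.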
  3. mjost

    mjost Member

    Joined:
    Mar 7, 2003
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Europe
    The problem with this is that virtual ftp users don't work anymore..

    Waiting on darkorb to update their pure-ftpd and why not work on bandwidth monitoring.......
     
  4. azdanb

    azdanb Member

    Joined:
    Jul 15, 2003
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    I got it working with virtual sites :)

    Ok, here is what I did:

    first su -

    wget the newest TLS enabled RPM from pureftp.org

    ftp://ftp.pureftpd.org/pub/pure-ftpd/releases/binaries/redhat/

    The one I used was:
    ftp://ftp.pureftpd.org/pub/pure-ftpd/releases/binaries/redhat/pure-ftpd-1.0.18-1.tls.i686.rpm

    once it's on the server:
    rpm -Uvh the rpm

    That should install the binaries to /usr/local/sbin/

    Make a directory in your home dir... for instance:
    mkdir /home/admin/pure

    Then copy all the pure binaries over:
    cp /usr/local/sbin/pure* /home/admin/pure/

    Go to WHM and have it install pure ftp, you may have to have it install proftp first and then switch back to pureftp

    Once you are done with that:
    whereis pure-ftpd

    It should list off the following:
    pure-ftpd: /usr/sbin/pure-ftpd /etc/pure-ftpd /etc/pure-ftpd.conf /usr/man/man8/pure-ftpd.8.gz

    Now we have our target...
    /sbin/service pure-ftpd stop

    cd /usr/sbin
    mkdir purebak
    cp pure* /usr/sbin/purebak
    cp /home/admin/pure/pure* /usr/sbin/

    It may ask you to confirm the file overwrites, hit y for all of them

    Now, go to /etc/init.d
    pico -w pure-ftpd

    scroll down a bit and find the following:

    Code:
    start() {
            echo -n "Starting $prog: "
            daemon $fullpath -O clf:/var/log/xferlog -lextauth:/var/run/ftpd.sock $OPTIONS --daemonize
    
    Now at the end of the last line, hit the space bar ONCE and add --tls=1

    ctrl-x and save

    If you haven't done so already, follow the instructions in the first post on how to make a certificate.

    /sbin/service pure-ftpd restart

    everything should go ok....

    open up your favorite SSL enabled FTP client and give it a go.
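    Two things in this procedure are easy to get wrong by hand: the `--tls=1` option gets added twice if the script is edited again after an update, and the certificate the first post creates has to be readable only by root for the daemon to be safe to start. The script below is an added example (not code from the poster, cPanel or Pure-FTPd) that does both steps idempotently: it appends or replaces `--tls=<level>` on the `daemon $fullpath` line quoted above, and it checks that `/etc/ssl/private/pure-ftpd.pem` exists, holds both a private key and a certificate, and is mode 0600. The init-script text is constructed from the lines quoted in the post; the levels 0 (off), 1 (accept both plaintext and TLS) and 2 (refuse plaintext) are the ones Pure-FTPd's `--tls` option documents.

```python
"""Idempotent --tls edit for the pure-ftpd init script plus a certificate check.

Added example, not from the thread. Assumes the init script contains a line
beginning with "daemon $fullpath", as quoted in the post above.
"""
import os
import re
import stat
import tempfile

# Constructed from the start() function quoted in the post.
SAMPLE_INIT = """\
#!/bin/sh
start() {
        echo -n "Starting $prog: "
        daemon $fullpath -O clf:/var/log/xferlog -lextauth:/var/run/ftpd.sock $OPTIONS --daemonize
}
"""

DAEMON_LINE_RE = re.compile(r'^[ \t]*daemon[ \t]+\$fullpath\b.*$', re.MULTILINE)
TLS_OPT_RE = re.compile(r'[ \t]+--tls=(\d)\b')


def _daemon_line(script):
    m = DAEMON_LINE_RE.search(script)
    if m is None:
        raise ValueError('init script has no "daemon $fullpath" line')
    return m


def tls_level(script):
    """Return the --tls level currently on the daemon line, or None if absent."""
    opt = TLS_OPT_RE.search(_daemon_line(script).group(0))
    return int(opt.group(1)) if opt else None


def set_tls_level(script, level=1):
    """Return the script with --tls=<level> set exactly once on the daemon line."""
    if level not in (0, 1, 2):
        raise ValueError('level must be 0 (off), 1 (optional TLS) or 2 (TLS required)')
    m = _daemon_line(script)
    line = m.group(0)
    if TLS_OPT_RE.search(line):
        new_line = TLS_OPT_RE.sub(' --tls=%d' % level, line, count=1)
    else:
        new_line = line.rstrip() + ' --tls=%d' % level
    return script[:m.start()] + new_line + script[m.end():]


def check_certificate(path='/etc/ssl/private/pure-ftpd.pem'):
    """Return a list of problems with the combined key+cert file (empty = OK)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ['missing: %s' % path]
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append('%s is accessible by group/other; expected mode 0600' % path)
    with open(path, 'rb') as fh:
        body = fh.read()
    if b'PRIVATE KEY-----' not in body:
        problems.append('no private key block in %s' % path)
    if b'BEGIN CERTIFICATE-----' not in body:
        problems.append('no certificate block in %s' % path)
    return problems


def selfcheck_certificate():
    """Exercise check_certificate on a constructed PEM; returns (ok, bad) results."""
    pem = (b'-----BEGIN RSA PRIVATE KEY-----\nMIIB...constructed...\n-----END RSA PRIVATE KEY-----\n'
           b'-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n')
    fd, path = tempfile.mkstemp(suffix='.pem')
    try:
        os.write(fd, pem)
        os.close(fd)
        os.chmod(path, 0o600)
        ok = check_certificate(path)          # expected: []
        os.chmod(path, 0o644)
        bad = check_certificate(path)         # expected: one mode complaint
    finally:
        os.unlink(path)
    return ok, bad


if __name__ == '__main__':
    print(set_tls_level(SAMPLE_INIT))
    print('certificate self-check:', selfcheck_certificate())
    print('live certificate:', check_certificate() or 'OK')
```

    On a real box you would read `/etc/init.d/pure-ftpd`, pass it through `set_tls_level`, write it back, and refuse to restart the service while `check_certificate()` returns anything.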
     