
I am trying to set up a ProFTPD server (version 1.3.6 on CentOS 8) that works this way:

  • User accesses the server on port 21 and IP or DNS name ftp.xyze.com: use plain FTP
  • User accesses the server on port 21 and DNS name secureftp.xyze.com: use FTPS
  • User accesses the server on port 22: use SFTP

ftp.xyze.com and secureftp.xyze.com resolve to the same IP address.

SFTP works without problems, but I cannot get the TLS part working. If I set `TLSEngine off` in `<Global>` and `TLSEngine on` in the secureftp VirtualHost, only plain FTP works. If I set `TLSEngine on` globally, FTPS works for every VirtualHost. If I set up two separate VirtualHosts on port 21, I receive an IP bind error when proftpd starts up. What am I configuring wrong? Here is my proftpd.conf file:

# proftpd.conf for the FTP / FTPS / SFTP setup described in the question:
# plain FTP and FTPS share port 21 on one IP address (selected by host name),
# SFTP listens on port 22.  Reviewer remarks are marked NOTE(review).
Include /etc/proftpd/modules.conf

ServerName          "xyze server"
# Do not advertise the server version in the greeting banner.
ServerIdent         off
ServerAdmin         root@localhost
# NOTE(review): DefaultServer off means the main (non-VirtualHost) server does
# not answer for addresses it is not explicitly configured for; together with
# DefaultAddress further down this decides which server takes plain-FTP
# connections to ftp.xyze.com -- confirm that is the intent.
DefaultServer           off
UseIPv6             off
# Passive-mode data ports (20 ports).  This range must also be permitted by
# any firewall/NAT in front of the server, or passive transfers will stall.
PassivePorts            40000 40019

DisplayLogin                    /home/ftp/welcome.msg
DisplayChdir                    .message true
ListOptions                     "-l"
DenyFilter                      \*.*/
UseReverseDNS           off
IdentLookups                    off
MaxInstances            150
UseSendfile         off
LogFormat           default "%h %l %u %t \"%r\" %s %b"
LogFormat           auth    "%v [%P] %h %t \"%r\" %s"
# mod_ctrls: control actions are limited to root, but any local user may
# connect to the control socket.
# NOTE(review): confirm "allow user *" on the socket is intended; limiting it
# to the administrative account narrows the local attack surface.
ControlsEngine          on
ControlsACLs            all allow user root
ControlsSocketACL       allow user *
ControlsLog         /var/log/proftpd/controls.log

<IfModule mod_ctrls_admin.c>
  AdminControlsEngine       off
</IfModule>

<IfModule mod_vroot.c>
  VRootEngine           on
</IfModule>

<IfModule mod_ban.c>
Include /etc/proftpd/mod_ban.conf
</IfModule>

<IfModule mod_qos.c>
Include /etc/proftpd/mod_qos.conf
</IfModule>

TransferLog /var/log/proftpd/xferlog
ExtendedLog /var/log/proftpd/extended.log
# NOTE(review): DebugLevel 9 is the most verbose level -- useful while
# diagnosing the TLS problem (compare tls.log and extended.log), but lower it
# once resolved; such logs grow quickly and may retain more detail than wanted.
DebugLevel 9

<Global>

# Chroot every user into their home directory, except members of group adm.
DefaultRoot         ~ !adm

# Authentication is delegated entirely to mod_ldap.
AuthOrder           mod_ldap.c
RequireValidShell       off

<IfModule mod_ldap.c>
  # NOTE(review): LDAPUseTLS is commented out and the URL uses plain ldap://,
  # so user passwords travel to 192.168.1.10 unencrypted during the bind;
  # enable LDAPUseTLS (or an ldaps:// URL) if the directory supports it.
  # LDAPUseTLS on
  LDAPServer ldap://192.168.1.10/??sub
  LDAPUsers ou=enabled,dc=metxyz
</IfModule>

PersistentPasswd        off

# Unprivileged identity the daemon runs as after binding its ports.
User                nobody
Group               nobody

# Umask for new files (002) and for new directories (022).
Umask               002 022

AllowOverwrite      yes
# Every command, including SITE CHMOD, is permitted to every authenticated user.
<Limit ALL SITE_CHMOD>
  AllowAll
</Limit>

# This block is only read when proftpd is started with the TLS define
# (-DTLS).  NOTE(review): if the define is not passed at startup, none of
# the certificate settings below exist and the "TLSEngine on" in the
# secureftps VirtualHost has no certificate to use -- check the daemon's
# startup options before changing anything else.
<IfDefine TLS>
    # Off globally; the secureftps VirtualHost switches it on.
    TLSEngine                     off
    TLSRequired                   off
    TLSRSACertificateFile         /etc/ssl/xyze_certs/xyze_it.crt
    TLSRSACertificateKeyFile      /etc/ssl/xyze_certs/xyze_it.key
    TLSCACertificateFile          /etc/ssl/xyze_certs/xyze_it_CA.crt
    TLSVerifyClient               off
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated; unless a legacy client
    # needs them, prefer "TLSProtocol TLSv1.2" (plus newer versions where the
    # build supports them).
    TLSProtocol                   TLSv1 TLSv1.1 TLSv1.2
    # Cipher selection follows the system-wide crypto policy of CentOS 8.
    TLSCipherSuite                PROFILE=SYSTEM
    TLSRenegotiate                none

    # Data connections are not required to resume the control-channel TLS
    # session.  This relaxes a defence against data-connection hijacking;
    # keep it only if client compatibility requires it.
    TLSOptions                    NoSessionReuseRequired
    TLSLog                        /var/log/proftpd/tls.log
    <IfModule mod_tls_shmcache.c>
      TLSSessionCache             shm:/file=/run/proftpd/sesscache
    </IfModule>
</IfDefine>

</Global>

<IfDefine ANONYMOUS_FTP>
Include /etc/proftpd/anonftp.conf
</IfDefine>

# Address the main server answers on.  NOTE(review): the IP is obviously a
# placeholder (octets above 255).  Per the question both host names resolve to
# this one address, so the VirtualHost below is name-based and can only be
# selected when the client sends a HOST command (RFC 7151); a client that
# does not will land on this server and speak plain FTP, sending its
# credentials in clear text.
DefaultAddress ftp.xyze.com 111.222.333.444

# NOTE(review): the question text calls this host secureftp.xyze.com (without
# the trailing "s"); confirm which name is meant and which one clients use.
<VirtualHost secureftps.xyze.com>
  TLSEngine             on
  # NOTE(review): "TLSREquired" looks like a capitalisation slip for
  # TLSRequired; proftpd matches directive names case-insensitively, so it
  # should still take effect, but normalising it avoids confusion.
  TLSREquired           on
</VirtualHost>

# SFTP on port 22 on every IPv4 address.
# NOTE(review): confirm that sshd is not also bound to port 22 on this host.
<IfModule mod_sftp.c>
 <VirtualHost 0.0.0.0>
  Port 22
  SFTPEngine on
  SFTPLog /var/log/proftpd/sftp.log
  # Per-user public keys, one file per login name.
  SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
  # NOTE(review): InsecureHostKeyPerms disables the permission check on the
  # host key files, presumably because sshd's keys are reused below.  Prefer
  # dedicated (or copied) keys with restrictive permissions and drop this
  # option, so a later loosening of the key files is not silently accepted.
  SFTPOptions InsecureHostKeyPerms
  SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
 </VirtualHost>
</IfModule>

# NOTE(review): files under conf.d are read after everything above and can
# override the TLS settings; check them for TLSEngine/TLSRequired while
# debugging.
Include /etc/proftpd/conf.d/*.conf
J.B.
    Do `ftp.xyze.com` and `secureftps.xyze.com` resolve to different IP addresses? If not, you will be relying on _name-based_ virtual servers, which for FTP requires that the client use the `HOST` command (see [RFC 7151](https://tools.ietf.org/html/rfc7151)). – Castaglia Apr 28 '20 at 14:28
  • Yes, they resolve to the same IP address. I will give a look to `HOST` command then. – J.B. Apr 28 '20 at 15:20
