Re: [cobalt-users] ftp security
- Subject: Re: [cobalt-users] ftp security
- From: Goetz Lohmann <goetz.lohmann@xxxxxx>
- Date: Mon Sep 8 15:28:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Jim Dory wrote:
> Goetz Lohmann wrote:
>
>> Ok ... with proftpd you have two common security problems to deal with.
>> 1.) username authentication will use clear text passwords like in
>> telnet :-(
>> 2.) most hacks try to do a buffer overflow in proftpd
>>
>> As to the first, you could prevent this by running proftpd version 1.2.8 or
>> above, which can use SSL/TLS security authentication like SSH. You might
>> easily update it with RPM or compile it on your own. The pretty part of
>> this is that it still works with the cobalt admin interface, because the
>> needed changes to the proftpd.conf are untouched :-)
>>
>
> Thanks much for the replies everybody - this is a big help.
> This sounds like a nice solution - using SSL. I'm not too familiar
> with it... not sure how to enable SSL for just Proftp but I can search
> that out. Assuming this can be self-signed.
It can, just as with apache-ssl.
Search the archives ... I posted a whole proftpd.conf a while ago ...
but here is a short snippet of /etc/proftpd.conf:
ServerName "ProFTPD"
ServerType inetd
DeferWelcome off
DefaultServer on
DefaultRoot / admin
DefaultRoot ~/../.. site-adm
DefaultRoot ~ !site-adm
...
[here are some other options]
...
<Global>
# Security issue about WS-FTP to accept certificates
<IfModule mod_tls.c>
# TLS/SSL Security Engine
TLSEngine on
TLSLog /var/log/auth
# TLSProtocol directive is used to configure
# the SSL/TLS protocol versions (SSLv3,TLSv1,SSLv23)
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
# SSL/TLS only (on), Data Channel (data), Control Channel (ctrl), or No (off)
#TLSRequired off
# Server's certificate
TLSRSACertificateFile /usr/share/ssl/certs/ftpd-rsa.pem
TLSRSACertificateKeyFile /usr/share/ssl/certs/ftpd-rsa-key.pem
TLSDSACertificateFile /usr/share/ssl/certs/ftpd-dsa.pem
TLSDSACertificateKeyFile /usr/share/ssl/certs/ftpd-dsa-key.pem
TLSDHParamFile /usr/share/ssl/certs/ftpd-dhparam.pem
# Certificates to use to authenticate
#TLSCipherSuite ALL:!ADH
# All available ciphers not including ADH key exchange
# ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# All algorithms including ADH and export but excluding patented algorithms
# HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA
# Authenticate clients that want to use FTP over TLS?
#TLSVerifyClient off
# Verification Depth 0=self signed, 1=CA signed , ...
#TLSVerifyDepth 10
# SSL/TLS Options: NoCertRequest StdEnvVars ExportCertData
# AllowDotLogin dNSNameRequired iPAddressRequired
#TLSOptions StdEnvVars ExportCertData AllowDotLogin
</IfModule>
# Report localtime, not GMT
TimesGMT off
ServerIdent on "####### ProFTPd server ready! #######"
DeferWelcome on
# ServerName "ProFTPD"
</Global>
...
<VirtualHost 123.123.123.123>
...
[our virtual host sections which will always be rewritten by a perl script]
...
</VirtualHost>
>> so I guess ... get the proftpd-1.2.8 source tarball ... compile it with a
>> stackguard enabled gcc and change the existing proftpd-1.2.4 (???) to the
>> new one.
>>
>>
> This stackguard enabled gcc is new to me, so will have to do some
> googling. The question I have is how to install it without breaking
> anything. Does it overwrite the gcc that is installed - and if so,
> maybe that is no problem? Thanks again.
There is also a post about this in the past. The fact is that the main part of the
cobalt stuff is meanwhile compiled with a stackguard enabled gcc,
but they lack in giving it to us. Once, a while ago, I got a stackguard
gcc for a RedHat 6.2 system which goes fine with the Cobalt RaQ4. To
prevent freaking my system I kept the original Cobalt gcc RPM. After
successfully compiling I could then switch back.
For a long time both versions existed next to each other and only a symlink in
/usr/bin/gcc points to /usr/sg/lib/gcc-lib or /usr/lib/gcc-lib.
Maybe I should still have the RPM somewhere ...
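Added here as an example, not part of the original post or of proftpd itself: a small Python checker that reads a proftpd.conf snippet like the one above and flags the mod_tls settings this thread is about (TLSEngine, TLSRequired, TLSProtocol, TLSCipherSuite). The sample config is constructed from the posted snippet; note that with TLSRequired left commented out, proftpd's default of "off" still accepts clear-text USER/PASS, which is exactly problem 1.) from the thread.

```python
import re

# Constructed sample: the mod_tls block from the posted proftpd.conf,
# with TLSRequired left commented out exactly as in the message.
SAMPLE_CONF = """\
<Global>
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/auth
TLSProtocol SSLv23
#TLSRequired off
TLSRSACertificateFile /usr/share/ssl/certs/ftpd-rsa.pem
#TLSCipherSuite ALL:!ADH
</IfModule>
</Global>
"""

def parse_directives(text):
    """Return {directive: value} for active (non-comment) lines; last one wins.
    Section tags like <Global> are skipped, so this is a flat view only."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out[parts[0]] = parts[1] if len(parts) > 1 else ""
    return out

def audit_tls(text):
    """Return a list of findings; an empty list means the login path is protected."""
    d = parse_directives(text)
    findings = []
    if d.get("TLSEngine", "off").lower() != "on":
        findings.append("TLSEngine is not on: mod_tls is inactive")
    # proftpd defaults TLSRequired to off, so a commented-out line still
    # means clear-text logins are accepted. 'on' or 'ctrl' protects USER/PASS.
    if d.get("TLSRequired", "off").lower() not in ("on", "ctrl"):
        findings.append("TLSRequired is off/absent: clear-text logins still allowed")
    proto = d.get("TLSProtocol", "SSLv23")
    if re.search(r"SSLv23|SSLv3", proto):
        findings.append("TLSProtocol %s allows SSLv3; restrict to TLSv1" % proto)
    suite = d.get("TLSCipherSuite", "")
    # Anonymous DH gives encryption without server authentication.
    if suite and "!ADH" not in suite:
        findings.append("TLSCipherSuite does not exclude ADH (no server authentication)")
    return findings
```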
> --Cheers, Jim D.
--
Götz Lohmann | D-Mannheim | Web-Developer & Sys-Admin
---------------------------------------------------------
He's the fellow that people wonder what he does and why
the company needs him, until he goes on vacation.