bambusoft / sentora-paranoid

This is a script for those who are very concerned about sentora project security (sentora.org) and want to enable basic security for sentora operational environment
http://sentora-paranoid.open-source.tk
GNU General Public License v3.0

ProFTP sftp not working #4

Closed KaidenP closed 9 years ago

KaidenP commented 9 years ago

Proftp complains about a 'segmentation fault' when the following lines are uncommented

#<IfModule mod_sftp.c>
#  <VirtualHost %%LOCAL_IP%%>
#               TLSRequired off
#               ServerName "<fqdn> sFTP Server"
#               SFTPEngine on
#               Port 115
#               SFTPLog /var/sentora/logs/proftpd/sftp.log
#
#               # Configure both the RSA and DSA host keys, using the same host key
#               # files that OpenSSH uses.
#               SFTPHostKey /etc/ssh/ssh_host_rsa_key
#               SFTPHostKey /etc/ssh/ssh_host_dsa_key
#
#               #SFTPAuthMethods publickey
#               #SFTPAuthorizedUserKeys file:/etc/sentora/configs/proftpd/authorized_keys/%u
#               SFTPAuthMethods password
#               # Enable compression
#               SFTPCompression delayed
#  </VirtualHost>
#</IfModule>

After the comment everything works fine.

bambusoft commented 9 years ago

It looks like %%LOCAL_IP%% was not changed to the actual IP. Did you run the script twice, ignoring the warnings? Can you post the sentora and sentora-paranoid log files?

KaidenP commented 9 years ago

This time it was only run once. I do have two IPs on my server, however, so that might have caused a problem.

Is this SSH FTP or Simple FTP?

bambusoft commented 9 years ago

The script tries to set up both FTP and sFTP; the problem you described in the configuration is for the sFTP module.

KaidenP commented 9 years ago

What I meant is: is it for SFTP (SSH File Transfer Protocol) or SFTP (Simple File Transfer Protocol)?

bambusoft commented 9 years ago

SSH File Transfer Protocol

bambusoft commented 9 years ago

I changed the script to take the first IP in the local_ip variable, but my tests show me that in the case of more than one IP, local_ip is taking both IPs and the FTP config file must have both IPs and not the replacement tag, so I think there must be another condition causing this. (Also, I added a validate replacement function to inform the user about replacement strings not changed for some reason.)
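
The first-IP selection and the replacement-tag validation described in the comment above can be sketched as follows. This is an added example, not code from the thread or from the sentora-paranoid script; the function names `first_ip`, `render_template` and `unreplaced_tags`, the template fragment and the documentation-range addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the sentora-paranoid implementation.

# Print the first address of a whitespace-separated list (multi-homed host).
first_ip() {
    printf '%s\n' "$1" | awk 'NF { print $1; exit }'
}

# render_template <template> <output> <address>
# Replace %%LOCAL_IP%% only if <address> is a single IPv4/IPv6 literal, so a
# list such as "ip1 ip2" or a stray sed metacharacter never reaches the config.
render_template() {
    case $3 in
        ''|*[!0-9A-Fa-f.:]*)
            echo "refusing to render: bad address '$3'" >&2
            return 1 ;;
    esac
    sed "s/%%LOCAL_IP%%/$3/g" "$1" > "$2"
}

# Print "line:tag" for every leftover %%TAG%%; return 1 if any remain.
unreplaced_tags() {
    if grep -n -o '%%[A-Z0-9_]*%%' "$1"; then
        return 1
    fi
    return 0
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed template fragment modelled on the block quoted in the issue.
    cat > "$tmp/proftpd.tpl" <<'EOF'
<IfModule mod_sftp.c>
  <VirtualHost %%LOCAL_IP%%>
    SFTPEngine on
    Port 115
  </VirtualHost>
</IfModule>
EOF
    ip=$(first_ip "192.0.2.10 198.51.100.7")   # constructed addresses
    render_template "$tmp/proftpd.tpl" "$tmp/proftpd.conf" "$ip" &&
        unreplaced_tags "$tmp/proftpd.conf" &&
        echo "rendered for $ip, no replacement tags left"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo
```

Running ProFTPD's own configuration test (`proftpd -t`) on the rendered file before restarting the daemon is a natural follow-up to the tag check.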

KaidenP commented 9 years ago

A possible idea would be to test if there are multiple IPs, and then ask the user if they want to enable it.

Or, have it create a VirtualHost for each IP detected, although I do not know if that will work. I will not pretend to be a proFTP guru.

Honestly, in my case at least, I will never use the SFTP used in proFTP. FTPS is good enough for me. I wouldn't have even known it was possible if I didn't have a problem with it. I only use SFTP when doing remote administration, with large files.

bambusoft commented 9 years ago

Sounds like a good idea: detect how many IPs there are and ask which ones to configure. Let me dig into the proFTPd documentation and put it in the things to do for the next version. Thank you.

bambusoft commented 9 years ago

In my case, I have two different clients that want to transfer sensitive data via a secure FTP channel.

KaidenP commented 9 years ago

Is ftps not secure?

bambusoft commented 9 years ago

Yes it is, but the mod_sftp module implements the SSH2 protocol and its own SFTP subsystem for secure file transfers over an SSH2 connection... and SFTP is much easier to port through firewalls. (In my case it was a client requirement and not by FTPS itself.)