
FTPS in ProFTPd running in inetd mode

QWeb Ric

Basic Pleskian
Hi,

One of our CentOS servers is running ProFTPd, brought in with Plesk, but the default configuration allows unencrypted connections which is against the PCI-DSS compliance regulations so I need to change it.

Following the documentation I came up with this /etc/proftpd.conf file: http://pastebin.com/uYauBqKx

With this configuration, ftp:// is refused, ftps:// is refused, and ftpes:// is allowed. This is technically perfect as the only connections that are allowed are those which issue an AUTH TLS before attempting to log in and being ftpes, the usual port 21 is used. Unfortunately though, I'm a KDE user and KDE doesn't currently implement an io-slave for ftpes so long story short, this is no good for me.

Back to the drawing board I'm now trying to either get ftps:// working, or ftp:// with UseExplicitSSL. This is where things are getting problematic.

If I add UseImplicitSSL to the mix and/or change the port definition to 990, i.e. http://pastebin.com/WJvLpn9T, then ftps:// is still refused and both ftp:// and ftpes:// when tested in FileZilla hang on "Connection established, waiting for welcome message". If I then add IdentLookups off and UseReverseDNS off, the hangs disappear but I'm instead getting immediate "Connection closed by server" responses.

As far as I can tell, I've opened the correct ports (989 for ftps-data and 990 for ftps, as well as the original 20 for ftp-data, 21 for ftp and 60000-65000 for passive mode). However, being CentOS and Plesk, xinetd is used and ProFTPd is configured to run in inetd mode. If I run a port scan I'm seeing that 21 is listening and 990 is closed, regardless of my .conf settings or what's open in the firewall.

Do I need to somehow tell xinetd to listen on 990 for ftps or ftp with UseImplicitSSL to work? Or am I missing something else entirely?

Thanks.
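An added example (not the poster's configuration and not the files Plesk ships) of the two pieces that have to agree for implicit FTPS under xinetd: in inetd mode the listening socket belongs to xinetd, so the Port directive in proftpd.conf does not open 990 by itself; a second xinetd service on 990 must spawn proftpd with a configuration that treats that port as implicit TLS, while the existing port-21 service keeps explicit AUTH TLS. The file paths, the in.proftpd binary location and the certificate paths are assumptions to adjust to what Plesk installed.

```conf
# /etc/xinetd.d/ftps  (assumed path; added example)
# xinetd listens on 990/tcp ("ftps" in /etc/services) and hands each
# accepted connection to proftpd, which reads the config named in server_args.
service ftps
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.proftpd          # assumed binary path
    server_args = -c /etc/proftpd-ftps.conf     # assumed config path
}

# /etc/proftpd-ftps.conf  (assumed path; added example)
# Separate config for the implicit-TLS listener. User, Group, DefaultRoot,
# PassivePorts and the other non-TLS directives from the port-21 config are
# repeated here (omitted for brevity) so both listeners behave the same.
ServerType      inetd
Port            990          # also makes 989 the active-mode data port
IdentLookups    off
UseReverseDNS   off

<IfModule mod_tls.c>
    TLSEngine                 on
    TLSRequired               on            # no plaintext login on this port
    TLSProtocol               TLSv1.2       # assumes a build that accepts this keyword
    TLSRSACertificateFile     /etc/pki/tls/certs/ftp.pem      # assumed
    TLSRSACertificateKeyFile  /etc/pki/tls/private/ftp.key    # assumed
    TLSOptions                UseImplicitSSL                  # TLS before the banner
</IfModule>
```

Check from a client host that `openssl s_client -connect server:990` starts a TLS handshake before any FTP banner, that `openssl s_client -starttls ftp -connect server:21` negotiates TLS after the banner, and that a plain `ftp` login on 21 is still refused.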