#1
    Contributing User, Devshed Newbie (0 - 499 posts); joined Nov 2001; 212 posts

    Need Help Getting ProFTPd Started with XINETD


    I just installed proftpd server to replace wuftpd because I want to make sure my server is more secure. I was able to get it started yesterday and connected, but now for some reason I can't get it to start. I have it set up to start through XINETD but for some reason it never does. Can somebody look through my settings and let me know if you can find why it isn't working?

    Note: I'm not sure if this is why it isn't working but I do not have any files under /etc/xinetd.d named proftpd. If this could be the problem, how do I get it to show up? I used the default ./configure when installing proftpd.

    File: /etc/xinetd.conf

    Code:
    # Simple configuration file for xinetd
    #
    # Some defaults, and include /etc/xinetd.d/
    
    defaults
    {
            instances               = 25
            log_type                = FILE /var/log/servicelog
            log_on_success          = HOST PID
            log_on_failure          = HOST RECORD
            cps                     = 25 30
    }
    
    service ftp
    {
            disable                 = no
            flags                   = REUSE
            socket_type             = stream
            wait                    = no
            user                    = root
            server                  = /usr/local/sbin/in.proftpd
            log_on_success          += DURATION USERID
            log_on_failure          += USERID
            nice                    = 10
            bind                    = MYISPSIPADDRESS
    }
    
    service ssh
    {
            flags       = REUSE
            protocol    = tcp
            socket_type = stream
            wait        = no
            user        = root
            server      = /usr/local/sbin/sshd
            # sshd must be told it was started from (x)inetd; without -i it
            # tries to bind port 22 itself instead of using the socket
            # xinetd hands it, and exits.
            server_args = -i
    }

    File: /usr/local/etc/proftpd.conf

    Code:
    # This is a basic ProFTPD configuration file (rename it to
    # 'proftpd.conf' for actual use.  It establishes a single server
    # and a single anonymous login.  It assumes that you have a user/group
    # "nobody" and "ftp" for normal operation and anon.
    
    ServerName                      "mydomain.com"
    ServerType                      inetd
    DefaultServer                   on
    
    # Port 21 is the standard FTP port.
    Port                            21
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask                           022
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances                    30
    
    # Set the user and group that the server normally runs at.
    User                            nobody
    Group                           nobody
    
    # Normally, we want files to be overwriteable.
    <Directory /usr/local/private>
      AllowOverwrite                on
    </Directory>
    
    # A basic anonymous configuration, no upload directories.
    <Anonymous ~ftp>
      User                          ftp
      Group                         ftp
      # We want clients to be able to login with "anonymous" as well as "ftp"
      UserAlias                     anonymous ftp
    
      # Limit the maximum number of anonymous logins
      MaxClients                    25
    
      # We want 'welcome.msg' displayed at login, and '.message' displayed
      # in each newly chdired directory.
      DisplayLogin                  welcome.msg
      DisplayFirstChdir             .message
    
      # Limit WRITE everywhere in the anonymous chroot
      <Limit WRITE>
        DenyAll
      </Limit>
    
    </Anonymous>
    AllowRetrieveRestart on
    AllowStoreRestart on
    DefaultTransferMode ascii
    IdentLookups off
    MaxClients 5
    ShowSymlinks on
    ShowDotFiles on
    AllowOverwrite on
    RootLogin off
    TimeoutLogin 0
    TimeoutNoTransfer 0
    TimeoutStalled 0
    UseReverseDNS off

    Files in.proftpd and proftpd are located in the /usr/sbin directory.

    I've tried restarting xinetd with /etc/rc.d/init.d/xinetd restart and it comes up with this error:

    /etc/rc.d/init.d/xinetd: config:: command not found

    Here's what comes up when I run netstat -at so I know the FTP server is not running:

    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 *:mysql                 *:*                     LISTEN      
    tcp        0      0 *:pop3                  *:*                     LISTEN      
    tcp        0      0 *:10000               *:*                     LISTEN      
    tcp        0      0 *:http                  *:*                     LISTEN      
    tcp        0      0 *:ssh                   *:*                     LISTEN      
    tcp        0      0 *:smtp                  *:*                     LISTEN

    Any ideas?


    John Saunders
#2
    Contributing User, Devshed God 1st Plane (5500 - 5999 posts); joined Oct 2000; location: Back in the real world.; 5,966 posts
    user = root
    server = /usr/local/sbin/in.proftpd

    ...

    Files in.proftpd and proftpd are located in the /usr/sbin directory
    first mistake: if you want security, don't run the service as root
    second mistake: look at the two paths again... they should match, no?

    don't know if this solves the ::config problem, but give it a try!
#3
    Contributing User, Devshed Newbie (0 - 499 posts); joined Nov 2001; 212 posts
    Hello M.Hirsch:

    Thanks for your reply. I was able to get the config :: problem fixed by re-commenting the lines at the top of the xinetd.conf file. Regarding your security suggestion, should I just create separate users like sshd and ftp and run these services using those instead of root?

    I just double checked and my sshd and proftpd files are in /usr/local/sbin, nothing with those names are under /usr/sbin. I believe I had specified in the ./configure when installing those was to install them under /usr/local/sbin instead of the default.

    I think the reason I couldn't get it started was because I had SSHD starting in a separate boot command. I disabled it so it could only start through XINETD and when I restarted, I could connect via FTP but not SSHD. Now the SSHD server doesn't appear to be starting because I can't connect using SecureFTP.

    Do you think SSHD wasn't compiled with the --enable=tcp-wrappers option? If so, how can I check this?

    Here is what I have in the /etc/xinetd.conf file now:

    Code:
    #
    # Simple configuration file for xinetd
    #
    # Some defaults, and include /etc/xinetd.d/
    
    defaults
    {
            instances               = 25
            log_type                = FILE /var/log/servicelog
            log_on_success          = HOST PID
            log_on_failure          = HOST RECORD
            cps                     = 25 30
    }
    
    service ftp
    {
            protocol                = tcp
            socket_type             = stream
            wait                    = no
            user                    = root
            server                  = /usr/local/sbin/proftpd
            log_on_success          += HOST PID
    }
    
    service ssh
    {
            flags                   = REUSE
            protocol                = tcp
            socket_type             = stream
            wait                    = no
            user                    = root
            server                  = /usr/local/sbin/sshd
            # sshd must be told it was started from (x)inetd; without -i it
            # tries to bind port 22 itself instead of using the socket
            # xinetd hands it, and exits.
            server_args             = -i
    }

    This is what is in etc/ssh/sshd_conf:

    Code:
    #	$OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
    
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.
    
    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 3600
    #ServerKeyBits 768
    
    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 600
    #PermitRootLogin yes
    #StrictModes yes
    
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile	.ssh/authorized_keys
    
    # rhosts authentication should not be used
    #RhostsAuthentication no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    
    #AFSTokenPassing no
    
    # Kerberos TGT Passing only works with the AFS kaserver
    #KerberosTgtPassing no
    
    # Set this to 'yes' to enable PAM keyboard-interactive authentication 
    # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
    #PAMAuthenticationViaKbdInt yes
    
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #KeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #Compression yes
    
    #MaxStartups 10
    # no default banner path
    #Banner /some/path
    #VerifyReverseMapping no
    
    # override default of no subsystems
    Subsystem	sftp	/usr/local/libexec/sftp-server
    # Explicit settings below override the commented defaults above.
    IgnoreRhosts yes
    # rhosts and rhosts-RSA trust are based on the client's host name/IP;
    # the comments above say both should stay at "no".
    RhostsRSAAuthentication yes
    RhostsAuthentication yes
    IgnoreUserKnownHosts no
    PrintMotd yes
    StrictModes yes
    RSAAuthentication yes
    # direct root logins over SSH; "no" plus su/sudo is the usual hardening
    PermitRootLogin yes
    PermitEmptyPasswords no
    PasswordAuthentication yes
    #CheckMail no

    Do you see anything that is causing SSHD to not start?


    John
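    The #3 post asks two things: whether this sshd was built with tcp-wrappers, and why sshd will not start from xinetd. The script below is an added example, not code from the thread or from OpenSSH. sshd_has_libwrap answers the first the way a practitioner would, by checking whether the sshd binary is dynamically linked against libwrap (a statically linked build would not show up, which the function cannot tell apart from "no"). The rest reads an sshd_config the way sshd does, first uncommented keyword wins, falling back to the "#Keyword value" lines the stock file ships as documentation of its defaults (the convention its own header comment describes), and reports the settings in the posted file that weaken the server. The sample config is a constructed excerpt of the posted one; the binary path /usr/local/sbin/sshd is taken from the poster's xinetd.conf. tcp-wrappers has no bearing on whether sshd starts from xinetd; that is the -i flag (server_args = -i), and sshd -t syntax-checks the configuration before a restart.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: answer "was sshd built
# with tcp-wrappers?" and audit an sshd_config for weak settings.
# The sample config written below is a constructed excerpt of the posted one.

# Was this sshd built with tcp-wrappers? A wrapped OpenSSH links against
# libwrap, so a dynamic build shows it in ldd output. Returns 0 = yes,
# 1 = no (or statically linked, which this cannot distinguish), 2 = cannot tell.
sshd_has_libwrap() {
    [ -x "$1" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$1" 2>/dev/null | grep -q libwrap
}

# Effective value of one sshd_config keyword. sshd uses the first uncommented
# occurrence; if there is none, fall back to the "#Keyword value" line the
# stock file ships as documentation of the default (its own convention).
# Keywords are case-insensitive. Prints nothing if the keyword is absent.
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            commented = 0
            if (line ~ /^#[A-Za-z]/)            { commented = 1; sub(/^#/, "", line) }
            else if (line ~ /^#/ || line == "") { next }
            n = split(line, f, /[ \t=]+/)
            if (n < 2 || tolower(f[1]) != want) next
            val = f[2]; for (i = 3; i <= n; i++) val = val " " f[i]
            if (!commented) { print val; found = 1; exit }
            if (def == "") def = val
        }
        END { if (!found && def != "") print def }
    ' "$2"
}

# One audit rule: report when the effective value matches a glob pattern.
# $1 keyword, $2 pattern (matched against the lowercased value), $3 reason.
sshd_check_one() {
    v=$(sshd_effective "$1" "$SSHD_AUDIT_CFG" | tr 'A-Z' 'a-z')
    case "$v" in
        $2) echo "$1 = $v: $3"; SSHD_AUDIT_FINDINGS=$((SSHD_AUDIT_FINDINGS + 1)) ;;
    esac
}

# Audit the settings the posted file turns on. Returns 1 if anything was reported.
sshd_audit() {
    SSHD_AUDIT_CFG=$1
    SSHD_AUDIT_FINDINGS=0
    sshd_check_one PermitRootLogin         yes   "root logs in directly; set no and use su/sudo from a normal account"
    sshd_check_one Protocol                '*1*' "SSH protocol 1 is enabled; set Protocol 2"
    sshd_check_one RhostsAuthentication    yes   "trust by client host name/IP, spoofable; set no"
    sshd_check_one RhostsRSAAuthentication yes   "host based trust for protocol 1; set no"
    sshd_check_one PermitEmptyPasswords    yes   "empty passwords accepted; set no"
    sshd_check_one PasswordAuthentication  yes   "passwords accepted; prefer keys and set no once they are deployed"
    [ "$SSHD_AUDIT_FINDINGS" -eq 0 ]
}

SSHD_TMP=$(mktemp -d)
trap 'rm -rf "$SSHD_TMP"' EXIT
SSHD_SAMPLE="$SSHD_TMP/sshd_config"
# Constructed excerpt of the posted sshd_config: stock commented defaults
# first, the poster's explicit overrides after them.
cat > "$SSHD_SAMPLE" <<'EOF'
#	$OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
# This is the sshd server system-wide configuration file.
#Port 22
#Protocol 2,1
#PermitRootLogin yes
#RhostsAuthentication no
#RhostsRSAAuthentication no
#PasswordAuthentication yes
#PermitEmptyPasswords no
#UsePrivilegeSeparation yes

# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-server
IgnoreRhosts yes
RhostsRSAAuthentication yes
RhostsAuthentication yes
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
EOF

echo "Protocol in effect: $(sshd_effective Protocol "$SSHD_SAMPLE")"
if sshd_audit "$SSHD_SAMPLE"; then echo "no findings"; fi
if sshd_has_libwrap /usr/local/sbin/sshd; then echo "sshd is linked with libwrap"; fi
```

    On the poster's file the audit reports five items: PermitRootLogin, both rhosts variants and PasswordAuthentication are explicitly "yes", and Protocol stays at the commented default "2,1", so protocol 1 is still offered.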
#4
    Contributing User, Devshed God 1st Plane (5500 - 5999 posts); joined Oct 2000; location: Back in the real world.; 5,966 posts
    to the separate user question: yes, if it is not already there, create a user "ftpd" and group "ftpd". don't use "ftp"! it is the user for anonymous ftp.

    the rest: uh, sorry, no.
    works standalone but not in xinetd? i can't tell how to find out the ./configure options either

    your "netstat -at", with the new config?
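
    The two points raised in #2 (a server path that does not match where ./configure put the binary, and user = root) and the account question answered in #4 can all be checked before restarting xinetd, as can the uncommented banner lines the #3 post says caused the "config::" error. The script below is an added example, not code from the thread or from xinetd: it parses a constructed xinetd.conf following xinetd's own grammar (stanzas in braces, "key = value" and "key += value" attributes), flags non-comment lines outside any stanza, and checks each service's server path and user. The temporary directory, the config text and the fake daemons in it are constructed for the example. One caveat on the root point: sshd and proftpd have to start as root (host keys, chroot, switching to the uid of the user who logs in; proftpd drops to its User/Group between logins), so for those two the check only reports the setting; the dedicated ftpd account from #4 is for a daemon that does not need to change uid and is not a replacement for proftpd's own User/Group directives.

```shell
#!/bin/sh
# Added example, not from the thread or from xinetd: audit xinetd.conf for
# the problems raised in #2 and #4. The config and the fake daemons under
# $XI_TMP are constructed here so the script runs anywhere.

# Report non-comment lines outside any { ... } block that are not a
# "defaults", "service NAME", "include" or "includedir" header, e.g. a banner
# line someone uncommented. Exit status 1 if any were found.
xinetd_stray_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        depth == 0 && line !~ /^(defaults|service[ \t]+[^ \t]+|include(dir)?[ \t]+.+|[{]|[}])$/ {
            print FILENAME ":" NR ": stray line outside a block: " line
            bad = 1
        }
        index(line, "{") { depth++ }
        index(line, "}") { depth-- }
        END { exit bad + 0 }
    ' "$1"
}

# Print "key value..." for each attribute of one service stanza; handles both
# "key = value" and "key += value". $1 = config file, $2 = service name.
xinetd_service_attrs() {
    awk -v svc="$2" '
        $1 == "service" && $2 == svc { in_svc = 1; next }
        in_svc && $1 == "}"          { in_svc = 0; next }
        in_svc && NF && $1 != "{" && $1 !~ /^#/ {
            key = $1
            sub(/^[^=]*=[ \t]*/, "")
            print key, $0
        }
    ' "$1"
}

# Check one service: the server path must be an executable file (a different
# --prefix at build time is the usual reason it is not), and user = root is
# reported so the reader can decide whether the daemon really needs it.
# Returns 1 on a hard error (missing or non-executable server).
xinetd_check_service() {
    cfg=$1; svc=$2; rc=0
    attrs=$(xinetd_service_attrs "$cfg" "$svc")
    server=$(printf '%s\n' "$attrs" | awk '$1 == "server" { print $2 }')
    user=$(printf '%s\n' "$attrs" | awk '$1 == "user" { print $2 }')
    if [ -z "$server" ]; then
        echo "$svc: no server = line"; rc=1
    elif [ ! -x "$server" ]; then
        echo "$svc: server '$server' is missing or not executable"; rc=1
    fi
    if [ "$user" = root ]; then
        echo "$svc: user = root (needed for sshd/proftpd, which switch uid themselves; otherwise use a dedicated account)"
    fi
    return $rc
}

XI_TMP=$(mktemp -d)
trap 'rm -rf "$XI_TMP"' EXIT
mkdir -p "$XI_TMP/usr/local/sbin"
for d in proftpd sshd; do           # fake daemons where ./configure put them
    printf '#!/bin/sh\nexit 0\n' > "$XI_TMP/usr/local/sbin/$d"
    chmod 755 "$XI_TMP/usr/local/sbin/$d"
done
XI_CFG="$XI_TMP/xinetd.conf"
# Constructed config: the banner line is uncommented, and the ftp stanza still
# points at /usr/sbin while the binary lives in /usr/local/sbin.
cat > "$XI_CFG" <<EOF
Simple configuration file for xinetd
# Some defaults, and include /etc/xinetd.d/
defaults
{
        instances       = 25
        log_type        = FILE /var/log/servicelog
}

service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = $XI_TMP/usr/sbin/in.proftpd
        log_on_success  += DURATION USERID
}

service ssh
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = $XI_TMP/usr/local/sbin/sshd
        server_args     = -i
}
EOF

if xinetd_stray_lines "$XI_CFG"; then echo "no stray lines"; fi
for svc in ftp ssh; do
    if xinetd_check_service "$XI_CFG" "$svc"; then echo "$svc: server path ok"; fi
done
```

    Run against a real /etc/xinetd.conf the same way (xinetd_stray_lines /etc/xinetd.conf; xinetd_check_service /etc/xinetd.conf ftp); files under /etc/xinetd.d/ are separate and need to be passed individually.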
