# ProFTPd + SSL Woes

## Sakkath

When I log into my FTPd with SSL, I get this

```
ftp> ls
500 Illegal PORT command
ftp: bind: Address already in use
ftp>
```

It works fine without an SSL connection.

This is my proftpd.conf

```
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName          "ProFTPD Default Installation"
ServerType          standalone
DefaultServer       on
RequireValidShell   off
AuthPAM             off
AuthPAMConfig       ftp
SystemLog           /var/log/proftpd/proftpd.log

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            proftpd
Group                           proftpd

# Normally, we want files to be overwritable.
<Directory />
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients                    10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

# SSL Setup
TLSEngine                       on
# Log directory matches the other ProFTPD logs above (typo "profptd" corrected)
TLSLog                          /var/log/proftpd/tls.log
TLSProtocol                     SSLv23
# Option name corrected from "NoCertReques"; do not ask clients for a certificate
TLSOptions                      NoCertRequest
TLSRSACertificateFile           /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile        /etc/ssl/certs/proftpd.key.pem
TLSVerifyClient                 off
# TLS is offered but not required (explicit mode, plaintext logins still allowed)
TLSRequired                     off

# MySQL setup
# Password type
SQLAuthTypes              Plaintext
# Authentication type
SQLAuthenticate           users
# Use only SQL when authenticating, and not the system's /etc/passwd
# If the user's information is not in SQL, they're not a user to use
# this server.
AuthOrder mod_sql.c
# DB connect info. Format: database_name@server_address database_username database_password
SQLConnectInfo           ftp@localhost ftp *****
# Default UID/GID. Change to suit needs.
SQLDefaultUID             65534
SQLDefaultGID             100
# Minimum UID/GID. Change to suit needs.
SQLMinUserUID            1000
SQLMinUserGID            100
# Database query. Format: ** defined below **
SQLUserInfo                ftp username passwd uid gid ftpdir homedir
# Jail users in ftpdir
DefaultRoot             ~
SQLLogFile                      /var/log/proftpd/mysql.log
# Fast logins
IdentLookups off
```

----------

## Sakkath

Bump.

----------

## Sakkath

Bump.

----------

## Sakkath

Bump.

----------

## Sakkath

Come on, bump! :'( Nothing at all? :'(

----------

## Sakkath

 :Crying or Very sad: 

----------

## xming

Poor Sakkath.

This could be a firewall problem. Do you have 2 firewalls between client and server?

----------

## wellwhoopdedooo

There's NAT or a firewall between you and the FTP server, correct?

----------

## Sakkath

Yeah, not the server-side, but yes, client-side.

Thank you so much for a reply!

----------

## wellwhoopdedooo

Yeah, that's your issue. Because the FTP communication is encrypted, the FTP proxy that's (almost certainly) built into your firewall can't interpret the traffic. IPTables uses ftp_conntrack; you can turn that off but then your regular FTP won't work. If you're in active mode, when you open a data channel a connection is made back to your computer. The firewall sees the PORT command and translates it for the FTP server to your actual external IP, and forwards the port to your system. In passive mode, the firewall normally wouldn't be an issue, but some FTP proxies get confused if you're using explicit SSL.

My advice to you is, if you have to use SSL FTP, use implicit SSL. That will prevent your FTP proxy from getting in the way. You'll have to manage the holes for your data channels manually, or at least use passive mode, but it's a lot easier than explicit. Which isn't saying much.

To be honest, my suggestion is to set up SSH file transfers. Even configuring Apache to do WebDAV over HTTPS is way easier than FTP SSL (which also isn't saying much). I just spent the last two weeks setting this up at work, and it's a nightmare of fighting with firewalls and invisible, impossible to turn off FTP proxies. Even after getting the server set properly, the clients almost always need special setup. This will absolutely be more pain than it's worth for you.

----------

## Sakkath

So, even if the client doesn't have NAT?  The server doesn't have iptables running at the moment, nor is it behind NAT.

So what is "implicit" SSL?  _Only_ allow SSL connections?

To be honest, WebDav sounds like a good idea, but I don't even know how to configure Apache with SSL.

SFTP isn't a solution since all these users are virtual in ProFTPd.

----------

## xming

If there is only ONE FW at the client side then you should be able to connect with passive FTP. Force that in your client.

If there are 2 FW then you are out of luck.

NAT does not play a great deal here.

----------

## wellwhoopdedooo

Implicit SSL is where you just wrap the whole FTP conversation in SSL. Your FTP server is, or could potentially be, unaware that SSL is even involved. With explicit SSL, the AUTH TLS command is sent at the beginning, and any part of the conversation after authentication could or could not be encrypted, you have to check your options and defaults carefully on both the client and server.

If the client isn't behind NAT it gets a lot easier, but you're still not out of the woods. Your firewall could be interfering still. If you're using IPTables the best way around it is to run your FTP server on a port other than 21, or failing that, disable conntrack_ftp.

I'm going to recommend the WebDAV. Not only are you having this problem, but 95% of the people that try to connect to your FTP server will have it too. Linux has plenty of WebDAV clients, Windows has a built-in WebDAV client, and you'll find tons of info on setting up SSL Apache, and mod_dav. You'll hit a brick wall troubleshooting this unless you can interpret packet captures, know the FTP protocol inside and out, and maybe do a little C coding. At that point you'll still run into troubles with client firewalls neither of you control.
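As an added illustration of the active-mode translation wellwhoopdedooo describes (the firewall's FTP proxy rewriting the PORT command) and of why that stops working once AUTH TLS encrypts the control channel, here is a small Python example. It is example code written for this page, not anything from the thread or from ProFTPD; the sample control-channel lines, the addresses and the TLS record bytes are all constructed.

```python
import re

# Constructed sample control-channel traffic (not captured from the thread).
PORT_LINE = "PORT 192,168,1,10,4,1"                         # client behind NAT, port 4*256+1
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)."
# Constructed TLS application-data record (type 0x17, version 0x0303) followed by
# opaque ciphertext: what the firewall sees on port 21 after AUTH TLS succeeds.
TLS_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(32)

_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply, else None."""
    m = _ADDR_RE.search(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]       # FTP encodes the port as p1*256 + p2
    return ip, port


def rewrite_port_command(line, external_ip):
    """What an FTP ALG does in active mode: replace the client's private address
    in PORT with the firewall's external address and keep the port number."""
    parsed = parse_endpoint(line)
    if parsed is None or not line.upper().startswith("PORT "):
        return None
    _, port = parsed
    fields = external_ip.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(fields)


def alg_visible_endpoint(control_bytes):
    """Simulate the ALG inspecting one control-channel message.  Plaintext FTP is
    parseable; a TLS record (content type 0x14-0x17, version 0x03xx) yields nothing,
    so the private address in PORT is never translated and the server's connect
    back fails, which matches the '500 Illegal PORT command' in the first post."""
    if len(control_bytes) >= 3 and control_bytes[0] in (0x14, 0x15, 0x16, 0x17) \
            and control_bytes[1] == 0x03:
        return None
    try:
        return parse_endpoint(control_bytes.decode("ascii"))
    except UnicodeDecodeError:
        return None
```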

----------

## Sakkath

I guess I better use WebDav then ^.^.  If I encounter any issues, can I count on you to help me?

So, with implicit SSL, there can't be any normal, non-ssl connections?

----------

## wellwhoopdedooo

I'll lend a hand, and I've set it up a few times, but I'm not promising anything.

First thing you want to do is follow this guide: http://gentoo-wiki.com/HOWTO_WebDav

Actually, if all goes well that's all you need to do for a basic setup. Get it working according to the guide first, customize from there.

----------

## xming

*Sakkath wrote:*

> So, with implicit SSL, there can't be any normal, non-ssl connections?

No, it's IMPLICIT.

----------

## Sakkath

*xming wrote:*

> *Sakkath wrote:*
>
> > So, with implicit SSL, there can't be any normal, non-ssl connections?
>
> No, it's IMPLICIT.

 

Dude, if I knew what that was I wouldn't be questioning you ^.^

----------

## Sakkath

So what about TLS?  Same situation?  And as far as implicit and explicit go, they are both a "no-go" basically?

----------

## Sakkath

Bump.

----------

## xming

Implicit means that the connection has to use TLS; with explicit it means that the server supports TLS but it does not have to use TLS. So explicit will work when it's not using TLS.

FTP + SSL/TLS with 2 FW (or NAT) will just bring your FW back to early '90s ACLs; you will be losing all the security if you just want to use the TLS.

So either use a separate account or use something else.

----------

## Sakkath

I'll just keep it normal then ^.^.

----------

