In our office, we are using squid to restrict users to connect only particular web sites and urls. If a user is connecting a web page via https, url_regex acl will not work. In a https request, we have control over domain only. But we need to restrict on url level. So, we used ssl bump to intercept the https requests. Its working fine, but we got some ssl warnings in browser.
Is this possible to intercept a ssl connection in bump without any browser warnings?
squid configuration file
#
# Recommended minimum configuration:
#
#debug_options ALL,3
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#allowing .zopert.com domains
acl trustedDomains dstdomain -i "/etc/squid/trusted_domains.txt"
#excluded domains
acl excludedDomains dstdomain -i "/etc/squid/excluded_domains.txt"
#allowing grid console.
acl adminConsole urlpath_regex \/admin\/
#allowed urls
acl trustedUrls url_regex -i "/etc/squid/allowed_urls.txt"
# Example rule allowing access from your local networks.
http_port 3129 ssl-bump cert=/etc/squid/test.crt key=/etc/squid/test.key
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl HTTPS proto HTTPS
#
# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost
#http_access allow manager localhost
http_access deny manager
#http_access allow allowurls
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#allowing trusted domains(.zopert.com) only.
http_access allow trustedDomains adminConsole
http_access allow trustedDomains trustedUrls
#allowing static domains
http_access allow excludedDomains
#ssl_bump deny trustedDomains
http_access allow CONNECT trustedDomains
#http_access allow CONNECT
always_direct allow HTTPS
#ssl_bump allow adminConsole
ssl_bump allow trustedDomains
#we don't need to intercept other ssl sites.
ssl_bump deny all
# And finally deny all other access to this proxy
#sslproxy_cert_error allow all
#http_access allow localnet
http_access deny all
http_access deny CONNECT
#We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
logformat squid %ts.%03tu %6tr %>a %>A %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
SSL bump is doing a man-in-the-middle attack and the browser is complaining about this, which is the expected behavior. If you don't want this you need to import the CA (test.crt) as trusted in all browsers.
Related
I have many ips on same server and I am using squid basic authentication.
Example - I have two ips and 2 users and one single port 3128. The issue is any user can use any outgoing ips.
Below is my squid configuration:
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl CONNECT method CONNECT
auth_param basic program /usr/bin/python /path/to/authenticationscript
auth_param basic realm Please enter username and password
auth_param basic credentialsttl 1 second
acl AuthUsers proxy_auth REQUIRED
external_acl_type userip %SRC %LOGIN /usr/lib/squid/ext_file_userip_acl -f /path/to/config.file
acl userip external userip
http_access allow userip
http_access deny all
http_port 3128 name=0
acl ip1 myportname 0
tcp_outgoing_address x.x.x.0 ip1
acl ip2 myportname 1
tcp_outgoing_address x.x.x.1 ip2
where x.x.x.x is the ipaddress of the server.
In the config.file I am having
x.x.x.0(ipaddress1) user1
x.x.x.1(ipaddress2) user2
How can I let one user to connect to one ip?
I found the solution.
I need to change the http_port and acl of myportname to below:
http_port 3128
acl ip1 myip x.x.x.0
tcp_outgoing_address x.x.x.0 ip1
acl ip2 myip x.x.x.1
tcp_outgoing_address x.x.x.1 ip2
I have a problem with Squid. I wanted to block the possibility of accessing www to selected people on the principle that I define allowed domains and block all the rest. I can not deal with this configuration. What I have done so far is a working proxy with authentication.
Can you help me to solve my problem?
Regards
acl lan src 192.168.1.0/24
# It does not work
acl TimeWorkUser1 time M T W H F A 7:00-15:00
acl User1 src 192.168.1.100
acl GoodSites dstdomain "/etc/squid/users/GoodSites.cfg"
# end
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic credentialsttl 8 hours
auth_param basic realm Proxy: Wymagana autoryzacja
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# It does not work
http_access deny User1 !GoodSites
http_access allow TimeWorkUser1
# end
http_access allow localhost
http_access allow lan
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
# cat /etc/squid/users/GoodSites.cfg
www.somedomain.com
somedomain.com
My /etc/httpd/conf.d/phpMyadmin.conf has the following configurations
# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip xx.xx.xx.xxx
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
#Deny from All
Allow from xx.xx.xx.xxx
Allow from ::1
</IfModule>
</Directory>
<Directory /usr/share/phpMyAdmin/setup/>
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip xx.xx.xx.xxx
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
#Deny from All
Allow from xx.xx.xx.xxx
Allow from ::1
</IfModule>
</Directory>
# These directories do not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries/>
Order Deny,Allow
#Deny from All
Allow from None
</Directory>
<Directory /usr/share/phpMyAdmin/setup/lib/>
Order Deny,Allow
#Deny from All
Allow from None
</Directory>
<Directory /usr/share/phpMyAdmin/setup/frames/>
Order Deny,Allow
#Deny from All
Allow from None
</Directory>
# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#<IfModule mod_security.c>
# <Directory /usr/share/phpMyAdmin/>
# SecRuleInheritance Off
# </Directory>
#</IfModule>
When I access at my page EC2 instance as
http://xx.xx.xx.xxx/phpmyadmin, I have You don't have permission to access /phpmyadmin on this server. error.
I made sure this ip address xx.xx.xx.xxx is my EC2's Elastic IP address.
phpMyadmin.conf has correct xx.xx.xx.xxx to allow.
I tried to follow the similar links of this, this and this.
But still have the error. What could be wrong with my error?
My EC2 instance has AWS linux OS installed.
Thanks
As per my understanding this configuration is related to PhpMyadmin. In order to load this configuration into Apache Web Server, Make sure Apache is loading all the configuration files from conf.d by looking into httpd.conf if you are using apache [Not Apache2] and apache2.conf [for Apache2].
Inside /etc/apache2/apache2.conf, you will find the following line, which includes those files:
# Include generic snippets of statements
Include conf.d/
[Refference]
You might have checked it still, it is one of the solution.
I have same error. Follow this link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-LAMP.html to do all owner and group changes. Did all as you did above, but it's getting that error. Finally after restarting httpd, I become able to connect.
I set up a Vagrant VirtualBox box for Debian Wheezy following this instruction.
I installed nginx and php5-fpm on this virtual machine. I can access my guest machine via 127.0.0.1:8080 from host. It can also serve php files and phpinfo() works correctly, too.
However, when I try to access a remote MySQL server from a php file, the request always times out and I get a 504 Gateway Timeout error.
I noticed the followings.
In my nginx conf file, I have this line fastcgi_pass unix:/var/run/php5-fpm.sock;.
In /etc/php5/fpm/pool.d/www.conf, I have listen = /var/run/php5-fpm.sock.
php5-fpm.sock exists in /var/run/.
If I use 127.0.0.1:9000 instead of the socket, I still get the 504 Gateway Timeout error, but I get the error immediately without any waiting.
I added proxy_read_timeout 300; in my nginx conf, but this did not solve the issue.
My Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
# Every Vagrant virtual environment requires a box to build off of.
config.vm.box = "wheezy32"
config.vm.provision :shell, :path => "dev/bootstrap.sh"
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
config.vm.network :forwarded_port, guest: 80, host: 8080
# Create a private network, which allows host-only access to the machine
# using a specific IP.
# config.vm.network :private_network, ip: "192.168.33.10"
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
# config.vm.network :public_network
end
My nginx conf
server {
root /var/www/sites/mysite/public_html;
index index.html index.htm index.php;
# Make site accessible from http://localhost/
server_name localhost;
access_log /var/www/logs/mysite/mysite.access_log;
error_log /var/www/logs/mysite/mysite.error_log;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.html;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
proxy_read_timeout 300;
}
location /doc/ {
alias /usr/share/doc/;
autoindex on;
allow 127.0.0.1;
allow ::1;
deny all;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
}
/var/www/logs/mysite/mysite.error_log
2013/06/16 23:47:27 [error] 2567#0: *23 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.2.2, server: localhost, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock", host: "127.0.0.1:8080"
2013/06/16 23:47:27 [error] 2567#0: *23 rewrite or internal redirection cycle while internally redirecting to "/index.html", client: 10.0.2.2, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "127.0.0.1:8080"
Here is how I attempt to connect to the remote MySQL server.
require_once('/var/www/sites/mysite/includes/db_constants.php');
try {
$dsn = 'mysql:host=172.16.0.51;dbname=' . DB_NAME . ';charset=utf8';
$db = new PDO($dsn,DB_USER,DB_PASS);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
} catch (PDOException $e) {
header('HTTP/1.1 500');
exit;
} catch (Exception $e) {
header('HTTP/1.1 500');
exit;
}
What am I missing?
As #cmur2 said, I was using the private IP to connect to the remove server, and that was why it did not work. I changed it to a public IP and now it is working correctly.
I just installed ProFTPD on a test CentOS webserver, which contains Webmin.
After installing ProFTPD I tried to connect via FTP and it wouldn't let me. I've tried to connect with FileZilla and terminal on the server. To connect I've tried all the users on the server (root, admin, steven10172) and all of them return the same error "530 Login Incorrect."
Could someone please assist me as to why I can't connect via ftp??
Error message (With AuthPam On):
May 23 02:03:34 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17201] 76.209.55.83: ProFTPD killed (signal 15)
May 23 02:03:34 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17201] 76.209.55.83: ProFTPD 1.3.3g standalone mode SHUTDOWN
May 23 02:03:36 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17261] 76.209.55.83: ProFTPD 1.3.3g (maint) (built Thu Nov 10 2011 16:20:58 UTC) standalone mode STARTUP
May 23 02:03:39 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17267] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): FTP session opened.
May 23 02:03:40 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17267] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): USER root (Login failed): Incorrect password.
May 23 02:03:42 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17267] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): FTP session closed.
Error message (with AuthPam Off):
May 23 02:02:21 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17201] 76.209.55.83: ProFTPD 1.3.3g (maint) (built Thu Nov 10 2011 16:20:58 UTC) standalone mode STARTUP
May 23 02:02:25 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17207] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): FTP session opened.
May 23 02:02:26 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17207] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): USER steven10172 (Login failed): No such user found.
May 23 02:02:29 adsl-76-209-55-83.dsl.emhril.sbcglobal.net proftpd[17207] 76.209.55.83 (::ffff:12.172.237.130[::ffff:12.172.237.130]): FTP session closed.
/etc/proftpd.conf:
# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html
# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root#localhost
DefaultServer on
# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine on
DefaultRoot ~ !adm
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off
# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off
# Set the user and group that the server runs as
User nobody
Group nobody
# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20
# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off
# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
# LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
# LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
# LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
# LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
# LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
# LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
# LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
# LoadModule mod_quotatab_radius.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
# LoadModule mod_ctrls_admin.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
# LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
# LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
# LoadModule mod_geoip.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
# LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
# LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
# LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
# LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
# LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
# LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
# LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
# LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
# LoadModule mod_tls_shmcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
# LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
# LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
# LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
# LoadModule mod_wrap2_sql.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
# LoadModule mod_ifsession.c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times
# within 10 minutes, automatically add a ban for that client that
# will expire after one hour.
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm
</IfDefine>
# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable
Umask 022
# Allow users to overwrite files and change permissions
AllowOverwrite on
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
RootLogin on
UseFtpUsers off
AuthAliasOnly off
RequireValidShell off
</Global>
SystemLog /var/log/proftpd/errors.log
# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
<Anonymous ~ftp>
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login
#DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files.
DisplayLogin /welcome.msg
DisplayChdir .message
DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser on ftp
DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog off
# Logging for the anonymous transfers
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth
</Anonymous>
</IfDefine>
It seems the user is not included in the proftpd users list. Its the default safety procedure with proftd recent versions.
To enable it manually,
In the "Server Status" section of the webmin default page (click 'webmin' to get this page), click on 'ProFTPD FTP Server'. This will open the Proftpd module.
In the "Global Configuration Section", click "Edit Config files"
In the editor find the line umask 22
add the following lines below with the webmin username. this will allow webmin user to use ftp and sftp
umask 22
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
DenyAll
AllowUser webminuser1 webminuser2
</Limit>
save the file and restart proftpd.
**
OR
**
Use the default webmin configuration to enable proftpd for users :
remove and fresh install proftpd.
yum install proftpd
and start the service, service proftpd start
check your ftp connection by telnet. telnet <ipaddress> 21
if telnet connects, Go to webmin menu,
webmin->webmin configuration->webmin modules
In the Install from section, on Standard module from
www.webmin.com, choose proftpd module (you can try just typing in the
box, but its better click the globe icon to select proftpd)
After Selecting Proftpd, check Ignore Dependencies option, and check Grant access to all Webmin users,
And click on Install module button Restart the System for changes to take effect.
Try connecting with ftpclient with the username and password. It should work!
In webmin, go to your ProFTPD module and look for an icon/option of Denied FTP Users.
Remove any users from that list, that you want access to the FTP server. One spot I had trouble with.
In most of the ftp clients by default its enabling FTP Passive connection option so just unselect it and then try to connect.
While this only helps for one or two of the usernames you specified, root accounts are generally barred from FTP access.
... a list of the users that either have no business using ftp or
have too many privileges to be allowed to log in through the FTP
server daemon. Such users usually include root, daemon, bin, uucp,
and news.