14 Replies - 1240 Views - Last Post: 21 February 2015 - 05:38 PM

#1 The_Programmer-

ProFTPd jail not working

Posted 19 February 2015 - 03:39 PM

I would like to jail a user to the root of a website directory. I have edited the proftpd.conf folder to only include
DefaultRoot /var/www/html anonken
but when I connect to the server through SFTP, it plants me in the root of the file system.

This post has been edited by The_Programmer-: 20 February 2015 - 03:38 PM


Replies To: ProFTPd jail not working

#2 no2pencil

Posted 19 February 2015 - 07:02 PM

What group is your user you logged in as? What do the logs say?

#3 The_Programmer-

Posted 20 February 2015 - 03:44 PM

The user has a primary group of "anonken" and secondary groups of www-data and ftpusers. The logs only show that the SFTP connections were successful. There are no errors at all. Is there a better FTP server that is easier to jail users on?

Oh, since I am using SFTP, would I have to somehow jail the user through the OpenSSH configs?

#4 The_Programmer-

Posted 20 February 2015 - 10:14 PM

Oddly, I got it to work. I enabled FTP over TLS, connected using FTPES, and now even if I connect using unencrypted FTP, it will jail me to the folder I want.

#5 The_Programmer-

Posted 20 February 2015 - 11:59 PM

Well now it's not working for some reason. It connects over TLS, but it fails to list the directory. I'm not aware of my VPS company having some sort of firewall, so that shouldn't be the issue. This happens with any client I used. It's weird that it worked for a bit though.

#6 no2pencil

Posted 21 February 2015 - 08:28 AM

A VPS won't have a firewall, it's up to you to have a firewall. If it connects & doesn't ls, that's because it's connecting in passive mode, which uses a different port range. It is incredibly important that ProFTPD is configured to use the correct ports, & all the same that you allow those ports on your firewall. Ports 20 & 21 are standard, 22 for SFTP (which you need to use for jails), & passive ports are configured within proftpd.conf.

#7 The_Programmer-

Posted 21 February 2015 - 04:22 PM

Ya. I finally figured that out. My problem is that I don't know how to open a range of ports in iptables. It would be impossible to enter the thousands of ports in the passive range by hand. Do you know how to open a range of ports?

#8 The_Programmer-

Posted 21 February 2015 - 04:37 PM

For example, one port would be like
sudo iptables -A INPUT -p tcp --dport 2122 -j ACCEPT

#9 no2pencil

Posted 21 February 2015 - 04:37 PM

iptables.conf :
# Passive Ports
PassivePorts      35000 40000


iptables.save :
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 35000:40000 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT



But I will ask again that you understand passive mode is ftp, & sftp is port 22, yes?
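
Added example (not part of the thread or any poster's code): passive-mode data connections reach the server on its INPUT chain, so this script checks that the PassivePorts range from proftpd.conf is covered by a tcp INPUT ACCEPT rule in iptables-save output. The sample config and rulesets are constructed, and the check assumes single-port or LOW:HIGH --dport rules under a default-drop INPUT policy.

```sh
#!/bin/sh
# Added example: compare ProFTPD's PassivePorts range with iptables INPUT rules.
# All config and rule text below is constructed sample data.

# Print "LOW HIGH" for the PassivePorts directive in proftpd.conf text on stdin.
passive_range() {
    awk '$1 == "PassivePorts" { lo = $2; hi = $3 } END { if (lo != "") print lo, hi }'
}

# Exit 0 if iptables-save text on stdin has a tcp INPUT ACCEPT rule whose
# --dport (single port or LOW:HIGH) covers the range $1..$2.
input_covers() {
    awk -v lo="$1" -v hi="$2" '
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                if (n == 1) r[2] = r[1]
                if (r[1] + 0 <= lo + 0 && r[2] + 0 >= hi + 0) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# $1 = proftpd.conf text, $2 = iptables-save text.
# Returns 0 if covered, 1 on mismatch, 2 if no PassivePorts directive exists.
check_passive() {
    range=$(printf '%s\n' "$1" | passive_range)
    [ -n "$range" ] || { echo "no PassivePorts directive found"; return 2; }
    lo=${range% *}; hi=${range#* }
    if printf '%s\n' "$2" | input_covers "$lo" "$hi"; then
        echo "ok: INPUT accepts tcp $lo:$hi"
    else
        echo "MISMATCH: no INPUT ACCEPT rule covers tcp $lo:$hi"; return 1
    fi
}

# Constructed samples: one config and three rulesets.
CONF='# Passive Ports
PassivePorts      35000 40000'
RULES_OUT_ONLY='-A OUTPUT -p tcp -m tcp --dport 35000:40000 -m state --state RELATED,ESTABLISHED -j ACCEPT'
RULES_NARROW='-A INPUT -p tcp -m tcp --dport 35000:39000 -j ACCEPT'
RULES_OK='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 35000:40000 -j ACCEPT'

check_passive "$CONF" "$RULES_OUT_ONLY" || true
check_passive "$CONF" "$RULES_NARROW" || true
check_passive "$CONF" "$RULES_OK" || true
```

On a live host the two arguments would come from the ProFTPD config file and the output of `iptables-save`.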

#10 The_Programmer-

Posted 21 February 2015 - 04:41 PM

Yes. I understand it's on port 22 since SFTP is over SSH. I'm trying to do FTPES though (FTP with explicit TLS). Is that what you meant? I'll try opening the ports now and see what happens.

#11 The_Programmer-

Posted 21 February 2015 - 04:53 PM

Thank you! Opening the port range fixed it and I am now jailed while using FTPES.

Well what the heck. The directory was listed when I first tried it, but now it will not list the directory.

#12 The_Programmer-

Posted 21 February 2015 - 05:12 PM

Hm. Now the TLS log is saying that the connection was successful but it receives an EOF that violates protocol. It then says the handshake failed.

#13 no2pencil

Posted 21 February 2015 - 05:15 PM

Restart the services. Do you have selinux running?

#14 The_Programmer-

Posted 21 February 2015 - 05:26 PM

I don't think I have SELinux. I messed around with the ports, and this seems to work. I am now able to connect successfully.

#15 The_Programmer-

Posted 21 February 2015 - 05:38 PM

And of COURSE it does not work again. Why is it only working off and on?