
Questions [proftpd] (server)

zeerk
Asked: 2021-10-12 03:33:32 +0800 CST

ProFTPd configuration for both SFTP and FTP

  • 1

I have a ProFTPd that currently uses the FTP protocol, but I also want to use SFTP.
I found a solution using a <VirtualHost> block, but it does not work for me.

  <IfModule mod_sftp.c>
      <VirtualHost 0.0.0.0>

        TLSEngine          off
        SFTPEngine         on
        Port               2222
        SFTPLog            /var/log/proftpd/sftp.log
        Include            /etc/proftpd/sql.conf

        SFTPHostKey        /etc/ssh/ssh_host_rsa_key
        SFTPHostKey        /etc/ssh/ssh_host_ecdsa_key

        SFTPCompression    delayed
        DefaultRoot        ~
        RequireValidShell  on

     </VirtualHost>
  </IfModule>


This is the output of `/var/log/proftpd/sftp.log`:

2021-10-11 11:03:32,289 mod_sftp/0.9.9[20791]: using '/etc/ssh/ssh_host_ecdsa_key' as 256-bit ECDSA hostkey
2021-10-11 11:03:32,289 mod_sftp/0.9.9[20791]: using '/etc/ssh/ssh_host_ecdsa_key' as 256-bit ECDSA hostkey
2021-10-11 11:03:32,291 mod_sftp/0.9.9[20791]: sent server version 'SSH-2.0-SFTP Server'
2021-10-11 11:03:32,291 mod_sftp/0.9.9[20791]: received client version 'SSH-2.0-PuTTYFileZilla_3.46.3'
2021-10-11 11:03:32,291 mod_sftp/0.9.9[20791]: handling connection from SSH2 client 'PuTTYFileZilla_3.46.3'
2021-10-11 11:03:32,363 mod_sftp/0.9.9[20791]:  + Session key exchange: ecdh-sha2-nistp256
2021-10-11 11:03:32,363 mod_sftp/0.9.9[20791]:  + Session server hostkey: ecdsa-sha2-nistp256
2021-10-11 11:03:32,363 mod_sftp/0.9.9[20791]:  + Session client-to-server encryption: aes256-ctr
2021-10-11 11:03:32,363 mod_sftp/0.9.9[20791]:  + Session server-to-client encryption: aes256-ctr
2021-10-11 11:03:32,363 mod_sftp/0.9.9[20791]:  + Session client-to-server MAC: hmac-sha2-256
2021-10-11 11:03:32,363 mod_sftp/0.9.9[20791]:  + Session server-to-client MAC: hmac-sha2-256
2021-10-11 11:03:32,363 mod_sftp/0.9.9[20791]:  + Session client-to-server compression: none
2021-10-11 11:03:32,363 mod_sftp/0.9.9[20791]:  + Session server-to-client compression: none
2021-10-11 11:03:32,504 mod_sftp/0.9.9[20791]: sending acceptable userauth methods: keyboard-interactive,password
2021-10-11 11:03:32,626 mod_sftp/0.9.9[20791]: expecting USER_AUTH_INFO_RESP message, received SSH_MSG_IGNORE (2)
2021-10-11 11:03:32,627 mod_sftp_pam/0.3[20791]: PAM authentication error (7) for user 'sql_user': Authentication failure
2021-10-11 11:03:32,627 mod_sftp/0.9.9[20791]: sending userauth failure; remaining userauth methods: keyboard-interactive,password
2021-10-11 11:03:32,628 mod_sftp/0.9.9[20791]: unhandled SSH_MSG_USER_AUTH_INFO_RESP (61) message, disconnecting
2021-10-11 11:03:32,628 mod_sftp/0.9.9[20791]: disconnecting (Unsupported protocol sequence)
ubuntu virtualhost sftp proftpd
  • 1 answer
  • 525 Views
Hydher
Asked: 2021-09-04 03:05:11 +0800 CST

mod_tls missing on proftpd

  • 0

I am trying to enable TLS on a Proftpd server (ProFTPD version 1.3.7a, Debian version: 11).

However, after completing all the steps and restarting proftpd, I get the following error:

mod_dso/0.5: unable to load 'mod_tls.c'; check to see if '/usr/lib/proftpd/mod_tls.la' exists

So I checked /usr/lib/proftpd/ and mod_tls is missing there. How can I enable/install this module?

Proftpd was installed via apt-get install.

debian ssl proftpd
  • 2 answers
  • 760 Views
Sebastian Viereck
Asked: 2021-04-01 05:24:00 +0800 CST

EPEL 7 proftp package only provides outdated version 1.3.5e

  • 0

I am curious why there is no newer version of the epel-x86_64 ftp server package proftp in the epel 7 repo:

https://centos.pkgs.org/7/epel-x86_64/proftpd-1.3.5e-10.el7.x86_64.rpm.html

Only version 1.3.5e from April 9, 2017 is available. The latest version is 1.3.7a from 21/Jul/2020.

I am using Amazon Linux 2 with proftp to host an ftp server.

What can I do other than compiling it manually? I would like to update proftp via yum.

yum package-management proftpd epel
  • 2 answers
  • 165 Views
mr.d
Asked: 2020-09-06 23:57:37 +0800 CST

Proftpd server: Server does not support non-ASCII characters

  • 1

I have moved my FTP server (running proftpd) from Ubuntu 18.04 to an Ubuntu 20.04 server, and now there is a problem when connecting. In the connection log there is a line saying:

"Status: Server does not support non-ASCII characters."

and all files and folders containing non-ASCII characters cannot be downloaded.

I can fix this on the client side by setting my FTP client (e.g. FileZilla) to explicitly use UTF-8, but for other people connecting to the FTP the problem remains.

proftpd-basic/focal,now 1.3.6c-2 amd64 [installed,automatic]
proftpd-doc/focal,now 1.3.6c-2 all [installed,automatic]
proftpd-mod-mysql/focal,now 1.3.6c-2 amd64 [installed]

Does anyone know what might be causing this error and how to fix it?

proftpd
  • 2 answers
  • 3284 Views
Ney
Asked: 2020-06-30 10:39:16 +0800 CST

ProFTPD - TLS - client does not support any cipher

  • 0

I am running Ubuntu Server 20.04 with proftpd 1.36 and am having trouble setting up TLS.

I followed the guide in the config file, but I get a very strange error: no supported ciphers. The process then breaks with a handshake error. The SSL ClientHello message contains many recognized ciphers, and they are present on the machine.

TLS log:

2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions attempted: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions established: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions renegotiated: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions resumed: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions in cache: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL session cache hits: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL session cache misses: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL session cache timeouts: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL session cache size exceeded: 0
2020-06-29 18:16:35,242 mod_tls/2.7[87910]: TLSOption EnableDiags enabled, setting diagnostics callback
2020-06-29 18:16:35,245 mod_tls/2.7[87910]: error initializing OpenSSL context for this session
2020-06-29 18:16:35,247 mod_tls/2.7[87910]: TLS/TLS-C requested, starting TLS handshake
2020-06-29 18:16:35,247 mod_tls/2.7[87910]: [info] (unknown): before SSL initialization
2020-06-29 18:16:35,247 mod_tls/2.7[87910]: [info] accepting: before SSL initialization
2020-06-29 18:16:35,247 mod_tls/2.7[87910]: [info] accepting: before SSL initialization
2020-06-29 18:16:35,255 mod_tls/2.7[87910]: [msg] received protocol record message (5 bytes)
2020-06-29 18:16:35,255 mod_tls/2.7[87910]: [info] accepting: before SSL initialization
2020-06-29 18:16:35,255 mod_tls/2.7[87910]: [msg] received TLSv1.3 'ClientHello' Handshake message (368 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [msg]
ClientHello:
  client_version = TLS 1.2
  random:
    gmt_unix_time = Thu Oct 20 14:46:18 1904 (not guaranteed to be accurate)
    random_bytes (28 bytes)
      5820ebe66e5afa9ec7d9cfc5d69fd7b97698ba054091bd338c918587
  session_id (0 bytes)
  cipher_suites (58 bytes)
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    [unknown/unsupported]
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [unknown/unsupported]
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [unknown/unsupported]
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [unknown/unsupported]
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [unknown/unsupported]

    TLS_RSA_WITH_AES_256_CBC_SHA
    [unknown/unsupported]
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    [unknown/unsupported]
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    [unknown/unsupported]
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    [unknown/unsupported]
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    [unknown/unsupported]
  compression_methods (1 byte)
    None
  extensions (265 bytes)
    extension_type = status_request (5 bytes)
    extension_type = elliptic_curves (22 bytes)
    extension_type = ec_point_formats (2 bytes)
    extension_type = signature_algorithms (34 bytes)
    extension_type = encrypt_then_mac (0 bytes)
    extension_type = extended_master_secret (0 bytes)
    extension_type = session_ticket (0 bytes)
    extension_type = key_share (139 bytes)
    extension_type = supported_versions (9 bytes)
    extension_type = renegotiate (1 byte)
    extension_type = psk_kex_modes (3 bytes)
    extension_type = [unknown/unsupported] (2 bytes)

2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [msg] sent protocol record message (5 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [msg] sent TLSv1.2 fatal 'handshake_failure' Alert message (2 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [info] writing: SSL/TLS alert fatal: handshake failure
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [info] accepting: error
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: unable to accept TLS connection: protocol error:
  (1) error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: unable to accept TLS connection: client does not support any cipher from 'TLSCipherSuite DEFAULT:!ADH:!EXPORT:!DES' (see `openssl ciphers DE>
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: TLS/TLS-C negotiation failed on control channel
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions attempted: 1
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions established: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions renegotiated: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions resumed: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions in cache: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL session cache hits: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL session cache misses: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL session cache timeouts: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL session cache size exceeded: 0

Output of openssl:

openssl ciphers -v 'DEFAULT:!ADH:!EXPORT:!DES'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1

As you can see, there are plenty of matching ciphers. So why do I get this error?

----------- Bonus info ---------- I tried changing the cipher suite to a single cipher, each one in turn, still the same error. I have tried changing the protocol, still the same error. Google did not help me find a solution; all the errors seem to be related to certificates actually missing, or are unrelated. For completeness, the proftpd tls config:

#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#

<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using 
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#          -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key 
# chmod 0640 /etc/ssl/private/proftpd.key
# 
TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
#
# CA the server trusts...
#TLSCACertificateFile            /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
TLSOptions                      NoCertRequest EnableDiags 
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions                             AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient                         off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired                             auth
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate                          required off
</IfModule>
ssl proftpd openssl ubuntu-20.04
  • 2 answers
  • 1954 Views
Sam
Asked: 2020-05-20 00:27:18 +0800 CST

How to use proftpd on SliTaz

  • 1

I want to use FTP over TLS on SliTaz. I installed proftpd with the following command:

tazpkg get-install proftpd

On SliTaz I am used to starting and stopping programs with /etc/init.d/program start or stop, but I don't know how to start proftpd, because there is no /etc/init.d/proftpd.

The proftpd configuration is still the default. I tried to connect with FileZilla, but after the user is authenticated it cannot connect to the server.

SliTaz (5.0) is a virtual machine on a Windows 10 host. I tried using FileZilla on the host against the SliTaz host-only ip.

How do I configure proftpd on SliTaz?

Edit

I found that I can start proftpd by typing proftpd on the command line. I do have a /etc/proftpd.conf file, but when I change something in the file nothing changes. I can't use proftpd restart, so I assume reloading proftpd is just proftpd?

I tried to use TLS with the following lines in /etc/proftpd.conf:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSOptions                 NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.pem
TLSVerifyClient            off
TLSRequired                on
RequireValidShell          no
</IfModule>

I created proftpd.pem with openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.pem -keyout /etc/proftpd/ssl/proftpd.pem

A plain FileZilla connection works perfectly, but Require explicit FTP over TLS returns 500 AUTH not understood.

Edit 2

mod_tls.c is not compiled in by default. With proftpd -l I can see all modules:

Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_rlimit.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_facts.c
  mod_ident.c
  mod_cap.c

mod_tls.c is not in the list, which is probably why it does not work. How do I add mod_tls.c to the proftpd module list?

linux ftp ftps proftpd
  • 1 answer
  • 195 Views
M. Schmidt
Asked: 2020-04-01 11:39:32 +0800 CST

Migrating password hashes from glftpd 2.01 (PKCS5_PBKDF2_HMAC_SHA1) to proftpd + mod_sql_passwd

  • 2

In order to migrate from the de-facto closed-source glftpd 2.01 to proftpd, I need to migrate the password hashes of the user accounts from glftpd to proftpd. Reading up on the topic, I thought mod_sql_passwd should do the trick.

So I set up my proftpd server like this:

<global>
    SQLBackend              mysql
    SQLAuthTypes            Crypt
    SQLAuthenticate         users groups

    SQLConnectInfo  testdbuser@testdbhost testdb

    SQLUserInfo     ftpuser userid passwd uid gid homedir shell
    SQLGroupInfo    ftpgroup groupname gid members
    SQLMinID        500
    CreateHome on

[...]

    RootLogin off
    RequireValidShell off
    DefaultRoot ~
</global>

DefaultServer                   off
ServerType                      standalone

<VirtualHost 0.0.0.0>
    Port 21
    PassivePorts 10000 10250
    MasqueradeAddress 123.123.123.123

    SQLAuthTypes pbkdf2
    SQLPasswordPBKDF2 sha1 100 40

    SQLNamedQuery get-user-salt SELECT "salt FROM ftpuser WHERE userid = '%{0}'"
    SQLPasswordUserSalt sql:/get-user-salt Prepend
</VirtualHost>

The hash in the glftpd passwd looks like this:

$7e8ab0c7$bf044082ab83875eeb3a2158cd6253f8e88f40cf

The database looks like this (CSV representation):

"id","userid","passwd","salt","uid","gid","homedir","shell","count","accessed","modified"
"1","test","bf044082ab83875eeb3a2158cd6253f8e88f40cf","7e8ab0c7","5500","5500","/data/test","/sbin/nologin","20","2020-03-31 20:02:45","2020-03-25 16:30:49"

All configuration so far results in:

USER test (Login failed): No such user found

although the user actually exists, and by changing the hash to a Crypt() Bcrypt style hash the login succeeds.

Problems / questions:

  • It is not clear from the few resources available for glftpd how many iterations the glftpd hash uses; an iteration value of 100 can be derived [¹]
  • It is unclear whether the dollar signs should be prepended to the salt and the hash
  • proftpd with DebugLevel 10 gives no information other than "USER test (Login failed): No such user found"; however, with a normal Crypt() Bcrypt type hash it works perfectly (see the top of the config)
  • It is not yet clear how the glftpd 2.01 hash is built; I tried SQLPasswordOptions HashPassword HashSalt, which seemed the most logical, but without success [²]

I would be glad to hear from someone who has had a similar task and gained some experience with this kind of migration. Other hints that help solve this topic are also welcome.

[¹] https://glftpd.io/files/glftpd-LNX_2.01.tgz (bin/sources/PassChk/passhk.c) glftpd 2.01 "passchk.c":

    PKCS5_PBKDF2_HMAC_SHA1(pwd, strlen(pwd), real_salt, SHA_SALT_LEN, 100,
               mdlen, md);

[²] http://www.proftpd.org/docs/contrib/mod_sql_passwd.html#Transformations

migration ftp mysql proftpd
  • 1 answer
  • 170 Views
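The following is an added example, not part of the original question or of mod_sql_passwd itself. It reproduces what the migration needs on the proftpd side in plain Python: parse the glftpd `$salt$hash` entry, derive PBKDF2-HMAC-SHA1 with the 100 iterations visible in the quoted passchk.c call, and compare in constant time. Two things in it are assumptions: the salt is fed to PBKDF2 as its eight ASCII characters (the page does not show how glftpd builds `real_salt`), and the derived-key length is 20 bytes, because a 40-hex-character hash is 20 bytes, which is also SHA-1's output size. `key_length_matches` is there because `SQLPasswordPBKDF2 sha1 100 40` in the question names a length of 40; if that argument is a byte count, a 40-byte derived key can never equal a 20-byte stored hash, which is worth ruling out before digging into salt formats.

```python
import hashlib
import hmac

ITERATIONS = 100   # from PKCS5_PBKDF2_HMAC_SHA1(pwd, strlen(pwd), real_salt, SHA_SALT_LEN, 100, ...)
DKLEN = 20         # assumption: 40 hex chars == 20 bytes, SHA-1's digest size


def parse_glftpd_hash(entry):
    """Split a glftpd '$<salt>$<hexhash>' entry into (salt, hexhash).

    Rejects entries whose hash part is not valid hex of the expected length.
    """
    if not entry.startswith("$"):
        raise ValueError("expected a leading '$'")
    _, salt, hexhash = entry.split("$", 2)
    if len(hexhash) != DKLEN * 2:
        raise ValueError("hash must be %d hex chars, got %d" % (DKLEN * 2, len(hexhash)))
    bytes.fromhex(hexhash)  # raises ValueError on non-hex input
    return salt, hexhash


def derive(password, salt, iterations=ITERATIONS, dklen=DKLEN):
    """PBKDF2-HMAC-SHA1 of the password under the salt, returned as lowercase hex.

    Assumption: the salt is used as its ASCII characters, i.e. the text that
    sits between the two '$' signs, prepended to the password as a PBKDF2 salt.
    """
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             salt.encode("ascii"), iterations, dklen)
    return dk.hex()


def make_entry(password, salt):
    """Build a '$salt$hash' entry the way the glftpd passwd stores it."""
    return "$%s$%s" % (salt, derive(password, salt))


def verify(password, entry):
    """Constant-time check of a password against a stored entry."""
    salt, hexhash = parse_glftpd_hash(entry)
    return hmac.compare_digest(derive(password, salt), hexhash)


def key_length_matches(entry, configured_len_bytes):
    """True if the stored hash has as many bytes as the configured derived-key length."""
    _, hexhash = parse_glftpd_hash(entry)
    return len(bytes.fromhex(hexhash)) == configured_len_bytes


if __name__ == "__main__":
    # Constructed sample: the salt is the one shown in the question, the
    # password is invented, so the resulting hash is not the page's real hash.
    sample = make_entry("constructed-password", "7e8ab0c7")
    print(sample, verify("constructed-password", sample))
    print("len 40 matches:", key_length_matches(sample, 40))
    print("len 20 matches:", key_length_matches(sample, 20))
```

The stored value from the question, `$7e8ab0c7$bf044082ab83875eeb3a2158cd6253f8e88f40cf`, parses into an 8-character salt and a 20-byte hash; under the assumptions above it can only be reproduced by a 20-byte derivation, so a mismatch in that parameter shows up as a guaranteed login failure regardless of the password.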
Mathéo Tichy
Asked: 2020-03-09 08:29:46 +0800 CST

Restricting the documentroot over SFTP using SSHD

  • 0

I am using proFTPD on debian 8. For some reasons I need users that can only access their documentroot. I have configured it and it works, but only when I connect over FTP.

If the user connects over SFTP, he is able to access the whole FTP.

What can I do?

Edit:

I found how to fix my problem.

1) I stopped proFTD because it was causing problems. I switched to the default SSH server on my debian server

2) All folders are owned by root:root with 755 permissions. In my case these are /, /var, /var/www, and /var/www/dev

3) SSHD is configured as:

Subsystem sftp internal-sftp
Match Group dev
    ChrootDirectory /var/www/dev
    ForceCommand internal-sftp
    AllowTcpForwarding no

ftp sftp proftpd documentroot
  • 2 answers
  • 260 Views
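Step 2 of the fix above is the part that silently breaks most `ChrootDirectory` setups: sshd refuses the chroot unless the directory and every one of its parent directories is owned by root and is not writable by group or others. The script below is an added example (not from the question or from OpenSSH) that walks the path components and reports each violation, using the same ownership and mode rules the poster applied. The `stat_fn` parameter lets the check run against a constructed fake filesystem for demonstration; against a real host, call `check_chroot_path("/var/www/dev")` and it uses `os.stat`.

```python
import os
import stat
from collections import namedtuple

# Stand-in carrying only the os.stat_result fields the check reads.
FakeStat = namedtuple("FakeStat", "st_uid st_gid st_mode")


def path_components(path):
    """'/var/www/dev' -> ['/', '/var', '/var/www', '/var/www/dev']"""
    path = os.path.normpath(path)
    parts = ["/"]
    current = ""
    for piece in path.strip("/").split("/"):
        if piece:
            current += "/" + piece
            parts.append(current)
    return parts


def check_chroot_path(path, stat_fn=os.stat):
    """Return a list of problems that would make sshd reject ChrootDirectory <path>.

    Rules checked, per component from '/' down to the target:
      * owner must be uid 0 (root)
      * mode must not have the group-write or other-write bit set
    An empty list means the path satisfies both rules everywhere.
    """
    problems = []
    for component in path_components(path):
        st = stat_fn(component)
        if st.st_uid != 0:
            problems.append("%s: owned by uid %d, must be root" % (component, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s: mode %s is group/world writable"
                            % (component, oct(stat.S_IMODE(st.st_mode))))
    return problems


# Constructed fake filesystems (not real host data). GOOD_FS mirrors the
# poster's layout: every directory root:root 0755. BAD_FS makes /var/www
# owned by uid 33 and group-writable, a common state after `chown -R` for a
# web server user, which is exactly what sshd rejects.
GOOD_FS = {
    "/":            FakeStat(0, 0, stat.S_IFDIR | 0o755),
    "/var":         FakeStat(0, 0, stat.S_IFDIR | 0o755),
    "/var/www":     FakeStat(0, 0, stat.S_IFDIR | 0o755),
    "/var/www/dev": FakeStat(0, 0, stat.S_IFDIR | 0o755),
}
BAD_FS = dict(GOOD_FS)
BAD_FS["/var/www"] = FakeStat(33, 33, stat.S_IFDIR | 0o775)


def check_constructed(fs, path="/var/www/dev"):
    """Run the check against one of the constructed filesystems above."""
    return check_chroot_path(path, stat_fn=fs.__getitem__)


if __name__ == "__main__":
    print("good:", check_constructed(GOOD_FS))
    for problem in check_constructed(BAD_FS):
        print("bad: ", problem)
```

Running the check before restarting sshd turns the opaque "bad ownership or modes for chroot directory" failure into a list of the exact components to fix; the chrooted user's writable area belongs in a subdirectory below the chroot, not in the chroot directory itself.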
Sebastian Viereck
Asked: 2019-02-20 04:05:53 +0800 CST

Best practice for setting up proftp users and groups with mod_sql

  • 0

I am running proftp but am not sure how to configure users and groups correctly.

In my proftpd.conf I have configured:

# Set the user and group that the server runs as
User                proftp
Group               proftp

This affects the system user that the proftpd service runs as.

mod_sql has options for the same setting, which seems doubled to me:

# The SQLDefaultGID directive configures the default GID for users. 
# This value must be greater than any configured SQLMinUserGID. Default: 65533
SQLDefaultGID xxxx


# The SQLDefaultUID directive configures the default UID for users. 
# This value must be greater than any configured SQLMinUserUID. Default: 65533
SQLDefaultUID xxxx

There is also a proftpd service running as this user, as I can see with top.

Is there a best practice for how to set these values for the best security?

proftpd
  • 1 answer
  • 382 Views
Mike
Asked: 2019-01-17 18:49:51 +0800 CST

proftpd locks up after reaching a certain number of processes

  • 0

We have a proftpd server (1.3.3g) running on centos6 which, when it appears to exceed about 150 running processes, locks up and blocks any further connections.

The proftpd server connects to MYSQL to handle user authentication.

I have run the proftpd paranoid log and cannot see any failures, and have checked the secure log for any login failures without finding anything.

Monitoring shows no CPU/memory/disk/network spikes during the time it falls over; it just seems to lock up until the connections drop again. The machine should be able to handle well over 150 concurrent users (E3-1271v3, 32GB RAM).

PROFTPD CONFIG

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "PROHIBITED FTP ACCESS"
DeferWelcome                     off
#ServerType                      standalone

# Globbing
UseGlobbing off

TransferLog /var/log/ftpxferlog
UseReverseDNS off
IdentLookups off
UseFtpUsers off 
WtmpLog off
UseIPv6 off


# Restrict the range of ports from which the server will select when sent the
# PASV command from a client. Use IANA-registered ephemeral port range of
# 49152-65534
PassivePorts                    49152 65534

Port                            21
Umask                           022

TimeoutLogin                    120
TimeoutIdle                     300
TimeoutNoTransfer               300
TimeoutStalled                  300

# Default to show dot files in directory listings
ListOptions "-a +R" strict
# ListOptions "" maxdepth 3
# ListOptions "" maxdirs 10
ListOptions "" maxfiles 2000
AllowOverride off

# Set the user and group that the server normally runs as.
User                            www
Group                           www

# Set path locations
ScoreboardFile                  /var/run/proftpd.score
#DefaultRoot                    /data/filesroot/ftproot/pub
DefaultRoot                     /data/filesroot/ftproot

# Log formats
LogFormat                      default "%h %l %u %t \"%r\" %s %b"
#LogFormat                      anonymous "%h %l %u %t \"%r\" %s %b"
#LogFormat                      auth    "%v [%P] %h %t \"%r\" %s"
#LogFormat                      write   "%h %l %u %t \"%r\" %s %b"

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
<IfModule mod_dso.c>
   LoadModule mod_sql.c
   LoadModule mod_sql_mysql.c
   LoadModule mod_ifsession.c
</IfModule>

# Global settings
<Global>

        AuthOrder               mod_sql.c

        SQLEngine               on
        SQLAuthenticate         users groups
        SQLConnectInfo          xxx@xxx:3306 USERNAME PASSWORD
        SQLAuthTypes            Backend
        SQLUserInfo             ftpusers username passwd uid gid NULL NULL

        SQLDefaultHomedir       /data/filesroot/ftproot/

        RequireValidShell       off
        SQLGroupInfo            ftpgroups groupname gid members
        SQLDefaultGID           65533
        SQLDefaultUID           65533
        SQLMinID                350

        ServerIdent on "FTP Server ready."
        AllowOverwrite          yes
        IdentLookups            off
        DelayEngine             off

        # Logging
        # file/dir access
        #ExtendedLog            /var/log/proftpd/access.log WRITE,READ

        # Record all logins
        #ExtendedLog            /var/log/proftpd/auth.log AUTH

        # Paranoia logging level....
        #ExtendedLog            /var/log/proftpd/paranoid.log ALL
</Global>

<Limit LOGIN>
      Order allow, deny
      DenyAll
</Limit>

# Deny writing to the base server...
<Directory /data/filesroot/ftproot/pub/*>
    <Limit WRITE>
    DenyAll
    </Limit>
</Directory>

<Limit WRITE>
DenyAll
</Limit>

<Directory />
        HideNoAccess on
        <Limit WRITE>
        DenyAll
        </Limit>
</Directory>


<VirtualHost xxx.xxx.xxx.xxx>

        ServerAdmin             [email protected]
        ServerName              "FTP"

        DefaultRoot             /data/filesroot/ftproot
        SQLDefaultHomedir       /data/filesroot/ftproot/

        TransferLog             /data/logs/ftp/files/files.xferlog

        RequireValidShell       off
        AllowOverwrite          on
        AllowRetrieveRestart    on
        AllowStoreRestart       on
        MaxLoginAttempts        2
        MaxClients              2000 "Sorry, maximum users reached."
        MaxClientsPerUser       5
        MaxHostsPerUser         2

        # How quickly do we kick someone out?
        TimeoutLogin            45
        TimeoutIdle             15
        TimeoutNoTransfer       300

        # Port 21 is the standard FTP port.
        Port                    21

        # Umask 022 is a good standard umask to prevent new dirs and files
        # from being group and world writable.
        Umask                   022

        # Set the user and group that the server normally runs at.
        User                    www
        Group                   www

        # Set Anonymous access controls
        <Anonymous /data/filesroot/ftproot/pub>
                User                    www
                Group                   www
                UserAlias               anonymous www
                RequireValidShell       off
                MaxClients              1

                <Limit WRITE>
                DenyAll
                </Limit>
                # Don't write anonymous accesses to the system wtmp file (good idea!)
                WtmpLog      off
        </Anonymous>            

</VirtualHost>

150 concurrent connections seems very low for an FTP server. Any insight would be appreciated.

proftpd
  • 1 answer
  • 334 Views