From 5f05478c762642aed326c914976fc403fe2147b5 Mon Sep 17 00:00:00 2001 From: Michael Kaufmann Date: Mon, 24 Jul 2023 10:38:44 +0200 Subject: [PATCH] improve/update proftpd configuration template; fixes #1148 Signed-off-by: Michael Kaufmann --- lib/Froxlor/Cli/ConfigServices.php | 2 +- lib/configfiles/bionic.xml | 41 +++++++++++++++++++++++++----- lib/configfiles/bookworm.xml | 37 ++++++++++++++++++++++++--- lib/configfiles/bullseye.xml | 41 +++++++++++++++++++++++++----- lib/configfiles/buster.xml | 41 +++++++++++++++++++++++++----- lib/configfiles/focal.xml | 41 +++++++++++++++++++++++++----- lib/configfiles/gentoo.xml | 37 ++++++++++++++++++++++----- lib/configfiles/jammy.xml | 41 +++++++++++++++++++++++++----- 8 files changed, 241 insertions(+), 40 deletions(-) diff --git a/lib/Froxlor/Cli/ConfigServices.php b/lib/Froxlor/Cli/ConfigServices.php index 155c0afd..4fa1fcda 100644 --- a/lib/Froxlor/Cli/ConfigServices.php +++ b/lib/Froxlor/Cli/ConfigServices.php @@ -42,7 +42,7 @@ final class ConfigServices extends CliCommand { private $yes_to_all_supported = [ - /* 'bookworm', */ + 'bookworm', 'bionic', 'bullseye', 'buster', diff --git a/lib/configfiles/bionic.xml b/lib/configfiles/bionic.xml index 76ccc55c..f031ec18 100644 --- a/lib/configfiles/bionic.xml +++ b/lib/configfiles/bionic.xml @@ -1529,7 +1529,7 @@ user = password = dbname = hosts = -query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' +query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 ]]> @@ -3962,7 +3962,6 @@ ServerName " FTP Server" ServerType standalone DeferWelcome off -MultilineRFC2228 on DefaultServer on ShowSymlinks on 
@@ -4299,7 +4298,6 @@ SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimit SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies - ]]> @@ -4310,16 +4308,16 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6} TLSEngine on TLSLog /var/log/proftpd/tls.log -TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSProtocol TLSv1.2 TLSv1.3 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key -TLSOptions NoCertRequest NoSessionReuseRequired +TLSOptions NoSessionReuseRequired TLSVerifyClient off # Are clients required to use FTP over TLS when talking to this server? -#TLSRequired on +TLSRequired on # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotiations. Some clients do not support 
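Review bot: `TLSOptions NoSessionReuseRequired` is kept while `TLSRequired on` is newly enforced, yet the option relaxes mod_tls's check that data connections reuse the control-channel TLS session, which is the protection against a third party attaching its own data connection; the template should say why it stays, e.g. a comment above that line: `# NoSessionReuseRequired relaxes the data-channel session-reuse check for legacy clients; remove it once all clients support session reuse`. The same hunk appears in the bookworm, bullseye, buster, focal, gentoo and jammy templates. `TLSProtocol TLSv1.2 TLSv1.3` presumably requires a mod_tls build that knows the TLSv1.3 keyword; if the proftpd package shipped by bionic predates that, the generated config fails at startup, so it is worth confirming against the packaged version before the template is offered for that distribution. Flipping `#TLSRequired on` to `TLSRequired on` also rejects existing plain-FTP clients on regenerated configs, which deserves a changelog entry rather than only the commit message.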
@@ -4332,6 +4330,37 @@ TLSVerifyClient off ]]> + + +From 127.0.0.1 + + +MaxLoginAttempts 3 + + + BanEngine off + + + BanEngine on + +BanLog /var/log/proftpd/ban.log +BanTable /etc/proftpd/ban.tab +BanMessage "User %u was banned." +BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently" +BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 +BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 +BanControlsACLs all allow user root + + + +BanEngine off +DelayEngine off + + ]]> + + diff --git a/lib/configfiles/bookworm.xml b/lib/configfiles/bookworm.xml index fb4d0ab3..88f60b44 100644 --- a/lib/configfiles/bookworm.xml +++ b/lib/configfiles/bookworm.xml @@ -1488,7 +1488,7 @@ user = password = dbname = hosts = -query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' +query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 ]]> @@ -2950,7 +2950,7 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6} TLSEngine on TLSLog /var/log/proftpd/tls.log -TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSProtocol TLSv1.2 TLSv1.3 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt @@ -2959,7 +2959,7 @@ TLSOptions NoSessionReuseRequired TLSVerifyClient off # Are clients required to use FTP over TLS when talking to this server? -#TLSRequired on +TLSRequired on # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotiations. Some clients do not support 
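Review bot: The local exemption class lists only `From 127.0.0.1`, so a connection over the IPv6 loopback would not match it and would fall under the ban rules meant for remote clients; `From 127.0.0.1 ::1` covers both loopback addresses (the surrounding class and `IfClass` tags appear to have been lost on this page, so the exact structure is inferred). The same block is added in the bookworm, bullseye, buster, focal, gentoo and jammy templates. `BanOnEvent ClientConnectRate 5/00:00:02 12:00:00` turns five control connections within two seconds into a twelve-hour ban for the source address, which FTP clients that open several parallel sessions, or many users behind one NAT address, can trigger legitimately; a comment stating that the threshold is tunable, or a less severe duration, would help operators. The `99:99:99` duration on the `AnonRejectPasswords` rule reads as a placeholder for "indefinite", and a short comment saying so would avoid it being mistaken for a typo.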
@@ -2972,6 +2972,37 @@ TLSVerifyClient off ]]> + + +From 127.0.0.1 + + +MaxLoginAttempts 3 + + + BanEngine off + + + BanEngine on + +BanLog /var/log/proftpd/ban.log +BanTable /etc/proftpd/ban.tab +BanMessage "User %u was banned." +BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently" +BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 +BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 +BanControlsACLs all allow user root + + + +BanEngine off +DelayEngine off + + ]]> + + diff --git a/lib/configfiles/bullseye.xml b/lib/configfiles/bullseye.xml index 1b7d352d..0db23717 100644 --- a/lib/configfiles/bullseye.xml +++ b/lib/configfiles/bullseye.xml @@ -1488,7 +1488,7 @@ user = password = dbname = hosts = -query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' +query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 ]]> @@ -4172,7 +4172,6 @@ ServerName " FTP Server" ServerType standalone DeferWelcome off -MultilineRFC2228 on DefaultServer on ShowSymlinks on @@ -4511,7 +4510,6 @@ SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimit SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies - ]]> 
@@ -4522,16 +4520,16 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6} TLSEngine on TLSLog /var/log/proftpd/tls.log -TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSProtocol TLSv1.2 TLSv1.3 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key -TLSOptions NoCertRequest NoSessionReuseRequired +TLSOptions NoSessionReuseRequired TLSVerifyClient off # Are clients required to use FTP over TLS when talking to this server? -#TLSRequired on +TLSRequired on # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotiations. Some clients do not support @@ -4544,6 +4542,37 @@ TLSVerifyClient off ]]> + + +From 127.0.0.1 + + +MaxLoginAttempts 3 + + + BanEngine off + + + BanEngine on + +BanLog /var/log/proftpd/ban.log +BanTable /etc/proftpd/ban.tab +BanMessage "User %u was banned." +BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently" +BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 +BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 +BanControlsACLs all allow user root + + + +BanEngine off +DelayEngine off + + ]]> + + diff --git a/lib/configfiles/buster.xml b/lib/configfiles/buster.xml index 82d2f4b2..91a2f359 100644 --- a/lib/configfiles/buster.xml +++ b/lib/configfiles/buster.xml @@ -1488,7 +1488,7 @@ user = password = dbname = hosts = -query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' +query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 ]]> @@ -4165,7 +4165,6 @@ ServerName " FTP Server" ServerType standalone DeferWelcome off -MultilineRFC2228 on DefaultServer on ShowSymlinks on 
@@ -4502,7 +4501,6 @@ SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimit SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies - ]]> @@ -4513,16 +4511,16 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6} TLSEngine on TLSLog /var/log/proftpd/tls.log -TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSProtocol TLSv1.2 TLSv1.3 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key -TLSOptions NoCertRequest NoSessionReuseRequired +TLSOptions NoSessionReuseRequired TLSVerifyClient off # Are clients required to use FTP over TLS when talking to this server? -#TLSRequired on +TLSRequired on # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotiations. Some clients do not support 
@@ -4535,6 +4533,37 @@ TLSVerifyClient off ]]> + + +From 127.0.0.1 + + +MaxLoginAttempts 3 + + + BanEngine off + + + BanEngine on + +BanLog /var/log/proftpd/ban.log +BanTable /etc/proftpd/ban.tab +BanMessage "User %u was banned." +BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently" +BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 +BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 +BanControlsACLs all allow user root + + + +BanEngine off +DelayEngine off + + ]]> + + diff --git a/lib/configfiles/focal.xml b/lib/configfiles/focal.xml index 96563815..2707b002 100644 --- a/lib/configfiles/focal.xml +++ b/lib/configfiles/focal.xml @@ -1517,7 +1517,7 @@ user = password = dbname = hosts = -query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' +query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 ]]> @@ -3393,7 +3393,6 @@ ServerName " FTP Server" ServerType standalone DeferWelcome off -MultilineRFC2228 on DefaultServer on ShowSymlinks on @@ -3730,7 +3729,6 @@ SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimit SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies - ]]> 
@@ -3741,16 +3739,16 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6} TLSEngine on TLSLog /var/log/proftpd/tls.log -TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSProtocol TLSv1.2 TLSv1.3 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key -TLSOptions NoCertRequest NoSessionReuseRequired +TLSOptions NoSessionReuseRequired TLSVerifyClient off # Are clients required to use FTP over TLS when talking to this server? -#TLSRequired on +TLSRequired on # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotiations. Some clients do not support @@ -3763,6 +3761,37 @@ TLSVerifyClient off ]]> + + +From 127.0.0.1 + + +MaxLoginAttempts 3 + + + BanEngine off + + + BanEngine on + +BanLog /var/log/proftpd/ban.log +BanTable /etc/proftpd/ban.tab +BanMessage "User %u was banned." +BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently" +BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 +BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 +BanControlsACLs all allow user root + + + +BanEngine off +DelayEngine off + + ]]> + + diff --git a/lib/configfiles/gentoo.xml b/lib/configfiles/gentoo.xml index 697c8924..68d539e6 100644 --- a/lib/configfiles/gentoo.xml +++ b/lib/configfiles/gentoo.xml @@ -1,6 +1,6 @@ - @@ -1473,7 +1473,7 @@ user = password = dbname = hosts = -query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' +query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 ]]> @@ -3421,7 +3421,6 @@ MaxInstances 50 # General settings DeferWelcome on -MultilineRFC2228 on ShowSymlinks on AllowOverwrite on AllowStoreRestart on 
@@ -3487,10 +3486,10 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6} TLSEngine on TLSLog /var/log/proftpd-tls.log -TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSProtocol TLSv1.2 TLSv1.3 #TLSTimeoutHandshake 120 # Really important for WinClients and some clients -TLSOptions NoCertRequest NoSessionReuseRequired +TLSOptions NoSessionReuseRequired TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt @@ -3499,7 +3498,7 @@ TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key # Authenticate client that want to use FTP over TLS? TLSVerifyClient off # Uncomment the following line to force tls login -#TLSRequired on +TLSRequired on # LOG settings @@ -3517,6 +3516,32 @@ ExtendedLog /var/log/proftpd-access.log WRITE,READ write # make proftpd faster / do not perform ident and reverse dns lookup UseReverseDNS off + + +From 127.0.0.1 + + +MaxLoginAttempts 3 + + + BanEngine off + + + BanEngine on + +BanLog /var/log/proftpd-ban.log +BanTable /etc/proftpd/ban.tab +BanMessage "User %u was banned." +BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently" +BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 +BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 +BanControlsACLs all allow user root + + + +BanEngine off +DelayEngine off + ]]> diff --git a/lib/configfiles/jammy.xml b/lib/configfiles/jammy.xml index 1ffcf68b..ab44b42d 100644 --- a/lib/configfiles/jammy.xml +++ b/lib/configfiles/jammy.xml @@ -1517,7 +1517,7 @@ user = password = dbname = hosts = -query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' +query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 ]]> @@ -3385,7 +3385,6 @@ ServerName " FTP Server" ServerType standalone DeferWelcome off -MultilineRFC2228 on DefaultServer on ShowSymlinks on 
@@ -3722,7 +3721,6 @@ SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimit SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies - ]]> @@ -3733,16 +3731,16 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6} TLSEngine on TLSLog /var/log/proftpd/tls.log -TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSProtocol TLSv1.2 TLSv1.3 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key -TLSOptions NoCertRequest NoSessionReuseRequired +TLSOptions NoSessionReuseRequired TLSVerifyClient off # Are clients required to use FTP over TLS when talking to this server? -#TLSRequired on +TLSRequired on # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotiations. Some clients do not support 
@@ -3755,6 +3753,37 @@ TLSVerifyClient off ]]> + + +From 127.0.0.1 + + +MaxLoginAttempts 3 + + + BanEngine off + + + BanEngine on + +BanLog /var/log/proftpd/ban.log +BanTable /etc/proftpd/ban.tab +BanMessage "User %u was banned." +BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently" +BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 +BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 +BanControlsACLs all allow user root + + + +BanEngine off +DelayEngine off + + ]]> + +