improve/update proftpd configuration template; fixes #1148

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2023-07-24 10:38:44 +02:00
parent 6616bd9a38
commit 5f05478c76
8 changed files with 241 additions and 40 deletions
--- a/lib/configfiles/bookworm.xml
+++ b/lib/configfiles/bookworm.xml
@@ -1488,7 +1488,7 @@ user = <SQL_UNPRIVILEGED_USER>
 password = <SQL_UNPRIVILEGED_PASSWORD>
 dbname = <SQL_DB>
 hosts = <SQL_HOST>
-query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1'
+query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0
 ]]>
 							</content>
 						</file>
@@ -2950,7 +2950,7 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}
 <IfModule mod_tls.c>
 TLSEngine                               on
 TLSLog                                  /var/log/proftpd/tls.log
-TLSProtocol                             TLSv1 TLSv1.1 TLSv1.2
+TLSProtocol                             TLSv1.2 TLSv1.3
 TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
 TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
 TLSECCertificateFile                    /etc/ssl/certs/proftpd_ec.crt
@@ -2959,7 +2959,7 @@ TLSOptions                              NoSessionReuseRequired
 TLSVerifyClient                         off

 # Are clients required to use FTP over TLS when talking to this server?
-#TLSRequired                             on
+TLSRequired                             on

 # Allow SSL/TLS renegotiations when the client requests them, but
 # do not force the renegotiations.  Some clients do not support
@@ -2972,6 +2972,37 @@ TLSVerifyClient                         off
 ]]>
 						</content>
 					</file>
+					<file name="/etc/proftpd/conf.d/99-froxlor-ratelimit.conf" chown="root:0"
+						  chmod="0644">
+						<content><![CDATA[
+<Class whitelist>
+From 127.0.0.1
+</Class>
+
+MaxLoginAttempts 3
+<IfModule mod_ban.c>
+ <IfClass whitelist>
+  BanEngine off
+ </IfClass>
+ <IfClass !whitelist>
+  BanEngine on
+ </IfClass>
+BanLog /var/log/proftpd/ban.log
+BanTable /etc/proftpd/ban.tab
+BanMessage "User %u was banned."
+BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently"
+BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00
+BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99
+BanControlsACLs all allow user root
+</IfModule>
+
+<IfClass whitelist>
+BanEngine off
+DelayEngine off
+</IfClass>
+					]]>
+						</content>
+					</file>
 					<command><![CDATA[service proftpd restart]]></command>
 				</daemon>
 				<!-- Pureftpd -->