proftpd problem auf lenny 64bit - fulltilt - 07-07-2009 01:06 AM
Habe hier Probleme auf einem System lenny 64bit / ispcp stable ...
Per Filezilla dauert der Login nun etwas lange ...
Woran kann das liegen?
Code:
Jul 6 17:03:48 host1 proftpd: pam_unix(proftpd:auth): check pass; user unknown
Jul 6 17:03:48 host1 proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=ftp@domain.tld rhost=xx.xxx.xx.x
ist auch eine seltsame Fehlermeldung, der Login funktioniert ja - allerdings dauert es ....
Gruss
RE: proftpd problem auf lenny 64bit - Top44 - 07-07-2009 01:44 AM
Ich glaube es liegt daran das die auth sowohl lokal als auch in der db durchgeführt wird, was eigendlich nicht sein darf. Das habe ich in nem anderen Beitrag schonmal geschrieben.
Versuche mal folgendes :
in der proftpd.conf suchen und ändern :
Quote:SQLAuthenticate on
zu
Quote:SQLAuthenticate users*
damit sollte er nur über die DB authen ....
Grüße
RE: proftpd problem auf lenny 64bit - fulltilt - 07-07-2009 02:45 AM
Quote:SQLAuthenticate users*
Danke erstmal
Habe es versucht, jedoch bringt es bei mir keinen grossen Unterschied ...
ist so ne Verzögerung von 5-10 sec. gegenüber einem Etch System ... und dann diese seltsame Fehlermeldung.
Gruss
RE: proftpd problem auf lenny 64bit - Top44 - 07-07-2009 02:58 AM
Dann versuch nochmal dies:
Quote:SQLAuthenticate users* groups*
Grüße
RE: proftpd problem auf lenny 64bit - BeNe - 07-07-2009 02:59 AM
Es sollte eigentlich ein AuthOrder in der Config stehen --> http://www.isp-control.net/ispcp/browser/trunk/configs/debian/proftpd/proftpd1.3.conf.lenny#L110
Er versucht zuerst gegen PAM zu testen - das kostet Zeit und macht keine sinn. Nicht nötige Module am besten auch deaktiviern in der modules.conf.
Greez BeNe
RE: proftpd problem auf lenny 64bit - Top44 - 07-07-2009 03:09 AM
Hmm, hab ich mir auch gedacht, aber ich habe mod_auth_file nicht gefunden, das dürfte ja f+r die pam auth erforderlich sein.
Aber Trotzdem ist die SQLAuthentication Direktive von ISPCP in der proftpd falsch.
"SQLAuthentication on" - Erst PAM dann MySQL, egal was als AuthOrder steht.
"SQLAuthentication users* groups*" Nur MySQL.
So habe ich es zumindest gelesen und verstanden.
grüße
RE: proftpd problem auf lenny 64bit - fulltilt - 07-07-2009 09:20 PM
Hier sind die confs:
module:
Code:
# unused module here, in alternative.
#
# Install proftpd-mod-mysql to use this
#LoadModule mod_sql_mysql.c
# Install proftpd-mod-pgsql to use this
#LoadModule mod_sql_postgres.c
LoadModule mod_radius.c
LoadModule mod_quotatab.c
LoadModule mod_quotatab_file.c
# Install proftpd-mod-ldap to use this
#LoadModule mod_quotatab_ldap.c
# Install proftpd-mod-pgsql or proftpd-mod-mysql to use this
#LoadModule mod_quotatab_sql.c
LoadModule mod_quotatab_radius.c
LoadModule mod_wrap.c
LoadModule mod_rewrite.c
LoadModule mod_load.c
LoadModule mod_ban.c
LoadModule mod_wrap2.c
LoadModule mod_wrap2_file.c
# Install proftpd-mod-pgsql or proftpd-mod-mysql to use this
#LoadModule mod_wrap2_sql.c
LoadModule mod_dynmasq.c
# keep this module the last one
LoadModule mod_ifsession.c
proftpd:
Code:
# Includes DSO modules (this is mandatory in proftpd 1.3)
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off
ServerName "hostx.domain.tld"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
UseReverseDNS off
IdentLookups off
AllowStoreRestart on
AllowForeignAddress on
LogFormat traff "%b %u"
TimeoutLogin 120
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir message
ListOptions "-l"
#LsDefaultOptions "-l"
DenyFilter \*.*/
DefaultRoot ~
IdentLookups off
ServerIdent off
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
#PassivePorts 49152 65534
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory /*>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
HideNoAccess on
</Directory>
<Limit ALL>
IgnoreHidden on
</Limit>
# Be warned: use of this directive impacts CPU average load!
#
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
# UseSendFile off
<Global>
RootLogin off
TransferLog /var/log/proftpd/xferlog
ExtendedLog /var/log/proftpd/ftp_traff.log read,write traff
PathDenyFilter "\.quota$"
</Global>
# Loading required modules
<IfModule !mod_sql.c>
LoadModule mod_sql.c
</IfModule>
<IfModule !mod_sql_mysql.c>
LoadModule mod_sql_mysql.c
</IfModule>
<IfModule !mod_quotatab.c>
LoadModule mod_quotatab.c
</IfModule>
<IfModule !mod_quotatab_sql.c>
LoadModule mod_quotatab_sql.c
</IfModule>
#
# SSL via TLS
#
#<IfModule mod_tls.c>
# TLSEngine off # on for use of TLS
# TLSLog /var/log/proftpd/ftp_ssl.log # where to log to
# TLSProtocol SSLv23 # SSLv23 or TLSv1
# TLSOptions NoCertRequest # either to request the certificate or not
# TLSRSACertificateFile /etc/proftpd/ssl.crt # SSL certfile
# TLSRSACertificateKeyFile /etc/proftpd/ssl.key # SSL keyfile
# TLSVerifyClient off # client verification
#</IfModule>
#
# ISPCP Quota management;
#
<IfModule mod_quotatab.c>
QuotaEngine on
QuotaShowQuotas on
QuotaDisplayUnits Mb
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM quotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" quotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" quotatallies
QuotaLock /var/run/proftpd/tally.lock
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
</IfModule>
<IfModule mod_ratio.c>
Ratios on
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>
# ispCP SQL Managment
SQLBackend mysql
SQLAuthTypes Crypt
SQLAuthenticate on
SQLConnectInfo ispcp@localhost vftp xxxxxxxxxxxxxxx
SQLUserInfo ftp_users userid passwd uid gid homedir shell
SQLGroupInfo ftp_group groupname gid members
SQLMinUserUID 2000
SQLMinUserGID 2000
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
Include /etc/proftpd/ispcp/*
RE: proftpd problem auf lenny 64bit - fulltilt - 07-08-2009 02:38 AM
hm - noch ein Problem ... der Login über den Filemanager geht nicht
RE: proftpd problem auf lenny 64bit - Top44 - 07-08-2009 03:07 AM
Ich würde mal sagen du hast ganz andere probleme.... mal die Logs durchgeschaut obs iwas mitm apache oder php is ??
grüße
RE: proftpd problem auf lenny 64bit - fulltilt - 07-08-2009 03:25 AM
(07-08-2009 03:07 AM)Top44 Wrote: Ich würde mal sagen du hast ganz andere probleme.... mal die Logs durchgeschaut obs iwas mitm apache oder php is ??
sorry - Filemanager Login geht - ich musste allerdings 30 sec warten bis ich eingeloggt war ...
Was kann das noch sein das es sich mit der Auth so sehr verzögert?
Gruss
|