Hello Jean-Fransoué,
I'd advise you to go up a notch and stop using FTP directly; here is the tutorial that will let you improve security: https://www.digitalocean.com/community/tutorials/how-to-configure-proftpd-to-use-sftp-instead-of-ftp
and, to help the pill go down: https://www.youtube.com/watch?v=44FWZ03kWog
Sorry, but that is the only solution I can see.
Good luck with the rest
Best regards
Bernard

----- Original Message -----
> From: "Jean-François Bachelet" <jfbache...@free.fr>
> To: debian-user-french@lists.debian.org
> Sent: Sunday 22 August 2021 17:20:42
> Subject: multiple problems with proftpd since the bullseye upgrade on the server :-(
>
> Hello folks ^^)
>
>
> well, going from buster to bullseye on the server is not happening without problems :(
>
>
> first off, my proftpd would not update: solved by uninstalling all of proftpd (nothing referring to it left on the server) and then installing proftpd-basic, which pulls in the dependencies correctly.
>
> one problem less;
>
> then restored the new configs and rebooted the server;
>
> tried an ftps connection with filezilla, as it worked under buster: nope! 'you have previously connected to this server using ftp over tls but this server does not support ftp over tls'! that's a bit rich!
>
>
> so what's the problem now???
>
>
> here are the configs:
>
>
> proftpd.conf:
>
> #
> # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
> # To really apply changes, reload proftpd after modifications, if
> # it runs in daemon mode. It is not required in inetd/xinetd mode.
> #
>
> # Includes DSO modules
> Include /etc/proftpd/modules.conf
>
> # Set off to disable IPv6 support which is annoying on IPv4 only boxes.
> UseIPv6 on
> # If set on you can experience a longer connection delay in many cases.
> <IfModule mod_ident.c>
> IdentLookups off
> </IfModule>
>
> ServerName "ftp3.myownfqdn"
> # Set to inetd only if you would run proftpd by inetd/xinetd/socket.
> # Read README.Debian for more information on proper configuration.
> ServerType standalone
> DeferWelcome off
>
> # Disable MultilineRFC2228 per https://github.com/proftpd/proftpd/issues/1085
> # MultilineRFC2228 on
> DefaultServer on
> ShowSymlinks on
>
> TimeoutNoTransfer 600
> TimeoutStalled 600
> TimeoutIdle 1200
>
> DisplayLogin welcome.msg
> DisplayChdir .message true
> ListOptions "-l"
>
> DenyFilter \*.*/
>
> # Use this to jail all users in their homes
> DefaultRoot ~
>
> # Users require a valid shell listed in /etc/shells to login.
> # Use this directive to release that constrain.
> # RequireValidShell off
>
> # Port 21 is the standard FTP port.
> Port 21
>
> # In some cases you have to specify passive ports range to by-pass
> # firewall limitations. Ephemeral ports can be used for that, but
> # feel free to use a more narrow range.
> PassivePorts 49152 49252
>
> # If your host was NATted, this option is useful in order to
> # allow passive tranfers to work. You have to use your public
> # address and opening the passive ports used on your firewall as well.
> # MasqueradeAddress 1.2.3.4
>
> # This is useful for masquerading address with dynamic IPs:
> # refresh any configured MasqueradeAddress directives every 8 hours
> <IfModule mod_dynmasq.c>
> # DynMasqRefresh 28800
> </IfModule>
>
> # To prevent DoS attacks, set the maximum number of child processes
> # to 30. If you need to allow more than 30 concurrent connections
> # at once, simply increase this value. Note that this ONLY works
> # in standalone mode, in inetd mode you should use an inetd server
> # that allows you to limit maximum number of processes per service
> # (such as xinetd)
> MaxInstances 30
>
> # Set the user and group that the server normally runs at.
> User proftpd
> Group nogroup
>
> # Umask 022 is a good standard umask to prevent new files and dirs
> # (second parm) from being group and world writable.
> Umask 022 022
> # Normally, we want files to be overwriteable.
> AllowOverwrite on
>
> # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
> # PersistentPasswd off
>
> # This is required to use both PAM-based authentication and local passwords
> # AuthOrder mod_auth_pam.c* mod_auth_unix.c
>
> # Be warned: use of this directive impacts CPU average load!
> # Uncomment this if you like to see progress and transfer rate with ftpwho
> # in downloads. That is not needed for uploads rates.
> #
> # UseSendFile off
>
> TransferLog /var/log/proftpd/xferlog
> SystemLog /var/log/proftpd/proftpd.log
>
> # Logging onto /var/log/lastlog is enabled but set to off by default
> #UseLastlog on
>
> # In order to keep log file dates consistent after chroot, use timezone info
> # from /etc/localtime. If this is not set, and proftpd is configured to
> # chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
> # savings timezone regardless of whether DST is in effect.
> SetEnv TZ :/etc/localtime
>
> <IfModule mod_quotatab.c>
> QuotaEngine off
> </IfModule>
>
> <IfModule mod_ratio.c>
> Ratios off
> </IfModule>
>
>
> # Delay engine reduces impact of the so-called Timing Attack described in
> # http://www.securityfocus.com/bid/11430/discuss
> # It is on by default.
> <IfModule mod_delay.c>
> DelayEngine on
> </IfModule>
>
> <IfModule mod_ctrls.c>
> ControlsEngine off
> ControlsMaxClients 2
> ControlsLog /var/log/proftpd/controls.log
> ControlsInterval 5
> ControlsSocket /var/run/proftpd/proftpd.sock
> </IfModule>
>
> <IfModule mod_ctrls_admin.c>
> AdminControlsEngine off
> </IfModule>
>
> #
> # Alternative authentication frameworks
> #
> #Include /etc/proftpd/ldap.conf
> #Include /etc/proftpd/sql.conf
>
> #
> # This is used for FTPS connections
> #
> Include /etc/proftpd/tls.conf
>
> #
> # This is used for SFTP connections
> #
> #Include /etc/proftpd/sftp.conf
>
> #
> # This is used for other add-on modules
> #
> #Include /etc/proftpd/dnsbl.conf
> #Include /etc/proftpd/geoip.conf
> #Include /etc/proftpd/snmp.conf
>
> #
> # Useful to keep VirtualHost/VirtualRoot directives separated
> #
> #Include /etc/proftpd/virtuals.conf
>
> # A basic anonymous configuration, no upload directories.
>
> # <Anonymous ~ftp>
> #   User ftp
> #   Group nogroup
> #   # We want clients to be able to login with "anonymous" as well as "ftp"
> #   UserAlias anonymous ftp
> #   # Cosmetic changes, all files belongs to ftp user
> #   DirFakeUser on ftp
> #   DirFakeGroup on ftp
> #
> #   RequireValidShell off
> #
> #   # Limit the maximum number of anonymous logins
> #   MaxClients 10
> #
> #   # We want 'welcome.msg' displayed at login, and '.message' displayed
> #   # in each newly chdired directory.
> #   DisplayLogin welcome.msg
> #   DisplayChdir .message
> #
> #   # Limit WRITE everywhere in the anonymous chroot
> #   <Directory *>
> #     <Limit WRITE>
> #       DenyAll
> #     </Limit>
> #   </Directory>
> #
> #   # Uncomment this if you're brave.
> #   # <Directory incoming>
> #   #   # Umask 022 is a good standard umask to prevent new files and dirs
> #   #   # (second parm) from being group and world writable.
> #   #   Umask 022 022
> #   #   <Limit READ WRITE>
> #   #     DenyAll
> #   #   </Limit>
> #   #   <Limit STOR>
> #   #     AllowAll
> #   #   </Limit>
> #   # </Directory>
> #
> # </Anonymous>
>
> # Include other custom configuration files
> # !! Please note, that this statement will read /all/ file from this subdir,
> # i.e. backup files created by your editor, too !!!
> # Eventually create file patterns like this: /etc/proftpd/conf.d/*.conf
> #
> Include /etc/proftpd/conf.d/
>
> # Allow Tranfer Resume
> AllowStoreRestart on
> AllowRetrieveRestart on
>
> <Global>
> DefaultRoot ~
> RootLogin off
> UseFtpUsers on
> </Global>
>
>
> and tls.conf:
>
> #
> # Proftpd sample configuration for FTPS connections.
> #
> # Note that FTPS impose some limitations in NAT traversing.
> # See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
> # for more information.
> #
>
> <IfModule mod_tls.c>
> TLSEngine on
> TLSLog /var/log/proftpd/tls.log
> TLSProtocol TLSv1.2
> #
> # Server SSL certificate. You can generate a self-signed certificate using
> # a command like:
> #
> # openssl req -x509 -newkey rsa:1024 \
> #          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
> #          -nodes -days 365
> #
> # The proftpd.key file must be readable by root only. The other file can be
> # readable by anyone.
> #
> # chmod 0600 /etc/ssl/private/proftpd.key
> # chmod 0640 /etc/ssl/private/proftpd.key
> #
> TLSRSACertificateFile /etc/ssl/proftpd/proftpd.crt
> TLSRSACertificateKeyFile /etc/ssl/proftpd/private/proftpd.key
> #
> # CA the server trusts...
> #TLSCACertificateFile /etc/ssl/certs/CA.pem
> # ...or avoid CA cert and be verbose
> #TLSOptions NoCertRequest EnableDiags
> # ... or the same with relaxed session use for some clients (e.g. FireFtp)
> TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
> #
> #
> # Per default drop connection if client tries to start a renegotiate
> # This is a fix for CVE-2009-3555 but could break some clients.
> #
> #TLSOptions AllowClientRenegotiations
> #
> # Authenticate clients that want to use FTP over TLS?
> #
> #TLSVerifyClient off
> #
> # Are clients required to use FTP over TLS when talking to this server?
> #
> TLSRequired on
> #
> # Allow SSL/TLS renegotiations when the client requests them, but
> # do not force the renegotations. Some clients do not support
> # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
> # clients will close the data connection, or there will be a timeout
> # on an idle data connection.
> #
> TLSRenegotiate required off
> </IfModule>
>
>
> with these configs, ftp over tls worked perfectly under buster and not at all under bullseye...
>
> the ssl keys are in their place, so what is wrong here?
>
>
> grrr!
>
> Jeff
>
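A diagnostic to go with the FileZilla message quoted above ("this server does not support FTP over TLS"). This is an added example for this thread, not code from either mail, from Debian or from ProFTPD. FileZilla shows that message when the server's reply to AUTH TLS on the control channel is not the 234 that starts the handshake, so the useful first question is what the server actually answers to FEAT and AUTH TLS, before looking at certificates and keys at all. The probe below asks exactly that and stops before any TLS handshake or login. The stub server it talks to is constructed here so the example runs offline; its banner, feature list and "500 AUTH not understood" reply are assumptions modelled on ProFTPD's style, not captured from the poster's server.

```python
"""Probe whether an FTP server accepts explicit FTP-over-TLS (AUTH TLS).

Added example for this thread; not part of the original mails or of ProFTPD.
A 500 to AUTH TLS with no "AUTH TLS" in FEAT means the control channel has
no TLS at all (typically mod_tls not loaded or tls.conf not included); a 234
means TLS is offered and any remaining failure is in the handshake itself.
"""
import socket
import threading


def read_reply(rfile):
    """Read one FTP reply (single- or multi-line, RFC 959) as (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the control connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        # The final line of a reply is "NNN<space>text"; "NNN-text" continues.
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return int(line[:3]), lines


def probe_auth_tls(host, port=21, timeout=5.0):
    """Report what the server says to FEAT and AUTH TLS, without logging in."""
    result = {"banner": None, "feat_advertises_tls": False,
              "auth_tls_code": None, "auth_tls_reply": None, "tls_accepted": False}
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as rfile:
        code, lines = read_reply(rfile)
        result["banner"] = lines[0]
        if code != 220:
            raise ConnectionError(f"unexpected greeting: {lines[0]}")
        sock.sendall(b"FEAT\r\n")
        code, lines = read_reply(rfile)
        # A 211 feature list that contains "AUTH TLS" means a TLS module answers.
        result["feat_advertises_tls"] = code == 211 and any(
            l.strip().upper().startswith("AUTH") and "TLS" in l.upper() for l in lines)
        sock.sendall(b"AUTH TLS\r\n")
        code, lines = read_reply(rfile)
        result["auth_tls_code"] = code
        result["auth_tls_reply"] = lines[0]
        result["tls_accepted"] = code == 234
        if code != 234:
            # Channel is still plaintext, so a clean QUIT is possible.
            sock.sendall(b"QUIT\r\n")
            read_reply(rfile)
        # After a 234 the server expects a TLS ClientHello; we just close.
    return result


def start_stub_server(advertise_tls, accept_auth_tls):
    """Constructed stand-in for an FTP control channel, for offline use only.

    advertise_tls=False, accept_auth_tls=False mimics a server with no TLS
    module: AUTH is an unknown command and gets a 500 (assumed wording).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 ProFTPD Server (stub) [127.0.0.1]\r\n")
            while True:
                raw = rfile.readline()
                if not raw:
                    break
                cmd = raw.decode("latin-1").strip().upper()
                if cmd == "FEAT":
                    feats = ["211-Features:", " EPSV", " PASV", " UTF8"]
                    if advertise_tls:
                        feats += [" AUTH TLS", " PBSZ", " PROT"]
                    feats.append("211 End")
                    conn.sendall(("\r\n".join(feats) + "\r\n").encode("ascii"))
                elif cmd == "AUTH TLS" and accept_auth_tls:
                    conn.sendall(b"234 AUTH TLS successful\r\n")
                    break  # a real server would now run the TLS handshake
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    verb = (cmd.split() or ["?"])[0]
                    conn.sendall(f"500 {verb} not understood\r\n".encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for advertise, accept in ((False, False), (True, True)):
        print(probe_auth_tls("127.0.0.1", start_stub_server(advertise, accept)))
```

Run it against the real host with `probe_auth_tls("ftp3.myownfqdn")`. If the answer is a 500 and FEAT lists no AUTH TLS, the fault is in front of the certificate: check that modules.conf loads mod_tls, that tls.conf is really included, and run `proftpd -t` to see whether the daemon rejects the configuration at parse time. If the answer is 234, the problem is inside the handshake instead, and `openssl s_client -starttls ftp -connect ftp3.myownfqdn:21` together with the TLSLog path set in tls.conf (/var/log/proftpd/tls.log) will show which side aborts and why.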