Page 3 of 3 FirstFirst 123
Results 41 to 56 of 56

Thread: TLS v1.0 deadline by pci!

  1. #41
    Join Date
    Apr 2009
    Posts
    2,209
    Quote Originally Posted by wattie View Post
    The following config will give you "C" score for ProFTPd:...
    Did you see this changelog entry?: https://directadmin.com/features.php?id=2226 - however it would be needed to do ./build proftpd - also I don't know what score it would give, but it should be better than before.

  2. #42
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    389
    Because of a problem with UTF-8 "facebook icons" I installed
    pureftp

    https://help.directadmin.com/item.php?id=540

    There you also see the SSL settings.

    For pureftp I also did
    openssl dhparam -out /etc/pure-ftpd-dhparams.pem 3072
    in the .conf
    TLS 2
    TLSCipherSuite High:MEDIUM:+TLSv1.1:!SSLv2!SSLv3!ADH!aNULL
    EDIT: these anonymous cipher suites are gone now with the setting above; I didn't know which one, therefore I used both.

    Was not enough; don't know how to switch these off??
    This one, ltd scan on FTP port 21:

    Support for anonymous cipher suites
    Trigger This service supports 4 anonymous cipher suites.
    Context

    Each cipher suite describes how server authentication is done. Anonymous cipher suites tell the client not to authenticate the server. They should thus not be used unless server authentication is not required, as is usually the case for SMTP servers.
    And for port 22, where can the Diffie-Hellman group size be set to 3072?
    For security, a 2048-bit group is reasonable although ECRYPT recommends a group size of at least 3072
    PORT 22 ALSO: EDIT: you have to set these in the sshd config
    Support for Blowfish cipher
    Trigger The server supports the Blowfish cipher.
    Context

    Blowfish is a block cipher with a 64-bit block size.

    In SSH, Blowfish is used with 128-bit keys. However, its 64-bit block size can be insufficient for some applications, for example because of birthday attacks (sweet32.info). There are also some cryptanalytic results on reduced-round versions (though no practical attacks). There seems to be no advantage to using it over more secure and more widely supported ciphers.
    And:
    Support for CAST-128 cipher
    Trigger The server supports the CAST-128 cipher.
    Context

    In SSH, CAST-128 is used with 128-bit keys. However, it has a 64-bit block size, which can be insufficient for some applications, for example because of birthday attacks (sweet32.info). There seems to be no advantage to using it over more secure and more widely supported ciphers.
    Last edited by ikkeben; 12-28-2018 at 03:10 AM.
    DUTCH GERMAN, GERMAN DUTCH

  3. #43
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,611
    The link is a bit confusing to me.
    It says since January 2018 we got the /etc/pure-ftpd.conf and changes can be made in there.

    Do we still need to recompile for utf8 support?

    Next to that I tried making changes in there earlier this year, but they were not taken over. My guess is because normally pure-ftpd.conf is stated in the boot script, otherwise the conf will be ignored.
    Greetings, Richard.

  4. #44
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    389
    Quote Originally Posted by Richard G View Post
    The link is a bit confusing to me.
    It says since january 2018 we got the /etc/pure-ftpd.conf and changes can be made in there.

    Do we still need to recompile for utf8 support?

    Next to that I tried making changes in there earlier this year, but they were not taken over. My guess is because normally pure-ftpd.conf is stated in the boot script, otherwise the conf will be ignored.
    Same problem here, tried ./build .... failed restart while
    OPTIONS="${OPTIONS} --fscharset=utf-8 --clientcharset=utf-8"
    Is not for in the .conf file I think??
    DUTCH GERMAN, GERMAN DUTCH

  5. #45
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,611
    No the .conf file is just a configuration file.

    I just had a look in the .conf file and it looks like this:
    Code:
    # UTF-8 support for file names (RFC 2640)
    # Set the charset of the server filesystem and optionally the default charset
    # for remote clients that don't use UTF-8.
    # Works only if pure-ftpd has been compiled with --with-rfc2640
    
    # FileSystemCharset                big5
    # ClientCharset                    big5
    So I guess you have to remove the # characters, change big5 to utf-8, save and then restart pure-ftpd.

    The options line is only for in the boot script.

    Recompiling is done with the custom script by adding the
    --with-rfc2640
    line, so also not with the Options line.
    Greetings, Richard.
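The two pure-ftpd.conf questions in this page of the thread (the TLS and cipher settings from post #42, and the commented-out charset lines from post #45) can be checked mechanically. The following is an added example, not code from the thread or from DirectAdmin's build scripts: it reads the directives shown in the thread (TLS, TLSCipherSuite, FileSystemCharset, ClientCharset) from a constructed sample file. Two facts it relies on: OpenSSL cipher lists are separated by colons (commas or spaces also work), so a token like `!SSLv2!SSLv3!ADH!aNULL` is one unknown word rather than four rules; and `!aNULL` alone excludes every anonymous suite, both anonymous DH (ADH) and anonymous ECDH (AECDH), so `!ADH` next to it is redundant.

```shell
#!/bin/sh
# Added example, not from the thread: audit a pure-ftpd.conf for the settings
# discussed in posts #42 and #45. The two config files are constructed here;
# on a real server you would pass /etc/pure-ftpd.conf instead.

# Prints the value of an active (not commented-out) directive; empty if unset.
pf_get() {   # $1 = directive name, $2 = conf file
    awk -v key="$1" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# 0 when "TLS 2" is set (plaintext sessions refused), 1 otherwise.
pf_tls_enforced() {
    [ "$(pf_get TLS "$1")" = "2" ]
}

# Classifies the TLSCipherSuite string: "unset", "malformed" (a '!' that is
# not at the start of a colon-separated token), "anon-allowed" (no !aNULL)
# or "ok". OpenSSL's grammar separates entries with ':' (',' or ' ' also work).
pf_cipher_status() {
    suite=$(pf_get TLSCipherSuite "$1")
    [ -n "$suite" ] || { echo "unset"; return; }
    anon=1
    for tok in $(printf '%s' "$suite" | tr ':,' '  '); do
        case "$tok" in
            ?*'!'*)   echo "malformed"; return ;;   # e.g. !SSLv2!SSLv3 as one word
            '!aNULL') anon=0 ;;                     # excludes ADH and AECDH
        esac
    done
    if [ "$anon" -eq 0 ]; then echo "ok"; else echo "anon-allowed"; fi
}

# 0 when both charset directives are uncommented and set to utf-8, 1 otherwise.
pf_utf8_enabled() {
    [ "$(pf_get FileSystemCharset "$1")" = "utf-8" ] &&
        [ "$(pf_get ClientCharset "$1")" = "utf-8" ]
}

# ---- constructed sample input (not a real server's file) ----------------
PF_WORK=$(mktemp -d)
trap 'rm -rf "$PF_WORK"' EXIT
PF_WEAK="$PF_WORK/pure-ftpd.conf.weak"
PF_GOOD="$PF_WORK/pure-ftpd.conf.good"

cat > "$PF_WEAK" <<'EOF'
# constructed sample: TLS optional, mis-separated cipher string, charsets still commented
TLS                      1
TLSCipherSuite           High:MEDIUM:+TLSv1.1:!SSLv2!SSLv3!ADH!aNULL
# FileSystemCharset      big5
# ClientCharset          big5
EOF

cat > "$PF_GOOD" <<'EOF'
# constructed sample: TLS enforced, colon-separated string, charsets active
TLS                      2
TLSCipherSuite           HIGH:MEDIUM:+TLSv1.1:!SSLv2:!SSLv3:!aNULL
FileSystemCharset        utf-8
ClientCharset            utf-8
EOF

pf_report() {
    printf '== %s\n' "$1"
    pf_tls_enforced "$1" && echo "ok: TLS 2" || echo "FAIL: TLS is not 2"
    printf 'cipher string: %s\n' "$(pf_cipher_status "$1")"
    pf_utf8_enabled "$1" && echo "ok: utf-8 charsets" || echo "FAIL: charset lines not active"
}

pf_report "$PF_WEAK"
pf_report "$PF_GOOD"
```

The charset check only tells you the .conf lines are active; as the later posts point out, they take effect only if the start script actually launches pure-ftpd with that file rather than with command-line switches.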

  6. #46
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    389
    Yeah, did that after the fail, sorry for not mentioning.

    Quote Originally Posted by Richard G View Post
    No the .conf file is just a configuration file.

    I just had a look in the .conf file and it looks like this:
    Code:
    # UTF-8 support for file names (RFC 2640)
    # Set the charset of the server filesystem and optionally the default charset
    # for remote clients that don't use UTF-8.
    # Works only if pure-ftpd has been compiled with --with-rfc2640
    
    # FileSystemCharset                big5
    # ClientCharset                    big5
    So I guess you have to remove the # characters, change big5 to utf-8, save and then restart pure-ftpd.

    The options line is only for in the boot script.

    Recompiling is done with the custom script by adding the
    --with-rfc2640
    line, so also not with the Options line.
    DUTCH GERMAN, GERMAN DUTCH

  7. #47
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,611
    OK, but does it work?
    Because until now if I changed something in the pure-ftpd.conf and restarted pure-ftpd, it did not work because the start script isn't looking at the .conf file by default.
    Greetings, Richard.

  8. #48
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    389
    Did it in custom.
    And of course then a ./build pureftpd is needed first.

    The SSL and cipher settings did work, so I hope UTF-8 also.

    https://help.directadmin.com/item.php?id=540

    But the texts there are confusing about where and what to edit and how to change where, also which versions are new, while saying new installs...?

    Also here see the difference for CentOS
    https://help.directadmin.com/item.php?id=579

    So I don't know which parts are already only working in/out of the conf; some texts/remarks in the conf are also saying changes in configure are needed and so on
    Last edited by ikkeben; 12-27-2018 at 06:21 AM.
    DUTCH GERMAN, GERMAN DUTCH

  9. #49
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,611
    So I don't know which parts are already only working in/out of the conf
    Yes that's what I mean. A lot of things do not work from the conf file, because I used pure-ftpd in the past before Directadmin used it, on my private server.
    There were 2 ways to invoke pure-ftpd to work. Either via the command line, or via the configuration file.

    What Directadmin docs are telling is not true. They don't work both at the same time.

    From the pure-ftpd docs itself:
    Tweak it according to your needs, and start the server using that file:

    /usr/local/sbin/pure-ftpd /etc/pure-ftpd.conf

    Note the absence of switches. In order to avoid confusion, either a
    configuration file or a set of command-line switches can be used.
    So you can have a pure-ftpd.conf file, but that will NOT work, unless the start script is changed to use it.
    And then we might have issues that things get overwritten on a pure-ftpd update.
    Greetings, Richard.

  10. #50
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,611
    It's indeed very unclear in the DA help section.

    But it seems the pure-ftpd.conf is only to be used with really new installations (since the date of the doc).

    I just checked my CentOS 7 server, which is only several months old, and this has the pure-ftpd.conf in the startup service.
    My CentOS 6 servers, which are older, don't have that.

    So your UTF-8 will only work if you use that options stuff in the startup script.
    When options are used in the startup script, then pure-ftpd.conf will be ignored and the other way around.

    It's only strange that it states new installations will have pure-ftpd.conf in /etc while "old" installations got one too.
    Greetings, Richard.

  11. #51
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    389
    OK, did the proftpd sftp option and blocked ports 21 and 20 with csf.

    The manual here is not complete!
    https://help.directadmin.com/item.php?id=439
    You need this

    https://forum.directadmin.com/showthread.php?t=55638

    But then the 1024 is not safe on port 23 sftp! How can we solve this part?


    SSH DSA key length
    Trigger The server uses a 1024-bit DSA key.
    Context

    DSA keys must be long enough to provide reasonable security. The recommended size is 2048-bit. However, longer keys might be preferable in new systems.

    Some SSH implementations such as OpenSSH don't support DSA keys larger than 1024 bits. In such cases, DSA should not be used at all.
    Remediation R02
    OpenSSH < 6.7

    Make sure the configuration file /etc/ssh/sshd_config contains the following lines (in the same order):

    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key

    (/etc/ssh/ssh_host_dsa_key should not be used because it only has 1024 bits)
    OpenSSH ≥ 6.7

    Make sure the configuration file /etc/ssh/sshd_config contains the following lines (in the same order):

    HostKey /etc/ssh/ssh_host_ed25519_key
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key

    (/etc/ssh/ssh_host_dsa_key should not be used because it only has 1024 bits)

    and this

    http://forum.directadmin.com/showthread.php?t=55873

    clamav for proftpd then also another
    Last edited by ikkeben; 01-08-2019 at 05:21 PM.
    DUTCH GERMAN, GERMAN DUTCH
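The scanner findings quoted in post #42 (Blowfish and CAST-128 enabled, Diffie-Hellman group size) and in post #51 (1024-bit DSA host key, with the HostKey order the remediation asks for) all come down to two files. The following is an added example, not code from the thread, from DirectAdmin or from the scanner: `HostKey` and `Ciphers` are real sshd_config directives and `blowfish-cbc` / `cast128-cbc` are OpenSSH's names for those ciphers; the sample sshd_config and moduli lines are constructed. For the DH question, OpenSSH draws its `diffie-hellman-group-exchange` groups from /etc/ssh/moduli, whose fifth column stores the group size minus one, so entries below 3071 are the ones smaller than 3072 bits.

```shell
#!/bin/sh
# Added example, not from the thread: audit functions for the SSH findings
# quoted above. On a real server pass /etc/ssh/sshd_config and /etc/ssh/moduli;
# the files created below are constructed for the demo.

# 0 if the 1024-bit DSA host key is still listed, 1 otherwise.
sshd_uses_dsa_hostkey() {
    grep -Eq '^[[:space:]]*HostKey[[:space:]]+.*ssh_host_dsa_key' "$1"
}

# 0 if an explicit Ciphers line enables a 64-bit block cipher, 1 otherwise.
# With no Ciphers line the compiled-in default applies, which depends on the version.
sshd_has_64bit_cipher() {
    grep -Ei '^[[:space:]]*Ciphers[[:space:]]' "$1" | grep -Eq 'blowfish-cbc|cast128-cbc'
}

# Prints the HostKey file names in the order they appear, space separated,
# so the "same order" requirement of the remediation can be compared literally.
sshd_hostkey_order() {
    awk '/^[ \t]*HostKey[ \t]/ { n = split($2, p, "/"); print p[n] }' "$1" \
        | tr '\n' ' ' | sed 's/ $//'
}

# Counts moduli entries smaller than a 3072-bit group. In /etc/ssh/moduli the
# fifth field is the size minus one, so 3071 is the first 3072-bit entry.
moduli_below_3072() {
    awk '$1 !~ /^#/ && NF >= 5 && $5 < 3071 { n++ } END { print n + 0 }' "$1"
}

# ---- constructed sample input (not a real server's files) ---------------
SSH_WORK=$(mktemp -d)
trap 'rm -rf "$SSH_WORK"' EXIT
WEAK_CONF="$SSH_WORK/sshd_config.weak"
GOOD_CONF="$SSH_WORK/sshd_config.good"
MODULI="$SSH_WORK/moduli"

cat > "$WEAK_CONF" <<'EOF'
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Ciphers aes128-ctr,blowfish-cbc,cast128-cbc
EOF

# The OpenSSH >= 6.7 remediation from the thread: ed25519, rsa, ecdsa, no dsa.
cat > "$GOOD_CONF" <<'EOF'
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
EOF

# Two fake moduli entries: one 2048-bit group (size field 2047), one 4096-bit.
cat > "$MODULI" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20181228000000 2 6 100 2047 2 FFFFFFFFDEADBEEF
20181228000000 2 6 100 4095 2 FFFFFFFFCAFEBABE
EOF

ssh_audit() {
    printf '== %s\n' "$1"
    sshd_uses_dsa_hostkey "$1" && echo "FAIL: DSA host key listed (1024-bit)" || echo "ok: no DSA host key"
    sshd_has_64bit_cipher "$1" && echo "FAIL: blowfish-cbc/cast128-cbc enabled" || echo "ok: no 64-bit block cipher"
    printf 'HostKey order: %s\n' "$(sshd_hostkey_order "$1")"
}

ssh_audit "$WEAK_CONF"
ssh_audit "$GOOD_CONF"
printf 'moduli entries below 3072 bits: %s\n' "$(moduli_below_3072 "$MODULI")"
```

The moduli count answers the "where to find/set" question from post #42: the group size offered for group-exchange key agreement is not an sshd_config option but whatever entries /etc/ssh/moduli contains, so the usual fix is to keep only the lines whose fifth field is 3071 or more.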

  12. #52
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,611
    Looks nice.

    Can this be made safe? And can this also be done for Pure-ftpd as a lot of users use pure-ftpd?

    We indeed need better and longer keys for various things.
    Greetings, Richard.

  13. #53
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,698
    Pure-FTPd is installed by default, that's why a lot of users use it. Rarely is it changed...

    As for FTP over SSH (aka sFTP) by Pure-FTPd, it's not very straightforward... Check their guide in the FAQ(?) section: https://download.pureftpd.org/pure-ftpd/doc/FAQ Scroll down to the words "* FTP over SSH.".

    Probably somebody has sufficient free time to adapt the guide for Directadmin servers.

  14. #54
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,611
    Seems in the FAQ they consider sFTP something else than FTP over SSH. Looks like they got the terms incorrect.
    FTP-over-SSH is a nice alternative over FTP-over-TLS (impossible to securely
    firewall) and SFTP (which is slower, but only uses one port) .
    I'm always confused by these terms. I also thought FTP over SSH was called sFTP and FTP over TLS was called FTPS. But I don't know what they mean in the docs here by SFTP which uses one port, which seems in their eyes something different than FTP over SSH.
    Seems to me that doc is not correct. FTPS is FTP over SSL/TLS as far as I know and also read on the internet.

    In that case I pull back, because I would need SSH users to have SFTP working, while FTPS is working by default on pure-ftpd I've seen. And I don't want to have SSH users.
    Greetings, Richard.

  15. #55
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    389
    DUTCH GERMAN, GERMAN DUTCH

  16. #56
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,611
    Yep I know, but we use the passive ports anyway for normal use, so they can also be used for tls/ssl for FTPS in our case.
    Greetings, Richard.
