FTP clear text authentication issues and PCI Compliance

nealdxmhost

Got hit with another PCI compliance headache the other day and I have been going round and round trying to figure out what I am doing wrong to resolve this.

Anyhow, this is the general synopsis of what I got from McAfee on this problem:
FTP supporting clear text authentication, where the remote FTP server allows the user's name and password to be transmitted in clear text, which may be intercepted by a network sniffer, or a man-in-the-middle attack.

The General Solution they recommend: switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such that control connections are encrypted.

Any ideas?????
 
Actually the last post in that thread is from nealdxmhost as well, where he says he is having problems with that configuration.

Honestly I can't help you, I never tried that configuration, but what problem are you facing? Would you let me log into your box to try it myself?

Regards
 

I believe so, I had edited the proftpd.configure file in custom/proftpd with the following:
Code:
#!/bin/sh
install_user=ftp \
install_group=ftp \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run \
--mandir=/usr/share/man \
--without-pam \
--disable-auth-pam \
--with-modules=mod_ratio:mod_readme:mod_sftp \
LDFLAGS=-static
 
I just came across this on the ProFTP web site

Now to go back to my dumber than a bag of hammers mentality.........

I came across this link http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS and did some reading.

Code:
   ------------------------ ACCEPTING TLS SESSIONS ------------------------
      
Once the certificate has been installed, you need to start a TLS-enabled
pure-ftpd daemon with the -Y (or --tls=) switch. Example :

/usr/local/sbin/pure-ftpd --tls=1 &

- With "--tls=0", support for SSL/TLS is disabled. This is the default.

- With "--tls=1", clients can connect either the traditional way or through an
SSL/TLS layer. This is probably the setting you need if you want to enable
TLS without having too many angry customers.

- With "--tls=2", cleartext sessions are refused and only SSL/TLS compatible
clients are accepted.

- With "--tls=3", cleartext sessions are refused and only SSL/TLS compatible 
clients are accepted. Clear data connections are also refused, so private 
data connections are enforced. This is an extreme setting.

When SSL/TLS has been successfully negotiated for a connection, you'll see
something similar to this in log files :

<<
SSL/TLS: Enabled TLSv1/SSLv3 with AES256-SHA, 256 secret bits cipher
>>

A cipher using traditional algorithms with a 40 bits key is weak but
exportable to almost any country. This is the minimum size accepted by the
server, else a "Cipher too weak" error message will be logged and reported to
the client.

At the risk of sounding like a total and complete idiot, what would/should I need to do next to make this happen?
 
Test whether your FTP server is actually accepting SSL connections :)
I remember I had sorta like the same message when making the server PCI compliant (Comodo) and I got it sorted.
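One way to run that check without a keyboard session, as an added example that is not code from the thread, from ProFTPD or from pure-ftpd: a small Python probe that sends AUTH TLS exactly as the telnet test does and, on a second connection, sends a bare USER to see whether the server would still take a cleartext password, which is the condition the scan report flags and which pure-ftpd's --tls=2 and ProFTPD's TLSRequired on refuse. The FakeFtpServer class is a constructed stand-in so the script runs offline; its 234 and 500 reply texts are the ones shown in this thread, the 550 reply is an approximation of ProFTPD's wording, and "pci-probe" is a made-up user name (no password is ever sent).

```python
# Added example (not from the thread): probe an FTP control channel for AUTH TLS support and cleartext logins.
import socket
import threading


def read_reply(rfile):
    """Read one RFC 959 reply, skipping the body of a multi-line 'xyz-' reply.
    Returns (numeric code, first line as text)."""
    line = rfile.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    code = line[:3]
    if line[3:4] == b"-":                       # multi-line: read until "xyz "
        while True:
            more = rfile.readline()
            if not more or (more[:3] == code and more[3:4] == b" "):
                break
    return int(code), line.decode("ascii", "replace").rstrip("\r\n")


def send_cmd(sock, rfile, cmd):
    """Send one command line and return the server's reply."""
    sock.sendall(cmd.encode("ascii") + b"\r\n")
    return read_reply(rfile)


def probe_auth_tls(host, port=21, timeout=5.0):
    """True when AUTH TLS is answered with 234 (explicit FTPS offered); False on
    '500 AUTH not understood' or anything else. Same exchange as the telnet test."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rfile:
        code, _ = read_reply(rfile)             # 220 banner
        if code != 220:
            return False
        code, _ = send_cmd(s, rfile, "AUTH TLS")
        return code == 234                      # a real client would start the TLS handshake here


def probe_cleartext_login(host, port=21, timeout=5.0):
    """True when the server would take a cleartext password (331 to USER with no AUTH first),
    which is what the scan flags. ProFTPD 'TLSRequired on' / pure-ftpd --tls=2 answer 4xx/5xx."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rfile:
        read_reply(rfile)                       # banner
        code, _ = send_cmd(s, rfile, "USER pci-probe")  # constructed name; no password is sent
        try:
            send_cmd(s, rfile, "QUIT")
        except OSError:
            pass                                # server may already have dropped us
        return code == 331


class FakeFtpServer(threading.Thread):
    """Constructed stand-in for a real daemon so the probes run offline. tls=True mimics a
    build with mod_tls; tls_required=True mimics 'TLSRequired on' (550 text approximates ProFTPD)."""

    def __init__(self, tls, tls_required):
        super().__init__(daemon=True)
        self.tls, self.tls_required = tls, tls_required
        self.stopping = threading.Event()
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))    # ephemeral port
        self.listener.listen(5)
        self.listener.settimeout(0.2)           # wake periodically to check the stop flag
        self.port = self.listener.getsockname()[1]
        self.start()

    def run(self):
        while not self.stopping.is_set():
            try:
                conn, _ = self.listener.accept()
                with conn, conn.makefile("rb") as rfile:
                    self._session(conn, rfile)
            except OSError:                     # accept timeout, closed listener or dropped client
                continue

    def _session(self, conn, rfile):
        conn.sendall(b"220 ProFTPD 1.3.3e Server ready.\r\n")
        for raw in rfile:
            cmd = raw.split()[0].upper() if raw.split() else b""
            if cmd == b"AUTH":
                conn.sendall(b"234 AUTH TLS successful\r\n" if self.tls
                             else b"500 AUTH not understood\r\n")
                if self.tls:
                    break                       # a real server now expects a TLS handshake
            elif cmd == b"USER":
                conn.sendall(b"550 SSL/TLS required on the control channel\r\n"
                             if self.tls_required else b"331 Password required\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                break

    def close(self):
        self.stopping.set()
        self.listener.close()


if __name__ == "__main__":                      # demo against the constructed server
    srv = FakeFtpServer(tls=True, tls_required=True)
    print(probe_auth_tls("127.0.0.1", srv.port), probe_cleartext_login("127.0.0.1", srv.port))
    srv.close()
```

Point probe_auth_tls and probe_cleartext_login at your own server on port 21 instead of the stand-in. A build without mod_tls gives AUTH TLS False and cleartext login True, which is the state the scan complains about; the result you want is AUTH TLS True and cleartext login False, meaning the server offers FTPS and refuses to take a password over the unencrypted control channel.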
 
Test whether your FTP server is actually accepting SSL connections :)
I remember I had sorta like the same message when making the server PCI compliant (Comodo) and I got it sorted.
In all honesty I am not too sure how to do that. Man I feel like a total NOOB...........
 
Test whether your FTP server is actually accepting SSL connections :)
I remember I had sorta like the same message when making the server PCI compliant (Comodo) and I got it sorted.

[root@cp admin]# telnet localhost 21
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 ProFTPD 1.3.3e Server ready.
AUTH TLS
500 AUTH not understood
 
Code:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.3e Server ready.
AUTH TLS
234 AUTH TLS successful

I've got this in my "/etc/proftpd.conf"

Code:
<IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/proftpd.tls.log
        TLSProtocol TLSv1
        TLSVerifyClient off
        TLSRequired off

        #Certificates
        TLSRSACertificateFile /etc/exim.cert
        TLSRSACertificateKeyFile /etc/exim.key
        #TLSCACertificateFile /etc/ftpd/root.cert.pem

        TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
</IfModule>
 
I tried that as well and this is what I am getting:

Code:
[root@cp admin]# telnet localhost 21
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 ProFTPD 1.3.3e Server ready.
AUTH TLS
500 AUTH not understood

Code:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.3e Server ready.
AUTH TLS
234 AUTH TLS successful

I've got this in my "/etc/proftpd.conf"

Code:
<IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/proftpd.tls.log
        TLSProtocol TLSv1
        TLSVerifyClient off
        TLSRequired off

        #Certificates
        TLSRSACertificateFile /etc/exim.cert
        TLSRSACertificateKeyFile /etc/exim.key
        #TLSCACertificateFile /etc/ftpd/root.cert.pem

        TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
</IfModule>
 
Guess you need to recompile proftpd.
Take a look at /usr/local/directadmin/custombuild/build or search the forums for update script.

If you want I can do it for you. You will get invoiced though.
 
Guess you need to recompile proftpd.
Take a look at /usr/local/directadmin/custombuild/build or search the forums for update script.

If you want I can do it for you. You will get invoiced though.

I have done that a couple of times already but I will give it another go.
 
Tried to recompile proftpd and this is what happened:

Code:
tar: proftpd-1.3.3e/tests/t/config/ftpaccess/merging.t: Cannot open: No such file or directory
tar: proftpd-1.3.3e/tests/t/config/directory: Cannot mkdir: No such file or directory
tar: proftpd-1.3.3e/tests/t/config/directory/umask.t: Cannot open: No such file or directory
tar: proftpd-1.3.3e/tests/t/config/directory/lookups.t: Cannot open: No such file or directory
tar: proftpd-1.3.3e/tests/t/config/directory/limits.t: Cannot open: No such file or directory
tar: proftpd-1.3.3e/tests/t/config/timeoutlogin.t: Cannot open: No such file or directory
tar: proftpd-1.3.3e/tests/t/config/allowoverwrite.t: Cannot open: No such file or directory
tar: proftpd-1.3.3e/tests/t/config/maxstorefilesize.t: Cannot open: No such file or directory
tar: proftpd-1.3.3e/configure.in: Cannot open: No such file or directory
tar: proftpd-1.3.3e/README.controls: Cannot open: No such file or directory
tar: proftpd-1.3.3e/CREDITS: Cannot open: No such file or directory
tar: proftpd-1.3.3e/Makefile.in: Cannot open: No such file or directory
tar: proftpd-1.3.3e/README.DSO: Cannot open: No such file or directory
tar: proftpd-1.3.3e/README.ports: Cannot open: No such file or directory
tar: Error exit delayed from previous errors
chown: cannot access `proftpd-1.3.3e': No such file or directory
./build: line 8042: cd: proftpd-1.3.3e: No such file or directory
rm: cannot remove `/etc/proftpd.conf.old': Permission denied
cp: cannot create regular file `/etc/proftpd.conf.old': Permission denied
Configuring proftpd-1.3.3e...
/usr/local/directadmin/custombuild/custom/proftpd/configure.proftpd: line 2: ./configure: is a directory
Done. Making proftpd-1.3.3e...
Trying to make ProFTPD...
make: *** No targets specified and no makefile found.  Stop.

*** The make has failed, would you like to try to make again? (y,n):
y

Trying to make ProFTPD...
make: *** No targets specified and no makefile found.  Stop.

*** The make has failed, would you like to try to make again? (y,n):
n
 
And this is what I have in custom/proftpd/configure.proftpd

Code:
#!/bin/sh
install_user=ftp \
install_group=ftp \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run \
--mandir=/usr/share/man \
--without-pam \
--disable-auth-pam \
--with-modules=mod_ratio:mod_readme:mod_sftp \
LDFLAGS=-static
 
Code:
#!/bin/sh
install_user=ftp \
install_group=ftp \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run \
--mandir=/usr/share/man \
--without-pam \
--disable-auth-pam \
--enable-nls \
--with-modules=mod_ratio:mod_readme:mod_tls \
LDFLAGS=-static
Code:
./build clean
./build update_script
./build update
./build proftpd
 
Thanks for that revision, and this time around I was able to get proftpd to recompile.

However, when I do the test via telnet I am still getting the 500 error:

Code:
[root@cp custombuild]# telnet localhost 21
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 ProFTPD 1.3.3e Server ready.
auth tls
500 AUTH not understood
quit
221 Goodbye.
Connection closed by foreign host.

I am getting more and more baffled by this whole thing as I believe I have followed all instructions and this is where I am at...........
 
This is what I got:

Code:
[root@cp ~]# /usr/sbin/proftpd -l
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_facts.c
  mod_ident.c
  mod_ratio.c
  mod_readme.c
  mod_sftp.c
  mod_cap.c
  mod_lang.c
 
That's strange, mine works out of the box with AUTH TLS.

Make sure you don't have a different proftpd.conf file that it might be running off.

find / -name proftpd.conf

You should make sure you don't have any other proftpd installations with:

rpm -aq | grep -i proftpd

Try to do:

/usr/local/directadmin/scripts/proftpd.sh

cd /usr/local/directadmin/custombuild
./build update
./build clean
./build proftpd d

Other than that, you might want to check its error log, or start it in debug mode by stopping proftpd in DirectAdmin and then running

/usr/sbin/proftpd -d10 -n

then you can look for errors that might be happening.
 
That's strange, mine works out of the box with AUTH TLS.

Make sure you don't have a different proftpd.conf file that it might be running off.

find / -name proftpd.conf

I ran that command and it just seems to hang there doing nothing; however, if I do the following I get this:
Code:
 whereis proftpd.conf
proftpd: /usr/sbin/proftpd /etc/proftpd.conf /etc/proftpd.passwd /usr/lib/proftpd /usr/local/etc/proftpd.conf /usr/include/proftpd /usr/share/man/man8/proftpd.8.gz /usr/share/man/man8/proftpd.8
Does that help?

You should make sure you don't have any other proftpd installations with:

rpm -aq | grep -i proftpd

I did that and this is what I got:
Code:
[root@cp ~]# rpm -aq | grep -i proftpd
proftpd-standalone-1.3.1-1
proftpd-1.3.1-1

Try to do:

/usr/local/directadmin/scripts/proftpd.sh

cd /usr/local/directadmin/custombuild
./build update
./build clean
./build proftpd d

Gave that a go and here are the results:
Code:
[root@cp ~]# /usr/local/directadmin/scripts/proftpd.sh
cat: ./setup.txt: No such file or directory
Stopping xinetd:                                           [FAILED]
Starting xinetd:                                           [  OK  ]
Preparing...                ########################################### [100%]
        package proftpd-1.3.1-1.x86_64 is already installed
Preparing...                ########################################### [100%]
        package proftpd-standalone-1.3.1-1.x86_64 is already installed
mkdir: cannot create directory `/var/log/proftpd': File exists

Now on to recompiling proftpd again......

Other than that, you might want to check its error log, or start it in debug mode by stopping proftpd in DirectAdmin and then running

/usr/sbin/proftpd -d10 -n

then you can look for errors that might be happening.
Noted

Got a full screen of stuff and then some. Anyhow I am still getting the 500 error after doing a telnet localhost 21 and entering AUTH TLS
 