ProFTPd update?

Hello,

http://www.proftpd.org/docs/NEWS-1.2.10
Was their last "Stable" release.

Right on their main page, it also says "This module will be included in the next release of ProFTPD", which would be 1.3.0, which isn't set as stable yet.

They do have a release candidate 1.3.0rc1, which would probably have what you're looking for.

I wouldn't say that not having the module is a huge security problem. Someone can just as easily see if a user exists by going to http://1.2.3.4/~username ;) (that's all this new module really hides anyway, which users exist or don't exist).

John
 
John,

No it isn't a HUGE security problem. That kind of brute force attack is a rare animal anyways but it is still a possibility. Visa/MC/AMEX and Discover think it is a big deal though. So I do have to give it the attention it needs.

Any chance you can apply the LSS fix for it to the sources?

---snip---
Pseudo-random usleep() at the login procedure that will obfuscate time leak. Something like this:

proftpd-1.2.10/modules/mod_auth.c

1867a1868,1877

> {
> unsigned int randa;
> struct timeval tv;
> struct timezone tz;
> gettimeofday (&tv, &tz);
> srand(tv.tv_usec);
> randa = rand() % 20000;
> usleep(randa);
> }
>
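Review bot: the jitter is capped at 20 ms (`randa = rand() % 20000;` then `usleep(randa);`), so it can only mask a timing difference that is itself smaller than 20 ms, and because the delay is drawn independently of whether the account exists, it averages out over repeated logins instead of removing the gap. Reseeding with `srand(tv.tv_usec);` on every call also ties the delay to the microsecond clock rather than to a real entropy source. A more robust fix at this point in the login path is to make the existing and non-existing user branches do the same work (for example, always run the password hash, discarding the result for unknown users) so there is no gap to hide; if a sleep is kept, its range needs to exceed the measured gap and should be documented as noise, not as a guarantee.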

After this simple patch is applied, it is impossible to tell which users do and don't exist:
---snip---

That is the fix that the auditing company is recommending anyways.

Cheers,

Big Wil
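The quoted patch adds a random 0-20 ms delay on every login and the snippet then claims the accounts become indistinguishable. The following is an added model (not code from this thread or from ProFTPD) that lets you check that claim against two alternatives before touching the sources: the unpatched short-circuit, the jitter patch, and a constant-work variant that performs the same password-hash cost whether or not the account exists. The user names and the microsecond costs are constructed assumptions chosen only to make the effect visible; the 20000 bound is the one from the patch.

```python
import random

# Constructed cost model in microseconds (assumption, not ProFTPD measurements):
# an unknown user short-circuits before the expensive password hash runs.
HASH_COST_US = 40_000     # assumed cost of hashing the supplied password
LOOKUP_COST_US = 2_000    # assumed cost of the account lookup alone
JITTER_MAX_US = 20_000    # matches "rand() % 20000" in the quoted patch

KNOWN_USERS = {"alice", "bob"}  # constructed sample accounts


def login_unpatched(user, rng):
    """Original behaviour: unknown users return before the hash is computed."""
    cost = LOOKUP_COST_US
    if user in KNOWN_USERS:
        cost += HASH_COST_US
    return cost


def login_jittered(user, rng):
    """The quoted patch: same short-circuit plus a random 0-20 ms usleep()."""
    return login_unpatched(user, rng) + rng.randrange(JITTER_MAX_US)


def login_constant_work(user, rng):
    """Hardened alternative: hash a dummy password for unknown users so both
    branches cost the same and there is no gap left to hide."""
    return LOOKUP_COST_US + HASH_COST_US


def mean_response(login, user, samples, seed=0):
    """Average response time an observer would see over `samples` attempts."""
    rng = random.Random(seed)
    total = sum(login(user, rng) for _ in range(samples))
    return total / samples


def timing_gap(login, samples=200):
    """Difference in mean response between a real and a fictitious account.
    A defender wants this to be 0 regardless of how many samples are taken."""
    return (mean_response(login, "alice", samples, seed=0)
            - mean_response(login, "nobody", samples, seed=1))


def ranges_overlap(login, samples=200):
    """True if a single observation could belong to either account, i.e. the
    observed ranges for a real and a fictitious user overlap at all."""
    rng = random.Random(0)
    known = [login("alice", rng) for _ in range(samples)]
    unknown = [login("nobody", rng) for _ in range(samples)]
    return max(unknown) >= min(known) and max(known) >= min(unknown)


if __name__ == "__main__":
    for name, fn in (("unpatched", login_unpatched),
                     ("jittered", login_jittered),
                     ("constant-work", login_constant_work)):
        print(f"{name:14s} mean gap = {timing_gap(fn):9.1f} us, "
              f"single-sample ranges overlap = {ranges_overlap(fn)}")
```

Because the assumed hash cost (40 ms) exceeds the 20 ms jitter cap, the jittered variant still produces two non-overlapping ranges and a mean gap that stays near 40 ms; only the constant-work variant collapses the gap to zero. Replace the two cost constants with numbers measured on your own build to judge whether the patch is adequate for your server.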
 
So then updating proftpd using DA's rpms should just be a simple matter of grabbing the rpms for your particular linux flavor and then rpm -Uvh....?

Or did I miss something?
 
DA uses a customized version.
Here are the steps to update a CentOS 4 box:

#rpm -Uvh http://files.directadmin.com/services/proftpd-1.3.0rc3-1.src.rpm
#cd /usr/src/redhat/SPECS
#rpmbuild -bb --target=i686 proftpd.spec
#cd ../RPMS/i686
#rpm -Uvh proftpd-standalone-1.3.0rc3-1.i686.rpm
#rpm -Uvh proftpd-1.3.0rc3-1.i686.rpm
#/etc/init.d/proftpd restart

You should have rpm-build installed first; try: yum install rpm-build

I have successfully updated to proftpd 1.3.0rc3 using the above steps. ;)
 
Hi Jeff

I figured that grabbing the source rpms would be safe. I was trying to save people the extra step when I observed that DA seems to have put .rpm files in the various unix flavors on files.directadmin.com/services. I'm guessing that those are prebuilt and safe to install provided that you get the right one for your flavor of unix.

Can anyone at DA confirm this?
 