TLS v1.0 deadline by pci!

Because of problem with UTF8 "facebook icons" i installed
pureftp

https://help.directadmin.com/item.php?id=540

There you see also de ssl settings

For pureftp i did also
openssl dhparam -out /etc/pure-ftpd-dhparams.pem 3072
Click to expand...
in the .conf
TLS 2
TLSCipherSuite High:MEDIUM:+TLSv1.1:!SSLv2!SSLv3!ADH!aNULL
Click to expand...

EDITed these anonymous cipher suites are gone now with the setting above: didn;t know wich one therefore used both

Was not enoough don't know how switch these off ??
this one ltd scan on port ftp 21:

Support for anonymous cipher suites
Trigger This service supports 4 anonymous cipher suites.
Context

Each cipher suite describes how server authentication is done. Anonymous cipher suites tell the client not to authenticate the server. They should thus not be used unless server authentication is not required, as is usually the case for SMTP servers.
Click to expand...

And for port 22 the diffie helman to 3072 where to find set?
For security, a 2048-bit group is reasonable although ECRYPT recommends a group size of at least 3072
Click to expand...

PORT 22 ALSO: EDIT You have to set these in the sshd config
Support for Blowfish cipher
Trigger The server supports the Blowfish cipher.
Context

Blowfish is a block cipher with a 64-bit block size.

In SSH, Blowfish is used with 128-bit keys. However, its 64-bit block size, can be insufficient for some applications, for example because of birthday attacks (sweet32.info). There are also some cryptanalytic results on reduced-round versions (though no practical attacks). There seem to be no advantage to using it over more secure and more widely supported ciphers.
Click to expand...

And:
Support for CAST-128 cipher
Trigger The server supports the CAST-128 cipher.
Context

In SSH, CAST-128 is used with 128-bit keys. However, it has a 64-bit block size, which can be insufficient for some applications, for example because of birthday attacks (sweet32.info). There seem to be no advantage to using it over more secure and more widely supported ciphers.
Click to expand...
 
Last edited:
The link is a bit confusing to me.
It says since january 2018 we got the /etc/pure-ftpd.conf and changes can be made in there.

Do we still need to recompile for utf8 support?

Next to that I tried making changes in there earlier this year, but they were not taken over. My guess is because normally pure-ftpd.conf is stated in the boot script, otherwise the conf will be ignored.
 
Richard G said:
The link is a bit confusing to me.
It says since january 2018 we got the /etc/pure-ftpd.conf and changes can be made in there.

Do we still need to recompile for utf8 support?

Next to that I tried making changes in there earlier this year, but they were not taken over. My guess is because normally pure-ftpd.conf is stated in the boot script, otherwise the conf will be ignored.
Click to expand...

Same problem here tried ./build .... failed restart while
OPTIONS="${OPTIONS} --fscharset=utf-8 --clientcharset=utf-8"
Click to expand...
Is not for in the .conf file i think ??
 
No the .conf file is just a configuration file.

I just had a look in the .conf file and it looks like this:
Code: 
# UTF-8 support for file names (RFC 2640)
# Set the charset of the server filesystem and optionally the default charset
# for remote clients that don't use UTF-8.
# Works only if pure-ftpd has been compiled with --with-rfc2640

# FileSystemCharset                big5
# ClientCharset                    big5

So I guess you have to remove the # characters, change big5 to utf-8 save and then restart pure-ftpd.

The options lines is online for in the boot script.

Recompiling is done with the custom script by adding the
--with-rfc2640
line, so also not with the Options line.
 
Yea did that after the failed sorry for not mentioning.:confused:

Richard G said:
No the .conf file is just a configuration file.

I just had a look in the .conf file and it looks like this:
Code: 
# UTF-8 support for file names (RFC 2640)
# Set the charset of the server filesystem and optionally the default charset
# for remote clients that don't use UTF-8.
# Works only if pure-ftpd has been compiled with --with-rfc2640

# FileSystemCharset                big5
# ClientCharset                    big5

So I guess you have to remove the # characters, change big5 to utf-8 save and then restart pure-ftpd.

The options lines is online for in the boot script.

Recompiling is done with the custom script by adding the
--with-rfc2640
line, so also not with the Options line.
Click to expand...
 
Oke but does it work?
Because until now if I changed something in the pure-ftpd.conf and restarted pure-ftpd, it did not work because the start script isn't looking at the .conf file by default.
 
Did it in custom.
And ofcourse then needed a ./build pureftpd before is needed

The SSL en ciphers settings did worked, so i hope utf-8 also ;)

https://help.directadmin.com/item.php?id=540

But the texts there are confusing where what to edit and howto change where, also wich versions are new, while saying new installs...?

Also here see difference centos
https://help.directadmin.com/item.php?id=579

So don't know wich parts are already only working in/out of the conf, some texts/remarks in the conf are also saying changes in configure are needed and so on
 
Last edited:
So don't know wich parts are already only working in/out of the conf
Click to expand...
Yes that's what I mean. A lot of things do not work from the conf file, because I used pure-ftpd in the past before Directadmin used it, on my private server.
There were 2 ways to invoke pure-ftpd to work. Either via commandline, or via the configuration file.

What Directadmin docs are telling is not true. They don't work both at the same time.

From the pure-ftpd docs itself:
Tweak it according to your needs, and start the server using that file:

/usr/local/sbin/pure-ftpd /etc/pure-ftpd.conf

Note the absence of switches. In order to avoid confusion, either a
configuration file or a set of command-line switches can be used.
Click to expand...

So you can have a pure-ftpd.conf file, but that will NOT work, unless the start script is changed to use it.
And then we might have issues that things get overwritten on a pure-ftpd update.
 
It's indeed very unclear in the DA help section.

But it seems the pure-ftpd.conf is only to be used with really new installations (from since the date of the doc).

I just checked my Centos 7 server which is only several months old, and this has the pure-ftpd.conf in the startup service.
My Centos 6 servers, which are already older doesn't have that.

So your UTF-8 will only work if you use that options stuff for in the startup script.
When options are used in the startup script, then pure-ftpd.conf will be ignored and the other way around.

It's only strange that it states new installations will have pure-ftpd.conf in /etc while "old" installations got one too.
 
OK did the proftpd fstp option and blocked with csf ports 21 and 20

The manual here is not complete!
https://help.directadmin.com/item.php?id=439
you need this

https://forum.directadmin.com/showthread.php?t=55638

But then the 1024 is not safe on port 23 fstp! How can we solve this part?

SSH DSA key length
Trigger The server uses a 1024-bit DSA key.
Context

DSA keys must be long enough to provide reasonable security. The recommended size is 2048-bit. However, longer keys might be preferable in new systems.

Some SSH implementations such as OpenSSH don't support DSA keys larger than 1024 bits. In such cases, DSA should not be used at all.
Click to expand...

Remediation R02
OpenSSH < 6.7

Make sure the configuration file /etc/ssh/sshd_config contains the following lines (in the same order):

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

(/etc/ssh/ssh_host_dsa_key should not be used because it only has 1024 bits)
OpenSSH ≥ 6.7

Make sure the configuration file /etc/ssh/sshd_config contains the following lines (in the same order):

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

(/etc/ssh/ssh_host_dsa_key should not be used because it only has 1024 bits)
Click to expand...


and this

http://forum.directadmin.com/showthread.php?t=55873

clamav for proftpd then also another
 
Last edited:
Looks nice.

Can this be made safe? And can this also be done for Pure-ftpd as a lot of users use pure-ftpd?

We indeed need better and longer keys for various things.
 
Pure-FTPd is installed by default, that's why a lot of users use it. Rarely it's changed...

As for FTP over SSH (aka sFTP) by Pure-FTPd, it's not very straight-forward... Check their guide in the FAQ(?) section: https://download.pureftpd.org/pure-ftpd/doc/FAQ Scroll down to the words "* FTP over SSH.".

Probably anybody have sufficient free time to adapt the guide for Directadmin servers.
 
Seems in the faq they find sFTP somethings else then FTP over SSH. Looks like they got the terms incorrect.
FTP-over-SSH is a nice alternative over FTP-over-TLS (impossible to securely
firewall) and SFTP (which is slower, but only uses one port) .
Click to expand...
I'm always confused by these terms. I also thought FTP over SSH was called sFTP and FTP over TLS was called FTPS. But I don't now what they mean in the docs here by SFTP which uses one port, which seems in their eyes something different the FTP over SSH.
Seems to me that doc is not correct. FTPS is FTP over SSL/TLS as far as I know and also read on the internet.

In that case I pull back, because I would need SSH user to have SFTP working while FTPS is working by default on pure-ftpd I've seen. And I don't want to have SSH users.
 
Yep I know, but we use the passive ports anyway for normal use, so they can also be used for tls/ssl for FTPS in our case.
 
You must log in or register to reply here.
Back
Top