TLS v1.0 deadline by PCI!

ikkeben

Verified User
Joined
May 22, 2014
Messages
1,233
Location
Netherlands Germany
Because of a problem with UTF8 "facebook icons" I installed
pureftp

https://help.directadmin.com/item.php?id=540

There you also see the SSL settings.

For pureftp I also did
Code:
openssl dhparam -out /etc/pure-ftpd-dhparams.pem 3072
in the .conf:
Code:
TLS 2
TLSCipherSuite HIGH:MEDIUM:+TLSv1.1:!SSLv2:!SSLv3:!ADH:!aNULL

EDIT: these anonymous cipher suites are gone now with the setting above. Didn't know which one, therefore used both.

Was not enough, don't know how to switch these off??
This one from the ltd scan on FTP port 21:

Support for anonymous cipher suites
Trigger This service supports 4 anonymous cipher suites.
Context

Each cipher suite describes how server authentication is done. Anonymous cipher suites tell the client not to authenticate the server. They should thus not be used unless server authentication is not required, as is usually the case for SMTP servers.

And for port 22, where do I find the setting for Diffie-Hellman at 3072?
For security, a 2048-bit group is reasonable although ECRYPT recommends a group size of at least 3072

PORT 22 ALSO: EDIT: you have to set these in the sshd config.
Support for Blowfish cipher
Trigger The server supports the Blowfish cipher.
Context

Blowfish is a block cipher with a 64-bit block size.

In SSH, Blowfish is used with 128-bit keys. However, its 64-bit block size can be insufficient for some applications, for example because of birthday attacks (sweet32.info). There are also some cryptanalytic results on reduced-round versions (though no practical attacks). There seems to be no advantage to using it over more secure and more widely supported ciphers.

And:
Support for CAST-128 cipher
Trigger The server supports the CAST-128 cipher.
Context

In SSH, CAST-128 is used with 128-bit keys. However, it has a 64-bit block size, which can be insufficient for some applications, for example because of birthday attacks (sweet32.info). There seems to be no advantage to using it over more secure and more widely supported ciphers.
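As an added example (not from the post, from DirectAdmin or from pure-ftpd itself), here is a small Python checker for the TLS directives in a pure-ftpd.conf. It reads the `TLS` and `TLSCipherSuite` values, splits the OpenSSL cipher string on the separators the ciphers(1) manual documents (':', ',' or space), and reports rules glued together without a separator, alias spellings in the wrong case, and missing `!aNULL` / `!SSLv2` / `!SSLv3` exclusions. The conf text is a constructed sample; the authoritative check of what a string really selects on the server is still `openssl ciphers -v '<string>'`.

```python
import re

# Constructed sample of the relevant pure-ftpd.conf lines. The TLSCipherSuite
# value is copied as it appeared in the post (rules glued together without ':').
SAMPLE_CONF = """\
# TLS 2 = refuse cleartext sessions, require TLS for control and data
TLS 2
TLSCipherSuite High:MEDIUM:+TLSv1.1:!SSLv2!SSLv3!ADH!aNULL
"""

# The same intent written in the syntax the OpenSSL ciphers(1) manual documents.
CORRECTED = "HIGH:MEDIUM:!SSLv2:!SSLv3:!ADH:!aNULL"

# Keywords selecting anonymous (unauthenticated) suites; at least one must be excluded.
ANON_KEYWORDS = {"aNULL", "ADH", "AECDH"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# Subset of documented OpenSSL cipher-string aliases in their exact (case-sensitive) spelling.
KNOWN_ALIASES = {"HIGH", "MEDIUM", "LOW", "aNULL", "eNULL", "ADH", "AECDH", "SSLv2", "SSLv3",
                 "TLSv1", "TLSv1.2", "DEFAULT", "ALL", "EXPORT", "RC4", "3DES", "DES", "MD5"}


def read_directive(conf_text, name):
    """Return the value of the first active (non-comment) line starting with `name`, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == name:
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def tokenize(cipher_string):
    """Split a cipher string on the separators OpenSSL documents: ':', ',' or space."""
    return [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]


def audit_cipher_string(cipher_string):
    """Return a list of findings for an OpenSSL cipher string; an empty list means no issue found."""
    findings = []
    excluded = set()
    for tok in tokenize(cipher_string):
        # A '!' after the first character means several rules were written without a
        # separator. Split them here to recover the intent, but report it so the file
        # gets rewritten in the documented form.
        rules = re.findall(r"![^!]*|[^!]+", tok)
        if len(rules) > 1:
            findings.append(f"{tok!r}: separate rules with ':' instead of gluing them together")
        for rule in rules:
            modifier = rule[0] if rule[0] in "!+-" else ""
            body = rule[len(modifier):]
            if modifier == "!":
                excluded.add(body)
                continue
            if body in ANON_KEYWORDS:
                findings.append(f"{rule!r} enables anonymous suites")
            elif body not in KNOWN_ALIASES:
                match = [a for a in KNOWN_ALIASES if a.lower() == body.lower()]
                if match:
                    findings.append(f"{rule!r}: aliases are case-sensitive, use {match[0]!r}")
    if not (excluded & ANON_KEYWORDS):
        findings.append("anonymous suites are not excluded: add '!aNULL'")
    for proto in sorted(LEGACY_PROTOCOLS - excluded):
        findings.append(f"{proto} is not excluded: add '!{proto}'")
    return findings


def audit_conf(conf_text):
    """Audit the TLS-related directives of a pure-ftpd.conf text."""
    findings = []
    if read_directive(conf_text, "TLS") != "2":
        findings.append("TLS is not 2: cleartext sessions are still accepted")
    suite = read_directive(conf_text, "TLSCipherSuite")
    if suite is None:
        findings.append("TLSCipherSuite is not set (OpenSSL defaults apply)")
    else:
        findings.extend(audit_cipher_string(suite))
    return findings


if __name__ == "__main__":
    for f in audit_conf(SAMPLE_CONF):
        print("-", f)
    print("corrected string findings:", audit_cipher_string(CORRECTED))
```

Run against the sample it reports two things: the glued `!SSLv2!SSLv3!ADH!aNULL` token and the lower-case `High`; the corrected string produces no findings. The checker only reasons about the string's text, so after editing the conf, restart pure-ftpd and rescan port 21 to confirm the anonymous suites are really gone.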
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
6,718
Location
Maastricht
The link is a bit confusing to me.
It says since January 2018 we got the /etc/pure-ftpd.conf and changes can be made in there.

Do we still need to recompile for UTF-8 support?

Next to that, I tried making changes in there earlier this year, but they were not taken over. My guess is that normally pure-ftpd.conf is stated in the boot script, otherwise the conf will be ignored.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
1,233
Location
Netherlands Germany
The link is a bit confusing to me.
It says since January 2018 we got the /etc/pure-ftpd.conf and changes can be made in there.

Do we still need to recompile for UTF-8 support?

Next to that, I tried making changes in there earlier this year, but they were not taken over. My guess is that normally pure-ftpd.conf is stated in the boot script, otherwise the conf will be ignored.

Same problem here, tried ./build .... failed restart while
OPTIONS="${OPTIONS} --fscharset=utf-8 --clientcharset=utf-8"
is not for the .conf file I think??
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
6,718
Location
Maastricht
No, the .conf file is just a configuration file.

I just had a look in the .conf file and it looks like this:
Code:
# UTF-8 support for file names (RFC 2640)
# Set the charset of the server filesystem and optionally the default charset
# for remote clients that don't use UTF-8.
# Works only if pure-ftpd has been compiled with --with-rfc2640

# FileSystemCharset                big5
# ClientCharset                    big5

So I guess you have to remove the # characters, change big5 to utf-8, save and then restart pure-ftpd.

The OPTIONS line is only for the boot script.

Recompiling is done with the custom script by adding the
--with-rfc2640
line, so also not with the OPTIONS line.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
1,233
Location
Netherlands Germany
Yeah, did that after it failed, sorry for not mentioning. :confused:

No, the .conf file is just a configuration file.

I just had a look in the .conf file and it looks like this:
Code:
# UTF-8 support for file names (RFC 2640)
# Set the charset of the server filesystem and optionally the default charset
# for remote clients that don't use UTF-8.
# Works only if pure-ftpd has been compiled with --with-rfc2640

# FileSystemCharset                big5
# ClientCharset                    big5

So I guess you have to remove the # characters, change big5 to utf-8, save and then restart pure-ftpd.

The OPTIONS line is only for the boot script.

Recompiling is done with the custom script by adding the
--with-rfc2640
line, so also not with the OPTIONS line.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
6,718
Location
Maastricht
OK, but does it work?
Because until now, if I changed something in pure-ftpd.conf and restarted pure-ftpd, it did not work, because the start script isn't looking at the .conf file by default.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
1,233
Location
Netherlands Germany
Did it in custom.
And of course then a ./build pureftpd is needed before.

The SSL and cipher settings did work, so I hope utf-8 also ;)

https://help.directadmin.com/item.php?id=540

But the texts there are confusing about where and what to edit and how to change it where, also which versions are new, while saying new installs...?

Also here, see the difference for CentOS
https://help.directadmin.com/item.php?id=579

So I don't know which parts are already only working in/out of the conf; some texts/remarks in the conf are also saying changes in configure are needed, and so on.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
6,718
Location
Maastricht
So don't know which parts are already only working in/out of the conf
Yes, that's what I mean. A lot of things do not work from the conf file. I know because I used pure-ftpd in the past, before Directadmin used it, on my private server.
There were 2 ways to invoke pure-ftpd to work. Either via the command line, or via the configuration file.

What the Directadmin docs are telling is not true. They don't work both at the same time.

From the pure-ftpd docs itself:
Tweak it according to your needs, and start the server using that file:

/usr/local/sbin/pure-ftpd /etc/pure-ftpd.conf

Note the absence of switches. In order to avoid confusion, either a
configuration file or a set of command-line switches can be used.

So you can have a pure-ftpd.conf file, but that will NOT work unless the start script is changed to use it.
And then we might have issues that things get overwritten on a pure-ftpd update.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
6,718
Location
Maastricht
It's indeed very unclear in the DA help section.

But it seems the pure-ftpd.conf is only to be used with really new installations (since the date of the doc).

I just checked my CentOS 7 server, which is only several months old, and this has the pure-ftpd.conf in the startup service.
My CentOS 6 servers, which are already older, don't have that.

So your UTF-8 will only work if you use that options stuff in the startup script.
When options are used in the startup script, then pure-ftpd.conf will be ignored, and the other way around.

It's only strange that it states new installations will have pure-ftpd.conf in /etc while "old" installations got one too.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
1,233
Location
Netherlands Germany
OK, did the proftpd sftp option and blocked ports 21 and 20 with csf.

The manual here is not complete!
https://help.directadmin.com/item.php?id=439
you need this

https://forum.directadmin.com/showthread.php?t=55638

But then the 1024-bit key is not safe on port 23 sftp! How can we solve this part?


SSH DSA key length
Trigger The server uses a 1024-bit DSA key.
Context

DSA keys must be long enough to provide reasonable security. The recommended size is 2048-bit. However, longer keys might be preferable in new systems.

Some SSH implementations such as OpenSSH don't support DSA keys larger than 1024 bits. In such cases, DSA should not be used at all.

Remediation R02
OpenSSH < 6.7

Make sure the configuration file /etc/ssh/sshd_config contains the following lines (in the same order):

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

(/etc/ssh/ssh_host_dsa_key should not be used because it only has 1024 bits)
OpenSSH ≥ 6.7

Make sure the configuration file /etc/ssh/sshd_config contains the following lines (in the same order):

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

(/etc/ssh/ssh_host_dsa_key should not be used because it only has 1024 bits)


and this

http://forum.directadmin.com/showthread.php?t=55873

clamav for proftpd then also another
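As an added example (not from the post, the scanner or OpenSSH), a Python audit of the global section of an sshd_config against the two points raised in this thread for port 22: the remediation's HostKey list and order for OpenSSH < 6.7 and >= 6.7 (no DSA host key), and the 64-bit block ciphers (blowfish-cbc, cast128-cbc, 3des-cbc) the scan flags. Both config fragments are constructed samples; the OpenSSH version tuple is an assumed input, and the cipher list in the fixed sample is one reasonable choice, not the only one.

```python
import re

# Constructed sample sshd_config fragments (not from any real server). The first
# still loads the 1024-bit DSA host key and offers 64-bit block ciphers.
OLD_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Ciphers aes128-ctr,blowfish-cbc,cast128-cbc,3des-cbc
"""

# The same server after applying the remediation text: DSA key dropped, host keys in
# the recommended order for OpenSSH >= 6.7, and only 128-bit block ciphers offered.
FIXED_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
"""

# OpenSSH cipher names with a 64-bit block size (the Sweet32 class the scan flags).
BLOCK64_CIPHERS = {"blowfish-cbc", "cast128-cbc", "3des-cbc"}


def parse_global(config_text):
    """Parse the global section of an sshd_config.

    Returns (hostkeys, directives): every HostKey value in file order, and the first
    value seen for each other keyword (sshd honours the first occurrence). Parsing
    stops at the first Match block, because HostKey and Ciphers are global settings.
    """
    hostkeys, directives = [], {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "hostkey":
            hostkeys.append(value)
        else:
            directives.setdefault(key, value)
    return hostkeys, directives


def expected_hostkeys(openssh_version):
    """HostKey lines, in order, as given in the scan's remediation for the two version ranges."""
    if openssh_version >= (6, 7):
        return ["/etc/ssh/ssh_host_ed25519_key",
                "/etc/ssh/ssh_host_rsa_key",
                "/etc/ssh/ssh_host_ecdsa_key"]
    return ["/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key"]


def audit_sshd_config(config_text, openssh_version=(7, 4)):
    """Return a list of findings; an empty list means the config matches the remediation."""
    findings = []
    hostkeys, directives = parse_global(config_text)
    for hk in hostkeys:
        # Match "dsa" as a whole word in the path, so ssh_host_ecdsa_key is not flagged.
        if re.search(r"(?<![a-z0-9])dsa(?![a-z0-9])", hk.lower()):
            findings.append(f"HostKey {hk}: DSA host key is limited to 1024 bits, remove it")
    wanted = expected_hostkeys(openssh_version)
    if hostkeys != wanted:
        findings.append("HostKey lines should be, in this order: " + ", ".join(wanted))
    ciphers = directives.get("ciphers")
    if ciphers is None:
        findings.append("Ciphers not set: the version's default list applies, check it with 'sshd -T'")
    else:
        for name in (c.strip() for c in ciphers.split(",")):
            if name in BLOCK64_CIPHERS:
                findings.append(f"Ciphers: {name} uses a 64-bit block (Sweet32), remove it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "no findings")
```

The old sample yields five findings (the DSA key, the HostKey order, and three ciphers); the fixed sample yields none for OpenSSH 7.x and one HostKey-order finding if you tell it the server runs something older than 6.7, where the remediation lists only the RSA and ECDSA keys. After editing, `sshd -t` validates the syntax and `sshd -T` prints the effective settings before you restart the daemon.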
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
6,718
Location
Maastricht
Looks nice.

Can this be made safe? And can this also be done for Pure-ftpd as a lot of users use pure-ftpd?

We indeed need better and longer keys for various things.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,252
Location
GMT +7.00
Pure-FTPd is installed by default, that's why a lot of users use it. Rarely it's changed...

As for FTP over SSH (aka sFTP) by Pure-FTPd, it's not very straight-forward... Check their guide in the FAQ(?) section: https://download.pureftpd.org/pure-ftpd/doc/FAQ Scroll down to the words "* FTP over SSH.".

Probably anybody has sufficient free time to adapt the guide for Directadmin servers.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
6,718
Location
Maastricht
Seems in the FAQ they consider sFTP something else than FTP over SSH. Looks like they got the terms incorrect.
FTP-over-SSH is a nice alternative over FTP-over-TLS (impossible to securely
firewall) and SFTP (which is slower, but only uses one port).
I'm always confused by these terms. I also thought FTP over SSH was called sFTP and FTP over TLS was called FTPS. But I don't know what they mean in the docs here by SFTP which uses one port, which seems in their eyes something different than FTP over SSH.
Seems to me that doc is not correct. FTPS is FTP over SSL/TLS as far as I know and have also read on the internet.

In that case I pull back, because I would need SSH users to have SFTP working, while FTPS is working by default on pure-ftpd, I've seen. And I don't want to have SSH users.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
6,718
Location
Maastricht
Yep I know, but we use the passive ports anyway for normal use, so they can also be used for tls/ssl for FTPS in our case.
 