Proftpd with TLS/SSL, part 1.5: howto masquerade with dyndns

Posted on February 13th, 2007

In the first part of the howto I just explained how to get a proftpd daemon to run with SSL encryption. Doing this brings up a new problem for dyndns users with 24h reconnects and dynamic WAN IPs. Proftpd masquerades the IP address when it is started and not every time a connection is made (like some other daemons do), so after getting a new IP via, for example, a dyndns service, the daemon is still running with the old address and no encrypted connection is possible to (home) servers which get a new IP address after reconnecting to the internet.

As there is no built-in solution for this problem we need to find one ourselves ;) Thinking about it I had two ideas.

1. Restart the proftpd daemon with a cronjob at a specific time (normally a few minutes after the 24h reconnect), which should happen at the same time every day. This solution is quite poor in my opinion because just restarting the router or disconnecting from the internet would leave you with an unusable ftp server.

2. Use a script which checks whether the IP has changed since the last check. Putting such a script in a cron with the instruction to restart the proftpd daemon if the IP has changed should just work. The great advantage is that it automatically restarts the daemon when the IP changes and is completely independent of any user interaction or time (like a 24h reconnect, of course).

Thinking about realising it led to a problem: I know perfectly well how to set up a cron job but I didn't know how to write a script (which would be the more ergonomic solution). I had the idea though, and could think of something like sending a single ping to the hostname of the server to find out its IP address and checking whether it changed since the last ping. After that a simple if/else should be enough to restart the server, or leave it as it is if the IP hasn't changed.

Luckily I told SIYB about my idea and as it seemed quite easy to him he just coded it, and it seems to work:

Here is the code (change the filenames/locations as you wish, or to whatever the default locations of proftpd and your cron daemon are; the ones here are the defaults used by gentoo):

First create a new file with (all actions explained here are done with root privileges)

# nano -w /usr/local/sbin/proftpd_masquarade

and then copy the code into it (change the hostname to yours):

#!/usr/bin/tclsh

# this script will restart the proftpd server if the ip of the host changes

### config ###

# your dyndns hostname
set config(host) "yourhostname.dyndns.org"

# the temporary file to store the old ip
set config(file) "/var/run/proftpdip"

### code ###

# getting ip from dyndns host: the first line of "ping -c 1 host" reads
# "PING host (1.2.3.4) ...", so the third word minus the parentheses is the ip.
# exec raises an error if ping fails (unknown host, no network); bail out
# then, so a failed lookup never overwrites the stored ip with garbage
if {[catch {exec ping -c 1 $config(host)} pingout]} {
    puts stderr "ping $config(host) failed: $pingout"
    exit 1
}
set newip [string trim [lindex [split $pingout] 2] ()]

# getting old ip or enter ip if there is no record
if {![file exists $config(file)]} {
    set fl [open $config(file) a+]; puts $fl $newip; close $fl
    set data $newip
} else {
    # get data from file
    set fl [open $config(file) r]; set data [gets $fl]; close $fl

    # erase file content and enter new ip
    set fl [open $config(file) w]; puts $fl $newip; close $fl
}

# check newip vs oldip (eq compares as strings; == would try numeric first)
if {$newip eq $data} {
    puts "super"
} else {
    puts "restart ftpd"
    exec /etc/init.d/proftpd restart >> /dev/null
}

Save it. As it is written in TCL you need to have TCL installed to run it with:

# tclsh /usr/local/sbin/proftpd_masquarade

Now you just have to create a cronjob to run the script every minute so just put the following in your crontab by running:

# echo "*/1 * * * * root tclsh /usr/local/sbin/proftpd_masquarade" >> /etc/crontab

Finally your proftpd daemon should work fine behind NAT with encryption and the 24h reconnect. Not so bad, heh!?

This was just planned as a short tip so it's not really part 2 but 1.5. More is on its way, especially things like vhosts and performance tuning. There is also a POSIX script now, written by zhenech, to avoid the Tcl dependency. It will be blogged soon.
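The same check in POSIX sh, as an added example: it is neither the Tcl script above nor zhenech's script mentioned here. Hostname, state file and restart command are assumptions taken from the post's defaults and can be overridden through the PROFTPD_HOST, PROFTPD_IPFILE and PROFTPD_RESTART environment variables; the ping line quoted in the comments is a constructed sample. It refuses to store anything when the ping fails, so a transient DNS hiccup can neither poison the state file nor trigger a spurious restart.

```shell
#!/bin/sh
# Added example: POSIX sh version of the ip-change check. Not the post's Tcl
# script and not zhenech's script. Host, state file and restart command are
# assumptions (the post's defaults); override them via the environment.

HOST="${PROFTPD_HOST:-yourhostname.dyndns.org}"
STATEFILE="${PROFTPD_IPFILE:-/var/run/proftpdip}"
RESTART_CMD="${PROFTPD_RESTART:-/etc/init.d/proftpd restart}"

# extract_ip: read ping output on stdin and print the address in parentheses
# from the first line, e.g. (constructed sample)
#   PING yourhostname.dyndns.org (203.0.113.10) 56(84) bytes of data.
# Prints nothing when that line is missing (unknown host, no network).
extract_ip() {
    sed -n '1s/^PING [^ ]* (\([0-9.]*\)).*/\1/p'
}

# resolve_host HOST: one ping, address on stdout; return 1 and print nothing
# on failure so the caller never stores an empty or bogus address
resolve_host() {
    ip=$(ping -c 1 "$1" 2>/dev/null | extract_ip)
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# check_ip NEWIP STATEFILE RESTART_CMD
# Stores NEWIP in STATEFILE and runs RESTART_CMD only if the stored address
# differed. Returns 0 when unchanged (or on the first run), 2 when it restarted.
check_ip() {
    newip=$1; statefile=$2; restart=$3
    oldip=""
    if [ -r "$statefile" ]; then
        oldip=$(head -n 1 "$statefile")
    fi
    printf '%s\n' "$newip" > "$statefile"
    if [ -z "$oldip" ] || [ "$newip" = "$oldip" ]; then
        return 0
    fi
    $restart >/dev/null 2>&1
    return 2
}

main() {
    newip=$(resolve_host "$HOST") || { echo "cannot resolve $HOST" >&2; exit 1; }
    if ! check_ip "$newip" "$STATEFILE" "$RESTART_CMD"; then
        echo "ip changed to $newip, proftpd restarted"
    fi
}

# run main only when invoked as a script (from cron), not when sourced for testing
case "$0" in *proftpd_masq*) main ;; esac
```

Save it as /usr/local/sbin/proftpd_masquerade.sh and use the same crontab line as above with sh in place of tclsh; the state file is rewritten on every run, so the file's mtime doubles as a cheap "is the cron job alive" indicator.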

big thx to siyb for writing the script, to zhenech and craven for correction and to teranetworks for wasting my spare time

WinTV-PVR 350 on Debian Linux (unstable)

Posted on February 7th, 2007

by siyb

I installed my Hauppauge WinTV-PVR 350 on my Linux box yesterday; this howto explains almost everything there is to do (I assume that you have built a kernel module before and that you have all required packages, like module-assistant). It took me less than 10 minutes to install the card; take your time and read this guide carefully, so that your installation will be as smooth and quick as mine.

Install the kernel headers for your current kernel, the ivtv source and utils; do that by running:

apt-get install linux-headers-`uname -r` ivtv-source ivtv-utils

Change into the kernel header directory and build the ivtv kernel module:

cd /usr/src/linux-headers-`uname -r`
m-a a-i ivtv

Ok, we installed everything we need and built the kernel module, but before we actually load it we need to copy the firmware into /lib/firmware/ or /usr/lib/hotplug/firmware/ (the second location is deprecated). I uploaded the firmware onto our server, feel free to use it. I DON'T GUARANTEE THIS FIRMWARE'S INTEGRITY AND TERANETWORKS.DE CAN NOT BE HELD RESPONSIBLE FOR ANY HARM THE FIRMWARE CAUSES. If you are still willing to use it you can find it here; you may also look for it on the net, your choice.

mkdir ivtv-firmware && tar -xf firmware.tar -C ivtv-firmware
cp ivtv-firmware/* /lib/firmware/    # or /usr/lib/hotplug/firmware/ (deprecated)

Now load the module and check if everything is ok

modprobe -v ivtv
dmesg

lsmod | grep ivtv should return something like this:

ivtv 155344 0
firmware_class 9600 1 ivtv
i2c_algo_bit 8424 1 ivtv
cx2341x 10308 1 ivtv
tveeprom 13840 1 ivtv
videodev 21120 1 ivtv
v4l1_compat 12036 2 ivtv,videodev
v4l2_common 20448 6 msp3400,saa7115,tuner,ivtv,cx2341x,videodev
i2c_core 19680 10 msp3400,saa7127,saa7115,tuner,ivtv,i2c_ali1535,i2c_ali15x3,i2c_algo_bit,tveeprom,i2c_ali1563
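Since the post makes no promise about the firmware archive's integrity, this is the check to run before anything from it lands in /lib/firmware: compare the tarball's SHA-256 against a digest obtained from a source you trust, and refuse archives whose member paths would escape the target directory. Added example in POSIX sh, not from the post; EXPECTED_SHA256 is a placeholder because the post publishes no digest, and the archive the accompanying test builds is constructed.

```shell
#!/bin/sh
# Added example (not from the post): verify a firmware tarball before
# extracting it into the firmware directory. EXPECTED_SHA256 is a placeholder;
# replace it with the digest published by a source you trust.

# sha256_of FILE: hex digest on stdout (coreutils or perl shasum, whichever exists)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_archive FILE EXPECTED: 0 if the digest matches, 1 otherwise
verify_archive() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# safe_members FILE: 0 unless some member path is absolute or contains a ".."
# component (either would let the archive write outside the destination)
safe_members() {
    tar -tf "$1" | awk 'BEGIN { bad = 0 }
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
        END { exit bad }'
}

# install_firmware FILE EXPECTED DEST: extract into DEST only after both checks
# pass; returns 0 on success, 1 on digest mismatch, 2 on unsafe member paths
install_firmware() {
    verify_archive "$1" "$2" || return 1
    safe_members "$1" || return 2
    mkdir -p "$3" && tar -xf "$1" -C "$3"
}

# placeholder: the post publishes no digest for its firmware.tar
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# usage (as root, in the directory holding the archive):
#   install_firmware firmware.tar "$EXPECTED_SHA256" /lib/firmware
```

The digest check guards against a corrupted or swapped download; the member-path check is independent of it and is worth keeping even for archives you built yourself, because tar will happily extract ../ paths when told to.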

If this tutorial does not work for you please let me know. Any questions? Feel free to leave a comment or write an email to siyb at projectx-thegame.de.

Thanks to Zhenech for correcting some parts of my howto.

Proftpd with TLS/SSL plus behind NAT howto, part 1

Posted on February 1st, 2007

As the ftp protocol was written in a time when nobody really thought about privacy on the internet it lacks some essential features, such as built-in encryption. Luckily this can easily be achieved with the mod_tls extension for proftpd, which is my favorite ftp daemon. As a large number of ftp clients can handle encrypted ftp sessions there is no reason for using unencrypted ftp, except for anonymous accounts, unless you would like your ISP and the RIAA, MPAA or GEMA to see what you are using your bandwidth for.

A quite useful list of ftp clients and the functions they support can be found here. If you don't like to install a standalone tool and are using Firefox to browse the web there is a quite perfect solution for you called FireFTP. It's a Firefox extension providing a feature-complete ftp client.

First you need to emerge (or whatever installing something is called in your favorite distro) proftpd and configure it. There are many howtos about configuring proftpd out there so these are just a few hints for the important things. I will write more based upon this howto, about vhosts and restricting resources for WAN but not for LAN, but at the moment we just want to use the ftp server with encryption ;)

#Normally, we want files to be overwriteable
AllowOverwrite on
HiddenStor on

#jail users to their homedir and disable root login
DefaultRoot ~/ ftp
RootLogin off

Now we come to the essential part of the proftpd.conf and create a certificate:

## create a dir where the certificate is located
# mkdir /etc/proftpd/ftpcert && cd /etc/proftpd/ftpcert
## generate a key and a certificate
# openssl genrsa 1024 > host.key && chmod 400 host.key
# openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert

Now we add the following to our proftpd.conf.

# TLS

TLSEngine on
TLSLog /var/log/proftpd/proftpd_tls.log
TLSProtocol SSLv23
TLSRequired off
TLSVerifyClient off
TLSRSACertificateFile /etc/proftpd/ftpcert/host.cert
TLSRSACertificateKeyFile /etc/proftpd/ftpcert/host.key

This activates the TLS extension for proftpd. If you want TLS required for _every_ login, change the following line

TLSRequired off

to

TLSRequired on

For people using NAT (like myself) there is some more configuration necessary. Everyone else can just restart proftpd and enjoy their well-earned encrypted ftping :)

For NAT users:

First we need to tell proftpd which IP to use behind NAT. Using

MasqueradeAddress 192.168.13.37

If you're running a home server you'll want to use your dyndns hostname as the address:

MasqueradeAddress hostname.dyndns.org

we tell proftpd to hide its IP address and use the public NAT address. Because we use passive FTP mode we would have to forward all ports >1024. This is possible but you should be aware of the massive security risks. I suggest specifying a port range instead, which requires us to forward a much smaller number of ports, and telling proftpd which ports to use for passive connections. I configured it to use the following ports:

PassivePorts 60000 65535

Now forward the ports in your router. Be aware that every router behaves differently. If you're running a router with DD-WRT firmware you have to go to the "Port Range Forwarding" section and not just "Port Forwarding", as we need a whole range of ports forwarded. I was nearly going mad until I figured out why my proftpd with TLS didn't work behind NAT :)
In general: RTFM of your router and forward the _range_ of ports and not only the two ports!!!
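An added example, not part of the post or of proftpd itself: a small POSIX sh audit that reads a proftpd.conf and reports the settings discussed above that weaken the setup: TLSRequired off (cleartext logins still accepted, as noted above), a TLSProtocol value that still admits SSLv2 or SSLv3 (SSLv23 does; current mod_tls accepts TLSProtocol TLSv1.2 TLSv1.3), and a MasqueradeAddress without a PassivePorts range (which is the "forward every port above 1024" situation). The two sample configs are constructed: the first mirrors the directives shown in the post, the second is the hardened variant.

```shell
#!/bin/sh
# Added example: audit the mod_tls / NAT directives in a proftpd.conf.
# Not proftpd code; the two sample configs below are constructed for the demo.

# directive CONF NAME: value of the last uncommented NAME line (empty if absent)
directive() {
    awk -v name="$2" '
        tolower($1) == tolower(name) { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$1"
}

# audit_conf CONF: one finding per line on stdout; returns the finding count
audit_conf() {
    conf=$1; n=0
    req=$(directive "$conf" TLSRequired)
    if [ "$req" != "on" ]; then
        echo "TLSRequired is '${req:-unset}': unencrypted logins are still accepted"
        n=$((n + 1))
    fi
    proto=$(directive "$conf" TLSProtocol)
    case " $proto " in
        *SSLv2*|*SSLv3*)
            echo "TLSProtocol '$proto' still permits obsolete SSL versions"
            n=$((n + 1)) ;;
    esac
    masq=$(directive "$conf" MasqueradeAddress)
    ports=$(directive "$conf" PassivePorts)
    if [ -n "$masq" ] && [ -z "$ports" ]; then
        echo "MasqueradeAddress without PassivePorts: every port above 1024 would need forwarding"
        n=$((n + 1))
    fi
    if [ -n "$ports" ]; then
        set -- $ports
        if [ "$#" -ne 2 ] || [ "$1" -le 1024 ] || [ "$2" -gt 65535 ] || [ "$1" -ge "$2" ]; then
            echo "PassivePorts '$ports' is not a sane range above 1024"
            n=$((n + 1))
        fi
    fi
    return $n
}

# write_sample_conf weak|hardened FILE: constructed configs for the demo
write_sample_conf() {
    if [ "$1" = weak ]; then
        cat > "$2" <<'EOF'
# TLS directives as shown in the post
TLSEngine on
TLSProtocol SSLv23
TLSRequired off
TLSVerifyClient off
MasqueradeAddress hostname.dyndns.org
EOF
    else
        cat > "$2" <<'EOF'
TLSEngine on
TLSProtocol TLSv1.2 TLSv1.3
TLSRequired on
TLSVerifyClient off
MasqueradeAddress hostname.dyndns.org
PassivePorts 60000 65535
EOF
    fi
}

# usage: audit_conf /etc/proftpd/proftpd.conf; echo "findings: $?"
```

The exit status is the number of findings, so the function slots into a deploy check as it is; the PassivePorts range must of course match what the router actually forwards, which no config parser can tell you.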

If you have worked according to this guide you should have a working and encrypted FTP-server now.
Next parts of this howto will be about using vhosts, general tuning (optimizations) and useful security enhancements so stay tuned :>

