Francesco Paolo Lovergine wrote:
severity 335902 normal thanks
Ack.
421 is not mandatory in RFC 959. Btw, add your proftpd.conf and a dumping session to the report to help.
proftpd.conf attached. By the way, any clue why with this conf proftpd still binds itself to all the interfaces?

$ sudo netstat -natup | grep ":21"
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 26099/proftpd: (acc
Dump generated with tcpdump -ni lo -s0 -w dump (an ftp session is opened before the dump to saturate the server; the dump traces the second session).
Thanks

Upstream reports: My guess is that they're encountering their MaxInstances limit, rather than MaxClients, since that will cause proftpd to simply close the connection as soon as possible, before doing any special handling (such as sending an error reply).
Correct, MaxInstances=MaxClients=1 in this testbed configuration. Our regular ftp server was running with MaxInstances=MaxClients=100. Even if 421 is not mandatory, it might be more "polite" to return it instead of closing the connection. Right now anybody using VirusScan 7.1.0 and hitting MaxInstances gets stuck with a process eating 100% of the CPU. Other borked ftp clients might be hit by this problem.
@+,
Fab
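To make the failure mode in the report concrete, here is an added example (it is not part of the bug report and not ProFTPD code). A constructed stand-in listener on 127.0.0.1 accepts one connection and then either sends a 421 reply before closing, or just closes the socket, which is what the report observed when MaxInstances was reached. Two client-side readers are run against it: a naive one that treats an empty recv() as "nothing yet" and keeps looping (the shape of a 100%-CPU spin; the iteration cap here only exists so the demonstration terminates), and a robust one that treats recv() returning b'' as the peer having closed the connection. The server, the reply text and the function names are all assumptions made for the example.

```python
import socket
import threading


def run_fake_ftp_server(send_421: bool) -> int:
    """Constructed stand-in for a saturated FTP server.

    Accepts exactly one connection on 127.0.0.1, optionally sends a
    421 reply, then closes. Returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if send_421:
            # The "polite" behaviour asked for in the report (constructed text).
            conn.sendall(b"421 Too many connections; try again later.\r\n")
        # The observed behaviour: close without any reply line.
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def read_greeting_naive(sock, max_iterations=1000):
    """Buggy client pattern: an empty recv() is treated as 'no data yet'.

    After the peer closes, recv() returns b'' immediately and forever, so
    this loop never blocks again and burns CPU. Returns (line, iterations);
    line is None if the cap was hit (a real client would never return).
    """
    buf = b""
    iterations = 0
    while b"\r\n" not in buf:
        iterations += 1
        if iterations > max_iterations:
            return None, iterations
        buf += sock.recv(4096)
    return buf.split(b"\r\n", 1)[0], iterations


def read_greeting_robust(sock):
    """Correct client pattern: b'' from recv() means EOF, stop and report it."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None  # connection closed before any reply line arrived
        buf += chunk
    return buf.split(b"\r\n", 1)[0].decode("ascii", "replace")


def connect_and_read(send_421: bool, robust: bool):
    """Run one client against the stand-in server and return what it saw."""
    port = run_fake_ftp_server(send_421)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        if robust:
            return read_greeting_robust(s)
        return read_greeting_naive(s)


if __name__ == "__main__":
    print("robust, 421 sent :", connect_and_read(True, True))
    print("robust, just close:", connect_and_read(False, True))
    print("naive,  421 sent :", connect_and_read(True, False))
    print("naive,  just close:", connect_and_read(False, False))
```

With a 421 both readers return the reply line; without one the robust reader returns None after a single recv(), while the naive reader runs through its whole iteration cap, which is the spin the report describes. Whether or not the server sends 421, a client must handle the bare close, since a closed connection is the only signal it is guaranteed to get.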
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "srvtest"
Bind 127.0.0.1
ServerType standalone
DeferWelcome off
ShowSymlinks on
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
DelayEngine off
#DelayEngine on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd off

# Port 21 is the standard FTP port.
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 1

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Normally, we want files to be overwriteable.
<Directory /*>
  # Umask 022 is a good standard umask to prevent new files and dirs
  # (second parm) from being group and world writable.
  Umask 022 022
  AllowOverwrite on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous /home/ftp>
  User ftp
  Group nogroup
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  RequireValidShell off
  # Limit the maximum number of anonymous logins
  MaxClients 1
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
Attachment: dump.proftpd (binary data)
Attachment: dump.vsftpd (binary data)

