Archive for category Solaris

My own referral…?


Funny story… at least I thought it was… I was on-site @ a customer’s data center the other day and was tasked with configuring a SUN LTO-3 Quantum tape drive, similar to the photo on the left here, among other things… No biggie, right…? Anyway… in my usual way I was Googling lots of stuff, because I don’t remember anything… and while doing so, I came across my own blog, this very one you are reading, for the answer. I thought that was awesome… I answered my own question… LOL 🙂


SUN-Jail – Solaris 10 convicted ! Part III Dammit… this friggin thing doesn’t restart @ boot-time !!!


Ok well I was not expecting to have a Part III, but I forgot some pretty important stuff… I guess I am so used to working with Linux where all of this manual crap is a “given,” meaning it is already configured to do what you would expect it to do… I got lazy and didn’t check the start-up scripts… and of course, on Solaris 10 at least, proftpd doesn’t just start on its own… So here are the steps to make that happen for you, as well as the start-up script I am currently using… Oh, and make sure that in your proftpd config file you have proftpd set as a standalone server:

# cat /usr/local/etc/proftpd.conf | grep ServerType
ServerType                      standalone

Go out and make this file in /etc/init.d:

# vi /etc/init.d/proftpd
#!/bin/sh
# Legacy rc script for proftpd on Solaris 10 (requires ServerType standalone)
case "$1" in
'start')
        /usr/local/sbin/proftpd
        ;;
'stop')
        # pkill -x matches the process name exactly, so it stops the daemon and its
        # session children without also killing this script, which a plain
        # "ps -ef | grep proftpd" would match (its own command line contains proftpd)
        pkill -x proftpd > /dev/null 2>&1
        ;;
*)
        echo "usage: $0 {start|stop}"
        exit 1
        ;;
esac
exit 0

# chmod 744 /etc/init.d/proftpd
# ln -s /etc/init.d/proftpd /etc/rc3.d/S99proftpd
# ln -s /etc/init.d/proftpd /etc/rc1.d/K99proftpd

I have webmin installed here, so I went in to test the scripts from the “System” dashboard under “Bootup and Shutdown” just to make sure it works; obviously you can also reboot as the final test for proper functionality. Sorry for the omissions 😦
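As an added check that is not part of the original post, the script below replays the chmod and ln steps above under a throwaway directory and then verifies each piece of the wiring: ServerType standalone in the config, an executable rc script, and S99/K99 links that resolve to it. The root directory is a parameter, so pointing check_proftpd_boot at / audits a real box without modifying anything; the function names and the sample tree are mine, not the post's.

```shell
#!/bin/sh
# Added example, not from the post: verify the proftpd boot wiring under a root dir.
# check_proftpd_boot ROOT: returns 0 when everything is in place, else reports and returns 1.
check_proftpd_boot() {
    root=$1; ok=0
    conf="$root/usr/local/etc/proftpd.conf"
    script="$root/etc/init.d/proftpd"
    # 1. an rc script only matters if proftpd runs standalone rather than from inetd
    grep -q '^ServerType[[:space:]]*standalone' "$conf" 2>/dev/null \
        || { echo "ServerType is not standalone in $conf"; ok=1; }
    # 2. the script has to exist and be executable (the post uses mode 744)
    [ -x "$script" ] || { echo "$script is missing or not executable"; ok=1; }
    # 3. S99 in rc3.d starts it, K99 in rc1.d stops it; both must be links to the script
    for link in etc/rc3.d/S99proftpd etc/rc1.d/K99proftpd; do
        [ -L "$root/$link" ] && [ "$(readlink "$root/$link")" = "$script" ] \
            || { echo "$link does not point at $script"; ok=1; }
    done
    return $ok
}

# build_sample_tree: constructed stand-in for /etc and /usr/local that replays the
# post's steps (conf line, rc script, chmod 744, the two ln -s) and prints its path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/etc" "$root/etc/init.d" "$root/etc/rc3.d" "$root/etc/rc1.d"
    echo 'ServerType standalone' > "$root/usr/local/etc/proftpd.conf"
    printf '#!/bin/sh\n# stand-in rc script for the sample tree\n' > "$root/etc/init.d/proftpd"
    chmod 744 "$root/etc/init.d/proftpd"
    ln -s "$root/etc/init.d/proftpd" "$root/etc/rc3.d/S99proftpd"
    ln -s "$root/etc/init.d/proftpd" "$root/etc/rc1.d/K99proftpd"
    echo "$root"
}

ROOT=$(build_sample_tree)
check_proftpd_boot "$ROOT" && echo "boot wiring OK under $ROOT"
```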


SUN-Jail – Solaris 10 convicted ! Part II Dammit… I forgot to lock the door !


OK… so hopefully you already went through Part I, but if not, this may not make much sense, as I am not going to re-visit anything here. This is for the mod_tls setup for FTPS, or FTPES if you are using FileZilla… I was not familiar with the FTPES connection state, but now I am and so are you… I was using FireFTP and everything was working fine, but in the interest of testing more than what I use, I found this new tidbit of information 🙂

So let's first tweak the proftpd.conf file; add this to the bottom of the file:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
</IfModule>
Take note of the files referenced here. Go ahead and create the log dir (/var/log/proftpd); definitely do this, as you will need the log if anything is not working… and then we can move on to making the key/cert. Keep in mind that I am using webmin for the proftpd control, and it allows you to apply changes following a save, eliminating the need for a manual restart of proftpd 🙂

Make this dir; please do, or the key/cert command will whine like a bitty baby…

mkdir -p /etc/proftpd/ssl

Then make the key/cert:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Make sure to answer all the posed questions:

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

And again, now we are done. Not too bad… right? I set up a few test users so I could tail the log file and watch as they log in, to make sure I can see what is expected as well as what isn’t…

May 25 15:35:08 mod_tls/2.2.1[2020]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:26 mod_tls/2.2.1[2021]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:26 mod_tls/2.2.1[2021]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:27 mod_tls/2.2.1[2021]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 25 15:35:27 mod_tls/2.2.1[2021]: Protection set to Private
May 25 15:35:51 mod_tls/2.2.1[2022]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:52 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:33 mod_tls/2.2.1[2023]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:36:33 mod_tls/2.2.1[2023]: TLS/TLS-C requested, starting TLS handshake
May 25 15:36:33 mod_tls/2.2.1[2023]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
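The log above shows TLS being negotiated, but the block as written still leaves a few things open: TLSRequired off means a client may still log in over plain FTP, TLSProtocol SSLv23 still accepts SSLv3, and the -nodes key is unencrypted on disk. The following audit script is an added example, not from the original post or the proftpd project; it reads only the mod_tls block of a proftpd.conf given as its argument, and the tls_value/tls_audit names and the constructed sample are mine.

```shell
#!/bin/sh
# Added example (not from the post): audit the <IfModule mod_tls.c> block for settings
# that leave the door open even with TLS enabled. The conf path is the first argument.

# tls_value CONF DIRECTIVE: print the directive's value, looking only inside the mod_tls block
tls_value() {
    awk -v want="$2" '
        $1 == "<IfModule" && $2 == "mod_tls.c>" { in_tls = 1; next }
        $1 == "</IfModule>"                     { in_tls = 0 }
        in_tls && $1 == want                    { print $2; exit }
    ' "$1"
}

# tls_audit CONF: one finding per line on stdout, nothing when the block is sound
tls_audit() {
    [ "$(tls_value "$1" TLSEngine)" = on ] \
        || echo "TLSEngine is not on: mod_tls will never negotiate TLS"
    proto=$(tls_value "$1" TLSProtocol)
    case "$proto" in
        TLSv1*) ;;       # TLSv1 or newer only
        *) echo "TLSProtocol ${proto:-unset} still accepts SSLv3; set TLSProtocol TLSv1 (or newer)" ;;
    esac
    case "$(tls_value "$1" TLSRequired)" in
        on|ctrl|auth) ;; # at least the login is forced over TLS
        *) echo "TLSRequired off: USER/PASS can still be sent over plain FTP" ;;
    esac
    key=$(tls_value "$1" TLSRSACertificateKeyFile)
    if [ -n "$key" ] && [ -f "$key" ]; then
        # columns 5-10 of ls -l are the group/other bits; a -nodes key should show none
        [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
            || echo "$key is readable by group/other: an unencrypted key should be mode 0600"
    fi
}

# Constructed sample: the block from the post plus a dummy unencrypted key beside it
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/proftpd.conf" <<EOF
<IfModule mod_tls.c>
TLSEngine                  on
TLSProtocol                SSLv23
TLSRSACertificateKeyFile   $SAMPLE/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
</IfModule>
EOF
echo "constructed placeholder, not a real key" > "$SAMPLE/proftpd.key.pem"
chmod 644 "$SAMPLE/proftpd.key.pem"
tls_audit "$SAMPLE/proftpd.conf"   # prints three findings for the post's settings
```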
