The version of ProFTPD that ships with Plesk since version 9.5 contains a bug that results in a security vulnerability. Until Parallels releases a fix you should not use the FTP server shipped with Plesk.
On RHEL, CentOS and Fedora you can simply use Atomic Rocket Turtle's Plesk repository, which contains a patched version of psa-proftpd. On Debian based systems one possible solution is to replace the package psa-proftpd with proftpd-basic, which is shipped with Debian and with Ubuntu Karmic and newer.
WARNING: The solution described on this page works for us on our own servers (Plesk 9.5.3 on Ubuntu Hardy). This does not mean that it will work on your servers with your own configuration. If you follow these tips you DO SO AT YOUR OWN RISK. Neither we nor Parallels are responsible for any damage to your system caused by the steps described below. Also please note that replacing the psa-proftpd package loses some functionality, because psa-proftpd includes some special patches from Parallels. I tested this method also with Plesk 10.0.1 on Debian Lenny and it did NOT work! You have been warned...
Due to dependency issues, you can't simply replace psa-proftpd with proftpd-basic. On our server we use a dummy package that depends on proftpd-basic and provides psa-proftpd. You can download it here:
Remove psa-proftpd and install proftpd-replacement with:
dpkg -r --ignore-depends=psa-proftpd-inetd psa-proftpd
dpkg -i proftpd-replacement_1.0_all.deb
After that, let apt install proftpd-basic and all necessary dependencies by running
apt-get -f install
When prompted, make sure to keep all existing configuration files, and configure ProFTPD to be run by inetd.
Note that this will fail on Ubuntu Hardy because there is no package named proftpd-basic! If you're running Ubuntu Hardy have a look into the next section.
Ubuntu 8.04 LTS ships with ProFTPD v. 1.3.1. The package is named proftpd and not proftpd-basic, which causes problems when using our package proftpd-replacement. There are two possibilities:
We didn't want to use ProFTPD v. 1.3.1 so we backported version 1.3.3a-5 from Ubuntu Natty. This version includes a patch for the bug mentioned above. You can download our package for Ubuntu Hardy i386 here:
Remove psa-proftpd and install proftpd-basic:
dpkg -r --ignore-depends=psa-proftpd-inetd psa-proftpd
dpkg -i proftpd-basic_1.3.3a-5~bico1_i386.deb
For amd64 you can build a package on your own by using our source packages:
... and the following commands (you will need to install debhelper from hardy-backports, and possibly some other build dependencies):
dpkg-source -x proftpd-dfsg_1.3.3a-5~bico1.dsc
cd proftpd-dfsg-1.3.3a
dpkg-buildpackage -rfakeroot
After installing proftpd-basic you should be able to install proftpd-replacement or, if you did so already, to configure it:
apt-get -f install
service ftp
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.proftpd
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    instances       = 30
    nice            = 10
}
After that you need to restart xinetd.
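A post-replacement sanity check, added here as an example and not part of the original page or the packages above: it fails if psa-proftpd is still installed, if neither proftpd-basic nor proftpd is present, or if the xinetd "service ftp" stanza is disabled, does not use wait = no, or does not start /usr/sbin/in.proftpd. The stanza path /etc/xinetd.d/ftp is an assumption; pass your own path as the first argument.

```shell
#!/bin/sh
# Post-replacement check for the psa-proftpd -> proftpd-basic swap (added example,
# not from the page). Assumed: stanza path /etc/xinetd.d/ftp, server /usr/sbin/in.proftpd.

# dpkg "Status" field of a package; empty when dpkg-query is unavailable.
pkg_status() { dpkg-query -W -f='${Status}' "$1" 2>/dev/null || true; }

# 0 when a dpkg Status string denotes a fully installed package.
is_installed_status() { [ "$1" = "install ok installed" ]; }

# Validate the xinetd 'service ftp' stanza: enabled, wait = no, server = in.proftpd.
# Prints every problem found; returns 0 only when the stanza is usable.
check_ftp_stanza() {
    awk '
        /^[[:space:]]*service[[:space:]]+ftp([[:space:]]|$)/ { in_ftp = 1 }
        in_ftp && /^[[:space:]]*}/ { in_ftp = 0 }
        in_ftp {
            line = $0
            gsub(/[[:space:]]/, "", line)   # "disable = no" -> "disable=no"
            if (line == "disable=no")                  enabled = 1
            if (line == "wait=no")                     nowait = 1
            if (line == "server=/usr/sbin/in.proftpd") server = 1
        }
        END {
            rc = 0
            if (!enabled) { print "ftp service is not enabled (disable = no)"; rc = 1 }
            if (!nowait)  { print "wait must be no for in.proftpd";          rc = 1 }
            if (!server)  { print "server is not /usr/sbin/in.proftpd";      rc = 1 }
            exit rc
        }' "$1"
}

# Whole check; non-zero means the vulnerable build may still be what serves FTP.
proftpd_check() {
    stanza=${1:-/etc/xinetd.d/ftp}
    rc=0
    if is_installed_status "$(pkg_status psa-proftpd)"; then
        echo "psa-proftpd is still installed: the vulnerable build is still present"; rc=1
    fi
    if ! is_installed_status "$(pkg_status proftpd-basic)" &&
       ! is_installed_status "$(pkg_status proftpd)"; then
        echo "neither proftpd-basic nor proftpd is installed"; rc=1
    fi
    [ -x /usr/sbin/in.proftpd ] || { echo "/usr/sbin/in.proftpd is missing"; rc=1; }
    check_ftp_stanza "$stanza" || rc=1
    return $rc
}
# Run the check when a stanza path is given on the command line.
if [ -n "${1:-}" ]; then proftpd_check "$1"; fi
```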
TLSOptions NoSessionReuseRequired