HOWTO CorpProFTPD

From Gentoo Linux Wiki

This article is part of the HOWTO series.


Introduction

The purpose of this howto is to configure a modern FTP server for public or corporate consumption. This means solving three basic requirements:

  1. System users have general access to the FTP server from outside and inside the LAN
  2. FTP users (clients) only have chrooted access from outside the FTP server
  3. System is mainly self managed (files scrub themselves, accounts get nuked after X days)


The guide will be separated into three parts, depending on how many of the above requirements you want to implement:

  1. Base install of ProFTPD
  2. Basic configuration of ProFTPD
  3. Advanced configuration

Current system configuration

To avoid any confusion and to ensure that you get the most out of this guide, please consider the following system context:

Current System Context

Variable    Environment
Date        June 2008
Kernel      2.6.25.1 SMP
ProFTPD     net-ftp/proftpd-1.3.1_rc2-r3


Caution about FTP solutions

FTP servers are basically vestigial remnants of the early 90s: legacy technology that has made its way into most OSes today, usually in the form of a very scaled-down FTP client that is part of some GUI. What is even more unfortunate is that the advancements in the RFCs haven't really been adopted throughout, leaving SFTP and other great features out of the lowest-common-denominator feature set. That means you need to educate your user base about the perils of FTP:

  • Generally unsafe as client/server protocols use clear text to pass passwords around
  • Extremely chatty on the command interface, causing extreme performance degradation when transferring large numbers of small files
  • Client implementations are usually poor and untested
  • Very few checks are performed to ensure that a file was fully transferred (i.e. no CRC)
  • Files are transferred without the use of PKI or any other security features

So keep that in mind when posting credit-card lists in text format on FTP servers. (Don't laugh, I've seen it done =))

Base install

Become root and run the following commands:

# echo 'net-ftp/proftpd -ipv6 -ssl authfile vroot' >> /etc/portage/package.use

Your server will not require SSL, as most people won't even know how to set that up. Additionally, it's very unlikely that you will require IPv6 unless you have a very specific target audience in mind.


Next, you must install the package from Portage:

# emerge --sync
# emerge -av proftpd

Make sure your dependencies are met before proceeding.

Once the application compiles you will have an unconfigured FTP server installed on your Gentoo machine. The installer also creates the proftpd and ftp users and groups:

# cat /etc/group|grep ftp && cat /etc/passwd|grep ftp

The command should return something like this:

ftp:x:21:
proftpd:x:1004:
ftp:x:21:21:by portage for ftpbase:/home/ftp:/sbin/nologin
proftpd:x:101:1004:by portage for proftpd:/dev/null:/sbin/nologin 

If for some reason these groups and accounts were not created then you need to do this by hand.


Basic Configuration

The plan is to configure the server to run on Port 21 with a separated user base for system users and "guest" users. Guest users are those who may require an FTP account but should not have shell accounts. Anonymous access is disabled.

Configuration file: proftpd.conf

Your default configuration file is /etc/proftpd/proftpd.conf.

Normally this file is created by copying /etc/proftpd/proftpd.sample. In your case, however, you can start from a fresh, empty file and use the example below as a starting point.

Issue the following commands as root:

# touch /etc/proftpd/proftpd.conf
# vi /etc/proftpd/proftpd.conf

You will now be editing a blank file. Go ahead and paste the sample config provided below:

File: /etc/proftpd/proftpd.conf
# Directives outside any <VirtualHost> block apply to the default (main) server.
ServerName                      "FTP Server"
ServerType                      standalone
DeferWelcome                    off
Port                            21
Umask                           002

MaxInstances                    30
TimeoutLogin                    120
TimeoutIdle                     600
TimeoutNoTransfer               900
TimeoutStalled                  3600

DefaultServer                   off
DefaultAddress                  127.0.0.1

User                            proftpd
Group                           proftpd

PassivePorts                    52300 52323

DefaultRoot                     /pub/ftproot

LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "[%P] %h %{%Y-%m-%d}t \"%r\" %s"
LogFormat                       write   "%h %l %u %t \"%r\" %s %b"

<Global>
        AllowOverwrite          yes
        UseReverseDNS           off
        IdentLookups            off
</Global>

# Base server cannot have ANY writing
<Limit WRITE>
        DenyAll
</Limit>

<VirtualHost 192.168.0.1>
ServerAdmin             ftp.admin@mycompany.com
ServerName              "MyCompany Client Access Server"
MaxLoginAttempts        5
RequireValidShell       no
DefaultRoot             ~
DefaultServer           on
AllowOverwrite          yes
AuthUserFile            /etc/proftpd/ftpd.passwd
AuthGroupFile           /etc/proftpd/ftpd.group
User                    ftp
Group                   ftp
ExtendedLog             /var/log/ftp/auth.log AUTH auth

        <Directory ~>
                <Limit STOR>
                        AllowAll
                </Limit>
                <Limit WRITE DIRS READ>
                        AllowAll
                </Limit>
                <Limit CWD XCWD CDUP>
                        AllowAll
                </Limit>
        </Directory>
</VirtualHost>


  • The above configuration limits the default FTP server to localhost and exposes a public server at IP 192.168.0.1. In corporate settings this is usually an internal address on your DMZ configured with a static NAT rule on the firewall that binds it to the external address.
  • Notice the AuthUserFile and AuthGroupFile settings. This uses external files /etc/proftpd/ftpd.passwd, and /etc/proftpd/ftpd.group respectively to house all FTP accounts. This way you do not have FTP accounts polluting your posix account index.

Note: this does not mean you have to re-create Unix accounts in the local files. Both account types will allow you to log in.

  • Be sure to create (or adjust) the root directory of your server, given by DefaultRoot /pub/ftproot.
  • Take notice of LogFormat auth "[%P] %h %{%Y-%m-%d}t \"%r\" %s". This format records the date on which each user logged into your FTP server. This is important for future reference, as you will be writing scripts that scrape this file to determine when a user last logged on.
  • Here is the line to capture authentication to your external FTP server: ExtendedLog /var/log/ftp/auth.log AUTH auth. Ensure that this file exists in the appropriate location.

Final environment adjustments

You are almost ready to fire up the FTP server for the first time. Since the point of this exercise is to allow non-posix accounts to authenticate and access the FTP server, there are still a few things to do.


First, make sure that ftproot is owned by ftp:ftp, and that all folders and files underneath the root are owned by ftp:ftp as well:

# mkdir /pub/ftproot
# chown -R ftp:ftp /pub/ftproot
# chmod -R 777 /pub/ftproot

Next, make sure log files exist:

# touch /var/log/ftp/auth.log

Finally, create blank local account access files:

# touch /etc/proftpd/ftpd.passwd /etc/proftpd/ftpd.group

Firing up the FTP server

Go over the configuration file and make sure that all paths and files exist. Once you've done that you are ready to fire up the server:

# /etc/init.d/proftpd start

Watch to make sure you don't have any errors. Assuming that the server started without error, go ahead and log in using your regular shell account login and password. Your home directory will be your standard /home/yourloginid.


Adding external user accounts

Finally you need to be able to add some non-system accounts. For this your best bet is to use a third party script that you can download here:

http://www.castaglia.org/proftpd/contrib/ftpasswd


Go ahead and fetch this file and store it in /pub/bin

# cd /pub/bin
# wget http://www.castaglia.org/proftpd/contrib/ftpasswd
# chmod +x ftpasswd


Next, change your directory over to where you created your ftpd.passwd and ftpd.group files:

# cd /etc/proftpd

Run ftpasswd:

# ftpasswd --passwd --name="bob" --uid=1000 --home=/pub/ftproot/bob --shell=/bin/false

Make bob's ftp home directory:

# mkdir /pub/ftproot/bob
# chown -R ftp:ftp /pub/ftproot/bob
# chmod -R 777 /pub/ftproot/bob


Then follow the prompt to set the user's password. Now try logging in with the bob account and the password you just set.


Advanced configuration

As you can see from the above, managing a corporate FTP server one user at a time can be very time consuming. This is why you need to write a series of bash scripts and cron jobs to help you along. This section shows you a few sample scripts you can use to easily manage the FTP server and covers the following topics:

  1. User-adding and user-deleting script
  2. Cron job to clean out files that are over 90 days old
  3. Cron job to clean out users who have not logged in for 2 months
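The third item above, and the auth.log scraping mentioned in the LogFormat note earlier, can be done with a small script like the following. It is an added example and not part of the original HOWTO; it assumes the auth LogFormat "[%P] %h %{%Y-%m-%d}t \"%r\" %s" and the ftpd.passwd layout produced by ftpasswd, and the log and password data it uses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original HOWTO). Scrapes the "auth" ExtendedLog,
# whose lines look like:  [%P] %h %{%Y-%m-%d}t "%r" %s
# A successful login is a PASS line answered with 230; the user name is on the
# USER line carrying the same process id, so the two lines are joined on it.

# last_logins LOGFILE -> "user YYYY-MM-DD" per user, newest successful login
last_logins() {
    awk '
        { pid = $1 }                                  # "[1234]": one FTP session
        $4 == "\"USER" { user[pid] = substr($5, 1, length($5) - 1); next }
        $4 == "\"PASS" && $NF == 230 && (pid in user) {
            if ($3 > last[user[pid]]) last[user[pid]] = $3   # ISO dates sort lexically
        }
        END { for (u in last) print u, last[u] }
    ' "$1" | sort
}

# stale_users PASSWDFILE LOGFILE CUTOFF -> accounts in ftpd.passwd with no
# successful login on or after CUTOFF (YYYY-MM-DD); never-logged-in users count too
stale_users() {
    last_logins "$2" | awk -v cutoff="$3" -v users="$(cut -d: -f1 "$1" | tr '\n' ' ')" '
        { last[$1] = $2 }
        END {
            n = split(users, u, " ")
            for (i = 1; i <= n; i++)
                if (!(u[i] in last) || last[u[i]] < cutoff) print u[i]
        }'
}

# make_samples DIR -> writes constructed sample data (not real server output)
make_samples() {
    cat > "$1/auth.log" <<'EOF'
[2101] 192.168.0.50 2008-04-02 "USER bob" 331
[2101] 192.168.0.50 2008-04-02 "PASS (hidden)" 230
[2150] 192.168.0.51 2008-05-20 "USER alice" 331
[2150] 192.168.0.51 2008-05-20 "PASS (hidden)" 530
[2188] 192.168.0.51 2008-06-10 "USER alice" 331
[2188] 192.168.0.51 2008-06-10 "PASS (hidden)" 230
EOF
    cat > "$1/ftpd.passwd" <<'EOF'
bob:$1$sample$notarealhash:1000:1000::/pub/ftproot/bob:/bin/false
alice:$1$sample$notarealhash:1001:1001::/pub/ftproot/alice:/bin/false
carol:$1$sample$notarealhash:1002:1002::/pub/ftproot/carol:/bin/false
EOF
}

# Demo: "today" is taken as 2008-06-15, so the 60-day cutoff is 2008-04-16.
# On a live system compute it with: cutoff=$(date -d '60 days ago' +%F)
dir=$(mktemp -d) && make_samples "$dir"
stale_users "$dir/ftpd.passwd" "$dir/auth.log" 2008-04-16    # prints bob and carol
```

The printed names are the candidates for the cleanup cron job; feed them to ftpasswd --delete-user (and archive their home directories) rather than deleting blindly, since a failed PASS (530) never counts as activity.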

Automating addition/removal of users

Need to paste content.

Automating file cleanup

Need to paste content.

Automating external account cleanup

Need to paste content.

About the author

Greg Fleury is a 10-year veteran of the technology field. He started out writing communication protocols in C++ for CA, moved to architecture and business analysis, conducted project management and business analysis for a local Identity Management solutions provider, and now holds a managerial position with an online marketing firm in Calgary, Alberta, Canada.
