ProFTPd
From Gentoo Linux Wiki
[edit] Introduction
FTP daemons are easy to set up and convenient if you want to share files publicly. They can be especially useful as an alternative to local network file systems or SSHD if security is not a concern.
[edit] Current Problems
Currently, the versions of ProFTPd available in portage (proftpd-1.3.1_rc3 and proftpd-1.3.1_rc2-r3) are not working. They fail when started with the error:
LoadModule: error loading module 'mod_lang.c':
This is a known bug:
The only workaround at present involves commenting out a line in /etc/proftpd/modules.conf. However, this file is not present when proftpd is built with portage.
[edit] Emerge ProFTPd
As root, run these commands:
emerge --sync
emerge -av proftpd
Check flags and dependencies before emerge.
[edit] Configuration
Your configuration files are located in /etc/proftpd.
Before starting proftpd, you need a configuration file named proftpd.conf.
The proftpd package includes two sample files, already located in /etc/proftpd, that you can start with: proftpd.conf.distrib and proftpd.conf.sample.
For this example, we are going to use the sample config file. Copy it to proftpd.conf and then open it with your favorite editor:
cd /etc/proftpd
cp proftpd.conf.sample proftpd.conf
vim proftpd.conf
[edit] FTP Server User and Group
As of the most recent version of ProFTPD (this being written on Jan. 7, 2006), ProFTPD depends on ftpbase, which sets up the FTP user and group (and probably other stuff). You may need to fix the ownership of the /home/ftp folder; in some cases it is created as owned by root:ftp.
You'll need to edit the ProFTPD conf as so:
# Set the user and group under which the server will run.
User ftp
Group ftp
[edit] Standalone or via inetd/xinetd
There are two ways to start proftpd: standalone, where proftpd itself listens on the ports and handles client requests, or via an internet services daemon, inetd or xinetd. Standalone is best suited for high-traffic sites, where the overhead of parsing the configuration file and starting proftpd for every connection would be too high.
[edit] standalone
Edit this line in proftpd.conf:
ServerType standalone
You may also need to add the proftpd user and group:
# automatic with recent proftpd
adduser proftpd
groupadd proftpd
Add it to the default runlevel and start the daemon for this session:
rc-update add proftpd default
/etc/init.d/proftpd start
[edit] xinetd
Edit this line in proftpd.conf:
ServerType inetd
If xinetd is installed, the proftpd installation has created a basic /etc/xinetd.d/proftpd; otherwise reinstall proftpd or create the file by hand. Comment out the line disable = yes or change it to disable = no. Xinetd can also control host access and much more. Be careful as my version (2.3.13) of Xinetd did not allow connections from anywhere but localhost until I specified the 'only_from' directive!
File: /etc/xinetd.d/proftpd
service proftpd
{
    ...
    # Allow access from the local network (ie, 192.168.0.0/24)
    only_from = 192.168.0.0/24
    # And from two remote locations (+= appends to the list; a second
    # "only_from =" would replace it)
    only_from += 10.1.1.2 sampleconfig.com
    # Or, instead of the above, allow from anywhere
    only_from = 0.0.0.0
    ...
}
[edit] iptables/firewall
Remember, if you are running a firewall, to open port 21. If you are using iptables, add a line similar to this to /var/lib/iptables/rules-save:
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
and for passive mode, you will also have to add this line:
-A INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT
By default, proftpd listens for connections on port 21, but it can be changed in the configuration file.
[edit] PAM and LDAP
When using PAM with an LDAP backend (e.g. OpenLDAP) for user authentication, add the following line to proftpd.conf:
File: /etc/proftpd/proftpd.conf
PersistentPasswd off
[edit] MySQL
If you host multiple FTP sites (virtual FTP sites), using MySQL might work better. If you choose MySQL to store FTP users and user information, proftpd needs to be compiled with mysql support. Simply add mysql to /etc/make.conf or /etc/portage/package.use. See HOWTO MySQL for MySQL installation instructions.
Once compiled with mysql support, fire up /etc/proftpd/proftpd.conf and add the following:
File: /etc/proftpd/proftpd.conf
# Password type
SQLAuthTypes Plaintext
# Authentication type
SQLAuthenticate users
# Use only SQL when authenticating, and not the system's /etc/passwd
# If the user's information is not in SQL, they're not a user to use
# this server.
AuthOrder mod_sql.c
# DB connect info. Format: database_name@server_address database_username database_password
SQLConnectInfo ftp@localhost ftp PASSWORD
# Default UID/GID. Change to suit needs.
SQLDefaultUID 5000
SQLDefaultGID 5000
# Minimum UID/GID. Change to suit needs.
SQLMinUserUID 1000
SQLMinUserGID 1000
# Database query. Format: ** defined below **
SQLUserInfo ftp username passwd uid gid ftpdir homedir
# Jail users in ftpdir
DefaultRoot ~
### It is wise when making an 'ftp' user that you either block its
### ability to login via /etc/login.access or by giving it
### an invalid shell.
### Uncomment this if the 'ftp' user you made has an invalid shell
RequireValidShell off
Column breakdown of SQLUserInfo above:
ftp => database table with user information
username => username
passwd => password
uid => UID of ftpdir
gid => GID of ftpdir
ftpdir => user directory; this is the full, absolute path to the directory the user will log into
homedir => irrelevant but mandatory, as proftpd will not start otherwise. If RequireValidShell is off, then homedir can be null.
- The last two columns must be homedir and shell!
And finally, here is a sample database template that is quite usable:
Code: SQL query
CREATE TABLE ftp (
  user_id int(11) NOT NULL auto_increment,
  username varchar(100) DEFAULT '' NOT NULL,
  passwd varchar(50) DEFAULT '' NOT NULL,
  uid int(5) DEFAULT '5000' NOT NULL,
  gid int(5) DEFAULT '5000' NOT NULL,
  ftpdir varchar(255) DEFAULT '' NOT NULL,
  homedir varchar(255) DEFAULT '' NOT NULL,
  PRIMARY KEY (user_id),
  UNIQUE (username)
);
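A mismatch between the column names in SQLUserInfo and the table is a common reason for mod_sql logins to fail. As an added check (not part of the wiki page or of ProFTPD itself), the POSIX shell function below verifies that a SQLUserInfo directive carries the table name plus exactly six columns, that every column exists in the CREATE TABLE statement, and reports which columns land in the homedir and shell slots. The schema is the one from this page, written to a temporary file as constructed input.

```shell
# Constructed input: the CREATE TABLE statement from this page, written to a
# temporary file so the check can run offline.
SCHEMA=$(mktemp)
cat >"$SCHEMA" <<'EOF'
CREATE TABLE ftp (
user_id int(11) NOT NULL auto_increment,
username varchar(100) DEFAULT '' NOT NULL,
passwd varchar(50) DEFAULT '' NOT NULL,
uid int(5) DEFAULT '5000' NOT NULL,
gid int(5) DEFAULT '5000' NOT NULL,
ftpdir varchar(255) DEFAULT '' NOT NULL,
homedir varchar(255) DEFAULT '' NOT NULL,
PRIMARY KEY (user_id),
UNIQUE (username)
);
EOF

# check_sqluserinfo 'SQLUserInfo ...' SCHEMA_FILE
# Prints one line per problem found; returns 0 only when the directive names
# an existing table plus six columns that all exist in that table.
check_sqluserinfo() {
    schema=$2
    set -- $1                      # split the directive into words
    [ "$1" = "SQLUserInfo" ] || { echo "not a SQLUserInfo directive"; return 1; }
    shift
    if [ $# -ne 7 ]; then
        echo "expected table name + 6 columns, got $# arguments"
        return 1
    fi
    table=$1; shift
    # Column names: first word of each line inside the matching CREATE TABLE
    # body, skipping the PRIMARY KEY / UNIQUE constraint lines.
    cols=$(awk -v t="$table" '
        /^CREATE TABLE/ { intable = ($3 == t); next }
        intable && /^\)/ { intable = 0 }
        intable && NF && $1 != "PRIMARY" && $1 != "UNIQUE" { print $1 }' "$schema")
    [ -n "$cols" ] || { echo "table $table not found in $schema"; return 1; }
    rc=0
    for want in "$@"; do
        echo "$cols" | grep -qx "$want" || { echo "column $want missing from $table"; rc=1; }
    done
    # mod_sql reads the 5th column as the home directory and the 6th as the
    # shell, whatever they are called; show the mapping for the operator.
    [ $rc -eq 0 ] && echo "homedir column: $5, shell column: $6"
    return $rc
}

check_sqluserinfo 'SQLUserInfo ftp username passwd uid gid ftpdir homedir' "$SCHEMA"
```

The check says nothing about SQLAuthTypes: Plaintext stores passwords unhashed in the table, and mod_sql also accepts Crypt for crypt(3) hashes.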
[edit] Fast logins
You may have noticed that logging in to the FTP server can take a while. This is probably caused by a firewall or DNS timeout. By default ProFTPD will try to do both DNS and ident lookups against the incoming connection. If these are blocked or excessively delayed a slower than normal login will result. To turn off DNS and ident use:
UseReverseDNS off
IdentLookups off
Thanks go to Mark Lowes: http://www.proftpd.org/docs/faq/faq_full.html#AEN341
[edit] Passive Mode
If you don't set the PassivePorts directive, your proftpd will probably be inaccessible from the internet, because most clients deny incoming connections. So set the ports for passive mode:
PassivePorts min-pasv-port max-pasv-port
Run something like this:
iptables -A INPUT -p tcp -m multiport --destination-ports min-pasv-port:max-pasv-port -j ACCEPT
or you can use something like this:
# IANA-registered ephemeral port range of 49152-65534 for passive transfers
iptables -A INPUT -p tcp -m tcp --dport 49152:65534 --syn -j ACCEPT
and save your iptables state:
/etc/init.d/iptables save
and restart your iptables state:
/etc/init.d/iptables restart
min-pasv-port must be >= 1024. The range has to be large enough to handle many simultaneous passive connections (for example 49152-65534, the IANA-registered ephemeral port range).
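The config file and the firewall are separate steps here and in the iptables/firewall section above, so they can drift apart. As an added example (not from the wiki page or from ProFTPD), the POSIX shell function below reads Port and PassivePorts from a constructed proftpd.conf excerpt, checks the range against the limits just stated, and prints the matching iptables rules instead of applying them.

```shell
# Constructed excerpt of /etc/proftpd/proftpd.conf, written to a temporary
# file so the function can be run offline.
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
ServerType standalone
Port 21
PassivePorts 49152 65534
EOF

# ftp_fw_rules CONF
# Reads Port and PassivePorts from CONF, validates the passive range the way
# ProFTPD requires (1024 <= min < max <= 65535) and prints the two iptables
# commands that open the control port and the passive data ports.
ftp_fw_rules() {
    conf=$1
    # Port falls back to 21, the default this page describes, when absent.
    port=$(awk '$1 == "Port" { p = $2 } END { print (p == "" ? 21 : p) }' "$conf")
    range=$(awk '$1 == "PassivePorts" { print $2, $3 }' "$conf")
    if [ -z "$range" ]; then
        echo "no PassivePorts directive: passive transfers get random ports" >&2
        return 1
    fi
    set -- $range
    min=$1; max=$2
    for n in "$min" "$max"; do
        case "$n" in
            ''|*[!0-9]*) echo "bad PassivePorts value: '$n'" >&2; return 1 ;;
        esac
    done
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -ge "$max" ]; then
        echo "PassivePorts must satisfy 1024 <= min < max <= 65535" >&2
        return 1
    fi
    # Warn when the range is too narrow for many simultaneous transfers.
    [ $((max - min + 1)) -ge 100 ] || echo "warning: fewer than 100 passive ports" >&2
    printf 'iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$port"
    printf 'iptables -A INPUT -p tcp -m tcp --dport %s:%s --syn -j ACCEPT\n' "$min" "$max"
}

ftp_fw_rules "$CONF"
```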
[edit] Setup anonymous access
This guide currently only describes how to set up ProFTPd to allow anonymous access to a directory from which anyone can download files only.
The sample config file is already setup to allow anonymous users to login and download files only, so no configuration is necessary.
When users login anonymously, they will be dropped into the /home/ftp directory. Place any files in that directory that you would like your users to have access to.
If you can't log in to the running proftpd daemon and the system log is saying something like "ftp: Directory ~ftp/ is not accessible." or "530-Unable to set anonymous privileges.", check whether you have compiled Proftpd with the acl USE flag enabled. If you don't have an ACL enabled filesystem and have the acl USE flag enabled, the getxattr system call will fail, resulting in the FTP session being closed.
[edit] Anonymous user for FTP access only
Create an FTP shell:
cp /bin/false /bin/ftp
echo "/bin/ftp" >> /etc/shells
Create the user on your machine with the ftp shell:
useradd -d /home/username -G ftp -s /bin/ftp username
Edit proftpd.conf to add the user with desired permissions:
File: proftpd.conf
<Anonymous ~username>
    User username
    Group ftp
    AnonRequirePassword on
    MaxClients 1
    DisplayLogin welcome.msg
    DisplayFirstChdir .message
    <Limit WRITE>
        Deny from all
    </Limit>
    <Directory incoming>
        <Limit READ WRITE DIRS STOR CWD CDUP>
            AllowAll
        </Limit>
    </Directory>
</Anonymous>
This allows the account with the username "username" to log in to your FTP server and to upload files into the "incoming" directory located within its home directory.
[edit] Anonymous jails
When anonymous users log in to your FTP server, they are jailed to the anonymous FTP directory (/home/ftp in this case), meaning that they cannot browse out of that part of the filesystem. When logged in, they see / as their entire filesystem.
You can of course create new directories in /home/ftp which the user will see.
[edit] Sharing other directories with mount
In case you want to share a directory that already exists on the filesystem with your users, but don't want to move all those files to the FTP login directory, you can mount them using the bind option.
From man mount:
mount --bind olddir newdir
After this call the same contents is accessible in two places. One can
also remount a single file (on a single file).
For a sample scenario, let's say you wanted to share your Gentoo distfiles directory, located in /usr/portage/distfiles on your anonymous ftp server.
Here is what you would need to do.
First, create the directory in the FTP root where you want the files to be shared.
cd /home/ftp
mkdir distfiles
Next, use mount --bind to make the contents accessible in both places.
mount --bind /usr/portage/distfiles distfiles
Next time the users login, they will be able to browse to the distfiles directory and see the files, and download them.
If you want to do this every time at boot, add the following line to the end of /etc/fstab:
/usr/portage/distfiles /home/ftp/distfiles none bind 0 0