
HOWTO_CorpProFTPD



Introduction

The purpose of this howto is to configure a modern FTP server for public or corporate consumption. This means solving three basic requirements:

  1. System users have general access to the FTP server from outside and inside the LAN
  2. FTP users (clients) only have chrooted access from outside the FTP server
  3. System is mainly self managed (files scrub themselves, accounts get nuked after X days)

The guide will be separated into three parts, depending on how many of the above requirements you want to implement:

  1. Base install of ProFTPD
  2. Basic configuration of ProFTPD
  3. Advanced configuration

Current system configuration

To avoid any confusion and to ensure that you get the most out of this guide, please consider the following system context:

Current System Context
Variable   Environment
Date       June 2008
Kernel     2.6.25.1 SMP
ProFTPD    net-ftp/proftpd-1.3.1_rc2-r3

Caution about FTP solutions

FTP servers are vestigial remnants of the early 90s: legacy technology that has made its way into most OSes today, usually as a very scaled-down FTP client bolted onto some GUI. What is even more unfortunate is that the later RFC extensions have never been adopted across the board, so FTP over TLS (RFC 4217) and other useful features fall outside the lowest-common-denominator feature set that every client supports. (SFTP, which is often confused with it, is a different protocol that runs over SSH.) That means you need to educate your user base about the perils of FTP: the username, the password and every file cross the wire in cleartext, readable and modifiable by anyone on the path.

So keep that in mind when posting credit-card lists in text format on FTP servers. (Don't laugh, I've seen it done.)

Base install

Become root and run the following commands:

# echo 'net-ftp/proftpd -ipv6 -ssl authfile vroot' >> /etc/portage/package.use

This guide leaves SSL off to keep the configuration minimal, which means every login and every transfer goes over the wire in cleartext; if you later want FTP over TLS (mod_tls), re-emerge with the ssl USE flag and add the TLS directives. IPv6 is also disabled, since it is very unlikely that you require it unless you have a very specific target audience in mind.

Next, you must install the package from Portage:

# emerge --sync
# emerge -av proftpd

Make sure your dependencies are met before proceeding.

Once the application compiles you will have an unconfigured FTP server installed on your Gentoo machine. The ebuild also creates the proftpd and ftp users and groups:

# grep ftp /etc/group && grep ftp /etc/passwd

The command should return something like this:

ftp:x:21:
proftpd:x:1004:
ftp:x:21:21:by portage for ftpbase:/home/ftp:/sbin/nologin
proftpd:x:101:1004:by portage for proftpd:/dev/null:/sbin/nologin 

If for some reason these groups and accounts were not created then you need to do this by hand.


Basic Configuration

The plan is to configure the server to run on Port 21 with a separated user base for system users and "guest" users. Guest users are those who may require an FTP account but should not have shell accounts. Anonymous access is disabled.

Configuration file: proftpd.conf

Your default configuration file is /etc/proftpd/proftpd.conf.

Portage ships a reference file, /etc/proftpd/proftpd.sample, which you could copy and trim. For this guide it is simpler to start from an empty file and use the example below as your starting point.

Issue the following commands as root:

# touch /etc/proftpd/proftpd.conf
# vi /etc/proftpd/proftpd.conf

You will now be editing a blank file. Go ahead and paste the sample config provided below:

File: /etc/proftpd/proftpd.conf
# Main server: listens only on 127.0.0.1 and is read-only (see <Limit WRITE> below)
ServerName                      "FTP Server"
ServerType                      standalone
DeferWelcome                    off
Port                            21
Umask                           002

MaxInstances                    30
TimeoutLogin                    120
TimeoutIdle                     600
TimeoutNoTransfer               900
TimeoutStalled                  3600

DefaultServer                   off
DefaultAddress                  127.0.0.1

# Identity the daemon drops to before a user has authenticated
User                            proftpd
Group                           proftpd

# Passive-mode data ports; open the same range on the firewall
PassivePorts                    52300 52323

DefaultRoot /pub/ftproot

LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "[%P] %h %{%Y-%m-%d}t \"%r\" %s"
LogFormat                       write   "%h %l %u %t \"%r\" %s %b"

<Global>
        AllowOverwrite          yes
        UseReverseDNS           off
        IdentLookups            off
</Global>

#Base server cannot have ANY writing
<Limit WRITE>
        DenyAll
</Limit>

# Client-access server: handles 192.168.0.1 and, because DefaultServer is on,
# any other address not claimed by another server. Guest accounts come from the
# AuthUserFile, need no shell (RequireValidShell no) and are chrooted into their
# home directory (DefaultRoot ~).
<VirtualHost 192.168.0.1>
ServerAdmin             ftp.admin@mycompany.com
ServerName              "MyCompany Client Access Server"
MaxLoginAttempts        5
RequireValidShell       no
DefaultRoot             ~
DefaultServer           on
AllowOverwrite          yes
AuthUserFile            /etc/proftpd/ftpd.passwd
AuthGroupFile           /etc/proftpd/ftpd.group
User                    ftp
Group                   ftp
ExtendedLog             /var/log/ftp/auth.log AUTH auth

        <Directory ~>
                <Limit STOR>
                        AllowAll
                </Limit>
                <Limit WRITE DIRS READ>
                        AllowAll
                </Limit>
                <Limit CWD XCWD CDUP>
                        AllowAll
                </Limit>
        </Directory>
</VirtualHost>

Note: this does not mean you have to re-create Unix accounts in the local files. ProFTPD still consults the system account database alongside the AuthUserFile, so both account types will be able to log in.

Final environment adjustments

You are almost ready to fire up the FTP server for the first time. Since the point of this exercise is to allow non-POSIX accounts to authenticate and access the FTP server, there are still a few things to do.

First, create the FTP root and make it owned by ftp/ftp. The root itself only needs to be listable, so there is no reason to make it world-writable: the 'chmod -R 777' that appears in many FTP guides hands every local account write access to every client's files. Each client's directory is instead owned by the uid/gid of that FTP account (see the account section below), because ProFTPD switches the session to that identity after login.

# mkdir -p /pub/ftproot
# chown ftp:ftp /pub/ftproot
# chmod 755 /pub/ftproot

Next, make sure the log directory and log file exist:

# mkdir -p /var/log/ftp
# touch /var/log/ftp/auth.log

Finally, create blank local account access files. They will hold password hashes, so keep them readable by root only:

# touch /etc/proftpd/ftpd.passwd /etc/proftpd/ftpd.group
# chmod 600 /etc/proftpd/ftpd.passwd /etc/proftpd/ftpd.group

Firing up the FTP server

Go over the configuration file and make sure that all paths and files exist. Once you've done that you are ready to fire up the server:

# /etc/init.d/proftpd start

Watch /var/log/ftp/auth.log and the system log to make sure you don't have any errors. Assuming that the server started without error, go ahead and log in using your regular shell account login and password. Your home directory will be your standard /home/yourloginid, and because of DefaultRoot ~ you are chrooted into it.

Adding external user accounts

Finally you need to be able to add some non-system accounts. For this your best bet is ftpasswd, the Perl script from ProFTPD's own contrib directory, which you can download here:

http://www.castaglia.org/proftpd/contrib/ftpasswd

Go ahead and fetch this file and store it in /pub/bin

# cd /pub/bin
# wget http://www.castaglia.org/proftpd/contrib/ftpasswd
# chmod +x ftpasswd

Next, change your directory over to where you created your ftpd.passwd and ftpd.group files, since ftpasswd writes to ./ftpd.passwd by default:

# cd /etc/proftpd

Run ftpasswd:

# ftpasswd --passwd --name="bob" --uid=1000 --home=/pub/ftproot/bob --shell=/bin/false

Pick a --uid (and --gid, which defaults to the --uid value when omitted) that is not used by any account in /etc/passwd: the session runs with that uid, so a collision would give the FTP user the file permissions of that system account.

Make bob's ftp home directory and hand it to the uid/gid the account was given (1000/1000 here). ProFTPD runs bob's session under that uid, so the directory does not need to be world-writable:

# mkdir -p /pub/ftproot/bob
# chown -R 1000:1000 /pub/ftproot/bob
# chmod 750 /pub/ftproot/bob

Then follow the prompt to set the user's password. Now try logging in as bob with the password you just set.


Advanced configuration

As you can see from the above, managing a corporate FTP server one user at a time can be very time consuming. This is why you need to write a series of bash scripts and cron jobs to help you along. This section shows you a few sample scripts you can use to easily manage the FTP server and covers the following topics:

  1. User-adding and user-deleting script
  2. Cron job to clean out files that are over 90 days old
  3. Cron job to clean out users who have not logged in for 2 months

Automating addition/removal of users

Need to paste content.

Automating file cleanup

Need to paste content.

Automating external account cleanup

Need to paste content.
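The author's scripts were never pasted into this page. What follows is an added example (not Greg Fleury's code) of the account-cleanup job described above, driven by the auth.log that the page's ExtendedLog and "auth" LogFormat produce, plus a find-based file scrub. Everything it assumes is labelled in the comments: the log line layout "[%P] %h %{%Y-%m-%d}t \"%r\" %s", the fact that the username only appears on the USER line and so has to be paired with the PASS line by the child PID in the first field, the ftpasswd file layout, and GNU date for the cutoff arithmetic. The sample log and password file are constructed for the demo.

```shell
#!/bin/bash
# Added example for this page, not the author's scripts. Finds FTP accounts in
# ftpd.passwd whose last successful login in auth.log is older than a cutoff
# date, and lists files in the FTP root older than N days.
#
# Assumptions (introduced here, not from the original page):
#   * auth.log lines follow the "auth" LogFormat:  [%P] %h %{%Y-%m-%d}t "%r" %s
#       [2151] 10.0.0.7 2008-06-02 "USER bob" 331
#       [2151] 10.0.0.7 2008-06-02 "PASS (hidden)" 230
#     The username is only on the USER line, so USER and PASS lines are paired
#     by the child PID in the first field; status 230 on PASS means login OK.
#   * ftpd.passwd is the ftpasswd(1) file: name:hash:uid:gid:gecos:home:shell
#   * GNU date (Gentoo coreutils) is available for cutoff_date.

# last_logins LOGFILE
#   Prints "user YYYY-MM-DD" (latest successful login) for every user seen.
last_logins() {
    awk '
        {
            pid = $1; date = $3; status = $NF
            line = $0
            sub(/^[^"]*"/, "", line)    # drop everything up to the opening quote of %r
            sub(/"[^"]*$/, "", line)    # drop the closing quote and the status code
            split(line, cmd, " ")       # cmd[1] = FTP command, cmd[2] = its argument
        }
        cmd[1] == "USER" { user[pid] = cmd[2]; next }
        cmd[1] == "PASS" && status == 230 && (pid in user) {
            u = user[pid]
            if (!(u in last) || date > last[u]) last[u] = date   # ISO dates sort as strings
        }
        END { for (u in last) print u, last[u] }
    ' "$1" | sort
}

# datenum YYYY-MM-DD -> YYYYMMDD, so dates can be compared with -lt
datenum() { printf '%s' "$1" | tr -d '-'; }

# cutoff_date DAYS -> the date DAYS ago as YYYY-MM-DD (GNU date)
cutoff_date() { date -d "$1 days ago" +%Y-%m-%d; }

# stale_accounts PASSWDFILE LOGFILE CUTOFF_DATE
#   Prints "user last-login" for each account in PASSWDFILE whose last
#   successful login is before CUTOFF_DATE, or "user never" if it never
#   logged in. A cron job would feed these names to ftpasswd --delete-user.
stale_accounts() {
    local passwd=$1 log=$2 cutoff=$3 logins
    logins=$(last_logins "$log")
    local name rest last
    while IFS=: read -r name rest; do
        [ -z "$name" ] && continue
        last=$(printf '%s\n' "$logins" | awk -v u="$name" '$1 == u { print $2 }')
        if [ -z "$last" ] || [ "$(datenum "$last")" -lt "$(datenum "$cutoff")" ]; then
            printf '%s %s\n' "$name" "${last:-never}"
        fi
    done < "$passwd"
}

# scrub_old_files DIR DAYS
#   Lists regular files under DIR untouched for more than DAYS days. Review the
#   list before piping it into xargs rm from cron.
scrub_old_files() { find "$1" -type f -mtime +"$2" -print; }

# Constructed sample data so the functions can be exercised offline.
sample_auth_log() {
    cat <<'EOF'
[2151] 10.0.0.7 2008-06-02 "USER bob" 331
[2151] 10.0.0.7 2008-06-02 "PASS (hidden)" 230
[2160] 10.0.0.9 2008-06-03 "USER alice" 331
[2160] 10.0.0.9 2008-06-03 "PASS (hidden)" 530
[2177] 10.0.0.7 2008-08-15 "USER bob" 331
[2177] 10.0.0.7 2008-08-15 "PASS (hidden)" 230
[2190] 10.0.0.9 2008-04-01 "USER alice" 331
[2190] 10.0.0.9 2008-04-01 "PASS (hidden)" 230
EOF
}

sample_passwd() {
    cat <<'EOF'
bob:$1$x:1000:1000::/pub/ftproot/bob:/bin/false
alice:$1$y:1001:1001::/pub/ftproot/alice:/bin/false
carol:$1$z:1002:1002::/pub/ftproot/carol:/bin/false
EOF
}

# Cron usage:  stale_accounts /etc/proftpd/ftpd.passwd /var/log/ftp/auth.log "$(cutoff_date 60)"
# Demo on the constructed data: prints "alice 2008-04-01" and "carol never".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_auth_log > "$tmp/auth.log"
    sample_passwd > "$tmp/ftpd.passwd"
    stale_accounts "$tmp/ftpd.passwd" "$tmp/auth.log" 2008-07-01
    rm -r "$tmp"
fi
```

The failed PASS (status 530) for alice on 2008-06-03 is deliberately ignored, so only her April login counts and she is reported as stale against a July cutoff; bob's August login keeps him. The script prints rather than deletes, so the cron job stays a two-step: review the list, then run ftpasswd --delete-user for each name.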

About the author

Greg Fleury is a 10-year veteran of the technology field. He started out writing communication protocols in C++ for CA, moved to architecture and business analysis, conducted project management and business analysis for a local Identity Management solutions provider, and now holds a managerial position with an online marketing firm in Calgary, Alberta, Canada.

Retrieved from "http://www.gentoo-wiki.info/HOWTO_CorpProFTPD"

Last modified: Sat, 06 Sep 2008 10:58:00 +0000