Tips for configuring ProFTPD services on Linux platforms

Source: Internet
Author: User

1. Configure FTP to allow root login

Edit /etc/ftpusers and remove the root entry.

2. Allow the root user to change to the / directory over FTP

By default, an ordinary user can only change within their own home directory. Edit the /etc/proftpd.conf file and add one line before the existing DefaultRoot line:

DefaultRoot / root

Restart the proftpd service.

To change the directory that anonymous logins land in from the default /var/ftp, edit the ftp entry in the /etc/passwd file:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Change the default directory (/var/ftp) in this line to the one you want.

3. To give FTP write (upload) capability, it is enough to change the corresponding section in the /etc/proftpd.conf file to read as follows:

<Limit STOR>
  AllowAll
</Limit>

4. Switch FTP to PASV mode

On our Red Flag DC 5.0 system, this is done by adding the following two directives to proftpd.conf.

MasqueradeAddress IP-address

# This parameter sets the connection address that the server returns to the client in the PASV address string when the client sends the PASV command.

# This address is usually the external address of the firewall (address for RDR).

PassivePorts min-port max-port

Restart the FTP service after making the change.

An FTP session generally uses two connections: one carries commands between the client and the server, and the other carries the data. FTP servers generally support two different modes, PORT mode and passive mode (PASV mode). Let me first explain the difference between how the two modes connect.

Assume the client is C and the server is S.

PORT mode:

When client C connects to server S and uses PORT mode, client C sends a command telling server S (client C has opened a port N locally and is waiting for you to make a data connection). When server S receives this PORT command, it connects to port N opened by the client, and the data connection is established.

PASV mode:

When client C connects to server S, server S sends client C a message (server S has opened a port M locally; connect to me on it now). When client C receives this message, it connects to port M on server S, and once that connection succeeds the data connection is established.

From the explanation above, the main difference between the two modes is how the data connection is made. In PORT mode, client C opens a port locally and waits for server S to connect to it. In PASV mode, server S opens a port and waits for client C to connect to it.

There is one situation to be aware of with PASV mode:

If FTP is forwarded through iptables to a server on the intranet, only PORT mode works by default. In that case, you can load two iptables modules to make PASV mode work:

modprobe ip_conntrack_ftp

modprobe ip_nat_ftp

Put these commands in /etc/rc.local. (Set this on the gateway server, or on the machine configured with iptables.)

Of course, you can also specify the allowed ports by modifying proftpd.conf, but this is limiting: the PASV ports are fixed. Assuming the range is 51000-510011, you can serve at most 11 users, and beyond that there is no port left to allocate. Loading the modules does not have this problem.


