Ubuntu 12.04 + ProFTPD 1.3.4a: system user and virtual user permission application practices

Source: Internet
Author: User
Tags: directory, create
Contents:
1. What is ProFTPD?
2. Where is the official ProFTPD website?
3. Where can I download it?
4. How to install it?
   1) System user configuration + permission control
   2) Virtual user configuration + permission control

1. What is ProFTPD?

ProFTPD is a highly configurable open-source FTP server. The trailing "d" in the name stands for daemon, as is usual on Linux. Its configuration resembles Apache's, so it is easy to configure and manage. When the project started, the choice of FTP servers on Unix and Unix-like platforms was very limited; the most common was wu-ftpd. Although wu-ftpd performs well and is good software, it lacks several features found in FTP servers on Win32 platforms, and many security vulnerabilities had been found in it over the years. ProFTPD's creators initially spent a lot of time looking for wu-ftpd vulnerabilities to fix and features to add, but soon concluded that wu-ftpd would have to be completely rewritten to make up for its lack of configurability and missing functions. Besides wu-ftpd, some other FTP servers were designed to be lightweight, secure and configurable. Troll FTP, for example, is a good FTP program, safer than wu-ftpd and lighter on resources; unfortunately, while well suited to basic FTP service, it is not suitable for sites that need more complex functionality. ProFTPD was not produced by modifying another FTP server's source code; it is a completely independent, fully rewritten FTP server. Many well-known high-traffic sites run ProFTPD. It can run in two modes, as a standalone server or under a super-server (inetd), and both are good choices for security and stability.

2. Where is the official ProFTPD website?

http://www.proftpd.org/

3. Where can I download it?

http://www.proftpd.org/md5_pgp.html

4. How to install it?

As the title says, my system is Ubuntu 12.04, so ProFTPD can be installed directly with apt-get. During installation a dialog asks which run mode to use; choose "standalone".
root@host:~# apt-get install proftpd
After installation, ProFTPD starts automatically. You can check that the process is running with "ps aux | grep ftp", or use "netstat -tulpn | grep :21" to check whether something is listening on FTP's default port 21.
root@host:~# ps -aux|grep ftp
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
proftpd  18912  0.0  0.0  93376  2204 ?        Ss   11:10   0:00 proftpd: (accepting connections)
root     18942  0.0  0.0   8112   940 pts/1    S+   12:06   0:00 grep --color=auto ftp
root@host:~# netstat -tulpn | grep :21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      18912/proftpd: (acc
root@host:~#
Basic ProFTPD configuration:

# Disable IPv6 support
UseIPv6 off
# Disable reverse DNS lookups
UseReverseDNS off
# Supported encodings
UseEncoding UTF-8 GBK
# Do not reveal server information such as the ProFTPD version
ServerIdent off
# Do not look up the client's remote user name via ident
IdentLookups off
# Server name
ServerName "idoall.org FTP server"
# Run mode: standalone (the alternative is inetd)
ServerType standalone
# Do not show the welcome banner before the user has logged in
DeferWelcome on
# File shown at login
DisplayLogin /usr/share/proftpd/etc/ftplogin.msg
# File shown when changing directory
DisplayChdir .message
# Multi-line responses for the FTP security extensions (RFC 2228)
MultilineRFC2228 on
# Use this as the default server
DefaultServer on
# Do not show the targets of symbolic links
ShowSymlinks off
# Allow root to log in; not recommended for security reasons, so keep it off
RootLogin off
# Idle time allowed after login without a transfer
TimeoutNoTransfer 600
# Stalled transfer timeout
TimeoutStalled 600
# Client idle timeout; the default is 600 seconds
TimeoutIdle 600
# Show detailed directory listings
ListOptions "-l"
# Reject command arguments matching this pattern
DenyFilter \*.*/
# Limit the upload speed of user lionftp to 150 KB/s
TransferRate STOR 150 user lionftp
# Limit the download speed of user lionftp to 100 KB/s
TransferRate RETR 100 user lionftp
# Port number
Port 21
# Display quotas in MB
QuotaDisplayUnits MB
# Port range used in passive mode
PassivePorts 60000 65535
# Maximum number of server child processes
MaxInstances 30
# User and group the server processes run as
User proftpd
Group nogroup
# Umask for new files and directories
Umask 022 022
# Directory that users are chrooted into
DefaultRoot /usr/local/nginx/html
# Allow overwriting existing files
AllowOverwrite on
# Hide server version information
ServerIdent off
# Allow resumed uploads
AllowStoreRestart on
# Allow resumed downloads
AllowRetrieveRestart on
# Each account may connect from at most 10 source IP addresses
MaxHostsPerUser 10
# Each account may have at most 10 concurrent logins; limits multi-threaded download tools
MaxClientsPerUser 10
# At most 10 concurrent connections from the same client host
MaxClientsPerHost 10
# Record FTP logins in wtmp; set to off to suppress it
WtmpLog on
# Log files
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
Limit permission description:

CWD    change working directory
MKD    make directory (create a directory)
RNFR   rename from (rename a file or directory)
DELE   delete a file
RMD    remove directory (delete a directory)
RETR   retrieve (download from server to client)
STOR   store (upload from client to server)
READ   read permission, not including directory listing; equivalent to RETR, STAT, etc.
WRITE  write files or directories, including MKD and RMD
DIRS   directory listing, equivalent to LIST, NLST, etc.
ALL    all permissions (the most practical)
LOGIN  permission to log in

Controlling users and groups inside a Limit block:

AllowUser   allow a user within the Limit
DenyUser    deny a user within the Limit
AllowGroup  allow a user group within the Limit
DenyGroup   deny a user group within the Limit
AllowAll    allow all users within the Limit
DenyAll     deny all users within the Limit
The welcome file supports the following parameters:

%T  current time
%F  remaining disk space
%C  current directory
%R  client host name
%L  server host name
%u  user account name
%m  maximum number of allowed connections
%N  current number of server connections
%E  FTP server administrator email
%i  number of files uploaded in this session
%o  number of files downloaded in this session
%t  number of files uploaded + downloaded in this session
With these parameters, we can write a friendly welcome message:

root@host:~# vi /usr/share/proftpd/etc/ftplogin.msg
Welcome %u, this is idoall's test FTP server;
current time: %T;
the server allows at most %m user connections;
currently there are %N user connections on the server;
your current directory is %C;
the disk of this directory has %F bytes free.
1) System user configuration + permission control

A) Configure nologin. Ubuntu differs slightly from other Linux systems here: add /usr/sbin/nologin as the last line of /etc/shells.

root@host:~# vi /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen
/usr/sbin/nologin
B) Desired user permissions

/usr/share/nginx/html     lionftp read/write, chenshuaiftp read-only
/usr/share/nginx/html/A   lionftp read/write, chenshuaiftp read/write
C) First create an ftp group, then create two test users, lionftp and chenshuaiftp, in that group, with the nologin shell so that they cannot log in to a terminal:

root@host:~# groupadd ftp
root@host:~# useradd lionftp -g ftp -s /usr/sbin/nologin
root@host:~# useradd chenshuaiftp -g ftp -s /usr/sbin/nologin
root@host:~# passwd lionftp
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@host:~# passwd chenshuaiftp
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
D) Set the directory owner

root@host:~# chown lionftp /usr/share/nginx/html
E) Modify the ProFTPD configuration

root@host:~# vi /etc/proftpd/proftpd.conf
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Disable IPv6 support
# If set on you can experience a longer connection delay in many cases.
UseIPv6 off
# Disable reverse DNS lookups
UseReverseDNS off
# Supported encodings
UseEncoding UTF-8 GBK
# Do not reveal server information such as the ProFTPD version
ServerIdent off
# Do not look up the client's remote user name via ident
IdentLookups off
# Server name
ServerName "idoall.org FTP server"
# Run mode: standalone (the alternative is inetd)
ServerType standalone
# Do not show the welcome banner before the user has logged in
DeferWelcome on
# File shown at login
DisplayLogin /usr/share/proftpd/etc/ftplogin.msg
# File shown when changing directory
DisplayChdir .message
# Multi-line responses for the FTP security extensions (RFC 2228)
MultilineRFC2228 on
# Use this as the default server
DefaultServer on
# Do not show the targets of symbolic links
ShowSymlinks off
# Allow root to log in; not recommended for security reasons, so keep it off
RootLogin off
# Idle time allowed after login without a transfer
TimeoutNoTransfer 600
# Stalled transfer timeout
TimeoutStalled 600
# Client idle timeout; the default is 600 seconds
TimeoutIdle 600
# Show detailed directory listings
ListOptions "-l"
# Reject command arguments matching this pattern
DenyFilter \*.*/
# Limit the upload speed of user lionftp to 150 KB/s
TransferRate STOR 150 user lionftp
# Limit the download speed of user lionftp to 100 KB/s
TransferRate RETR 100 user lionftp
# Port number
Port 21
# Display quotas in MB
QuotaDisplayUnits MB
# Port range used in passive mode
PassivePorts 60000 65535
# Maximum number of server child processes
MaxInstances 30
# User and group the server processes run as
User proftpd
Group nogroup
# Umask for new files and directories
Umask 022 022
# Directory that users are chrooted into
DefaultRoot /usr/local/nginx/html
# Allow overwriting existing files
AllowOverwrite on
# Hide server version information
ServerIdent off
# Allow resumed uploads
AllowStoreRestart on
# Allow resumed downloads
AllowRetrieveRestart on
# Each account may connect from at most 10 source IP addresses
MaxHostsPerUser 10
# Each account may have at most 10 concurrent logins; limits multi-threaded download tools
MaxClientsPerUser 10
# At most 10 concurrent connections from the same client host
MaxClientsPerHost 10
# Record FTP logins in wtmp; set to off to suppress it
WtmpLog on
# Log files
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

<Directory "/usr/local/nginx/html/*">
  <Limit ALL>
    AllowUser lionftp
    DenyAll
  </Limit>
  <Limit CWD READ DIRS>
    AllowAll
  </Limit>
</Directory>

<Directory "/usr/local/nginx/html/A/*">
  <Limit ALL>
    AllowUser lionftp
    AllowUser chenshuaiftp
    DenyAll
  </Limit>
  <Limit CWD READ DIRS>
    AllowAll
  </Limit>
</Directory>

# Do not allow anyone to run the SITE CHMOD command
<Limit SITE_CHMOD>
  DenyAll
</Limit>

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

Include /etc/proftpd/conf.d/
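To confirm that a deployed proftpd.conf still carries the hardening directives set in the configuration above (RootLogin off, ServerIdent off, DefaultRoot, TimeoutIdle, PassivePorts and the SITE_CHMOD limit), here is an added shell audit script; it is not part of the original post or of ProFTPD, and the two sample configs it writes to a temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a proftpd.conf for the
# hardening directives used in the configuration above. ProFTPD directive
# names are case-insensitive, so every match uses grep -i.

# has_directive CONF NAME VALUE_REGEX -> success if an uncommented
# "NAME VALUE" line is present in CONF
has_directive() {
    grep -iE "^[[:space:]]*$2[[:space:]]+($3)([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# limit_denies CONF COMMAND -> success if a "<Limit COMMAND> ... DenyAll" block
# exists; the file is flattened to one line so the block may span lines
limit_denies() {
    tr '\n' ' ' < "$1" | grep -iE "<limit[[:space:]]+$2>[^<]*denyall" >/dev/null 2>&1
}

# proftpd_hardening_check CONF -> prints one "MISSING: ..." line per finding
proftpd_hardening_check() {
    conf=$1
    has_directive "$conf" RootLogin off || echo "MISSING: RootLogin off (root could log in over FTP)"
    has_directive "$conf" ServerIdent off || echo "MISSING: ServerIdent off (version banner is exposed)"
    has_directive "$conf" DefaultRoot '[^[:space:]]+' || echo "MISSING: DefaultRoot (users are not chrooted)"
    has_directive "$conf" TimeoutIdle '[0-9]+' || echo "MISSING: TimeoutIdle (idle sessions never expire)"
    has_directive "$conf" PassivePorts '[0-9]+[[:space:]]+[0-9]+' || echo "MISSING: PassivePorts (PASV range is unbounded)"
    limit_denies "$conf" SITE_CHMOD || echo "MISSING: <Limit SITE_CHMOD> DenyAll (clients can chmod files)"
}

# count_findings CONF -> number of MISSING lines (0 means every check passed)
count_findings() {
    proftpd_hardening_check "$1" | grep -c '^MISSING:' || true
}

# Constructed sample configs for the demonstration (not copied from a server)
SAMPLE_DIR=${TMPDIR:-/tmp}/proftpd-audit.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
ServerName "idoall.org FTP server"
ServerIdent off
RootLogin off
DefaultRoot /usr/local/nginx/html
TimeoutIdle 600
PassivePorts 60000 65535
<Limit SITE_CHMOD>
  DenyAll
</Limit>
EOF
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
ServerName "idoall.org FTP server"
# RootLogin off   <- commented out, so it must not count
RootLogin on
ServerIdent on
DefaultRoot /usr/local/nginx/html
EOF

echo "hardened.conf findings: $(count_findings "$SAMPLE_DIR/hardened.conf")"
proftpd_hardening_check "$SAMPLE_DIR/weak.conf"
```

Run it against /etc/proftpd/proftpd.conf after the restart in step F; the weak sample reports five findings, the hardened one none.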
F) Restart the FTP server

root@host:~# service proftpd restart
G) Test the connection from Windows

C:\Users\Administrator>ftp
ftp> open 192.168.1.100
Connected to 192.168.1.100.
220 192.168.1.100 FTP Server ready
User (192.168.1.100:(none)): chenshuaiftp
331 Password required for chenshuaiftp
Password:
230-Welcome chenshuaiftp, this is idoall's test FTP server;
230-current time: Sat Aug 09 03:22:02 2014;
230-the server allows at most 0 user connections;
230-currently there are 2 user connections on the server;
230-your current directory is /;
230-the disk of this directory has 0 bytes free.
230 User chenshuaiftp logged in
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 root          537 Aug  6 06:38 50x.html
drwxrwxrwx  19 root         4096 Jun 17 05:49 xxx
drwxrwxrwx   7 root         4096 Aug  9 00:19 aaaa
226 Transfer complete
ftp: 201 bytes received, 0.01 KB/second in 13.40 seconds.
2) Virtual user configuration + permission control

A) Modify the configuration file: add the following directives, and add the new user to the "/usr/local/nginx/html/A/*" permission block. We will then test with this virtual user, "ftpchenshuai".

# Do not require a valid shell; the direct effect is that nologin users and virtual users can log in
RequireValidShell off
# AuthOrder sets the order of authentication checks; the virtual user file is consulted first
AuthOrder mod_auth_file.c mod_auth_unix.c
AuthUserFile /usr/share/proftpd/etc/passwd
AuthGroupFile /usr/share/proftpd/etc/group
The complete modified ProFTPD configuration file is as follows:

root@host:~# vi /etc/proftpd/proftpd.conf
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Disable IPv6 support
# If set on you can experience a longer connection delay in many cases.
UseIPv6 off
# Disable reverse DNS lookups
UseReverseDNS off
# Supported encodings
UseEncoding UTF-8 GBK
# Do not reveal server information such as the ProFTPD version
ServerIdent off
# Do not look up the client's remote user name via ident
IdentLookups off
# Server name
ServerName "idoall.org FTP server"
# Run mode: standalone (the alternative is inetd)
ServerType standalone
# Do not show the welcome banner before the user has logged in
DeferWelcome on
# File shown at login
DisplayLogin /usr/share/proftpd/etc/ftplogin.msg
# File shown when changing directory
DisplayChdir .message
# Multi-line responses for the FTP security extensions (RFC 2228)
MultilineRFC2228 on
# Use this as the default server
DefaultServer on
# Do not show the targets of symbolic links
ShowSymlinks off
# Allow root to log in; not recommended for security reasons, so keep it off
RootLogin off
# Idle time allowed after login without a transfer
TimeoutNoTransfer 600
# Stalled transfer timeout
TimeoutStalled 600
# Client idle timeout; the default is 600 seconds
TimeoutIdle 600
# Show detailed directory listings
ListOptions "-l"
# Reject command arguments matching this pattern
DenyFilter \*.*/
# Limit the upload speed of user lionftp to 150 KB/s
TransferRate STOR 150 user lionftp
# Limit the download speed of user lionftp to 100 KB/s
TransferRate RETR 100 user lionftp
# Port number
Port 21
# Display quotas in MB
QuotaDisplayUnits MB
# Port range used in passive mode
PassivePorts 60000 65535
# Maximum number of server child processes
MaxInstances 30
# User and group the server processes run as
User proftpd
Group nogroup
# Umask for new files and directories
Umask 022 022
# Directory that users are chrooted into
DefaultRoot /usr/local/nginx/html
# Allow overwriting existing files
AllowOverwrite on
# Hide server version information
ServerIdent off
# Allow resumed uploads
AllowStoreRestart on
# Allow resumed downloads
AllowRetrieveRestart on
# Each account may connect from at most 10 source IP addresses
MaxHostsPerUser 10
# Each account may have at most 10 concurrent logins; limits multi-threaded download tools
MaxClientsPerUser 10
# At most 10 concurrent connections from the same client host
MaxClientsPerHost 10
# Record FTP logins in wtmp; set to off to suppress it
WtmpLog on
# Log files
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

# Do not require a valid shell; the direct effect is that nologin users and virtual users can log in
RequireValidShell off
# AuthOrder sets the order of authentication checks; the virtual user file is consulted first
AuthOrder mod_auth_file.c mod_auth_unix.c
AuthUserFile /usr/share/proftpd/etc/passwd
AuthGroupFile /usr/share/proftpd/etc/group

<Directory "/usr/local/nginx/html/*">
  <Limit ALL>
    AllowUser lionftp
    DenyAll
  </Limit>
  <Limit CWD READ DIRS>
    AllowAll
  </Limit>
</Directory>

<Directory "/usr/local/nginx/html/a/*">
  <Limit ALL>
    AllowUser lionftp
    AllowUser chenshuaiftp
    AllowUser ftpchenshuai
    DenyAll
  </Limit>
  <Limit CWD READ DIRS>
    AllowAll
  </Limit>
</Directory>

# Do not allow anyone to run the SITE CHMOD command
<Limit SITE_CHMOD>
  DenyAll
</Limit>

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

Include /etc/proftpd/conf.d/
B) If the virtual user and group files named in the configuration do not exist, create them:

root@host:~# mkdir -p /usr/share/proftpd/etc/
root@host:~# touch /usr/share/proftpd/etc/passwd
root@host:~# touch /usr/share/proftpd/etc/group
C) Create the virtual user ftpchenshuai and specify its directory

root@host:~# ftpasswd --passwd --file=/usr/share/proftpd/etc/passwd --name=ftpchenshuai --uid=3000 --home=/usr/local/nginx/html/a --shell=/bin/false
    --passwd creates a new virtual user (--group creates a virtual group);
    --file specifies the file that stores the virtual users;
    --name specifies the virtual user's name; the password is prompted for while the command runs;
    --uid is the system uid this virtual user maps to; the virtual user reads and writes files as that uid;
    --home is the virtual user's root directory, i.e. the directory the user lands in after logging in to FTP;
    --shell specifies the virtual user's shell; for safety, specify a shell that cannot be used to log in.

D) Create a virtual user group

root@host:~# ftpasswd --group --name=testgroup --gid=2014
E) Add the virtual user to the virtual user group

root@host:~# ftpasswd --group --name=testgroup --gid=2014 --member=ftpchenshuai
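Since a virtual user reads and writes files as the system uid given to ftpasswd, the AuthUserFile deserves the same review as /etc/passwd. The following shell script is an added example, not part of the original post or of ProFTPD: it parses the passwd(5)-style entries ftpasswd writes and flags the policy violations this walkthrough cares about (uid 0, empty hash, a login shell, a home outside the DefaultRoot tree). The sample file and its hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit the AuthUserFile that
# ftpasswd writes. Each entry has the passwd(5) layout
#   name:hash:uid:gid:gecos:home:shell
# The policy checked here is an assumption drawn from the walkthrough: no
# entry may map to uid 0, have an empty hash, use a login shell, or have a
# home outside the DefaultRoot tree.

# audit_authuserfile FILE DEFAULTROOT -> prints "name: reason" per problem
audit_authuserfile() {
    awk -F: -v root="$2" '
        NF != 7 { print $1 ": malformed entry (" NF " fields)"; next }
        $2 == "" { print $1 ": empty password hash" }
        $3 == 0  { print $1 ": maps to uid 0 (root)" }
        $7 != "/bin/false" && $7 != "/usr/sbin/nologin" { print $1 ": login shell " $7 }
        $6 != root && index($6, root "/") != 1 { print $1 ": home " $6 " is outside " root }
    ' "$1"
}

# count_problems FILE DEFAULTROOT -> number of problem lines (0 means clean)
count_problems() {
    audit_authuserfile "$1" "$2" | grep -c . || true
}

# Constructed sample AuthUserFile; the hashes are placeholders, not real crypt output
SAMPLE_PASSWD=${TMPDIR:-/tmp}/proftpd-passwd.$$
cat > "$SAMPLE_PASSWD" <<'EOF'
ftpchenshuai:$1$CONSTRUCTED$placeholderhash:3000:2014::/usr/local/nginx/html/a:/bin/false
badroot:$1$CONSTRUCTED$placeholderhash:0:0::/usr/local/nginx/html:/bin/false
shelluser:$1$CONSTRUCTED$placeholderhash:3001:2014::/usr/local/nginx/html/b:/bin/bash
nopass::3002:2014::/etc:/bin/false
EOF

# Only ftpchenshuai (the user created in step C) passes; the other three are flagged
audit_authuserfile "$SAMPLE_PASSWD" /usr/local/nginx/html
```

Point it at /usr/share/proftpd/etc/passwd with /usr/local/nginx/html as the root to check the real file.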
F) If the user has no write permission after logging in, grant it with the following command (note that 777 makes the tree writable by every local account, not only the FTP users):

root@host:~# chmod 777 -R /usr/local/nginx/html/a
G) Restart the FTP server

root@host:~# service proftpd restart
H) Test the connection from Windows

C:\Users\Administrator>ftp
ftp> open 192.168.1.100
Connected to 192.168.1.100.
220 192.168.1.100 FTP Server ready
User (192.168.1.100:(none)): ftpchenshuai
331 Password required for ftpchenshuai
Password:
230-Welcome ftpchenshuai, this is idoall's test FTP server;
230-current time: Sat Aug 09 03:30:53 2014;
230-the server allows at most 0 user connections;
230-currently there are 2 user connections on the server;
230-your current directory is /;
230-the disk of this directory has 0 bytes free.
230 User ftpchenshuai logged in
ftp> pwd
257 "/a" is the current directory
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftpchenshuai 3000   1870666 Aug  9 xxx.apk
226 Transfer complete
ftp: 88 bytes received, 0.01 KB/second in 5.87 seconds.
ftp> put c:\a.txt
200 PORT command successful
150 Opening ASCII mode data connection for a.txt
226 Transfer complete
ftp: 1 byte sent, 0.06 KB/second in 0.02 seconds.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftpchenshuai 3000         1 Aug  9 00:33 a.txt
-rw-r--r--   1 ftpchenshuai 3000   1870666 Aug  9 xxx.apk
226 Transfer complete
ftp: 154 bytes received, 0.01 KB/second in 22.00 seconds.
ftp> bye
221 Goodbye.
I have also tried vsftpd and other FTP servers before, and in the end I find ProFTPD the easiest to configure.

---------------------------------------
Blog post address: http://idoall.org/home.php?mod=space&uid=1&do=blog&id=549
Reprint notice: reprinting is allowed, but the original source, author information and this copyright notice must be given in the form of a hyperlink. Thank you for your cooperation!
---------------------------------------
