How to install, configure, and manage proftpd in Linux. ProFTPD is an open-source FTP server written as a replacement for wu-ftpd, which was once the most widely used FTP daemon. It fixes many of wu-ftpd's defects and improves on it in several respects; one important change is that it borrows Apache's configuration style, which makes proftpd easier to configure, manage and understand. This article describes basic installation and configuration on Red Hat Linux 9.
2. Software-related resources
Home page: http://www.proftpd.org/
Source code package: proftpd is open-source software that can be downloaded from its official website. The latest stable version at the time of writing is 1.2.10.
Help documentation: included in the package.
FAQ: included in the package.
Configuration file examples: included in the package.
3. Installing the software
1. Install
Download the source package proftpd-1.2.10.tar.gz from the official website. The important steps of the installation are:
[root@localhost root]# tar xzvf proftpd-1.2.10.tar.gz
[root@localhost root]# cd proftpd-1.2.10
[root@localhost proftpd-1.2.10]# ./configure
[root@localhost proftpd-1.2.10]# make
[root@localhost proftpd-1.2.10]# make install
tar xzvf proftpd-1.2.10.tar.gz unpacks the source package.
./configure probes the machine and prepares the build. Most of this is automatic, but some settings can be adjusted with options; the useful ones are:
./configure --help shows the available options.
--enable-ipv6 builds in IPv6 support.
There are many options; run ./configure --help to see which ones you need. In most cases the defaults are fine.
make compiles the server and make install installs it, by default with the daemon at /usr/local/sbin/proftpd and its configuration at /usr/local/etc/proftpd.conf.
The daemon's -c option names the configuration file to use; if it is not given, the default /usr/local/etc/proftpd.conf is read.
Once started (/usr/local/sbin/proftpd), ps aux | grep proftpd should show the proftpd process, and netstat -an should show a listener on port 21, the default FTP port.
If you want the FTP server to start automatically at boot, add one line to /etc/rc.d/rc.local:
/usr/local/sbin/proftpd
so that the file reads:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/usr/local/sbin/proftpd
4. Software configuration
1. Initial configuration file
The default configuration file is /usr/local/etc/proftpd.conf. If it does not exist, copy a sample configuration from the source package (sample-configurations/basic.conf in the proftpd source tree). The common options are described one by one below; lines beginning with # are comments.
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName        "ProFTPD Default Installation"
ServerType        standalone
DefaultServer     on

# Port 21 is the standard FTP port.
Port              21
ServerType sets how the FTP server is started. standalone is the simplest: proftpd runs as its own daemon and listens on the port itself. If traffic is low, ServerType inetd lets inetd or xinetd listen on the port and start proftpd only when a connection arrives, which saves resources. Port sets the port the server listens on; 21 is the standard FTP port.
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask             022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances      30
Umask sets the umask of the FTP server process. The default, 022, is the usual Linux default: files and directories created through FTP are not group- or world-writable.
MaxInstances is the maximum number of child processes, i.e. simultaneous connections, the server will spawn; it only applies in standalone mode.
# Set the user and group under which the server will run.
User              nobody
Group             nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# DefaultRoot ~
DefaultRoot       ~
User and Group set the identity the proftpd process runs under while no user is logged in. For security the default is nobody. Note that Red Hat Linux 9 has no nogroup group by default, so set Group to nobody there (or create the group).
DefaultRoot ~ chroots every logged-in user into their home directory, so a system user sees only their own directory over FTP, not the rest of the filesystem.
# Set the maximum number of seconds a data connection is allowed
# to "stall" before being aborted.
# TimeoutStalled 300

AllowRetrieveRestart on
AllowStoreRestart on
# Normally, we want files to be overwriteable.
AllowOverwrite on
TimeoutStalled sets how many seconds a data connection may stall (transfer no data) before the server aborts it.
AllowRetrieveRestart and AllowStoreRestart let clients resume interrupted downloads and uploads (the REST command).
<Anonymous ~ftp>
  User            ftp
  Group           ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias       anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients      10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin    welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
2. Configuration file structure
# Global settings
Directive1 value1
Directive2 value2
# Per-directory settings
<Directory ...>
  ...
</Directory>
# Anonymous login settings
<Anonymous ...>
  ...
</Anonymous>
Common global settings
DefaultRoot ~               # confine each FTP user to their own directory; the parent directories are invisible
AllowRetrieveRestart on     # allow resumed downloads
AllowStoreRestart on        # allow resumed uploads
ServerIdent off             # do not announce the server software and version in the banner
TransferRate RETR,STOR <KB/s> [user <name>]   # cap the transfer rate for the listed commands, optionally for one user
MaxHostsPerUser 1           # each account may be logged in from at most one source IP address at a time; limits account sharing
MaxClientsPerUser 1         # each account may have at most one session at a time, which stops multi-threaded download tools from flooding the server with connections
MaxClientsPerHost 1         # at most one session from any single client host
WtmpLog on                  # record FTP logins in wtmp (the last/who database); set to off to suppress them
TimeoutIdle 600             # disconnect a client that has been idle for this many seconds; the default is 600
DisplayLogin welcome.msg    # file shown to the user at login
RootLogin on                # allow root to log in over FTP; off by default and not recommended, since FTP sends the password in clear text
Welcome message settings
The welcome file (DisplayLogin) may contain the following variables, which proftpd expands when the file is shown (they are case-sensitive):
%T  current time
%F  free space on the filesystem holding the current directory
%C  current directory
%R  client host name
%L  server host name
%U  user account name
%M  maximum number of connections allowed
%N  current number of server connections
%E  FTP server administrator's e-mail address (ServerAdmin)
%i  number of files uploaded in this session
%o  number of files downloaded in this session
%t  total number of files transferred in this session
With these, a friendly welcome file can be written, for example:
Welcome, %U. This is the T-force test FTP server.
Current time: %T.
The server allows at most %M user connections;
there are currently %N user connections.
Your current directory is %C;
the disk holding it has %F free.
Anonymous configuration block
The anonymous block is a very important part of the configuration file; the permissions of the anonymous account are controlled by it. A common example:
# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire section.
<Anonymous ~ftp>
  # ~ftp is the login directory (chroot) for anonymous users
  User            ftp
  # the system user this block runs as
  Group           ftp
  # the system group this block runs as
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias       anonymous ftp
  # alias for the user
  AnonRequirePassword on
  # require the ftp account's real password instead of an e-mail address
  # (off by default; on effectively disables true anonymous access)
  # Limit the maximum number of anonymous logins
  MaxClients      10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin    welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
  <Limit ...>
    AllowAll
  </Limit>
</Anonymous>
The focus of the anonymous block is fine-grained permission management of specific directories through <Limit> blocks. Limit's control is complete: combining different commands gives any degree of control. The items it can restrict include:
CWD: Change Working Directory, i.e. entering a directory
MKD: MaKe Directory, creating directories
RNFR: ReName FRom, renaming files and directories
DELE: DELEte, deleting files
RMD: ReMove Directory, deleting directories
RETR: RETRieve, downloading from the server to the client
STOR: STORe, uploading from the client to the server
READ: the file-reading commands such as RETR; directory listing is not included
WRITE: the commands that write files or directories, including MKD and RMD
DIRS: directory listing, i.e. LIST, NLST and related commands; this group is the most practical one
Note: when testing whether a file can be downloaded, do not use an empty (0-byte) file; use a file with content, so that the transfer is actually exercised.
The subjects a Limit applies to are set with:
AllowUser: permit the limited commands to a user
DenyUser: deny the limited commands to a user
AllowGroup: permit the limited commands to a group
DenyGroup: deny the limited commands to a group
AllowAll: permit the limited commands to everyone
DenyAll: deny the limited commands to everyone
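The following is an added example, not from the original article or from the ProFTPD project. write_sample_conf writes a constructed proftpd.conf that applies the <Limit> rules described above (a read-only anonymous area with one blind upload directory, the way the shipped sample configurations use <Directory incoming/*>), and audit_conf is a small check that flags the settings from this section a reviewer would object to. The function names, the incoming/ directory and the ServerName string are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original article): a constructed proftpd.conf
# built around <Limit> blocks, plus an audit function for weak global settings.
# Function names, "incoming/" and the ServerName string are assumptions.

# write_sample_conf FILE: write the constructed configuration to FILE
write_sample_conf() {
  cat > "$1" <<'EOF'
ServerName          "Example FTP"
ServerType          standalone
DefaultServer       on
Port                21
Umask               022
MaxInstances        30
User                nobody
Group               nobody
ServerIdent         off
RootLogin           off
DefaultRoot         ~
TimeoutIdle         600
TimeoutStalled      300
AllowOverwrite      on

<Anonymous ~ftp>
  User              ftp
  Group             ftp
  UserAlias         anonymous ftp
  MaxClients        10
  AllowOverwrite    off
  # read-only everywhere under the anonymous chroot ...
  <Limit WRITE>
    DenyAll
  </Limit>
  # ... except incoming/: uploads are accepted, but nothing in it can be
  # listed, read back, renamed or deleted (paths are relative to ~ftp)
  <Directory incoming>
    <Limit DIRS>
      DenyAll
    </Limit>
  </Directory>
  <Directory incoming/*>
    <Limit READ WRITE>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
EOF
}

# audit_conf FILE: print one line per weak or missing setting; exit status 1
# if anything was found, 0 if the file passes. Comments are ignored.
audit_conf() {
  rc=0
  body=$(sed 's/#.*//' "$1")
  printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*DefaultRoot[[:space:]]+~' ||
    { echo "missing: DefaultRoot ~ (users can leave their home directory)"; rc=1; }
  printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*ServerIdent[[:space:]]+off' ||
    { echo "missing: ServerIdent off (banner reveals the server version)"; rc=1; }
  printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*RootLogin[[:space:]]+on' &&
    { echo "weak: RootLogin on (root password travels in clear text)"; rc=1; }
  # the last octal digit of Umask must clear the "others write" bit (2)
  umask_val=$(printf '%s\n' "$body" | awk 'tolower($1)=="umask"{print $2; exit}')
  case "$umask_val" in
    "") echo "missing: Umask"; rc=1 ;;
    *[2367]) ;;
    *) echo "weak: Umask $umask_val (new files world-writable)"; rc=1 ;;
  esac
  return $rc
}
```

Run write_sample_conf /tmp/proftpd.conf to get the configuration, then audit_conf /tmp/proftpd.conf; it is silent and returns 0 for the constructed file and prints one line per finding otherwise. The audit only looks at the global directives, so a <Limit> mistake inside the anonymous block still has to be tested by hand, as the note about non-empty test files above suggests.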
5. A simple and practical configuration management method
Combining proftpd with MySQL gives large-scale, complete permission control, but it also makes management and maintenance more complex. Here is a simpler method suitable for installations of fewer than 100 users. Its core is the clever use of the setgid bit on directories; readers unfamiliar with it should look it up. The configuration and management work of this method is small and simple, and it keeps a clear permission structure.
1. Idea
First, the relation between proftpd users and Linux users: proftpd users are Linux users. proftpd's permission checks sit on top of the Linux permission system: a user must first have Linux permission on a file or directory, and only on that basis can proftpd add its own restrictions. Linux's own permission system is fairly complete, and here it alone is enough to meet the requirements.
We create an FTP administrator, ftpadmin, belonging to the group ftpadmin. The FTP root /ftp is ftpadmin's home directory, so ftpadmin can do routine management. Setting the setgid bit on /ftp makes every newly uploaded file belong to the group ftpadmin, and Umask 002 gives the group read and write permission on uploaded files; the administrator can then manage all files through the group while each file keeps its original owner.
For FTP users, we only need to create a Linux user whose home directory lies under /ftp. The operation is simple.
2. Create the FTP administrator: ftpadmin
[root@localhost root]# groupadd ftpadmin                 # ftpadmin is the new group
[root@localhost root]# useradd -d /ftp -g ftpadmin -s /sbin/nologin ftpadmin
[root@localhost root]# chmod 2775 /ftp
At the same time make sure ftpadmin is the owner of /ftp and ftpadmin is its group, so that ftpadmin has full permission on the /ftp tree it manages (useradd sets both when it creates the directory; otherwise run chown ftpadmin:ftpadmin /ftp).
-s /sbin/nologin means the user cannot log in to a shell; it can only log in through FTP. This is a security measure. Note that proftpd rejects logins whose shell is not listed in /etc/shells (RequireValidShell is on by default), so add /sbin/nologin to /etc/shells or set RequireValidShell off in proftpd.conf.
Modify /usr/local/etc/proftpd.conf:
User ftpadmin
Group ftpadmin
Umask 002
# allow the owner and the group to manage the FTP tree
Changing Umask to 002 means both the group members and the owner can add, delete and modify files and directories, while other users can read and execute but not write. In this way ftpadmin can read and write all files through its group membership without changing the original permissions of the content: the owner of each file is unchanged, but the files can still be managed.
chmod 2775 /ftp sets the setgid bit on the directory: every file written into it, whoever the owner is, gets the group ftpadmin (because /ftp belongs to group ftpadmin), so it falls under ftpadmin's management.
Note that User and Group only set the identity of the daemon before a client authenticates; once a user logs in, proftpd switches to that user's own uid and gid, so uploads are created as the logged-in user and it is the setgid bit and the Umask that make the scheme work. Leaving User nobody and Group nobody in place works just as well and does not give the unauthenticated daemon write access to /ftp.
3. Add a user: user1
[root@localhost root]# useradd -d /ftp/user1 -g ftpadmin -s /sbin/nologin user1
user1 then has full permission on /ftp/user1, and the administrator can manage the directory through the group permission. Check the mode useradd gave the new home directory: on Red Hat it is created 0700 (UMASK 077 in /etc/login.defs), which neither carries the setgid bit nor lets the group in, so run chmod 2775 /ftp/user1 (or 2770 if other users should not read it) as was done for /ftp.
Whenever a user needs to be added, just add a Linux user in the same way.
4. Corresponding configuration file: important entries in proftpd.conf
Umask 002
DefaultRoot ~
Umask 002 ensures that newly created files have group read and write permission.
DefaultRoot ~ ensures that each user is confined to their own directory after login and cannot see other users' directories.
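The following is an added example, not taken from the original article: the setgid-based layout from this section as a script, plus two checks for the properties the scheme relies on. The function names, the probe file name and the FTP_ROOT variable are this example's own choices; /ftp, ftpadmin, 2775 and Umask 002 come from the text. create_accounts needs root; the two check functions only need a directory you can write to.

```shell
#!/bin/sh
# Added example (not part of the original article). Function names, the
# FTP_ROOT variable and the probe file name are assumptions; the paths,
# account names and modes are the ones the section describes.

FTP_ROOT=${FTP_ROOT:-/ftp}
ADMIN=ftpadmin

# create_accounts USER...: administrator, shared root, one account per name
# (must run as root)
create_accounts() {
  groupadd "$ADMIN"
  useradd -m -d "$FTP_ROOT" -g "$ADMIN" -s /sbin/nologin "$ADMIN"
  chmod 2775 "$FTP_ROOT"          # setgid: new files get group ftpadmin
  # proftpd refuses logins whose shell is not listed in /etc/shells
  # (RequireValidShell is on by default), so register /sbin/nologin
  grep -qx /sbin/nologin /etc/shells || echo /sbin/nologin >> /etc/shells
  for u in "$@"; do
    useradd -m -d "$FTP_ROOT/$u" -g "$ADMIN" -s /sbin/nologin "$u"
    # useradd creates the home with its own default mode (0700 on Red Hat);
    # the setgid bit and group rwx have to be set on each home explicitly
    chmod 2775 "$FTP_ROOT/$u"
  done
}

# dir_is_setgid DIR: succeeds if DIR is 2775 (setgid, group rwx, others rx)
dir_is_setgid() {
  [ "$(stat -c %a "$1")" = "2775" ]
}

# upload_inherits_group DIR NAME: creates DIR/NAME the way an upload under
# "Umask 002" would, then checks that the file carries DIR's group and is
# group-writable (664), i.e. the administrator can manage it
upload_inherits_group() {
  ( umask 002; : > "$1/$2" ) || return 1
  [ "$(stat -c %g "$1/$2")" = "$(stat -c %g "$1")" ] &&
    [ "$(stat -c %a "$1/$2")" = "664" ]
}
```

After create_accounts user1 user2 on a real host, dir_is_setgid /ftp/user1 and upload_inherits_group /ftp/user1 probe.txt (run as user1) confirm that files created through FTP end up in group ftpadmin with mode 664; if the second check fails while the first passes, the Umask in proftpd.conf is the usual cause.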