
listed in /etc/shells.

Default: RequireValidShell on
Context: server config, VirtualHost, Anonymous, Global

ScoreboardPath path

Directory that holds the proftpd runtime scoreboard files.

Default: ScoreboardPath /var/run
Context: server config

ServerAdmin "admin-email-address"

E-mail address of the server or virtual host administrator.

Default: ServerAdmin root@[ServerName]
Context: server config, VirtualHost

ServerType type-identifier

The server daemon's operating mode, either inetd or standalone.

Default: ServerType standalone
Context: server config

TimeoutIdle seconds

Maximum number of seconds proftpd allows a client to stay connected without any activity before the connection is dropped.

Default: TimeoutIdle 600
Context: server config

Umask octal-mask

Permission mask applied to files and directories newly created within the given context, in the same octal form as the shell umask (for example, 022 removes group and world write permission).

Default: None
Context: server config, Anonymous, VirtualHost, Directory, Global, .ftpaccess

User userid

The user the proftpd daemon runs as.

Default: None
Context: server config, VirtualHost, Anonymous, Global

UserAlias login-user userid

Maps a login name used by a client to a user ID on the server. A client logging in as login-user is actually logged in as user ID.

Often used inside an Anonymous block to allow the specified login names to perform an anonymous login.

Default: None
Context: server config, VirtualHost, Anonymous, Global

VirtualHost address

Configuration directives that apply to a particular hostname or IP address. Often used with virtual servers that run on the same physical machine. The block is terminated with a </VirtualHost> directive. By using the Port directive inside a VirtualHost block, you can create a virtual server that uses the same address as the master server but listens on a separate TCP port.

Default: None
Context: server config

proftpd -c newfile.conf

Different kinds of directives exist. Many set values, such as MaxClients, which sets the maximum number of clients, or ServerName, which sets the name of the FTP server. Others create blocks that hold directives applying to specific FTP server components. Block directives are entered in pairs: a beginning directive and a terminating directive. The terminating directive marks the end of the block and consists of the same name preceded by a slash. Block directives take an argument that specifies the particular object to which the enclosed directives apply.

For the Directory block directive, you must specify the directory to which it applies. The <Directory mydir> block directive creates a block whose directives apply to the mydir directory; the block is terminated by a </Directory> directive. <Anonymous ftp-dir> configures the anonymous service for your FTP server. You specify the directory on your system used for anonymous FTP, such as /var/ftp, and the block is terminated with the </Anonymous> directive. The <VirtualHost hostaddress> block directive configures a specific virtual FTP server and must include the IP address or domain name used for that server; </VirtualHost> is its terminating directive, and any directives placed within the block apply to that virtual FTP server. The <Limit permission> directive specifies the kind of access you want to limit. It takes as its argument one or more keywords indicating the kind of permission to be controlled: WRITE for write access, READ for read access, STOR for transfer access (uploading), and LOGIN to control user login. Within a Limit block, AllowAll and DenyAll grant or refuse that access to everyone.

A sample of the standard proftpd.conf file installed as part of the ProFTPD software package is shown here. Notice that the default ServerType is standalone. If you want to use xinetd to run your server, you must change this entry to inetd. Detailed examples of proftpd.conf files, showing various anonymous FTP and virtual host configurations, can be found with the ProFTPD documentation, located in /usr/doc, and on the ProFTPD Web site at www.proftpd.net.

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

Umask 022
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite on
</Directory>

# A basic anonymous configuration, with one incoming directory.
<Anonymous ~ftp>
  User ftp

read access. A second Directory directive creates an exception to this rule for the incoming directory. An incoming directory is usually set up on FTP sites to let users upload files. For this directory, the first Limit directive prevents both READ and WRITE access with its DenyAll directive, effectively preventing users from reading or deleting files there. The second Limit directive lets users upload files, permitting only transfers to the server (STOR) with its AllowAll directive.

One important directive for anonymous FTP configurations is RequireValidShell. By default, the FTP daemon first checks whether the account a remote user is logging in to has a valid shell, such as the BASH shell or the C shell, taking the list of valid shells from the /etc/shells file. If the account's shell is not listed there, the login is refused. You can turn the check off with the RequireValidShell directive and the off option, after which the account can log in regardless of its shell. The ftp system account normally has a non-login shell such as /sbin/nologin, which is not listed in /etc/shells, so anonymous configurations usually set RequireValidShell off inside the Anonymous block only; leaving it on elsewhere keeps FTP logins restricted to accounts that are meant to have interactive access.

<Anonymous /var/ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp
  RequireValidShell off

  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>

  # The only command allowed in incoming is STOR
  # (transfer file from client to server)
  <Directory incoming>
    <Limit READ WRITE>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
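To make the block structure and the Limit semantics above concrete, here is a small Python script added for this page; it is not part of ProFTPD or of the original text. It parses the subset of proftpd.conf syntax used here (one directive per line, lines starting with # as comments, and nested Anonymous, Directory, Limit and VirtualHost blocks) and audits every Anonymous block for three of the points discussed: whether the anonymous tree denies WRITE (directly or through a wildcard <Directory *> block as in the example above), whether the User account's shell would pass the RequireValidShell check against /etc/shells, and whether a directory that allows STOR also denies READ. The configuration, the passwd entries and the /etc/shells list embedded in the script are constructed sample data: the first Anonymous block mirrors the hardened example above, and a second one inside a VirtualHost block shows the weak form that the checks catch.

```python
"""Added example, not ProFTPD code: parse the proftpd.conf block syntax used on this
page and audit each <Anonymous> block. All sample data below is constructed."""
import re
from dataclasses import dataclass, field

@dataclass
class Block:
    name: str          # "server config" for the top level
    arg: str           # block argument, e.g. "/var/ftp" or "READ WRITE"
    directives: list = field(default_factory=list)  # (Name, [args]) in file order
    children: list = field(default_factory=list)    # nested Blocks in file order

_TAG = re.compile(r"^<(/?)(\w+)\s*([^>]*)>$")   # matches <Name arg> and </Name>

def parse(text):
    """Build the block tree; every <X ...> must be closed by a matching </X>."""
    stack = [Block("server config", "")]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := _TAG.match(line)) and m.group(1):      # closing tag
            if len(stack) == 1 or stack[-1].name != m.group(2):
                raise ValueError(f"line {lineno}: unexpected </{m.group(2)}>")
            stack.pop()
        elif m:                                          # opening tag
            child = Block(m.group(2), m.group(3).strip())
            stack[-1].children.append(child)
            stack.append(child)
        else:                                            # plain directive
            name, _, rest = line.partition(" ")
            stack[-1].directives.append((name, rest.split()))
    if len(stack) > 1:
        raise ValueError(f"unterminated <{stack[-1].name} {stack[-1].arg}>")
    return stack[0]

def get(block, name):  # arguments of the directive's last occurrence in block, else None
    hits = [a for n, a in block.directives if n.lower() == name.lower()]
    return hits[-1] if hits else None

def limit_has(block, perm, verdict):  # a direct <Limit ...> child names perm and holds verdict
    return any(c.name == "Limit" and perm in c.arg.upper().split()
               and get(c, verdict) is not None for c in block.children)

def walk(block, path=()):  # every block together with the chain of tags enclosing it
    yield path, block
    for c in block.children:
        yield from walk(c, path + (f"<{c.name} {c.arg}>",))

def audit(conf, passwd, shells):
    """Findings per Anonymous block. passwd: login -> shell; shells: set from /etc/shells."""
    findings = []
    for path, blk in walk(parse(conf)):
        if blk.name != "Anonymous":
            continue
        where = " ".join(path)
        # 1. Deny WRITE for the whole tree, directly or via a wildcard <Directory *> block.
        wide = [d for d in blk.children if d.name == "Directory" and d.arg in ("*", "/*")]
        if not any(limit_has(b, "WRITE", "DenyAll") for b in [blk] + wide):
            findings.append(f"{where}: no <Limit WRITE> DenyAll; anonymous users can write")
        # 2. RequireValidShell is on by default: login fails if User's shell is not in /etc/shells.
        user, rvs = get(blk, "User"), get(blk, "RequireValidShell")
        if user and passwd.get(user[0]) not in shells and not (rvs and rvs[0].lower() == "off"):
            findings.append(f"{where}: shell of {user[0]} not in /etc/shells; set RequireValidShell off")
        # 3. A drop box that allows STOR must also deny READ, or uploads are downloadable by all.
        for d in blk.children:
            if d.name == "Directory" and limit_has(d, "STOR", "AllowAll") \
                    and not limit_has(d, "READ", "DenyAll"):
                findings.append(f"{where} <Directory {d.arg}>: uploads allowed but READ not denied")
    return findings

SAMPLE_PASSWD = {"ftp": "/sbin/nologin", "nobody": "/sbin/nologin"}  # constructed
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh"}                 # constructed
SAMPLE_CONF = """\
<Anonymous /var/ftp>
  User ftp
  RequireValidShell off
  <Limit WRITE>
    DenyAll
  </Limit>
  <Directory incoming>
    <Limit READ WRITE>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
<VirtualHost 10.0.0.2>
  <Anonymous /var/ftp/dropbox>
    User ftp
    <Directory uploads>
      <Limit STOR>
        AllowAll
      </Limit>
    </Directory>
  </Anonymous>
</VirtualHost>
"""
```

Calling audit(SAMPLE_CONF, SAMPLE_PASSWD, SAMPLE_SHELLS) reports nothing for the first block and three findings for the drop box under the VirtualHost: no WRITE denial, a User account whose shell would fail the default RequireValidShell check, and an upload directory whose contents every other anonymous client can read. To run it against a real server, pass the contents of proftpd.conf, a login-to-shell map built from getent passwd, and the lines of /etc/shells. The parser refuses an unterminated block rather than guessing where it ends, since a missing </Limit> or </Directory> silently changes which directory a restriction covers.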

Recall that FTP was originally designed to let a remote user connect to an account of his or her own on the system. Users can log in to different accounts on your system using the FTP service. Anonymous users are restricted to the anonymous user account. However, you can create other users and their home directories that also function as anonymous FTP accounts with the same restrictions. Such accounts are known as guest accounts. Remote users are required to know the username and, usually, the password. Once connected, they only have read access to that account's files; the rest of the file system is hidden from them. In effect, you are creating a separate anonymous FTP site at the same location with more restricted access.

To create a guest account, first create a user and the home directory for it. You then create an Anonymous block in the proftpd.conf file for that account. The Anonymous directive takes the home directory of the guest user you created; you can specify this directory with a ~ followed by the username, since the directory name is usually the same as the username. Within the Anonymous block, you use the User and Group directives to specify the user and group names for the account. Set the AnonRequirePassword directive to on if you want remote users to provide the account's password. A UserAlias directive defines aliases for the username; a remote user can use either the alias or the original username to log in. You then enter the remaining directives for the block.

Extra IP addresses can be used for virtual servers, not independent machines. You can use such an extra IP address to set up a virtual FTP server, giving you another FTP site on the same system. This added server uses the extra IP address as its own, and remote users access it through that IP address instead of the system's main IP address. Because such an FTP server is not running independently on a separate machine but on the same machine, it is known as a virtual FTP server or virtual host. This feature lets you run what appears to others as several different FTP servers on one machine. When a remote user connects to the virtual FTP server's IP address, the ProFTPD daemon detects that request and acts as the FTP service for that site. ProFTPD can handle a great many virtual FTP sites at the same time on a single machine.

Note Given its configuration capabilities, you can also tailor any of the virtual FTP sites to specific roles, such as a guest site, an anonymous site for a particular group, or an anonymous site for a particular user.

You configure a virtual FTP server by entering a <VirtualHost> block for it in your proftpd.conf file. Such an entry begins with the VirtualHost directive and the IP address and ends with the terminating directive, </VirtualHost>. Any directives placed between them apply only to that virtual host. For anonymous or guest sites, add Anonymous blocks inside it (with AnonRequirePassword on for a guest account), and you can also add Directory blocks for specific directories. With the Port directive on a standalone configuration, you can create a virtual host that operates on the same address but accepts connections on a different port.

<VirtualHost 10.0.0.1>
  ServerName "My virtual FTP server"
</VirtualHost>

Xinetd and standalone configurations handle virtual hosts differently. Under xinetd, xinetd accepts the connection and hands it off to a proftpd process; the daemon then examines the local address and port the client connected to and serves the matching virtual host. In the standalone configuration, the proftpd daemon itself listens continuously on all configured addresses and ports and forks child processes to handle connections for the different virtual hosts as they arrive. In the standalone configuration, ProFTPD can support a great many virtual hosts at the same time.

The following example shows a sample configuration of a virtual FTP host. The VirtualHost directive uses a domain name for its argument. When a domain name is used, it must resolve to an IP address in the network's domain name server, and that IP address must belong to the machine on which the ProFTPD daemon is running. On the ftp.mypics.com virtual FTP server, a guest account named robpics is configured that requires a password to log in. An anonymous FTP account is also configured that uses the home directory /var/ftp/virtual/pics.

<VirtualHost ftp.mypics.com>
  ServerName "Mypics FTP Server"
  MaxClients 10
  MaxLoginAttempts 1
  DeferWelcome on

  <Anonymous ~robpics>
    User robpics
    Group robpics
    AnonRequirePassword on
  </Anonymous>

  <Anonymous /var/ftp/virtual/pics>
    User ftp
    Group ftp
    UserAlias anonymous ftp
  </Anonymous>
</VirtualHost>
