ProFTPD

ProFTPD (Professional FTP Daemon) — FTP-сервер для Linux и UNIX-подобных операционных систем. ProFTPD использует лишь один конфигурационный файл proftpd.conf.
Сервер может быть настроен для обслуживания нескольких виртуальных хостов, а также поддерживает chroot. Может быть запущен в виде отдельного сервера (демона) или в составе суперсервера inetd. Также поддерживает IPv6.

Расширения: поддерживает модули, добавляющие SSL/TLS-шифрование, аутентификацию через LDAP, работу с SQL, туннелирование соединений через SSH.

# Update the package index, then install ProFTPD from the distribution
# repositories (yum-based system, e.g. RHEL/CentOS/Fedora).
$ sudo yum update
$ sudo yum install proftpd

Правим:

nano /etc/proftpd.conf
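# /etc/proftpd.conf — standalone ProFTPD server.
#
# Changes against the stock listing:
#   * TLSCipherSuite tightened (the old "ALL:!ADH:!DES" still admitted
#     export, RC4 and NULL-encryption suites) and the protocol pinned.
#   * DebugLevel lowered to 0: level 9 floods SystemLog and is only
#     meant for short troubleshooting sessions.
# Note that every <IfDefine NAME> section below is inert unless proftpd
# is started with the matching define (e.g. "proftpd -DTLS"); without
# -DTLS the server accepts plaintext FTP logins.

ServerName            "FTP server"
ServerIdent           on "FTP Server ready."
ServerAdmin           root@localhost
DefaultServer         on
UseIPv6               off
IdentLookups          off
# Fixed passive-mode port range so the firewall can be opened precisely.
PassivePorts          40900 40999
# Chroot every user into their home directory, except members of group adm.
DefaultRoot           ~ !adm
AuthPAMConfig         proftpd
AuthOrder             mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS         off
# Unprivileged identity the daemon drops to after binding the port.
User                  nobody
Group                 nobody
MaxInstances          20
UseSendfile           off
SystemLog             /var/log/proftpd/proftpd.log
TransferLog           /var/log/proftpd/xfer.log
ExtendedLog           /var/log/proftpd/access.log WRITE,READ write
ExtendedLog           /var/log/proftpd/auth.log AUTH auth
# 0 for production; raise temporarily (up to 9) only while debugging.
DebugLevel            0
LoadModule            mod_ctrls_admin.c
LoadModule            mod_vroot.c
# Control socket: any local user may connect and run "lsmod", but
# insmod/rmmod and every other action are restricted to root.
ModuleControlsACLs    insmod,rmmod allow user root
ModuleControlsACLs    lsmod allow user *
ControlsEngine        on
ControlsACLs          all allow user root
ControlsSocketACL     allow user *
ControlsLog           /var/log/proftpd/controls.log

<IfModule mod_ctrls_admin.c>
    AdminControlsEngine   on
    AdminControlsACLs     all allow user root
</IfModule>

<IfModule mod_vroot.c>
    VRootEngine on
</IfModule>

# Active only when started with -DTLS.
<IfDefine TLS>
    TLSEngine on
    # Refuse unencrypted control and data connections.
    TLSRequired on
    # Certificate and private key live in the same PEM file; keep it
    # readable by root only.
    TLSRSACertificateFile    /etc/pki/tls/certs/proftpd.pem
    TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
    # Strong suites only: no anonymous key exchange, no MD5-based MACs.
    TLSCipherSuite           HIGH:!aNULL:!MD5
    TLSProtocol              TLSv1.2
    TLSOptions               NoCertRequest
    TLSVerifyClient          off
    #TLSRenegotiate          ctrl 3600 data 512000 required off timeout 300
    TLSLog                   /var/log/proftpd/tls.log
    <IfModule mod_tls_shmcache.c>
        TLSSessionCache      shm:/file=/var/run/proftpd/sesscache
    </IfModule>
</IfDefine>

# Active only when started with -DDYNAMIC_BAN_LISTS.
<IfDefine DYNAMIC_BAN_LISTS>
    LoadModule               mod_ban.c
    BanEngine                on
    BanLog                   /var/log/proftpd/ban.log
    BanTable                 /var/run/proftpd/ban.tab
    # If the same client reaches the MaxLoginAttempts limit 2 times
    # within 10 minutes, automatically add a ban for that client that
    # will expire after one hour.
    BanOnEvent               MaxLoginAttempts 2/00:10:00 01:00:00
    # Inform the user that it's not worth persisting
    BanMessage               "Host %a has been banned"
    # Allow the FTP admin to manually add/remove bans
    BanControlsACLs          all allow user ftpadm
</IfDefine>

# Active only when started with -DQOS.
<IfDefine QOS>
    LoadModule              mod_qos.c
    # RFC791 TOS parameter compatibility
    QoSOptions              dataqos throughput ctrlqos lowdelay
    # For a DSCP environment (may require tweaking)
    #QoSOptions dataqos CS2 ctrlqos AF41
</IfDefine>

<Global>
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable
    Umask                   022
    # Allow users to overwrite files and change permissions
    AllowOverwrite          yes
    <Limit ALL SITE_CHMOD>
        AllowAll
    </Limit>
</Global>

# Active only when started with -DANONYMOUS_FTP.
<IfDefine ANONYMOUS_FTP>
    <Anonymous ~ftp>
        User                      ftp
        Group                     ftp
        AccessGrantMsg            "Anonymous login ok, restrictions apply."
        # We want clients to be able to login with "anonymous" as well as "ftp"
        UserAlias                 anonymous ftp
        # Limit the maximum number of anonymous logins
        MaxClients                10 "Sorry, max %m users -- try again later"
        # Put the user into /pub right after login
        #DefaultChdir /pub
        # We want 'welcome.msg' displayed at login, '.message' displayed in
        # each newly chdired directory and tell users to read README* files.
        DisplayLogin              /welcome.msg
        DisplayChdir              .message
        DisplayReadme             README*
        # Cosmetic option to make all files appear to be owned by user "ftp"
        DirFakeUser               on ftp
        DirFakeGroup              on ftp
        # Limit WRITE everywhere in the anonymous chroot
        <Limit WRITE SITE_CHMOD>
            DenyAll
        </Limit>
        # An upload directory that allows storing files but not retrieving
        # or creating directories (write-only drop box: STOR allowed,
        # READ denied, existing files cannot be overwritten).
        #
        # Directory specification is slightly different if mod_vroot is in
        # use: see http://sourceforge.net/p/proftp/mailman/message/31728570/
        # https://bugzilla.redhat.com/show_bug.cgi?id=1045922
        <IfModule mod_vroot.c>
            <Directory /uploads/*>
                AllowOverwrite    no
                <Limit READ>
                    DenyAll
                </Limit>
                <Limit STOR>
                    AllowAll
                </Limit>
            </Directory>
        </IfModule>
        <IfModule !mod_vroot.c>
            <Directory uploads/*>
                AllowOverwrite    no
                <Limit READ>
                    DenyAll
                </Limit>
                <Limit STOR>
                    AllowAll
                </Limit>
            </Directory>
        </IfModule>
        # Don't write anonymous accesses to the system wtmp file (good idea!)
        WtmpLog                   off
        # Logging for the anonymous transfers
        ExtendedLog               /var/log/proftpd/access.log WRITE,READ default
        ExtendedLog               /var/log/proftpd/auth.log AUTH auth
    </Anonymous>
</IfDefine>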

С такой настройкой уже можно подключаться любым системным пользователем.

Переходим к более безопасному и гибкому варианту – виртуальным пользователям.

 

