Installing and configuring ProFTPD (CentOS, Red Hat)

ServerName ProFTPD
#ServerType standalone
DefaultServer on
DefaultRoot ~
RootLogin off
# VRootEngine needs mod_vroot; remove the line if that module is not loaded
VRootEngine off
DefaultChdir /
AllowForeignAddress off
DefaultTransferMode ascii
PassivePorts 6000 7000
TimeoutSession 86400
AllowOverwrite on
AllowOverride off
UseReverseDNS off
IdentLookups off
RequireValidShell off
AuthPAM on
AuthPAMConfig proftpd
UseFtpUsers on
TimesGMT off
AuthGroupFile /etc/group
# the TZ value was lost from the source; substitute your own zone
SetEnv TZ <timezone>
Port 21
Umask 022
MaxInstances 30
ScoreboardFile /var/run/proftpd/scoreboard
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log
# Order/Allow/Deny are only valid inside a <Limit> section; the enclosing
# tags were lost from the source, LOGIN is an assumption
<Limit LOGIN>
  Order allow,deny
  Allow from all
  Deny from all
</Limit>
To see errors at start-up, run the daemon from a root console:
# proftpd
Also check the hostname of the server; it is best to set it to the server's IP address:
# hostname IP
Each virtual host requires a separate port or IP address.
ProFTPD can run in one of two modes (the ServerType directive): standalone or inetd.
ProFTPD can be run without root privileges. In that case you must use a Port above 1023, disable AuthPAM and WtmpLog, use AuthUserFile and AuthGroupFile, and set User and Group to the account the daemon runs as. DefaultRoot and <Anonymous> cannot be used.
Using DefaultRoot (chroot) requires running the server as root. Some systems require specific files inside the chroot directory (for example, Solaris requires /dev/tcp and /dev/zero). Symbolic links may not point outside the chroot (hard links or mount --bind can be used instead).
ProFTPD lets you create "virtual" users with the AuthUserFile and AuthGroupFile directives (or via LDAP and SQL databases with additional modules). AuthUserFile replaces /etc/passwd and uses the same format; AuthGroupFile does the same for /etc/group. The encrypted passwords are stored in this file (there is no equivalent of /etc/shadow), so the file should be readable only by the user named in the User directive of the virtual server (preferably a dedicated user for ftpd). See also DirFakeUser and DirFakeGroup.
Clients can be assigned to classes by IP address or domain-name pattern with the directives "Class name ip address/mask" and "Class name regex pattern"; the number of simultaneous connections per class is then limited with "Class name limit number" (requires "Classes on" and standalone mode).
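The page's advice that an AuthUserFile must be readable only by the daemon's User/Group (repeated under the AuthUserFile directive below) is easy to check mechanically. This is an added example of mine, not code from the page or from ProFTPD: it audits a passwd-format file's mode, ownership and entries; the uid/gid passed in are the ones the User and Group directives resolve to, and the fixture in demo() is constructed.

```python
import os
import stat
import tempfile


def audit_auth_file(path, daemon_uid, daemon_gid, user_file=True):
    """Findings for an AuthUserFile (or AuthGroupFile with user_file=False).

    Acceptable ([]): no 'other' bits, not group-writable, and readable by the
    daemon either as owner or through its group.  For a user file, entries
    with an empty password field or uid 0 are reported as well.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: does not exist" % path]
    mode, findings = stat.S_IMODE(st.st_mode), []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible (mode %04o)" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable (mode %04o)" % mode)
    owner_ok = st.st_uid == daemon_uid and mode & stat.S_IRUSR
    group_ok = st.st_gid == daemon_gid and mode & stat.S_IRGRP
    if not (owner_ok or group_ok):
        findings.append("not readable by daemon uid %d/gid %d" % (daemon_uid, daemon_gid))
    if user_file:
        with open(path) as fh:
            for no, line in enumerate(fh, 1):
                f = line.rstrip("\n").split(":")   # name:hash:uid:gid:gecos:home:shell
                if len(f) < 7:
                    continue
                if f[1] == "":
                    findings.append("line %d: empty password field" % no)
                if f[2] == "0":
                    findings.append("line %d: virtual user with uid 0" % no)
    return findings


def demo():
    """Constructed fixture: a two-entry AuthUserFile audited at mode 0600 and
    again at 0644.  Returns (findings_at_0600, findings_at_0644)."""
    body = ("alice:$6$constructed$hash:1001:1001::/srv/ftp/alice:/sbin/nologin\n"
            "bob::1002:1001::/srv/ftp/bob:/sbin/nologin\n")
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(body)
    uid, gid = os.getuid(), os.getgid()   # stands in for the User/Group account
    try:
        os.chmod(fh.name, 0o600)
        before = audit_auth_file(fh.name, uid, gid)
        os.chmod(fh.name, 0o644)
        after = audit_auth_file(fh.name, uid, gid)
    finally:
        os.unlink(fh.name)
    return before, after
```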
Configuration directives have scopes (sections are defined as in the Apache configuration file, with HTML-like opening and closing tags):
the main server: everything outside the other sections
<Global>: parameters common to all virtual servers
<VirtualHost address>: directives for one virtual server; a Port directive inside it lets one address serve many virtual servers (standalone only)
<Anonymous directory>: chroots by default and does not check the password; unlike wu-ftpd, no extra files or libraries are needed inside the chroot; part of the main server or of a virtual host
<Directory path>: options specific to a directory; cannot be nested; the last path component may be "*"; the path must be absolute, except inside an <Anonymous> block; symbolic links cannot be specified; "~" may be used for the home directory
<Limit command ...>: limits on the use of objects in the directory (complements but does not replace file-system permissions); besides FTP commands, group names can be used: READ (SITE, SIZE, RETR, STAT), WRITE (APPE, DELE, MKD, RMD, RNTO, STOR, XMKD, XRMD), DIRS (CDUP, CWD, LIST, NLST, MDTM, PWD, RNFR, XCUP, XCWD, XPWD), ALL (READ, WRITE, DIRS), LOGIN (only in the main server, <Anonymous> and <VirtualHost> scopes), and names of the form SITE_CHMOD; blocks with group names have lower priority; an inner block takes precedence over an outer one; several command names separated by spaces may be given in one block
.ftpaccess file: lets the owner of a directory override its settings on the fly; creation of files with this name can be suppressed, or the override disabled with "AllowOverride off" (since version 1.2.8)
TCP/IP settings:
Bind IP-address (scope: main server, VirtualHost)
DefaultAddress IP-address (scope: main server)
DefaultServer off|on (whether to use this configuration for connections to addresses other than those of the VirtualHosts; scope: main server, VirtualHost)
IdentLookups on|off (use ident (RFC 1413) to identify the connecting client; it is recommended to disable it, the protocol is no longer used; scope: main server, Global, VirtualHost)
PassivePorts min max (range of ports usable for passive-mode data connections)
Port port-number (standalone mode only)
Access control inside a <Limit> section:
Allow from all|none|host|network
grants the action defined by the Limit, depending on an IP-address pattern (192.168.) or domain-name pattern (.company.ru); scope: Limit; default: from all
AllowAll (explicit permission; scope: Limit, Anonymous, Directory)
AllowGroup comma-separated-group-list
to use the commands named in the Limit, the user must belong to all listed groups (AND; an exclamation mark before a group name negates it)
AllowUser comma-separated-user-list
to use the commands named in the Limit, the user must have all listed names (AND; an exclamation mark before a name negates it)
Deny from all|none|host|network
denies the action defined by the Limit, depending on an IP-address pattern (192.168.) or domain-name pattern (.company.ru); scope: Limit; default: from none
DenyAll (synonym for "Order deny,allow" plus "Deny from all")
DenyGroup comma-separated-group-list
denies the commands named in the Limit to users belonging to all listed groups (AND; an exclamation mark before a group name negates it)
DenyUser comma-separated-user-list
denies the commands named in the Limit to users with the listed names (AND; an exclamation mark before a name negates it)
Order allow,deny|deny,allow (determines the sequence in which the Allow and Deny directives are checked and the default action. allow,deny: the Allow directives are checked; if a match is found, access is granted; otherwise the Deny directives are checked; if a match is found, access is denied; otherwise access is granted. deny,allow: the Deny directives are checked; if a match is found, access is denied; otherwise the Allow directives are checked; if a match is found, access is granted; otherwise access is denied. Note that the Apache defaults produce the opposite effect!)
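Because the Order semantics run opposite to Apache's, it is worth working through a few cases. The following is an added example of mine (not code from the page or from ProFTPD) that applies the checking sequence the page gives for each Order value to the "from" pattern kinds it names (all, none, a dotted IP prefix such as 192.168., a domain suffix such as .company.ru, an exact host or address); the way those prefix and suffix patterns are matched is my own simplified reading. The test cases include the block from the top of the page (Order allow,deny, Allow from all, Deny from all), which ends up admitting everyone.

```python
def _from_matches(patterns, client_ip, client_host):
    """True if any Allow/Deny "from" pattern matches the client."""
    host = (client_host or "").lower()
    for pat in patterns:
        p = pat.lower()
        if p == "all":
            return True
        if p == "none":
            continue
        if p.startswith("."):             # domain suffix, e.g. .company.ru
            if host.endswith(p):
                return True
        elif p.endswith("."):             # dotted IP prefix, e.g. 192.168.
            if client_ip.startswith(p):
                return True
        elif p in (client_ip, host):      # exact address or host name
            return True
    return False


def limit_decision(order, allow, deny, client_ip, client_host=None):
    """True if the <Limit> grants access.

    order: "allow,deny" (the ProFTPD default) or "deny,allow".
    allow/deny: lists of Allow/Deny "from" patterns; an empty list means the
    directive is absent, i.e. the defaults Allow from all / Deny from none.
    """
    allow = allow or ["all"]
    deny = deny or ["none"]
    allowed = _from_matches(allow, client_ip, client_host)
    denied = _from_matches(deny, client_ip, client_host)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow first: match -> grant; else Deny: match -> refuse; else grant.
        return True if allowed else not denied
    if order == "deny,allow":
        # Deny first: match -> refuse; else Allow: match -> grant; else refuse.
        return False if denied else allowed
    raise ValueError("Order must be allow,deny or deny,allow")


def deny_all(client_ip, client_host=None):
    """DenyAll as the page defines it: Order deny,allow plus Deny from all."""
    return limit_decision("deny,allow", [], ["all"], client_ip, client_host)
```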
Managing anonymous access:
AnonRequirePassword off|on
<Anonymous root-directory> (opens the scope for anonymous access and chroots into the directory; used in the main server, Global and VirtualHost scopes)
AnonymousGroup comma-separated-group-list (users in these groups are treated as anonymous: no password is required and they are chrooted into their home directory; the user must be in all listed groups (AND; an exclamation mark before a group name negates it); scope: main server, Global, VirtualHost)
AuthUsingAlias off|on (scope: Anonymous)
Security management:
AllowFilter regular-expression (restricts the text parameters of FTP commands to the given pattern; scope: main server, Global, VirtualHost, Anonymous; it is recommended to allow only letters, digits, underscore, dot, comma and backslash)
AllowForeignAddress on|off (allow clients to specify in the PORT command an address other than their own, which allows data to be sent directly from one server to another; scope: main server, Global, VirtualHost, Anonymous)
AllowOverride (?; in Apache this directive specifies which options may be changed by .htaccess; off disables the use of .ftpaccess?)
AllowOverwrite on|off (allow overwriting existing files; scope: server config, VirtualHost, Anonymous, Directory, Global, .ftpaccess)
AuthAliasOnly off|on (grant access only to users named in a UserAlias directive; scope: server config, VirtualHost, Anonymous, Global)
AuthGroupFile file-name (instead of /etc/group; opened before chroot; scope: server config, VirtualHost, Global)
AuthOrder ?
AuthPAM on|off (scope: main server, Global, VirtualHost)
AuthPAMAuthoritative off|on (if PAM rejects the authentication, the other modules are not consulted at all; scope: main server, Global, VirtualHost)
AuthPAMConfig service (PAM service name; default: ftp; scope: main server, Global, VirtualHost)
AuthUserFile file-name (instead of /etc/passwd; opened before chroot; if several users share a uid, they must be separated with DefaultRoot ~, and DirFakeUser on ~ and DirFakeGroup on ~ are then recommended; the encrypted password is stored in the same file (there is no equivalent of /etc/shadow); MD5?; the file must be readable by the uid/gid given in the User/Group directives and closed to everyone else (create a dedicated user instead of nobody/nogroup); scope: server config, VirtualHost, Global)
CommandBufferSize number-of-characters (limits the maximum length of a command)
PathDenyFilter regular-expression (files whose names match the pattern cannot be created; scope: main server, Global, VirtualHost, Anonymous), for example:
PathDenyFilter "(\.ftpaccess)|(\.htaccess)$"
PersistentPasswd on|off (keep /etc/passwd and /etc/group open in proftpd, including after chroot)
RLimitCPU soft-limit|"max" [hard-limit|"max"] (maximum number of CPU seconds for the process)
RLimitMemory soft-limit|"max" [hard-limit|"max"] (maximum number of bytes for the process)
RLimitOpenFiles soft-limit|"max" [hard-limit|"max"]
RequireValidShell on|off (authenticate the client only if its login shell is listed in /etc/shells; scope: main server, Global, VirtualHost, Anonymous)
RootLogin off|on (allow root to log in; scope: main server, Global, VirtualHost, Anonymous)
TCPAccessFiles allow-file deny-file (the files contain IP-address or name patterns in the format of the tcpwrapper hosts.allow and hosts.deny; the names must be absolute or start with "~/" or "~username/"; scope: main server, Global, VirtualHost, Anonymous)
TCPGroupAccessFiles group-pattern allow-file deny-file (separate hosts.allow and hosts.deny for certain groups; an exclamation mark before the group name negates it; scope: main server, Global, VirtualHost)
TCPServiceName service-name (used instead of the default name proftpd when parsing hosts.allow and hosts.deny; scope: main server, Global, VirtualHost, Anonymous)
TCPUserAccessFiles user-pattern allow-file deny-file (separate hosts.allow and hosts.deny for certain users; an exclamation mark before the user name negates it; scope: main server, Global, VirtualHost)
UseFtpUsers on|off (users listed in /etc/ftpusers are not allowed in; scope: main server, Global, VirtualHost, Anonymous)
User uid (user under which the server runs; scope: server config, VirtualHost, Global, Anonymous)
UserAlias login-name uid (the name entered by the client is mapped to the system user; scope: main server, Global, VirtualHost, Anonymous), for example:
UserAlias anonymous ftp
UserDirRoot off|on (chroot into a subdirectory of the anonymous root named after the client's login name; scope: Anonymous), for example:
UserAlias foo ftp
UserDirRoot on
# logging in as foo results in a chroot into ~ftp/foo
UserPassword uid encrypted-password (replaces the password from /etc/shadow or its equivalent; scope: main server, Global, VirtualHost, Anonymous)
File management:
AllowStoreRestart off|on (allow resuming uploads to the server; scope: server config, VirtualHost, Anonymous, Directory, Global, .ftpaccess)
DefaultChdir directory-name [comma-separated-group-list] (may be relative to the home directory, which is the default; the user must be in all listed groups (AND; an exclamation mark before a group name negates it); scope: server config, VirtualHost, Anonymous, Global)
DefaultTransferMode ascii|binary
DeleteAbortedStores off|on
GroupOwner group-name (group assigned to newly created files and directories; limited by the access rights of the current user; scope: Anonymous, Directory, .ftpaccess)
HiddenStor on|off (also HiddenStores; a file uploaded to the server is written under a temporary name and then renamed, so that partially uploaded files are not used; incompatible with AllowStoreRestart; scope: Directory, VirtualHost, Global)
StoreUniquePrefix prefix (prefix added to the unique 6-character file names created by STOU)
Umask file-mask [directory-mask] (octal numbers, see umask(2); does not allow the execute bits to be left on regular files, but there is a SITE CHMOD file-name rights command; scope: server config, VirtualHost, Anonymous, Global, Directory, .ftpaccess)
UserOwner user-name (uid assigned to newly created files and directories; limited by the access rights of the current user; cannot be 0; scope: Anonymous, Directory, .ftpaccess)
Managing messages sent to clients:
AccessDenyMsg message
AccessGrantMsg message
DeferWelcome off|on (hold the greeting until authentication; part of the welcome is still shown)
DisplayConnect file-name (absolute, or relative to the home directory)
DisplayFirstChdir file-name (absolute, or relative to the directory; the following macros may be used:
%T current time
%F free space in the file system
%C name of the current directory
%R remote host name
%L local host name
%u user name
Logging (by default via the syslog daemon, facility daemon, with authentication messages to authpriv):
AllowLogSymlinks on|off (allow writing to log files that are symbolic links; scope: main server, Global, VirtualHost)
DebugLevel level (debug output level; see the -d/--debug option)
ExtendedLog file-name [command-class-list] [format-name] (specifies the log file name, the name of a LogFormat, and a comma-separated list of command classes: NONE, AUTH, INFO, DIRS, READ, WRITE, MISC, ALL; nobody except root should have write access to the directory and the file; the file name may also be the string "syslog:level")
LogFormat format-name "format-string" (binds a format string to a format name; the metacharacters %A, %d, %D, %F, %l, %m, %r, %U are passed through from the client without processing and may contain anything at all, including control characters):
%% the % character
%a IP address of the client
%A password string for anonymous, or UNKNOWN
%b bytes transferred
%{name} environment variable
%d simple name of the directory, for directory commands
%D fully qualified name of the directory, for directory commands
%f absolute file name
%F file name as seen by the client
%h DNS name of the client
%l client name obtained via ident, or UNKNOWN
%L IP address of the server
%m name of the command received from the client
%p port number on the server
%P pid of the server
%r command line text
%s numeric code of the server's response
%t local time
%{format}t local time in strftime(3) format
%T number of seconds spent on the transfer
%u uid under which the server runs
%U parameter of the USER command
%v server name from ServerName
%V DNS name of the server
Example:
LogFormat xfer_fmt "%t %u %f"
ExtendedLog /var/log/upload WRITE xfer_fmt
ExtendedLog /var/log/dnload READ xfer_fmt
ServerLog (?)
SyslogFacility facility (by default authentication messages use AUTHPRIV, all others DAEMON)
SyslogLevel severity-level (minimum severity of messages sent to syslog; scope: server, VirtualHost, Global)
SystemLog file-name|NONE (redirect messages to a file instead of syslog)
TCPAccessSyslogLevels [allow-level deny-level] (severity levels for syslog messages from the tcpwrapper checks; default: info and warn)
TransferLog file-name|NONE (file name for the transfer log in wu-ftpd format; default /var/log/xferlog; scope: server, VirtualHost, Anonymous, Global)
WtmpLog on|off|NONE (scope: server, VirtualHost, Anonymous, Global)
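The caveat above, that %A, %d, %D, %F, %l, %m, %r and %U reach the log unprocessed, matters to whoever reads ExtendedLog files afterwards: a client can plant control characters that forge or hide entries. As an added example of mine (not code from the page or from ProFTPD), the following compiles a LogFormat string into a regular expression from the meta list above and flags those client-controlled fields when they carry control characters; the bracketed shape assumed for %t, the auth_fmt format and the sample lines are constructed.

```python
import re

# Metas the page lists as copied from the client without processing.
CLIENT_CONTROLLED = {"A", "d", "D", "F", "l", "m", "r", "U"}
_META = re.compile(r"%(?:\{([^}]*)\}(t?)|(.))")   # %x, %{env}, %{fmt}t
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def compile_logformat(fmt):
    """(regex, field names) for a LogFormat string such as "%t %u %f"; %t is
    assumed to be a bracketed [dd/Mon/yyyy:HH:MM:SS zone] stamp, any other
    meta the shortest text before the next literal (last field takes the rest)."""
    pattern, names, pos = "^", [], 0
    for m in _META.finditer(fmt):
        pattern += re.escape(fmt[pos:m.start()])   # literal text between metas
        pos = m.end()
        env, time_fmt, meta = m.groups()
        if meta == "%":
            pattern += "%"
        elif meta == "t":
            pattern += r"(\[[^\]]*\])"
            names.append("t")
        else:
            pattern += r"(.+?)"
            names.append(meta if meta else "{%s}%s" % (env, time_fmt))
    return re.compile(pattern + re.escape(fmt[pos:]) + "$"), names


def parse_line(compiled, line):
    """(record, tainted); tainted = client-controlled fields holding control
    characters (forged/hidden entries); (None, []) if the line does not fit."""
    regex, names = compiled
    m = regex.match(line.rstrip("\r\n"))
    if not m:
        return None, []
    record = dict(zip(names, m.groups()))
    tainted = [n for n in names if n in CLIENT_CONTROLLED and _CONTROL.search(record[n])]
    return record, tainted


# Constructed sample: the page's xfer_fmt and an assumed auth_fmt that logs
# the USER argument (%U), which the page says reaches the log unprocessed.
XFER_FMT = "%t %u %f"
AUTH_FMT = '%t %a "%U" %s'
SAMPLE_AUTH_LINES = [
    '[01/Jan/2024:10:00:00 +0000] 198.51.100.7 "alice" 230',
    '[01/Jan/2024:10:00:05 +0000] 203.0.113.9 "admin\x1b[2K\x1b[1A" 530',
]


def scan(fmt, lines):
    """(line number, tainted fields) for every line with control characters."""
    compiled = compile_logformat(fmt)
    return [(n, t) for n, line in enumerate(lines, 1)
            for _, t in [parse_line(compiled, line)] if t]
```

A line that does not fit the format at all is also worth a look: a newline injected into a field splits one entry in two, and the second half shows up as an unparseable line.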
Conditionals: Define (parameters can also be defined on the command line when starting proftpd), <IfDefine>, <IfModule>; they can be nested. There is also an Include directive.
Format of directory listings (LIST, NLST, STAT):
DirFakeGroup
DirFakeMode
DirFakeUser
LsDefaultOptions "string" (scope: server, VirtualHost, Anonymous, Global)
ListOptions
ShowDotFiles off|on (equivalent to LsDefaultOptions "-A"; scope: server, VirtualHost, Anonymous, Global)
ShowSymlinks on|off (show symbolic links themselves or the files they resolve to; scope: server, VirtualHost, Anonymous, Global)
TimesGMT on|off (show GMT or local time; scope: server, VirtualHost, Anonymous, Global)
UseGlobbing on|off (allow patterns instead of file names; scope: server, VirtualHost, Anonymous, Global)
Locations of service files:
PidFile file-name (standalone mode only)
ScoreboardFile file-name (default /var/run/proftpd.scoreboard; stores information about the current sessions)
Traffic limitation.