Install software
Install ProFTPd:
sudo apt-get install proftpd-mysql
You can find ProFTPd Administrator here: http://sourceforge.net/projects/proftpd-adm/
I assume you already have a MySQL server installed.
ProFTPd Administrator
Setup Apache
Make the following site by creating the file proftpd in /etc/apache2/sites-available.
Listen 666
<VirtualHost *:666>
    DocumentRoot "/var/www/proftpd_admin"
    ServerName localhost:666
    ServerAdmin you@example.com
    ErrorLog /var/log/apache2/proftpd_error_log
    TransferLog /var/log/apache2/proftpd_access_log

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    <Directory "/var/www/proftpd_admin">
        SSLOptions +StdEnvVars
        SSLRequireSSL
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog /var/log/apache2/pureftpd_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Directory /var/www/proftpd_admin>
        AllowOverride AuthConfig
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
Now extract proftpd administrator into this directory.
Word of caution! This virtual host is not restricted in any way, so anyone who can reach port 666/tcp on your server can configure the FTP server. Alternatively you can protect it with a username/password. See howto here
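One way to add that username/password protection, as an added example and not part of the original howto: the vhost above already sets AllowOverride AuthConfig for /var/www/proftpd_admin, so a .htaccess in that directory is honoured. The password file is kept outside the DocumentRoot so it can never be served. The file paths, the user name ftpadmin and the PROFTPD_ADMIN_APPLY switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original howto): lock the ProFTPd Administrator
# vhost behind HTTP basic auth via .htaccess. Paths and user name are assumptions.

# Write an .htaccess that requires a valid user from the given password file.
# $1 = directory served by the vhost, $2 = path of the htpasswd file.
# The password file is refused if it lives under the served directory.
write_htaccess() {
    dir=$1
    passwd_file=$2
    case $passwd_file in
        "$dir"/*) echo "password file must not live under $dir" >&2; return 1 ;;
    esac
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "ProFTPd Administrator"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Add (or replace) one user in the htpasswd file using Apache's MD5 ($apr1$)
# scheme, which mod_authn_file understands. $1 = htpasswd file, $2 = user,
# $3 = password (read from an argument here; take it from a prompt in practice).
add_admin_user() {
    passwd_file=$1
    user=$2
    pwhash=$(printf '%s' "$3" | openssl passwd -apr1 -stdin)
    touch "$passwd_file"
    grep -v "^$user:" "$passwd_file" > "$passwd_file.tmp" || true
    printf '%s:%s\n' "$user" "$pwhash" >> "$passwd_file.tmp"
    mv "$passwd_file.tmp" "$passwd_file"
    chmod 640 "$passwd_file"
}

# Number of accounts in a htpasswd file (sanity check after editing).
count_users() { grep -c '^[^:]*:' "$1"; }

# Apply to the real paths only when explicitly asked (assumed switch).
if [ "${PROFTPD_ADMIN_APPLY:-0}" = 1 ]; then
    write_htaccess /var/www/proftpd_admin /etc/apache2/proftpd_admin.htpasswd
    add_admin_user /etc/apache2/proftpd_admin.htpasswd ftpadmin "$ADMIN_PASSWORD"
    chown root:www-data /etc/apache2/proftpd_admin.htpasswd
fi
```

The password file is owned by root with group www-data and mode 640, so the web server can read it but nothing served from the vhost can download it.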
Setup MySQL
Inside /var/www/proftpd_admin/misc/database_structure_mysql you will find the files that create the database structure. Open db_structure.sql and edit the last three lines, where the user proftpd is created and granted rights on the database:
...
...
GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY 'abc123';
Next import the files by running these commands:
mysql -uroot -p < db_structure.sql
mysql -uroot -p < powerdns.sql
mysql -uroot -p < upgrade_to_v0.9.sql
mysql -uroot -p < vhosts.sql
Now you should have a database called proftpd_admin with a lot of tables in it.
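The editing and import steps above, scripted so the proftpd MySQL account never ends up with the published placeholder password. This is an added example, not part of the original howto or of ProFTPd Administrator; the file names are the howto's, while the MYSQL_ROOT_PASSWORD and PROFTPD_ADMIN_APPLY variables and the /root/proftpd_db_password file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original howto): replace 'abc123' in
# db_structure.sql with a generated password, then import the schema files.

# Generate a 24-character alphanumeric password. Sticking to [A-Za-z0-9]
# keeps it safe inside SQL single quotes and inside the sed expression below.
gen_password() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Rewrite every "IDENTIFIED BY 'abc123'" in $1 to use the password $2.
# Prints the number of lines now carrying the new password (3 for the stock
# file) and fails if the password has unsafe characters or the placeholder
# survives.
set_grant_password() {
    sqlfile=$1
    newpw=$2
    case $newpw in
        ''|*[!A-Za-z0-9_-]*)
            echo "set_grant_password: use an alphanumeric password" >&2
            return 1 ;;
    esac
    sed "s/IDENTIFIED BY 'abc123'/IDENTIFIED BY '$newpw'/" "$sqlfile" > "$sqlfile.tmp" \
        && mv "$sqlfile.tmp" "$sqlfile"
    if grep -q "IDENTIFIED BY 'abc123'" "$sqlfile"; then
        echo "set_grant_password: placeholder still present in $sqlfile" >&2
        return 1
    fi
    grep -c "IDENTIFIED BY '$newpw'" "$sqlfile"
}

# Import the four files in the order the howto lists them, stopping at the
# first failure. The root password comes from MYSQL_ROOT_PASSWORD (assumed)
# instead of being typed four times.
import_schema() {
    dir=$1
    for f in db_structure.sql powerdns.sql upgrade_to_v0.9.sql vhosts.sql; do
        mysql -uroot -p"$MYSQL_ROOT_PASSWORD" < "$dir/$f" || return 1
    done
}

# Apply to the real paths only when explicitly asked (assumed switch).
if [ "${PROFTPD_ADMIN_APPLY:-0}" = 1 ]; then
    cd /var/www/proftpd_admin/misc/database_structure_mysql || exit 1
    pw=$(gen_password)
    set_grant_password db_structure.sql "$pw" > /dev/null || exit 1
    import_schema . || exit 1
    # Keep the password root-only; the same value goes into proftpd.conf
    # (mod_sql's SQLAuthInfo) and into ProFTPd Administrator's own config.
    ( umask 077 && printf '%s\n' "$pw" > /root/proftpd_db_password )
fi
```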
Setup file structure
Out of the box proftpd administrator uses /ftp as the root of the ftp users. I like to keep it in /var/ftp. Make sure you have this folder.
ProFTPd config
Inside the folder /var/www/proftpd_admin/misc/sample_config you will find two files. Copy the file called proftpd_quota.conf to /etc/proftpd and call it proftpd.conf.
Insert in the first line:
Include /etc/proftpd/modules.conf
Otherwise the modules needed for SQL authentication will not be loaded.
Also note this part of the config:
...
...
<Directory /ftp/*>
    AllowOverwrite off
    HideNoAccess off
    <Limit READ>
        AllowAll
    </Limit>
    <Limit WRITE>
        DenyGroup !admins
    </Limit>
</Directory>

<Directory /ftp/incoming/*>
    AllowOverwrite on
    HideNoAccess on
    <Limit READ>
        DenyGroup !admins
    </Limit>
    <Limit STOR MKD>
        AllowAll
    </Limit>
</Directory>
As I like to use /var/ftp instead it should look like this:
<Directory /var/ftp/*>
    AllowOverwrite off
    HideNoAccess off
    <Limit READ>
        AllowAll
    </Limit>
    <Limit WRITE>
        DenyGroup !admins
    </Limit>
</Directory>

<Directory /var/ftp/incoming/*>
    AllowOverwrite on
    HideNoAccess on
    <Limit READ>
        DenyGroup !admins
    </Limit>
    <Limit STOR MKD>
        AllowAll
    </Limit>
</Directory>
If you want to give write access to all users, and not just the members of the admins group, simply remove the Directory statements.
Create/Delete user script
You can get proftpd administrator to run some scripts when you create or delete a user. This has some limitations as the script is run with the same credentials as the webserver user.
To get around this in a somewhat acceptable way we can utilize sudo. Append this to the sudoers file:
# Cmnd alias specification
Cmnd_Alias CREATE_USER = /var/www/proftpd_admin/misc/user_script/create_user.sh
Cmnd_Alias DELETE_USER = /var/www/proftpd_admin/misc/user_script/delete_user.sh

# User privilege specification
www-data ALL=(ALL) NOPASSWD: CREATE_USER
www-data ALL=(ALL) NOPASSWD: DELETE_USER
What this does is to allow the two scripts create_user.sh and delete_user.sh to be run as root by the webserver.
It works and it is a compromise and I don't like it!
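The check that makes the compromise above defensible: a NOPASSWD rule is only as safe as the script it points at, so before installing it, confirm that www-data cannot modify create_user.sh or delete_user.sh (or replace them by writing to their directory). The following is an added example, not part of the howto or of ProFTPd Administrator; the script paths are the howto's, while the fragment name /etc/sudoers.d/proftpd_admin (Debian and Ubuntu include that directory from /etc/sudoers by default) and the PROFTPD_ADMIN_APPLY switch are assumptions. The rule itself is the one from the howto, except that the scripts may only be run as root ("(root)") rather than as any user ("(ALL)").

```shell
#!/bin/sh
# Added example (not from the original howto): verify the sudo-allowed scripts
# are not modifiable by the web server account, then install the sudoers rule
# as a fragment under /etc/sudoers.d (assumed name).

# Succeed only if $1 is a regular file owned by $2 (default root), writable
# neither by group nor by others, and sitting in a directory that is not
# world-writable (otherwise the file could simply be replaced).
script_is_locked_down() {
    f=$1
    owner=${2:-root}
    dir=$(dirname "$f")
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ -n "$(find "$f" -user "$owner")" ] \
        || { echo "$f: not owned by $owner" >&2; return 1; }
    [ -z "$(find "$f" \( -perm -0020 -o -perm -0002 \))" ] \
        || { echo "$f: group- or world-writable" >&2; return 1; }
    [ -z "$(find "$dir" -prune -perm -0002)" ] \
        || { echo "$dir: world-writable directory" >&2; return 1; }
}

# Write the sudoers fragment to $1 with the mode sudo requires (0440).
write_sudoers_fragment() {
    out=$1
    cat > "$out" <<'EOF'
# ProFTPd Administrator user scripts
Cmnd_Alias CREATE_USER = /var/www/proftpd_admin/misc/user_script/create_user.sh
Cmnd_Alias DELETE_USER = /var/www/proftpd_admin/misc/user_script/delete_user.sh

www-data ALL=(root) NOPASSWD: CREATE_USER
www-data ALL=(root) NOPASSWD: DELETE_USER
EOF
    chmod 0440 "$out"
}

# Syntax-check a fragment with visudo before sudo ever reads it.
# Returns 2 when visudo is not installed so the caller can tell the cases apart.
check_sudoers_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null
}

# Apply to the real paths only when explicitly asked (assumed switch).
if [ "${PROFTPD_ADMIN_APPLY:-0}" = 1 ]; then
    for s in /var/www/proftpd_admin/misc/user_script/create_user.sh \
             /var/www/proftpd_admin/misc/user_script/delete_user.sh; do
        script_is_locked_down "$s" root || exit 1
    done
    write_sudoers_fragment /etc/sudoers.d/proftpd_admin
    check_sudoers_fragment /etc/sudoers.d/proftpd_admin || exit 1
fi
```

Re-run script_is_locked_down after every upgrade of ProFTPd Administrator: extracting a new release over /var/www/proftpd_admin can reset the ownership and mode of the two scripts.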
Setup TLS/SSL
To get FTP working with TLS/SSL we first need to make a certificate. It sounds scary, but it's not.
All you have to do is run one command and include a conf file from proftpd.conf.
Use this oneliner to make the certificate:
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout /etc/proftpd/proftpd.key -nodes -out /etc/proftpd/proftpd.crt
Fill out the questions but pay attention to the Common Name, it should be the DNS name of your ftp server.
Next make a file called tls.conf in /etc/proftpd:
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol SSLv23

    # Server's certificate
    TLSRSACertificateFile /etc/proftpd/proftpd.crt
    TLSRSACertificateKeyFile /etc/proftpd/proftpd.key

    # CA the server trusts
    #TLSCACertificateFile /etc/ssl/certs/CA.pem
    # or avoid CA cert
    TLSOptions NoCertRequest

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations. Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    #TLSRenegotiate required off
</IfModule>
Insert the statement:
Include /etc/proftpd/tls.conf
at the top of your proftpd.conf file.
Restart proftpd and you should be able to connect securely with a tls/ssl enabled ftp client.
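The certificate step and the two Include edits (modules.conf in the ProFTPd config section, tls.conf here) as a script, added as an example that is not part of the howto or of ProFTPd. It creates the certificate non-interactively with the Common Name given on the command line, locks down the private key, and reads the CN back from the certificate so a wrong answer to the "Common Name" question cannot slip through. It uses a 2048-bit key rather than the 1024-bit key in the one-liner above (assumption: your clients accept it; most current TLS stacks refuse 1024-bit RSA). The tls.conf Include is placed after the modules.conf Include rather than on the first line, because mod_tls is loaded from modules.conf and the <IfModule mod_tls.c> block is only honoured once the module is loaded. Paths are the howto's; the PROFTPD_ADMIN_APPLY switch and FTP_HOSTNAME variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original howto): make the self-signed certificate
# with a given CN, verify it, and wire the Include lines into proftpd.conf.

# $1 = DNS name of the FTP server, $2 = key path, $3 = certificate path,
# $4 = validity in days (default 3650, as in the howto's one-liner).
make_ftp_cert() {
    cn=$1; key=$2; crt=$3; days=${4:-3650}
    case $cn in ''|*/*) echo "make_ftp_cert: bad common name" >&2; return 1 ;; esac
    ( umask 077 && openssl req -x509 -days "$days" -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -keyout "$key" -out "$crt" 2>/dev/null ) || return 1
    chmod 600 "$key"
}

# Print the CN of certificate $1 (empty if it has none). The sed handles both
# the "subject=CN=..." and the older "subject= CN=..." output forms.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if $1 has no group or other permission bits at all
# (columns 5-10 of "ls -l" are the group/other mode characters).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Add "Include $2" to $1 unless it is already there. It goes right after the
# modules.conf Include when one exists (so DSO modules are loaded first),
# otherwise on the first line. Used for modules.conf and tls.conf.
add_include() {
    conf=$1; inc=$2
    if grep -qx "Include $inc" "$conf"; then return 0; fi
    if grep -q '^Include .*modules\.conf$' "$conf"; then
        awk -v line="Include $inc" \
            '{ print } /^Include .*modules\.conf$/ && !done { print line; done=1 }' "$conf"
    else
        { echo "Include $inc"; cat "$conf"; }
    fi > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Apply to the real paths only when explicitly asked (assumed switch).
if [ "${PROFTPD_ADMIN_APPLY:-0}" = 1 ]; then
    make_ftp_cert "$FTP_HOSTNAME" /etc/proftpd/proftpd.key /etc/proftpd/proftpd.crt || exit 1
    [ "$(cert_cn /etc/proftpd/proftpd.crt)" = "$FTP_HOSTNAME" ] || exit 1
    key_is_private /etc/proftpd/proftpd.key || exit 1
    add_include /etc/proftpd/proftpd.conf /etc/proftpd/modules.conf
    add_include /etc/proftpd/proftpd.conf /etc/proftpd/tls.conf
fi
```

Two things in tls.conf worth knowing before you rely on it: TLSRequired off means clients may still log in over plain FTP, so the TLS log is the place to confirm your clients actually negotiate TLS, and TLSProtocol SSLv23 enables every protocol version the OpenSSL build supports rather than restricting it to a modern one.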