howtos:proftpd

====== Install software ======

Install ProFTPd:
<code>
sudo apt-get install proftpd-mysql
</code>

You can find ProFTPd Administrator here: http://sourceforge.net/projects/proftpd-adm/

I assume you already have a MySQL server installed.
====== proFTPd Administrator ======

===== Setup Apache =====
Create the following site by putting this in the file /etc/apache2/sites-available/proftpd.

<file>
Listen 666
<VirtualHost *:666>
DocumentRoot "/var/www/proftpd_admin"
ServerName localhost:666
ServerAdmin you@example.com
ErrorLog /var/log/apache2/proftpd_error_log
TransferLog /var/log/apache2/proftpd_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
<Directory "/var/www/proftpd_admin">
    SSLOptions +StdEnvVars
    SSLRequireSSL
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /var/log/apache2/pureftpd_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory /var/www/proftpd_admin>
    AllowOverride AuthConfig
    Order deny,allow
    Allow from all
</Directory>
</VirtualHost>
</file>

Now extract ProFTPd Administrator into this directory (/var/www/proftpd_admin).

Word of caution! This virtual host is not restricted in any way, so anyone who can reach port 666/tcp on your server can configure the FTP server.
Alternatively you can protect it with a username and password; see the howto [[howtos:digest_authentication|here]].
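The caution above is worth turning into a check you can run before enabling the site. The shell script below is an added example, not part of the howto or of ProFTPd Administrator. It scans a vhost file such as the one above and reports two things a reviewer would flag: cipher classes that are weak by today's standards (RC4, MEDIUM, LOW, EXP, SSLv2, eNULL) named in SSLCipherSuite without a `!` exclusion, the `ALL` wildcard itself, and an `Allow from all` block with no other access control. Note that OpenSSL's `+` prefix only reorders ciphers that are already enabled, but because the string starts with `ALL` (every suite except eNULL) the LOW, EXP and RC4 ciphers really are available; the lint flags them because they are named rather than excluded. The weak-class list, the function name and the messages are my own.

```shell
#!/bin/sh
# Added example, not from the howto: lint an Apache SSL vhost file such as
# /etc/apache2/sites-available/proftpd for problems a reviewer would raise.
# Prints one finding per line and returns 0 only when none is found.
#
# Usage: audit_ssl_vhost /etc/apache2/sites-available/proftpd

# OpenSSL cipher classes that should only ever appear with a '!' prefix.
# (ALL already enables LOW, EXP and RC4; a '+' prefix merely reorders them.)
WEAK_CLASSES="eNULL aNULL EXP EXPORT56 LOW SSLv2 RC4 MEDIUM"

audit_ssl_vhost() {
    file="$1"
    findings=0

    # Take the value of the first SSLCipherSuite directive.
    suite=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]\{1,\}//p' "$file" | head -n 1)
    if [ -z "$suite" ]; then
        echo "no SSLCipherSuite directive found"
        findings=$((findings + 1))
    fi

    # Split on ':' and '+' so 'RC4+RSA' and '+LOW' yield bare class names;
    # a leading '!' marks an exclusion, which is what we want to see.
    for token in $(printf '%s' "$suite" | tr ':+' '  '); do
        case $token in
            '!'*) continue ;;
            ALL)
                echo "wildcard ALL used; prefer an explicit list such as HIGH:!aNULL"
                findings=$((findings + 1))
                continue ;;
        esac
        for weak in $WEAK_CLASSES; do
            if [ "$token" = "$weak" ]; then
                echo "weak cipher class named without '!' exclusion: $token"
                findings=$((findings + 1))
            fi
        done
    done

    # The howto's admin vhost ends with 'Allow from all' and no authentication.
    if grep -qi '^[[:space:]]*Allow[[:space:]]\{1,\}from[[:space:]]\{1,\}all' "$file"; then
        echo "administration interface open to all clients (Allow from all)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Run it against the site file before `a2ensite`; a clean run returns 0, so it can sit in a deployment script as a gate. The `Allow from all` test is deliberately crude: it does not understand `Deny` ordering, so a vhost that restricts by `Allow from 127.0.0.1` or by authentication passes, while the howto's wide-open block does not.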
 +
===== Setup MySQL =====
Inside /var/www/proftpd_admin/misc/database_structure_mysql you will find the files that create the database structure. Open db_structure.sql and edit the last three lines, where the user proftpd is created and granted rights on the database (replace the example password 'abc123' with one of your own):
<file>
...
...
GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY 'abc123';
</file>

Next, import the files by running these commands:
<code>
mysql -uroot -p < db_structure.sql
mysql -uroot -p < powerdns.sql
mysql -uroot -p < upgrade_to_v0.9.sql
mysql -uroot -p < vhosts.sql
</code>

Now you should have a database called proftpd_admin with a lot of tables in it.
 +
===== Setup file structure =====
Out of the box ProFTPd Administrator uses /ftp as the root of the FTP users. I like to keep it in /var/ftp instead. Make sure this folder exists.

===== ProFTPd config =====
Inside the folder /var/www/proftpd_admin/misc/sample_config you will find two files. Copy the file called proftpd_quota.conf to /etc/proftpd and rename it to proftpd.conf.

Insert this as the first line:
<file>
Include /etc/proftpd/modules.conf
</file>

Otherwise the modules needed for SQL authentication will not be loaded.
 +
Also note this part of the config:
<file>
...
...
<Directory /ftp/*>
        AllowOverwrite          off
        HideNoAccess            off
        <Limit READ>
                AllowAll
        </Limit>

        <Limit WRITE>
                DenyGroup       !admins
        </Limit>
</Directory>

<Directory /ftp/incoming/*>
        AllowOverwrite          on
        HideNoAccess            on

        <Limit READ>
                DenyGroup       !admins
        </Limit>

        <Limit STOR MKD>
                AllowAll
        </Limit>
</Directory>
</file>

As I like to use /var/ftp instead, it should look like this:
<file>
<Directory /var/ftp/*>
        AllowOverwrite          off
        HideNoAccess            off
        <Limit READ>
                AllowAll
        </Limit>

        <Limit WRITE>
                DenyGroup       !admins
        </Limit>
</Directory>

<Directory /var/ftp/incoming/*>
        AllowOverwrite          on
        HideNoAccess            on

        <Limit READ>
                DenyGroup       !admins
        </Limit>

        <Limit STOR MKD>
                AllowAll
        </Limit>
</Directory>
</file>

If you want to give access to all users, and not just the members of the admins group, simply remove the Directory statements.
 +
===== Create/Delete user script =====
You can get ProFTPd Administrator to run a script when you create or delete a user. This has some limitations, as the script runs with the same credentials as the web server user.

To get around this in a somewhat acceptable way we can use sudo. Append this to the sudoers file:

<file>
# Cmnd alias specification
Cmnd_Alias CREATE_USER = /var/www/proftpd_admin/misc/user_script/create_user.sh
Cmnd_Alias DELETE_USER = /var/www/proftpd_admin/misc/user_script/delete_user.sh

# User privilege specification
www-data ALL=(ALL) NOPASSWD: CREATE_USER
www-data ALL=(ALL) NOPASSWD: DELETE_USER
</file>

This allows the two scripts create_user.sh and delete_user.sh to be run as root by the web server.

It works and it is a compromise and I don't like it!
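One way to make that compromise a little safer is to verify that the web server cannot alter what it is allowed to run as root. The check below is an added example, not part of the howto or of ProFTPd Administrator. It confirms that a script named in a NOPASSWD rule is a regular file owned by root and writable only by its owner, and walks the parent directories up to a top directory checking the same (sticky directories such as /tmp are tolerated, since the sticky bit stops other users from renaming entries there). The expected owner and the top of the walk are parameters so the check can be exercised on a test tree; function names and messages are my own.

```shell
#!/bin/sh
# Added example, not from the howto: check that a script granted to
# www-data via a NOPASSWD sudoers rule cannot be modified by anyone but
# its owner. If www-data (or any non-root user) can write the script, or
# rename it inside a parent directory, the sudo rule is effectively
# "www-data ALL=(ALL) NOPASSWD: ALL".
#
# Usage: check_nopasswd_script SCRIPT [EXPECTED_OWNER] [TOP_DIR]
#   EXPECTED_OWNER defaults to root; TOP_DIR (default /) is where the
#   parent-directory walk stops, exclusive. Returns 0 if all checks pass.

# Return 0 if an ls -l mode string such as -rwxrwxr-x grants write access
# to group or others. A sticky directory (t/T in position 10) is tolerated,
# because non-owners cannot rename or unlink entries in it.
mode_is_shared_writable() {
    mode="$1"
    kind=$(printf '%s' "$mode" | cut -c1)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    sticky=$(printf '%s' "$mode" | cut -c10)
    if [ "$group_w" != "w" ] && [ "$other_w" != "w" ]; then
        return 1    # only the owner may write
    fi
    if [ "$kind" = "d" ] && { [ "$sticky" = "t" ] || [ "$sticky" = "T" ]; }; then
        return 1    # shared-writable but sticky: entries cannot be replaced
    fi
    return 0
}

check_nopasswd_script() {
    script="$1"
    owner="${2:-root}"
    top="${3:-/}"
    status=0
    if [ ! -f "$script" ]; then
        echo "not a regular file: $script"
        return 1
    fi
    # ls -ld fields: mode, link count, owner, group, ... (portable parsing).
    set -- $(ls -ld "$script")
    if [ "$3" != "$owner" ]; then
        echo "owner is $3, expected $owner: $script"
        status=1
    fi
    if mode_is_shared_writable "$1"; then
        echo "writable by group or others ($1): $script"
        status=1
    fi
    # Every directory between the script and $top must be equally locked
    # down, otherwise the script can simply be replaced.
    dir=$(dirname "$script")
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        set -- $(ls -ld "$dir")
        if [ "$3" != "$owner" ]; then
            echo "parent directory owned by $3, expected $owner: $dir"
            status=1
        fi
        if mode_is_shared_writable "$1"; then
            echo "parent directory writable by group or others ($1): $dir"
            status=1
        fi
        dir=$(dirname "$dir")
    done
    return "$status"
}
```

Run it as `check_nopasswd_script /var/www/proftpd_admin/misc/user_script/create_user.sh` for each script in the sudoers snippet. Because the scripts ship under /var/www, which is often owned or writable by the web server user, expect the parent-directory walk to complain; moving the two scripts to a root-owned location outside the document root (and updating the Cmnd_Alias lines accordingly) is the usual fix.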
 +
 +
===== Setup TLS/SSL =====
To get FTP working with TLS/SSL we first need to make a certificate. It sounds scary; it's not.

All you have to do is run one command and include a conf file from proftpd.conf.

Use this one-liner to make the certificate:
<code>
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout /etc/proftpd/proftpd.key -nodes -out /etc/proftpd/proftpd.crt
</code>

Fill out the questions, but pay attention to the Common Name: it should be the DNS name of your FTP server.
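Before pointing mod_tls at the new files it is worth confirming that the certificate says what you meant. The shell script below is an added example, not part of the howto or of ProFTPd or OpenSSL. It checks the two things an FTP client will trip over: that the Common Name equals the FTP host name, and that the RSA key is at least 2048 bits (the one-liner above asks for rsa:1024, which is considered too weak today; use rsa:2048 or larger). The text parsing lives in separate functions so it can be tested without a certificate; `check_ftp_cert` wires them to the real `openssl x509` output. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the howto: sanity-check the certificate made by
# the openssl one-liner before enabling mod_tls.
#
# Usage: check_ftp_cert /etc/proftpd/proftpd.crt ftp.example.com

# Pull the CN out of an 'openssl x509 -noout -subject' line, e.g.
#   subject=C = DK, CN = ftp.example.com      (OpenSSL 1.1 and later)
#   subject= /C=DK/CN=ftp.example.com          (older OpenSSL)
extract_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Pull the key size out of the 'Public-Key: (2048 bit)' line of
# 'openssl x509 -noout -text' (older versions print 'RSA Public-Key:').
extract_key_bits() {
    printf '%s\n' "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Decide whether a certificate with CN $1 and an RSA key of $2 bits is
# acceptable for FTP host name $3. Returns 0 when both checks pass.
cert_ok() {
    cn="$1"; bits="$2"; host="$3"; ok=0
    if [ "$cn" != "$host" ]; then
        echo "CN '$cn' does not match FTP host name '$host'"
        ok=1
    fi
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "RSA key is ${bits:-unknown} bits; use at least 2048"
        ok=1
    fi
    return "$ok"
}

# Run the checks against a real PEM file; needs the openssl binary.
check_ftp_cert() {
    crt="$1"; host="$2"
    subject=$(openssl x509 -in "$crt" -noout -subject)
    bits=$(extract_key_bits "$(openssl x509 -in "$crt" -noout -text | grep 'Public-Key:')")
    cert_ok "$(extract_cn "$subject")" "$bits" "$host"
}
```

A non-zero exit means a client will either get a name mismatch warning or reject the key, so regenerate the certificate rather than telling users to click through.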
 +
Next, make a file called tls.conf in /etc/proftpd:
<file>
<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
#
# Server's certificate
#
TLSRSACertificateFile                   /etc/proftpd/proftpd.crt
TLSRSACertificateKeyFile                /etc/proftpd/proftpd.key
#
# CA the server trusts
#TLSCACertificateFile                   /etc/ssl/certs/CA.pem
# or avoid CA cert
TLSOptions                              NoCertRequest
#
# Authenticate clients that want to use FTP over TLS?
#
TLSVerifyClient                         off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired                             off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate                         required off
</IfModule>
</file>

Insert the statement:
<file>
Include /etc/proftpd/tls.conf
</file>

at the top of your proftpd.conf file.

Restart proftpd and you should be able to connect securely with a TLS/SSL-enabled FTP client.