KBTAG: kben10000041
URL: http://www.securityportal.com/lskb/10000000/kben10000041.html
Date created: 27/06/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: ProFTPD configuration including chroot'ing users
Keywords: Network/Servers/FTP
ProFTPD is a GPL licensed ftp server that can run on a variety of UNIX platforms. It supports newer features such as virtual ftp, per directory configuration (using .ftpaccess files similar to Apache's .htaccess files), support for expired accounts and more. It also supports really useful features such as limiting downloads and much tighter security controls than WU-FTPD. I highly recommend it over any other freely available FTP server for UNIX.
ProFTPD's main configuration file is /etc/proftpd.conf; it has a rather Apache-esque configuration style which I like a lot. ProFTPD can be run from inetd (and make use of TCP_WRAPPERS) or it can be run as a stand-alone server. It also supports per directory config files to limit access and so forth. ProFTPD supports virtual ftp as well (although unlike virtual www serving, extra IP addresses are required), and each site can be configured differently (different anonymous access, if any, and more things along those lines). The general proftpd.conf typically has a section covering global settings (inetd or standalone, maximum number of processes to run, who to run as, and so on), followed by a default config, followed by specific site (virtual site) configuration. On a server doing virtual hosting it is probably a good idea to turn DefaultServer off, so any clients ftping in aimlessly are denied instead of being dumped into a default site.
Sample configuration for a ProFTPD server being run from inetd with no anonymous access:
ServerName "ProFTPD Default Installation"
ServerType inetd
DefaultServer on
Port 21
Umask 022
MaxInstances 30
User nobody
Group nobody
<Directory /*>
  AllowOverwrite on
</Directory>
Let's say, like me, that you are paranoid and want to control access to the ftp server by IP addresses, hostnames and domain names (although I would recommend only relying on IPs). You could accomplish this via firewall rules, but that tends to slow the machine down (especially if you are adding lots of rules, as would be prone to happen). You could use TCP_WRAPPERS, but you wouldn't be able to selectively limit access to virtual sites, anonymous sites, or just the server itself. Or you could do it in the proftpd.conf file using the <Limit LOGIN> directive.
The following example will limit access to 10.1.*.* and 1.2.3.4; all other machines will be denied access.
<Limit LOGIN>
  Order Allow,Deny
  Allow from 10.1., 1.2.3.4
  Deny from all
</Limit>
If you place this within a <VirtualHost> or <Anonymous> directive it applies only to that virtual site or anonymous setup; if placed in a <Global> directive it will apply to all the <VirtualHost> and <Anonymous> sections; and if placed in the server config (i.e. with the ServerName and related items) it will behave like TCP_WRAPPERS would: anyone not from 10.1.*.* or 1.2.3.4 immediately gets bumped when they try to connect to port 21, as opposed to simply being denied login if it is in a <Global>, <VirtualHost> or <Anonymous> section.
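To check what a <Limit LOGIN> block will actually do before deploying it, here is a small evaluator (added example, not part of the original article or of ProFTPD) that parses the block above out of a constructed proftpd.conf fragment and applies the Order semantics the example relies on: the first list named in Order that matches the client wins, and a client matching neither list falls through to deny for Allow,Deny and to allow for Deny,Allow. It assumes only the host forms the article uses: "all", an address prefix ending in a dot, and an exact IP.

```python
import re

# Constructed proftpd.conf fragment containing the <Limit LOGIN> block from the text.
SAMPLE_CONF = """
ServerName "ProFTPD Default Installation"
<Limit LOGIN>
  Order Allow,Deny
  Allow from 10.1., 1.2.3.4
  Deny from all
</Limit>
"""

def parse_limit_login(conf):
    """Return (order, allow_list, deny_list) from the first <Limit LOGIN> block."""
    m = re.search(r"<Limit\s+LOGIN>(.*?)</Limit>", conf, re.S | re.I)
    if not m:
        return None
    order, allow, deny = "allow,deny", [], []   # ProFTPD's default Order is allow,deny
    for line in m.group(1).splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].replace(" ", "").lower()
        elif key in ("allow", "deny") and parts[1].lower().startswith("from "):
            hosts = [h.strip() for h in parts[1][5:].split(",") if h.strip()]
            (allow if key == "allow" else deny).extend(hosts)
    return order, allow, deny

def matches(ip, pattern):
    """'all' matches anything; a trailing-dot pattern is an address prefix
    (so '10.1.' covers 10.1.*.* but not 10.10.*.*); anything else is an exact IP."""
    if pattern.lower() == "all":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def login_allowed(ip, order, allow, deny):
    """Walk the lists in Order; the first match decides. No match: deny for
    allow,deny, allow for deny,allow (assumed semantics, matching the text)."""
    lists = {"allow": (allow, True), "deny": (deny, False)}
    for name in order.split(","):
        patterns, verdict = lists[name]
        if any(matches(ip, p) for p in patterns):
            return verdict
    return order.startswith("deny")

if __name__ == "__main__":
    order, allow, deny = parse_limit_login(SAMPLE_CONF)
    for ip in ("10.1.2.3", "1.2.3.4", "10.10.0.1", "192.168.0.5"):
        print(ip, "allowed" if login_allowed(ip, order, allow, deny) else "denied")
```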
If you want to add anonymous access simply append:
<Anonymous ~ftp>
  User ftp
  Group ftp
  RequireValidShell off
  UserAlias anonymous ftp
  MaxClients 10
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
This would assign the ftp user's home directory (assuming a normal setup, ~ftp would probably be /home/ftp) as the root anonymous directory; ProFTPD would run as the user ftp and group ftp when people log in anonymously (as opposed to logging in as a normal user), and anonymous logins would be limited to 10. As well, the file /home/ftp/welcome.msg would be displayed when anonymous users ftp in, and any directory with a .message file containing text would have it displayed when they changed into it. The <Directory *> covers /home/ftp/*, and then denies write access for all, meaning no-one can upload any files. If you wanted to add an incoming directory, simply add the following after the <Directory *> directives:
<Directory incoming>
  <Limit WRITE>
    AllowAll
  </Limit>
  <Limit READ>
    DenyAll
  </Limit>
</Directory>
This would allow people to write files to /home/ftp/incoming/, but not read (i.e. download) them. As you can see ProFTPD is very flexible; this results in ProFTPD requiring more horsepower than WU-FTPD, but it is definitely worth it for the added control.
http://www.proftpd.net/ - ProFTPD and documentation
ftp://ftp.proftpd.net/ - ProFTPD source and packages
http://horde.net/~jwm/software/proftpd-ldap/ - proftpd-ldap