howtos:proftpd
howtos:proftpd [25/08/2017 13:53] – created domingo | howtos:proftpd [02/12/2018 21:34] (current) – external edit 127.0.0.1 | ||
+ | ====== Install software ====== | ||
+ | Install ProFTPd: | ||
+ | < | ||
+ | sudo apt-get install proftpd-mysql | ||
+ | </ | ||
+ | |||
+ | You can find ProFTPd Administrator here: http:// | ||
+ | |||
+ | I assume you already have a MySQL server installed. | ||
+ | |||
+ | ====== proFTPd Administrator ====== | ||
+ | |||
+ | ===== Setup Apache ===== | ||
+ | Create the following site by adding the file proftpd in / | ||
+ | |||
+ | < | ||
+ | Listen 666 | ||
+ | < | ||
+ | DocumentRoot "/ | ||
+ | ServerName localhost: | ||
+ | ServerAdmin you@example.com | ||
+ | ErrorLog / | ||
+ | TransferLog / | ||
+ | SSLEngine on | ||
+ | SSLCipherSuite ALL: | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | < | ||
+ | SSLOptions +StdEnvVars | ||
+ | SSLRequireSSL | ||
+ | </ | ||
+ | SetEnvIf User-Agent " | ||
+ | | ||
+ | | ||
+ | CustomLog / | ||
+ | "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \" | ||
+ | < | ||
+ | AllowOverride AuthConfig | ||
+ | Order deny,allow | ||
+ | Allow from all | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Now extract proftpd administrator into this directory. | ||
+ | |||
+ | Word of caution! This virtual host is not restricted in any way, so anyone who can reach port 666/tcp on your server can configure the ftp server, and through the create/delete user hooks described below can also trigger the scripts that sudo runs as root. Restrict the port to trusted source addresses (firewall or Apache access control) before exposing it. | ||
+ | Alternatively you can protect it with username/ | ||
+ | |||
+ | ===== Setup MySQL ===== | ||
+ | Inside / | ||
+ | < | ||
+ | ... | ||
+ | ... | ||
+ | GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY ' | ||
+ | GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY ' | ||
+ | GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY ' | ||
+ | </ | ||
+ | |||
+ | Next import the files by running these commands: | ||
+ | < | ||
+ | mysql -uroot -p < db_structure.sql | ||
+ | mysql -uroot -p < powerdns.sql | ||
+ | mysql -uroot -p < upgrade_to_v0.9.sql | ||
+ | mysql -uroot -p < vhosts.sql | ||
+ | </ | ||
+ | |||
+ | Now you should have a database called proftpd_admin with a lot of tables in it. GRANT ALL is more than the ftp daemon itself needs: for authentication mod_sql only reads usertable and grouptable, and it writes xfer_stat for transfer statistics, so the grants for the proftpd account can be narrowed once everything works. | ||
+ | |||
+ | ===== Setup file structure ===== | ||
+ | Out of the box ProFTPd Administrator uses /ftp as the root for the ftp users. I prefer to keep it in /var/ftp. Make sure this folder exists. | ||
+ | |||
+ | ===== ProFTPd config ===== | ||
+ | Inside the folder / | ||
+ | |||
+ | Insert in the first line: | ||
+ | < | ||
+ | Include / | ||
+ | </ | ||
+ | |||
+ | Otherwise the modules needed for SQL authentication will not be loaded. | ||
+ | |||
+ | Also this part of the config: | ||
+ | < | ||
+ | ... | ||
+ | ... | ||
+ | < | ||
+ | AllowOverwrite | ||
+ | HideNoAccess | ||
+ | <Limit READ> | ||
+ | AllowAll | ||
+ | </ | ||
+ | |||
+ | <Limit WRITE> | ||
+ | DenyGroup | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | AllowOverwrite | ||
+ | HideNoAccess | ||
+ | |||
+ | <Limit READ> | ||
+ | DenyGroup | ||
+ | </ | ||
+ | |||
+ | <Limit STOR MKD> | ||
+ | AllowAll | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | As I like to use /var/ftp instead it should look like this: | ||
+ | < | ||
+ | < | ||
+ | AllowOverwrite | ||
+ | HideNoAccess | ||
+ | <Limit READ> | ||
+ | AllowAll | ||
+ | </ | ||
+ | |||
+ | <Limit WRITE> | ||
+ | DenyGroup | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | AllowOverwrite | ||
+ | HideNoAccess | ||
+ | |||
+ | <Limit READ> | ||
+ | DenyGroup | ||
+ | </ | ||
+ | |||
+ | <Limit STOR MKD> | ||
+ | AllowAll | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | If you want to give access to all users, and not just members of the admins group, simply remove the Directory blocks. | ||
+ | |||
+ | ===== Create/ | ||
+ | You can have ProFTPd Administrator run scripts when you create or delete a user. This has limitations, as the scripts run with the same credentials as the web server user. | ||
+ | |||
+ | To work around this in a somewhat acceptable way we can use sudo. Append this to the sudoers file (edit it with visudo so a syntax error cannot lock you out): | ||
+ | |||
+ | < | ||
+ | # Cmnd alias specification | ||
+ | Cmnd_Alias CREATE_USER = / | ||
+ | Cmnd_Alias DELETE_USER = / | ||
+ | |||
+ | # User privilege specification | ||
+ | www-data ALL=(ALL) NOPASSWD: CREATE_USER | ||
+ | www-data ALL=(ALL) NOPASSWD: DELETE_USER | ||
+ | </ | ||
+ | |||
+ | This allows the web server to run the two scripts create_user.sh and delete_user.sh as root. A command alias that names only the path lets www-data pass any arguments, and the user names come straight from the web interface, so the scripts must be owned by root, not writable by www-data, and must validate their arguments (no slashes, no '..', no leading '-') before touching the filesystem; otherwise the sudo rule hands root to whoever can reach the admin page. | ||
+ | |||
+ | It works, but it is a compromise and I don't like it! | ||
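The argument validation the sudo rule relies on, as an added example that is not part of the original page or of ProFTPd Administrator. It assumes the ftp root is /var/ftp, that user directories should be owned by a proftpd system user and group (placeholders, adjust to your setup), and that both sudoers aliases point at this one script with a create or delete subcommand instead of at two separate scripts:

```shell
#!/bin/sh
# ftp_user_admin.sh - create or delete an ftp user's home directory.
# Runs as root via sudo, so every argument coming from the web UI is
# treated as hostile until validated.
#
# Assumptions (not from the original page): ftp root /var/ftp, directories
# owned by user:group 'proftpd:proftpd', one script for both actions.
export LC_ALL=C                      # character ranges below are plain ASCII
FTP_ROOT=${FTP_ROOT:-/var/ftp}
FTP_OWNER=${FTP_OWNER:-proftpd:proftpd}

# Accept a name only if it is 1-32 characters, starts with a lowercase letter
# and contains nothing outside [a-z0-9_-]. This rules out '/', '..',
# whitespace, shell metacharacters and a leading '-' (option injection).
validate_ftp_user() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 32 ] || return 1
    case $name in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case $name in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the home directory for a validated name; fail on anything else.
ftp_user_home() {
    validate_ftp_user "$1" || return 1
    printf '%s/%s\n' "$FTP_ROOT" "$1"
}

# Only a direct child of FTP_ROOT may ever be removed. Also refuses to work
# when FTP_ROOT is empty or '/', so 'rm -rf' can never wander off.
safe_to_remove() {
    dir=$1
    case $FTP_ROOT in
        ''|/) return 1 ;;
    esac
    case $dir in
        "$FTP_ROOT"/*) ;;
        *) return 1 ;;
    esac
    rest=${dir#"$FTP_ROOT"/}
    case $rest in
        ''|*/*) return 1 ;;
    esac
    return 0
}

create_user() {
    home=$(ftp_user_home "$1") || { echo "invalid user name" >&2; return 1; }
    [ ! -e "$home" ] || { echo "$home already exists" >&2; return 1; }
    mkdir -m 750 "$home"             # no -p: the ftp root must already exist
    chown "$FTP_OWNER" "$home"
}

delete_user() {
    home=$(ftp_user_home "$1") || { echo "invalid user name" >&2; return 1; }
    safe_to_remove "$home" || { echo "refusing to remove $home" >&2; return 1; }
    [ -d "$home" ] && [ ! -L "$home" ] || { echo "$home is not a directory" >&2; return 1; }
    rm -rf -- "$home"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root (via sudo)" >&2; exit 1; }
    case $1 in
        create) create_user "$2" ;;
        delete) delete_user "$2" ;;
        *) echo "usage: $0 create|delete USERNAME" >&2; exit 2 ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can be sourced
# or tested without touching the filesystem.
[ "$#" -eq 0 ] || main "$@"
```

Install it root-owned, mode 0755, in a directory www-data cannot write to, and keep the sudoers aliases pointing at its full path. Because a path-only alias lets www-data pass any arguments, the checks above are what stands between the web form and rm -rf as root.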
+ | |||
+ | | ||
+ | |||
+ | ===== Setup TLS/SSL ===== | ||
+ | To get ftp working with TLS/SSL we first need to make a certificate. It sounds scary; it's not. | ||
+ | |||
+ | All you have to do is run one command and include a conf file to proftpd.conf. | ||
+ | |||
+ | Use this one-liner to make the certificate (use an RSA key of at least 2048 bits; 1024-bit keys are no longer considered secure): | ||
+ | < | ||
+ | openssl req -x509 -days 3650 -newkey rsa:2048 -keyout / | ||
+ | </ | ||
+ | |||
+ | Fill out the questions, but pay attention to the Common Name: it should be the DNS name of your ftp server. Because the certificate is self-signed, clients will warn about it or must be told to trust it explicitly. | ||
+ | |||
+ | Next make a file called tls.conf in / | ||
+ | < | ||
+ | < | ||
+ | TLSEngine | ||
+ | TLSLog | ||
+ | TLSProtocol | ||
+ | # | ||
+ | # Server' | ||
+ | # | ||
+ | TLSRSACertificateFile | ||
+ | TLSRSACertificateKeyFile | ||
+ | # | ||
+ | # CA the server trusts | ||
+ | # | ||
+ | # or avoid CA cert | ||
+ | TLSOptions | ||
+ | # | ||
+ | # Authenticate clients that want to use FTP over TLS? | ||
+ | # | ||
+ | TLSVerifyClient | ||
+ | # | ||
+ | # Are clients required to use FTP over TLS when talking to this server? | ||
+ | # | ||
+ | TLSRequired | ||
+ | # | ||
+ | # Allow SSL/TLS renegotiations when the client requests them, but | ||
+ | # do not force the renegotiations. | ||
+ | # SSL/TLS renegotiations; | ||
+ | # clients will close the data connection, or there will be a timeout | ||
+ | # on an idle data connection. | ||
+ | # | ||
+ | # | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Insert the statement: | ||
+ | < | ||
+ | Include / | ||
+ | </ | ||
+ | |||
+ | at the top of your proftpd.conf file. | ||
+ | |||
+ | Check the configuration with proftpd -t, then restart proftpd; you should now be able to connect securely with an ftp client that supports explicit TLS (AUTH TLS). | ||
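The whole certificate step as a checked script, added here as an example and not taken from the original page: it generates a 2048-bit key with a subjectAltName (modern clients check the SAN, not the CN), verifies CN, SAN, key size and key file permissions, and offers a post-restart check that the server really answers AUTH TLS. The paths, the proftpd.key/proftpd.crt names and the 10-year lifetime are assumptions; point TLSRSACertificateFile and TLSRSACertificateKeyFile in tls.conf at whatever you choose.

```shell
#!/bin/sh
# make_ftp_cert.sh - generate and sanity-check a self-signed certificate for
# ProFTPd's mod_tls, then verify the running server negotiates TLS.
# Added example; file names and locations below are assumptions.

# Create a 2048-bit RSA key (1024 bits is no longer safe) and a self-signed
# certificate whose CN and subjectAltName both carry the ftp host name.
# -nodes leaves the key unencrypted because proftpd starts unattended.
# Args: host keyfile certfile
make_ftp_cert() {
    host=$1
    key=$2
    crt=$3
    cfg=$(mktemp) || return 1
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    # umask 077 so the private key is never readable by other users
    (umask 077 && openssl req -x509 -days 3650 -newkey rsa:2048 -nodes \
        -config "$cfg" -keyout "$key" -out "$crt" 2>/dev/null)
    rc=$?
    rm -f "$cfg"
    return $rc
}

# 0 if the certificate's CN is exactly the expected host.
# The sed normalises "CN = x" (OpenSSL 1.1+) and "CN=x" (older) to one form.
cert_cn_is() {
    openssl x509 -in "$1" -noout -subject | sed 's/ *= */=/g' | grep -qF "CN=$2"
}

# 0 if the certificate carries the host as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# 0 if the public key is at least 2048 bits.
cert_key_bits_ok() {
    bits=$(openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# 0 if the key file is readable by its owner only (group/other bits clear).
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Post-restart check against the live server: opens the control connection,
# issues AUTH TLS and prints the subject and expiry of the certificate it
# presents. Needs the running proftpd, so it is not exercised offline.
check_ftp_tls() {
    openssl s_client -starttls ftp -connect "$1:${2:-21}" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -enddate
}

# Usage (as root): sh make_ftp_cert.sh ftp.example.com
if [ "$#" -gt 0 ]; then
    host=$1
    key=${CERT_DIR:-/etc/ssl/private}/proftpd.key
    crt=/etc/ssl/certs/proftpd.crt
    make_ftp_cert "$host" "$key" "$crt" &&
        cert_cn_is "$crt" "$host" && cert_has_san "$crt" "$host" &&
        cert_key_bits_ok "$crt" && key_is_private "$key" &&
        echo "certificate OK: $crt" || { echo "certificate check failed" >&2; exit 1; }
fi
```

After restarting proftpd, run check_ftp_tls against your host name from another machine; if it prints your subject line, AUTH TLS works and the server is handing out the certificate you just made.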