====== Install software ======

Install ProFTPd:
<code>
sudo apt-get install proftpd-mysql
</code>

You can find ProFTPd Administrator here: http://sourceforge.net/projects/proftpd-adm/

I assume you already have a MySQL server installed.

====== proFTPd Administrator ======

===== Setup Apache =====
Make the following site by creating the file proftpd in /etc/apache2/sites-available.

<file>
Listen 666
<VirtualHost *:666>
DocumentRoot "/var/www/proftpd_admin"
ServerName localhost:666
ServerAdmin you@example.com
ErrorLog /var/log/apache2/proftpd_error_log
TransferLog /var/log/apache2/proftpd_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
<Directory "/var/www/proftpd_admin">
    SSLOptions +StdEnvVars
    SSLRequireSSL
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /var/log/apache2/pureftpd_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory /var/www/proftpd_admin>
    AllowOverride AuthConfig
    Order deny,allow
    Allow from all
</Directory>
</VirtualHost>
</file>

Now extract proftpd administrator into this directory.

Word of caution! This virtual host is not restricted in any way so anyone with access to port 666/tcp on your server can configure the ftp server.
Alternatively you can protect it with username/password. See howto [[howtos:digest_authentication|here]]

===== Setup MySQL =====
Inside /var/www/proftpd_admin/misc/database_structure_mysql you will find the files that create the database structure. Open db_structure.sql and edit the last three lines, where the user proftpd is created and granted rights on the database:
<file>
...
...
GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY 'abc123';
</file>
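As an added example (not part of the page or of ProFTPd Administrator), here is the edit described above done as a small shell helper: it generates a random password and rewrites the IDENTIFIED BY clause on every GRANT line, so the sample password 'abc123' never reaches the database. The file layout it expects is the one shown above; the temporary directory, the three-line sample file and the generated value are constructed for the demo.

```sh
#!/bin/sh
# Added example: replace the sample password in db_structure.sql before importing it.
# Only the GRANT lines at the end of the file are touched; everything else is left alone.

# gen_password: print a 24-character random password. The alphabet is letters and
# digits only, so the value is safe to splice into a sed expression and a SQL literal.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# set_grant_password FILE PASSWORD: rewrite IDENTIFIED BY '...' on every GRANT line
# of FILE (keeping a FILE.bak copy) and print how many GRANT lines now carry PASSWORD.
set_grant_password() {
    file=$1 newpw=$2
    sed -i.bak "/^GRANT /s/IDENTIFIED BY '[^']*'/IDENTIFIED BY '$newpw'/" "$file"
    grep -c "^GRANT .*IDENTIFIED BY '$newpw'" "$file" || true
}

# count_placeholder FILE: print how many lines still contain the sample password abc123.
count_placeholder() {
    grep -c "abc123" "$1" || true
}

# Constructed demo: the tail of a db_structure.sql like the one above, in a temp directory.
demo=$(mktemp -d)
cat > "$demo/db_structure.sql" <<'EOF'
CREATE DATABASE IF NOT EXISTS proftpd_admin;
GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY 'abc123';
EOF
pw=$(gen_password)
echo "updated $(set_grant_password "$demo/db_structure.sql" "$pw") GRANT lines"   # 3
echo "lines still using abc123: $(count_placeholder "$demo/db_structure.sql")"   # 0
echo "new password (also needed wherever ProFTPd and the web front end connect): $pw"
rm -rf "$demo"
```

The same password has to go into the database connection settings of proftpd.conf and of the administrator front end, and both of those files then hold it in clear text, so keep them readable only by the accounts that need them.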

Next import the files by running these commands:
<code>
mysql -uroot -p < db_structure.sql
mysql -uroot -p < powerdns.sql
mysql -uroot -p < upgrade_to_v0.9.sql
mysql -uroot -p < vhosts.sql
</code>

Now you should have a database called proftpd_admin with a lot of tables in it.

===== Setup file structure =====
Out of the box proftpd administrator uses /ftp as the root of the ftp users. I like to keep it in /var/ftp. Make sure you have this folder.

===== ProFTPd config =====
Inside the folder /var/www/proftpd_admin/misc/sample_config you will find two files. Copy the file called proftpd_quota.conf to /etc/proftpd and call it proftpd.conf.

Insert in the first line:
<file>
Include /etc/proftpd/modules.conf
</file>

Otherwise the modules needed for SQL authentication will not be loaded.

Also look at this part of the config:
<file>
...
...
<Directory /ftp/*>
        AllowOverwrite          off
        HideNoAccess            off
        <Limit READ>
                AllowAll
        </Limit>

        <Limit WRITE>
                DenyGroup       !admins
        </Limit>
</Directory>

<Directory /ftp/incoming/*>
        AllowOverwrite          on
        HideNoAccess            on

        <Limit READ>
                DenyGroup       !admins
        </Limit>

        <Limit STOR MKD>
                AllowAll
        </Limit>
</Directory>
</file>

As I like to use /var/ftp instead it should look like this:
<file>
<Directory /var/ftp/*>
        AllowOverwrite          off
        HideNoAccess            off
        <Limit READ>
                AllowAll
        </Limit>

        <Limit WRITE>
                DenyGroup       !admins
        </Limit>
</Directory>

<Directory /var/ftp/incoming/*>
        AllowOverwrite          on
        HideNoAccess            on

        <Limit READ>
                DenyGroup       !admins
        </Limit>

        <Limit STOR MKD>
                AllowAll
        </Limit>
</Directory>
</file>

If you want to give access to all users, and not just those who are members of the admins group, simply remove the directory statements.

===== Create/Delete user script =====
You can get proftpd administrator to run some scripts when you create or delete a user. This has some limitations as the script is run with the same credentials as the webserver user.

To get around this in a somewhat acceptable way we can utilize sudo. Append this to the sudoers file:

<file>
# Cmnd alias specification
Cmnd_Alias CREATE_USER = /var/www/proftpd_admin/misc/user_script/create_user.sh
Cmnd_Alias DELETE_USER = /var/www/proftpd_admin/misc/user_script/delete_user.sh

# User privilege specification
www-data ALL=(ALL) NOPASSWD: CREATE_USER
www-data ALL=(ALL) NOPASSWD: DELETE_USER
</file>

What this does is allow the two scripts create_user.sh and delete_user.sh to be run as root by the webserver.

It works and it is a compromise and I don't like it!

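Because sudo runs whatever those two paths contain as root, how much of a compromise this is depends on who can modify the scripts: if www-data (or anyone in its group) can write to create_user.sh, the web server account effectively has a root shell. The check below is an added example, not part of the page or of ProFTPd Administrator. It reads the Cmnd_Alias paths out of a sudoers fragment and verifies that every target exists, is owned by the expected user (root in production) and is not group- or world-writable. The sudoers fragment and the scripts it inspects are constructed in a temporary directory, and the demo passes the current user as the expected owner so it can run without root; it relies on GNU/Linux stat -c.

```sh
#!/bin/sh
# Added example: verify that the targets of NOPASSWD Cmnd_Alias entries are safe
# to hand to www-data. A script the web server can edit turns the sudo rule into
# a root shell, so each target must be owned by root and writable only by its owner.

# sudo_cmd_paths SUDOERS: print the command paths named in Cmnd_Alias lines, one per line.
# Handles comma-separated lists and drops any arguments that follow a path.
sudo_cmd_paths() {
    awk -F= '/^Cmnd_Alias/ {
        n = split($2, a, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", a[i])   # trim surrounding whitespace
            sub(/[ \t].*$/, "", a[i])           # keep the path, drop arguments
            if (a[i] != "") print a[i]
        }
    }' "$1"
}

# check_cmd_path PATH OWNER: succeed silently if PATH is a regular file owned by OWNER
# with no group/other write bit; otherwise print the reason and return 1.
check_cmd_path() {
    path=$1 owner=$2
    if [ ! -f "$path" ]; then
        echo "MISSING: $path"; return 1
    fi
    actual_owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    # %a prints 3 or 4 octal digits; the last two are the group and other digits.
    group_digit=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    other_digit=$(printf '%s' "$mode" | tail -c 1)
    if [ "$actual_owner" != "$owner" ]; then
        echo "BAD OWNER ($actual_owner, expected $owner): $path"; return 1
    fi
    if [ $(( group_digit & 2 )) -ne 0 ] || [ $(( other_digit & 2 )) -ne 0 ]; then
        echo "WRITABLE BY GROUP/OTHER (mode $mode): $path"; return 1
    fi
    return 0
}

# check_sudo_cmds SUDOERS [OWNER]: check every Cmnd_Alias target; OWNER defaults to root.
# Returns 1 if any target fails (paths containing whitespace are not supported).
check_sudo_cmds() {
    sudoers=$1 owner=${2:-root} rc=0
    for p in $(sudo_cmd_paths "$sudoers"); do
        check_cmd_path "$p" "$owner" || rc=1
    done
    return $rc
}

# Constructed demo: a sudoers fragment like the one above, pointing at temporary scripts.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho create\n' > "$demo_dir/create_user.sh"
chmod 755 "$demo_dir/create_user.sh"            # owner-writable only: fine
printf '#!/bin/sh\necho delete\n' > "$demo_dir/delete_user.sh"
chmod 775 "$demo_dir/delete_user.sh"            # group-writable: flagged
cat > "$demo_dir/sudoers" <<EOF
Cmnd_Alias CREATE_USER = $demo_dir/create_user.sh
Cmnd_Alias DELETE_USER = $demo_dir/delete_user.sh
www-data ALL=(ALL) NOPASSWD: CREATE_USER
www-data ALL=(ALL) NOPASSWD: DELETE_USER
EOF
# The demo uses the current user as the expected owner; in production pass nothing (root).
check_sudo_cmds "$demo_dir/sudoers" "$(id -un)" && echo "all sudo targets OK" || echo "sudo targets need attention"
rm -rf "$demo_dir"
```

Run it against /etc/sudoers (or the drop-in you appended the rules to) after installing the scripts, and again whenever ProFTPd Administrator is upgraded, since an upgrade that re-extracts misc/user_script can reset ownership and permissions. The same reasoning applies to the directories leading up to the scripts: if www-data can rename /var/www/proftpd_admin/misc/user_script, it can swap in its own file.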

===== Setup TLS/SSL =====
To get ftp working with tls/ssl we first need to make a certificate. It sounds scary; it's not.

All you have to do is run one command and include a conf file from proftpd.conf.

Use this oneliner to make the certificate:
<code>
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout /etc/proftpd/proftpd.key -nodes -out /etc/proftpd/proftpd.crt
</code>

Fill out the questions, but pay attention to the Common Name: it should be the DNS name of your ftp server.
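An added example, not from the page: the same openssl invocation wrapped in a non-interactive shell function that sets the Common Name to a hostname you pass in (plus a matching subjectAltName, which current clients check in preference to the CN), restricts the private key to its owner, and a second function that reads the Common Name back out of the certificate so you can confirm it matches the server's DNS name before pointing proftpd.conf at it. It uses a 2048-bit key where the page's one-liner uses 1024 bits; the directory, the hostname ftp.example.com and the file names are assumptions, -addext needs OpenSSL 1.1.1 or newer, and key_mode relies on GNU/Linux stat -c.

```sh
#!/bin/sh
# Added example: generate the ProFTPd TLS certificate non-interactively and
# verify the Common Name before the files go into /etc/proftpd.
# Assumes OpenSSL 1.1.1+ (for -addext). Paths and hostnames are placeholders.

# make_ftp_cert DIR HOSTNAME: write DIR/proftpd.key and DIR/proftpd.crt, valid for 10 years.
make_ftp_cert() {
    dir=$1 host=$2
    openssl req -x509 -days 3650 -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/proftpd.key" -out "$dir/proftpd.crt" 2>/dev/null || return 1
    # The key is unencrypted (-nodes), so nothing but its owner may read it.
    chmod 600 "$dir/proftpd.key"
}

# cert_cn FILE: print the Common Name from the certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_for FILE DAYS: succeed only if the certificate is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_mode FILE: print the octal permission bits of the private key (expect 600).
key_mode() {
    stat -c '%a' "$1"
}

# Constructed demo against a temporary directory; use /etc/proftpd and your real
# hostname when doing it for real.
demo=$(mktemp -d)
if make_ftp_cert "$demo" ftp.example.com; then
    echo "CN: $(cert_cn "$demo/proftpd.crt")"          # ftp.example.com
    echo "key mode: $(key_mode "$demo/proftpd.key")"  # 600
fi
rm -rf "$demo"
```

Because the certificate is self-signed, clients will still warn on first connection; what the CN/SAN check buys you is that a client which has pinned or accepted the certificate once can tell this server apart from any other that presents a different one.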

Next make a file called tls.conf in /etc/proftpd:
<file>
<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
#
# Server's certificate
#
TLSRSACertificateFile                   /etc/proftpd/proftpd.crt
TLSRSACertificateKeyFile                /etc/proftpd/proftpd.key
#
# CA the server trusts
#TLSCACertificateFile                    /etc/ssl/certs/CA.pem
# or avoid CA cert
TLSOptions                              NoCertRequest
#
# Authenticate clients that want to use FTP over TLS?
#
TLSVerifyClient                         off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired                             off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate                          required off
</IfModule>
</file>

Insert the statement:
<file>
Include /etc/proftpd/tls.conf
</file>

at the top of your proftpd.conf file.

Restart proftpd and you should be able to connect securely with a tls/ssl enabled ftp client.