User Tools

Site Tools


howtos:proftpd

Install software

Install ProFTPd:

sudo apt-get install proftpd-mysql

You can find ProFTPd Administrator here: http://sourceforge.net/projects/proftpd-adm/

I assume you already has a MySQL server installed.

proFTPd Administrator

Setup Apache

Make the following site by creating the file proftpd in /etc/apache2/sites-available.

Listen 666
<VirtualHost *:666>
DocumentRoot "/var/www/proftpd_admin"
ServerName localhost:666
ServerAdmin you@example.com
ErrorLog /var/log/apache2/proftpd_error_log
TransferLog /var/log/apache2/proftpd_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
<Directory "/var/www/proftpd_admin">
    SSLOptions +StdEnvVars
    SSLRequireSSL
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /var/log/apache2/pureftpd_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory /var/www/proftpd_admin>
    AllowOverride AuthConfig
    Order deny,allow
    Allow from all
</Directory>
</VirtualHost>

Now extract proftpd administrator into this directory.

Word of caution! This virtual host is not restricted in any way so anyone with access to port 666/tcp on your server can configure the ftp server. Alternatively you can protect it with username/password. See howto here

Setup MySQL

Inside /var/www/proftpd_admin/misc/database_structure_mysql you will find the files creating the database structure. Go inside db_structure.sql and edit the last three lines where the user proftpd is created and granted rights on the database:

...
...
GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY 'abc123';

Next import the files by running these commands:

mysql -uroot -p < db_structure.sql
mysql -uroot -p < powerdns.sql
mysql -uroot -p < upgrade_to_v0.9.sql
mysql -uroot -p <  vhosts.sql

Now you should have a database called proftpd_admin with a lot of tables in it.

Setup file structure

Out of the box proftpd administrator uses /ftp as the root of the ftp users. I like to keep it in /var/ftp. Make sure you have this folder.

ProFTPd config

Inside the folder /var/www/proftpd_admin/misc/sample_config you will find two files. Copy the file called proftpd_quota.conf to /etc/proftpd and call it proftpd.conf.

Insert in the first line:

Include /etc/proftpd/modules.conf

Otherwise you will not be loading the needed modules for sql authentication.

Also this part of the config:

...
...
<Directory /ftp/*>
        AllowOverwrite          off
        HideNoAccess            off
        <Limit READ>
                AllowAll
        </Limit>

        <Limit WRITE>
                DenyGroup       !admins
        </Limit>
</Directory>

<Directory /ftp/incoming/*>
        AllowOverwrite          on
        HideNoAccess            on
 
        <Limit READ>
                DenyGroup       !admins
        </Limit>

        <Limit STOR MKD>
                AllowAll
        </Limit>
</Directory>

As I like to use /var/ftp instead it should look like this:

<Directory /var/ftp/*>
        AllowOverwrite          off
        HideNoAccess            off
        <Limit READ>
                AllowAll
        </Limit>

        <Limit WRITE>
                DenyGroup       !admins
        </Limit>
</Directory>

<Directory /var/ftp/incoming/*>
        AllowOverwrite          on
        HideNoAccess            on
 
        <Limit READ>
                DenyGroup       !admins
        </Limit>

        <Limit STOR MKD>
                AllowAll
        </Limit>
</Directory>

If you want to give access to all users, and not just the ones member of the admins group, simply remove the directory statements.

Create/Delete user script

You can get proftpd administrator to run some scripts when you create or delete a user. This has some limitations as the script is run with the same credentials as the webserver user.

To get around this in a somewhat acceptable way we can utilize sudo. Append this to the sudoers file:

# Cmnd alias specification
Cmnd_Alias CREATE_USER = /var/www/proftpd_admin/misc/user_script/create_user.sh
Cmnd_Alias DELETE_USER = /var/www/proftpd_admin/misc/user_script/delete_user.sh

# User privilege specification
www-data ALL=(ALL) NOPASSWD: CREATE_USER
www-data ALL=(ALL) NOPASSWD: DELETE_USER

What this does is to allow the two scripts create_user.sh and delete_user.sh to be run as root by the webserver.

It works and it is a compromise and I don't like it!

Setup TLS/SSL

To get ftp working with tls/ssl we first need to make a certificate. It sounds scary, it's not.

All you have to do is run one command and include a conf file to proftpd.conf.

Use this oneliner to make the certificate:

openssl req -x509 -days 3650 -newkey rsa:1024 -keyout /etc/proftpd/proftpd.key -nodes -out /etc/proftpd/proftpd.crt

Fill out the questions but pay attention to the Common Name, it should be the DNS name of your ftp server.

Next make a file called tls.conf in /etc/proftpd:

<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
#
# Server's certificate
#
TLSRSACertificateFile                   /etc/proftpd/proftpd.crt
TLSRSACertificateKeyFile                /etc/proftpd/proftpd.key
#
# CA the server trusts
#TLSCACertificateFile                    /etc/ssl/certs/CA.pem
# or avoid CA cert
TLSOptions                              NoCertRequest
#
# Authenticate clients that want to use FTP over TLS?
#
TLSVerifyClient                         off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired                             off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate                          required off
</IfModule>

Insert the statement:

Include /etc/proftpd/tls.conf

at the top of your proftpd.conf file.

Restart proftpd and you should be able to connect securely with a tls/ssl enabled ftp client.

howtos/proftpd.txt · Last modified: 02/12/2018 20:34 by 127.0.0.1