http://vwiki.co.uk/index.php?action=history&feed=atom&title=ProFTPDProFTPD - Revision history2026-06-03T21:05:06ZRevision history for this page on the wikiMediaWiki 1.43.6http://vwiki.co.uk/index.php?title=ProFTPD&diff=1954&oldid=prevSstrutt: /* Enable TLS Encryption (FTPS) */ typo fix2012-05-22T09:15:56Z<p><span class="autocomment">Enable TLS Encryption (FTPS): </span> typo fix</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en-GB">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:15, 22 May 2012</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l31">Line 31:</td>
<td colspan="2" class="diff-lineno">Line 31:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Unlike [[Acronyms#H|HTTPS]], where a different TCP port is used to differentiate from [[Acronyms#H|HTTPS]]; this is not required for [[Acronyms#F|FTPS]], which can use the same default ports as for [[Acronyms#F|FTP]] (TCP 20 and 21).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Unlike [[Acronyms#H|HTTPS]], where a different TCP port is used to differentiate from [[Acronyms#H|HTTPS]]; this is not required for [[Acronyms#F|FTPS]], which can use the same default ports as for [[Acronyms#F|FTP]] (TCP 20 and 21).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Obtain / create appropriate certificates (see [[Secure_Website#Create_Self-Signed_Certificate|Create </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Obtain / create appropriate certificates (see [[Secure_Website#Create_Self-Signed_Certificate|Create Self-Signed Certificate<ins style="font-weight: bold; text-decoration: none;">]</ins>] for info), required files...</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Self-Signed Certificate] for info), required files...</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>#* Certificate Authority certificate (eg <code> self-ca.crt </code>)</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>#* Certificate Authority certificate (eg <code> self-ca.crt </code>)</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>#* Server Private Key (eg <code> my-server.key </code>)</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>#* Server Private Key (eg <code> my-server.key </code>)</div></td></tr>
</table>Sstrutthttp://vwiki.co.uk/index.php?title=ProFTPD&diff=1887&oldid=prevSstrutt: Initial creation2012-05-01T16:14:15Z<p>Initial creation</p>
<p><b>New page</b></p><div>All procedures etc on this page have been created by me, with usage of the [http://www.proftpd.org/localsite/Userguide/linked/userguide.html ProFTPD manual], unless otherwise stated.<br />
<br />
== Installation ==<br />
On Ubuntu the basic install is incredibly taxing, as you'd expect...<br />
# Start installation<br />
#* <code> apt-get install proftpd </code><br />
# When prompted, select the following options<br />
#* Accept "unable to authenticate"<br />
#* Select "standalone"<br />
<br />
This will provide access to existing users of the server (no anonymous access). Users will be directed to their home directory, but able to change into any other directory on the system (so the same permissions as is they were SSH'ed to the system).<br />
<br />
Suggested config changes (edit <code> /etc/proftpd/proftpd.conf </code>)...<br />
* <code> ServerName "name"</code><br />
** This is displayed during login, and can be useful to remind/verify that you've logged into the correct server (though isn't shown if you enable <code> DeferWelcome </code>)<br />
* <code> DeferWelcome on</code><br />
** Prevents welcome message being displayed until after successful login, which restricts what information might be given away to unwanted probers, such as local IP address. Note that the fact that its a ProFTPD serer and the running version is still displayed unless you set in <code>ServerIdent</code>!<br />
* <code> ServerIdent on "FTP Server ready" </code><br />
** Sets the message displayed on initial connect (on by default) <br />
* <code> DefaultRoot ~ </code><br />
** Locks users into their home directory (this is NOT infallible and can, with quite a bit of effort, be broken out from, see http://www.bpfh.net/simes/computing/chroot-break.html)<br />
<br />
To limit which systems users are allowing to login, use the following in <code> /etc/proftpd/proftpd.conf </code>...<br />
<Limit LOGIN><br />
AllowUser usera, userb<br />
DenyAll<br />
</Limit><br />
<br />
<br />
=== Enable TLS Encryption (FTPS) ===<br />
Unlike [[Acronyms#H|HTTPS]], where a different TCP port is used to differentiate from [[Acronyms#H|HTTPS]]; this is not required for [[Acronyms#F|FTPS]], which can use the same default ports as for [[Acronyms#F|FTP]] (TCP 20 and 21).<br />
<br />
# Obtain / create appropriate certificates (see [[Secure_Website#Create_Self-Signed_Certificate|Create <br />
<br />
Self-Signed Certificate] for info), required files...<br />
#* Certificate Authority certificate (eg <code> self-ca.crt </code>)<br />
#* Server Private Key (eg <code> my-server.key </code>)<br />
#* Server Site Certificate (eg <code> ftp-my-server.crt </code>)<br />
# Edit master config file, <code> /etc/proftpd/tls.conf </code> and uncomment TLS config include<br />
#* <code> Include /etc/proftpd/tls.conf </code><br />
# Edit <code> /etc/proftpd/tls.conf </code> as shown below<br />
# Restart the ProFTPD service<br />
#* <code> service proftpd restart </code><br />
<br />
<pre><br />
TLSEngine on<br />
TLSLog /var/log/proftpd/tls.log<br />
TLSProtocol SSLv3 TLSv1<br />
<br />
TLSRSACertificateFile /etc/proftpd/ftp-my-server.crt<br />
TLSRSACertificateKeyFile /etc/apache2/ssl/web2-server.key<br />
TLSCACertificateFile /etc/apache2/ssl/self-ca.crt<br />
<br />
TLSVerifyClient off<br />
TLSRequired off<br />
</pre><br />
<br />
== Create Locked Down User ==<br />
The following example creates a user with access to a specific (home) directory only.<br />
<br />
The example creates the user <code> ftp-user </code>, with access tied to an existing folder <code>/var/www/wp</code> (which could be the root of a [http://wordpress.org/ WordPress] blog, allowing one-click updating of the software from the WordPress interface)<br />
<br />
# Create a dummy (non existent) shell, by editing <code> /etc/shells </code><br />
#* <code> /bin/false </code><br />
# Create user account with home dir, and no shell<br />
#* <code> useradd ftp-user -p ftp-password -d /var/www/wp -s /bin/false </code><br />
<br />
Note that unless the user (<code>ftp-user</code> in the above example) has access to write in the folder already, that user will not be able to write. Assuming that the group ownership for the files in folder is <code>www-data</code>, then the user will need to be added to the <code>www-data</code> group. To determine which group has rights over the files, do a <code> ls -l </code> in the directory, the second name is the group, so in the example below, the user is <code>me</code> and the group is <code>www-data</code>...<br />
<br />
root@server:/var/www/wp# ls -l<br />
total 332<br />
-rw-rw-r-- 1 me www-data 4268 2010-10-20 15:40 wp-activate.php<br />
drwxrwxr-x 9 me www-data 4096 2011-01-03 20:53 wp-admin<br />
-rw-rw-r-- 1 me www-data 40272 2010-10-28 16:48 wp-app.php<br />
-rw-rw-r-- 1 me www-data 274 2010-11-20 21:44 wp-blog-header.php<br />
....<br />
<br />
To add user <code>ftp-user</code> to group <code>www-data</code>...<br />
# Edit <code> vi /etc/group </code><br />
# Append <code>www-data</code> to the end of the line for <code>www-data</code><br />
#* EG <code> www-data:x:34:wibble,ftp-user </code><br />
<br />
<br />
Source: http://ubuntuforums.org/showthread.php?t=79588<br />
<br />
[[Category:ProFTPD]]<br />
[[Category:Ubuntu]]</div>Sstrutt