ProFTPD

From vwiki

Latest revision as of 09:15, 22 May 2012

All procedures etc on this page have been created by me, with usage of the ProFTPD manual, unless otherwise stated.

Installation

On Ubuntu the basic install is incredibly taxing, as you'd expect...

  1. Start installation
    • apt-get install proftpd
  2. When prompted, select the following options
    • Accept "unable to authenticate"
    • Select "standalone"

This will provide access to existing users of the server (no anonymous access). Users will be directed to their home directory, but are able to change into any other directory on the system (so the same permissions as if they were SSH'd into the system).

Suggested config changes (edit /etc/proftpd/proftpd.conf)...

  • ServerName "name"
    • This is displayed during login, and can be useful to remind/verify that you've logged into the correct server (though it isn't shown if you enable DeferWelcome)
  • DeferWelcome on
    • Prevents the welcome message being displayed until after successful login, which restricts what information might be given away to unwanted probers, such as the local IP address. Note that the fact that it's a ProFTPD server, and the running version, is still displayed unless you set ServerIdent!
  • ServerIdent on "FTP Server ready"
    • Sets the message displayed on initial connect (on by default)
  • DefaultRoot ~
    • Restricts each user to their home directory (chroot), rather than letting them change into any other directory on the system

To limit which system users are allowed to log in, use the following in /etc/proftpd/proftpd.conf ...

<Limit LOGIN>
  AllowUser usera, userb
  DenyAll
</Limit>


Enable TLS Encryption (FTPS)

Unlike HTTPS, where a different TCP port is used to differentiate it from HTTP, this is not required for FTPS, which can use the same default ports as FTP (TCP 20 and 21).

  1. Obtain / create appropriate certificates (see Create Self-Signed Certificate for info), required files...
    • Certificate Authority certificate (eg self-ca.crt)
    • Server Private Key (eg my-server.key)
    • Server Site Certificate (eg ftp-my-server.crt)
  2. Edit the master config file, /etc/proftpd/proftpd.conf, and uncomment the TLS config include
    • Include /etc/proftpd/tls.conf
  3. Edit /etc/proftpd/tls.conf as shown below
  4. Restart the ProFTPD service
    • service proftpd restart

# Enable mod_tls and log its activity
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
# Protocol versions offered to clients. SSLv3 and TLSv1 (1.0) are now obsolete;
# on a current ProFTPD prefer TLSv1.2 and later where the installed version supports them.
TLSProtocol                             SSLv3 TLSv1

# Server certificate, its private key, and the CA certificate that signed it
TLSRSACertificateFile                   /etc/proftpd/ftp-my-server.crt
TLSRSACertificateKeyFile                /etc/apache2/ssl/web2-server.key
TLSCACertificateFile                    /etc/apache2/ssl/self-ca.crt

# Clients are not asked for a certificate, and TLS is optional: plain FTP
# logins are still accepted. Set TLSRequired on to force encryption.
TLSVerifyClient                         off
TLSRequired                             off
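To confirm that a ProFTPD installation actually carries the settings recommended above (the proftpd.conf suggestions and the <Limit LOGIN> block from the Installation section, and the tls.conf settings just shown), here is an added Python example; it is not part of the original page and not ProFTPD's own code. It parses "Directive value" lines and <Limit> sections into a simple structure and then reports the settings a reviewer would want to confirm. The three configurations it checks are constructed inline, and the finding texts are this example's own wording.

```python
from typing import Dict, List, Tuple

Directives = Dict[str, List[str]]

# Constructed sample: a main config before the page's suggested changes are applied.
DEFAULT_CONF = """\
ServerName "Debian"
ServerType standalone
DeferWelcome off
Include /etc/proftpd/tls.conf
"""

# Constructed sample: the same config after the suggestions and the <Limit LOGIN> block.
HARDENED_CONF = """\
ServerName "name"
ServerType standalone
DeferWelcome on
ServerIdent on "FTP Server ready"
DefaultRoot ~
Include /etc/proftpd/tls.conf
<Limit LOGIN>
  AllowUser usera, userb
  DenyAll
</Limit>
"""

# Constructed sample: tls.conf as shown on the page (SSLv3 still offered, TLS optional).
TLS_CONF = """\
TLSEngine on
TLSProtocol SSLv3 TLSv1
TLSRSACertificateFile /etc/proftpd/ftp-my-server.crt
TLSVerifyClient off
TLSRequired off
"""


def parse_config(text: str) -> Tuple[Directives, Dict[str, Directives]]:
    """Parse 'Directive value' lines into (top-level, {section: directives}).

    A directive may repeat, so every name maps to a list of values. A header
    such as <Limit LOGIN> opens a nested mapping keyed 'limit login'; names are
    lower-cased because ProFTPD treats them case-insensitively. Trailing '#'
    comments and blank lines are dropped.
    """
    top: Directives = {}
    sections: Dict[str, Directives] = {}
    current = top
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):          # end of a <Section> block
            current = top
            continue
        if line.startswith("<"):           # start of a <Section args> block
            key = line.strip("<>").strip().lower()
            current = sections.setdefault(key, {})
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        current.setdefault(parts[0].lower(), []).append(value)
    return top, sections


def audit_main(conf: str) -> List[str]:
    """Report main-config settings recommended on the page that are missing or weak."""
    top, sections = parse_config(conf)
    findings: List[str] = []
    if top.get("deferwelcome", ["off"])[-1].lower() != "on":
        findings.append("DeferWelcome is off: the welcome banner is sent before login")
    if top.get("serverident", ["on"])[-1].lower() == "on":
        findings.append("ServerIdent uses the default banner, which names ProFTPD and its version")
    if "defaultroot" not in top:
        findings.append("DefaultRoot is not set: users can leave their home directory")
    limit = sections.get("limit login")
    if limit is None:
        findings.append("no <Limit LOGIN> block: every system account may log in")
    elif "denyall" not in limit:
        findings.append("<Limit LOGIN> has no DenyAll, so unlisted users are still allowed")
    return findings


OBSOLETE_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}


def audit_tls(conf: str) -> List[str]:
    """Report tls.conf settings that leave connections weaker than intended."""
    top, _ = parse_config(conf)
    findings: List[str] = []
    if top.get("tlsengine", ["off"])[-1].lower() != "on":
        findings.append("TLSEngine is off: FTPS is not enabled at all")
        return findings
    offered = top.get("tlsprotocol", [""])[-1].split()
    weak = [p for p in offered if p.lower() in OBSOLETE_PROTOCOLS]
    if weak:
        findings.append("TLSProtocol still offers obsolete versions: " + " ".join(weak))
    if top.get("tlsrequired", ["off"])[-1].lower() == "off":
        findings.append("TLSRequired is off: clients may still log in over plaintext FTP")
    return findings


if __name__ == "__main__":
    for label, conf, audit in (("default proftpd.conf", DEFAULT_CONF, audit_main),
                               ("hardened proftpd.conf", HARDENED_CONF, audit_main),
                               ("tls.conf", TLS_CONF, audit_tls)):
        print(label + ":")
        for finding in audit(conf) or ["no findings"]:
            print("  - " + finding)
```

Run against the real files with `audit_main(open("/etc/proftpd/proftpd.conf").read())` and `audit_tls(open("/etc/proftpd/tls.conf").read())`. The parser does not follow Include lines, so point it at each file separately; the default-value fallbacks (DeferWelcome off, ServerIdent on, TLSRequired off) match ProFTPD's own defaults, so a directive that is simply absent is reported the same way as one set to its weak value.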

Create Locked Down User

The following example creates a user with access to a specific (home) directory only.

The example creates the user ftp-user , with access tied to an existing folder /var/www/wp (which could be the root of a WordPress blog, allowing one-click updating of the software from the WordPress interface)

  1. Create a dummy (non-existent) shell by adding the following line to /etc/shells (ProFTPD only accepts logins from users whose shell is listed there)
    • /bin/false
  2. Create the user account with that home dir and no usable shell, then set its password (useradd -p expects an already-hashed password rather than plain text, so passwd is used instead)
    • useradd -d /var/www/wp -s /bin/false ftp-user
    • passwd ftp-user

Note that unless the user (ftp-user in the above example) already has permission to write in the folder, that user will not be able to write. Assuming that the group ownership of the files in the folder is www-data, the user will need to be added to the www-data group. To determine which group has rights over the files, run ls -l in the directory; the second name is the group, so in the example below the user is me and the group is www-data...

root@server:/var/www/wp# ls -l
total 332
-rw-rw-r-- 1 me     www-data  4268 2010-10-20 15:40 wp-activate.php
drwxrwxr-x 9 me     www-data  4096 2011-01-03 20:53 wp-admin
-rw-rw-r-- 1 me     www-data 40272 2010-10-28 16:48 wp-app.php
-rw-rw-r-- 1 me     www-data   274 2010-11-20 21:44 wp-blog-header.php
....

To add user ftp-user to group www-data...

  1. Edit /etc/group (e.g. vi /etc/group)
  2. Append ftp-user to the end of the line for www-data
    • EG www-data:x:34:wibble,ftp-user
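As an added check for the locked-down account just described (not part of the original page), the following Python example verifies from /etc/passwd, /etc/group and /etc/shells that the user has the intended home directory, a non-login shell that is still listed in /etc/shells, and membership of the group that owns the files. The file contents below are constructed samples rather than copies from a real host; the www-data line is the page's own example, and the ftp-user line is what the useradd step above produces.

```python
from typing import List

# Constructed sample /etc/passwd, /etc/group and /etc/shells contents (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
me:x:1000:1000:Me:/home/me:/bin/bash
ftp-user:x:1001:1001::/var/www/wp:/bin/false
"""
GROUP = """\
www-data:x:34:wibble,ftp-user
me:x:1000:
"""
SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/false
"""

# Shells that refuse an interactive session.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def audit_ftp_account(passwd: str, group: str, shells: str,
                      user: str, home: str, grp: str) -> List[str]:
    """Check that `user` is confined as intended: home directory `home`, a
    non-login shell that is nevertheless listed in /etc/shells, and membership
    of `grp` so that group-writable files can be written.
    Returns a list of problems; an empty list means the account looks right."""
    findings: List[str] = []
    entry = None
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            entry = fields
    if entry is None:
        return [f"{user}: no entry in /etc/passwd"]
    gid, shell = entry[3], entry[6]
    if entry[5] != home:
        findings.append(f"{user}: home directory is {entry[5]}, expected {home}")
    if shell not in NON_LOGIN_SHELLS:
        findings.append(f"{user}: shell {shell} permits interactive logins")
    valid_shells = [s.strip() for s in shells.splitlines()
                    if s.strip() and not s.startswith("#")]
    if shell not in valid_shells:
        findings.append(f"{user}: shell {shell} is not listed in /etc/shells, so ProFTPD "
                        "rejects the login while RequireValidShell is on (the default)")
    members: List[str] = []
    grp_gid = None
    for line in group.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == grp:
            grp_gid = fields[2]
            members = [m for m in fields[3].split(",") if m]
    # Membership counts either via the supplementary list or as the primary group.
    if user not in members and gid != grp_gid:
        findings.append(f"{user}: not in group {grp}, so cannot write files owned by that group")
    return findings


if __name__ == "__main__":
    result = audit_ftp_account(PASSWD, GROUP, SHELLS, "ftp-user", "/var/www/wp", "www-data")
    for line in result or ["ftp-user is set up as intended"]:
        print(line)
```

On a live system pass `open("/etc/passwd").read()` and so on in place of the samples. The membership check passes whether the group line was edited by hand as above or the user was added with usermod -aG www-data ftp-user, since both end up in the same field of /etc/group.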


Source: http://ubuntuforums.org/showthread.php?t=79588