ProFTPD
Latest revision as of 09:15, 22 May 2012
All procedures etc. on this page have been created by me, using the ProFTPD manual, unless otherwise stated.
Installation
On Ubuntu the basic install is incredibly taxing, as you'd expect...
- Start installation
  apt-get install proftpd
- When prompted, select the following options
  - Accept "unable to authenticate"
  - Select "standalone"
This will provide access to existing users of the server (no anonymous access). Users will be directed to their home directory, but are able to change into any other directory on the system (so the same permissions as if they were SSH'ed into the system).
Suggested config changes (edit /etc/proftpd/proftpd.conf)...
ServerName "name"
- This is displayed during login, and can be useful to remind/verify that you've logged into the correct server (though it isn't shown if you enable DeferWelcome)
DeferWelcome on
- Prevents the welcome message being displayed until after successful login, which restricts what information might be given away to unwanted probers, such as the local IP address. Note that the fact that it's a ProFTPD server and the running version is still displayed unless you set ServerIdent!
ServerIdent on "FTP Server ready"
- Sets the message displayed on initial connect (on by default)
DefaultRoot ~
- Locks users into their home directory (this is NOT infallible and can, with quite a bit of effort, be broken out from, see http://www.bpfh.net/simes/computing/chroot-break.html)
To limit which users are allowed to login, use the following in /etc/proftpd/proftpd.conf...
<Limit LOGIN>
  AllowUser usera, userb
  DenyAll
</Limit>
Enable TLS Encryption (FTPS)
Unlike HTTPS, where a different TCP port is used to differentiate it from HTTP, this is not required for FTPS, which can use the same default ports as FTP (TCP 20 and 21).
- Obtain / create appropriate certificates (see Create Self-Signed Certificate for info), required files...
  - Certificate Authority certificate (eg self-ca.crt)
  - Server Private Key (eg my-server.key)
  - Server Site Certificate (eg ftp-my-server.crt)
- Edit the master config file, /etc/proftpd/proftpd.conf, and uncomment the TLS config include
  Include /etc/proftpd/tls.conf
- Edit /etc/proftpd/tls.conf as shown below
- Restart the ProFTPD service
  service proftpd restart
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv3 TLSv1
TLSRSACertificateFile /etc/proftpd/ftp-my-server.crt
TLSRSACertificateKeyFile /etc/apache2/ssl/web2-server.key
TLSCACertificateFile /etc/apache2/ssl/self-ca.crt
TLSVerifyClient off
TLSRequired off
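To see what the proftpd.conf suggestions above and this tls.conf add up to, here is an added example, not from the wiki page or from ProFTPD itself: a small Python checker that parses ProFTPD-style directive lines and reports the settings that leave the setup weak (obsolete TLSProtocol values, TLSRequired off, DeferWelcome off, a bare ServerIdent, no DefaultRoot). Both sample configs are constructed; the hardened one is my own tightening, not what the page prescribes.

```python
# Added example (not from the wiki page or ProFTPD): audit a config fragment
# for the directives discussed on this page.

def parse_directives(text):
    """Map 'Name arg...' lines to {Name: [args]}; skips comments and <blocks>."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def audit(text):
    """Return findings (strings) for the weak settings this page warns about."""
    d = parse_directives(text)
    first = lambda name, default: (d.get(name) or [default])[0].lower()
    findings = []
    protos = d.get("TLSProtocol", [])
    if any(p.upper().startswith("SSL") or p == "TLSv1" for p in protos):
        findings.append("TLSProtocol allows obsolete SSLv3/TLSv1")
    if first("TLSRequired", "off") != "on":
        findings.append("TLSRequired is not on: plaintext logins are still accepted")
    if first("DeferWelcome", "off") != "on":
        findings.append("DeferWelcome is off: banner is sent before login")
    if first("ServerIdent", "on") == "on" and len(d.get("ServerIdent", [])) < 2:
        findings.append("ServerIdent has no custom text: version string is shown")
    if "DefaultRoot" not in d:
        findings.append("DefaultRoot is missing: users can leave their home directory")
    return findings

# Constructed sample: the tls.conf values above plus stock proftpd.conf defaults.
WEAK_CONF = """
TLSEngine on
TLSProtocol SSLv3 TLSv1
TLSRequired off
DeferWelcome off
ServerIdent on
"""

# Constructed sample: the page's suggestions with TLS made mandatory (my tightening).
HARDENED_CONF = """
TLSEngine on
TLSProtocol TLSv1.2 TLSv1.3
TLSRequired on
DeferWelcome on
ServerIdent on "FTP Server ready"
DefaultRoot ~
"""
```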
Create Locked Down User
The following example creates a user with access to a specific (home) directory only.
The example creates the user ftp-user, with access tied to an existing folder /var/www/wp (which could be the root of a WordPress blog, allowing one-click updating of the software from the WordPress interface).
- Create a dummy (non-login) shell entry by adding the following line to /etc/shells (ProFTPD by default refuses logins for accounts whose shell is not listed there)
  /bin/false
- Create user account with home dir, and no shell
  useradd ftp-user -p ftp-password -d /var/www/wp -s /bin/false
  Note that useradd -p expects the password already hashed (crypt(3) format), so a plain-text value like ftp-password will not allow a login; set the password afterwards with
  passwd ftp-user
Note that unless the user (ftp-user in the above example) already has access to write in the folder, that user will not be able to write. Assuming that the group ownership for the files in the folder is www-data, then the user will need to be added to the www-data group. To determine which group has rights over the files, do an ls -l in the directory; the second name is the group, so in the example below the user is me and the group is www-data...
root@server:/var/www/wp# ls -l
total 332
-rw-rw-r-- 1 me www-data  4268 2010-10-20 15:40 wp-activate.php
drwxrwxr-x 9 me www-data  4096 2011-01-03 20:53 wp-admin
-rw-rw-r-- 1 me www-data 40272 2010-10-28 16:48 wp-app.php
-rw-rw-r-- 1 me www-data   274 2010-11-20 21:44 wp-blog-header.php
....
To add user ftp-user to group www-data...
- Edit /etc/group
  vi /etc/group
- Append ftp-user to the end of the line for www-data
- EG
  www-data:x:34:wibble,ftp-user