ProFTPD Setup Guide
By: Vincent Hillier [email protected]
--------------------------------------------------------------------------------

NOTE: All users using 1.2.0pre10 are urged to upgrade asap. 1.2.0rc1 fixes a format string vulnerability.

Ok, first thing you need to do is get the source code for ProFTPD. I'd recommend getting the latest version available; the latest is 1.2.0rc1. The source can be found on any one of the sites below (choose whichever one is closest to you):

Chicago, IL, USA: ftp.proftpd.net:/pub/proftpd
Los Angeles, CA, USA: ftp.stikman.com:/pub/proftpd
London, England: ftp.linux.co.uk:/pub/packages/proftpd
Amsterdam, The Netherlands: ftp.nl.uu.net:/pub/ftp/proftpd
Canada: ftp.localhost.ca:/pub/proftpd

Now that you have the source, let's extract it and make the new directory our CWD by executing the following commands...

tar xzvf proftpd-1.2.0rc1.tar.gz
cd proftpd-1.2.0rc1/

Ok, now we need to configure how ProFTPD is built. Basically, what the command below says is to put everything into /usr/local/, keep the proftpd.conf file in /etc/, and enable shadow password support. You will probably need shadow password support; if you're not sure whether you do or not, check /etc for a file called "shadow". If you don't have it, you do not need shadow support; if it does exist, you need shadow support.

./configure --prefix=/usr/local --sysconfdir=/etc --enable-shadow

Now we have to compile and install ProFTPD by executing the following commands.

make
make install

Ok, now that that's done, we need to configure ProFTPD. Switch to your /etc/ directory and open proftpd.conf in your favourite editor.

Ok, the ServerName directive is what you want your users to see as a server name (whoa, does it really?
:))

ServerName "Vince's FTP Server"

The next entry is ServerType; this can be either standalone or inetd. I am only covering standalone in this guide; if you would like to use inetd, proftpd.net has some FAQs for you :)

ServerType standalone

Next up is DefaultServer, which controls the server configuration to use for each incoming connection. This directive is nice for virtual hosting, but I will not cover it in this guide. If you would like me to, you can mail me a money order for $20.00 and I can tell you all about it. :) (Just kidding about the money order part; if ya need to know more information about it, check here: http://proftpd.net/docs/configuration.html#DefaultServer)

DefaultServer on

Ok, next is the Port directive. If you want to run your FTP server on a port other than the standard one (21), change it here; keep in mind nobody could connect to your FTP server without knowing the port. Don't get all excited thinking "Oh, if I change the port, no one would know it is running, and could never exploit it, should an exploit arise"; this is just wrong. The port could easily be found with a port scanner. www.insecure.org has one of the more popular port scanners; get NMAP (port scanner) from there and give it a shot :)

Port 21

Next we have Umask. Wtf is umask, you ask? Umask is used to set initial file permissions. The default umask (022) is equivalent to 0644 using chmod, which would give a file permissions like rw-r--r--. You can always change file attributes after they are created, so just leave this default and change it if need be.

Umask 022

Now the next directive is MaxInstances. This is here to try and prevent DoS attacks. What this directive does is set a limit on the maximum number of child processes that can be spawned from the parent process; in other words, this number is the maximum number of users allowed on the FTP server at one time. This directive only works in standalone mode, which is what we are running as.
MaxInstances 30

The following User and Group directives are which user & group ProFTPD should switch to after initially running as root. It is absolutely required that proftpd is run as root to start, because FTPD uses port 21 (by default), which is a privileged port on *NIX systems. I recommend using the "nobody" user and group.

User nobody
Group nobody

----------------------------------------------------------
I was notified about this by Hunter Matthews <[email protected]>. He requested that Seth Vidal <[email protected]> also get credit for it, so I give you both credit. Thank you Hunter for sending me the mail, and thank you Seth for finding out how to do this...
----------------------------------------------------------
For the benefit of those of us running nis/nis+/ldap/hesiod, apparently the following is required.

AuthPamAuthoritative on
PersistentPasswd off

It should work then. Please check http://www.proftpd.net/docs/configuration.html#PersistentPasswd for more information.
----------------------------------------------------------
Thank you once again :)
----------------------------------------------------------

So basically, if you run nis/nis+/ldap/hesiod, those directives would go here :)

Now the following directive is pretty self explanatory, but if you don't understand it: if you want files to be allowed to be overwritten, set it to "on"; if not, make it "off". This does not mean that anyone can overwrite files; a login is required.

AllowOverwrite on

Ok, the following is very very obvious, so I will not comment on this part, as the comments are really in plain English and not tech talk :)

----------------------------------------------------------
Contributed by: diablero <[email protected]>
----------------------------------------------------------
On Redhat systems, you must add:

RequireValidShell off

in the anonymous section, because user ftp doesn't have a valid shell.
----------------------------------------------------------
Thank you for your help diablero.
----------------------------------------------------------

So basically, if you run Redhat, add RequireValidShell off inside the <Anonymous ~ftp> ... </Anonymous> block shown below.

<Anonymous ~ftp>
  User ftp
  Group ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients 10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

Ok, that's about it! You can run proftpd now by executing

/usr/local/sbin/proftpd

The config file discussed above would look like the following in proftpd.conf...

ServerName "Vince's FTP Server"
ServerType standalone
DefaultServer on
Port 21
Umask 022
MaxInstances 30
User nobody
Group nobody

<Directory /*>
  AllowOverwrite on
</Directory>

<Anonymous ~ftp>
  User ftp
  Group ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients 10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

And that's all she wrote :)

If you are running Slackware Linux, you can add the following to make ProFTPD start at boot time. Add this to your /etc/rc.d/rc.inet2:

#Start ProFTPD...
if [ -x /usr/local/sbin/proftpd ]; then
  echo -n "ProFTPD"
  /usr/local/sbin/proftpd
fi

----------------------------------------------------------
Contributed by: Mark <[email protected]>
----------------------------------------------------------
On Redhat, you can put it in /etc/rc.d/rc.sysinit, in the following manner:

if [ -x /usr/local/sbin/proftpd ]; then
  action "Starting FTP Server" /usr/local/sbin/proftpd
fi
---------------------------------------------------

If you use any other distribution... you're on your own, sorry. If you know how to add it to the startup scripts on another distribution, please email me and I will add it here.

If you have any questions, comments, or complaints, please post them to our site feedback forum at http://www.lansystems.com/forum/list.php?f=7 or email me at [email protected]. If you have flames, please direct them to /dev/null, 'cause that's where I'll send 'em :)
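An added example, not part of this guide and not ProFTPD's own code: a small Python checker for the proftpd.conf points covered above. It parses the directives and nested <Block> sections, works out the file mode a Umask yields (022 gives 644, as explained above), and flags a daemon left running as root, a missing MaxInstances, a permissive Umask, and an anonymous section without <Limit WRITE> DenyAll. The parser is simplified (one directive per line, "#" starts a comment) and the sample config is constructed here, deliberately weakened so the checks have something to report.

```python
# Constructed sample: the guide's config with two deliberate weaknesses for the audit to catch.
SAMPLE_CONF = """\
ServerName "Vince's FTP Server"
Umask 022
MaxInstances 30
User root
Group root
<Anonymous ~ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp   # "anonymous" is an alias for "ftp"
</Anonymous>
"""

def parse(text):
    """Parse directives into a dict; each <Block ...> becomes a nested dict in _children."""
    root = {"_name": "", "_children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments; blank lines are skipped
        if line.startswith("</"):                # closing tag: leave the block
            stack.pop()
        elif line.startswith("<"):               # opening tag: enter a new block
            block = {"_name": line.strip("<>"), "_children": []}
            stack[-1]["_children"].append(block)
            stack.append(block)
        elif line:                               # "Directive value" (value may be empty)
            parts = line.split(None, 1)
            stack[-1][parts[0]] = parts[1].strip('"') if len(parts) > 1 else ""
    return root

def file_mode(umask):
    """Mode of a newly created file: 0666 with the umask bits cleared (022 -> '644')."""
    return "%03o" % (0o666 & ~int(umask, 8))

def audit(text):
    """Return findings for the risks the guide raises; an empty list means all clear."""
    conf, findings = parse(text), []
    if conf.get("User", "root") == "root" or conf.get("Group", "root") == "root":
        findings.append("daemon keeps running as root: set User/Group to nobody")
    if "MaxInstances" not in conf:
        findings.append("MaxInstances unset: no cap on child processes (DoS)")
    if int(file_mode(conf.get("Umask", "022")), 8) & 0o022:
        findings.append("Umask lets new files be group/world writable")
    for block in conf["_children"]:
        if block["_name"].startswith("Anonymous"):
            limits = [c for c in block["_children"] if c["_name"] == "Limit WRITE"]
            if not any("DenyAll" in lim for lim in limits):
                findings.append("Anonymous block lacks <Limit WRITE> DenyAll")
    return findings
```

Running audit(SAMPLE_CONF) reports the root User/Group and the missing <Limit WRITE> DenyAll; feed it the real /etc/proftpd.conf to check an installed server the same way.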