Installing an FTP server


This post shows how to install the proftpd server on Debian Linux. The installation is simple and should not cause any trouble. After working through the post you will have a simple FTP server up and running.

Let's begin.

We will need the Debian operating system.

Run the following commands in order:

apt-get update

and

apt-get install proftpd

The server can be installed in 2 ways: as standalone, when its performance matters, or started by the inetd daemon, when it only has to handle a small number of connections.


If we want the server to run as "standalone", we must put the line /usr/sbin/proftpd at the end of the file /etc/rc.d/rc.local; it will start the FTP server automatically right after the system has booted. If the server is to be started by "inetd", look for the following line in /etc/inetd.conf:

ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd

Replace it with the following:

ftp stream tcp nowait root /usr/sbin/proftpd proftpd

Note! If the server is to run as "standalone", remember to put a # character in front of this line.

If "xinetd" is installed on the system, edit the file /etc/xinetd.conf and add the lines below, or create the file /etc/xinetd.d/proftpd with this content.

service ftp
{
    flags           = REUSE
    socket_type     = stream
    instances       = 50
    wait            = no
    user            = root
    server          = /usr/sbin/proftpd
    bind            =
    log_on_success  = HOST PID
    log_on_failure  = HOST RECORD
}

 

*On Debian, the way the proftpd server is started can easily be changed after installation with the command:

dpkg-reconfigure proftpd-basic

1) Configure the file /etc/proftpd/proftpd.conf

My file looks like this:

###################################################################
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6                         off
# If set on you can experience a longer connection delay in many cases.
IdentLookups                    off

ServerName                      "Debian"
ServerType                      standalone
DeferWelcome                    off

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayChdir                    .message true
ListOptions                     "-l"

DenyFilter                      \*.*/

# Use this to jail all users in their homes
# DefaultRoot                   ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constraint.
# RequireValidShell             off

# Port 21 is the standard FTP port.
Port                            21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress             1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            proftpd
Group                           nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022
# Normally, we want files to be overwriteable.
AllowOverwrite                  on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd              off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder                     mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile                   off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime.  If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User                        ftp
#   Group                       nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias                   anonymous ftp
#   # Cosmetic changes, all files belong to ftp user
#   DirFakeUser on ftp
#   DirFakeGroup on ftp
#
#   RequireValidShell           off
#
#   # Limit the maximum number of anonymous logins
#   MaxClients                  10
#
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin                welcome.msg
#   DisplayChdir                .message
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
#
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask                   022  022
#   #   <Limit READ WRITE>
#   #     DenyAll
#   #   </Limit>
#   #   <Limit STOR>
#   #     AllowAll
#   #   </Limit>
#   # </Directory>
#
# </Anonymous>

<Anonymous /data/>
  User                          userftp
  Group                         users
  AnonRequirePassword           on
  RequireValidShell             off
  Umask                         000
  DirFakeUser                   on userftp
  DirFakeGroup                  on users

  #UserAlias

  #<Limit LOGIN>
  #  Order Allow,Deny
  #  AllowUser
  #  DenyAll
  #</Limit>

  <Directory /data/>
    <Limit ALL>
      Allow All
    </Limit>
    <Limit All>
      Order Allow,Deny
      AllowAll
      IgnoreHidden on
    </Limit>
  </Directory>
</Anonymous>

# Include other custom configuration files
Include /etc/proftpd/conf.d/
###########################################################################

2) Now it remains to create the directory /data and give the group users read and write permissions on it.

3) A user named userftp has to be created, and it is a good idea to disable its access to the system shell.
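Steps 2) and 3) as shell commands, an added example that is not part of the original post. The mode 2770 (setgid, no access for others), the /usr/sbin/nologin shell, the function names and the script file name are assumptions of this example; the steps run only when the script is called as root with the argument apply.

```sh
#!/bin/sh
# Added example for steps 2) and 3); names mirror the <Anonymous /data/> section.
FTP_ROOT=${FTP_ROOT:-/data}
FTP_USER=${FTP_USER:-userftp}
FTP_GROUP=${FTP_GROUP:-users}

# Step 2: create the directory and give the group read/write access.
# Assumption: setgid (2) keeps uploads in the group, others get no access.
prepare_ftp_root() {    # usage: prepare_ftp_root DIR GROUP
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Step 3: create the account without a usable login shell. The config sets
# RequireValidShell off, so FTP login still works; AnonRequirePassword on
# means the login asks for this account's password, so set one.
create_ftp_user() {     # usage: create_ftp_user USER GROUP HOME
    useradd --home-dir "$3" --no-create-home --gid "$2" \
            --shell /usr/sbin/nologin "$1" && passwd "$1"
}

# Check: succeeds only if USER's shell in PASSWD_FILE is nologin or false.
shell_is_disabled() {   # usage: shell_is_disabled USER [PASSWD_FILE]
    user_shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}")
    case "$user_shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the steps only on request, as root:  sh setup-ftp.sh apply
# (setup-ftp.sh is a hypothetical file name for this script)
if [ "${1:-}" = "apply" ]; then
    prepare_ftp_root "$FTP_ROOT" "$FTP_GROUP" &&
    create_ftp_user "$FTP_USER" "$FTP_GROUP" "$FTP_ROOT" &&
    shell_is_disabled "$FTP_USER" && echo "$FTP_USER has no login shell"
fi
```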
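A quick check of the configuration file from step 1), added here as an example; it is not part of the original post or of ProFTPD. It looks only at active (uncommented) directives in one file; the four checks, their wording and the function names are this example's own, and the sample input is a constructed excerpt of the file above.

```sh
#!/bin/sh
# Added example: flag risky effective settings in a proftpd.conf.
audit_proftpd_conf() {   # usage: audit_proftpd_conf FILE   ("-" reads stdin)
    awk '
        /^[ \t]*(#|$)/ { next }                  # only active directives count
        { d = tolower($1); arg = tolower($2) }
        d == "defaultroot"                  { jail = 1 }
        d == "include" && $2 ~ /tls\.conf$/ { tls = 1 }
        d == "tlsengine" && arg == "on"     { tls = 1 }
        d == "umask" {          # a mask digit without bit 2 lets others write
            for (i = 2; i <= NF; i++)
                if ($i ~ /[0145]$/) {
                    print "umask: Umask " $i " leaves uploads world-writable (line " NR ")"
                    break
                }
        }
        d == "<limit" && arg == "all>"      { in_all = 1; next }
        d == "</limit>"                     { in_all = 0 }
        in_all && (d == "allowall" || (d == "allow" && arg == "all")) {
            print "limit: <Limit ALL> allows every FTP command (line " NR ")"
        }
        END {
            if (!jail) print "jail: DefaultRoot is not set, system users are not confined to their homes"
            if (!tls)  print "tls: no TLS setup in this file, logins and data cross the network unencrypted"
        }
    ' "${1:--}"
}

# Constructed excerpt of the file shown in step 1) (not the full file).
sample_conf() {
    cat <<'EOF'
Umask 022 022
# DefaultRoot ~
#Include /etc/proftpd/tls.conf
<Anonymous /data/>
Umask 000
<Directory /data/>
<Limit ALL>
Allow All
</Limit>
</Directory>
</Anonymous>
EOF
}

sample_conf | audit_proftpd_conf -
```

On the real system, call audit_proftpd_conf /etc/proftpd/proftpd.conf; files pulled in through Include are not followed.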

 
