[PLUG] Getting proftpd configured securely...

Michael Robinson michael at robinson-west.com
Sat Apr 26 13:07:02 UTC 2003


Accounts I set up for it.

proftpd:x:121:121::/chroot/ftp/:/bin/false
ftp:x:501:501::/home/ftp:/bin/bash

Config file I currently have.

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "Robinson-west.com"
ServerType                      inetd
DefaultServer                   on
Bind                            192.168.1.12

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            proftpd
Group                           proftpd

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous /chroot/ftp/pub>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

Service file under /etc/xinetd.d

service ftp
{
        disable                 = no
        flags                   = REUSE
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/proftpd
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
        bind                    = 192.168.1.12
}

I want to make sure that this ftp server only supports downloads from an 
anonymous archive rooted at /chroot/ftp/pub.  There should be no writing
of any sort allowed and user logins should be denied.  I have found that user 
logins do work, ughh.  Do I need the proftpd accounts?  What do I need to
do to my firewall or ftp file under xinetd.d to make this service available 
on my outside interface?

This is a lot easier to set up than wu-ftpd, thanks guys :-)
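Added example (not the original poster's config, and not the ProFTPD sample file): a proftpd.conf that gives the download-only anonymous archive asked for above, assuming ServerType inetd under xinetd, an archive rooted at /chroot/ftp/pub, and the unprivileged "proftpd" and "ftp" accounts from the post. The "user logins do work" problem comes from the posted file never limiting the LOGIN command: the <Anonymous> block adds an anonymous login but does nothing to stop real accounts. The fix is a server-level <Limit LOGIN> DenyAll that is re-allowed only inside the <Anonymous> block. The timeout values, the passive port range, and the 203.0.113.10 address in the commented MasqueradeAddress line are illustrative choices, not from the post.

```apacheconf
# Added example: anonymous, download-only ProFTPD configuration for inetd/xinetd.
# Assumed: archive under /chroot/ftp/pub, accounts "proftpd" and "ftp" exist.

ServerName                      "Robinson-west.com"
ServerType                      inetd
DefaultServer                   on
ServerIdent                     off     # don't advertise the version in the banner
Port                            21
Umask                           022

# Drop root after the xinetd-started child has the connection.
User                            proftpd
Group                           proftpd

# Don't reach back into the client's network for DNS or ident lookups.
UseReverseDNS                   off
IdentLookups                    off

# Idle sessions occupy an xinetd/MaxInstances slot; time them out (values are
# illustrative).
TimeoutLogin                    60
TimeoutIdle                     300
TimeoutNoTransfer               300
TimeoutStalled                  300

# Passive-mode data connections arrive on this range, so the firewall only has
# to admit 21/tcp plus these ports.  If the outside address is NATed, also set
# MasqueradeAddress to the public address (placeholder address shown).
PassivePorts                    49152 65534
#MasqueradeAddress              203.0.113.10

# Deny every login at the server level ...
<Limit LOGIN>
  DenyAll
</Limit>

# ... and allow it back only for the anonymous archive.
<Anonymous /chroot/ftp/pub>
  User                          ftp
  Group                         ftp
  UserAlias                     anonymous ftp
  AnonRequirePassword           off
  RequireValidShell             off     # lets the "ftp" account keep /bin/false as its shell
  MaxClients                    10 "Sorry, the archive is full (%m users)"
  MaxClientsPerHost             3
  AllowOverwrite                off
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  <Limit LOGIN>
    AllowAll
  </Limit>

  # Read-only: no STOR/APPE, no rename, delete, mkdir/rmdir, no SITE CHMOD.
  <Limit WRITE SITE_CHMOD>
    DenyAll
  </Limit>
</Anonymous>
```

Notes on the rest of the question, as the editor's additions rather than the poster's words: the "proftpd" account is needed because the server-level User/Group directives must name an existing unprivileged account, and the "ftp" account is needed for the <Anonymous> block; with RequireValidShell off inside that block, the "ftp" account can be given /bin/false instead of /bin/bash. In inetd mode the listening address is decided by xinetd, not by proftpd's Bind line, so to serve the outside interface either change the xinetd `bind =` value to the outside address or drop it to listen on every interface; `user = root` stays, since proftpd has to start as root to chroot and switch to the ftp user. On the firewall, accept new inbound connections to 21/tcp and to the PassivePorts range on the outside interface, plus established/related traffic; clients insisting on active mode additionally need the server's outbound connections from port 20 (or the kernel's ip_conntrack_ftp helper) permitted.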




More information about the PLUG mailing list