[PLUG] Getting proftpd configured securely...
Michael Robinson
michael at robinson-west.com
Sat Apr 26 13:07:02 UTC 2003
Accounts I set up for it.
proftpd:x:121:121::/chroot/ftp/:/bin/false
ftp:x:501:501::/home/ftp:/bin/bash
Config file I currently have.
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "Robinson-west.com "
ServerType inetd
DefaultServer on
Bind 192.168.1.12
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User proftpd
Group proftpd
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous /chroot/ftp/pub>
  User ftp
  Group ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients 10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
Service file under /etc/xinetd.d
service ftp
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/proftpd
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    nice            = 10
    bind            = 192.168.1.12
}
I want to make sure that this ftp server only supports downloads from an
anonymous archive rooted at /chroot/ftp/pub. There should be no writing
of any sort allowed and user logins should be denied. I have found that user
logins do work, ughh. Do I need the proftpd accounts? What do I need to
do to my firewall or ftp file under xinetd.d to make this service available
on my outside interface?
This is a lot easier to set up than wu-ftpd, thanks guys :-)
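Added example, not part of the post: a small audit that parses a proftpd.conf and checks the three properties a download-only anonymous server needs (WRITE denied inside <Anonymous>, real-user logins denied at server level, anonymous login still allowed). The hardened sample uses ProFTPD's documented anonymous-only idiom, a server-level <Limit LOGIN> DenyAll overridden by AllowAll inside <Anonymous>; both config samples are constructed here.

```python
import re

# Constructed samples (not from the post): the anonymous section as posted, and
# the same section plus ProFTPD's anonymous-only idiom, a server-level
# <Limit LOGIN> DenyAll that the <Anonymous> block overrides with AllowAll.
POSTED = """
<Anonymous /chroot/ftp/pub>
  User ftp
  Group ftp
  UserAlias anonymous ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
"""
HARDENED = "<Limit LOGIN>\n  DenyAll\n</Limit>\n" + POSTED.replace(
    "  <Limit WRITE>", "  <Limit LOGIN>\n    AllowAll\n  </Limit>\n  <Limit WRITE>")

OPEN_TAG, CLOSE_TAG = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</(\w+)>$")

def parse(conf):
    """Yield (context, directive, args); context is the stack of (block, args)."""
    stack = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if m := CLOSE_TAG.match(line):
            if not stack or stack[-1][0] != m.group(1):
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
        elif m := OPEN_TAG.match(line):
            stack.append((m.group(1), m.group(2).strip()))
        else:
            name, _, args = line.partition(" ")
            yield tuple(stack), name, args.strip()

def audit(conf):
    """Check the three properties a download-only anonymous server needs."""
    found = dict(anon_write_denied=False, real_logins_denied=False,
                 anon_login_allowed=False)
    for ctx, name, _ in parse(conf):
        in_anon = any(b == "Anonymous" for b, _ in ctx)
        limited = {w for b, a in ctx if b == "Limit" for w in a.split()}
        if name == "DenyAll" and "WRITE" in limited and in_anon:
            found["anon_write_denied"] = True
        if name == "DenyAll" and "LOGIN" in limited and not in_anon:
            found["real_logins_denied"] = True
        if name == "AllowAll" and "LOGIN" in limited and in_anon:
            found["anon_login_allowed"] = True
    return found
```

Run audit() on the live proftpd.conf: the posted section passes only the WRITE check, which is why system-account logins still succeed.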