[PLUG] Getting proftpd configured securely...
Derek Loree
drl at drloree.com
Sat Apr 26 14:59:01 UTC 2003
On Sat, 2003-04-26 at 13:02, Michael Robinson wrote:
> Accounts I set up for it.
>
> proftpd:x:121:121::/chroot/ftp/:/bin/false
> ftp:x:501:501::/home/ftp:/bin/bash
The ftp user should probably have /chroot/ftp as the home directory, and
it _needs_ to have /bin/false or /dev/null as the shell.
>
> Config file I currently have.
>
> # This is a basic ProFTPD configuration file (rename it to
> # 'proftpd.conf' for actual use. It establishes a single server
> # and a single anonymous login. It assumes that you have a user/group
> # "nobody" and "ftp" for normal operation and anon.
>
> ServerName "Robinson-west.com "
> ServerType inetd
> DefaultServer on
> Bind 192.168.1.12
>
> # Port 21 is the standard FTP port.
> Port 21
>
> # Umask 022 is a good standard umask to prevent new dirs and files
> # from being group and world writable.
> Umask 022
>
> # To prevent DoS attacks, set the maximum number of child processes
> # to 30. If you need to allow more than 30 concurrent connections
> # at once, simply increase this value. Note that this ONLY works
> # in standalone mode, in inetd mode you should use an inetd server
> # that allows you to limit maximum number of processes per service
> # (such as xinetd).
> MaxInstances 30
>
> # Set the user and group under which the server will run.
> User proftpd
> Group proftpd
>
> # To cause every FTP user to be "jailed" (chrooted) into their home
> # directory, uncomment this line.
> #DefaultRoot ~
>
> # A basic anonymous configuration, no upload directories. If you do not
> # want anonymous users, simply delete this entire <Anonymous> section.
> <Anonymous /chroot/ftp/pub>
> User ftp
> Group ftp
>
> # We want clients to be able to login with "anonymous" as well as "ftp"
> UserAlias anonymous ftp
>
> # Limit the maximum number of anonymous logins
> MaxClients 10
>
> # We want 'welcome.msg' displayed at login, and '.message' displayed
> # in each newly chdired directory.
> DisplayLogin welcome.msg
> DisplayFirstChdir .message
>
> # Limit WRITE everywhere in the anonymous chroot
> <Limit WRITE>
> DenyAll
> </Limit>
> </Anonymous>
>
> Service file under /etc/xinetd.d
>
> service ftp
> {
> disable = no
> flags = REUSE
> socket_type = stream
> wait = no
> user = root
> server = /usr/sbin/proftpd
> log_on_success += DURATION USERID
> log_on_failure += USERID
> nice = 10
> bind = 192.168.1.12
> }
>
> I want to make sure that this ftp server only supports downloads from an
> anonymous archive rooted at /chroot/ftp/pub. There should be no writing
> of any sort allowed and user logins should be denied. I have found that user
> logins do work, ughh.
Change the shell, see above.
> Do I need the proftpd accounts?
Yes, but the shell shouldn't function.
> What do I need to
> do to my firewall or ftp file under xinetd.d to make this service available
> on my outside interface?
The firewall needs to be set up to forward the appropriate ports.
> This is a lot easier to set up than wu-ftpd, thanks guys :-)
Good Luck
Derek Loree
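A defender's check for the two points in this reply (the login shells on the ftp accounts, and WRITE denied inside every <Anonymous> block), as an added example that is not part of the thread; the passwd lines and config below are constructed from the quoted post and written to a temp directory:

```shell
# Added example, not from the thread: audits an /etc/passwd-style file and a
# proftpd.conf for the issues raised above.

# has_nologin_shell PASSWD USER: true if USER's shell cannot start a session
has_nologin_shell() {
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    case "$shell" in
        /bin/false|/dev/null|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# anon_blocks_deny_write CONF: true if each <Anonymous> section carries a
# <Limit WRITE> ... DenyAll ... </Limit>; comment lines are ignored
anon_blocks_deny_write() {
    awk '
      /^[[:space:]]*#/ { next }
      /^[[:space:]]*<Anonymous/ { in_anon = 1; ok = 0 }
      in_anon && /^[[:space:]]*<Limit[[:space:]]+WRITE/ { in_limit = 1 }
      in_limit && /DenyAll/ { ok = 1 }
      in_limit && /<\/Limit>/ { in_limit = 0 }
      in_anon && /<\/Anonymous>/ { if (!ok) bad = 1; in_anon = 0 }
      END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample inputs mirroring the thread (written to a temp dir).
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
proftpd:x:121:121::/chroot/ftp/:/bin/false
ftp:x:501:501::/home/ftp:/bin/bash
EOF
cat > "$tmp/passwd.fixed" <<'EOF'
proftpd:x:121:121::/chroot/ftp/:/bin/false
ftp:x:501:501::/chroot/ftp:/bin/false
EOF
cat > "$tmp/proftpd.conf" <<'EOF'
<Anonymous /chroot/ftp/pub>
  User ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
EOF

for u in proftpd ftp; do
    has_nologin_shell "$tmp/passwd" "$u" && echo "$u: shell ok" || echo "$u: interactive shell, fix it"
done
anon_blocks_deny_write "$tmp/proftpd.conf" && echo "anonymous: read-only" || echo "anonymous: WRITE not denied"
```

Run it against the real /etc/passwd and proftpd.conf by pointing the two functions at those paths instead of the samples.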