[PLUG] Getting proftpd configured securely...

Derek Loree drl at drloree.com
Sat Apr 26 14:59:01 UTC 2003


On Sat, 2003-04-26 at 13:02, Michael Robinson wrote:
> Accounts I set up for it.
> 
> proftpd:x:121:121::/chroot/ftp/:/bin/false
> ftp:x:501:501::/home/ftp:/bin/bash

The ftp user should probably have /chroot/ftp as the home directory, and
it _needs_ to have /bin/false or /dev/null as the shell. 
> 
> Config file I currently have.
> 
> # This is a basic ProFTPD configuration file (rename it to
> # 'proftpd.conf' for actual use.  It establishes a single server
> # and a single anonymous login.  It assumes that you have a user/group
> # "nobody" and "ftp" for normal operation and anon.
> 
> ServerName                      "Robinson-west.com "
> ServerType                      inetd
> DefaultServer                   on
> Bind                            192.168.1.12
> 
> # Port 21 is the standard FTP port.
> Port                            21
> 
> # Umask 022 is a good standard umask to prevent new dirs and files
> # from being group and world writable.
> Umask                           022
> 
> # To prevent DoS attacks, set the maximum number of child processes
> # to 30.  If you need to allow more than 30 concurrent connections
> # at once, simply increase this value.  Note that this ONLY works
> # in standalone mode, in inetd mode you should use an inetd server
> # that allows you to limit maximum number of processes per service
> # (such as xinetd).
> MaxInstances                    30
> 
> # Set the user and group under which the server will run.
> User                            proftpd
> Group                           proftpd
> 
> # To cause every FTP user to be "jailed" (chrooted) into their home
> # directory, uncomment this line.
> #DefaultRoot ~
> 
> # A basic anonymous configuration, no upload directories.  If you do not
> # want anonymous users, simply delete this entire <Anonymous> section.
> <Anonymous /chroot/ftp/pub>
>   User                          ftp
>   Group                         ftp
> 
>   # We want clients to be able to login with "anonymous" as well as "ftp"
>   UserAlias                     anonymous ftp
> 
>   # Limit the maximum number of anonymous logins
>   MaxClients                    10
> 
>   # We want 'welcome.msg' displayed at login, and '.message' displayed
>   # in each newly chdired directory.
>   DisplayLogin                  welcome.msg
>   DisplayFirstChdir             .message
> 
>   # Limit WRITE everywhere in the anonymous chroot
>   <Limit WRITE>
>     DenyAll
>   </Limit>
> </Anonymous>
> 
> Service file under /etc/xinetd.d
> 
> service ftp
> {
>         disable                 = no
>         flags                   = REUSE
>         socket_type             = stream
>         wait                    = no
>         user                    = root
>         server                  = /usr/sbin/proftpd
>         log_on_success          += DURATION USERID
>         log_on_failure          += USERID
>         nice                    = 10
>         bind                    = 192.168.1.12
> }
> 
> I want to make sure that this ftp server only supports downloads from an 
> anonymous archive rooted at /chroot/ftp/pub.  There should be no writing
> of any sort allowed and user logins should be denied.  I have found that user 
> logins do work, ughh.  

Change the shell, see above.
> Do I need the proftpd accounts?

Yes, but the shell shouldn't function.

>   What do I need to
> do to my firewall or ftp file under xinetd.d to make this service available 
> on my outside interface?

The firewall needs to be set up to forward the appropriate ports.

> This is a lot easier to set up than wu-ftpd, thanks guys :-)

Good Luck

Derek Loree
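The thread above explains that the config as posted still lets system users log in because nothing denies the LOGIN command outside the anonymous block. The following is an added example, not part of the original post or of any ProFTPD sample: a proftpd.conf that allows only anonymous downloads from /chroot/ftp/pub and rejects every other login. Paths, ports, user and group names are taken from the thread; the nested <Limit LOGIN> directives are ProFTPD's documented way to deny non-anonymous logins.

```apacheconf
# Added example (not the original poster's file): anonymous read-only archive,
# all other logins refused. Names and paths follow the thread above.
ServerName      "Robinson-west.com"
ServerType      inetd
DefaultServer   on
Port            21
Umask           022
User            proftpd
Group           proftpd

# Deny the LOGIN command for everyone at the server level. Without this
# block, any account in /etc/passwd with a valid shell can log in.
<Limit LOGIN>
  DenyAll
</Limit>

<Anonymous /chroot/ftp/pub>
  User          ftp
  Group         ftp
  UserAlias     anonymous ftp
  MaxClients    10

  # The ftp account's shell is /bin/false (see the reply above); ProFTPD
  # refuses logins whose shell is not listed in /etc/shells unless told
  # otherwise, so relax that check for this block only.
  RequireValidShell off

  # Re-allow LOGIN for the anonymous account only. The server-level DenyAll
  # is inherited here, so this AllowAll is required.
  <Limit LOGIN>
    AllowAll
  </Limit>

  # Read-only: WRITE covers uploads, renames, deletes and directory creation.
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
```

With this file, a normal system account gets "530 Login incorrect" while "anonymous" still lands in /chroot/ftp/pub. It complements, rather than replaces, the account advice in the reply: the ftp account's shell should still be /bin/false (for example via `usermod -s /bin/false ftp`) so that it can never be used for a shell or SSH login regardless of what the FTP daemon allows, and its home directory should point at the chroot so a misconfigured anonymous block cannot expose /home/ftp.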
