Professional FTP Daemon FAQ

$Id: proftpdfaq.sgml,v 1.13 2001/02/21 19:44:49 flyhmstr Exp $

This document sets out many of the FAQs related to the installation, functioning and configuration of ProFTPD. It also provides some guidance on policy and security issues.

1. Introduction to ProFTPD
2. Compilation and installing
3. Compatibility and integration
4. Common running problems
5. Configuration problems
6. Security
7. User authentication
8. Hamster droppings
9. FAQ notes

1. Introduction to ProFTPD

1.1 What is ProFTPD?
ProFTPD is an FTP server primarily written for the various Unix variants, though it will now compile under Win32. It has been designed to be much like Apache in concept, taking many of the ideas (configuration format, modular design, etc.) from it.

1.2 What is the current version?

Stable: 1.2.1
Unstable: none

1.3 Who codes/maintains it?
As with all open source projects no one person can really lay claim to the entire package. The ProFTPD project was started by Floody, who took it to approximately 1.2.0pre2/3 before he found that his available time was insufficient to handle this project as well as his other commitments. Since then (mid-late 1999) MacGyver has taken over the project and is pushing towards cleaning up the outstanding patches and getting 1.2.0 shipped.

As of early 2001 Floody is back on the team and we are actively pushing for 1.2.0-release; this is expected before the end of March 2001.

There are also numerous people involved in developing modules and documentation for the project. A number of these have been merged into the core distribution and more are likely to follow.

1.4 Version numbering scheme
At the moment there is a little irrationality in the numbering scheme; however it can be summarised as follows.

1.0.x
This is the previous stable version.

1.1.x
Development code.

1.2.0preX
Pre-release testing versions, development code.

1.2.0rcX
Release candidate code. These releases are pretty much bug free and are testing releases prior to the final stable code.

1.2.x
This will be the stable cycle, with the final .x being the incremental patches to fix bugs discovered after the release version is issued.

1.3.x
Once 1.2.0 is released onward development will start with 1.3.0, much like the Linux kernel numbering cycle.

1.5 Website & documentation
http://www.proftpd.org/ is now online and contains copies of this FAQ, other documentation resources and information on the project. The documentation is being brought back into shape at the moment; the configuration documentation on the website is now approaching where it should be, but more work is required and is ongoing. There is also a mirror at http://proftpd.vom.tm/ and the documentation is also available on http://pdd.sourceforge.net/

Helping with documentation
Writing documentation is a little time consuming and requires some work, but it's not actually difficult. Get the source code from CVS and run "showundocumented" in the doc directory. This will list what needs work. Grep through the code looking for something like

    CHECK_CONF(cmd,CONF_ROOT|CONF_VIRTUAL|CONF_ANON|CONF_GLOBAL)

to figure out where the directive is valid (server config, <VirtualHost>, <Anonymous> and <Global> for the above example). Once you think you understand what it does, test, play, break (if possible). Then copy the format in configuration.html and add the new documentation.

Once the documentation is complete run

    cvs diff -uw configuration.html > configuration.html.patch

and send it to hamster@vom.tm and the devel list.

1.6 Bug reporting
Bug reports should be made via http://bugs.proftpd.org/, which uses the Bugzilla tracking system. Patches should be mailed to the proftpd-devel mailing list or to MacGyver directly.

1.7 I've found a security hole
Please report all security problems with the code to security@proftpd.org before releasing the information into the public domain. It would be appreciated if you give the core team a few days to put together a patch and/or new release to address the issue.

Please adhere to the procedures and timescales given in the RFP policy document, http://www.wiretrip.net/rfp/policy.html; this will give the core development team a chance to get a fix or workaround in place before the problem becomes fully public.

1.8 Downloading
There are two main methods of getting the software: downloading a compressed tarball or RPM (there is also a Debian package available in the main distribution) from proftpd.org or from a mirror site, or alternatively, if you wish to run the latest bleeding edge code, collecting it from the CVS server.

Mirror sites
There is a complete and maintained list of FTP mirror sites available from http://www.proftpd.org/download.html

CVS
First log in to the repository:

    cvs -d :pserver:anonymous@proftpd.org:/var/proftpd login

(the password is proftpd). Then do:

    cvs -d :pserver:anonymous@proftpd.org:/var/proftpd checkout proftpd-1.2

To obtain the latest/greatest updates, just hop into the proftpd-1.2 directory and do: cvs update

A couple of sites generate downloadable tarballs of the latest CVS code to make obtaining the test code easier.

1.9 Mailing lists
There are three lists for ProFTPD.

Announce
proftpd-announce@proftpd.org

This is a very low traffic list on which only ProFTPD announcements/changes will be posted.

Subscribe by sending a message to proftpd-announce-request@proftpd.org with "subscribe" in the subject.

Users
proftpd@proftpd.org

This is intended to be the user support channel for the software; in all likelihood this is going to be a high traffic list and slightly chatty. Please read the FAQ, the documentation and the list archives before posting a question.

Subscribe by sending a message to proftpd-request@proftpd.org with "subscribe" in the subject.

Development
proftpd-devel@proftpd.org

This list is intended for discussion of development-related issues of ProFTPD, and feature design. It is not intended to be a user help group.

Subscribe by sending a message to proftpd-devel-request@proftpd.org with "subscribe" in the subject.

Archives
The mailing list archives can be found at http://www.proftpd.org/proftpd-l-archive/ and http://www.proftpd.org/proftpd-devel-archive/

1.10 Copyright issues
The software is currently distributed under the GNU General Public License (version 2 or later) as published by the Free Software Foundation. Copyright is held by Public Flood Software.

2. Compilation and installing

2.1 What platforms will it compile on?
There have been reports of ProFTPD compiling on all the following platforms (and versions).

Linux 2.0.x & 2.2.x (glibc 2.x only) & 2.4.x
BSDI 3.1 & 4.0
IRIX 6.2, 6.3, 6.4, 6.5
Solaris 2.5.1, 2.6 & 2.7
AIX 3.2 & 4.2
OpenBSD 2.2/2.3
FreeBSD 2.2.7
Digital Unix 4.0a
DEC OSF/1

Why not libc5 on Linux?
There are several known problems with libc5-based systems, including improperly implemented library routines (vsprintf and vsnprintf are examples). There are known problems with the resolver library. For these reasons and others libc5 is not being supported at all; the latest versions of the major distributions (including Debian, Red Hat and SuSE) are all glibc.

2.2 CVS
CVS (Concurrent Versions System) is a version control system which allows multiple developers (scattered across the same room or across the world) to maintain a single codebase and keep a record of all changes to the work.

The CVS repository for ProFTPD is available to non-developers in read-only mode; however this code is right on the bleeding edge and is not guaranteed to even compile, let alone work. Access to CVS is given to allow important security patches out into the wild and to allow users and interested parties to test out the latest changes on real systems.

Recommended ~/.cvsrc settings

    cvs -z3
    update -Pd
    diff -uw

Where can I get information on CVS?
CVS is produced by Cyclic Software (http://www.cyclic.com/) and details on CVS can be found on their website. The CVS documentation is clear, detailed and above all heavy when printed. I'd recommend reading it if you're planning on using CVS a lot.

2.3 How do I get debug output?
The easiest way is to fire up ProFTPD manually from the command line with the debug level cranked up.

    /usr/local/sbin/proftpd -d9 -n

This will result in maximal debug output direct to the console. Warning: this can get messy on a busy server; for testing I would suggest copying the config, altering the port the server binds to and then testing against that copy.

2.4 Patches
Any patches should be submitted in unified diff format; this makes integrating them into the main CVS source a lot easier. When generating a diff against the current CVS source use "cvs diff -uw" to generate the patch.

    cvs diff -uw filename > filename.patch

or

    cvs diff -uw > bigger.patch

Patches that add configuration directives without proper documentation will be rejected. New features without documentation are less than useless to the community at large.

2.5 Using non-default modules
Simply configure ProFTPD with

    ./configure --with-modules=mod_module1:mod_module2:mod_module3
    make
    make install

2.6 Plans for next version (1.3.x)
The new development series will be 1.3.x, using the same numbering scheme as the Linux kernel developers. The targets/goals are:

Refining/redefining the module API to make it more extensible and useful.
Dynamic modules.
Security APIs and implementations.
mod_ls rewrite.
Implementing some security-related RFCs.
Creating a web and GUI configuration interface to ProFTPD.

2.0.x will be the production release of the 1.3.x development set.

2.7 NT support
If/when a port is undertaken for NT, it will only be after a near complete rethinking of ProFTPD. This is planned for 2.0 and onwards.

2.8 New features/modules
While anything new is welcomed, it's probably better to at least float the idea first on the devel mailing list to ensure that someone else isn't already hacking on it. Also, when submitting the patch or module for inclusion into the ProFTPD source, full documentation is needed.

Suggestions made for future development

GUI based configuration tool
CDB based authentication

3. Compatibility and integration

3.1 SQL
ProFTPD has support for authentication and logging via SQL databases using the mod_sql module as supplied in the main distribution.

3.2 SSH
Unfortunately, while integration into ProFTPD itself might be possible, it's pretty useless without the corresponding implementation within the commonly used FTP clients.

3.3 sendfile()
sendfile() is a system call which streamlines the copying of data between the disk and the TCP socket. The call copies from the page cache directly rather than requiring a kernel -> user space -> kernel space copy for every read() and write() call. Generally the advantages are only felt on heavily loaded servers. The call is supported in ProFTPD for Linux and FreeBSD.

Linux 2.0.x
sendfile is not supported under 2.0.x. This is not an issue when compiling for 2.0.x on a 2.0.x system; however when compiling on a 2.2.x system for use on 2.0.x use the --disable-sendfile flag.

Runtime detection of sendfile()
There are two patches available for runtime detection of sendfile() which get round the 2.0.x problems.

Johnie Ingram (aka netgod): http://www.proftpd.org/proftpd-devel-archive/99-10/msg00073.html

John Pierce: http://www.proftpd.org/proftpd-devel-archive/99-10/msg00112.html

What are these log lines in pre8?
The pre8 code has some additional debug logging tracking how sendfile is working. Nothing to get excited about; it's probably a case of MacGyver forgetting to comment it out.

Problems with sendfile
There appear to be a number of problems with sendfile(), particularly with the directives and features which require accurate determination of file size, such as the Rate* directives and downloading large files. The best advice at the moment appears to be to disable sendfile by default (--disable-sendfile).

sendfile() also appears to be the source of a number of file corruption problems.

3.4 IPv6
There is currently no official support for IPv6 within the 1.2.x code tree; however there is an unofficial patch, and more comprehensive support will probably be developed during the 1.3.x development cycle.

3.5 Filename case sensitivity
ProFTPD is utterly dependent on the underlying OS to handle filename case sensitivity. If the underlying OS is case sensitive then ProFTPD will be; there are currently no plans for a module to handle this.

3.6 FXP
FXP is capable of bouncing data between FTP sites. There have been a number of reports of problems in configuring ProFTPD to function cleanly with this program (http://flashfxp.skuz.net/).

To support FXP when connecting as a user, place "AllowForeignAddress on" in the global or VirtualHost context.

To support FXP when connecting as anon, "AllowForeignAddress on" must be placed in the Anonymous context.

The config will happily support "AllowForeignAddress on" in multiple places within the config.

4. Common running problems

4.1 ProFTPD doesn't seem to work
If you start ProFTPD in standalone mode and it doesn't show in ps, it could be many things, possibly something like not running ProFTPD as root (it needs to be run as root initially, but will switch to a non-privileged user). Regardless, ProFTPD logs all errors via the standard syslog mechanism. You need to check your system logs in order to determine what the problem is.

It doesn't work!
There are many times when there's a completely random problem which appears to be insoluble. The best place to ask for help is definitely the mailing list (proftpd-l), but it's not productive to ask for help without giving enough information for intelligent debugging.

Have you:

checked your logs?
tried the server in debug mode?
read the FAQ?
checked the mailing list archive?
are you running the latest version?

When posting try to give enough information; this might include, but is not limited to:

OS and server version (proftpd -vv)
list of included modules (proftpd -l)
appropriate log extracts
output from debug mode
configuration fragments

4.2 "inet_create_connection() failed: Operation not permitted"
You aren't starting ProFTPD as root, or you have inetd configured to run ProFTPD as a user other than root. The ProFTPD daemon must be started as root in order to bind to TCP ports lower than 1024, or to open your shadow password file when authenticating users. The daemon switches uid/gids to the user and group specified by the User/Group directives during normal operation, so a ps will show it running as the user you specified.

4.3 Unable to bind to port / address already in use
You've configured ProFTPD to run as standalone, but you've left the line for the ftp service in /etc/inetd.conf. Comment out the line starting "ftp" in /etc/inetd.conf, restart inetd (killall -HUP inetd or something similar should do the trick) and try again. Alternatively, check to see if there's another copy of ProFTPD running.

4.4 "fatal: Socket operation on non-socket"
You have ProFTPD configured to run in inetd mode rather than standalone. In this mode, ProFTPD expects that it will be run from the inetd super-server, which implies that stdin/stdout will be sockets instead of terminals. As a result, socket operations will fail and the above error will be printed. If you wish to run ProFTPD from the shell, in standalone mode, you'll need to modify your proftpd.conf configuration file and add or edit the ServerType directive to read:

    ServerType standalone

4.5 "fatal: Unable to determine IP address of hostname"
The hosting machine has a poorly configured hostname setup, to the point where the resolver library cannot determine the IP from the name. Solutions include fixing the DNS for the domain, fixing the hostname, or fixing the /etc/hosts file. Which one works for you will largely depend on your OS and exactly what is wrong.

4.6 I'm having problems with FTP clients behind firewalls
The FTP specification defines that two sockets should be used for all communications. The first runs over port 21 and is the control channel over which all commands and response codes are sent. Whenever data needs to be transferred, for example for a file download, a directory listing etc., a second channel is created on demand; this socket can take one of two forms.

Non-passive
The server end of the data socket uses port 20. This is nice and easy to work into a firewall configuration.

Passive
The port at either end is dynamically allocated. This is virtually impossible to cater for in a firewall configuration given that the port mapping will be different for every data connection.

The solution is to force the users to configure their clients to use the non-passive mode (i.e. port 20).
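The two data-channel forms described above, and the foreign-address check that the AllowForeignAddress directive from 3.6 switches off, as an added example in Python. This is not ProFTPD code and not from the FAQ; the command lines, replies and addresses are constructed, and the refusal of privileged PORT targets is an extra hardening check of this example's own rather than something the FAQ states.

```python
import re

# "h1,h2,h3,h4,p1,p2" as carried by the PORT command and the 227 PASV reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the 'h1,h2,h3,h4,p1,p2' tuple found in `text`.
    Returns (ip, port) or None if the tuple is absent or malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        return None
    port = parts[4] * 256 + parts[5]
    if port == 0:
        return None
    return ".".join(str(x) for x in parts[:4]), port


def data_channel(client_line, server_reply):
    """Work out where the data connection for a transfer will be made.
    Active (PORT): the server connects from port 20 to the address the client
    named.  Passive (PASV): the client connects to the dynamically chosen
    address the server announced in its 227 reply."""
    if client_line.upper().startswith("PORT "):
        hp = decode_hostport(client_line)
        if hp is None:
            return {"mode": "active", "error": "malformed PORT"}
        return {"mode": "active", "connects": "server->client",
                "server_port": 20, "client_addr": hp}
    if client_line.upper().startswith("PASV") and server_reply.startswith("227"):
        hp = decode_hostport(server_reply)
        if hp is None:
            return {"mode": "passive", "error": "malformed 227 reply"}
        return {"mode": "passive", "connects": "client->server",
                "server_addr": hp}
    return {"mode": "unknown"}


def port_allowed(client_line, control_peer_ip, allow_foreign_address=False):
    """The decision AllowForeignAddress governs: a PORT target is accepted only
    if it is the address the control connection came from, unless the
    directive is on (the FXP case).  Returns (accepted, reason)."""
    hp = decode_hostport(client_line)
    if hp is None:
        return False, "malformed PORT"
    ip, port = hp
    if port < 1024:
        # extra hardening (this example's own): never dial a privileged port
        return False, "privileged port %d refused" % port
    if ip != control_peer_ip and not allow_foreign_address:
        return False, "foreign address %s refused (AllowForeignAddress off)" % ip
    return True, "data connection to %s:%d" % (ip, port)


if __name__ == "__main__":
    # constructed sample exchange: an active-mode client behind 192.168.1.10
    print(data_channel("PORT 192,168,1,10,4,1", ""))
    print(port_allowed("PORT 10,0,0,5,4,1", "192.168.1.10"))
```

For a firewall the useful output is `server_port` (always 20 on the server side in active mode) versus `server_addr` in passive mode, whose port differs per transfer; `port_allowed` shows why leaving AllowForeignAddress off is the safe default and why it has to be relaxed only where FXP is genuinely needed.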

4.7 Can I run more than one VirtualHost on a single IP?
No, or at least not in the HTTP/1.1 manner of virtual hosting. This is an inbuilt limitation of the current FTP RFC: unlike the HTTP/1.1 spec there is no mechanism comparable to the "Host: foo.bar.com" HTTP header for specifying which host the connection is for. Therefore the only method for determining which VirtualHost the connection is destined for is by the destination IP.

The one exception to this is if you host multiple servers on the same IP but using different ports; however this requires that the connecting client uses a non-standard port and therefore is probably not a good solution for mass hosting.

Is there anything in the pipeline to fix this?
There is a draft standard with the IETF which extends and improves on the FTP specification, including support for a HOST command. However, given that the IP crunch is coming from websites and not virtual FTP servers, this is unlikely to be pushed through any time soon.

4.8 How do I run ProFTPD from inetd?
Find the line in /etc/inetd.conf that looks something like this:

    ftp stream tcp nowait root in.ftpd in.ftpd

Replace it with:

    ftp stream tcp nowait root in.proftpd in.proftpd

Then find your inetd process in the process listing and send it the SIGHUP signal so that it will rehash and reconfigure itself. You may also need to add in.proftpd to hosts.allow on your system.

4.9 Can I use TCP wrappers with ProFTPD?
Yup. Although ProFTPD has built-in IP access control (see the Deny and Allow directives), many admins choose to consolidate IP access control in one place via in.tcpd. Just configure ProFTPD to run from inetd as any other tcp-wrapper wrapped daemon and add the appropriate lines to the hosts.allow/hosts.deny files.

4.10 Can I run an FTP server on a non-standard port?
Yes. Use a <VirtualHost> block with your machine's FQDN (fully qualified domain name) or IP address, and a Port directive inside the block. For example, if your host is named "myhost.mydomain.com" and you want to run an additional FTP server on port 2001, you would:

    <VirtualHost myhost.mydomain.com>
      Port 2001
    </VirtualHost>

4.11 Can I control upload/download ratios?
Yes, the mod_ratio module provides for doing just this.

The ratio directives take four numbers: file ratio, initial file credit, byte ratio, and initial byte credit. Setting either ratio to 0 disables that check.

The directives are HostRatio (matches FQDN, wildcards allowed), AnonRatio (matches the password entered at login), UserRatio (accepts "*" for any user), and GroupRatio.

    Ratios on                                 # enable module
    UserRatio ftp 0 0 0 0
    HostRatio master.debian.org 0 0 0 0       # leech access (default)
    GroupRatio proftpd 100 10 5 100000        # 100:1 files, 10 file cred; 5:1 bytes, 100k byte cred
    AnonRatio billg@microsoft.com 1 0 1 0     # 1:1 ratio, no credits
    UserRatio * 5 5 5 50000                   # special default case

This example is for someone who (1) has downloaded 1 file of 82k, (2) has uploaded nothing, (3) has a ratio of 5:1 files and 5:1 bytes, (4) has 4 files and 17k credit remaining, and (5) is now changing directory to /art/nudes/young/carla. The initial credit, not shown, was 5 files and 100k (UserRatio * 5 5 5 100000).

Version 2.0 and above of this module integrate with mod_sql.

Limitations of mod_ratio
It appears that the ratio limits in mod_ratio are only maintained on a per-session basis and there is no ongoing tracking of usage.

4.12 Slow logins
This is probably caused by a firewall or DNS timeout. By default ProFTPD will try to do both DNS and ident lookups against the incoming connection. If these are blocked or excessively delayed a slower than normal login will result. To turn off DNS and ident lookups use:

    UseReverseDNS off
    IdentLookups off

IdentLookups and tcpwrappers ***

4.13 Lots of "FTP session closed" messages

    Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
    Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
    Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
    Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.

The above log extract is likely to be caused by a local monitoring system or a particularly aggressive DoS attack. Most service monitoring systems try opening the FTP port on the target server to detect whether it is active and running. Most of the time these tests are followed by an immediate "QUIT" or disconnection.

tcpdump/tcpshow on the server in question should show which machine on your network is generating these connections.
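Before reaching for tcpdump it helps to know which minutes actually carry a burst. The following is an added example, not ProFTPD code and not from the FAQ: it parses syslog lines of the form shown above and reports any (minute, host) window with at least a threshold number of "FTP session closed." messages. The log lines are constructed sample input modelled on the extract above.

```python
import re
from collections import Counter

# syslog line as proftpd writes it: "<month> <day> <time> <host> proftpd[<pid>]: <message>"
_SYSLOG = re.compile(
    r"^(?P<stamp>[A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"proftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# constructed sample: a burst of connect-and-quit sessions, then one ordinary close later
SAMPLE_LOG = [
    "Oct  7 12:30:%02d salvage2 proftpd[%d]: FTP session closed." % (48 + i, 8870 + i)
    for i in range(12)
] + ["Oct  7 12:45:02 salvage2 proftpd[9001]: FTP session closed."]


def parse_syslog(lines):
    """Yield (minute, host, pid, message) for each proftpd line; `minute` is
    the timestamp with seconds dropped and whitespace normalised, so lines
    from the same minute share one key regardless of day-number padding."""
    for line in lines:
        m = _SYSLOG.match(line)
        if m is None:
            continue
        stamp = " ".join(m.group("stamp").split())
        yield stamp[:-3], m.group("host"), int(m.group("pid")), m.group("msg").strip()


def session_closed_bursts(lines, threshold=10):
    """Count 'FTP session closed.' messages per (minute, host) and return the
    windows at or above `threshold` as (minute, host, count), in the order
    first seen.  A run of closes from one host in one minute is what a port
    monitor or a connect-and-quit flood looks like in syslog; the source
    address is not in these lines, which is why the FAQ points at tcpdump."""
    counts = Counter()
    order = []
    for minute, host, _pid, msg in parse_syslog(lines):
        if msg.lower() != "ftp session closed.":
            continue
        key = (minute, host)
        if key not in counts:
            order.append(key)
        counts[key] += 1
    return [(m, h, counts[(m, h)]) for (m, h) in order if counts[(m, h)] >= threshold]


if __name__ == "__main__":
    for minute, host, n in session_closed_bursts(SAMPLE_LOG):
        print("%s %s: %d sessions closed" % (minute, host, n))
```

Feed it `open("/var/log/messages")` (or wherever syslog sends the daemon facility) and lower the threshold for a quiet server; the pids in the output are the handle for matching against debug-mode "connected from" lines if you then raise the log level.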

4.14 How do I see who is connected?
The ftpwho command lists the state of each FTP connection to the server and what its current activity is. However, this does not detail the connection information on a virtual-by-virtual basis.

4.15 Can I force ProFTPD to listen on only one IP?
Sort of; it's not quite as clean as the socket binding under Apache, but the principle works something like this.

Standalone mode

To listen on the primary IP of a host:
use the SocketBindTight directive.

To listen on interfaces which are not the primary host interface:
use the SocketBindTight directive, place your server configuration in a <VirtualHost> block and use "Port 0" for the main host configuration and "Port 21" inside the VirtualHost block.

inetd
There are two approaches possible. The first is to use the patch from Daniel Roesen (check the mailing list archives).

The second method is to run ProFTPD from xinetd (http://synack.net/xinetd/), a more advanced replacement for inetd. An entry for this in xinetd.conf would be something like this:

    service ftp
    {
        flags           = REUSE
        socket_type     = stream
        instances       = 50
        wait            = no
        user            = root
        server          = /usr/sbin/proftpd
        # the address this instance should listen on (placeholder value)
        bind            = 192.0.2.10
        log_on_success  = HOST PID
        log_on_failure  = HOST RECORD
    }

4.16 "FTP server shut down ... please try again later."
Check for /etc/shutmsg and delete it.

4.17 How do I shut down the server without killing ProFTPD?
ftpshut allows the server to disallow connections with a message without actually taking down the service. The shutdown can be scheduled for a point in the future or right now; existing connections can be allowed to finish, or be terminated now. Re-enabling is done by removing the /etc/shutmsg file.

4.18 Is it possible to shut down a single VirtualHost?
No, the shutmsg file works at a daemon level, not at a virtual host level.

4.19 Error 421
This appears to be a general catch-all error code meaning something nasty has gone wrong.

connection has timed out
the DefaultRoot specified doesn't exist
the parent server has been killed
check /etc/services
wrong permissions on the DefaultRoot

You get the idea...

4.20 ProFTPD doesn't show in the process list
Two possible reasons: first, that it's simply not running; try proftpd -n -d2 to run in debug mode and see what happens. The other is that it's running from inetd and there are no active sessions at the moment.

4.21 How do I restart/reload the server?
This depends on the mode you're running the server in.

inetd
Unless you're making a configuration change to inetd itself nothing needs doing. The server reloads the configuration every time a new connection is made.

Standalone
Either stop and start the server completely (a little aggressive for most admins' tastes) or send a SIGHUP to the master daemon process.

4.22 503 No PORT command issued
A bug was introduced in 1.2.0rc2 which prevented the PORT command working properly, therefore breaking the data socket under certain conditions. The bug was documented as bug 240 and has been fixed in CVS. An rc3 release is due before the end of Jan 2001.

4.23 fatal: Unable to determine IP address of
ProFTPD was unable to work out what IP is associated with the hostname in the VirtualHost block. This is normally caused by a problem with the DNS resolution of the host; check the resolv.conf file and that your chosen nameservers are functional.

4.24 451 Append/Restart not permitted, try again
AllowStoreRestart is disabled by default because it will allow any writable file to be corrupted by a malicious user. It is recommended that this option is only used with authenticated users and then only in certain directories.

4.25 The time being displayed is wrong
The default behaviour for ProFTPD is to display all times relative to GMT. To use local time set "TimesGMT off" in the server section of the config. There is a known issue with Red Hat 7 with regard to time handling: http://www.redhat.com/support/errata/rh7-errata-bugfixes.html

4.26 Authentication is taking too long
Make sure that reverse DNS is disabled, and turn off ident lookups. Additionally, check the size of your /etc/passwd (or shadow) file; if it is large then the only solution may be to move to another authentication scheme.

4.27 Corrupted files
There appear to be some problems both with the use of sendfile() in ProFTPD and with the implementation within certain operating systems.

4.28 Can I upgrade ProFTPD without terminating the current sessions?
Short answer, no. Longer answer is no, but you can minimise the effects. The cleanest approach on servers which have significant amounts of traffic appears to be to use ftpshut to block new connections and terminate existing ones after a pre-determined time period, and then to upgrade and restart. This approach limits the number of downloads which are terminated part way through.

5. Configuration problems
Problems encountered in trying to make the server behave exactly as required after compilation and installation are complete and the server is running.

5.1 How do I add another anonymous login or guest account?
You should look in the sample-configurations/ directory from your distribution tarball. Basically, you'll need to create another user on your system for the guest/anonymous FTP login. For security reasons, it's very important that you make sure the user account either has a password or has an "unmatchable" password. The root directory of the guest/anonymous account doesn't have to be the user's home directory, but it makes sense to do so. After you have created the account, put something like the following in your /etc/proftpd.conf file (assuming the new user/group name is private/private):

    <Anonymous ~private>
      AnonRequirePassword off
      User private
      Group private
      RequireValidShell off

      <Limit WRITE>
        DenyAll
      </Limit>
    </Anonymous>

This will allow FTP clients to log in to your site with the username "private" and their e-mail address as a password. You can change the AnonRequirePassword directive to "on" if you want clients to be forced to transmit the correct password for the private account. This sample configuration allows clients to change into, list and read all directories, but denies write access of any kind.

5.2 How do I FTP as root?
First off, this is a bad idea; FTPing as root is insecure, and there are better, more secure ways of shifting files as root.

To enable root FTP ensure that the directive "RootLogin on" is included in your configuration.

5.3 How do I provide a secure upload facility?
The following snippet from a sample configuration file illustrates how to protect an "upload" directory in such a fashion (which is a very good idea if you don't want people using your site for "warez"):

    <Anonymous ~ftp>
      # All files uploaded are set to username.usergroup ownership
      User username
      Group usergroup
      UserAlias ftp username
      AuthAliasOnly on
      RequireValidShell off

      # Deny every write operation in the anonymous tree...
      <Limit WRITE>
        DenyAll
      </Limit>

      # ...except in incoming/, where clients may store files but not read them
      <Directory incoming>
        <Limit STOR>
          AllowAll
        </Limit>
        <Limit READ>
          DenyAll
        </Limit>
      </Directory>
    </Anonymous>

This denies all write operations to the anonymous root directory and sub-directories, except "incoming/" where the permissions are reversed and the client can store but not read. If you used <Limit WRITE> instead of <Limit STOR> on incoming/, FTP clients would be allowed to perform all write operations to the sub-directory, including deleting, renaming and creating directories.

5.4 How can I stop my users from using their space as a warez repository?
The above fragment will control anonymous users; however if a local user with a full account with upload and download capability is abusing their space, then the technical measures which can be taken are limited. Applying a sane system quota is a good start; using the mod_quota and mod_ratio modules may control the rates of upload/download, making it less useful as a warez repository. In the end it comes down to system monitoring and good site AUPs and enforcement.

5.5 Can I rotate files out of an upload directory after upload?
Yes. You'll need to write a script which either checks the contents of the directory regularly and moves a file once it has detected no size change in it for xyz seconds, or a script which monitors an upload log. There is no automatic method for doing this.
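One way to write the first kind of script, as an added example in Python that is neither ProFTPD code nor from the FAQ. A file counts as finished once its last modification is at least MIN_AGE seconds old (an in-progress upload keeps bumping the mtime); finished files are moved out of the upload directory into a holding directory, never overwriting an existing name there. The directory names and ages are assumptions, and `demo()` builds its own temporary directories so the logic can be exercised offline.

```python
import os
import shutil
import stat
import tempfile
import time


def is_settled(path, min_age, now=None):
    """True if `path` is a regular file (not a symlink or directory) whose
    last modification is at least `min_age` seconds in the past."""
    now = time.time() if now is None else now
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (now - st.st_mtime) >= min_age


def unique_destination(dest_dir, name):
    """Return a path in dest_dir that does not exist yet: name, name.1, name.2, ...
    so a second upload with the same name never clobbers the first."""
    candidate = os.path.join(dest_dir, name)
    n = 1
    while os.path.lexists(candidate):
        candidate = os.path.join(dest_dir, "%s.%d" % (name, n))
        n += 1
    return candidate


def rotate_uploads(upload_dir, dest_dir, min_age, now=None):
    """Move every settled file from upload_dir into dest_dir.
    Returns the list of (source, destination) pairs moved.  Subdirectories
    and symlinks are left where they are; dest_dir is created if missing."""
    moved = []
    os.makedirs(dest_dir, exist_ok=True)
    for name in sorted(os.listdir(upload_dir)):
        src = os.path.join(upload_dir, name)
        if not is_settled(src, min_age, now):
            continue
        dst = unique_destination(dest_dir, name)
        shutil.move(src, dst)
        moved.append((src, dst))
    return moved


def demo():
    """Constructed scenario: one upload finished ten minutes ago, one still
    being written, and a symlink that must be ignored.
    Returns (names moved, names left behind)."""
    base = tempfile.mkdtemp()
    try:
        up = os.path.join(base, "incoming")
        hold = os.path.join(base, "holding")
        os.mkdir(up)
        now = time.time()
        done = os.path.join(up, "done.iso")
        with open(done, "wb") as f:
            f.write(b"x" * 1024)
        os.utime(done, (now - 600, now - 600))       # finished long ago
        partial = os.path.join(up, "partial.iso")
        with open(partial, "wb") as f:
            f.write(b"y" * 512)                      # mtime is "now"
        os.symlink(done, os.path.join(up, "link"))   # never moved
        moved = rotate_uploads(up, hold, min_age=120, now=now)
        left = sorted(os.listdir(up))
        return [os.path.basename(d) for _, d in moved], left
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Run it from cron against the real incoming/ directory; the holding directory should sit outside the anonymous root so that nothing moved there is visible or writable to anonymous clients.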

5.6 How can I hide a directory from anonymous clients?
Use the HideUser or HideGroup directive in combination with the proper user/group ownership on the directory. For example, if you have the following directory in your anonymous FTP directory tree:

    drwxrwxr-x 3 ftp staff 6144 Apr 21 16:40 private

you can use a directive such as "HideGroup staff" to hide the private directory from a directory listing. For example:

    # replace the path with the location of "private" in your anonymous tree
    <Directory /path/to/anon-root/private>
      HideGroup staff
    </Directory>

5.7 File/directory hiding isn't working for me!
You need to make sure that the group you are hiding isn't the anonymous FTP user's primary group, or HideGroup won't apply.

5.8 I want to prevent users from accessing a hidden directory
You can either change the permissions on the directory to prevent the anonymous FTP user from accessing it, or, if you want to make it appear completely invisible (as though there is no such directory), use the IgnoreHidden directive inside a <Limit> block for one or more commands that you want to completely ignore the hidden directory entries (ignore = act as if the directory entry does not exist).

5.9 How do I set up a virtual FTP server?
You'll need to configure your host to be able to handle multiple IP addresses. This is often called "aliasing", and can generally be configured through an IP alias or dummy interface. You need to read your operating system documentation to figure out how to do this. Once you have the host configured to accept the additional IP address that you wish to offer a virtual FTP server on, use the <VirtualHost> configuration directive to create the virtual server:

    # 192.0.2.10 stands in for the additional IP address you configured
    <VirtualHost 192.0.2.10>
      ServerName "My virtual FTP server"
    </VirtualHost>

You can add additional directive blocks into the <VirtualHost> block in order to create anonymous/guest logins and the like which are only available on the virtual host.

5.10 I only want to allow anonymous access to a virtual server
Use a <Limit LOGIN> block to deny access at the top level of the virtual host, then use <Limit LOGIN> again in your <Anonymous> block to allow access to the anonymous login. This permits logins to a virtual anonymous server, but denies everything else. Example:

    # 192.0.2.10 stands in for the virtual server's IP address
    <VirtualHost 192.0.2.10>
      ServerName "My virtual FTP server"

      <Limit LOGIN>
        DenyAll
      </Limit>

      <Anonymous ~private>
        User private
        Group private

        <Limit LOGIN>
          AllowAll
        </Limit>
      </Anonymous>
    </VirtualHost>

5.11 How does <Limit LOGIN> work, and where should I use it?
The <Limit LOGIN> directive is used to control connection or login access to a particular context (the directive block which contains it). When a client first connects to proftpd, the daemon searches the configuration tree for <Limit LOGIN> directives and their attached parameters (Allow, Deny, Order and so on). If it determines that there is no possible way for the client ever to be allowed to log in, such as a "Deny from" matching the client's source address without an overriding "Allow from" at a lower level, the client is disconnected without being given the opportunity to transmit a user name and password.

However, if it is possible for the client to be allowed a login, proftpd continues as normal, allowing the client to log in only if the proper <Limit LOGIN> applies. Normally, <Limit LOGIN> blocks are allowed in the server config, <VirtualHost> and <Anonymous> contexts. <Limit LOGIN> should not be used in a <Directory> context, as clients do not connect to or log in to a directory (it is meaningless there).

By way of example, the following configuration snippet illustrates a deny which will cause any incoming connection from the 10.1.1.x subnet to be immediately disconnected, without a welcome message. Note that the order matters: with Order deny,allow the Deny line is checked first, so the "Allow from all" that follows does not undo it.

——————————————————————————–

<Limit LOGIN>
  Order deny,allow
  Deny from 10.1.1.
  Allow from all
</Limit>

——————————————————————————–

Next, an example of a configuration using <Limit LOGIN> that will not immediately disconnect an incoming client, but will return "Login incorrect" for all login attempts except anonymous, because the <Anonymous> block's AllowAll means a login is still possible:

——————————————————————————–

<Limit LOGIN>
  DenyAll
</Limit>

# User/Group and the rest of the anonymous setup as in 5.10
<Anonymous /home/ftp>
  <Limit LOGIN>
    AllowAll
  </Limit>
</Anonymous>

——————————————————————————–
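The following is an added example, not code from this FAQ or from the ProFTPD project: a small Python model of how the Order, Allow and Deny lines of a <Limit LOGIN> block decide a client's fate, and of the pre-login check described above (disconnect at once only when no context could ever admit the client). The address-pattern matching follows the page's "10.1.1." dotted-prefix form; CIDR patterns are an extension beyond what the page shows. The rule "first matching directive wins, in the order named by Order" and the outcome when nothing matches (deny for allow,deny, allow for deny,allow) are this example's assumptions about the directives and should be checked against the ProFTPD Order documentation before being relied on.

```python
"""Model of <Limit LOGIN> evaluation (added example; assumptions are marked)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

ALLOW, DENY = "allow", "deny"


def pattern_matches(pattern: str, client_ip: str) -> bool:
    """Match one 'Allow from' / 'Deny from' argument against a client address.

    'all' matches everything; a trailing dot ('10.1.1.') is the page's prefix
    form; 'a.b.c.d/n' (CIDR) is an assumed extension beyond the page; anything
    else must be an exact address.
    """
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    if "/" in pattern:  # CIDR form, assumption: not shown on the page
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # '10.1.1.' matches 10.1.1.x but not 10.1.10.x
        return client_ip.startswith(pattern)
    return client_ip == pattern


@dataclass
class LoginLimit:
    """One <Limit LOGIN> block: Order plus its Allow/Deny patterns.

    AllowAll is represented as allow=['all'], DenyAll as deny=['all'].
    """
    order: str = "allow,deny"
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)

    def decide(self, client_ip: str) -> str:
        """Return ALLOW or DENY for client_ip; first matching list wins."""
        first, second = [v.strip().lower() for v in self.order.split(",")]
        patterns = {ALLOW: self.allow, DENY: self.deny}
        for verdict in (first, second):
            if any(pattern_matches(p, client_ip) for p in patterns[verdict]):
                return verdict
        # Assumption: when nothing matches, the result is the opposite of the
        # list checked first (allow,deny -> deny; deny,allow -> allow).
        return DENY if first == ALLOW else ALLOW


def connection_verdict(server: LoginLimit, nested: List[LoginLimit], client_ip: str) -> str:
    """Model the check made before USER is accepted.

    'prompt' means the server lets the client send credentials because some
    context (server level, or a nested <Anonymous> block) could admit it;
    'disconnect' means no context can, so the client is dropped with no banner.
    """
    if server.decide(client_ip) == ALLOW:
        return "prompt"
    if any(lim.decide(client_ip) == ALLOW for lim in nested):
        return "prompt"
    return "disconnect"


if __name__ == "__main__":
    # The page's first snippet: Order deny,allow / Deny from 10.1.1. / Allow from all
    subnet_block = LoginLimit("deny,allow", allow=["all"], deny=["10.1.1."])
    # The same lines with the order flipped: 'Allow from all' is checked first
    flipped = LoginLimit("allow,deny", allow=["all"], deny=["10.1.1."])
    # The page's second snippet: DenyAll at server level, AllowAll in <Anonymous>
    server_deny = LoginLimit(deny=["all"])
    anon_allow = LoginLimit(allow=["all"])
    for ip in ("10.1.1.42", "10.1.10.42"):
        print(ip, "intended:", subnet_block.decide(ip), "flipped:", flipped.decide(ip))
        print(ip, "subnet block ->", connection_verdict(subnet_block, [], ip))
        print(ip, "DenyAll + anon AllowAll ->", connection_verdict(server_deny, [anon_allow], ip))
```

The flipped case is the practical lesson: with Order allow,deny and "Allow from all" present, the Deny line never gets a chance, and the subnet you meant to block is admitted.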

5.12 How can I limit users to a particular directory tree?
For general open access you can use an <Anonymous> directive context block, possibly in combination with the UserPassword/AnonRequirePassword directives.

However, if you wish to jail an entire group (or groups) of users, you can use the DefaultRoot directive. DefaultRoot lets you specify a root jail directory (or ~ for the user's home directory), and an optional group-expression argument which controls which groups of users the jail is applied to. For example:

——————————————————————————–

DefaultRoot ~

# This creates a configuration where all users who log into
# myhost.mynet.foo are jailed into their home directories (they cannot
# chdir into a higher-level directory). Alternatively, you could:

DefaultRoot /u2/public users,!staff

——————————————————————————–

In this example, all users who are members of group "users" but not members of group "staff" are jailed into /u2/public. If a user does not meet the group-expression requirements, they log in as normal (not jailed, default directory is their home). You can use multiple DefaultRoot directives to create multiple jails inside the same directive context. If two DefaultRoot directives apply to the same user, proftpd arbitrarily chooses one (based on how the configuration file was parsed), so write group expressions that do not overlap rather than relying on that choice.

Security implications
The DefaultRoot directive is implemented using the chroot(2) system call. This moves the "/" (root) directory to a specified point within the file system and jails the user into that sub-tree. However, this is not the holy grail of security: a chroot jail can be broken. It is not a trivial matter, but it is nowhere near impossible, in particular for a process that keeps root privileges inside the jail. DefaultRoot should be used as part of a general system of security, not as the only security measure.

A more detailed discussion on this subject and on the breaking of chroot jails has been written by Simon Burr.

Non-root server issues
The chroot() system call will not work under a non-root FTP server process; the call requires root privileges, and without them it simply does not work. There does not appear to be any check of the uid/gid in the code before chroot is called, so using DefaultRoot in such a setup will cause the server to fail.

Symlinks
Symlinks to locations outside the jail will not work from within a chrooted area. The reason should be clear from a casual inspection of the nature of chroot: a symbolic link pointing at a directory outside the current chroot cannot be resolved, because that path does not exist inside the jail. Workarounds to allow access to other parts of the file system include exporting the part of the file system to be accessed from inside the chroot and mounting it via NFS, using hard file links (same file system only, and not for directories), or (on Solaris) using lofs to mount the directory via the loopback file system. On Linux the equivalent is a bind mount (mount --bind).

mount -F lofs /home/data1 /ftp/data1
mount -F lofs /home/data2 /ftp/data2

5.13 How do I create individual anonymous FTP sites for my users?
There are two methods of accomplishing this (possibly more). First, you can create a directory structure inside your anonymous FTP root directory, with a single directory for each user and ownership/permissions set as appropriate. Then either create a symlink from each user's home directory into the FTP site, or instruct your users on how to access their directory.

The alternative (and more versatile) method of accomplishing per-user anonymous FTP is to use AnonymousGroup in combination with the DefaultRoot directive. You will probably want to do this inside a <VirtualHost>, otherwise none of your users will be able to access your system without being stuck inside their per-user FTP site. Additionally, you will want to use a <Limit LOGIN> block to carefully limit outside access to each user's site.

Create a new Unix group on your system named `anonftp'. Place each user who will have per-user anonymous FTP in this group.
Create an `anon-ftp' and `anon-ftp/incoming' directory in each user's home directory.
Modify your /etc/proftpd.conf file to look something like this (you will probably want to customize this to your needs):

——————————————————————————–

# 192.0.2.11 stands for the address of the per-user anonymous virtual host
<VirtualHost 192.0.2.11>

  # the next line limits all logins to this virtual host, so that only
  # anonftp users can connect
  <Limit LOGIN>
    DenyGroup !anonftp
  </Limit>

  # limit access to each user's anon-ftp directory; we want read-only
  # except on incoming
  <Directory ~/anon-ftp>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>

  # permit STOR access to each user's anon-ftp/incoming directory,
  # but deny everything else
  <Directory ~/anon-ftp/incoming>
    <Limit STOR>
      AllowAll
    </Limit>
    <Limit READ>
      DenyAll
    </Limit>
  </Directory>

  # provide a default root for all logins to this virtual host.
  DefaultRoot ~/anon-ftp

  # finally, force all logins to be anonymous for the anonftp group
  AnonymousGroup anonftp

</VirtualHost>

——————————————————————————–

A write-only incoming directory like this is the classic drop box; check it regularly, keep it on a file system with quotas (see 5.18), and do not let it be readable, or it will be used to trade files between strangers.
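As an added example (not code from this FAQ or from the ProFTPD project), here is a Python evaluator for the group-expression syntax that both 5.12 (DefaultRoot ... users,!staff) and 5.13 (DenyGroup !anonftp, AnonymousGroup anonftp) depend on, so a jail or login gate can be checked against a user's group list before the configuration goes live. The rule "comma-separated terms that must all hold, with ! negating a term" is taken from the page's description of DefaultRoot; the group table is constructed here instead of being read from /etc/group; and because the page says proftpd picks arbitrarily when several DefaultRoot lines apply, the model returns the first one in file order and flags the ambiguity rather than claiming to know which one the daemon would use.

```python
"""Evaluate ProFTPD-style group expressions (added example, constructed data)."""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed group database: each user's primary and supplementary groups.
GROUPS: Dict[str, List[str]] = {
    "alice": ["users"],
    "bob":   ["users", "staff"],
    "carol": ["users", "anonftp"],
    "dave":  ["staff"],
}


def expr_matches(expr: str, user_groups: Sequence[str]) -> bool:
    """True when every term of a group-expression holds for user_groups.

    A bare name requires membership; '!name' requires non-membership.
    'users,!staff' therefore means: in users AND not in staff.
    """
    groups = set(user_groups)
    for term in expr.split(","):
        term = term.strip()
        if not term:
            continue
        negate = term.startswith("!")
        name = term[1:] if negate else term
        if (name in groups) == negate:   # membership contradicts the term
            return False
    return True


def default_root(user: str, rules: Sequence[Tuple[str, Optional[str]]],
                 home: str) -> Tuple[Optional[str], bool]:
    """Resolve a list of DefaultRoot lines, given as (path, expression-or-None).

    Returns (jail directory or None when the user stays unjailed, ambiguous),
    where ambiguous is True when more than one line applies; the page says
    proftpd then chooses arbitrarily, so the first match here is only a guess.
    """
    user_groups = GROUPS.get(user, [])
    hits = [path for path, expr in rules
            if expr is None or expr_matches(expr, user_groups)]
    if not hits:
        return None, False
    chosen = home if hits[0] == "~" else hits[0]
    return chosen, len(hits) > 1


def login_permitted(user: str, deny_group_expr: str) -> bool:
    """Model '<Limit LOGIN> DenyGroup <expr>': login is refused when expr matches."""
    return not expr_matches(deny_group_expr, GROUPS.get(user, []))


if __name__ == "__main__":
    rules = [("/u2/public", "users,!staff")]           # the 5.12 example
    for user in GROUPS:
        print(user, "jail:", default_root(user, rules, f"/home/{user}"),
              "may log in to anonftp host:", login_permitted(user, "!anonftp"))
```

Run against the constructed table, alice is jailed into /u2/public, bob and dave are not (bob is in staff, dave is not in users), and only carol passes the DenyGroup !anonftp gate from 5.13.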

5.14 I want to support normal login and anonymous under a particular user
You can use the AuthAliasOnly directive to control how and where real user names get authenticated (as opposed to aliased names, via the UserAlias directive). Note that it is still impossible to have two identical aliased names log in to different anonymous sites; for that you would need separate <VirtualHost> blocks.

Example:

——————————————————————————–

# the anonymous root directory shown is illustrative
<Anonymous /home/jrluser>
  User jrluser
  Group jrluser
  UserAlias ftp jrluser
  UserAlias anonymous jrluser
  AuthAliasOnly on
</Anonymous>

——————————————————————————–

Here, the <Anonymous> configuration for jrluser is set to allow alias authentication only. Thus, if a client attempts to authenticate as jrluser, the anonymous config is ignored and the client is authenticated as a normal user (typically resulting in `jrluser' logging in normally, with that user's full privileges). However, if the client uses the aliased user name `ftp' or `anonymous', the <Anonymous> block is applied.

5.15 Why doesn't anonymous FTP work (550 Login incorrect)?
Check the following first:

Make sure the user/group you specified inside the <Anonymous> block actually exist. These must be a real user and group, as they are used to control whom the daemon runs as and authenticates as.
If RequireValidShell is not specifically turned off, make sure that your "ftp user" (as specified by the User directive inside the <Anonymous> block) has a valid shell listed in /etc/shells. If you do not wish to give the user a valid shell, you can always use "RequireValidShell off" to disable this check.
If UseFtpUsers is not specifically turned off, make sure that your "ftp user" is not listed in /etc/ftpusers.

If all else fails, check your syslog. When authentication fails for any reason, proftpd logs the reason for the failure via syslog, using the auth (or authpriv) facility. If you need further assistance, you can send email, including the related syslog entries and your configuration file (with any passwords removed), to the proftpd mailing list mentioned elsewhere in this FAQ.

5.16 Bandwidth control
The Bandwidth directive was removed as of 1.2.0pre8. This directive acted on a per-virtual-host basis, and it was generally understood to work on the principle that a single connection to a given virtual host could take the full bandwidth limit until other connections were made. However, since the server uses either a separate-process (inetd) or forked (standalone) model, there is no way for the various processes to communicate and therefore no way for them to share a bandwidth allocation.

The replacement does the same job but in a more rigorous and precise manner. The directives RateReadBPS, RateReadFreeBytes and RateReadHardBPS work by limiting on a per-connection basis.

Bandwidth 81920

is replaced with something like

RateReadBPS 81920
RateReadFreeBytes 5120
RateReadHardBPS on

To achieve a total limit on a per-virtual-host basis, a mix of RateReadBPS and MaxClients is needed, i.e. RateReadBPS x MaxClients = total bandwidth allocation. There is no way (at the moment) to specify that virtual server xyz has a maximum total bandwidth of 200k/s to share between all of its connections.

Per-virtual, per-user and global limits are currently in the "to be coded" pile and are pencilled in for the 1.3.x development series. Some work on a shared communication system between server processes is needed before this can happen.

Rate controls aren't working
In pre9 and earlier, Rate* does not work if sendfile support is enabled; recompile with --without-sendfile and all should be as expected.

5.17 chmod isn't working
As of rc1 the AllowChmod directive was added to control who is allowed to use the chmod command (SITE CHMOD). The default value for this directive is off, so it has to be turned on explicitly where chmod is wanted.

5.18 How can I limit the size of uploaded files?
There is no way within proftpd itself to control how large a file can be uploaded. The best solution to this problem at the moment is to use whatever disk quota tools are available within your OS, applied to the user the upload runs as (for an <Anonymous> block, the User given there).

6. Security
6.1 General
Between versions 1.2.0pre3 and 1.2.0pre7 there were a number of buffer-overflow type security problems in proftpd; with the release of pre7 these should be under control. No absolute statement can be given on the security of the software (this is true of every piece of software out there), but a significant amount of effort has been put into removing the more dangerous library calls which are prone to overflow attacks.

Versions 1.2.0 and later should be considered production code, and few if any new features will be added to this branch, to maintain stability. Whichever version you run, track the project's security announcements and upgrade when a fix is released.

What about using StackGuard?
StackGuard is a gcc variant which can protect programs from stack-smashing attacks: a program compiled with StackGuard dies instead of executing code injected onto the stack. While this approach is a good first line of defence against future problems, it is not a complete cure-all. Some of the buffer overflows were found in static variables, which are not protected by stack protection mechanisms.

6.2 Surely running proftpd as non-root will help?
Running proftpd as a non-root user gives only a marginal security improvement over the normal case and adds some functional problems, such as not being able to bind to ports 20 or 21 unless it is spawned from inetd, and not being able to chroot (see 5.12).

proftpd takes a middle road in terms of security. It only uses root privileges where required and drops to the uid defined in the config file at all other times. Times when root is required include binding to ports < 1024, setting resource limits, reading configuration information and some network code.

For Linux 2.2.x kernel systems there is the mod_linuxprivs module, which uses POSIX-style capabilities and allows very fine-grained control over privileges, so the process keeps only the capabilities it actually needs rather than full root. This is highly recommended for security-conscious admins.

6.3 How can I control what commands the server accepts?
Use a sane AllowFilter/DenyFilter. These directives use regular expressions to control all text sent over the control socket: an AllowFilter rejects anything that does not match its expression, a DenyFilter rejects anything that does. A whitelist (AllowFilter) of the characters you expect in file names is the safer of the two, since a blacklist only catches what you thought of. (If anyone has some good examples please let me know.)
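Since the page offers no filter examples, here is an added one, not code from this FAQ or from the ProFTPD project: a Python model that runs an AllowFilter-style whitelist and a DenyFilter-style blacklist over constructed control-connection lines. Both regular expressions are this example's own, the model applies them to the argument text after the command verb, and it treats a DenyFilter match or an AllowFilter mismatch as a rejection; all three are assumptions about how such filters would be written and used, made so the trade-off between the two styles can be seen on real-looking input.

```python
"""Whitelist vs blacklist command filtering (added example; patterns are assumed)."""
import re
from typing import Optional, Tuple

# Whitelist: the characters a well-behaved client puts in a path or argument.
ALLOW_FILTER = re.compile(r"^[A-Za-z0-9 ._/,-]*$")
# Blacklist: format-string, shell metacharacter and directory-traversal tokens.
DENY_FILTER = re.compile(r"(%|\.\./|[;|`$<>])")

# Constructed control-channel input, one command per line.
SAMPLE_LINES = [
    "USER anonymous",
    "RETR pub/README.txt",
    "CWD ../../etc",
    "RETR %s%s%s%n",
    "STOR incoming/report.csv",
    "SITE CHMOD 777 incoming",
    "LIST -la",
]


def split_command(line: str) -> Tuple[str, str]:
    """Separate the FTP verb from its argument string: 'RETR pub/x' -> ('RETR', 'pub/x')."""
    verb, _, args = line.strip().partition(" ")
    return verb.upper(), args


def check_line(line: str, allow: Optional[re.Pattern] = ALLOW_FILTER,
               deny: Optional[re.Pattern] = DENY_FILTER) -> Tuple[bool, str]:
    """Return (accepted, reason). The blacklist is checked first, then the whitelist.

    Passing allow=None or deny=None switches that filter off, which lets the
    two styles be compared on the same input.
    """
    verb, args = split_command(line)
    if deny is not None and deny.search(args):
        return False, f"{verb}: argument matches DenyFilter"
    if allow is not None and not allow.fullmatch(args):
        return False, f"{verb}: argument does not match AllowFilter"
    return True, f"{verb}: accepted"


def audit(lines=SAMPLE_LINES) -> dict:
    """Run every line through both filters; map each line to its accepted flag."""
    return {line: check_line(line)[0] for line in lines}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:32} -> {check_line(line)[1]}")
    odd_name = "STOR incoming/a&b.txt"   # legitimate but unusual file name
    print("whitelist only:", check_line(odd_name, deny=None)[1])
    print("blacklist only:", check_line(odd_name, allow=None)[1])
```

The traversal and format-string lines are caught by either filter, but the file name containing "&" shows the trade-off: the whitelist rejects a harmless but unanticipated character, while the blacklist passes any character it was not told about, which is the reason to prefer the whitelist when the set of legitimate names is known.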

6.4 How can I prevent the server version from being displayed?
Setting ServerIdent to "off" turns off the information about what type of server is running. To have maximum effect this directive should either be in the global context or included in every virtual host block and the default block; a virtual host without it falls back to the default banner. You can verify the result by connecting with an FTP client and reading the 220 greeting line.

——————————————————————————–

ServerIdent on "linux.co.uk server"

ServerIdent off

——————————————————————————–

6.5 I want to show a message prior to login
Use the DisplayConnect directive to specify a file containing a message to be displayed before login.

——————————————————————————–

DisplayConnect /ftp/ftp.virtualhost/login.msg

——————————————————————————–

6.6 I want to display a message after login
Use the DisplayLogin directive; this sends the specified ASCII file to the connected user.

——————————————————————————–

DisplayLogin /etc/proftp.msg

——————————————————————————–

6.7 Can I have a custom welcome response?
Use the AccessGrantMsg directive; this sends a simple single-line message back to the user after a successful authentication. Magic cookies (such as %u for the user name) appear to be honoured in this directive.

——————————————————————————–

AccessGrantMsg "guest access granted for %u."

——————————————————————————–

Note that this directive has an overriding default and needs to be specified in both <VirtualHost> and <Anonymous> blocks.

6.8 External programs
proftpd has been designed to run as a secure FTP server, which means it tries to keep as much as possible under its control. An external program is a security risk in itself, because its behaviour cannot be controlled from within the ftpd code, and it runs with whatever privileges the daemon holds at the time it is invoked.

7. User authentication
This section is being rewritten due to major structural changes to the SQL module prior to 1.2.0.

7.1 Why is PAM the default authentication system?
Security, pure and simple. PAM is the most secure (or securable) of the available authentication systems. Many of the issues and configuration hints for PAM are contained in README.pam, which is bundled with the server source and with the various packaged builds. To use /etc/passwd directly instead, manual compilation is required, with the configure script run with the --without-pam flag. Unless the PAM subsystem is properly configured, authentication will fail.

7.2 Authentication methods supported

PAM
Standard /etc/passwd lookups
NIS
Shadow passwords
Individual passwd/group files for each virtual host
SQL databases

If these do not fit in with your system, then writing a custom module, or using an approach such as /etc/ld.so.preload (LD_PRELOAD) to intercept the getpwnam() library calls, works happily with proftpd.

7.3 Problems with non-PAM authentication
Generally these problems will be cured either by disabling PAM completely or by ensuring that these directives are set:

——————————————————————————–

PersistentPasswd off
AuthPAMAuthoritative off

——————————————————————————–

7.4 AuthPAMAuthorative is an unknown directive!
Check the spelling: it should be AuthPAMAuthoritative, not AuthPAMAuthorative or any other variation.

7.5 Configuring PAM
There is a README.pam in the top directory of the proftpd source tree:

Red Hat Linux

——————————————————————————–

#%PAM-1.0
auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so

——————————————————————————–

Note that onerr=succeed means a missing or unreadable /etc/ftpusers lets every user through the pam_listfile check; if you rely on that file to block accounts, make sure it exists and is readable, or use onerr=fail.

SuSE Linux
SuSE appears to use pam_unix rather than pam_pwdb, which is the Red Hat approach. All references to pam_pwdb should be replaced with "pam_unix" on SuSE systems.

The following fragment is reported to work fine on SuSE 6.2:

——————————————————————————–

/etc/pam.d/ftpd
#%PAM-1.0

# uncomment this to achieve what used to be ftpd -a.
# auth       required     /lib/security/pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail

auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       sufficient   /lib/security/pam_ftp.so
auth       required     /lib/security/pam_unix.so
auth       required     /lib/security/pam_shells.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_unix.so
session    required     /lib/security/pam_unix.so

——————————————————————————–

FreeBSD
FreeBSD does not support PAM session directives. If you remove the following line from the FreeBSD section of README.pam, PAM should work properly under recent versions of FreeBSD.

——————————————————————————–

ftp session required pam_unix.so try_first_pass

——————————————————————————–

7.6 pam_sm_open_session errors
proftpd requires PAM version 0.59 or later; pam_sm_open_session is not part of earlier versions.

7.7 Normal users can't log in, only anon.
Check that the /etc/pam.d/ftp file exists on the system and is configured as detailed in README.pam.

7.8 AuthPAMAuthoritative
Currently AuthPAMAuthoritative defaults to "on", resulting in login failures if PAM cannot authenticate the user. This breaks the AuthUserFile directive, as it never gets a chance to authenticate the user unless AuthPAMAuthoritative is set to "off".

The reasoning behind the current default is to ensure that the system is secure by default, requiring that the admin explicitly and knowingly disable it. There are discussions under way which may result in the directive flipping to a default of "off" if AuthUserFile is specified.

Note: as of the current CVS and the forthcoming pre9 release the default has changed to "off".

7.9 LDAP
mod_ldap is currently stable; there were a couple of bugs that were squashed after release 1.0 of the module. It is still under development; check the website for more information. There is an example config fragment on the author's site which gives a reasonable idea of how to use this module.

7.10 Encrypted passwords
There are patches being merged in at the moment to provide SHA encryption. The plan is to have the server get all user information except passwords via an anonymous bind. The server will then reconnect as a user is logging in and attempt to get the password via an encrypted connection. This should be in the next major release of mod_ldap (2.5).

7.11 SecurID
No support yet.

7.12 One-time passwords
This is possible using either PAM or the OPIE module. The module passes back a challenge which the user enters into a key generator along with their pass phrase; it returns a short sequence of words which is sent as the password. As long as you do it correctly it will never repeat, so a password captured on the wire (FTP sends it in clear) cannot be replayed.

It requires OPIE to be installed on the server. There are key-generator clients for Win95/98, *nix and Mac.

ftp://ftp.urbanrage.com/pub/c/mod_opie.c

7.13 RADIUS
RADIUS support is not built into proftpd, though there is nothing stopping someone writing a module and submitting it for inclusion in the code tree. Possibly the easiest way to implement RADIUS is by using the modules available for PAM together with the inbuilt PAM support.

7.14 Anonymous password checking
Is it possible to check an offered email address in an anonymous login before allowing access? Simple answer: no. Anonymous access is designed to be freely open, without checks and restrictions other than those placed on upload/download from the site, and whatever a client types as its "email address" cannot be verified. The best that can be hoped for is decent logging and tracking of accesses, including the requesting IP.

7.15 Configuring for SQL authentication

./configure --with-modules=mod_sqlpw:mod_mysql
Edit Make.rules
Compile with: make
Then install per the proftpd instructions: make install
Edit the proftpd configuration file /usr/local/etc/proftpd.conf
Set up your system so libmysqlclient.so can be found

Note that the ordering of the modules in the configure command is significant; incorrect ordering will cause problems.

Edit Make.rules

Add the location of the MySQL include files to CPPFLAGS in Make.rules:
CPPFLAGS=$(DEFAULT_PATHS) $(PLATFORM) -I.. -I$(top_srcdir)/include -I/usr/local/mysql/include/mysql
Add the location of the MySQL client library to LDFLAGS in Make.rules:
LDFLAGS=-L/home/builds/proftpd-1.2.0pre10/lib -L/usr/local/mysql/lib/mysql
Add the MySQL client library to the LIBS variable so that it is linked in:
LIBS=-lsupp -ldl -lcrypt -lm -lmysqlclient -lpam

Edit the proftpd.conf file
Make sure to add these lines and change them where appropriate (for example the password). The configuration file now contains a database password, so it must not be world-readable. SQLPlaintextPasswords on means the password column holds clear-text passwords; that is the simplest setup, but anyone with read access to the table (or a database backup) then has every FTP password.

——————————————————————————–

--[ proftpd.conf ]--
# auth using mysql        host       login    pass    db
MySQLInfo                 localhost  hamster  *****   proftpd
SQLUserTable              ftp
SQLUsernameField          username
SQLUidField               uid
SQLGidField               gid
SQLPasswordField          password
SQLHomedirField           homedir
SQLLoginCountField        count
SQLAuthoritative          on
SQLPlaintextPasswords     on
--[ proftpd.conf ]--

——————————————————————————–

Set up your system so libmysqlclient.so can be found

First decide how to do it. On Linux there are three options: make it system-wide by editing /etc/ld.so.conf, set LD_LIBRARY_PATH for root, or set it in a shell wrapper script around proftpd. If you are on Linux and are not installing more than one version of MySQL, use the ld.so.conf method.

Linux, editing /etc/ld.so.conf: as root, add the same path you added to LDFLAGS (/usr/local/mysql/lib/mysql) at the bottom of the file and run the ldconfig program. There will be no visible sign that this has worked; it just will.

Setting LD_LIBRARY_PATH: add these lines to either root's .profile (or .bashrc) or to the shell script that wraps proftpd. Note that a setting in root's profile only affects a daemon started from that interactive shell, not one started from an init script, which is why the wrapper-script form is the reliable one.

——————————————————————————–

if [ -z "$LD_LIBRARY_PATH" ] ; then
    export LD_LIBRARY_PATH="/usr/local/mysql/lib/mysql"
else
    export LD_LIBRARY_PATH="/usr/local/mysql/lib/mysql:$LD_LIBRARY_PATH"
fi

——————————————————————————–

Detailing how to use MySQL is outside the scope of this document, so here are some pointers.

Administration
Intro

Quick rundown of what is needed to make a database:

Create a user for proftpd to access the database as
Create permissions for this user
Create a new database (mine is called proftpd)
Reload as required to make this live
Create a table within proftpd (mine is ftp)

Creating a user

Connect to the MySQL access database: mysql mysql
Use INSERT to add the user you want proftpd to use to access the database:
INSERT INTO user VALUES ('%', 'hamster', PASSWORD('mypasswd'), 'Y','N','Y','N','N','N','N','N','N','N','N','N','N','N');

The above INSERT will work for MySQL v3.23.x; if you are using an older MySQL, remove the last four 'N' values. Be aware that a row in the user table grants privileges globally: this one gives hamster SELECT and UPDATE on every database, from any host ('%'). For a daemon that only ever reads one table from localhost, a GRANT limited to the proftpd database and to the connecting host is the least-privilege alternative. Your user access table in MySQL v3.23.x should look like:

——————————————————————————–

+------+---------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| host | user    | password         | select_priv | insert_priv | update_priv | delete_priv | create_priv | drop_priv | reload_priv | shutdown_priv | process_priv | file_priv | grant_priv | references_priv | index_priv | alter_priv |
+------+---------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| %    | hamster | 0d26d1e75ffa7efb | Y           | N           | Y           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
+------+---------+------------------+-------------+-------------+-------------+-------------+-------------+----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+

——————————————————————————–

Creating the database

Use the mysqladmin command to create the database:
mysqladmin create proftpd

Reloading and refreshing the MySQL daemon

Use the mysqladmin command to make it refresh and reload its database pointers and grant tables:
mysqladmin refresh
mysqladmin reload

Creating the table

Copy the following SQL CREATE statement to a file and run it:
mysql proftpd < table_create_file

——————————————————————————–

# mysqldump proftpd ftp
# MySQL dump 8.2
#
# Host: localhost    Database: proftpd
#--------------------------------------------------------
# Server version        3.23.13a-alpha-log

#
# Table structure for table 'ftp'
#

CREATE TABLE ftp (
  username varchar(60) binary,
  uid int(11),
  gid int(11),
  password varchar(30),
  homedir varchar(250),
  count int(11)
);

——————————————————————————–

Note that as dumped, every column is nullable and username is not unique; a NOT NULL constraint on username, uid, gid and homedir, and a unique key on username, will stop a duplicate or half-filled row from producing a login with a missing home directory or an unintended uid.

You may want to refresh and reload MySQL again, as described above. What you should end up with is something that looks like this:

——————————————————————————–

Database changed
mysql> show tables;
+-------------------+
| Tables in proftpd |
+-------------------+
| ftp               |
+-------------------+
1 row in set (0.02 sec)

mysql> show columns from ftp;
+----------+--------------------+------+-----+---------+-------+---------------+
| Field    | Type               | Null | Key | Default | Extra | Privileges    |
+----------+--------------------+------+-----+---------+-------+---------------+
| username | varchar(60) binary | YES  |     | NULL    |       | select,update |
| uid      | int(11)            | YES  |     | NULL    |       | select,update |
| gid      | int(11)            | YES  |     | NULL    |       | select,update |
| password | varchar(30)        | YES  |     | NULL    |       | select,update |
| homedir  | varchar(250)       | YES  |     | NULL    |       | select,update |
| count    | int(11)            | YES  |     | NULL    |       | select,update |
+----------+--------------------+------+-----+---------+-------+---------------+
6 rows in set (0.00 sec)

——————————————————————————–

Note: in MySQL v3.23.x and above you will see a Privileges column; if you are running an older version, you will not.

Database permissions
At the very least, the user/host the proftpd daemon uses to connect to the SQL server should have SELECT permission on the user table. If the "count" field is being used to track a user's logins, then UPDATE is also required. Grant nothing beyond these two on that table, and nothing on other databases: the daemon never needs INSERT, DELETE or DDL rights. The lack of the required permissions may cause the server to fail.

Gotchas

421 Service not available
Make sure that the home directory of the user concerned actually exists and has the right ownership/permissions.

Can't connect to the database

Is it running?
Is it listening on the host and port given in MySQLInfo?
Does the user proftpd is using have the right permissions, for the host it connects from?

7.16 Can I run the whole process in a chroot()?
No, not at the moment. proftpd was not designed to run chrooted and needs access to various system files throughout its normal running lifetime (/etc/passwd, for example).

8. Hamster droppings
8.1 Why...
This chapter is not meant to be meaningful; it is where I cut and paste ideas, comments and code fragments before I work them into the main part of the document.

8.2 Odds and ends
Why can't I delete a directory with DELE?

Port bouncing, FTP bouncing, privileged ports

hiding dire
