proftpd安装文档----ftp虚拟用户
ftp虚拟用户
proftpd安装文档ftp虚拟用户
http://www.proftpd.org/
作者:linuxpf
注:此文档proftpd安装入门参考资料,也为本人学习总结,文中参考网络中部分资料,如有不对请指点,欢迎大家一同交流
qq群:19180048
源码软件包:proftpd是开源自由软件,目前最新稳定版本为1.3.1,注proftpd1.3.1安装与1.2.X配置文件语法有些不同
平台:centos4.6
一:RPM安装。图方便的话采用 rpm 安装效果并不差,关键在于实用性强、稳定性好;注意安装前应先校验软件包签名(rpm -K,需先导入该仓库的 GPG 公钥),以免安装来路不明的包。
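# All commands in this document are run as root (the original shows a "#" prompt).
#
# NOTE(review): both downloads arrive over plain ftp/http with no integrity
# check, and ftpasswd is a script that is then executed as root. Verify the
# RPM signature before installing (rpm -K needs the repository's GPG key
# imported first), and prefer the ftpasswd shipped inside the matching ProFTPD
# source tarball (contrib/ftpasswd, used in part two) over a separate download.
wget ftp://194.199.20.114/linux/dag/redhat/el4/en/i386/dag/RPMS/proftpd-1.3.1-1.el4.rf.i386.rpm
wget http://www.castaglia.org/proftpd/contrib/ftpasswd
# /sbin/bin (the original target) does not exist on a stock system; install the
# helper where the source-install section also puts it, executable for root.
install -m 0755 ftpasswd /usr/local/bin/ftpasswd
# Check the package signature, then install.
rpm -K proftpd-1.3.1-1.el4.rf.i386.rpm
rpm -ivh proftpd-1.3.1-1.el4.rf.i386.rpm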
修改配置文件:
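# Keep a pristine copy of the shipped configuration before editing.
# The guard keeps a re-run of these steps from overwriting the original
# backup with an already-modified proftpd.conf.
cd /etc
[ -e proftpd.conf-dist ] || cp proftpd.conf proftpd.conf-dist
vi proftpd.conf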
----------------------------------------------------------------
"proftpd.conf" 155L, 4484C
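# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $
#
# NOTE(review): this listing was recovered from an HTML paste that split every
# "Directive value" pair over two lines and stripped the <Global>, <Limit>,
# <Anonymous> and <Directory> container tags. The container tags below are
# restored from the stock RPM configuration this file derives from -- confirm
# them against your own /etc/proftpd.conf-dist before relying on them.

ServerName              "The ProFTPD server"
# A custom ident string keeps the server version out of the greeting banner.
ServerIdent             on "FTP Server ready."
# Typo fixed: the original read "rot@localhost".
ServerAdmin             root@localhost
ServerType              standalone
#ServerType             inetd
DefaultServer           on
AccessGrantMsg          "User %u logged in."
#DisplayConnect         /etc/ftpissue
#DisplayLogin           /etc/ftpmotd
#DisplayGoAway          /etc/ftpgoaway
DeferWelcome            off

# Use this to exclude users from the chroot
#DefaultRoot            ~ !adm
# Every user is chrooted into its home directory. For the virtual users
# created with ftpasswd this is what confines them to their --home.
DefaultRoot             ~

# Authentication.
# AuthOrder names the only auth module that is consulted: mod_auth_file.c,
# i.e. the ftpd.passwd / ftpd.group files below. System accounts
# (mod_auth_unix) are therefore not usable for FTP logins, which is the
# isolation this virtual-user setup is after. The AuthPAM lines are kept from
# the stock file but appear to be inert while mod_auth_pam.c is absent from
# AuthOrder -- TODO(review): confirm against the mod_auth_pam docs for 1.3.1,
# or drop them.
AuthPAM                 on
AuthPAMConfig           proftpd
AuthOrder               mod_auth_file.c
# These files hold password hashes: keep them root-owned and not
# world-readable (see the AuthFiles / VirtualUsers howtos for the exact
# owner and mode this version accepts).
AuthUserFile            /etc/proftpd/ftpd.passwd
AuthGroupFile           /etc/proftpd/ftpd.group
# Virtual users are created with --shell=/sbin/nologin, which is not listed in
# /etc/shells; without this their logins would be refused.
RequireValidShell       off

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups            off
UseReverseDNS           off

# Port 21 is the standard FTP port.
Port                    21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                   022

# Default to show dot files in directory listings
ListOptions             "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228       off
# Never let root authenticate over FTP: unless TLS is enabled below, the
# password would cross the wire in clear text.
RootLogin               off
#LoginPasswordPrompt    on
MaxLoginAttempts        6
#MaxClientsPerHost      none
#AllowForeignAddress    off # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart    on
AllowStoreRestart       on

# To prevent DoS attacks, set the maximum number of child processes
# to 10. If you need to allow more than 10 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances            10

# Set the user and group that the server normally runs at.
# NOTE(review): "nobody" (uid 99) is also the uid the virtual users are
# mapped to (ftpasswd --uid=99) and the owner of /home/ftpdata, and it is
# commonly shared with other services on the host. A dedicated account for
# the FTP data keeps a compromise of one service from reaching the other.
User                    nobody
Group                   nobody

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile             no

# This is where we want to put the scoreboard (session table) file.
# It is not the pid file.
ScoreboardFile          /var/run/proftpd.score

# Normally, we want users to do a few things.
<Global>
  AllowOverwrite        yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>

# Passive-mode data ports. The firewall must allow exactly this range.
PassivePorts            60000 65534

# Define the log formats. These are only used by ExtendedLog directives; none
# is active outside the commented-out anonymous block below, so consider an
# active `ExtendedLog /var/log/proftpd/auth.log AUTH auth` at server level if
# failed virtual-user logins should be captured in a file of their own.
# (The paste had turned the escaped quotes into "/"; restored to \".)
LogFormat               default "%h %l %u %t \"%r\" %s %b"
LogFormat               auth    "%v [%P] %h %t \"%r\" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
# NOTE(review): with this section commented out, every FTP login -- including
# the virtual-user passwords created with ftpasswd -- travels in clear text.
# Enabling mod_tls (with TLSRequired on) is the only thing in this file that
# protects credentials on the wire. When enabling it, keep the private key in
# a root-only location (e.g. /etc/pki/tls/private, mode 0600) rather than the
# certs directory, and revisit the cipher list: "ALL:!ADH:!DES" still admits
# weak suites (check with `openssl ciphers -v`).
#TLSEngine              on
#TLSRequired            on
#TLSRSACertificateFile  /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite         ALL:!ADH:!DES
#TLSOptions             NoCertRequest
#TLSVerifyClient        off
#TLSRenegotiate         ctrl 3600 data 512000 required off timeout 300
#TLSLog                 /var/log/proftpd/tls.log

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#
# LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
# LoadModule mod_sql_postgres.c

# A basic anonymous configuration, with an upload directory.
# (Left disabled: anonymous access is not part of the virtual-user setup.)
#
# <Anonymous ~ftp>
#   User                          ftp
#   Group                         ftp
#   AccessGrantMsg                "Anonymous login ok, restrictions apply."
#
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias                     anonymous ftp
#
#   # Limit the maximum number of anonymous logins
#   MaxClients                    10 "Sorry, max %m users -- try again later"
#
#   # Put the user into /pub right after login
#   #DefaultChdir                 /pub
#
#   # We want 'welcome.msg' displayed at login, '.message' displayed in
#   # each newly chdired directory and tell users to read README* files.
#   DisplayLogin                  /welcome.msg
#   DisplayFirstChdir             .message
#   DisplayReadme                 README*
#
#   # Some more cosmetic and not vital stuff
#   DirFakeUser                   on ftp
#   DirFakeGroup                  on ftp
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Limit WRITE>
#     DenyAll
#   </Limit>
#
#   # An upload directory that allows storing files but not retrieving
#   # or creating directories.
#   <Directory uploads/*>
#     AllowOverwrite              no
#     <Limit READ>
#       DenyAll
#     </Limit>
#
#     <Limit STOR>
#       AllowAll
#     </Limit>
#   </Directory>
#
#   # Don't write anonymous accesses to the system wtmp file (good idea!)
#   WtmpLog                       off
#
#   # Logging for the anonymous transfers
#   ExtendedLog                   /var/log/proftpd/access.log WRITE,READ default
#   ExtendedLog                   /var/log/proftpd/auth.log AUTH auth
#
# </Anonymous>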
---------------------------------------------------------------------------------
参数说明:
DefaultRoot ~
//将用户 chroot 到其主目录(~):登录后看不到、也访问不到主目录之外的文件系统,这是虚拟用户隔离的基础
ServerType
standalone
//ftp启动方式,支持守护进程,和xinetd模式
AuthPAM
on //PAM认证支持启用
AuthPAMConfig
proftpd
AuthOrder mod_auth_file.c
//指定认证模块及其顺序:此处只列出 mod_auth_file.c,因此仅查询 AuthUserFile/AuthGroupFile 中的虚拟用户,系统账号不参与 FTP 登录认证
AuthUserFile
/etc/proftpd/ftpd.passwd //ftp用户密码文件
AuthGroupFile
/etc/proftpd/ftpd.group
User nobody
//proftpd 运行身份(降权,出于安全考虑)。注意 nobody(uid 99)同时也是下文虚拟用户映射的 UID,且常被其他服务共用;更稳妥的做法是为 FTP 数据单独建立一个系统账号
Group
nobody
MaxInstances 10
//最大并发子进程数(即并发连接数上限),用于缓解 DoS;仅在 standalone 模式下生效
AllowOverwrite
yes
AllowAll
PassivePorts 60000 65534
//被动模式数据连接使用的端口范围,防火墙必须放行完全相同的范围(见下文 iptables 规则)
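# Register the service and start it at boot.
chkconfig --add proftpd
chkconfig proftpd on
# Syntax-check the edited configuration before restarting: a broken config
# would otherwise take the running server down with it.
proftpd -t
service proftpd restart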
建立虚拟用户:这些账号只存在于 proftpd 自己的口令文件中,不进入 /etc/passwd,FTP 口令泄露不会直接变成系统登录,安全性因此提高不少。注意口令文件存放的是密码哈希,应归 root 所有且不可被其他用户读取:
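# Virtual users live only in ProFTPD's own password/group files, never in
# /etc/passwd, so an FTP credential cannot turn into a system login.
mkdir -p /etc/proftpd
# --uid=99 maps the virtual user onto "nobody": everything it writes is owned
# by the same uid the daemon runs as (User nobody) and that other services
# share. A dedicated uid is the safer choice -- see method 1 below.
# --shell=/sbin/nologin pairs with "RequireValidShell off" in proftpd.conf.
# The password is prompted for interactively; never pass it on the command
# line, where it would end up in shell history and ps output.
ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=ftpadmin \
  --uid=99 --home=/home/ftpdata --shell=/sbin/nologin
# One command creates the group and adds its member. The original issued a
# second "ftpasswd --group" without --file, which wrote a stray ./ftpd.group
# in the current directory instead of the file named by AuthGroupFile.
ftpasswd --group --file=/etc/proftpd/ftpd.group --name=admin --gid=99 \
  --member=ftpadmin
# Both files hold password hashes: root-only, not world-readable.
# NOTE(review): check the AuthFiles howto for the exact owner/mode this
# proftpd version requires before relying on 0600.
chmod 0600 /etc/proftpd/ftpd.passwd /etc/proftpd/ftpd.group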
注脚:
--passwd 指定建立一个新的虚拟用户,--group 则建立一个虚拟组;
--file 指定存储虚拟用户(或虚拟组)的文件,应与 proftpd.conf 中的 AuthUserFile/AuthGroupFile 一致;不指定时写入当前目录下的 ftpd.passwd/ftpd.group;
--name 指定此虚拟用户的用户名,密码会在命令执行时交互式输入(不要写在命令行上,以免留在 shell 历史和 ps 输出中);
--uid 指定此虚拟用户对应的系统 UID,此虚拟用户将以该 UID 的身份读写文件;
--home 指定此虚拟用户的主目录,也就是其登录 FTP 后被 chroot 到的根目录(DefaultRoot ~);
--shell 指定此虚拟用户的 shell,为了安全应指定一个不可登录的 shell(/sbin/nologin),并在 proftpd.conf 中配合 RequireValidShell off。
用户权限指派,建议采用方法1,以免引起不必要的麻烦;Linux 上的 POSIX 权限管理并不是所有人都熟悉。
Linux上POSIX
权限管理相关知识参考:http://www.linuxpf.com.cn/bbs/viewthread.php?tid=402&extra=page%3D1
方法1:
uid指定此虚拟用户对应的系统用户UID,此虚拟用户将以此系统UID的身份读写文件;
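# The uid handed to ftpasswd (--uid=99, "nobody") must own the data directory,
# otherwise the virtual user cannot write into its own home. chown only sets
# ownership -- it does not "grant all permissions". ("user:group" is the
# portable spelling; the "nobody.root" form is a deprecated GNU extension.)
chown -R nobody:root /home/ftpdata/
# Keep other local accounts out of the FTP data: owner rwx, group r-x, others none.
chmod 0750 /home/ftpdata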
nobody 的 uid 为 99;chown 只是把目录属主改为虚拟用户映射的 UID,并不会"赋予所有权限",目录的访问模式仍需另行设置(例如 chmod 750,使其他本地用户无法进入)。
关于权限的细粒度控制:请使用 &lt;Limit&gt; 容器(原文的 &lt;Limit ALL&gt; 标签在网页转存时丢失)。以下配置允许 ftpadmin 执行全部操作,并拒绝其他所有用户访问:
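# Only the virtual user ftpadmin may do anything here; everyone else is
# refused. NOTE(review): the <Limit ALL> container tags were stripped by the
# HTML extraction and are restored here; place this inside the <Directory>
# that covers /home/ftpdata (or in the server context) as intended.
<Limit ALL>
  Order       allow,deny
  DenyUser    !ftpadmin
  AllowUser   ftpadmin
</Limit>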
参考:更多细节配置 http://www.linuxpf.com.cn/bbs/viewthread.php?tid=370&extra=page%3D1
http://castaglia.org/proftpd/doc/README.PAM.html
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-VirtualUsers.html
有关ftpQuota只到1.3.1才开始支持,此处不做过多说明,欢迎大家一起交流
方法二:
# Method 2: POSIX ACLs grant one extra user access without changing the
# owner or group of the path. These two lines are generic examples (a user
# "peter", uid 1002, an Apache docroot), not paths used elsewhere in this
# document. NOTE(review): assumes the filesystem is mounted with ACL support
# -- confirm before relying on it.
setfacl --modify user:peter:rwx file.txt
setfacl --modify user:1002:rwx /home/apache/htdocs
至此一个实用的ftp服务器已经能够正常运行
如果还存在问题请调试proftpd,并分析log
测试:分别使用被动模式和主动模式连接,开启防火墙,并确认虚拟用户的权限设置正确。
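# Firewall rules for FTP. ("iptbbles" in the original was a typo.) -I inserts
# at the top of INPUT, so the last rule inserted ends up evaluated first.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP control channel.
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# SSH. The original opened 21:22 as one range; SSH has nothing to do with
# FTP, so keep this rule only if remote shell access is wanted on this host.
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Passive-mode data channel: must match "PassivePorts 60000 65534" in proftpd.conf.
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65534 -j ACCEPT
# Active-mode transfers are outbound connections from port 20 to the client;
# these INPUT rules do not affect them -- check the OUTPUT chain separately.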
或者直接修改防火墙配置文件/etc/sysconfig/iptables
找到-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT
在其下增加
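# Lines to add to /etc/sysconfig/iptables, directly below the existing
#   -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The file is in iptables-restore format: rules are written without the
# leading "iptables" command (the original also lacked the space before -m,
# and "iptbbles" was a typo). Apply afterwards with: service iptables restart
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65534 -j ACCEPT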
二:源码安装:
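# Source build. The archive is fetched over plain FTP: verify it against the
# checksum / signature published alongside it on ftp.proftpd.org before
# unpacking.
wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.1.tar.gz
tar -zxvf proftpd-1.3.1.tar.gz
cd proftpd-1.3.1
# --sysconfdir: the original read "--syscOnfdir", which configure does not
# recognise (unknown options are ignored with a warning), so the config would
# not have landed in /etc. mod_tls is what makes encrypted logins possible;
# mod_auth_pam is only useful if PAM is actually placed in AuthOrder.
./configure --prefix=/usr --sysconfdir=/etc \
  --localstatedir=/var/run --mandir=/usr/local/man \
  --with-modules=mod_ratio:mod_readme:mod_auth_pam:mod_dso:mod_ctrls:mod_tls
make
make install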
注意:下面 proftpd -l 列出的内建模块中没有 mod_dso、mod_ctrls 和 mod_tls,说明 --with-modules 中这几个模块可能并未编译进去(mod_tls 是启用加密登录的前提),请检查 configure 的输出。
报错:cannot find -lpam,表示缺少 PAM 开发包(pam-devel 提供链接用的库文件和头文件)
# The linker error "cannot find -lpam" means the PAM development package
# (library link plus headers) is missing, not only the headers.
yum install pam-devel pam
解决
拷贝启动脚本:
# which proftpd
/usr/sbin/proftpd
# proftpd -l
Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_ratio.c
mod_readme.c
mod_auth_pam.c
mod_cap.c
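# Install the SysV init script shipped with the source (the one the RPM uses).
cd /home/download/proftpd-1.3.1/contrib/dist/rpm
install -m 0755 proftpd.init.d /etc/rc.d/init.d/proftpd
# Enable at boot. The original symlinked into /etc/rc.d/init3.d, which does
# not exist (the runlevel-3 directory is rc3.d). chkconfig, as used in the
# RPM section, creates the S/K links in the right runlevels -- the script
# should carry the chkconfig header it needs (confirm in the file if unsure).
chkconfig --add proftpd
chkconfig proftpd on
# Take ftpasswd from the same release rather than a separately downloaded copy.
install -m 0755 /home/download/proftpd-1.3.1/contrib/ftpasswd /usr/local/bin/ftpasswd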
To use PAM with ProFTPD, edit the PAM service file whose name matches the AuthPAMConfig directive in proftpd.conf (this document sets "proftpd", so the file is /etc/pam.d/proftpd; README.PAM's example uses /etc/pam.d/ftp) and add the following lines on Red Hat systems. Note that with AuthOrder limited to mod_auth_file.c, as configured above, PAM is not consulted for the virtual-user logins at all:
#vi /etc/pam.d/proftpd
----------------------------------------------------------------
#%PAM-1.0
# NOTE(review): this PAM stack is only consulted if mod_auth_pam.c is listed
# in AuthOrder; the virtual-user configuration above restricts AuthOrder to
# mod_auth_file.c, so it does not apply to those logins.
# "nullok" accepts accounts with an empty password -- drop it on an FTP
# service unless that is really intended. pam_pwdb.so is the legacy module
# named in README.PAM; if it is absent from /lib/security, pam_unix.so is
# its successor (confirm on the target system).
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so
----------------------------------------------------------------
注意:PAM 服务文件名必须与 proftpd.conf 中 AuthPAMConfig 的值一致——本文配置为 AuthPAMConfig proftpd,对应 /etc/pam.d/proftpd;若改用 /etc/pam.d/ftpd,则须同步改为 AuthPAMConfig ftpd,否则 PAM 认证不能工作。
less README
#less README.PAM
#more README.modules
获得更多帮助
修改自定义路径:
#vi /etc/rc.d/init.d/proftpd
-----------------------------------
# NOTE(review): this appends a directory under /home to the PATH of a script
# that runs as root at boot. If /home/proftpd or /home/proftpd/sbin is
# writable by any non-root account, a binary planted there is picked up, as
# root, for any command not found earlier in PATH. It is also inconsistent
# with the build above, which installed /usr/sbin/proftpd (--prefix=/usr; see
# "which proftpd"): prefer calling the daemon by its absolute path and drop
# this line unless the binary really lives in /home/proftpd/sbin.
PATH="$PATH:/home/proftpd/sbin"
-----------------------------------
对比分析修改:
diff /home/download/proftpd-1.3.1/contrib/dist/rpm/proftpd.init.d
/etc/rc.d/init.d/proftpd
------------------------------------------------------------
25c25
> PATH="$PATH:/home/proftpd/sbin"
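# Boot links. The original created both S99 and K99 in rc3.d; K (kill) links
# belong in the runlevels where the service must stop (0, 1, 6), not in the
# one where it starts. Let chkconfig place them, as the RPM section does.
chkconfig --add proftpd
chkconfig proftpd on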
------------------------------------------------------------
配置/etc/proftpd.conf同上
调试请用 proftpd -n -d 10 在前台动态跟踪登录过程并分析日志(调试级别 10 输出非常详细,可能包含用户名等敏感信息,排错完成后不要长期保留);更多参数见 proftpd --help
1. 下载ftpasswd
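cd /usr/local/etc/proftpd
# Same caveats as in part one: this download has no integrity check and the
# script runs as root; the ftpasswd in the source tarball (contrib/) is preferred.
wget http://www.castaglia.org/proftpd/contrib/ftpasswd
chmod +x ftpasswd
# No --file is given, so ftpasswd writes ./ftpd.passwd and ./ftpd.group in this
# directory; AuthUserFile/AuthGroupFile in proftpd.conf must point at exactly
# these paths. --shell is /sbin/nologin as in part one: a virtual user never
# needs a real shell (RequireValidShell off covers it), and the original's
# /bin/sh contradicted the advice given earlier. The password is prompted for.
./ftpasswd --passwd --name=test --home=/home/test --shell=/sbin/nologin --uid=2222
# NOTE(review): the original gives this account the same --home as "test";
# two virtual users sharing one home can read and overwrite each other's files.
./ftpasswd --passwd --name=ftp --home=/home/test --shell=/sbin/nologin --uid=2223
./ftpasswd --group --gid=2223 --name=ftp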
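# Quotas (mod_quotatab). --type needs a value: the original "--type" alone is
# incomplete. The limit table created here has to be referenced from
# proftpd.conf (QuotaLimitTable) together with a tally table --
# NOTE(review): neither directive is shown in this document; see the
# mod_quotatab docs. Same download caveat as for ftpasswd above.
wget http://www.castaglia.org/proftpd/contrib/ftpquota
chmod +x ftpquota
./ftpquota --create-table --type=limit
./ftpquota --add-record --type=limit --name=test --quota-type=user \
  --bytes-upload=5000000 --limit-type=soft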