Proftpd

[root@hal ~]# uname -a Linux hal.t0e.org 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:34:46 EST 2006 x86_64 x86_64 x86_64 GNU/Linux [root@hal ~]# yum install proftpd ...

The original /etc/proftpd.conf file:

ServerName                     "ProFTPD server" ServerIdent                    on "FTP Server ready." ServerAdmin                    root@localhost ServerType                     standalone DefaultServer                  on AccessGrantMsg                  "User %u logged in." DeferWelcome                   off DefaultRoot                    ~ !adm AuthPAMConfig                  proftpd AuthOrder                      mod_auth_pam.c* mod_auth_unix.c IdentLookups                    off UseReverseDNS                  off Port                           21 Umask                          022 ListOptions                    "-a" AllowRetrieveRestart           on AllowStoreRestart               on MaxInstances                    20 User                           nobody Group                          nobody UseSendfile                    no ScoreboardFile                  /var/run/proftpd.score  AllowOverwrite               yes  AllowAll   LogFormat                      default "%h %l %u %t \"%r\" %s %b" LogFormat                      auth    "%v [%P] %h %t \"%r\" %s" # # # # # # # # # # #
 * 1) This is the ProFTPD configuration file
 * 2) $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $
 * 1) ServerType                    inetd
 * 1) DisplayConnect                /etc/ftpissue
 * 2) DisplayLogin                  /etc/ftpmotd
 * 3) DisplayGoAway                 /etc/ftpgoaway
 * 1) Use this to excude users from the chroot
 * 1) Use pam to authenticate (default) and be authoritative
 * 1) Do not perform ident nor DNS lookups (hangs when the port is filtered)
 * 1) Port 21 is the standard FTP port.
 * 1) Umask 022 is a good standard umask to prevent new dirs and files
 * 2) from being group and world writable.
 * 1) Default to show dot files in directory listings
 * 1) See Configuration.html for these (here are the default values)
 * 2) MultilineRFC2228              off
 * 3) RootLogin                     off
 * 4) LoginPasswordPrompt           on
 * 5) MaxLoginAttempts              3
 * 6) MaxClientsPerHost             none
 * 7) AllowForeignAddress           off     # For FXP
 * 1) Allow to resume not only the downloads but the uploads too
 * 1) To prevent DoS attacks, set the maximum number of child processes
 * 2) to 30.  If you need to allow more than 30 concurrent connections
 * 3) at once, simply increase this value.  Note that this ONLY works
 * 4) in standalone mode, in inetd mode you should use an inetd server
 * 5) that allows you to limit maximum number of processes per service
 * 6) (such as xinetd)
 * 1) Set the user and group that the server normally runs at.
 * 1) Disable sendfile by default since it breaks displaying the download speeds in
 * 2) ftptop and ftpwho
 * 1) This is where we want to put the pid file
 * 1) Normally, we want users to do a few things.
 * 1) Define the log formats
 * 1) TLS
 * 2) Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
 * 3) TLSEngine                     on
 * 4) TLSRequired                   on
 * 5) TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.pem
 * 6) TLSRSACertificateKeyFile      /etc/pki/tls/certs/proftpd.pem
 * 7) TLSCipherSuite                ALL:!ADH:!DES
 * 8) TLSOptions                    NoCertRequest
 * 9) TLSVerifyClient               off
 * 10) TLSRenegotiate               ctrl 3600 data 512000 required off timeout 300
 * 11) TLSLog                        /var/log/proftpd/tls.log
 * 1) SQL authentication Dynamic Shared Object (DSO) loading
 * 2) See README.DSO and howto/DSO.html for more details.
 * 3) 
 * 4)   LoadModule mod_sql.c
 * 5)   LoadModule mod_sql_mysql.c
 * 6)   LoadModule mod_sql_postgres.c
 * 7) 
 * 1) A basic anonymous configuration, with an upload directory.
 * 2) 
 * 3)  User                         ftp
 * 4)  Group                                ftp
 * 5)  AccessGrantMsg               "Anonymous login ok, restrictions apply."
 * 1)  # We want clients to be able to login with "anonymous" as well as "ftp"
 * 2)  UserAlias                    anonymous ftp
 * 1)  # Limit the maximum number of anonymous logins
 * 2)  MaxClients                   10 "Sorry, max %m users -- try again later"
 * 1)  # Put the user into /pub right after login
 * 2)  #DefaultChdir                        /pub
 * 1)  # We want 'welcome.msg' displayed at login, '.message' displayed in
 * 2)  # each newly chdired directory and tell users to read README* files.
 * 3)  DisplayLogin                 /welcome.msg
 * 4)  DisplayFirstChdir            .message
 * 5)  DisplayReadme                        README*
 * 1)  # Some more cosmetic and not vital stuff
 * 2)  DirFakeUser                  on ftp
 * 3)  DirFakeGroup                 on ftp
 * 1)  # Limit WRITE everywhere in the anonymous chroot
 * 2)  
 * 3)    DenyAll
 * 4)  
 * 1)  # An upload directory that allows storing files but not retrieving
 * 2)  # or creating directories.
 * 3)  
 * 4)    AllowOverwrite             no
 * 5)    
 * 6)      DenyAll
 * 7)    
 * 1)    
 * 2)      AllowAll
 * 3)    
 * 4)  
 * 1)  # Don't write anonymous accesses to the system wtmp file (good idea!)
 * 2)  WtmpLog                      off
 * 1)  # Logging for the anonymous transfers
 * 2)  ExtendedLog          /var/log/proftpd/access.log WRITE,READ default
 * 3)  ExtendedLog          /var/log/proftpd/auth.log AUTH auth
 * 1) 

My modified /etc/proftpd.conf file:

ServerName                     "-=hello=-" ServerIdent                    on "Hello World" ServerType                     standalone DefaultServer                  on Port                            21 Umask                          022 MaxInstances                   30 User                           nobody Group                          nobody DefaultRoot ~ IdentLookups off AuthOrder mod_auth_file.c AuthUserFile /etc/proftpd/passwd AuthGroupFile /etc/proftpd/group DirFakeUser on ~ AllowOverwrite on <IfModule mod_delay.c> DelayEngine off </IfModule> <Limit SITE_CHMOD> DenyAll </Limit>  AnonRequirePassword on  RequireValidShell off User duck Group duck </Anonymous>
 * 1) Port 21 is the standard FTP port.
 * 1) Umask 022 is a good standard umask to prevent new dirs and files
 * 2) from being group and world writable.
 * 1) To prevent DoS attacks, set the maximum number of child processes
 * 2) to 30.  If you need to allow more than 30 concurrent connections
 * 3) at once, simply increase this value.  Note that this ONLY works
 * 4) in standalone mode, in inetd mode you should use an inetd server
 * 5) that allows you to limit maximum number of processes per service
 * 6) (such as xinetd).
 * 1) Set the user and group under which the server will run.
 * 1) To cause every FTP user to be "jailed" (chrooted) into their home
 * 2) directory, uncomment this line.
 * 1) Don't do ident lookups:
 * 2) http://freebsd.munk.me.uk/archives/73-ProFTPD-Delay-Whilst-Authenticating.html
 * 3) When connecting to the proftpd server, a noticeable delay of
 * 4) around 5 seconds can be seen. To fix this I switched off ident
 * 5) lookups in proftpd.conf and all was fine:
 * 1) Use only AuthUserFiles when authenticating, and not the system's /etc/passwd
 * 2) for /etc/passwd mod_auth_unix.c
 * 1) AuthUserFile -- Specify alternate passwd file
 * 1) AuthGroupFile -- Specify alternate group file
 * 1) make listed files appear to be owned by the logged-in user
 * 1) Normally, we want files to be overwriteable.
 * 1) Delay engine reduces impact of the so-called Timing Attack described in
 * 2) http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
 * 3) It is on by default.
 * 1) Bar use of SITE CHMOD by default

[root@hal proftpd]# cat group duck:x:501: [root@hal proftpd]# cat passwd duck:$1$6MYsRLDl$NACe/Kd5k5LPM3qQs8niO.:501:501::/var/duck:/bin/false

ftpasswd download from: http://www.castaglia.org/proftpd/contrib/ftpasswd ftpasswd info: http://www.castaglia.org/proftpd/ ftpasswd usage: http://www.castaglia.org/proftpd/contrib/ftpasswd.html add user to password file...
 * 1) echo "password" | ftpasswd --passwd --file=/etc/proftpd/passwd --name=duck --uid=501 --gid=501 --home=/var/duck --shell=/bin/false --stdin