proftpd 配置及虚拟用户验证
proftpd安装文档----ftp虚拟用户
ftp虚拟用户
proftpd安装文档ftp虚拟用户
http://www.proftpd.org/
作者:linuxpf
注:此文档proftpd安装入门参考资料,也为本人学习总结,文中参考网络中部分资料,如有不对请指点,欢迎大家一同交流
qq群:19180048
源码软件包:proftpd是开源自由软件,目前最新稳定版本为1.3.1,注proftpd1.3.1安装与1.2.X配置文件语法有些不同
平台:centos4.6
一:RPM安装,其实图方便采用rpm效果并不差,关健于实用性强,稳定性好
#wget ftp://194.199.20.114/linux/dag/redhat/el4/en/i386/dag/RPMS/proftpd-1.3.1-1.el4.rf.i386.rpm
#wget http://www.castaglia.org/proftpd/contrib/ftpasswd
#cp ftpasswd /sbin/bin
#chmod +x ftpasswd
#rpm -ivh proftpd-1.3.1-1.el4.rf.i386.rpm
修改配置文件:
#cd /etc
#cp proftpd.conf proftpd.conf-dist
#vi proftpd.conf
----------------------------------------------------------------
"proftpd.conf" 155L, 4484C
# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $
ServerName "The ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin rot@localhost
ServerType standalone
#ServerType inetd
DefaultServer on
AccessGrantMsg "User %u logged in."
#DisplayConnect /etc/ftpissue
#DisplayLogin /etc/ftpmotd
#DisplayGoAway /etc/ftpgoaway
DeferWelcome off
# Use this to excude users from the chroot
#DefaultRoot ~ !adm
DefaultRoot ~
# Use pam to authenticate (default) and be authoritative
AuthPAM on
AuthPAMConfig proftpd
AuthOrder mod_auth_file.c
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
RequireValidShell off
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# Default to show dot files in directory listings
ListOptions "-a"
# See Configuration.html for these (here are the default values)
#MultilineRFC2228 off
RootLogin off
#LoginPasswordPrompt on
MaxLoginAttempts 6
#MaxClientsPerHost none
#AllowForeignAddress off # For FXP
# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 10
# Set the user and group that the server normally runs at.
User nobody
Group nobody
# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile no
# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score
# Normally, we want users to do a few things.
<Global>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
PassivePorts 60000 65534
</Global>
# Define the log formats
LogFormat default "%h %l %u %t /"%r/" %s %b"
LogFormat auth "%v [%P] %h %t /"%r/" %s"
# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
##TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
#TLSLog /var/log/proftpd/tls.log
# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#<IfModule mod_dso.c>
# LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
# LoadModule mod_sql_postgres.c
#</IfModule>
# A basic anonymous configuration, with an upload directory.
#<Anonymous ~ftp>
# User ftp
# Group ftp
# AccessGrantMsg "Anonymous login ok, restrictions apply."
#
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
#
# # Limit the maximum number of anonymous logins
# MaxClients 10 "Sorry, max %m users -- try again later"
#
# # Put the user into /pub right after login
# #DefaultChdir /pub
#
# # We want 'welcome.msg' displayed at login, '.message' displayed in
# # each newly chdired directory and tell users to read README* files.
# DisplayLogin /welcome.msg
# DisplayFirstChdir .message
# DisplayReadme README*
#
# # Some more cosmetic and not vital stuff
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# # Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE SITE_CHMOD>
# DenyAll
# </Limit>
#
# # An upload directory that allows storing files but not retrieving
# # or creating directories.
# <Directory uploads/*>
# AllowOverwrite no
# <Limit READ>
# DenyAll
# </Limit>
#
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>
#
# # Don't write anonymous accesses to the system wtmp file (good idea!)
# WtmpLog off
#
# # Logging for the anonymous transfers
# ExtendedLog /var/log/proftpd/access.log WRITE,READ default
# ExtendedLog /var/log/proftpd/auth.log AUTH auth
#
#</Anonymous>
---------------------------------------------------------------------------------
参数说明:
DefaultRoot ~ //默认ftp用户主目录
ServerType standalone //ftp启动方式,支持守护进程,和xinetd模式
AuthPAM on //PAM认证支持启用
AuthPAMConfig proftpd
AuthOrder mod_auth_file.c //启用认证方式
AuthUserFile /etc/proftpd/ftpd.passwd //ftp用户密码文件
AuthGroupFile /etc/proftpd/ftpd.group
User nobody //启动proftpd用户,为了安全起见
Group nobody
MaxInstances 10 //最大用户数,防止DDOS
<Global>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
PassivePorts 60000 65534 //启用ftp被动模式端口范围
</Global>
#chkconfig --add proftpd
#chkconfig proftpd on
#service proftpd restart
建立虚拟用户,脱离于系统用户,安全性增加了许多:
# mkdir -p /etc/proftpd
# ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=ftpadmin --uid=99 --home=/home/ftpdata --shell=/sbin/nologin
# ftpasswd --group --file=/etc/proftpd/ftpd.group --name=admin --gid=99
# ftpasswd --group --name=admin --gid=99 --member=ftpadmin
注脚:
–passwd指定建立一个新的虚拟用户,–group则建立一个虚拟组;
–file指定存储虚拟用户的文件;
–name指定此虚拟用户的用户名,密码会在命令执行时要求输入;
–uid指定此虚拟用户对应的系统用户UID,此虚拟用户将以此系统UID的身份读写文件
–home指定此虚拟用户的根目录,就是其登陆FTP后的根目录;
–shell指定此虚拟用户的shell,为了安全当然指定一个不可登陆的shell了。
用户权限指派,建议采用方法1,以免引起不必在的麻烦,Linux上POSIX 权限管理并不是所有人都熟悉
Linux上POSIX 权限管理相关知识参考:http://www.linuxpf.com.cn/bbs/viewthread.php?tid=402&extra=page%3D1
方法1:
uid指定此虚拟用户对应的系统用户UID,此虚拟用户将以此系统UID的身份读写文件;
#chown -R nobody.root /home/ftpdata/
nobody uid 99,对用户主目录赋予所有权限
关于权限颗粒化设置:请使用Limit
以下设置ftpadmin所有权限,并禁止其它人访问
<limit LOGIN>
Order allow,deny
DenyUser !ftpadmin
</limit>
<Directory /var/ftp/upload>
<Limit CMD MKD RNFR DELE RMD RETR STOR READ WRITE DIRS NLST >
AllowUser ftpadmin
</Limit>
<Directory>
参考:更多细节配置http://www.linuxpf.com.cn/bbs/vi ... =370&extra=page%3D1
http://castaglia.org/proftpd/doc/README.PAM.html
http://www.castaglia.org/proftpd ... O-VirtualUsers.html
有关ftpQuota只到1.3.1才开始支持,此处不做过多说明,欢迎大家一起交流
方法二:
setfacl -m user:peter:rwx file.txt
setfacl -m u:1002:rwx /home/apache/htdocs
至此一个实用的ftp服务器已经能够正常运行
如果还存在问题请调试proftpd,并分析log
测试:使且被动,主动模式,开户防火墙.设置正确有虚拟用户权限
#iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 21:22 -j ACCEPT
#iptbbles -I INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65534 -j ACCEPT
或者直接修改防火墙配置文件/etc/sysconfig/iptables
找到-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
在其下增加
#iptables -A RH-Firewall-1-INPUT-m state --state NEW -m tcp -p tcp --dport 21:22 -j ACCEPT
#iptbbles -A RH-Firewall-1-INPUT-m state --state NEW -m tcp -p tcp --dport 60000:65534 -j ACCEPT
二:源码安装:
#wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.1.tar.gz
#tar -zxvf proftpd-1.3.1.tar.gz
#cd proftpd-1.3.1
#
#./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/run --mandir=/usr/local/man --with-modules=mod_ratio:mod_readme:mod_auth_pam:mod_dso:mod_ctrls:mod_tls
#make
#make install
mod_dso mod_ctrlsmod_tls.
报错:cannot find -lpam缺少pam头文件
#yum install pam pam-devel
解决
拷贝启动脚本:
# which proftpd
/usr/sbin/proftpd
# proftpd -l
Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_ratio.c
mod_readme.c
mod_auth_pam.c
mod_cap.c
#cd /home/download/proftpd-1.3.1/contrib/dist/rpm
#cp proftpd.init.d /etc/rc.d/init.d/proftpd
#chmod +x /etc/rc.d/init.d/proftpd
#ln -s /etc/rc.d/init.d/proftpd /etc/rc.d/init3.d/S97proftpd
#cp /home/download/proftpd-1.3.1/contrib/ftpasswd /usr/local/bin/
To use PAM with ProFTPD, you must edit /etc/pam.d/ftp and add the
following lines for RedHat installations:
#vi /etc/pam.d/proftpd
----------------------------------------------------------------
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
----------------------------------------------------------------
注意,如有以上设置,请确保proftpd.conf中AuthPAMConfig 设置为 'ftpd',如果有改动,请同步AuthPAMConfig设置,否则会不能够工作
如果/etc/pam.d/ftpd,对应
AuthPAMConfig ftpd
less README
#less README.PAM
#more README.modules
获得更多帮助
修改自定义路径:
#vi /etc/rc.d/init.d/proftpd
-----------------------------------
PATH="$PATH:/home/proftpd/sbin"
-----------------------------------
对比分析修改:
diff /home/download/proftpd-1.3.1/contrib/dist/rpm/proftpd.init.d /etc/rc.d/init.d/proftpd
------------------------------------------------------------
25c25
< PATH="$PATH:/usr/local/sbin"
---
> PATH="$PATH:/home/proftpd/sbin"
#ln -s /etc/rc.d/init.d/proftpd /etc/rc.d/rc3.d/S99proftpd
#ln -s /etc/rc.d/init.d/proftpd /etc/rc.d/rc3.d/K99proftpd
------------------------------------------------------------
配置/etc/proftpd.conf同上
调试请用 #proftpd -n -d 10 动态调试登陆过程,并分析日志 更多: proftpd --help |
1. 下载ftpasswd
cd /usr/local/etc/proftpd
wget http://www.castaglia.org/proftpd/contrib/ftpasswd
chmod +x ftpasswd
2. 建立用户和组
./ftpasswd --passwd --name=test --home=/home/test --shell=/bin/sh --uid=2222
./ftpasswd --passwd --name=ftp --home=/home/test --shell=/bin/sh --uid=2223
./ftpasswd --group --gid=2223 --name=ftp
3. 下载ftpquota
wget http://www.castaglia.org/proftpd/contrib/ftpquota
chmod +x ftpquota
4. 设置quota
./ftpquota --create-table --type=limit
./ftpquota --add-record --type --bytes-upload=5000000 --limit-type=soft --name=test --quota-type=user
更多推荐
所有评论(0)