Thursday, September 15, 2011

Deploying ProFTPD: Open source FTP server software


ProFTPD is a highly configurable and modular FTP daemon whose configuration and setup closely resemble those of the Apache web server. This document briefly covers installation, pre-install configuration and post-install configuration.
The document assumes a fair knowledge of Linux and the Apache web server.

Installation.

Installation is done through the ./configure script. By default, proftpd and ftpshut are installed in /usr/local/sbin/, ftpcount and ftpwho in /usr/local/bin/, the configuration file in /usr/local/etc/, and the man pages in /usr/local/man/man?/. Further, /usr/local/var/proftpd/ is used to hold the runtime scoreboard files. See the "Directory and file names" section of the ./configure --help output for the arguments to change these defaults. For instance, to place all these directories under /usr/ rather than /usr/local/, you could use:
$ ./configure --prefix=/usr
Or, to place the configuration file in /etc/ and the runtime state files in /var/proftpd/, you would use:
$ ./configure --sysconfdir=/etc --localstatedir=/var

1. Optional modules

$ ./configure --with-modules=mod_readme:mod_ldap
Some operating systems require you to use either --enable-autoshadow or --enable-shadow if you wish to use the system's shadow password file for user authentication. Using autoshadow allows proftpd to work with either shadow or traditional password files.
If you wish to use SQL for user authentication, you must specify mod_sql and one SQL backend module, either mod_sql_mysql or mod_sql_postgres. Further, the backend module must be specified later in the module list, e.g. --with-modules=mod_sql:mod_sql_postgres. Otherwise, compilation will succeed, but SQL authentication will not work.

2. Verify correct configure operation.

Watch the output of the configure script. After configure has run, you may wish to inspect the config.h file to make sure configure didn’t make any wrong “guesses” for your platform.

3. Modify the proftpd configuration file.

This default configuration causes ProFTPD to run as a standalone server:
ServerType Standalone
This configuration causes ProFTPD to run as a subserver of inetd/xinetd:
ServerType inetd

4. Modify the inetd/xinetd superserver configuration file.

Edit /etc/inetd.conf and then send the inetd process the HUP signal, so that it will reread the updated configuration file. On some systems there are other mechanisms to tell inetd to reread its configuration file, e.g. refresh -s inetd on AIX. Check your system documentation to see what command is appropriate.
If proftpd is to be run from inetd, find the line in /etc/inetd.conf that looks something like:
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
And replace it with:
ftp stream tcp nowait root /usr/local/sbin/proftpd proftpd
Or, if the tcp wrappers package is installed on your system, you may use a line something like:
ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/proftpd
If proftpd is to be run in standalone mode, you should comment out any ftp line in the /etc/inetd.conf file by inserting a # at the beginning of the line. Then signal the inetd process to reread /etc/inetd.conf.
If your system is using xinetd instead of inetd then either edit your /etc/xinetd.conf file or add a proftpd file in /etc/xinetd.d/:
service ftp
{
    flags          = REUSE
    socket_type    = stream
    instances      = 50
    wait           = no
    user           = root
    server         = /usr/sbin/proftpd
    bind           =
    log_on_success = HOST PID
    log_on_failure = HOST RECORD
}

5. Create the runtime state directory.

In order for the MaxClients and MaxClientsPerHost directives and the ftpwho and ftpcount utilities to work, proftpd must have a directory to hold its scoreboard files. The default is /usr/local/var/proftpd/, though it may have been changed in the configuration process in Step 2. The default location can also be overridden at run time by using the ScoreboardPath directive in the proftpd.conf configuration file. Whatever directory is used, it must exist prior to starting proftpd. If you have installed from an installation package, the installation scripts may have created the default directory. Nonetheless, if it does not already exist you must create it manually. No special permissions are needed on the directory, unless you wish to restrict who is allowed to run ftpwho and ftpcount.
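Steps 3 and 4 must agree: a standalone proftpd and an active ftp line in /etc/inetd.conf both claim port 21, while an inetd-mode proftpd with no ftp line is never started. The following is an added example (not ProFTPD's own code) that cross-checks the ServerType directive against the contents of inetd.conf; the sample file contents are constructed.

```python
"""Cross-check ServerType in proftpd.conf against /etc/inetd.conf.

Added example, not part of ProFTPD. Both inputs are passed as file
contents so the check runs offline; the samples below are constructed.
"""

SAMPLE_PROFTPD_CONF = """\
ServerName "ProFTPD"
# run on our own rather than under inetd
ServerType standalone
Port 21
"""

SAMPLE_INETD_CONF = """\
#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
"""

def server_type(proftpd_conf):
    """Return the ServerType value in lower case, or None if not set."""
    for line in proftpd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "servertype":
            return parts[1].lower()
    return None

def inetd_ftp_entries(inetd_conf):
    """Active (uncommented) lines for the 'ftp' service in inetd.conf."""
    return [l for l in inetd_conf.splitlines()
            if l.strip() and not l.lstrip().startswith("#")
            and l.split()[0] == "ftp"]

def check_launch_mode(proftpd_conf, inetd_conf):
    """Return a list of human-readable problems; empty means consistent."""
    mode = server_type(proftpd_conf)
    entries = inetd_ftp_entries(inetd_conf)
    problems = []
    if mode == "standalone" and entries:
        problems.append("standalone ServerType but inetd.conf still has an active ftp line; comment it out")
    elif mode == "inetd":
        if not entries:
            problems.append("inetd ServerType but no active ftp line in inetd.conf")
        elif not any("proftpd" in e for e in entries):
            problems.append("inetd ftp line does not launch proftpd: " + entries[0])
    elif mode is None:
        problems.append("ServerType not set in proftpd.conf")
    return problems
```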

Testing the Software

As of ProFTPD 1.2.0, there are no automated regression tests. However, you are encouraged to perform your own ad-hoc, manual tests.
Note that you can start proftpd directly from your shell prompt, but do remember that it must run as root for all functions to operate properly. Nonetheless, many operations can be verified without root privileges. An alternate configuration file can be specified using the -c command line switch. In the configuration file, the TCP ports may be changed from the standard default ftp (21) and ftp-data (20) ports, and an alternate passwd file may be specified. Since such a daemon will not be able to change its uid, you also must specify the user and group names to match those used to start the daemon.
To demonstrate this process, a set of example config files have been included in the sample-configurations subdirectory.
% sh sample-configurations/PFTEST.install
Sample test files successfully installed in /tmp/PFTEST.
% ./proftpd -n -d 5 -c /tmp/PFTEST/PFTEST.conf
Then, in another window, connect to the unprivileged port. PFTEST.conf uses port 2021, and PFTEST.passwd defines a user “proftpd” with password “proftpd”. Using the traditional Unix ftp client, it might look something like this:
% ftp -n -d
ftp> open 2021
ftp> user proftpd
---> USER proftpd
331 Password required for proftpd.
Password: [proftpd]
---> PASS proftpd
230 User proftpd logged in.
ftp>

Commands for showing the run time details

ftpshut: shuts down the server at a particular time.
ftpwho, ftpcount: show the number of users connected.
proftpd: the daemon's command line interface.
For more information refer to the man pages.

The important Proftpd Configuration Files

/etc/proftpd.conf              -> Main configuration file
/etc/proftpd/passwd.vhosts     -> ProFTPD password file (AuthUserFile)
.ftpaccess                     -> Per-directory override file, like .htaccess
The configuration is similar to httpd.conf and includes mainly three sections.
* Global environment.
* Main server configuration.
* Virtual hosts configuration.
Important configuration sections and directives are as below

Virtual-Hosts(For dedicated IPs) and Anonymous Users configuration

ExtendedLog /etc/httpd/domlogs/ftp.domain.com-ftpbytes_log READ BytesLog
TransferLog /etc/httpd/domlogs/ftp.domain.com-ftp_log
ServerName ftp.domain.com
AuthUserFile /etc/proftpd/user
MaxClients 3 "Sorry, this ftp server has reached its maximum user count (%m). Please try again later"
DirFakeGroup On ftpgroup
DirFakeUser On ftpuser
# DefaultRoot ~ chroots each user to their home directory (usually /home/user/)
DefaultRoot ~

AllowOverwrite on
HideGroup wheel
HideUser root

UseFtpUsers on
RequireValidShell off
User ftp
Group ftp
UserAlias anonymous ftp
DisplayLogin welcome.msg
DisplayFirstChdir .message

DenyAll

AllowAll

DenyAll

Main Server Configuration

Add this to your proftpd.conf:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation.

ServerName "ProFTPD"
AuthUserFile /etc/proftpd/passwd.vhosts
LogFormat BytesLog "%b"
ServerType standalone
DeferWelcome off
DefaultServer on
DefaultRoot ~ !wheel
TransferLog /usr/local/apache/domlogs/ftpxferlog
Port 21
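The TransferLog directives above write the wu-ftpd xferlog format, which is what ftpxferlog will contain. As an added example (not ProFTPD's own code), the following parses such a log and summarises bytes per user while flagging anonymous uploads and incomplete transfers; the log lines are constructed.

```python
"""Summarise a ProFTPD TransferLog (wu-ftpd xferlog format) for review.

Added example, not part of ProFTPD. Each line is 18 whitespace-separated
tokens: 5 date tokens, transfer seconds, remote host, bytes, path,
transfer type (a/b), special action, direction (i upload / o download /
d delete), access mode (a anonymous / g guest / r real), user, service,
auth method, auth user id, completion (c complete / i incomplete).
ProFTPD replaces spaces in file names with underscores, so split() is safe.
"""
from collections import defaultdict

# Constructed sample lines, not taken from a real server.
SAMPLE_XFERLOG = """\
Thu Sep 15 09:12:01 2011 3 192.0.2.10 51200 /home/alice/report.pdf b _ o r alice ftp 0 * c
Thu Sep 15 09:15:44 2011 1 198.51.100.7 2048 /incoming/upload.sh b _ i a ftp ftp 0 * c
Thu Sep 15 09:20:10 2011 40 192.0.2.10 2097152 /home/alice/backup.tar a _ o r alice ftp 0 * i
"""

def parse_xferlog_line(line):
    """Parse one xferlog line into a dict; raise on malformed input."""
    tokens = line.split()
    if len(tokens) != 18:
        raise ValueError(f"unexpected field count {len(tokens)}: {line!r}")
    return {
        "time": " ".join(tokens[0:5]),
        "seconds": int(tokens[5]),
        "host": tokens[6],
        "bytes": int(tokens[7]),
        "path": tokens[8],
        "direction": tokens[11],
        "access": tokens[12],
        "user": tokens[13],
        "complete": tokens[17] == "c",
    }

def summarize(log_text):
    """Return (bytes transferred per user, list of findings worth a look)."""
    bytes_by_user = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        bytes_by_user[rec["user"]] += rec["bytes"]
        if rec["access"] == "a" and rec["direction"] == "i":
            findings.append(f"anonymous upload of {rec['path']} from {rec['host']}")
        if not rec["complete"]:
            findings.append(f"incomplete transfer of {rec['path']} by {rec['user']}")
    return dict(bytes_by_user), findings
```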