Thursday, May 27, 2010

Proftpd "how to" ( proftpd.conf )

If you want to set up a secure anonymous ftp server then you might want to consider ProFTPD.
ProFTPD grew out of the desire to have a secure and configurable FTP server, and out of a significant admiration of the Apache web server.
When the project began, the most commonly used server was wu-ftpd. While wu-ftpd provides excellent performance and is generally a good product, it lacks numerous features found in newer Win32 FTP servers and has a poor security history. Many people, including the developers who work on ProFTPD, had spent a great deal of time fixing bugs and hacking features into wu-ftpd. Unfortunately, it quickly became clear that a complete redesign was necessary in order to implement the configurability and features desired.
In addition to wu-ftpd, there are a few other FTP servers available which are designed to be light-weight and secure at the expense of configurability. For example, Troll FTP is an excellent FTP daemon which is considerably more secure and less resource-intensive than wu-ftpd. Unfortunately, while it is quite suitable for basic FTP services, it does not offer the feature set required for more sophisticated FTP sites.
ProFTPD is not a hack based on any other server; it is an independent source tree written from the ground up. A number of well known and high traffic sites use ProFTPD. Proftpd


Getting Started

In this exercise we are going to set up a stand-alone ftp daemon listening on port 21. It will allow anonymous read-only access to the /ftp tree and also allow authenticated ftp logins from the local LAN. The clients on the local LAN will be allowed to read and write files and directories. Clients will be limited in the total number of connections, the number of connections per client and the number of clients per IP address. The server will run with the minimal privileges of the user "nobody" and full logging will be enabled. Finally, we are going to apply connection timeouts and restrict the characters we accept in command arguments from all ftp clients.
You can download the config here by doing a "save as" or just clicking on the link and choosing download. Before using the config file take a look at it below, or download it and look at the options. calomel.org proftpd.conf
#######################################################
###  Calomel.org proftpd.conf   BEGIN
#######################################################

ServerName                      "YOUR_SERVER name"
ServerType                      standalone
AllowOverride                   off
DefaultServer                   on
ServerIdent                     off
UseReverseDNS                   off
IdentLookups                    off
DisplayConnect                  /usr/local/etc/issue.ftp
DisplayLogin                    /usr/local/etc/welcome.msg
DisplayChdir                    /usr/local/etc/.message
ScoreboardFile                  /var/run/proftpd.score
ListOptions                      +R strict
TimesGMT                        off
AllowRetrieveRestart            on
ShowSymlinks                    off
DenyFilter                      [^*/A-Za-z0-9_.-]

# Lockdown connections and connection attempts.
MaxClients                      80 "Maximum of %m users are already connected."
MaxInstances                    80
MaxClientsPerUser               80
MaxHostsPerUser                 80
MaxClientsPerHost               80 "Maximum of 80 clients per host allowed."
MaxLoginAttempts                1
RequireValidShell               no

# Lockdown command send/receive sizes and type.
PassivePorts                    49152 65534
SocketOptions rcvbuf            8192
SocketOptions sndbuf            8192
CommandBufferSize               512

# Limit login times and timeouts to drop dead clients.
TimeoutLogin                    60
TimeoutIdle                     150
TimeoutNoTransfer               150
TimeoutStalled                  150

# Log format and location
TransferLog none

## Normal Mode
LogFormat awstats "%t %h %u %m %f %s %b"
ExtendedLog /var/log/xferlog read,write awstats

## Debug Mode for testing
# LogFormat debug "%t %a %A %U %r %D %s %F %b %T"
# ExtendedLog /var/log/xferlog all debug

# No ftp user ever needs root
RootLogin                       off

# Port 21 and umask 022
Port                            21
Umask                           022

# Set the user and group that the server normally runs at.
User                            nobody
Group                           nobody

# Setup fake properties if needed.
DirFakeGroup                    On
DirFakeUser                     On
DirFakeMode                     0400

# Limit ftp logins to the internal lan.
<Limit LOGIN>
  Order                 allow,deny
  Allow                 from 10.10.
  Deny                  from all
</Limit>

<Global>
  # Limit CHMOD everywhere in the anonymous chroot
        <Limit SITE_CHMOD>
                DenyAll
        </Limit>
  # Deny active mode (PORT) and the extended passive/port commands
        <Limit EPSV EPRT PORT>
                DenyAll
        </Limit>
</Global>

# Normally, we want files to be overwritable.
<Directory />
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous /ftp>
        # Allow logins if they are disabled above.
        <Limit LOGIN>
            AllowAll
        </Limit>

        User            ftp
        Group           ftp
        UserAlias       anonymous ftp
        HideNoAccess    on

        # Limit WRITE everywhere in the anonymous chroot
        <Limit WRITE>
                DenyAll
        </Limit>

        # Drop CHMOD permission
        <Limit SITE_CHMOD>
                DenyAll
        </Limit>
</Anonymous>
#
#######################################################
###  Calomel.org proftpd.conf  END
#######################################################






Building the binaries

Step 1: First you need to download the latest source code for proftpd. Make a directory to work in and change to it; we will use /tmp for the example. Go to the ProFTPD home page and get the latest tarball, untar it in /tmp and change into the directory it unpacked into.
Step 2: Now build proftpd. We are going to build it without PAM support to simplify the setup; local users are then authenticated against the system password database by mod_auth_unix. This line builds the binaries and installs them under the default prefix /usr/local/:
./configure --disable-auth-pam && make && make install
Step 3: Now that proftpd is built and installed, download the proftpd.conf file above and put it in /usr/local/etc/proftpd.conf.


Looking at the proftpd.conf

The config file has a lot of options and there are a few that will need your attention before you are ready to start the daemon. Remember that entire books are written on ProFTPD and we can not cover every option here. For the options we do not cover please take a look at the ProFTPD project documentation.
ServerName is the name the daemon presents in its greeting banner. "ProFTPD" is the default string, but you can change that here. ServerIdent off additionally keeps the version string out of the banner.
DenyFilter is a regular expression that is tested against the argument of every command; if it matches, the command is rejected with "Forbidden command argument". The pattern here matches any character outside the set */A-Za-z0-9_.- so in effect it is the list of characters we will accept. Trust no one. Be aware that this also rejects file names containing spaces, parentheses or non-ASCII characters, and that "." and "/" are allowed, so it is the chroot and the file system permissions, not the filter, that stop path traversal.
Lockdown connections and connection attempts caps the number of simultaneous connections: MaxClients and MaxInstances cap the total, MaxClientsPerHost caps connections from a single IP address and MaxClientsPerUser and MaxHostsPerUser cap connections made with the same login name. MaxLoginAttempts 1 disconnects a client after a single failed login. The timeouts in the "Limit login times and timeouts" section are in seconds; a client that hits one of them is disconnected.
Lockdown command send/receive sizes and type is the section listing the passive data-connection port range (PassivePorts) and the socket send/receive buffer sizes. The defaults should be fine for most servers. What does need attention is your firewall: it must allow inbound TCP connections on the PassivePorts range, because active mode (PORT/EPRT) is denied further down and every data connection will be passive.
The LogFormat directive comes in a "normal mode" and a "debug mode." When testing the server we suggest using the debug mode, which logs everything a client does. Remember your logs will get very large when debug is on, so switch to "normal mode" when your ftp server is ready to go live.
User and Group the server runs as is "nobody" for this example. This is the unprivileged user the server drops to after binding port 21.
Fake properties obscure the owner, group and permissions of files as the clients see them. In the example, anonymous clients see the owner as ftp, the group as ftp and the mode as 0400. This does _NOT_ change the file system permissions, only what the ftp clients are shown.
Limit ftp logins to the internal lan keeps anyone _not_ on the 10.10.0.0/16 network (addresses matching the prefix "10.10.") from logging in with a real account. Everyone can still log in with read-only anonymous access, because the Anonymous section overrides this with its own <Limit LOGIN> AllowAll.
Global directives set rules for the entire server. We DenyAll for SITE CHMOD, and we DenyAll for EPSV (extended passive mode), EPRT (extended port mode) and PORT (active ftp mode). Only plain PASV data connections remain, which is why PassivePorts is set.
Directory sets AllowOverwrite on for the whole tree. This means that anyone on the local lan who authenticates with a real account can overwrite files, subject to the file system permissions they have been given.
Anonymous holds the rules for all anonymous users. They may log in under the name "ftp" or "anonymous" (UserAlias maps anonymous to ftp) and are chrooted into /ftp. They will _not_ be able to write anything (<Limit WRITE> DenyAll) and SITE CHMOD is denied completely. The system user "ftp" must exist, and /ftp should be owned by root and not writable by that user.


Starting the daemon

Now that proftpd is built and installed and the proftpd.conf is in place we can start the daemon. The daemon runs as the user you selected in the conf file, "nobody" for this example, and the anonymous section runs as "ftp", so make sure both users exist. It is worth running "proftpd -t" first to check the configuration syntax. When the ftp server starts it will listen on port 21 by default.
To start the daemon execute the following:
/usr/local/sbin/proftpd


Testing the ftp server

To test the server use your favorite ftp client and point it at the machine you started the daemon on. Log in anonymously with the user name "ftp" and the password "ftp@ftp.com" (the password for an anonymous login is by convention an e-mail address; any one will do). Once logged in you should be able to do an "ls -la" and see all of the files in the /ftp directory. While you are there, try an upload and a "site chmod": both should be refused.
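The manual check above can be scripted. The following is an added example, not code from the original page or from the ProFTPD project: it logs in anonymously with Python's ftplib, confirms that a listing works, and then confirms that STOR, MKD, SITE CHMOD, PORT and EPSV are all refused, which is what the <Limit WRITE>, <Limit SITE_CHMOD> and <Limit EPSV EPRT PORT> blocks in the config are supposed to guarantee. The function and check names are my own; the probe file and directory names are made up and are never created if the lockdown holds.

```python
"""Probe a ProFTPD server built from the page's proftpd.conf and check that
the anonymous lockdown holds. Added example, not part of the original page."""
import sys
from ftplib import FTP, error_perm
from io import BytesIO

ANON_USER = "ftp"
ANON_PASS = "ftp@ftp.com"   # the anonymous password used in the page's test step


def _denied(action):
    """Run action(); return True if the server refused it with a 5xx reply.

    The refusal may come from a <Limit> DenyAll or from DenyFilter rejecting
    the argument first (SITE CHMOD and PORT arguments contain spaces and
    commas). Either way the reply is 5xx and the operation did not happen.
    """
    try:
        action()
    except error_perm:
        return True
    return False


def audit_anonymous(ftp):
    """ftp: a connected, not yet logged-in ftplib.FTP-like object.

    Returns a dict of check name -> True when the expected behaviour held.
    """
    results = {}
    ftp.login(ANON_USER, ANON_PASS)   # "anonymous" also works via UserAlias
    ftp.set_pasv(True)                # PORT/EPRT are denied, so stay passive
    results["anonymous_can_list"] = isinstance(ftp.nlst(), list)
    results["store_denied"] = _denied(
        lambda: ftp.storbinary("STOR probe.txt", BytesIO(b"probe")))
    results["mkdir_denied"] = _denied(lambda: ftp.mkd("probe"))
    results["chmod_denied"] = _denied(
        lambda: ftp.sendcmd("SITE CHMOD 644 probe.txt"))
    results["port_denied"] = _denied(
        lambda: ftp.sendcmd("PORT 127,0,0,1,4,1"))
    results["epsv_denied"] = _denied(lambda: ftp.sendcmd("EPSV"))
    ftp.quit()
    return results


def lockdown_holds(results):
    """True only if every check in the audit came out as expected."""
    return all(results.values())


def run_audit(host, port=21, timeout=10):
    """Connect to a real server and run the audit against it."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    return audit_anonymous(ftp)


if __name__ == "__main__":
    # usage: python audit_anon_ftp.py <host>   (host name is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    report = run_audit(target)
    for name, ok in report.items():
        print(f"{name:20s} {'OK' if ok else 'FAIL'}")
    sys.exit(0 if lockdown_holds(report) else 1)
```

Because MaxLoginAttempts is 1 in this config, the script logs in exactly once; if you extend it with a wrong-password probe, do that in a separate connection. Run it from a host outside 10.10.0.0/16 as well, to confirm that only the anonymous account is reachable from there.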


Questions?

What is "server said: Forbidden command argument" ?
The ftp client sent a command whose argument matched the DenyFilter regular expression. DenyFilter is a pattern of characters the server refuses; with the filter in this config that means the argument contained a character outside the set */A-Za-z0-9_.- (a space in a file name is the usual cause). Any such command is rejected with this error.
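To make the filter's behaviour concrete, here is an added example (my own code, not from the page or from ProFTPD) that applies the exact DenyFilter pattern from the proftpd.conf above to a set of constructed command arguments, the way ProFTPD applies it to the argument of each command. It shows which arguments get "Forbidden command argument" and which characters caused it, and it demonstrates the caveat from the config walkthrough: "../" passes the filter, so traversal is stopped by the chroot, not by DenyFilter.

```python
"""Simulate the DenyFilter check from the page's proftpd.conf.
Added example; not part of the original page or of ProFTPD itself."""
import re

# The pattern from the config. It matches any ONE character that is not in
# the allowed set; ProFTPD rejects a command if the pattern matches anywhere
# in the command's argument, replying "Forbidden command argument".
DENY_FILTER = re.compile(r"[^*/A-Za-z0-9_.-]")


def deny_filter_rejects(argument):
    """True if ProFTPD with this DenyFilter would reject the argument."""
    return DENY_FILTER.search(argument) is not None


def offending_chars(argument):
    """Characters in argument that trip the filter, in order of first appearance."""
    found = []
    for match in DENY_FILTER.finditer(argument):
        ch = match.group(0)
        if ch not in found:
            found.append(ch)
    return found


def classify(arguments):
    """Map each argument to 'accepted' or 'denied'."""
    return {a: ("denied" if deny_filter_rejects(a) else "accepted")
            for a in arguments}


# Constructed sample arguments a client might send with RETR, CWD, LIST etc.
SAMPLE_ARGUMENTS = [
    "pub/README.txt",       # plain path: accepted
    "-la",                  # option to LIST, so "ls -la" works: accepted
    "-R",                   # passes the filter; ListOptions +R strict blocks it
    "*.iso",                # glob for NLST / mget: accepted
    "../../etc/passwd",     # accepted! the chroot stops traversal, not the filter
    "my file.txt",          # space: denied, so files with spaces cannot be fetched
    "report(2).pdf",        # parentheses: denied
    "x;id",                 # shell metacharacter: denied
    "r\u00e9sum\u00e9.txt", # non-ASCII: denied
]

if __name__ == "__main__":
    for arg, verdict in classify(SAMPLE_ARGUMENTS).items():
        bad = offending_chars(arg)
        print(f"{verdict:8s} {arg!r}" + (f"  offending: {bad}" if bad else ""))
```

If you need to serve files whose names contain spaces or accented characters, widen the character class deliberately rather than dropping DenyFilter altogether.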
Why doesn't "ls -R" work?
A recursive directory listing is a server-intensive task and is normally not allowed. If you really want to allow ftp clients to do recursive listings then comment out the line "ListOptions +R strict" in the proftpd.conf file. We DO NOT recommend doing this, as a single client can overload your server by doing repeated "ls -R" requests.
Can a client resume / continue an incomplete download without starting over?
Yes. Make sure the directive AllowRetrieveRestart is set to "on". This will allow for resumed downloads on the server side. Remember the client must also have the ability to resume downloads.
Can I hide a directory, but still allow access without a password?
Yes, you can. By putting a period in front of the name of the directory it will not show up when the ftp user does a plain ls. If the user knows about it, they can change directory into it by typing the name out. Once in the hidden dir they can list files with ls as normal. This is obscurity, not access control: a client that sends "ls -a" will see the name, so do not rely on it to protect anything.
Can I setup a message when the users connect?
Yes you can. You need to put some text into the file you named in the DisplayConnect directive. In the example we used the file /usr/local/etc/issue.ftp . In this file you could put something like the following, and all users will see it when they connect.
######################################################################
#//                                                                 \#
#|                     Welcome Leechers.                            |#
#\                                                                 //#
######################################################################

...or how about ascii art?
