Installing ProFTPd

From: M.W.Chang

Date: November 15, 2003 (6th Revision)

This document describes the compile/install and configuration of a very basic ProFTPD service.

INSTALLATION

Grab proftpd-1.2.9.tar.gz (the tarball) from the ProFTPD website. I am using Caldera OpenLinux 3.1, so I configured the package with the switches below and used checkinstall-1.5.2 to turn the package into a regular RPM for installation. Note that I included some of the plug-in modules from the /contrib directory of proftpd.


#!/bin/bash

# decompress the archive in /usr/src

#

cd /usr/src

tar xzvf /path/to/proftpd-1.2.9.tar.gz

# configure it

#

cd proftpd-1.2.9

./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --localstatedir=/var/run \
  --with-modules=mod_readme:mod_wrap:mod_ratio

# later on, you may want to compile with these modules to deploy

# more advanced features like mysql and openldap support

# mod_sql:mod_sql_mysql:mod_ldap

#

make -j 3

#

# you may use checkinstall to install proftpd, which will

# keep a record of all the files installed by `checkinstall`

# and build an rpm

#

# checkinstall -si make install

#

make install


NOTE: checkinstall-1.5.2 would require you to enter the path to Caldera's RPM repository in /usr/src/OpenLinux.

If everything goes well, you will find the following files installed:


root@server: html> rpm -qil proftpd

Name        : proftpd                      Vendor: (none)

Version     : 1.2.9                  Distribution: (none)

Release     : 1                        Build Host: server.donkeyware.org

Install Date: 2003-11-02T03:54:58Z     Build Date: 2003-11-02T03:54:45Z

Size        : 968322                   Source RPM: proftpd-1.2.9-1.src.rpm

Group       : Applications/System

Copyright   : GPL

Packager    : checkinstall-1.5.2

Summary     : Package created with checkinstall 1.5.2

Description :

Package created with checkinstall 1.5.2

/usr/bin/ftpcount

/usr/bin/ftptop

/usr/bin/ftpwho

/usr/doc/proftpd-1.2.9/COPYING

/usr/doc/proftpd-1.2.9/CREDITS

/usr/doc/proftpd-1.2.9/ChangeLog

/usr/doc/proftpd-1.2.9/INSTALL

/usr/doc/proftpd-1.2.9/NEWS

/usr/doc/proftpd-1.2.9/README

/usr/doc/proftpd-1.2.9/README.AIX

/usr/doc/proftpd-1.2.9/README.FreeBSD

/usr/doc/proftpd-1.2.9/README.IPv6

/usr/doc/proftpd-1.2.9/README.LDAP

/usr/doc/proftpd-1.2.9/README.PAM

/usr/doc/proftpd-1.2.9/README.Solaris2.5x

/usr/doc/proftpd-1.2.9/README.Unixware

/usr/doc/proftpd-1.2.9/README.capabilities

/usr/doc/proftpd-1.2.9/README.cygwin

/usr/doc/proftpd-1.2.9/README.mod_sql

/usr/doc/proftpd-1.2.9/README.modules

/usr/doc/proftpd-1.2.9/README.ports

/usr/man/man1/ftpcount.1.gz

/usr/man/man1/ftptop.1.gz

/usr/man/man1/ftpwho.1.gz

/usr/man/man5/xferlog.5.gz

/usr/man/man8/ftpshut.8.gz

/usr/man/man8/proftpd.8.gz

/usr/sbin/ftpshut

/usr/sbin/in.proftpd

/usr/sbin/proftpd


DIRECTORY PERMISSIONS

Next, you need to create the home directories for the default ftp account. On my Linux server, the home directory of the ftp account in /etc/passwd is /home/ftp. For this sample installation, there is an additional directory, /home/ftpdown, for download only:

mkdir /home/ftp; chmod 753 /home/ftp; chown ftp:ftp /home/ftp

mkdir /home/ftpdown; chmod 555 /home/ftpdown; chown nobody:nobody /home/ftpdown


DISABLING WU-FTPD

Most Linux distributions come with wu-ftpd pre-installed. You have to disable it in inetd (/etc/inetd.conf or /etc/inet.d/ftp) or xinetd (/etc/xinetd.conf) and restart the inetd/TCP wrapper daemon. Otherwise it will hold the FTP ports (default: 20-21) forever. Certain packages like portsentry will also bind themselves to any unused privileged ports, so beware.

You can always find out which programs are holding port 21 (or any port number) with this command:

netstat -anp | grep 21

You can then find out more about the program. The following shows how to find more information about a program named "ftp":

ps aux | grep ftp
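A substring match on 21 also catches ports such as 2121 and PIDs such as 421, so the filter below keeps only sockets in LISTEN state whose local port is exactly the one asked for. It is an added example, not part of the original document; the function names and the sample netstat lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: list only the sockets LISTENing on an exact TCP port.
# Reads `netstat -anp`-style lines from stdin.
# On a live system: netstat -anp | listeners_on_port 21
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # $4 is the local address; the port is the text after the last ":"
            n = split($4, part, ":")
            if (part[n] == port) print $4, $7   # address and PID/program
        }'
}

# Constructed sample of netstat -anp output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      812/inetd
tcp        0      0 0.0.0.0:2121            0.0.0.0:*               LISTEN      2100/portsentry
tcp        0      0 192.0.2.5:3021          198.51.100.7:21         ESTABLISHED 2111/ncftp
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      421/sshd
EOF
}

sample_netstat | listeners_on_port 21
```

On the sample, a plain grep for 21 matches all four lines, while the filter reports only the inetd listener that has to be disabled before proftpd can bind the port.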

CONFIGURATION

Before we actually invoke /usr/sbin/proftpd, we need to write a configuration file called /etc/proftpd.conf. Time to convert all these design decisions into the config file; you may cut-and-paste the following into /etc/proftpd.conf:

# beginning of proftpd.conf

ServerName "Your FTP Server"

# If you want to use inetd/xinetd, make sure you edit their

# config files to use in.proftpd as daemon name, and change

# ServerType to inetd.

ServerType standalone

# if not switched on, won't answer calls from unknown destinations

DefaultServer on


DefaultTransferMode binary

ServerIdent off

DefaultRoot ~


# Port 21 is the standard FTP port.

Port 21


# If you do want normal users logging in at all, comment this out

<LIMIT LOGIN>

  DenyAll

</LIMIT>


# Set the user and group that the server normally runs at.

User nobody

Group nogroup


MaxInstances 10


# Set the maximum number of seconds a data connection is allowed

# to "stall" before being aborted.

TimeoutStalled 300


UseFtpUsers off

RootLogin off

PersistentPasswd off


# these speed up the login process but make the log less readable

UseReverseDNS off

IdentLookup off


# you can have a separate file from the regular /etc/passwd

#AuthUserFile /etc/proftpd-passwd


<Global>

  Umask                         022

  RequireValidShell             off

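  # "on" lets a client direct the data connection to a third host
  # (site-to-site/FXP transfers); set it to off if you do not need that

  AllowForeignAddress           on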

  DirFakeGroup                  on      ~

  DirFakeUser                   on      ~

  DirFakeMode                   0440

  HiddenStor on

</Global>

# We want 'welcome.msg' displayed at login, and '.message' displayed

# in each newly chdired directory.

DisplayLogin welcome.msg

DisplayFirstChdir .message

AccessDenyMsg "404 Access for %u has been denied."


<Anonymous /home/ftpdown>

  <Limit LOGIN>

    AllowAll

  </Limit>

# you can use the alias as a password for your downloaders. :)

  UserAlias                     download ftp

#

# But if you really use a password, you need to encrypt the password 

# and paste the encrypted text below and uncomment the 2 lines below

# AnonRequirePassword           on

# UserPassword                  ftp crypted-text

#

  RequireValidShell             off

  User                          ftp

  Group                         ftp


# you may not like the bandwidth control below

# TransferRate        RETR|STOR|APPE|STOU KBrate:freebytes

  TransferRate RETR 20:0

# older version use the following directive instead.

#  RateReadBPS 20000


  MaxClients                    3 "550 Too Many Users (Limit=%m)"

  MaxClientsPerHost             1 "551 One connection per IP"


# allow resume in downloading

  HideNoAccess on

  AllowRetrieveRestart on

  <Limit WRITE>

    DenyAll

  </Limit>

</Anonymous>


<Anonymous /home/ftp>

  <Limit LOGIN>

    AllowAll

  </Limit>

  UserAlias                     anonymous ftp

  User                          ftp

  Group                         ftp

  RequireValidShell             off

# allow resume in uploading

  AllowStoreRestart             on

  AllowOverwrite                on

  <Limit REST STOR MKD APPE>

    AllowAll

  </Limit>

  <Limit RMD RNFR RNTO RETR DELE>

    DenyAll

  </Limit>

# Reject all files with leading periods or dashes:

  PathDenyFilter "(^|/)[-.]"

</Anonymous>

# end of proftpd.conf


You will notice that there is a crypted-text placeholder above. It's the password for the ftp directory, encrypted by Linux. You can use cli-crypt-1.0.tar.gz, a package downloadable from http://freshmeat.net that was basically written for generating passwords for proftpd. Another simple way is to use a short perl script (courtesy of http://www.linuxjournal.com):

perl -e 'print("userPassword: ".crypt("secret","salt")."\n");' 

Just run the script, then cut and paste the encrypted password into the blank above.

DAEMON CONTROL

The following is a script to start/stop proftpd daemon:

#!/bin/bash

# reference:

# http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Stopping.html

#


# ProFTPD files

FTPD_BIN=/usr/sbin/proftpd

FTPD_CONF=/etc/proftpd.conf

PIDFILE=/var/run/proftpd.pid


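# If PIDFILE exists, does it point to a running process?

if [ -f "$PIDFILE" ]; then
   pid=`cat "$PIDFILE"`
   # a stale PID file (e.g. after a crash) must not count as "running"
   if ! kill -0 "$pid" 2>/dev/null; then
      pid=
   fi
fi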


if [ ! -x $FTPD_BIN ]; then

    echo "$0: $FTPD_BIN: cannot execute"

    exit 1

fi


case $1 in


    start)

      if [ -n "$pid" ]; then

        echo "$0: proftpd [PID $pid] already running"

        exit

      fi


      if [ -r $FTPD_CONF ]; then

        echo "Starting proftpd..."

        rm -f /etc/shutmsg

        $FTPD_BIN -c $FTPD_CONF


      else

        echo "$0: cannot start proftpd -- $FTPD_CONF missing"

      fi

      ;;


    stop)

      if [ -n "$pid" ]; then

        echo "Stopping proftpd..."

        kill -TERM $pid


      else

        echo "$0: proftpd not running"

        exit 1

      fi

      ;;


    restart)

      if [ -n "$pid" ]; then

        echo "Rehashing proftpd configuration"

        kill -HUP $pid


      else

        echo "$0: proftpd not running"

        exit 1

      fi

      ;;


    *)

      echo "usage: $0 {start|stop|restart}"

      exit 1

      ;;

esac


exit 0


LOG ANALYSIS

Proftpd generates a log file similar to wu-ftpd's, i.e. /var/log/xferlog. That means you can use the xferstats script in the /usr/src/proftpd-1.2.9/contrib directory of the proftpd source (or the one from wu-ftpd, which has bugs) to analyze the log. I put the xferstats script in /usr/sbin. There is a newer version of xferstats; search for it via google.com using the keyword "xferstats" or try http://xferstats.off.net. For a graphical presentation, you may use awstats. Its website has an article teaching you how to modify the proftpd log format to suit its presentation.
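For a quick look at the log without xferstats, the sketch below totals transfers per direction, access mode and completion status, and lists the anonymous uploads that land in the /home/ftp drop area. It is an added example, not part of the original document or of the proftpd distribution; the function names and the sample log lines are constructed, and it assumes the standard xferlog(5) field layout.

```sh
#!/bin/sh
# Added example: summarise xferlog lines read from stdin.
# Layout per xferlog(5): 5 date tokens, transfer time, remote host ($7),
# bytes ($8), file name, then nine trailing fields. The trailing fields are
# addressed from the end so a file name containing spaces would not shift them:
#   $(NF-6) direction i|o   $(NF-5) access mode a|g|r   $NF status c|i

# Count and bytes per direction/access/status, e.g. "o/a/c 2 163840".
xferlog_totals() {
    awk 'NF >= 18 {
             k = $(NF-6) "/" $(NF-5) "/" $NF
             n[k]++; b[k] += $8
         }
         END { for (k in n) printf "%s %d %d\n", k, n[k], b[k] }' | sort
}

# Anonymous uploads (direction i, access mode a): host, bytes, status, file.
anon_uploads() {
    awk 'NF >= 18 && $(NF-6) == "i" && $(NF-5) == "a" {
             f = $9
             for (j = 10; j <= NF - 9; j++) f = f " " $j
             printf "%s %d %s %s\n", $7, $8, $NF, f
         }'
}

# Constructed sample log lines (not taken from a real server).
sample_xferlog() {
    cat <<'EOF'
Sat Nov 15 10:02:11 2003 4 192.0.2.10 81920 /home/ftpdown/tools.tar.gz b _ o a guest@example.org ftp 0 * c
Sat Nov 15 10:05:40 2003 9 198.51.100.7 204800 /home/ftp/report.zip b _ i a someone@example.net ftp 0 * c
Sat Nov 15 10:09:02 2003 2 198.51.100.7 1024 /home/ftp/partial.bin b _ i a someone@example.net ftp 0 * i
Sat Nov 15 10:12:30 2003 4 192.0.2.10 81920 /home/ftpdown/tools.tar.gz b _ o a guest@example.org ftp 0 * c
EOF
}

sample_xferlog | xferlog_totals
sample_xferlog | anon_uploads
```

On a live server, feed it the real log: xferlog_totals < /var/log/xferlog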

For your convenience, here's my /etc/logrotate.d/ftpd for proftpd's logs (in /var/log):

# beginning of /etc/logrotate.d/ftpd

missingok


/var/log/xferlog {

  size=256k

  nocopytruncate

  postrotate

    /usr/bin/killall -HUP syslogd

  endscript

}


/var/log/ftp {

  daily

  rotate 7

  postrotate

    /usr/bin/killall -HUP syslogd

  endscript

}

# end of /etc/logrotate.d/ftpd

MONITOR

Just like wu-ftpd, the command ftpwho will tell you which users are currently connected to your proftpd. For more detail, you can use ftpwho -v. In verbose mode, the transfer rate of each connection is shown. And with the release of proftpd-1.2.7 and later, there is a new command called ftptop.

Alternatively, you may use SNMP tools like MRTG. One linux-sxs editor recommended the console tools pppstatus and ethstatus. I have found a tool called ifstat which is really simple.

root@server: init.d> ifstat
       eth0                eth1
 KB/s in  KB/s out   KB/s in  KB/s out
    0.67     16.96      0.00      0.00
    1.25     33.58      0.00      0.00
    0.67     16.81      0.00      0.00

There is also ntop, whose results you can view via a web browser (just like webmin). You can find them at http://freshmeat.net!

Useful References