Running Linux, 5th Edition - Matthias Kalle Dalheimer [447]

DirFakeUser on ~
DirFakeGroup on ~
DisplayLogin welcome.msg
DisplayFirstChdir .message
TransferLog /var/log/xferlog
ScoreboardFile /var/lib/proftpd/scoreFile
AllowOverwrite on
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 15
AllowAll
# Limit WRITE everywhere in the anonymous chroot
DenyAll
TransferRate RETR 40.0:1024
AllowAll

Let us first have a look at how users are handled. FTP is an old protocol that sends passwords unencrypted over the wire, so it is desirable to separate users with "real" accounts from users with FTP-only accounts. To do this, we use two configuration directives,

AuthUserFile /etc/proftpd.passwd

AuthGroupFile /etc/proftpd.group

to point ProFTPD at alternative passwd and group files. The format is the same as the regular Linux /etc/passwd and /etc/group files. The contents of /etc/proftpd.passwd for testing purposes are as follows:

joe:$1$KdLsLL1G$LNGq21xp9l/4vhF/l/0N1.:20000:20000:Joe User:/srv/ftp/joe:

The password is "qwerty" in cleartext and is hashed using the ftpasswd utility that can be found in the contrib directory in the ProFTPD tarball. /etc/proftpd.group contains only a single line:

ftpusers:x:20000:

This is used in conjunction with the

Order Deny,Allow

AllowGroup ftpusers

section in the configuration file to block regular users from logging in and to allow only members of our special group ftpusers to log in. Notice that this is not the same as the legacy file /etc/ftpusers, which can be used for listing system users who are not allowed to use FTP. The documentation states that the file specified in AuthUserFile replaces the system /etc/passwd file, but this seems not to be the case currently — hence the special group to only allow users listed in our alternative passwd file.

It is possible to have multiple users in /etc/proftpd.passwd with the same Unix numeric user ID. This is useful if you want to provide FTP access for a huge number of users without running out of user IDs. To make files appear to be owned by the currently authenticated user and group, we put in the:

DirFakeUser on ~

DirFakeGroup on ~

directives. This is only for cosmetic purposes to give users the nice fuzzy feeling that they in fact own their files. The ScoreboardFile directive specifies the location of the file used for runtime session information. This file is required for utilities such as ftpwho and ftpcount to work. This completes the main server configuration.
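As an added example (not from the book), a small Python audit of an AuthUserFile/AuthGroupFile pair like the one above: it flags MD5-crypt hashes, UIDs in the system range, home directories outside /srv/ftp, users the AllowGroup ftpusers rule would reject, and the shared numeric UIDs the text mentions. Apart from joe's quoted line, the file contents are constructed and the hashes are placeholders.

```python
# Constructed sample AuthUserFile/AuthGroupFile contents: joe's line is the one
# quoted in the text; the other entries are invented and their hashes are fake.
PASSWD_TEXT = """\
joe:$1$KdLsLL1G$LNGq21xp9l/4vhF/l/0N1.:20000:20000:Joe User:/srv/ftp/joe:
ann:$1$AaAaAaAa$BbBbBbBbBbBbBbBbBbBbBb:20000:20000:Ann Other:/srv/ftp/ann:
bob:$6$SaltSalt$CcCcCcCcCcCcCcCcCcCcCc:20001:30000:Bob Example:/srv/ftp/bob:
eve:!:0:0:Locked entry:/root:/bin/bash
"""
GROUP_TEXT = "ftpusers:x:20000:bob\n"

def parse_passwd(text):
    """name -> (hash, uid, gid, home); same seven-field layout as /etc/passwd."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, pw, uid, gid, _gecos, home, _shell = line.split(":", 6)
            users[name] = (pw, int(uid), int(gid), home)
    return users

def parse_group(text):
    """name -> (gid, members listed in the fourth field)."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), set(filter(None, members.split(","))))
    return groups

def audit(passwd_text, group_text, ftp_group="ftpusers", root="/srv/ftp/", min_uid=1000):
    """Return {user: [findings]} for an FTP-only account file like the one above."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    ftp_gid, members = groups.get(ftp_group, (None, set()))
    report = {}
    for name, (pw, uid, gid, home) in users.items():
        f = []
        if pw.startswith(("!", "*")) or pw == "x":
            f.append("locked or no usable password")
        elif pw.startswith("$1$") or not pw.startswith("$"):
            f.append("weak hash (MD5-crypt or DES-crypt)")
        if uid < min_uid:
            f.append(f"uid {uid} is in the system range; may alias a real account")
        if not home.startswith(root):
            f.append(f"home {home} is outside {root}")
        if gid != ftp_gid and name not in members:  # primary gid or listed member
            f.append(f"not in {ftp_group}; the AllowGroup {ftp_group} limit will deny login")
        shared = sorted(n for n, u in users.items() if u[1] == uid and n != name)
        if shared:
            f.append("shares uid with " + ", ".join(shared))
        report[name] = f
    return report
```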

The next part of the config file is a read-only <Anonymous> context for the users anonymous and ftp in /srv/ftp/anonymous, with a maximum of 15 concurrent users. There is also a download rate limit specified by the TransferRate RETR 40.0:1024 directive. The numbers mean that the download rate is limited to 40 KB per second for all files larger than 1 KB.

The last context of the config file specifies a writable directory /upload for the user joe. By default nothing is writable for any user, because a directive in the main server context denies writes, so user joe is granted the special privilege of being allowed to upload files to his upload directory.

Virtual Hosts

ProFTPD supports virtual hosting via the <VirtualHost> context. The FTP protocol unfortunately does not support name-based virtual hosting, unlike, for example, HTTP, but it is still possible to serve different ports or network interfaces with different configurations. All this will, of course, only work if ProFTPD is run in standalone mode; if run from inetd, the ports and interfaces that are listened to are in the hands of inetd and not ProFTPD.

Let's look at an example with a few virtual hosts configured:

ServerName "Acme FTP Server"
ServerType standalone
### Main server config
# Set
