To allow anonymous uploads, insert these lines into the
'Anonymous' section of your 'proftpd.conf' file:
  <Directory incoming>
    <Limit STOR CWD>
      AllowAll
    </Limit>
    <Limit READ RMD DELE MKD>
      DenyAll
    </Limit>
  </Directory>
and create (mkdir) as 'root' an 'incoming' directory in '/var/ftp'
with write permissions for the 'ftp' user:
  chmod 770 /var/ftp/incoming
  chown ftp:ftp /var/ftp/incoming
The options in detail:
  <Limit STOR CWD> AllowAll: lets anonymous users change into the directory (CWD) and upload files into it (STOR).
  <Limit READ RMD DELE MKD> DenyAll: forbids reading, i.e. downloading, files from it (READ covers RETR), deleting files (DELE) and creating or removing subdirectories (MKD, RMD), so the directory works as a drop box that cannot be abused to redistribute files.
Note that READ covers file retrieval only, not directory listings (LIST, NLST); if uploaders should not see what others have dropped, add LIST and NLST to the DenyAll limit as well.
Well, if you insist ...
Full Accounts
Every user on the system running the FTP server can access
their home directory via FTP by logging in with their user name and password
(which plain FTP transmits in cleartext).
If you don't want that, i.e. if you only want to allow
anonymous access to the FTP server, add the directive
  <Limit LOGIN>
    DenyAll
  </Limit>
to the general section of 'proftpd.conf'. Should anonymous logins
then be refused as well, give the 'Anonymous' section its own
'<Limit LOGIN> AllowAll </Limit>' to override the general denial.
Like with anonymous users, you can put authenticated
users into a change-rooted 'jail' by using the 'DefaultRoot' directive:
  DefaultRoot /var/ftp
will redirect all users logging in via FTP to the '/var/ftp'
directory and 'jail' them in there (i.e. they won't be able to change into
any directory outside the '/var/ftp' hierarchy). 'DefaultRoot ~' does the
same with each user's own home directory.
Guest Accounts
In order to create a password protected anonymous login,
a so-called 'guest account', you have to create a user account on the server
with a password (e.g. using useradd or 'Userdrake'). The directive
you need is 'AnonRequirePassword on'. Let's assume you have created the user
account 'ftplogin'. Your 'Anonymous' section would then look like this:
  <Anonymous ~ftp>
    User ftplogin
    Group ftp
    AnonRequirePassword on
    RequireValidShell off
    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>
Now your anonymous FTP users have to log in with the user
name 'ftplogin' and the password you've provided when creating the account.
Security notice: you shouldn't provide that
user account with a valid login shell. Use '/bin/false' instead, either by
using the appropriate option to 'useradd' or in 'Userdrake', or by editing
the file '/etc/passwd' after creating the account. With 'useradd', you'd do
something like this (as 'root'):
  useradd -d /var/ftp -s /bin/false -g ftp ftplogin
  passwd ftplogin
This creates a user account 'ftplogin', group 'ftp',
with the home directory '/var/ftp' and the (invalid) shell '/bin/false';
'passwd' then prompts for the account's password. Don't be tempted to pass
the password with 'useradd -p': that option expects an already encrypted
(crypt) string, so a cleartext password given there would lock the account
out, and it would also end up in your shell history. Since
'RequireValidShell' is 'off' in the 'Anonymous' section above, ProFTPD does
not mind that '/bin/false' is not listed in '/etc/shells'.
Adopting this configuration, you can create 'home directories'
for particular users by creating accounts for them with home directories in
the '/var/ftp' tree.
For more options and features like ratios, virtual servers
etc, have a look at the fine ProFTPd
documentation site, especially the FAQ.
Running any kind of server for untrusted clients poses
a security threat. If you want to do this, you are advised to follow security
advisories closely, e.g. by subscribing to lists like the famous Bugtraq. Mandrakesoft also offers
two security mailing lists, security-announce and security-discuss.
There are some more options for '/etc/proftpd.conf' which
you should consider for the sake of security.
Restricting Access
You can restrict access to certain IP ranges or hostnames
with the Limit LOGIN option:
  <Limit LOGIN>
    Order Allow,Deny
    Allow from 128.44.26.,myhost.mydomain.edu
    Deny from all
  </Limit>
Notice that you are advised to use IP addresses instead
of domain names: a hostname rule depends on a reverse DNS lookup of the
client's address, which costs time on every connection and is only as
trustworthy as the DNS server that answers it.
Setting Filters
AllowFilter and DenyFilter
allow you to filter out string-based attacks. The server will only accept
commands whose arguments match AllowFilter and rejects every command whose
arguments match DenyFilter. For example,
  AllowFilter "^[a-zA-Z0-9 ,]*$"
lets only alphanumeric characters, spaces and commas through. Note that this
also rejects dots and slashes, so a 'RETR pub/report.txt' would fail; widen
the character class to what your file names actually need. A related option
is CommandBufferSize number, which caps the length of a command line the
server will accept.
PathAllowFilter and PathDenyFilter
on the other hand apply to file names (the arguments of STOR, RETR and the
like) and let you filter out unwanted names or restrict them to a certain
pattern. To reject every path component with a leading period or dash
(hidden files like '.rhosts', or names like '-rf' that a tool later run on
the uploads could mistake for options), use
  PathDenyFilter "(^|/)[-.]"
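As an added example (not part of this tutorial or of ProFTPD itself), the following Python script replays the AllowFilter and PathDenyFilter patterns from this section against constructed sample arguments. ProFTPD compiles the filter directives as POSIX extended regular expressions; for character-class patterns this simple Python's re module matches identically, so the script shows which command arguments and file names the filters would accept before you commit them to proftpd.conf. The relaxed pattern ALLOW_FILTER_RELAXED and all sample strings are assumptions made for the example, not taken from the page.

```python
"""Dry-run of the ProFTPD AllowFilter / PathDenyFilter regexes above.

ProFTPD compiles the filter directives as POSIX extended regular
expressions and tests them unanchored (like regexec) against the command
argument (AllowFilter/DenyFilter) or the file path (PathAllowFilter/
PathDenyFilter).  Python's re module behaves the same way for the simple
character-class patterns used here, so the filters can be checked against
sample input before being put into proftpd.conf.
"""
import re

# Patterns taken from the proftpd.conf examples in this section.
ALLOW_FILTER = r"^[a-zA-Z0-9 ,]*$"
PATH_DENY_FILTER = r"(^|/)[-.]"

# Assumed relaxed alternative (not from the page): also permits the dot,
# underscore, slash and dash that ordinary file names need, while still
# rejecting shell metacharacters and non-ASCII bytes.
ALLOW_FILTER_RELAXED = r"^[a-zA-Z0-9 ,._/-]*$"


def accepted(value, allow=None, deny=None):
    """Apply ProFTPD's filter logic to one string.

    - an Allow filter must match, or the command is rejected;
    - a Deny filter must not match, or the command is rejected.
    Both are searched anywhere in the string, so the patterns themselves
    carry the '^' anchor when they want one.
    """
    if allow is not None and re.search(allow, value) is None:
        return False
    if deny is not None and re.search(deny, value) is not None:
        return False
    return True


def command_arg_allowed(arg, allow=ALLOW_FILTER, deny=None):
    """AllowFilter / DenyFilter decision for a command argument."""
    return accepted(arg, allow, deny)


def path_allowed(path, allow=None, deny=PATH_DENY_FILTER):
    """PathAllowFilter / PathDenyFilter decision for a file name."""
    return accepted(path, allow, deny)


# Constructed sample input (not captured traffic).
SAMPLE_ARGS = [
    "incoming",          # plain directory name: fine
    "file,list 1",       # comma and space are in the class
    "report.txt",        # legitimate, but the dot is not allowed
    "pub/doc",           # legitimate, but the slash is not allowed
    "a;rm -rf /",        # shell metacharacters: rejected
    "\xff\xfe",          # high bytes: rejected
]
SAMPLE_PATHS = [
    "incoming/upload.tar.gz",  # dot inside a component is fine
    ".htaccess",               # leading dot: rejected
    "incoming/-rf",            # component starting with a dash: rejected
    "../etc/passwd",           # '..' starts with a dot: rejected
    "pub/notes-2003.txt",      # dash inside a component is fine
]


def evaluate(args=SAMPLE_ARGS, paths=SAMPLE_PATHS):
    """Return two dicts mapping each sample to the filters' decision."""
    return (
        {a: command_arg_allowed(a) for a in args},
        {p: path_allowed(p) for p in paths},
    )


if __name__ == "__main__":
    arg_results, path_results = evaluate()
    print("AllowFilter %s" % ALLOW_FILTER)
    for a, ok in arg_results.items():
        relaxed = command_arg_allowed(a, allow=ALLOW_FILTER_RELAXED)
        print("  %-24r strict=%-5s relaxed=%s" % (a, ok, relaxed))
    print("PathDenyFilter %s" % PATH_DENY_FILTER)
    for p, ok in path_results.items():
        print("  %-24r %s" % (p, "allowed" if ok else "rejected"))
```

Running it shows the point made above: the strict AllowFilter rejects 'report.txt' and 'pub/doc' along with the genuinely hostile arguments, while the relaxed class keeps the shell metacharacters and high bytes out without breaking ordinary transfers.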
Limiting Resources
ProFTPd lets you limit resources in various ways: you
can limit the storage space, the number of connections, the transfer
rate, and the resources the server itself may use.
To prevent people from filling up the file system '/var/ftp/incoming'
is on, you can set a quota with:
Quotas on
DefaultQuota bytes
Other quota options like QuotaExempt UID
allow you finer-grained control over who is allowed to upload how much. But
you could also set an external quota for the 'ftp' and other anonymous user
accounts using setquota (which requires quota support on the file system).
To set a maximum number of simultaneous connections,
you use the already mentioned MaxClients option. To set a maximum
number of simultaneous connections per user, you use MaxClientsPerUser.
To prevent certain kinds of Denial-of-Service or fork
attacks, you can limit the number of child processes ProFTPd spawns (each
child is one connection) with MaxInstances .
RateReadBPS , RateReadFreeBytes ,
RateReadHardBPS , RateWriteBPS ,
RateWriteFreeBytes and RateWriteHardBPS
allow you to adjust the bandwidth clients are allowed to use.
RLimitCPU, RLimitMemory and RLimitOpenFiles
are used to set limits to ProFTPd's resource usage on the hosting machine.
Others
To make it harder for a potential attacker, you can hide
the name of the software and its version either by giving ServerIdent
some kind of text ('ServerIdent on "FTP Server ready."') or by turning it off
('ServerIdent off'). This only removes the banner; it does not stop an attacker
from fingerprinting the server by its behaviour, so it complements, but does not
replace, keeping up with security updates.