*DocIndex - Connectivity

Configuring An FTP Server II

* Allowing Anonymous Uploads
* Authenticated FTP
* More Security

Related Resources:

ProFTPd Homepage
ProFTPd FAQ
ProFTPd User Guide
Directive List
Example configurations and more in '/usr/share/ doc/proftpd-[...]'

Revision / Modified: May 04, 2002
Author: Tom Berger

 

* Allowing Anonymous Uploads

To allow anonymous uploads, insert these lines into the 'Anonymous' section of your 'proftpd.conf' file:

<Directory incoming>
<Limit STOR CWD>
AllowAll
</Limit>
<Limit READ RMD DELE MKD>
DenyAll
</Limit>
</Directory>

and create as 'root' an 'incoming' directory in '/var/ftp' with write permissions for the 'ftp' user:

chmod 770 /var/ftp/incoming
chown ftp:ftp !$

The options in detail:

  • <Directory incoming>
    <Limit STOR CWD>
    AllowAll
    </Limit>
    Anonymous users are allowed to change into (CWD) the 'incoming' directory and put files (STOR) there.
  •        <Limit READ RMD DELE MKD SITE_CHMOD>
    DenyAll
    </Limit>
    But they are not allowed to read the contents of 'incoming' (but they may list the files), to delete or create or change permissions on files or directories in that directory. This prevents people from turning your 'incoming' directory into a warez relay.

* section index * top

* Authenticated FTP

Well, if you insist ...

Full Accounts

Every user on the system running the FTP server can access their home directory via FTP logging in with their user name and password.

If you don't want that, i.e if you only want to allow anonymous access to the FTP server, add the directive

<Limit LOGIN>
DenyAll
</Limit>

to the general section of 'proftpd.conf'.

Like with anonymous users, you can put authenticated users into a change rooted 'jail' by using the 'DefaultRoot' directive:

DefaultRoot /var/ftp

will redirect all users logging in via FTP to the '/var/ftp' directory and 'jail' them in there (i.e. they won't be able to change into any directory outside the '/var/ftp' hierarchy).

Guest Accounts

In order to create a password protected anonymous login, a so-called 'guest account', you have to create a user account on the server with a password (e.g. using useradd or 'Userdrake'). The directive you need is 'AnonRequirePassword on'. Let's assume you have created the user account 'ftplogin'. Your 'Anonymous' section would then look like this:

<Anonymous ~ftp>
User ftplogin
Group ftp
AnonRequirePassword on
RequireValidShell off
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>

Now your anonymous FTP users have to login with the user name 'ftplogin' and the password you've provided when creating the account.

Security notice: you shouldn't provide that user account with a valid login shell. Use '/bin/false' instead, either by using the appropriate option to 'useradd' or in 'Userdrake', or by editing the file '/etc/passwd' after creating the account. With 'useradd', you'd do something like this (as 'root'):

useradd -d /var/ftp -s /bin/false -g ftp -p password ftplogin

This creates a user account 'ftplogin', group 'ftp', with the home directory '/var/ftp', the (invalid) shell '/bin/false' and the passwordpassword.

Adopting this configuration, you can create 'home directories' for particular users by creating accounts for them with home directories in the '/var/ftp' tree.

For more options and features like ratios, virtual servers etc, have a look at the fine ProFTPd documentation site, especially the FAQ.

* section index * top

* More Security

Running any kind of server for untrusted clients poses a security thread. If you want to do this, you are advised to follow security advisories closely, e.g. by subscribing to lists like the famous Bugtraq. Mandrakesoft also offers twosecurity mailing lists, security-announce and security-discuss.

There are some more options for '/etc/proftpd.conf' which you should consider for the sake of security.

Restricting Access

You can restrict access to certain IP ranges or hostnames with theLimit LOGIN option:

<Limit LOGIN>
Order Allow,Deny
Allow from 128.44.26.,myhost.mydomain.edu
Deny from all
</Limit>

Notice that you are advised to use IP addresses instead of domain names.

Setting Filters

AllowFilter and DenyFilter allow you to filter out string based attacks. The server will only accept commands which matchAllowFilter and / or reject everything which matchesDenyFilter.

AllowFilter "^[a-zA-Z0-9 ,]*$"

lets only alphanumeric characters and the whitespace trough. A similar option is CommandBufferSize number which allows you to control to maximum size of commands sent to the server.

PathAllowFilter and PathDenyFilter on the other hand let you filter out unwanted file names or restrict names to a certain pattern.
To reject all files with leading periods or dashes, use

PathDenyFilter "(^|/)[-.]"

Limiting Resources

ProFTPd lets you limit resources in various ways: you can limit the storage place, the number of connections, the amount of bytes transferred simultaneously and the resources for the server itself.

To prevent people from filling up the file system '/var/ftp/incoming' is on, you can set a quota with:

Quotas on
DefaultQuota bytes

Other quota options like QuotaExempt UID allow you finer grained control on who is allowed to upload how much. But you could also set an external quota for the 'ftp' and other anonymous user accounts usingsetquota.

To set a maximum number of simultaneous connections, you use the already mentioned maxclients option. To set a maximum number of simultaneous connections per user, you useMaxClientsPerUser.

To prevent certain kinds of Denial-of-Service or fork attacks, you can limit the number of child processes ProFTPd spawns (each child is one connection) with MaxInstances.
RateReadBPS, RateReadFreeBytes, RateReadHardBPS, RateWriteBPS, RateWriteFreeBytes and RateWriteHardBPS allow you to adjust the bandwidth clients are allowed to use.
RLimitCPU, RLimitMemory andRLimitOpenFiles are used to set limits to ProFTPd's resource usage on the hosting machine.

Others

To make it harder for a potential attacker, you can hide the name of the software and its version either by giving ServerIdent some kind of text or by turning it off.

* section index * top

 
Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.