Saturday, September 01, 2007

FTP Server: Proftpd

I put up a server to share files with friends, and I had in my hands a little project on how to share them. This time I chose the always friendly FTP service. Googling around, I found Proftpd as one of the heavyweights for this and decided to install it. It can be found at: http://www.proftpd.org/.

I am using Debian 3.1 with kernel 2.6.22.6. Installation, thanks to apt, is quite easy.

a) apt-get install proftpd ... that was it, no more. (You are asked whether to run it from inetd or standalone; choose your favorite. Standalone is the usual choice for a server that is always reachable, inetd starts a proftpd process per connection.)

The next step was to set it up so I could create "virtual" FTP users without shell access (they are not that good friends!) and limit them to uploading and downloading only in certain directories.

First, add the following to /etc/proftpd/proftpd.conf:

# Chroot all users to /media/muploads, the home directory given to the virtual users below
DefaultRoot /media/muploads

# Lock all the users in their home directory, ***** really important *****
# (for these users, whose home is /media/muploads, this is the same chroot as the line above)
DefaultRoot ~

# Authenticate against these files instead of /etc/passwd and /etc/group
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group

# The <Directory ...> and <Limit ...> tags that enclosed the three blocks below
# did not survive on this page; only the directives inside them remain.
# DenyAll is only meaningful inside a <Limit> listing the FTP commands to refuse.

Umask 022 022
AllowOverwrite off
DenyAll

Umask 022 022
AllowOverwrite off
DenyAll

<Directory /media/muploads/uploads/>
Umask 022 022
AllowOverwrite on
DenyAll

The directories /media/muploads/uploads and /media/muploads/downloads should exist already.

Second, you have to create the users. For this you need the ftpasswd script (a Perl script shipped in the contrib/ directory of the ProFTPD source; download it if your package did not install it). It creates two files, ftpd.passwd and ftpd.group, which ProFTPD consults instead of the system passwd and group files for these users (the AuthUserFile and AuthGroupFile lines above). By default ftpasswd writes them into the current directory; use --file to write them directly to the paths named in the config. Read the documentation to learn more about them.

# Create the virtual user (prompts for a password); --file puts the result where
# AuthUserFile expects it (without it ftpasswd writes ./ftpd.passwd)
ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=user --uid=501 --gid=500 --home=/media/muploads --shell=/bin/false
# Create the group file the same way, with "user" as its only member
ftpasswd --group --file=/etc/proftpd/ftpd.group --name=ftpvirt --gid=500 --member=user


The first command, with the --passwd flag, will ask you for a password for the user "user"; just type it in.

The next step is to add the shell /bin/false to the /etc/shells file. ProFTPD (with its default of RequireValidShell on) refuses logins for accounts whose shell is not listed there, so without this step user "user" gets an error at login. /bin/false is a real binary, but it is not a usable shell, which is the point: we do not want the users to telnet or ssh into the machine. Listing it in /etc/shells satisfies the check; the alternative is to put RequireValidShell off in proftpd.conf, which keeps the change local to the FTP server instead of system-wide.

The final step is to change the permissions of the directories.

In /media/muploads, run:

# chown takes uid:gid; 501:500 matches the --uid=501 --gid=500 given to ftpasswd above
chown 501:500 downloads
chown 501:500 uploads
chmod 777 uploads


The user id and group id are the same for all users and for the directories. chown takes them in uid:gid order, so they must be given as 501:500 to match the --uid=501 --gid=500 passed to ftpasswd; otherwise the FTP user owns neither the directory nor its group and only a world-writable mode lets uploads work. It does not matter that these ids do not exist in /etc/passwd or /etc/group (keep an eye on them if you have several users, so that nobody else is given these ids). The chmod 777 is quite extreme and you should use something more secure: proftpd runs as the virtual uid after login, so once uid 501 owns uploads, mode 700 is enough for uploads to work.
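The whole procedure above (configuration, virtual users, the shell check and directory permissions) as one script. This is an added example, not the post's own commands: it stages everything under a prefix directory so it can be inspected before being copied into place. The paths, uid 501 and gid 500 are the post's; the <Limit WRITE> and <Limit READ> command groups are my reconstruction of the download-only/upload-only policy the post describes (the post's own <Limit> lines did not survive on this page), RequireValidShell off stands in for editing /etc/shells, and the 0755/0700 modes replace chmod 777.

```shell
#!/bin/sh
# Added example, not from the original post: stage the ProFTPD virtual-user
# setup under a prefix directory (e.g. /tmp/ftpstage) so it can be reviewed
# and then copied into /etc/proftpd and /media by hand. Paths, uid 501 and
# gid 500 come from the post; the <Limit> groups and the 0755/0700 modes are
# this example's own choices.
set -eu

FTPROOT=/media/muploads   # shared root; also the virtual users' home (post)
FTPUID=501                # --uid given to ftpasswd in the post
FTPGID=500                # --gid given to ftpasswd in the post

# Write the proftpd.conf fragment: chroot to home, virtual-user auth files,
# download-only downloads/, upload-only uploads/. $1 = output file.
write_conf() {
  cat >"$1" <<EOF
# Lock every user into their home directory (for the virtual users that is $FTPROOT)
DefaultRoot ~

# Authenticate virtual users against these files instead of /etc/passwd and /etc/group
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group

# The users' shell is /bin/false, which is not in /etc/shells; turning the check
# off for proftpd only is scoped tighter than adding /bin/false to /etc/shells
RequireValidShell off

# downloads/: read-only. WRITE covers STOR, APPE, DELE, MKD, RMD, RNTO and friends
<Directory $FTPROOT/downloads>
  Umask 022 022
  AllowOverwrite off
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>

# uploads/: a drop box. READ (RETR) is denied so nobody can fetch what others
# uploaded; names are still visible with LIST. AllowOverwrite on follows the
# post, but every virtual user shares uid $FTPUID, so any of them could replace
# another's upload; set it off if that matters.
<Directory $FTPROOT/uploads>
  Umask 022 022
  AllowOverwrite on
  <Limit READ>
    DenyAll
  </Limit>
</Directory>
EOF
}

# Create the tree under prefix $1. proftpd runs as the virtual uid after login,
# so uploads/ only needs to be writable by that uid (0700), not 777. The root
# and downloads/ stay owned by whoever runs this (root, normally) with 0755, so
# the filesystem also refuses writes from the FTP uid, not just <Limit WRITE>.
make_tree() {
  mkdir -p "$1$FTPROOT/downloads" "$1$FTPROOT/uploads"
  chmod 0755 "$1$FTPROOT" "$1$FTPROOT/downloads"
  chmod 0700 "$1$FTPROOT/uploads"
  if [ "$(id -u)" -eq 0 ]; then   # chown needs root; skipped when staging as a user
    chown "$FTPUID:$FTPGID" "$1$FTPROOT/uploads"
  fi
}

# Create the virtual user and group files where AuthUserFile/AuthGroupFile
# expect them. ftpasswd is the Perl script from ProFTPD's contrib/ directory;
# --passwd prompts for the password. Skipped when the script is not installed.
make_users() {
  command -v ftpasswd >/dev/null 2>&1 || { echo "ftpasswd not found, skipping users" >&2; return 0; }
  ftpasswd --passwd --file="$1/etc/proftpd/ftpd.passwd" --name=user \
    --uid="$FTPUID" --gid="$FTPGID" --home="$FTPROOT" --shell=/bin/false
  ftpasswd --group --file="$1/etc/proftpd/ftpd.group" --name=ftpvirt \
    --gid="$FTPGID" --member=user
}

# Stage everything under prefix $1 and print the path of the generated config.
stage() {
  mkdir -p "$1/etc/proftpd"
  write_conf "$1/etc/proftpd/proftpd.conf"
  make_tree "$1"
  make_users "$1"
  echo "$1/etc/proftpd/proftpd.conf"
}

# Usage: sh stage_proftpd.sh /tmp/ftpstage
if [ $# -gt 0 ]; then
  stage "$1"
fi
```

Run it as `sh stage_proftpd.sh /tmp/ftpstage`, review the tree and the config, then copy them into /etc/proftpd and /media as root and run `proftpd -t` to syntax-check the merged configuration. Because every virtual user shares uid 501, it is the <Limit> blocks, not file ownership, that keep one friend from reading another's upload; the 0700 mode on uploads only protects against other local accounts on the machine.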

The result: an FTP server that accepts connections from virtual users, chroots them to a shared directory rather than to system home directories, and lets them download from one directory and only upload into another.

As always, I am sure there are security holes the size of the moon in this procedure, but it is a start.
