ProFTPD is an Open Source FTP Server and one of the most used, secure and reliable file transfer daemons on Unix environments, due to its file configurations simplicity speed and easy setup.
This tutorial will guide you on how you can install and use ProFTPD Server on CentOS/RHEL 6 Linux distributions for a simple file transfer from your local system accounts to remote systems.
Step 1: Install ProFTPD Server
1. Official RHEL/CentOS 6 repositories doesn’t provide any binary package for ProFTPD Server, so you need to add extra package repositories on your system provided by EPEL 6 Repo, using the following command.
|
1 2 3 |
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm |
2. Now it’s time to install ProFTPD Server on your system and some required ftp utilities that we will be using later by issuing following command.
|
1 2 3 |
yum install proftpd proftpd-utils |
Step 2: Configure ProFTPD
The default configuration file is located at /etc/proftpd.conf. To edit the configuration file, enter:
|
1 2 3 |
vi /etc/proftpd.conf |
Checking the syntax of the configuration file
|
1 2 3 |
proftpd -t6 |
Open /etc/proftpd.conf file:
|
1 2 3 |
vi /etc/proftpd.conf |
1. Set a server name (usually, the server’s hostname is added here):
|
1 2 3 |
ServerName "ProFTPD server" |
2. Remove the comment from DefaultRoot option. This will prevent the FTP users from going outside of their default directory and, for example, to access other users’ folders.
|
1 2 3 |
DefaultRoot ~ |
3. Define the range of ports for passive mode connections
|
1 2 3 4 |
# Use the IANA registered ephemeral port range PassivePorts 49152 65534 |
4. Define the files which we will use for authentication. The AuthUserFile and AuthGroupFile files will be created later, but we can define them now to complete the configuration.
|
1 2 3 4 5 6 |
# Don’t check against /etc/passwd, use only AuthUserFile AuthOrder mod_auth_file.c AuthUserFile /etc/proftpd/ftpd.passwd AuthGroupFile /etc/proftpd/ftpd.group |
5. Disable PAM authentication
|
1 2 3 4 |
PersistentPasswd off AuthPAM off |
6. Don’t check against /etc/shells
|
1 2 3 |
RequireValidShell off |
Create the files /etc/proftpd/ftpd.passwd and /etc/proftpd/ftpd.group and change the permission and ownership of the files and the proftpd folder as below :
|
1 2 3 4 5 6 7 8 |
mkdir /etc/proftpd touch /etc/proftpd/ftpd.passwd touch /etc/proftpd/ftpd.group chown -R nobody.nobody /etc/proftpd chmod 400 /etc/proftpd/ftpd.passwd chmod 400 /etc/proftpd/ftpd.group |
ProFTPD runs as user nobody in the server by default. The User option from the /etc/proftpd.conf can be used to change the user under which ProFTPD is being run. Please make sure to change the ownership of the files and ProFTPD directory accordingly in case, the user has been modified.
After making these changes, restart ProFTPD using the command :
|
1 2 3 |
service proftpd restart |
Step 3: Configuring iptables
We need to open ports 20, 21 and the port range that we have specified in the config file for the Passive connections.
|
1 2 3 4 5 6 7 8 |
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT iptables -A INPUT -p tcp -m tcp --sport 49152:65534 --dport 49152:65534 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --sport 49152:65534 --dport 49152:65534 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT |
Load ip_conntrack_ftp modul
|
1 2 3 |
modprobe ip_conntrack_ftp |
make modprobe ip_conntrack_ftp persist a reboot
Edit /etc/sysconfig/iptables-config and add the module to IPTABLES_MODULES. The delimiter is a space. For example:
|
1 2 3 |
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp" |
Step 4: Virtual users authentication configuration
When you install ProFTPD, it is almost ready to use by anonymous users, you only have to uncomment anonymous section in /etc/proftpd.conf but if you want authenticated access then you must configure extra directives, keep in mind these to virtual users authentication.
Check for the UID and GID of the user under which the Virtual users are created
|
1 2 3 4 |
grep <username> /etc/passwd grep <groupname> /etc/group |
Example
|
1 2 3 4 5 6 7 |
# grep nginx /etc/passwd nginx:x:498:498:Nginx web server:/var/lib/nginx:/sbin/nologin # grep nginx /etc/group nginx:x:498: |
Once the UID and GID has been identified use the ftpasswd command to add the Virtual user
|
1 2 3 |
ftpasswd -file /etc/proftpd/ftpd.passwd -uid 498 -gid 498 -name fuhrer -shell /bin/false -home /var/www/vhost/fuhrer.com/public_html -passwd |
Add members to the group
|
1 2 3 |
ftpasswd -file /etc/proftpd/ftpd.group -group -name nginx -gid 498 -member fuhrer |
Check the files /etc/proftpd/ftpd.passwd and /etc/proftpd/ftpd.group make and sure that details of the user and group have been added
|
1 2 3 4 5 6 7 |
# cat /etc/proftpd/ftpd.passwd fuhrer:$1$fyueFbAt$DOq7iTlSjNqcPPLzYOm1O0:498:498::/var/www/vhost/fuhrer.com/public_html:/bin/false # cat /etc/proftpd/ftpd.group nginx:x:498:fuhrer |
Restart ProFTPD using the command :
|
1 2 3 |
service proftpd restart |
Test yours ProFTPD Server
DONE
Sample /etc/proftpd.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
# This is the ProFTPD configuration file # # See: http://www.proftpd.org/docs/directives/linked/by-name.html # Server Config - config used for anything outside a <VirtualHost> or <Global> context # See: http://www.proftpd.org/docs/howto/Vhost.html ServerName "ProFTPD server" ServerIdent on "FTP Server ready." ServerAdmin [email protected] DefaultServer on # Cause every FTP user except adm to be chrooted into their home directory # Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to # work at session-end time (http://bugzilla.redhat.com/477120) VRootEngine on DefaultRoot ~ VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf # Use the IANA registered ephemeral port range PassivePorts 49152 65534 # Don’t check against /etc/passwd, use only AuthUserFile AuthOrder mod_auth_file.c AuthUserFile /etc/proftpd/ftpd.passwd AuthGroupFile /etc/proftpd/ftpd.group PersistentPasswd off AuthPAM off RequireValidShell off # Don't do reverse DNS lookups (hangs on DNS problems) UseReverseDNS off # Set the user and group that the server runs as User nobody Group nobody # To prevent DoS attacks, set the maximum number of child processes # to 20. MaxInstances 20 # Disable sendfile by default since it breaks displaying the download speeds in # ftptop and ftpwho UseSendfile off # Define the log formats LogFormat default "%h %l %u %t \"%r\" %s %b" LogFormat auth "%v [%P] %h %t \"%r\" %s" # Global Config - config common to Server Config and all virtual hosts # See: http://www.proftpd.org/docs/howto/Vhost.html <Global> # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 022 # Allow users to overwrite files and change permissions AllowOverwrite yes <Limit ALL SITE_CHMOD> AllowAll </Limit> </Global> # A basic anonymous configuration, with an upload directory # Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd # |
…
