
How to install, configure and manage proftpd under Linux

2025-01-19 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

Editor to share with you how to install, configure and manage proftpd under Linux. I believe most people don't know much about it, so share this article for your reference. I hope you can learn a lot after reading this article. Let's learn about it together.

I. Introduction to proftpd

Proftpd is open source FTP server software. It is an improved version of wu-ftpd, the most widely used FTP server in the world; it corrects many defects of wu-ftpd and makes significant improvements in many areas. One important change is that it borrows the configuration style of Apache, which makes the configuration and management of proftpd easier to understand.

II. Related resources of the software

Official website: http://www.proftpd.org/

III. Installation of software

1. Installation

Download its source code package proftpd-1.2.10.tar.gz. Next I will explain some of the important steps in the installation process:

    [root@localhost root]# tar xzvf proftpd-1.2.10.tar.gz
    [root@localhost root]# cd proftpd-1.2.10
    [root@localhost proftpd-1.2.10]# ./configure
    [root@localhost proftpd-1.2.10]# make
    [root@localhost proftpd-1.2.10]# make install

tar xzvf proftpd-1.2.10.tar.gz unpacks the archive.

./configure checks the machine and sets up the build for it. Most of the work is done automatically, but users can adjust certain settings through parameters. The common options are:

./configure --help shows help for the parameters.

--enable-ipv6 enables IPv6 support.

There are many parameters that can be set, and you can see what you need through --help. In general, the default settings are fine.

By default, the installation process should create:

The proftpd daemon, /usr/local/sbin/proftpd

The proftpd configuration file, /usr/local/etc/proftpd.conf

2. Start:

    [root@localhost root]# /usr/local/sbin/proftpd -c /usr/local/etc/proftpd.conf

The -c option is used to specify the location of the configuration file. Otherwise, the default location is /usr/local/etc/proftpd.conf.

Normally, proftpd should now be running: ps aux should show the proftpd process, and netstat -an should show that the service on port 21 (the default FTP port) is up.

If you want the FTP server to start at boot, simply add a line to /etc/rc.d/rc.local

    /usr/local/sbin/proftpd

    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.
    touch /var/lock/subsys/local
    /usr/local/sbin/proftpd

IV. Configuration of software

1. Initial configuration file

The location of the default configuration file is:

/usr/local/etc/proftpd.conf (if the file does not exist, you can copy the sample configuration file from the archive). Some of the common options are analyzed item by item below (lines starting with # are comments):

    # This is a basic ProFTPD configuration file (rename it to
    # 'proftpd.conf' for actual use. It establishes a single server
    # and a single anonymous login. It assumes that you have a user/group
    # "nobody" and "ftp" for normal operation and anon.
    ServerName ""
    ServerType standalone
    DefaultServer on
    # Port 21 is the standard FTP port.
    Port 21

ServerType specifies the startup type of the FTP server. Generally speaking, standalone is the simpler choice. If the traffic is not large, consider having xinetd listen and start the server on demand in order to save resources. You must specify it here. Port specifies the listening port of FTP. Port 21 is generally used.

    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask 022
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd).
    MaxInstances 30

Umask specifies the Umask value of the FTP server process, which is consistent with the default value of the Linux system.

MaxInstances specifies the maximum number of connections for the FTP server.

    # Set the user and group under which the server will run.
    User nobody
    Group nogroup
    # To cause every FTP user to be "jailed" (chrooted) into their home
    # directory, uncomment this line.
    #DefaultRoot ~
    DefaultRoot ~

User and Group specify the effective user and group IDs of the proftpd process once it has started. For security reasons, the default identity is nobody. It should be pointed out that there is no nogroup group by default in general Red Linux 9.0, and Group can be specified as nobody.

The DefaultRoot option restricts Linux system users to their home directory when they log in through FTP.

    # Set the maximum number of seconds a data connection is allowed
    # to "stall" before being aborted.
    #TimeoutStalled 300
    AllowRetrieveRestart on
    AllowStoreRestart on
    # Normally, we want files to be overwriteable.
    AllowOverwrite on

TimeoutStalled specifies how long a data connection may stall before it is aborted.

AllowRetrieveRestart and AllowStoreRestart specify that resuming interrupted transfers is allowed.

    <Anonymous ~ftp>
      User ftp
      Group ftp
      # We want clients to be able to login with "anonymous" as well as "ftp"
      UserAlias anonymous ftp
      # Limit the maximum number of anonymous logins
      MaxClients 10
      # We want 'welcome.msg' displayed at login, and '.message' displayed
      # in each newly chdired directory.
      DisplayLogin welcome.msg
      DisplayFirstChdir .message
      # Limit WRITE everywhere in the anonymous chroot
      <Limit WRITE>
        DenyAll
      </Limit>
    </Anonymous>

This part will be described in more detail later.

2. Configuration file structure analysis

    # Global settings
    Setting item 1   parameter 1
    Setting item 2   parameter 2
    # Settings of a directory
    # Settings for anonymous login

Common global settings

DefaultRoot ~ # restricts each FTP user to his or her own directory and cannot view the directory at a higher level

AllowRetrieveRestart on # when downloading, allow interrupted transfers to be resumed

AllowStoreRestart on # when uploading, allow interrupted transfers to be resumed

ServerIdent off # shielding server version information

TransferRate STOR|RETR speed(Kbytes/s) user username # sets the user transfer rate

MaxHostsPerUser 1 # allows a maximum of 1 source ip per account, which is useful to prevent ftp accounts.

MaxClientsPerUser 1 # each account can log in at most one time on each client, which can prevent the server from being damaged by multithreaded software downloads.

MaxClientsPerHost 1 # only one account can log in to the same client.

WtmpLog on # whether to record FTP logins in the log; if you don't want to, you can set it to off to disable this logging.

TimeoutIdle 600 # client idle time setting. Default is 600 seconds.

DisplayLogin welcome.msg # set up ftp login welcome information file

RootLogin on # allows root users to log in, which is not allowed by default, and is not recommended for security reasons.
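A check for the directives listed above, as an added example rather than code from the article or the ProFTPD project: the hypothetical helper audit_proftpd_conf scans a configuration file and reports the weak settings. Both sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article). audit_proftpd_conf is a hypothetical
# helper: it prints one finding per line for the directives discussed above
# and prints nothing when none of the checks fire.
audit_proftpd_conf() {
    conf=$1
    # Last value given for a directive; lines starting with '#' never match.
    get() {
        awk -v d="$1" 'tolower($1) == tolower(d) { v = tolower($2) } END { print v }' "$conf"
    }
    [ "$(get RootLogin)" = "on" ] && echo "RootLogin on: root may log in over FTP"
    [ -z "$(get DefaultRoot)" ] && echo "DefaultRoot not set: users are not confined to their home directory"
    [ "$(get ServerIdent)" != "off" ] && echo "ServerIdent not off: the banner shows server version information"
    [ -z "$(get MaxInstances)" ] && echo "MaxInstances not set: no explicit cap on child processes"
    return 0
}

# Constructed sample configurations (not real server files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
ServerType standalone
Port 21
RootLogin on
#DefaultRoot ~
EOF
cat > "$tmp/hardened.conf" <<'EOF'
ServerType standalone
Port 21
ServerIdent off
MaxInstances 30
DefaultRoot ~
EOF

echo "weak.conf:";     audit_proftpd_conf "$tmp/weak.conf"
echo "hardened.conf:"; audit_proftpd_conf "$tmp/hardened.conf"
```

The helper reads only top-level directive names and their first argument; it does not interpret nested configuration blocks.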

Welcome message settings

The settings for the welcome file include the following parameters:

%T current time

%F remaining capacity of the hard drive

%C current directory

%R host name of the client

%L host name of the server

%U user account name

%M maximum allowed number of connections

%N current number of server connections

%E email of the FTP server administrator

%i number of files uploaded this time

%o number of files downloaded this time

%t number of files uploaded and downloaded this time

Knowing these parameters, you can write a friendly welcome file, such as:

Welcome %U, this is T-force's test FTP server; the current time is: %T; this server allows a maximum of %M user connections; currently there are %N user connections on the server; currently your directory is %C; the hard drive where the directory is located still has %F bytes left.

Anonymous configuration block

The anonymous configuration block is a very important part of the configuration file, which generally controls the permission configuration of global accounts. Here is a common example.

    # A basic anonymous configuration, no upload directories. If you do not
    # want anonymous users, simply delete this entire section.
    # specify anonymous user login directory
    <Anonymous ~ftp>
      # specify the user for the settings in this block
      User ftp
      # specify the group for the settings in this block
      Group ftp
      # We want clients to be able to login with "anonymous" as well as "ftp"
      # set user alias
      UserAlias anonymous ftp
      # login requires password
      AnonRequirePassword on
      # Limit the maximum number of anonymous logins
      MaxClients 10
      # We want 'welcome.msg' displayed at login, and '.message' displayed
      # in each newly chdired directory.
      DisplayLogin welcome.msg
      DisplayFirstChdir .message
      # Limit WRITE everywhere in the anonymous chroot
      <Limit WRITE>
        DenyAll
      </Limit>
      AllowAll
    </Anonymous>

The focus of the anonymous configuration block is to manage the specified directory in detail through Limit. The permission control of Limit is relatively complete, and all kinds of complex permission control can be achieved through different combinations. The controls are as follows:

CWD: Change Working Directory, permission to change directory

MKD: MaKe Directory, permission to create a directory

RNFR: ReName FRom, permission to rename

DELE: DELEte, permission to delete a file

RMD: ReMove Directory, permission to delete a directory

RETR: RETRieve, permission to download from the server to the client

STOR: STORe, permission to upload from the client to the server

READ: read permission, not including directory listing; equivalent to RETR, STAT and so on

WRITE: permission to write files or directories, including MKD and RMD

DIRS: whether directory listing is allowed; equivalent to LIST, NLST and so on, and quite practical

Note: when testing whether it can be downloaded, do not use an empty file with length 0, but a file with content (the file size cannot be 0k).

The objects a Limit applies to can be scoped with the following:

AllowUser: the Limit is allowed for a given user

DenyUser: the Limit is prohibited for a given user

AllowGroup: the Limit is allowed for a given user group

DenyGroup: the Limit is prohibited for a given user group

AllowAll: the Limit is allowed for all users

DenyAll: the Limit is prohibited for all users

V. A simple and practical way of configuration management:

The combination of proftpd and mysql can achieve relatively large and complete access control, but it also increases the complexity of management and maintenance. Here I introduce a simple and easy configuration method, which is suitable for applications with less than 100 users. The core of this method lies in the ingenious use of the setgid bit; readers can look up information on it themselves. This method needs very little configuration management work and is quite simple, while still keeping a clear permission structure.

1. Train of thought

The first concept that needs to be clear is the relationship between proftpd users and Linux system users: the users of the Linux system are the users of proftpd. The access control of proftpd is built on the access control of the Linux system; that is, for a file or directory, the user must first have the Linux system permissions, and on that basis proftpd can set some permissions of its own. In fact, Linux's own permission system is relatively complete, and using it alone is enough to meet our requirements.

We set up an FTP administrator ftpadmin that belongs to the ftpadmin group, and make the FTP root directory /ftp the home directory of ftpadmin, so that ftpadmin can carry out the day-to-day management. Setting the setgid bit on /ftp ensures that newly uploaded files belong to the ftpadmin group, and setting the umask value to 002 ensures group read and write permissions on uploaded files, so that the administrator can manage the files without changing their owner.

For FTP users, we only need to create a new Linux user and set his home directory under /ftp. It's easy to operate.

2. Create an FTP administrator: ftpadmin

    [root@localhost root]# groupadd ftpadmin    # ftpadmin is the name of the newly added group
    [root@localhost root]# useradd -d /ftp -g ftpadmin -s /sbin/nologin ftpadmin
    [root@localhost root]# chmod 2775 /ftp

At the same time, make sure that ftpadmin is both the owner and the group owner of /ftp. This ensures that ftpadmin has full permissions on the /ftp directory it is to manage.

-s /sbin/nologin specifies that the user cannot log in to a shell, that is, can only log in through FTP; this is for security reasons.

Modify /usr/local/etc/proftpd.conf

    # was: User nobody
    User ftpadmin
    # was: Group nogroup
    Group ftpadmin
    # allows owners and group users to manage ftp
    Umask 002

The Umask is changed to 002. That is, both group members and owners can add, delete and modify within the folder. Other users can read and execute, but not write. In this way, the ftpadmin user can read and write all files through membership of the same group, without changing the original permissions of their contents. In other words, the ownership of the files in this folder is not changed, but at the same time they can be managed.

chmod 2775 /ftp sets the setgid bit on the folder, so every file written under it, no matter who the owner is, gets ftpadmin as its group (because the group of /ftp is ftpadmin) and therefore falls under the management of ftpadmin.

3. Add user: user1

    useradd -d /ftp/user1 -g ftpadmin -s /sbin/nologin user1

In this way, user1 has full permissions on the /ftp/user1 directory, and as an administrator, you can manage the directory through group permissions.

Whenever you need to add a user, you just need to easily add a Linux user.

4. Corresponding configuration file: important entries in proftpd.conf

    Umask 002
    DefaultRoot ~

Umask 002 ensures that newly created files have group read and write permissions.

DefaultRoot ~ ensures that each user is locked in his or her own directory after logging in and cannot see other users' directories.
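The effect of chmod 2775 together with Umask 002 can be reproduced without touching /ftp. This added example (not from the article) uses a scratch directory and the shell's umask as a stand-in for the Umask directive; upload_modes is a hypothetical helper name, and stat -c assumes GNU or BusyBox stat as found on Linux.

```shell
#!/bin/sh
# Added example (not from the article): reproduce the /ftp permission scheme
# in a scratch directory. upload_modes UMASK prints "<file mode> <dir mode>"
# for a file and a subdirectory created under a 2775 directory.
upload_modes() {
    root=$(mktemp -d)
    chmod 2775 "$root"              # same mode the article sets on /ftp
    (
        umask "$1"                  # stands in for the Umask directive
        : > "$root/upload.bin"      # a file "uploaded" into the tree
        mkdir "$root/newdir"        # a directory created by an FTP user
    )
    echo "$(stat -c '%a' "$root/upload.bin") $(stat -c '%a' "$root/newdir")"
    rm -rf "$root"
}

# Umask 002: files are group-writable, and the setgid bit propagates to new
# subdirectories, so the whole tree stays under the directory's group.
echo "umask 002 -> $(upload_modes 002)"
# Umask 022 (the sample file's default): group members can read but not modify.
echo "umask 022 -> $(upload_modes 022)"
```

Because the article places every FTP account in the ftpadmin group, files created with Umask 002 carry group write permission for all of those accounts; DefaultRoot ~ is the setting that keeps each user inside their own directory.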
