Installing ProFTPD

Date: November 15, 2003 (6th Revision)

This document describes the compile/install and configuration of a very basic ProFTPD service.

INSTALLATION

Grab the proftpd-1.2.9.tar.gz (tar-ball) from Proftpd website. I am using Caldera OpenLinux 3.1, so I configured the package with these switches, and use checkinstall-1.5.2 to turn the package into an regular RPM for installation. Note that I included some of the plug-in modules in /contrib directory of proftpd.

#!/bin/bash
# 
# decompress the archive in /usr/src
#
cd /usr/src
tar xzvf /path/to/proftpd-1.2.9.tar.gz
# 
# configure it
#
cd proftpd-1.2.9
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run
--with-modules=mod_readme:mod_wrap:mod_ratio
# 
# later on, you may want to compile with these modules to deploy
# more advanced features like mysql and openldap support
# mod_sql:mod_sql_mysql:mod_ldap
#
# 
make -j 3
#
# you may use checkinstall to install proftpd, which will
# keep a record of all the files installed by `check install`
# and build an rpm
#
# checkinstall -si make install
#
make install

NOTE: checkinstall-1.5.2 would require you to enter the path to Caldera's RPM repository in /usr/src/OpenLinux.

If everything goes well, you will find the following files installed:

root@server: html> rpm -qil proftpd
Name        : proftpd                      Vendor: (none)
Version     : 1.2.9                  Distribution: (none)
Release     : 1                        Build Host: server.donkeyware.org
Install Date: 2003-11-02T03:54:58Z     Build Date: 2003-11-02T03:54:45Z
Size        : 968322                   Source RPM: proftpd-1.2.9-1.src.rpm
Group       : Applications/System
Copyright   : GPL
Packager    : checkinstall-1.5.2
Summary     : Package created with checkinstall 1.5.2
Description :
Package created with checkinstall 1.5.2
/usr/bin/ftpcount
/usr/bin/ftptop
/usr/bin/ftpwho
/usr/doc/proftpd-1.2.9/COPYING
/usr/doc/proftpd-1.2.9/CREDITS
/usr/doc/proftpd-1.2.9/ChangeLog
/usr/doc/proftpd-1.2.9/INSTALL
/usr/doc/proftpd-1.2.9/NEWS
/usr/doc/proftpd-1.2.9/README
/usr/doc/proftpd-1.2.9/README.AIX
/usr/doc/proftpd-1.2.9/README.FreeBSD
/usr/doc/proftpd-1.2.9/README.IPv6
/usr/doc/proftpd-1.2.9/README.LDAP
/usr/doc/proftpd-1.2.9/README.PAM
/usr/doc/proftpd-1.2.9/README.Solaris2.5x
/usr/doc/proftpd-1.2.9/README.Unixware
/usr/doc/proftpd-1.2.9/README.capabilities
/usr/doc/proftpd-1.2.9/README.cygwin
/usr/doc/proftpd-1.2.9/README.mod_sql
/usr/doc/proftpd-1.2.9/README.modules
/usr/doc/proftpd-1.2.9/README.ports
/usr/man/man1/ftpcount.1.gz
/usr/man/man1/ftptop.1.gz
/usr/man/man1/ftpwho.1.gz
/usr/man/man5/xferlog.5.gz
/usr/man/man8/ftpshut.8.gz
/usr/man/man8/proftpd.8.gz
/usr/sbin/ftpshut
/usr/sbin/in.proftpd
/usr/sbin/proftpd

DIRECTORY PERMISSIONS

Next step, you need create the home directories of the default ftp. For my linux server, the home directory of my ftp account in /etc/passwd is /home/ftp. For this sample installation, there would be an additional directory /home/ftpdown for download only:

mkdir /home/ftp; chmod 753 /home/ftp; chown ftp:ftp /home/ftp
mkdir /home/ftpdown;chmod 555 /home/ftpdown; chown nobody:nobody /home/ftpdown

DISABLING WU-FTPD

Most linux distribution came with wu-ftpd pre-installed. You have to disable it in inetd (/etc/inetd.conf or /etc/inet.d/ftp) or xinetd (/etc/xinetd.conf), restart inet tcp wrapper daemon. Otherwise it will be holding the ftp port (default: 20-21) foreever. Certain packages like portsentry will also bind itself to any un-used priviledge ports. So beware.

You can always know what programs are holding the port 21 (or any port number) by this command:

netstat -anp | grep 21

And then you can find out more about the program. The following shows how to find out more information about the progrma with a name of "ftp":

ps aux | grep ftp

CONFIGURATION

Before we actually invoke /usr/sbin/proftpd, we need to write a configuration file called /etc/proftpd.conf:

Our proftpd will be a standalone daemon, which gives us speed and reliability.

All users will login as anonymous users. Users who want to upload will login as upload, which in fact is an alias for the same anonymous account.

The anonymous account is linked to a real user account ftp in /etc/passwd.
ftp:x:14:50:FTP User:/home/ftp:/bin/false

For security sake, the ftp account will use a shell /bin/false to guarantee no login except for file transfer.

The home directory for the ftp account is specified in /etc/passwd as well.

To upload, users goes to ftp://111.222.333.444

Unlimited number of users can always upload (which you may not want that)

All uploads go to /home/ftp, to be owned by ftp:ftp, such that on one can download from it.

To allow files to be downloaded, chown nobody:nobody the_file and move them to /home/ftpdown.

To download, users goes to ftp://download@111.222.333.444

Users can download from /home/ftpdown only.

3 users can download at any time (MaxClients)

Each download connection has bandwidth locked at 20000 kb/s (RateReadBPS).

Each downloader can connect to your ftp server once only (MaxsClientPerHost).

No linux users can login their home directory (well, I would study about it later)

Time to convert all these decign decisions into the proftpd config file /etc/proftpd.conf. You may cut-and-paste the following into the file /etc/proftpd.conf:

# beginning of proftpd.conf ServerName "Your FTP Server" # If you want to use inetd/xinetd, make sure you edit their # config files to use in.proftpd as daemon name, and change # ServerType to inetd. ServerType standalone # if not switched on, won't answer calls from unknown destinations DefaultServer on DefaultTransferMode binary ServerIdent off DefaultRoot ~ # Port 21 is the standard FTP port. Port 21 # If you do want normal users logging in at all, comment this <LIMIT LOGIN> DenyAll </LIMIT> # Set the user and group that the server normally runs at. User nobody Group nogroup MaxInstances 10 # Set the maximum number of seconds a data connection is allowed # to "stall" before being aborted. TimeoutStalled 300 UseFtpUsers off RootLogin off PersistentPasswd off # these speed up the login process but makes log less readable UseReverseDNS off IdentLookup off # you can have a separate file from the regular /etc/passwd #AuthUserFile /etc/proftpd-passwd <Global> Umask 022 RequireValidShell off AllowForeignAddress on DirFakeGroup on ~ DirFakeUser on ~ DirFakeMode 0440 HiddenStor on </Global> # We want 'welcome.msg' displayed at login, and '.message' displayed # in each newly chdired directory. DisplayLogin welcome.msg DisplayFirstChdir .message AccessDenyMsg "404 Access for %u has been denied. <Anonymous /home/ftpdown> <Limit LOGIN> AllowAll </Limit> # you can use the alias as a password for your downloaders. :) UserAlias download ftp # # But if you really use a password, you need to encrypt the password # and paste the encrypted text below and uncomment the 2 lines below # AnonRequirePassword on # UserPassword ftp crypted-text # RequireValidShell off User ftp Group ftp # you may not like the bandwidth control below # TransferRate RETR|STOR|APPE|STOU KBrate:freebytes TransferRate RETR 20:0 # older version use the following directive instead. # RateReadBPS 20000 MaxClients 3 "550 Too Many Users (Limit=%m)" MaxClientsPerHost 1 "551 One connection per IP" # allow resume in downloading HideNoAccess on AllowRetrieveRestart on <Limit WRITE> DenyAll </Limit> </Anonymous> <Anonymous /home/ftp> <Limit LOGIN> AllowAll </Limit> UserAlias anonymous ftp User ftp Group ftp RequireValidShell off # allow resume in uploading AllowStoreRestart on AllowOverwrite on <Limit REST STOR MKD APPE> AllowAll </Limit> <Limit RMD RNFR RNTO RETR DELE> DenyAll </Limit> # Reject all files with leading periods or dashes: PathDenyFilter "(^|/)[-.]" </Anonymous> # end of proftpd.conf

You will notice that there is a crypted-text above. It's the password for the ftp directory, encrypted by linux. You can use cli-crypt-1.0.tar.gz, which is a package that can be downloaded from http://freshmeat.net basically written for generating password with proftpd. Another simple way is to use a simple perl script (courtesy of http://www.}linuxjournal.com):

perl -e 'print("userPassword: ".crypt("secret","salt")."\n");'

Just run the script, cut and paste the password into the blank above will do.

DAEMON CONTROL

The following is a script to start/stop proftpd daemon:

#!/bin/bash
# reference:
# http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Stopping.html
#

# ProFTPD files
FTPD_BIN=/usr/sbin/proftpd
FTPD_CONF=/etc/proftpd.conf
PIDFILE=/var/run/proftpd.pid

# If PIDFILE exists, does it point to a proftpd process?

if [ -f $PIDFILE ]; then
   pid=`cat $PIDFILE`
fi

if [ ! -x $FTPD_BIN ]; then
    echo "$0: $FTPD_BIN: cannot execute"
    exit 1
fi

case $1 in

    start)
      if [ -n "$pid" ]; then
        echo "$0: proftpd [PID $pid] already running"
        exit
      fi

      if [ -r $FTPD_CONF ]; then
        echo "Starting proftpd..."
	rm -f /etc/shutmsg
        $FTPD_BIN -c $FTPD_CONF

      else
        echo "$0: cannot start proftpd -- $FTPD_CONF missing"
      fi
      ;;

    stop)
      if [ -n "$pid" ]; then
        echo "Stopping proftpd..."
        kill -TERM $pid

      else
        echo "$0: proftpd not running"
        exit 1
      fi
      ;;

    restart)
      if [ -n "$pid" ]; then
        echo "Rehashing proftpd configuration"
        kill -HUP $pid

      else
        echo "$0: proftpd not running"
        exit 1
      fi
      ;;

    *)
      echo "usage: $0 {start|stop|restart}"
      exit 1
      ;;
esac

exit 0

LOG ANALYSIS

Proftpd generates a log file that's similar to the log file wu-ftpd, ie /var/log/xferlog. That means, you can use the xferstats script in the /usr/src/proftpd-1.2.9/contrib directory of the proftpd source (or the one from wu-ftpd which has bugs) to analyze the log. I put the xferstats script in /usr/sbin. There is a newer version of xferstats. Search for it via google.com using keyword "xferstats" or try http://xferstats.off.net . For a graphical presentation, you may use awstats. In her website, he got an article teaching you how to modify the proftpd log format to suit her presentation.

For your convinience, here's my /etc/logrotate.d/ftpd for proftpd's logs (in /var/log):

# beginning of /etc/logrotate.d/ftpd missingok /var/log/xferlog { size=256k nocopytruncate postrotate /usr/bin/killall -HUP syslogd endscript } /var/log/ftp { daily rotate 7 postrotate /usr/bin/killall -HUP syslogd endscript } # end of /etc/logrotate.d/ftpd

MONITOR

Just like wu-ftpd, the command ftpwho will tell you what users are currently connecting to your proftpd. For more detail, you can use ftpwho -v. With verbose mode, the transfer rate of each connection would be shown. And with the release of proftpd-1.2.7 and later, there is a new command called ftptop.

Alternatively, you may use SNMP tools like MRTG. One linux-sxs editor recommneded console tools pppstatus and ethstatus. I have found a tool called ifstat which is really simple.

root@server: init.d> ifstat
       eth0                eth1
 KB/s in  KB/s out   KB/s in  KB/s out
    0.67     16.96      0.00      0.00
    1.25     33.58      0.00      0.00
    0.67     16.81      0.00      0.00

There is also ntop, which is you can view its results via web browser (just like webmin). You can find them in http://freshmeat.net!

Useful References

log analysis using awstats: http://awstats.sourceforge.net/docs/awstats_faq.html#FTP
active vs passive ftp: http://slacksite.com/other/ftp.html
documentation in source code directory: /usr/src/proftpd-1.2.9/doc
documenetation for more advanced topics: http://www.castaglia.org/proftpd/
another mod for proftpd: ftp://ftp.opaopa.org/pub/proftpd/proftpd-site_index-0.1.tar.gz
chinese how-to: http://dns.bmes.tnc.edu.tw/notebook/proftp.htm