輕鬆proftpd虛擬用戶

←手機掃碼閱讀火星人 @ 2014-03-04 , reply:0

proftpd安裝文檔----ftp虛擬用戶
proftpd安裝文檔ftp虛擬用戶
http://www.proftpd.org/
作者：linuxpf
注:此文檔proftpd安裝入門參考資料,也為本人學習總結,文中參考網路中部分資料,如有不對請指點,歡迎大家一同交流
qq群:19180048
源碼軟體包：proftpd是開源自由軟體，目前最新穩定版本為1.3.1，注proftpd1.3.1安裝與1.2.X配置文件語法有些不同
平台：centos4.6
一：RPM安裝，其實圖方便採用rpm效果並不差，關健於實用性強，穩定性好
#wget ftp://194.199.20.114/linux/dag/redhat/el4/en/i386/dag/RPMS/proftpd-1.3.1-1.el4.rf.i386.rpm
#wget http://www.castaglia.org/proftpd/contrib/ftpasswd
#cp ftpasswd /sbin/bin
#chmod +x ftpasswd
#rpm -ivh proftpd-1.3.1-1.el4.rf.i386.rpm
修改配置文件:
#cd /home/proftpd/etc/
#cp proftpd.conf proftpd.conf-dist
#vi proftpd.conf
----------------------------------------------------------------
"proftpd.conf" 155L, 4484C
# This is the ProFTPD configuration file
# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $

ServerName                   "The ProFTPD server"
ServerIdent                   on "FTP Server ready."
ServerAdmin                   rot@localhost
ServerType                   standalone
#ServerType                   inetd
DefaultServer                on
AccessGrantMsg                "User %u logged in."
#DisplayConnect                /etc/ftpissue
#DisplayLogin                /etc/ftpmotd
#DisplayGoAway                /etc/ftpgoaway
DeferWelcome                   off

# Use this to excude users from the chroot
#DefaultRoot                   ~ !adm
DefaultRoot                   ~
# Use pam to authenticate (default) and be authoritative
AuthPAM                         on
AuthPAMConfig                proftpd
AuthOrder                      mod_auth_pam.c* mod_auth_file.c

AuthUserFile                   /etc/proftpd/ftpd.passwd
AuthGroupFile                /etc/proftpd/ftpd.group
RequireValidShell off
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups                   off
UseReverseDNS                off

# Port 21 is the standard FTP port.
Port                         21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                         022

# Default to show dot files in directory listings
ListOptions                   "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228             off
RootLogin                      off
#LoginPasswordPrompt          on
MaxLoginAttempts             6
#MaxClientsPerHost             none
#AllowForeignAddress          off    # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart          on
AllowStoreRestart             on

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                   10

# Set the user and group that the server normally runs at.
User                         nobody
Group                         nobody

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile                   no

# This is where we want to put the pid file
ScoreboardFile                /var/run/proftpd.score

# Normally, we want users to do a few things.

   AllowOverwrite             yes

   AllowAll

PassivePorts 60000 65534

# Define the log formats
LogFormat                      default "%h %l %u %t \"%r\" %s %b"
LogFormat                      auth "%v [%P] %h %t \"%r\" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine                   on
#TLSRequired                   on
#TLSRSACertificateFile       /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile    /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite                ALL:!ADH:!DES
#TLSOptions                   NoCertRequest
#TLSVerifyClient             off
##TLSRenegotiate             ctrl 3600 data 512000 required off timeout 300
#TLSLog                      /var/log/proftpd/tls.log

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#

# LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
# LoadModule mod_sql_postgres.c
#

# A basic anonymous configuration, with an upload directory.
#

#  User                      ftp
#  Group                               ftp
#  AccessGrantMsg             "Anonymous login ok, restrictions apply."
#
#  # We want clients to be able to login with "anonymous" as well as "ftp"
#  UserAlias                   anonymous ftp
#
#  # Limit the maximum number of anonymous logins
#  MaxClients                10 "Sorry, max %m users -- try again later"
#
#  # Put the user into /pub right after login
#  #DefaultChdir                      /pub
#
#  # We want 'welcome.msg' displayed at login, '.message' displayed in
#  # each newly chdired directory and tell users to read README* files.
#  DisplayLogin                /welcome.msg
#  DisplayFirstChdir          .message
#  DisplayReadme                      README*
#
#  # Some more cosmetic and not vital stuff
#  DirFakeUser                on ftp
#  DirFakeGroup                on ftp
#
#  # Limit WRITE everywhere in the anonymous chroot
#
# DenyAll
#
#
#  # An upload directory that allows storing files but not retrieving
#  # or creating directories.
#
# AllowOverwrite          no
#
#    DenyAll
#
#
#
#    AllowAll
#
#
#
#  # Don't write anonymous accesses to the system wtmp file (good idea!)
#  WtmpLog                   off
#
#  # Logging for the anonymous transfers
#  ExtendedLog       /var/log/proftpd/access.log WRITE,READ default
#  ExtendedLog       /var/log/proftpd/auth.log AUTH auth
#
#

---------------------------------------------------------------------------------
參數說明:
DefaultRoot                   ~                                                       //默認ftp用戶主目錄
ServerType                   standalone                                           //ftp啟動方式，支持守護進程，和xinetd模式
AuthPAM                         on　　　　　　　　　　　　　　　　　　 //PAM認證支持啟用
AuthPAMConfig                proftpd
AuthOrder                      mod_auth_pam.c* mod_auth_file.c          //啟用認證方式

AuthUserFile                   /etc/proftpd/ftpd.passwd                      //ftp用戶密碼文件
AuthGroupFile                /etc/proftpd/ftpd.group
User                         nobody                                                    //啟動proftpd用戶，為了安全起見
Group                         nobody
MaxInstances                   10　　　　　　　　　　                //最大用戶數，防止DDOS

   AllowOverwrite             yes

   AllowAll

PassivePorts 60000 65534                                                          //啟用ftp被動模式埠範圍

#chkconfig --add proftpd
#chkconfig proftpd on
#service proftpd restart
建立虛擬用戶,脫離於系統用戶，安全性增加了許多:
# mkdir -p /etc/proftpd
# ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=ftpadmin --uid=99 --home=/home/ftpdata --shell=/sbin/nologin
# ftpasswd --group --file=/etc/proftpd/ftpd.group --name=admin --gid=99
# ftpasswd --group --name=admin --gid=99 --member=ftpadmin
註腳:
–passwd指定建立一個新的虛擬用戶，–group則建立一個虛擬組；
–file指定存儲虛擬用戶的文件；
–name指定此虛擬用戶的用戶名，密碼會在命令執行時要求輸入；
–uid指定此虛擬用戶對應的系統用戶UID，此虛擬用戶將以此系統UID的身份讀寫文件
–home指定此虛擬用戶的根目錄，就是其登陸FTP后的根目錄；
–shell指定此虛擬用戶的shell，為了安全當然指定一個不可登陸的shell了。
用戶許可權指派,建議採用方法1,以免引起不必在的麻煩,Linux上POSIX 許可權管理並不是所有人都熟悉
Linux上POSIX 許可權管理相關知識參考：
http://www.linuxpf.com.cn/bbs/viewthread.php?tid=402&extra=page%3D1
方法1:
uid指定此虛擬用戶對應的系統用戶UID，此虛擬用戶將以此系統UID的身份讀寫文件；
#chown -R nobody.root /home/ftpdata/
nobody　uid　99，對用戶主目錄賦予所有許可權
關於許可權顆粒化設置：請使用Limit

以下設置ftpadmin所有許可權，並禁止其它人訪問

Order allow,deny
DenyUser !ftpadmin

   AllowUser ftpadmin


參考：更多細節配置
http://www.linuxpf.com.cn/bbs/viewthread.php?tid=370&extra=page%3D1
http://castaglia.org/proftpd/doc/README.PAM.html
http://www.castaglia.org/proftpd ... O-VirtualUsers.html
有關ftpQuota只到1.3.1才開始支持,此處不做過多說明,歡迎大家一起交流

方法二:
setfacl -m user:peter:rwx file.txt
setfacl -m u:1002:rwx /home/apache/htdocs
至此一個實用的ftp伺服器已經能夠正常運行
如果還存在問題請調試proftpd，並分析log

二：源碼安裝:
#wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.1.tar.gz
#tar -zxvf proftpd-1.3.1.tar.gz
#cd proftpd-1.3.1
#
#./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/run --mandir=/usr/local/man --with-modules=mod_ratio:mod_readme:mod_auth_pam:mod_dso:mod_ctrls:mod_tls
#make
#make install
mod_dso  mod_ctrlsmod_tls.
報錯:cannot find -lpam缺少pam頭文件
#yum install pam pam-devel
解決
拷貝啟動腳本:
# which proftpd
/usr/sbin/proftpd
# proftpd -l
Compiled-in modules:
   mod_core.c
   mod_xfer.c
   mod_auth_unix.c
   mod_auth_file.c
   mod_auth.c
   mod_ls.c
   mod_log.c
   mod_site.c
   mod_delay.c
   mod_ratio.c
   mod_readme.c
   mod_auth_pam.c
   mod_cap.c

#cd /home/download/proftpd-1.3.1/contrib/dist/rpm
#cp proftpd.init.d /etc/rc.d/init.d/proftpd
#chmod +x /etc/rc.d/init.d/proftpd
#ln -s /etc/rc.d/init.d/proftpd /etc/rc.d/init3.d/S97proftpd
#cp /home/download/proftpd-1.3.1/contrib/ftpasswd /usr/local/bin/

To use PAM with ProFTPD, you must edit /etc/pam.d/ftp and add the
following lines for RedHat installations:
#vi /etc/pam.d/proftpd
----------------------------------------------------------------
   #%PAM-1.0
   auth    required    /lib/security/pam_pwdb.so shadow nullok
   account required    /lib/security/pam_pwdb.so
   session required    /lib/security/pam_pwdb.so
----------------------------------------------------------------
注意，如有以上設置，請確保proftpd.conf中AuthPAMConfig 設置為 'ftpd',如果有改動，請同步AuthPAMConfig設置,否則會不能夠工作
如果/etc/pam.d/ftpd,對應
AuthPAMConfig                ftpd
less README
#less README.PAM
#more README.modules
獲得更多幫助
修改自定義路徑:
#vi /etc/rc.d/init.d/proftpd
-----------------------------------
PATH="$PATH:/home/proftpd/sbin"
-----------------------------------
對比分析修改:
diff /home/download/proftpd-1.3.1/contrib/dist/rpm/proftpd.init.d /etc/rc.d/init.d/proftpd
------------------------------------------------------------
25c25
< PATH="$PATH:/usr/local/sbin"
---
> PATH="$PATH:/home/proftpd/sbin"
#ln -s /etc/rc.d/init.d/proftpd /etc/rc.d/rc3.d/S99proftpd
#ln -s /etc/rc.d/init.d/proftpd /etc/rc.d/rc3.d/K99proftpd
------------------------------------------------------------
配置/etc/proftpd.conf同上

Tags: proftpd 虛擬用戶

[火星人 ] 輕鬆proftpd虛擬用戶已經有913次圍觀

本文地址：http://coctec.com/docs/service/show-post-22635.html

輕鬆proftpd虛擬用戶

熱門文章

最新文章