Aerospace Software Ltd.

PoFtpd Howto

For Mandrake 9.1, Aug 2003

Herman Oosthuysen

When To Use FTP - And When Not

FTP still is a protocol of choice when it comes to distributing larger amounts of data among non-authenticated users. Don't use FTP for anything involving authentication outside a trusted network, as the whole authorization process is unencrypted and the client can't know if the server is who it pretends to be and the same goes for the server.

Use SSH for authenticated services. FTP clients like the highly popular and graphical gftp (included in Mandrake Linux) support SSH transparently. Notice that tunneling FTP via SSH only encrypts the control connection (i.e. the channel via which the password is sent), not the data channel. If you need an FTP work-alike which encrypts both channels, use sftp.

Installation

Mandrake Linux comes with four major FTP server packages: the traditional FTP server, the well-known WU-FTPd from the University of Washington, ProFTPd, usually regarded as the rightful heir to the former, and Pure-FTPd.

ProFTPd is much better documented and uses a central configuration scheme, similar to that of Apache. Configuration also doesn't require the creation of any directory trees.

Being 'root', type

urpmi proftpd

on a command line.

Basic Anonymous FTP Configuration

The configuration file is /etc/proftpd.conf. The configuration is done via directive - value pairs. These pairs can be applied on a per user basis, on a per directory basis or a mixture of those.

For a server allowing anonymous clients to download files:

ServerName "My FTP Server"
ServerType standalone
DefaultServer on
Umask 022
Port 21
User nobody
Group nobody
<Directory /*>
AllowOverwrite on
</Directory>
<Anonymous ~ftp>
User ftp
Group ftp
UserAlias anonymous ftp
RequireValidShell off
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>

The Options

ServerName: "My FTP Server" The name of your FTP server. Use what you like.

ServerType: standalone ProFTPd can either run on its own or via a 'super server' like xinetd.

In order to run it via 'xinetd', change this option from standalone to inetd, then edit '/etc/xinetd.d/proftpd-xinetd' and set 'disable' from 'yes' to 'no' and restart 'xinetd'. Do not run any extra commands to start the FTP server from now on, this will be completely handled on the fly by 'xinetd'.

Use the 'standalone' mode when setting up the server, since it makes debugging much easier. You can switch to 'inetd' mode later on, if you want to do so.

DefaultServer on: All incoming connections use this configuration unless told otherwise.

Umask 022: Default permissions on all new files and directories (this resolves to 755 or rwx-rw-rw). Notice that you can employ a second umask especially for directories (indeed you have to use it if you remove the execute bit and still want to use subdirectories).

MaxInstances 30: The maximum of allowed simultaneous connections.

Port 21: On which port the server should listen to incoming connections. If you change this, most clients will have to specify the new port before connecting.

User nobody

Group nogroup: User and group under which ProFTPd runs. Older versions of Mandrake Linux might use group 'nobody' instead.

Overwrite option

<Directory /*>
AllowOverwrite on
</Directory>

You'll find this setting in the default ProFTPd configuration file. It allows FTP clients to overwrite files with the same name in all directories. For an anonymous only server you might want to remove it.

<Anonymous ~ftp>: This starts the section for anonymous users and tells ProFTPd to use the directory '/var/ftp' as the 'change rooted' start directory for these users. This means anonymous FTP users won't be able to even see the parent directory, let alone any other directory on the server apart from those in the '/var/ftp' hierarchy.

User ftp

Group ftp: Local user account for anonymous users.

UserAlias anonymous ftp Users logging in as 'anonymous' (default in all clients) are treated like the 'ftp' user.

RequireValidShell off: Either you add this setting here, or you add '/bin/false' to 'ftp's entry in '/etc/passwd' and to '/etc/shells'. Choose! ;-) It's easier to do it here, and I don't know of any security implications.

Limit

<Limit WRITE>
DenyAll
</Limit>

We don't allow anonymous users to create or delete files or directories anywhere in the '/var/ftp' hierarchy.

</Anonymous> Marks the end of the section for anonymous uulrs.

This basic configuration allows a single anonymous login (not much, but it's a start ;-))

My hack

# This is a basic ProFTPD configuration file 
# (rename it to 'proftpd.conf' for actual use.  
# It establishes a single server and a single anonymous login.  
# It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "Odin at Aerospace Software Ltd."
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port. So, we could use the gopher port 70.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server

UserAlias anonymous ftp

# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite	on
</Directory>

# Needed for NIS.
PersistentPasswd off
AuthPAMAuthoritative off

# Public ftp area in /var/ftp
# Anonymous access granted only to a guest user who knows the password for
user guest

<Anonymous ~ftp>
User guest
Group ftp 
AnonRequirePassword on

DisplayLogin readme.txt

<Limit LOGIN>
AllowAll
</Limit>

<Limit WRITE>  
AllowAll
</Limit>

<Limit READ>
AllowAll
</Limit>

</Anonymous>

# ARMdimension FTP area
# Anonymous access granted only to a guest user who knows the password
for user adeng
<Anonymous /home/data/ARMdimension>

User				adeng 
Group				adeng
AnonRequirePassword		on

DisplayLogin	readme.txt

# We want all uploaded files to be owned by'adeng' group and
# group writable.
GroupOwner			adeng
Umask				007

# Hide all files owned by users 'root' and 'herman'
HideUser			root
HideUser			herman

# Disallow clients from any access to hidden files.
<Limit READ DIRS>
IgnoreHidden			on
</Limit>

<Limit LOGIN>
AllowAll
</Limit>

<Limit WRITE>
AllowAll
IgnoreHidden	on
</Limit>
           
<Limit READ>
AllowAll
IgnoreHidden			on
</Limit>

</Anonymous>

# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
#DefaultRoot /home/foo foo
#DefaultRoot /var/ftp/pub guest

# Security
#<Limit LOGIN>
#  DenyALL
#</Limit>

#AllowFilter "^[a-zA-Z0-9,]*$"
#PathDenyFilter "(^|/)[-.]"

Testing

Before venturing any further, it's a good idea to test if this standard setup works. Start the server as 'root' with this command

service proftpd start

Next start an FTP client from your user account and connect to 'localhost'. Try to execute some commands (list directories, change directories). Notice that you're so far not allowed to upload files. If everything works, congratulations!

Security notice: With your next login, the FTP server will be started automatically on each login. This might not be preferable. To change this behavior, run this command as 'root':

chkconfig proftpd off

It will prevent the system from starting ProFTPd without an explicit 'root' command. This only applies if the server is run in 'standalone' mode.

Troubleshooting

If you get this error message:

Starting proftpd: hostname - Fatal: unable to determine IP address of 'hostname'

there's a problem with your DNS (name resolution). The most common cause for this problem is a hostname assigned to a machine which gets its IP via DHCP on a network without a DNS server.

A quick fix for this problem is adding the hostname to the '/etc/hosts' file while using the same IP used for 'localhost', i.e. '127.0.0.1':

127.0.0.1 localhost.localdomain localhost
127.0.0.1 hostname-of-machine short-name

If you don't know the hostname of your machine, run the hostname command.

Having made that change, restart the network as root with

service network restart

and try starting the FTP server again.

If you can login into the server, but you can't execute any commands, you have to dig deeper. First let proftpd check its configuration file for syntax errors with

proftpd --configtest

If everything looks OK there, stop the FTP server with

service proftpd stop

and start it again with this line

proftpd -d4 -n

This sets the debugging level to '4' and will log all messages from ProFTPd to the console. Now open a new ftp client session and try to execute the commands again. Check the terminal window ProFTPd is running on for error messages. Check the FAQ and the rest of the ProFTPd documentation if the error message you are getting is mentioned.

Notice that if you run the server in 'standalone' mode, you will either have to reload the server after every change applied to the configuration file with

service proftpd restart

or stop and start it.

Allowing Anonymous Uploads

To allow anonymous uploads, insert these lines into the 'Anonymous' section of your 'proftpd.conf' file:

<Directory incoming>
 <Limit STOR CWD>
AllowAll
</Limit>

<Limit READ RMD DELE MKD>
DenyAll
</Limit>
</Directory>

and create as 'root' an 'incoming' directory in '/var/ftp' with write permissions for the 'ftp' user:

chmod 770 /var/ftp/incoming
chown ftp:ftp !$

'Hope this helps!
Herman