ProFTPD is a secure (as secure as an insecure protocol can be), simple, and easily configured FTP Server.
This document covers the creation of a secure, multiuser FTP Server. This document does not attempt to explain every directive available for the proftpd.conf file. This document does not attempt to explain how to start and stop the ProFTPD daemon as this process varies based on what *nix / BSD Distribution you are running the daemon on. This article does assume general familiarity with *nix / BSD system administration such as adding users, setting user passwords, creating directories, etc.
Before we start; the title of this article is a bit of a misnomer since FTP in its self is an insecure protocol due to the fact that it does not encrypt usernames, passwords, or data. If you require a totally secure method of transferrring files, I suggest that you look into SCP, which is an extension to the SSH (Secure Shell) Protocol.
Premise
We will be working with three "levels" of security to secure our server. Our first layer of "security" is to jail all FTP users in a chroot jail. Luckily, ProFTPD provides a built-in facility for this purpose. Our second layer of protection needed for a "secure" FTP Server is to deny a valid shell to the FTP users. Our third layer of security is to notuse account names for real users as FTP accounts, this is irrelevant in the scope of this tutorial because because we will be setting up FTP users with invalid shells.
I : Preparing the System
To deny a valid shell to the FTP users, the /etc/shells file will need to be edited. This file contains all the valid FTP shells. We want to add an executable that does nothing to this file so we can assign this “nothing†executable to the FTP users so that they have no shell if they break out of the chrooot jail.
Add the following line to /etc/shells:
/bin/false
(/bin/false) does nothing – check out the man page if you wish.
We also want to secure the directory where we will be storing the FTP Server's files, create a new group using whichever tool you normally use and call it ftp-users.
II : Create The FTP File Area
Decide on a base (root) directory where you wish to keep all the uploaded and downloadable files for your FTP Server. In this document, I will refer to this directory as /ftproot. Create the following directory structure below it.
/ftproot/upload
/ftproot/download
Next, set the permissions on the ftp directory structure.
chown -R ftp.ftpusers /ftproot
chmod -R 770 /ftproot
III: Create FTP Users
We already know why it is not a good idea to use valid user accounts for FTP. So let's create some FTP users.
Using whatever tool you normally use to create users, create some special FTP accounts. I suggest that you use the useradd tool instead of adduser as useradd does not create a home directory unless you specify it (we do not want to create standard home directories for the FTP users). I use the following format for ftp user names.
Ftp. For example, John Doe's FTP account would be ftpjd (I will use ftpjd as an example FTP account for the rest of this document)
If you accidentally created a home directory (/home/ftpjd) for the FTP user, delete it now.
Next, we want to give the user an invalid shell, put him or her in the ftp-users group, add a comment to the user's file that identifies the user as an FTP user, and change his or her home directory to the root directory of our FTP server. Edit the /etc/passwd file OR use the usermod tool as in the example below.
usermod -c FTP -d /ftproot -g ftp-users -s /bin/false ftpjd
IV: Configure ProFTPD
First, we will set the chroot jailing. The chroot jailing in ProFTPD works with the home directory that is set for the user in /etc/passwd. Since we changed all of our FTP users' home directories to /ftproot, they will all start off jailed in /ftproot when they log in to our FTP server. Configuring the chroot jail inProFTPD is as simple as adding the following line to your /etc/proftpd.conf file somewhere in the first half of the file.
#Jail all users
DefaultRoot ~
Next, we will add permissions directives for our FTP directory structure. Add the following to the end of your /etc/proftpd.conf file.
Umask 022 022
AllowOverwrite off
DenyAll
Umask 022 022
AllowOverwrite off
DenyAll
Umask 022 022
AllowOverwrite on
AllowAll
The directives above set the server to read only in all directories except the upload directory. This allows the admin to control which files are made public. For more detailed information on these directives, please see the ProFTPD documentation.
Start up your ProFTPD Daemon and you finished.
V : A Working ProFTPD Configuration
I have bolded some of the important directives in the example configuration that this document does not cover that you should look up in the ProFTPD documentation.
# ProFTPD for "EXAMPLE" FTP Server
ServerIdent on "Please enter your username and password. Anonymous logins are disabled.
ServerName EXAMPLE
ServerType inetd
ServerAdmin Private@whatever.net
DeferWelcome on
ShowDotFiles off
ShowSymlinks off
MultilineRFC2228 on
DefaultServer on
AllowOverwrite on
MaxClients 10
MaxClientsPerHost 1 "You are already logged on once."
RequireValidShell off
TimeoutNoTransfer 20
TimeoutStalled 10
TimeoutLogin 20
TimeoutIdle 1200
RootLogin off
UseFtpUsers off
Port 21
MaxInstances 30
ExtendedLog /var/log/ftp.log auth,all
LsDefaultOptions "-l"
DenyFilter \*.*/
# Set the user and group that the server normally runs at.
User ftp
Group ftp-users
# Lock users into the ftproot directory
DefaultRoot ~
Umask 022 022
AllowOverwrite off
DenyAll
Umask 022 022
AllowOverwrite off
DenyAll
Umask 022 022
AllowOverwrite on
AllowAll
