# NAS 4220-B - Configure FTP

Page updated 21 July 2008

This page describes how to configure FTP in as secure a manner as possible. By default the FTP server is too open to be safe.

It will be necessary to:

This is my new script:
**Server section.** This section defines some standard settings for the FTP server. Check the Umask setting.

```apacheconf
# Server characteristics
ServerName "Soroban NAS FTPD"
ServerType standalone
DefaultServer on
#
# Port and usage control
Port 21
PassivePorts 60000 65535
MaxInstances 30
#
# Miscellaneous
Umask 006
RequireValidShell off
IdentLookups off
UseReverseDNS off
#
# Administration/log file management
ScoreboardFile /var/run/proftpd.pid
SystemLog /var/log/messages
WtmpLog off
#
# Character set definition
CharsetLocal UTF-8
CharsetRemote CP1252
#
# Daemon user context - Default to invalid values
User nobody
Group nobody
#
# Unidentified
receivefile on ## This parameter is for TSS. You can fill in either "on" or "off". ###
```

**NAT rules.** Masquerade needed because I am behind a NAT Firewall. Replace with your own EXTERNAL ftp address.

```apacheconf
# Required for FTP behind NAT routers
MasqueradeAddress sorobansystems.plus.com
#
```

**Global section.** This section globally allows overwrite of files.

```apacheconf
# Download/upload/Overwrite controls
<Global>
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on
</Global>
```

**Anonymous section.**

```apacheconf
DefaultRoot /mnt/md1/ftp
DefaultRoot /mnt/md1/ftp ftp-admin
DefaultRoot /mnt/md1/ftp/ftp-read ftp-read
DefaultRoot /mnt/md1/ftp/ftp-upload ftp-upload
#
<Anonymous /mnt/md1/ftp>
# Daemon user context - over-rides previous
User ftp-admin
Group ftp-admin
AnonRequirePassword off
#
# Define aliases to internal names
UserAlias guest ftp-read
UserAlias upload ftp-upload
#
# Control access to download folder structure
<Directory /mnt/md1/ftp/ftp-read/*>
<Limit WRITE>
AllowGroup ftp-admin
DenyAll
</Limit>
</Directory>
#
# Control access to upload directory structure
<Directory /mnt/md1/ftp/ftp-upload/*>
<Limit STOR>
AllowGroup ftp-admin,ftp-upload
DenyAll
</Limit>
</Directory>
#
# Control access to FTP Root directory
<Directory /mnt/md1/ftp/*>
<Limit ALL>
AllowGroup ftp-admin
DenyAll
</Limit>
</Directory>
#UserAlias guest guest-share
#UserAlias anonymous guest-share
#UserAlias ftp guest-share
<Directory *>
AllowOverwrite on
<Limit WRITE>
AllowAll
</Limit>
</Directory>
</Anonymous>
```

The rest of the script:

```apacheconf
ListOptions "-l"
DenyFilter \*.*/
#
# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>
#### userscript - mod ####
#
<Directory /mnt/md1/lost+found>
HideNoAccess on
<Limit ALL>
DenyAll
</Limit>
</Directory>
#
<Directory /mnt/md1/admin>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ WRITE>
AllowUser admin
</Limit>
</Directory>
#
<Directory /mnt/md1/guest-share>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ WRITE>
AllowUser guest-share
</Limit>
</Directory>
<Directory /mnt/md1/public>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ WRITE>
AllowUser admin
</Limit>
</Directory>
```
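Before loading a script like the one above onto the NAS, it is worth checking it for the settings this page treats as too open (a permissive Umask, the daemon running as nobody, AnonRequirePassword off, AllowAll inside a write Limit). The following checker is an added example, not code from the page or from the NAS firmware; the rules it applies and the sample configuration it scans are this example's own constructions.

```python
import re

# Section openers/closers such as <Anonymous /mnt/md1/ftp>, <Limit WRITE>, </Limit>.
_OPEN = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def lint_proftpd(text):
    """Return [(line_no, message)] for directives that leave the server open.
    The rules are this example's own choices, based on the page's advice."""
    findings, stack = [], []          # stack of (section, argument) currently open
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comment lines and trailing ## notes
        if not line:
            continue
        if m := _OPEN.match(line):
            stack.append((m.group(1).lower(), (m.group(2) or "").strip()))
            continue
        if _CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        in_anon = any(sec == "anonymous" for sec, _ in stack)
        limit = next((arg.upper() for sec, arg in reversed(stack) if sec == "limit"), None)
        if key == "umask" and int(val.split()[0], 8) & 0o002 == 0:
            findings.append((no, f"Umask {val}: new files are world-writable"))
        if key in ("user", "group") and val.lower() == "nobody" and not in_anon:
            findings.append((no, f"{key} nobody: run the daemon as a dedicated account"))
        if key == "anonrequirepassword" and val.lower() == "off":
            findings.append((no, "AnonRequirePassword off: aliased logins need no password"))
        if key == "allowall" and limit and set(limit.split()) & {"WRITE", "STOR", "ALL"}:
            findings.append((no, f"AllowAll inside <Limit {limit}>: every client may write here"))
    return findings


# Constructed sample, deliberately weak; it is not the script from the page.
SAMPLE = """\
# constructed sample
Umask 000
User nobody
Group nobody
<Global>
AllowOverwrite on
</Global>
<Anonymous /mnt/md1/guest-share>
User guest-share
AnonRequirePassword off
<Directory *>
<Limit WRITE>
AllowAll
</Limit>
</Directory>
</Anonymous>
"""

if __name__ == "__main__":
    for no, msg in lint_proftpd(SAMPLE):
        print(f"line {no}: {msg}")
```

Run it against the NAS copy with `lint_proftpd(open("/etc/proftpd.conf").read())`; a line like `Umask 006` with a dedicated User/Group produces no findings.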
This is a copy of the proftpd.conf.md1 file in userscripts/sample/conf. Lines containing ... show where lines have been removed as not needing explanation. These are typically lines of comment. Note that you need to select the appropriate file. This script is for a RAID 1 configuration.

A detailed description of the commands can be found here.
```apacheconf
#### BEWARE!!!!
...
#
ServerType standalone
DefaultServer on
DefaultRoot /mnt
```

| Item | Description |
|---|---|
| ServerName | The name displayed to a user when they connect to the FTP server. We may want to change this. |
| ServerType | The type required for this application is standalone. |
| DefaultServer | on ensures that the server is operational. |
| DefaultRoot | The default root for the FTP server is /mnt. We will probably want to change this. |

```apacheconf
CharsetLocal UTF-8
CharsetRemote CP1252
```

| Item | Description |
|---|---|
| CharsetLocal, CharsetRemote | Define the character sets supported (local and remote). |

```apacheconf
SystemLog /var/log/messages
```

| Item | Description |
|---|---|
| SystemLog | Location for syslog messages. |

```apacheconf
Port 21
```

| Item | Description |
|---|---|
| Port | FTP port number. |

```apacheconf
Umask 006
```

| Item | Description |
|---|---|
| Umask | Mask used for setting file and directory permissions; see chmod in the UNIX documentation for values. |

```apacheconf
User nobody
Group nobody
```

| Item | Description |
|---|---|
| User, Group | It is recommended that a new user and group are created rather than using the traditional "nobody". |

```apacheconf
RequireValidShell off
```

| Item | Description |
|---|---|
| RequireValidShell | TBD |

```apacheconf
#### userscript - mod
# Tuning settings
IdentLookups off
UseReverseDNS off
WtmpLog off
ListOptions "-l"
DenyFilter \*.*/
```

| Item | Description |
|---|---|
| IdentLookups | Default is on. Controls whether the ident protocol is used to verify the user. |
| UseReverseDNS | Default is off. Used to verify the user. Off prevents a hang under some circumstances. |
| WtmpLog | Default is on. Controls logging to the host's wtmp log file. |
| ListOptions | -l will list one file per line. |
| DenyFilter | A filter to deny access to command arguments. There is a corresponding AllowFilter. |

```apacheconf
receivefile on ## This parameter is for TSS. You can fill in either "on" or "off". ##
```

| Item | Description |
|---|---|
| receivefile | TBD |

```apacheconf
ScoreboardFile /var/run/proftpd.pid
```

| Item | Description |
|---|---|
| ScoreboardFile | This is the file used to hold the PID. It is necessary for some functions to operate correctly. |

```apacheconf
#
# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>
```

| Item | Description |
|---|---|
| Directory | Directory /* selects all files/folders but not the directory itself. |
| AllowOverwrite | Permits files to be overwritten. |

```apacheconf
#### userscript - mod
# Downloadresume
<Global>
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on
</Global>
####
```

| Item | Description |
|---|---|
| Global | Sets commands that apply globally. |
| AllowOverwrite | on permits files to be overwritten globally. |
| AllowRetrieveRestart | on allows clients to restart downloads. |
| AllowStoreRestart | on allows clients to restart uploads. |

```apacheconf
<Anonymous /mnt/md1/guest-share>
User guest-share
Group guest-share
UserAlias guest guest-share
UserAlias anonymous guest-share
UserAlias ftp guest-share
<Directory *>
AllowOverwrite on
<Limit WRITE>
AllowAll
</Limit>
</Directory>
</Anonymous>
```

| Item | Description |
|---|---|
| Anonymous | Defines the root used for anonymous FTP access. |
| User | Username that the daemon will use for anonymous file access. |
| Group | The group used for anonymous access. |
| UserAlias | Aliases a number of user names to the common guest-share user. |
| Directory | Wildcard match. |
| Limit | WRITE - the enclosed rules apply to write commands on the folder. |
| AllowAll | Allows all users. |

```apacheconf
<Directory /mnt/md1/lost+found>
HideNoAccess on
<Limit ALL>
DenyAll
</Limit>
</Directory>
```

| Item | Description |
|---|---|
| Directory | /mnt/md1/lost+found |
| HideNoAccess | Hides this directory from users who have no access to it. |
| Limit | ALL will apply to all commands. |
| DenyAll | Prevents access to anyone. |

```apacheconf
<Directory /mnt/md1/admin>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ WRITE>
AllowUser admin
</Limit>
</Directory>
```

| Item | Description |
|---|---|
| Directory | /mnt/md1/admin |
| Limit | DIRS READ WRITE - applies to attempts to read or write directories. |
| DenyAll | Denies access. |
| Limit | DIRS READ WRITE - applies to attempts to read or write directories. |
| AllowUser | admin - enables user admin to override the earlier DenyAll and to access their own folder. |

```apacheconf
<Directory /mnt/md1/guest-share>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ WRITE>
AllowUser guest-share
</Limit>
</Directory>
```

| Item | Description |
|---|---|
| Directory | /mnt/md1/guest-share |
| Limit | DIRS READ WRITE as above. |
| DenyAll | As above. |
| Limit | DIRS READ WRITE as above. |
| AllowUser | guest-share - enables anonymous users (together with the aliases) to access the guest share. |

```apacheconf
<Directory /mnt/md1/public>
<Limit DIRS READ WRITE>
DenyAll
</Limit>
<Limit DIRS READ WRITE>
AllowUser admin
</Limit>
</Directory>
```

| Item | Description |
|---|---|
| Directory | /mnt/md1/public - as above; allows admin to access this folder. |