Linux Step By Steps

Installing ProFTPD

From: M.W.Chang

Date: October 9, 2002 (5th Revision)

This document describes the compile/install and configuration of a very basic ProFTPD service.

INSTALLATION

Grab the proftpd-1.2.8.tar.gz (tar-ball) from Proftpd website. I am using Caldera OpenLinux 3.1, so I configured the package with these switches, and use checkinstall-1.5.1 to turn the package into an regular RPM for installation. Note that I included some of the plug-in modules in /contrib directory of proftpd.

#!/bin/bash
# 
# decompress the archive in /usr/src
#
cd /usr/src
tar xzvf /path/to/proftpd-1.2.7.tar.gz
# 
# configure it
#
cd proftpd-1.2.7
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run
--with-modules=mod_readme:mod_wrap:mod_ratio
# 
# later on, you may want to compile with these modules to deploy
# more advanced features like mysql and openldap support
# mod_sql:mod_sql_mysql:mod_ldap
#
# 
make -j 3
#
# you may use checkinstall to install proftpd, which will
# keep a record of all the files installed by `check install`
# and build an rpm
#
# checkinstall -si make install
#
make install
#
# create the necessary directories
#
mkdir /home/ftp; chmod 753 /home/ftp; chown ftp:ftp /home/ftp
mkdir /home/ftpdown;chmod 555 /home/ftpdown; chown nobody:nobody /home/ftpdown

NOTE: checkinstall-1.5.1 would require you to enter the path to Caldera's RPM repository in /usr/src/OpenLinux.

If everything goes well, you will find the following files installed:

root@server: scripts> rpm -qil proftpd
Name        : proftpd                      Vendor: (none)
Version     : 1.2.7                  Distribution: (none)
Release     : 1                        Build Host: server.donkeyware.org
Install Date: 2002-12-08T02:37:52Z     Build Date: 2002-12-08T02:37:47Z
Size        : 645567                   Source RPM: proftpd-1.2.7-1.src.rpm
Group       : Applications/System
Copyright   : GPL
Packager    : checkinstall-1.5.2
Summary     : Package created with checkinstall 1.5.2
Description :
Package created with checkinstall 1.5.2
/usr/bin/ftpcount
/usr/bin/ftptop
/usr/bin/ftpwho
/usr/doc/proftpd-1.2.7/COPYING
/usr/doc/proftpd-1.2.7/CREDITS
/usr/doc/proftpd-1.2.7/ChangeLog
/usr/doc/proftpd-1.2.7/INSTALL
/usr/doc/proftpd-1.2.7/NEWS
/usr/doc/proftpd-1.2.7/README
/usr/doc/proftpd-1.2.7/README.AIX
/usr/doc/proftpd-1.2.7/README.FreeBSD
/usr/doc/proftpd-1.2.7/README.LDAP
/usr/doc/proftpd-1.2.7/README.PAM
/usr/doc/proftpd-1.2.7/README.Solaris2.5x
/usr/doc/proftpd-1.2.7/README.Unixware
/usr/doc/proftpd-1.2.7/README.cygwin
/usr/doc/proftpd-1.2.7/README.linux-privs
/usr/doc/proftpd-1.2.7/README.mod_sql
/usr/doc/proftpd-1.2.7/README.modules
/usr/doc/proftpd-1.2.7/README.ports
/usr/man/man1/ftpcount.1.gz
/usr/man/man1/ftpwho.1.gz
/usr/man/man5/xferlog.5.gz
/usr/man/man8/ftpshut.8.gz
/usr/man/man8/proftpd.8.gz
/usr/sbin/ftpshut
/usr/sbin/in.proftpd
/usr/sbin/proftpd

Most linux distribution came with wu-ftpd pre-installed. You have to disable it in inetd (/etc/inetd.conf or /etc/inet.d/ftp) or xinetd (/etc/xinetd.conf), restart inet tcp wrapper daemon. Otherwise it will be holding the ftp port (default: 20-21) foreever. Certain packages like portsentry will also bind itself to any un-used priviledge ports. So beware.

You can always know what programs are holding the port 21 (or any port number) by this command:

netstat -anp | grep 21

And then you can find out more about the program. The following shows how to find out more information about the progrma with a name of "ftp":

ps aux | grep ftp

CONFIGURATION

Before we actually invoke /usr/sbin/proftpd, we need to write a configuration file called /etc/proftpd.conf:

Time to convert all these decign decisions into the proftpd config file /etc/proftpd.conf:

# beginning of proftpd.conf ServerName "Your FTP Server" # If you want to use inetd/xinetd, make sure you edit their # config files to use in.proftpd as daemon name, and change # ServerType to inetd. ServerType standalone # if not switched on, won't answer calls from unknown destinations DefaultServer on DefaultTransferMode binary ServerIdent off DefaultRoot ~ # Port 21 is the standard FTP port. Port 21 # If you do want normal users logging in at all, comment this <LIMIT LOGIN> DenyAll </LIMIT> # Set the user and group that the server normally runs at. User nobody Group nogroup MaxInstances 10 # Set the maximum number of seconds a data connection is allowed # to "stall" before being aborted. TimeoutStalled 300 UseFtpUsers off RootLogin off PersistentPasswd off # these speed up the login process but makes log less readable UseReverseDNS off IdentLookup off # you can have a separate file from the regular /etc/passwd #AuthUserFile /etc/proftpd-passwd <Global> Umask 022 RequireValidShell off AllowForeignAddress on DirFakeGroup on ~ DirFakeUser on ~ DirFakeMode 0440 HiddenStor on </Global> # We want 'welcome.msg' displayed at login, and '.message' displayed # in each newly chdired directory. DisplayLogin welcome.msg DisplayFirstChdir .message AccessDenyMsg "404 Access for %u has been denied. <Anonymous /home/ftpdown> <Limit LOGIN> AllowAll </Limit> # you can use the alias as a password for your downloaders. :) UserAlias download ftp # # But if you really use a password, you need to encrypt the password # and paste the encrypted text below and uncomment the 2 lines below # AnonRequirePassword on # UserPassword ftp crypted-text # RequireValidShell off User ftp Group ftp # you may not like the bandwidth control below # TransferRate RETR|STOR|APPE|STOU KBrate:freebytes TransferRate RETR 20:0 # older version use the following directive instead. # RateReadBPS 20000 MaxClients 3 "550 Too Many Users (Limit=%m)" MaxClientsPerHost 1 "551 One connection per IP" # allow resume in downloading HideNoAccess on AllowRetrieveRestart on <Limit WRITE> DenyAll </Limit> </Anonymous> <Anonymous /home/ftp> <Limit LOGIN> AllowAll </Limit> UserAlias anonymous ftp User ftp Group ftp RequireValidShell off # allow resume in uploading AllowStoreRestart on AllowOverwrite on <Limit REST STOR MKD APPE> AllowAll </Limit> <Limit RMD RNFR RNTO RETR DELE> DenyAll </Limit> # Reject all files with leading periods or dashes: PathDenyFilter "(^|/)[-.]" </Anonymous> # end of proftpd.conf

You will notice that there is a crypted-text above. It's the password for the ftp directory, encrypted by linux. You can use cli-crypt-1.0.tar.gz, which is a package that can be downloaded from http://freshmeat.net basically written for generating password with proftpd. Another simple way is to use a simple perl script (courtesy of http://www.}linuxjournal.com):

perl -e 'print("userPassword: ".crypt("secret","salt")."\n");'

Just run the script, cut and paste the password into the blank above will do.

DAEMON CONTROL

The following is a script to start/stop proftpd daemon:

#!/bin/bash
# reference:
# http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Stopping.html
#

# ProFTPD files
FTPD_BIN=/usr/sbin/proftpd
FTPD_CONF=/etc/proftpd.conf
PIDFILE=/var/run/proftpd.pid

# If PIDFILE exists, does it point to a proftpd process?

if [ -f $PIDFILE ]; then
   pid=`cat $PIDFILE`
fi

if [ ! -x $FTPD_BIN ]; then
    echo "$0: $FTPD_BIN: cannot execute"
    exit 1
fi

case $1 in

    start)
      if [ -n "$pid" ]; then
        echo "$0: proftpd [PID $pid] already running"
        exit
      fi

      if [ -r $FTPD_CONF ]; then
        echo "Starting proftpd..."
	rm -f /etc/shutmsg
        $FTPD_BIN -c $FTPD_CONF

      else
        echo "$0: cannot start proftpd -- $FTPD_CONF missing"
      fi
      ;;

    stop)
      if [ -n "$pid" ]; then
        echo "Stopping proftpd..."
        kill -TERM $pid

      else
        echo "$0: proftpd not running"
        exit 1
      fi
      ;;

    restart)
      if [ -n "$pid" ]; then
        echo "Rehashing proftpd configuration"
        kill -HUP $pid

      else
        echo "$0: proftpd not running"
        exit 1
      fi
      ;;

    *)
      echo "usage: $0 {start|stop|restart}"
      exit 1
      ;;
esac

exit 0

LOG ANALYSIS

Proftpd generates a log file that's similar to the log file wu-ftpd. That means, you can use the xferstats script in the /contrib directory of the proftpd source (or the one from wu-ftpd which has bugs) to analyze the log. I put the xferstats script in /usr/sbin. There is a newer version of xferstats. Search for it via google.com using keyword "xferstats" or try http://xferstats.off.net . For a graphical presentation, you may use awstats. In her website, he got an article teaching you how to modify the proftpd log format to suit her presentation.

For your convinience, here's my /etc/logrotate.d/ftpd for proftpd's logs (in /var/log):

# beginning of /etc/logrotate.d/ftpd
missingok

/var/log/xferlog {
  size=256k
  nocopytruncate
  postrotate
    /usr/bin/killall -HUP syslogd
  endscript
}

/var/log/ftp {
  daily
  rotate 7
  postrotate
    /usr/bin/killall -HUP syslogd
  endscript
}
# end of /etc/logrotate.d/ftpd

MONITOR

Just like wu-ftpd, ftpwho will tell you what users are currently connecting to your proftpd. For more detail, you can use ftpwho -v. And with the release of proftpd-1.2.7, there is a new command called ftptop.

To know the transfer rates, however, you may use SNMP tools like MRTG. One linux-sxs editor recommneded console tools pppstatus and ethstatus. I have found a tool called ifstat which is really simple.

root@server: init.d> ifstat
       eth0                eth1
 KB/s in  KB/s out   KB/s in  KB/s out
    0.67     16.96      0.00      0.00
    1.25     33.58      0.00      0.00
    0.67     16.81      0.00      0.00

There is also ntop, which is you can view its results via web browser (just like webmin). You can find them in http://freshmeat.net!

Useful References