For those who are new to linux and don't want to use a FTP server without GUI, or just for those who don't use often their FTP server and wish to set it quickly without a high level of security, there is a GTK GUI for proftpd.
Be careful, it's less secure than configuring yourself your server.
1- Install proftpd and gproftpd with synaptic or with this command :
Code:
sudo apt-get install proftpd gproftpd
Beware no support is offered here for this tool but it shouldn't be too hard to use.
B- The secure way
1- Install proftpd with synaptic or with this command :
Code:
sudo apt-get install proftpd
Code:
/bin/false
Code:
cd /home sudo mkdir FTP-shared
To make this section clearer, i give you the equivalent command line to create the user, but it would be better to use the GUI (System > Administration > User & Group) to create the user since users here often got problems with the user creation and the password (530 error) with the command line, so i really advice to use the GUI :
Code:
sudo useradd userftp -p your_password -d /home/FTP-shared -s /bin/false sudo passwd userftp
Code:
cd /home/FTP-shared/ sudo mkdir download sudo mkdir upload
Code:
cd /home sudo chmod 755 FTP-shared cd FTP-shared sudo chmod 755 download sudo chmod 777 upload
Code:
sudo gedit /etc/proftpd.conf
Code:
sudo gedit /etc/proftpd/proftpd.conf
Code:
# To really apply changes reload proftpd after modifications. AllowOverwrite on AuthAliasOnly on # Choose here the user alias you want !!!! UserAlias sauron userftp ServerName "ChezFrodon" ServerType standalone DeferWelcome on MultilineRFC2228 on DefaultServer on ShowSymlinks off TimeoutNoTransfer 600 TimeoutStalled 100 TimeoutIdle 2200 DisplayChdir .message ListOptions "-l" RequireValidShell off TimeoutLogin 20 RootLogin off # It's better for debug to create log files ;-) ExtendedLog /var/log/ftp.log TransferLog /var/log/xferlog SystemLog /var/log/syslog.log #DenyFilter \*.*/ # I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me) UseFtpUsers off # Allow to restart a download AllowStoreRestart on # Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want) Port 1980 # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 8 # Set the user and group that the server normally runs at. User nobody Group nogroup # Umask 022 is a good standard umask to prevent new files and dirs # (second parm) from being group and world writable. Umask 022 022 PersistentPasswd off MaxClients 8 MaxClientsPerHost 8 MaxClientsPerUser 8 MaxHostsPerUser 8 # Display a message after a successful login AccessGrantMsg "welcome !!!" # This message is displayed for each access good or not ServerIdent on "you're at home" # Lock all the users in home directory, ***** really important ***** DefaultRoot ~ MaxLoginAttempts 5 #VALID LOGINS <Limit LOGIN> AllowUser userftp DenyALL </Limit> <Directory /home/FTP-shared> Umask 022 022 AllowOverwrite off <Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD> DenyAll </Limit> </Directory> <Directory /home/FTP-shared/download/*> Umask 022 022 AllowOverwrite off <Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD> DenyAll </Limit> </Directory> <Directory /home/FTP-shared/upload/> Umask 022 022 AllowOverwrite on <Limit READ RMD DELE> DenyAll </Limit> <Limit STOR CWD MKD> AllowAll </Limit> </Directory>
user : sauron
password : the one you've set for userftp
4- To start/stop/restart your server :
Code:
sudo /etc/init.d/proftpd start sudo /etc/init.d/proftpd stop sudo /etc/init.d/proftpd restart
Code:
sudo proftpd -td5
other informations here
C- Advanced tricks
1- Enable TLS/SSL encryption (FTPS)
** Inportant note : proftpd versions before 1.3.2-rc2 may not work with latest filezilla versions using TLS encryption. See raymond.szebin's post for details.
The FTP file sharing protocol is an old protocol which was created when internet was still a secure place, therefore the default FTP protocol is not that secure.
For example the password and username for login are transmitted in plain text which obviously isn't secure.
That why, to fit the needs of our generation, encryption solutions were developed and one of them is TLS/SSH encryption.
This will encrypt the username and password and all the data you send, obviously to use it the FTP client must support SFTP protocol.
here are the steps to enable TLS/SSH encryption (FTPS):
Paste these commands in a terminal :
Code:
sudo apt-get install build-essential sudo apt-get install libssl-dev cd /etc sudo mkdir ftpcert cd ftpcert/ sudo openssl genrsa -des3 -out server.key 1024 sudo openssl req -new -key server.key -out server.csr sudo openssl genrsa -des3 -out ca.key 1024 sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt ** download the sign.sh file (at the bottom of the post) and put it in ftpcert directory ** sudo chmod +x sign.sh sudo ./sign.sh server.csr
Code:
<IfModule mod_tls.c> TLSEngine on TLSLog /var/ftpd/tls.log TLSProtocol TLSv1 # Are clients required to use FTP over TLS when talking to this server? TLSRequired off # Server's certificate TLSRSACertificateFile /etc/ftpcert/server.crt TLSRSACertificateKeyFile /etc/ftpcert/server.key # CA the server trusts TLSCACertificateFile /etc/ftpcert/ca.crt # Authenticate clients that want to use FTP over TLS? TLSVerifyClient off </IfModule>
Code:
Include /etc/proftpd/modules.conf
Optional step:
You will notice that you will be asked for the password you set for the server.key file each time you start/stop/restart the server, it is because the RSA private key is encrypted in the server.key file.
The solution is to remove the encryption of the RSA private key but it makes the key readable in the server.key file which is obviously less secure, anyway if you do that make sure that the server.key is readable only by root.
Once you know that it's less secure here are the command lines to remove the encryption of the RSA private key :
Code:
cd /etc/ftpcert cp server.key server.key.org openssl rsa -in server.key.org -out server.key
http://www.modssl.org/docs/2.7/ssl_faq.html#cert-ownca
http://www.castaglia.org/proftpd/doc...HOWTO-TLS.html
To use your TLS encrypted FTP server you will need a FTP client which support it like the latest versions of filezilla (the one present in the feisty repository has the TLS support).
In filezilla the option to use is called FTPES.
Thanks to nix4me for the help he provided and for the instructions.
2- Restrict access for some users
Some of you wish, for different reasons, to create more than one user and give a different access depending on the user.
For example if i create 2 users, one called user1 and the second called user2 and then want to deny access to the download directory for user2, You can do it as following :
First create the 2 users like userftp in the guide and give them alias names if you use aliases. Then allow your 2 users in the general LIMIT LOGIN section :
Code:
#VALID LOGINS <Limit LOGIN> AllowUser user1 AllowUser user2 DenyALL </Limit>
Code:
<Directory /home/FTP-shared/download/*> Umask 022 022 AllowOverwrite off <Limit ALL> Order Allow,Deny AllowUser user1 Deny ALL </Limit> <Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD> DenyAll </Limit> </Directory> <Directory> /home/FTP-shared/upload/> Umask 022 022 AllowOverwrite on <Limit ALL> Order Allow,Deny AllowUser user1 AllowUser user2 Deny ALL </Limit> <Limit READ RMD DELE> DenyAll </Limit> <Limit STOR CWD MKD> AllowAll </Limit> </Directory>
That's all