Copyright © 1999-2002 by Mark Lowes
Copyrights and Trademarks
This document may be reproduced in whole or in part, without fee, subject to the following restrictions:
Exceptions to these rules may be granted for academic purposes: Write to the author and ask. These restrictions are here to protect us as authors, not to restrict you as learners and educators.
ProFTPD is an FTP server written primarily for the various Unix variants, though it will now compile under win32. It has been designed to be much like Apache in concept, taking many of its ideas (configuration format, modular design, etc.) from that project.
Release Candidate: 1.2.5rc1
At the moment there is a little irrationality in the numbering scheme however it can be summarised as follows
http://www.proftpd.org is now online and contains copies of this FAQ, other documentation resources and information on the project. The documentation is being brought back into shape at the moment; the configuration documentation on the website is now approaching where it should be, but more work is required and is ongoing. There are a number of geographic mirror sites; see http://www.proftpd.org for details or try www.<isocode>.proftpd.org (e.g. www.uk.proftpd.org).
Bug reports should be made via http://bugs.proftpd.org/ which uses the bugzilla tracking system. Patches should be mailed to the ProFTPD-Devel mailing list or MacGyver directly.
Please report all security problems with the code to <firstname.lastname@example.org> before releasing the information into the public domain. It would be appreciated if you give the core team a few days to put together a patch and/or new release to address the issue.
Please adhere to the procedures and timescales given in the RFPolicy document http://www.wiretrip.net/rfp/policy.html; this will give the core development team a chance to get a fix or workaround in place before the problem becomes fully public.
There are two main methods of getting the software: downloading a compressed tarball or RPM (there is also a Debian package available in the main Debian distribution) from proftpd.org or from a mirror site; alternatively, if you wish to run the latest bleeding-edge code, fetching it from the CVS server is the best method.
There are a number of mailing lists for ProFTPD
The software is currently distributed under the GNU General Public License (version 2 or later) as published by the Free Software Foundation. Copyright is held by Public Flood Software.
There have been reports of ProFTPD compiling on all the following platforms (and versions).
There are several known problems with libc5-based systems, including improperly implemented library routines (vsprintf and vsnprintf are examples) and known problems with the resolver library. For these reasons and others libc5 is not supported at all; the latest versions of the major distributions (including Debian, Redhat and Suse) are all glibc-based.
CVS (Concurrent Versions System), is a version control system which allows multiple developers (scattered across the same room or across the world) to maintain a single codebase and keep a record of all changes to the work.
The CVS repository for ProFTPD is available for non-developers in read-only mode, however this code is right on the bleeding edge and is not guaranteed to even compile let alone work. Access to CVS is given to allow important security patches out into the wild and to allow users and interested users to test out the latest changes on real systems.
cvs -z3 update -Pd
cvs diff -u
The easiest way is to fire up proftpd manually from the command line with the debug level cranked up.
/usr/local/sbin/proftpd -d9 -n
This will result in maximal debug output direct to the console. Warning: this can get messy on a busy server; for testing I would suggest copying the config, altering the port the server binds to and then testing against that copy.
Any patches should be submitted in unified diff format; this makes integrating them into the main CVS source a lot easier. When generating a diff against the current CVS source use "cvs diff -uw" to generate the patch.
cvs diff -u filename > filename.patch

or

cvs diff -u > bigger.patch
Patches that add configuration directives without proper documentation will be rejected. New features without documentation are less than useless to the community at large.
Simply configure ProFTPD with
./configure --with-modules=mod_module1:mod_module2:mod_module3
make
make install
The new development series will be 1.3.x, using the same number scheme as the linux kernel developers. The targets/goals are:
2.0.x will be the production release of the 1.3.x development set.
If/when a port is undertaken for NT, it will only be after a near complete rethinking of ProFTPD. This is planned for 2.0 and onwards.
While anything new is welcomed it's probably better to at least float the idea first on the devel mailing list to ensure that someone else isn't already hacking on it. Also when submitting the patch or module for inclusion into the ProFTPD source full documentation is needed.
ProFTPD has support for authentication and logging via SQL databases using the mod_sql module as supplied in the main distribution.
There is a mini-HOWTO at http://www.castaglia.org/proftpd/doc/ detailing how to tunnel ftp connections over ssh.
sendfile() is a system call which streamlines the copying of data between the disk and the TCP socket. The call copies directly from the page cache rather than requiring a kernel -> user space -> kernel space copy for every read() and write() call. Generally the advantages are only felt on heavily loaded servers. The call is supported in ProFTPD for Linux and FreeBSD.
There is currently no official support for IPv6 within the 1.2.x code tree, however there is an http://www.t17.ds.pwr.wroc.pl/~misiek/ipv6/ and more comprehensive support will probably be developed during the 1.3.x development cycle.
ProFTPD is utterly dependant on the underlying OS to handle filename case sensitivity. If the underlying OS is case sensitive then ProFTPD will be, there are currently no plans for a module to handle this.
FXP (server-to-server transfer) lets a client bounce data directly between two FTP sites. There have been a number of reports of problems in configuring ProFTPD to function cleanly with the FlashFXP client (http://flashfxp.skuz.net/).
To support FXP when connecting as a user place "AllowForeignAddress on" in the Global or VirtualHost context.
To support FXP when connecting as anon "AllowForeignAddress on" must be placed in the Anonymous context.
The config will happily support "AllowForeignAddress on" in multiple places within the config.
ProFTPD was started in standalone mode but doesn't show in "ps". It could be many things, possibly something like not running ProFTPD as root (it needs to be run as root initially, but will switch to a non-privileged user). Regardless, ProFTPD logs all errors via the standard syslog mechanism. You need to check your system logs in order to determine what the problem is.
When posting try giving enough information, this might include but not be limited to.
You aren't starting ProFTPD as root, or you have inetd configured to run ProFTPD as a user other than root. The ProFTPD daemon must be started as root in order to bind to tcp ports lower than 1024, or to open your shadow password file when authenticating users. The daemon switches uid/gids to the user and group specified by the User/Group directives during normal operation, so a "ps" will show it running as the user you specified.
0.0.0.0 is INADDR_ANY, which means to bind to any interface. The "address in use" will normally mean that something has already bound to that address.
Under linux it is possible to run:
fuser -n tcp 21
to get the PID of the process currently bound to the port ProFTPD is configured to use.
The most common cause is that ProFTPD is configured standalone and inetd is still configured for port 21. Comment out the line starting "ftp" in /etc/inetd.conf and restart (killall -HUP inetd or something similar should do the trick) and try again.
You have ProFTPD configured to run in inetd mode rather than standalone. In this mode, ProFTPD expects that it will be run from the inetd super-server, which implies that stdin/stdout will be sockets instead of terminals. As a result, socket operations will fail and the above error will be printed. If you wish to run ProFTPD from the shell, in standalone mode, you'll need to modify your proftpd.conf configuration file and add or edit the ServerType directive to read:
The hosting machine has a poorly configured hostname setup to the point where the resolver library cannot determine the IP from the name. Solutions include, fixing the DNS for the domain, fixing the hostname, fixing the /etc/hosts file. Which one works for you will largely depend on your OS and exactly what is wrong.
The FTP specification defines that two sockets are used for all communications. The first runs over port 21 and is the control channel over which all commands and response codes are sent. Whenever data has to be transferred, for example for a file download or a directory listing, a second channel is created on demand; this socket can take one of two forms.
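The data channel is set up either by the client announcing an address with PORT or by the server offering one in a PASV reply; in both cases the address travels as "h1,h2,h3,h4,p1,p2". The following is an added example (not ProFTPD's code) of parsing that tuple and of the check that the AllowForeignAddress directive described earlier relaxes: without it, a PORT address that is not the control connection's peer is refused, which is what stops the server being used to bounce data to third parties. The peer address and the PORT strings are constructed for the example, and the refusal of privileged data ports is an extra check of mine rather than something this FAQ states.

```python
import re

# Constructed sample: the address of the client on the control connection.
PEER_ADDR = "192.0.2.10"

PASV_RE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_port_argument(arg):
    """Parse "h1,h2,h3,h4,p1,p2" into (ip, port); ValueError if malformed."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT argument must have six comma-separated fields")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers")
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PORT cannot specify port 0")
    return host, port


def parse_pasv_reply(reply):
    """Extract the address tuple from a "227 Entering Passive Mode (...)" line."""
    match = PASV_RE.search(reply)
    if not match:
        raise ValueError("no address tuple in PASV reply")
    return parse_port_argument(match.group(1))


def data_connection_allowed(port_arg, peer_addr, allow_foreign_address=False):
    """Decide whether a PORT request should be honoured.

    Returns (allowed, reason). Without AllowForeignAddress the data address
    must equal the control connection's peer address; privileged ports are
    refused either way (assumed hardening, not from the FAQ).
    """
    try:
        host, port = parse_port_argument(port_arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    if port < 1024:
        return False, f"refusing privileged data port {port}"
    if host != peer_addr and not allow_foreign_address:
        return False, f"data address {host} is not the control peer {peer_addr}"
    return True, f"data connection to {host}:{port}"


if __name__ == "__main__":
    for arg in ("192,0,2,10,7,209", "198,51,100,7,7,209", "192,0,2,10,0,21"):
        print(arg, "->", data_connection_allowed(arg, PEER_ADDR))
        print(arg, "(FXP) ->", data_connection_allowed(arg, PEER_ADDR, True))
```

Run with a real session by feeding the argument of each PORT command and the peer address from the accepted control socket; the decision for a foreign address flips only when the AllowForeignAddress flag is set for the context the client logged into.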
No, or at least not in the HTTP/1.1 manner of virtual hosting. This is an inbuilt limitation of the current FTP RFC: unlike the HTTP/1.1 spec there is no mechanism comparable to the "Host: foo.bar.com" HTTP header for specifying which host the connection is for. Therefore the only method of determining which VirtualHost a connection is destined for is by the destination IP.
The one exception to this is if you host multiple servers on the same IP but using different ports, however this requires that the connecting client uses a non-standard port and therefore is probably not a good solution for mass hosting.
Find the line in /etc/inetd.conf that looks something like this:
Replace it with:
Then, find your inetd process in the process listing and send it the SIGHUP signal so that it will rehash and reconfigure itself. You may also need to add in.ProFTPD to hosts.allow on your system.
Yup. Although ProFTPD has built-in IP access control (see the Deny and Allow directives), many admins choose to consolidate IP access control in one place via in.tcpd. Just configure ProFTPD to run from inetd as any other tcp-wrapper wrapped daemon and add the appropriate lines to hosts.allow/deny files.
If running ProFTPD in standalone mode, mod_wrap can be used to direct the server to use the normal hosts.allow/deny files.
Yes. Use a <VirtualHost> block with your machine's FQDN (Fully Qualified Domain Name) or IP address, and a Port directive inside the <VirtualHost> block. For example, if your host is named "myhost.mydomain.com" and you want to run an additional FTP server on port 2001, you would:
...
<VirtualHost myhost.mydomain.com>
  Port 2001
  ...
</VirtualHost>
Yes the mod_ratio module provides for doing just this.
The ratio directives take four numbers: file ratio, initial file credit, byte ratio, and initial byte credit. Setting either ratio to 0 disables that check.
The directives are HostRatio (matches FQDN, wildcards allowed), AnonRatio (matches password entered at login), UserRatio (accepts "*" for "any user"), and GroupRatio.
Ratios on                               # enable module
UserRatio ftp 0 0 0 0
HostRatio master.debian.org 0 0 0 0     # leech access (default)
GroupRatio proftpd 100 10 5 100000      # 100:1 files, 10 file cred; 5:1 bytes, 100k byte cred
AnonRatio email@example.com 1 0 1 0     # 1:1 ratio, no credits
UserRatio * 5 5 5 50000                 # special default case
This example is for someone who (1) has downloaded 1 file of 82k, (2) has uploaded nothing, (3) has a ratio of 5:1 files and 5:1 bytes, (4) has 4 files and 17k credit remaining, and (5) is now changing directory to /art/nudes/young/carla. The initial credit, not shown, was 5 files and 100k (UserRatio * 5 5 5 100000).
Version 2.0 and above of this module integrate with mod_sql.
This is probably caused by a firewall or DNS timeout. By default ProFTPD will try to do both DNS and ident lookups against the incoming connection. If these are blocked or excessively delayed a slower than normal login will result. To turn off DNS and ident use:
UseReverseDNS off
IdentLookups off
IdentLookups and tcpwrappers ***
Oct 7 12:30:48 salvage2 proftpd: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd: FTP session closed.
The above log extract is likely to be caused by a local monitoring system or a particularly aggressive DoS attack. Most service monitoring systems try opening the ftp port on the target server to detect whether it is active and running. Most of the time these tests are followed by an immediate "QUIT" or disconnection.
tcpdump/tcpshow on the server in question should show which machine on your network is generating these connections.
The ftpwho command lists the state of each FTP connection to the server and what its current activity is. However, this does not detail the connection information on a virtual-by-virtual basis.
Sort of; it's not quite as clean as the socket binding under Apache, but the principle works something like this.
Check for /etc/shutmsg and delete it.
ftpshut, allows the server to disallow connections with a message without actually taking down the service. The shutdown can be scheduled for a point in the future or right now, existing connections can be allowed to finish, or be terminated now. Re-enabling is done by removing the /etc/shutmsg file.
No, the shutmsg file works at a daemon level not at a virtual host level.
This appears to be a general catch all error code meaning "something nasty has gone wrong".
You get the idea...
Two possible reasons, first that it's simply not running, try proftpd -n -d2 to run in debug mode and see what happens. The other is that it's running from inetd and there are no active sessions at the moment.
This depends on the mode you're running the server in.
A bug was introduced in 1.2.0rc2 which prevented the PORT command working properly and therefore breaking the data socket under certain conditions. The bug was documented as bug 240 and has been fixed in CVS. A rc3 release is due before the end of Jan 2001.
ProFTPD was unable to work out what IP is associated with the hostname in the VirtualHost block. This is normally caused by a problem with DNS resolution of the host; check the resolv.conf file and that your chosen nameservers are functional.
AllowStoreRestart is disabled by default because it will allow any writable file to be corrupted by a malicious user. It is recommended that this option is only used with authenticated users and then only in certain directories.
As mentioned in the description of the HiddenStor configuration directive, use of that directive is incompatible with the FTP command REST. Either disable use of REST with the AllowRetrieveRestart and AllowStoreRestart directives, or do not use HiddenStor.
The default behaviour for ProFTPD is to display all times relative to GMT. To use local time set "TimesGMT off" in the server section of the config. There is a known issue with Redhat 7, with regard to time handling. http://www.redhat.com/support/errata/rh7-errata-bugfixes.html
Make sure that ReverseDNS is disabled, turn off ident lookups. Additionally check the size of your /etc/passwd (or shadow) file, if it is large then the only solution may be to move to another authentication scheme.
There appear to be some problems with both the use of sendfile() in ProFTPD and with the implementation within certain operating systems.
Short answer, no. Longer answer is no, but you can minimise the effects. The cleanest approach on servers which have significant amounts of traffic appears to be to use ftpshut to block new connections and terminate existing ones after a pre-determined time period and then to upgrade and restart. This approach limits the number of downloads which are terminated part way through.
The default ProFTPD configuration file uses the user "nouser" and the group "nogroup"; some systems / distributions do not have the group "nogroup" defined. The solution is either to add the group "nogroup" to /etc/group or to change the "nogroup" entry in proftpd.conf to a group which does exist.
The setting of the group privileges for a process uses the setgroups(2) system call. This call will fail with the above error message for one of two reasons: there is a negative GID value for one of the groups, or the maximum number of groups for a single user has been exceeded.
Ideally, all IDs, both UID and GID, will be positive. Unfortunately, it is common on many systems to use -1 or -2, especially for such users as 'nobody', or group 'nogroup'. Use of these values uses C's treatment of data types to make the actual numeric value very high; some functions, like setgroups(), do not like this, though. In general, always use positive ID numbers.
The other limitation is the number of supplemental groups for a user (eg non-primary groups, the ones configured in /etc/group). The maximum number of supplemental groups to which a user may belong is defined by the operating system constant NGROUPS_MAX. On some operating systems, such as Solaris, this limitation may be tunable.
Some other applications may not encounter this error if they use the initgroups(3) function, which reads the /etc/group file for a user's supplemental group memberships, and sets those groups. This function, however, silently ignores any supplemental groups for user greater than NGROUPS_MAX, unlike setgroups(2), which complains.
If this is the cause of your error message, any solution will most likely involve reducing the number of groups your users are members of, or tuning the NGROUPS_MAX value, if your operating system allows it.
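Before changing NGROUPS_MAX or pruning memberships it helps to see which of the two causes applies to a given account. The following added example (my own helper, not part of ProFTPD) reads the supplemental-group limit with sysconf, builds the gid list initgroups(3) would assemble for a user from constructed /etc/group-style data, and reports the conditions the paragraphs above describe: negative IDs, the huge values that -1/-2 become when stored as an unsigned gid_t, and more groups than NGROUPS_MAX. The sample group table and the fallback limit of 16 are assumptions for the example.

```python
import os


def ngroups_max():
    """Supplemental-group limit of the running OS; the traditional value of
    16 is used as a fallback (assumption) if sysconf cannot report it."""
    try:
        value = os.sysconf("SC_NGROUPS_MAX")
    except (ValueError, OSError, AttributeError):
        value = -1
    return value if value > 0 else 16


def gid_problems(gids, limit):
    """Return the reasons setgroups(2) would be expected to reject this list."""
    problems = []
    # -1 and -2 stored in an unsigned 32-bit gid_t become these values
    wrapped = {(1 << 32) - 1, (1 << 32) - 2}
    for gid in gids:
        if gid < 0:
            problems.append(f"negative gid {gid}")
        elif gid in wrapped:
            problems.append(f"gid {gid} is -1/-2 wrapped to unsigned; use a positive id")
    if len(gids) > limit:
        problems.append(f"{len(gids)} groups exceeds NGROUPS_MAX={limit}")
    return problems


def check_user_groups(username, group_db, limit):
    """group_db maps group name -> (gid, [members]), like /etc/group.

    Returns the supplemental gid list for the user (what initgroups(3) would
    read) together with the problems setgroups(2) would complain about.
    """
    gids = [gid for gid, members in group_db.values() if username in members]
    return gids, gid_problems(gids, limit)


# Constructed /etc/group-style data for the example (not from the FAQ).
SAMPLE_GROUPS = {
    "staff": (50, ["alice", "bob"]),
    "nogroup": (-2, ["ftp"]),  # the discouraged negative id
    "www": (33, ["alice"]),
}


if __name__ == "__main__":
    limit = ngroups_max()
    print("NGROUPS_MAX on this host:", limit)
    for user in ("alice", "ftp"):
        print(user, check_user_groups(user, SAMPLE_GROUPS, limit))
```

To run it against a real system, build group_db from the grp module (grp.getgrall() yields gr_name, gr_gid and gr_mem) instead of SAMPLE_GROUPS; a non-empty problems list for the User named in proftpd.conf points at the cause of the setgroups error.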
PAM(exit): Permission denied
open_module: stat(/usr/lib/security/pam_unix.so.1) failed: No such file or directory
load_modules: can not open module /usr/lib/security/pam_unix.so.1
PAM(exit): Dlopen failure.
These messages appear when the DefaultRoot configuration directive is in effect. This directive causes a user to be confined using the chroot(2) system call. This call, however, affects other system utilities, such as PAM. In this case, PAM's configuration is causing the PAM library to attempt to open PAM modules using a path that is no longer valid, thus the errors. This happens on logout because the chroot has already happened by that point; on login, the PAM modules are successfully found and loaded before the chroot, so no errors. These are merely cosmetic reporting errors, and do not really affect the functionality or security of the server.
Problems encountered in trying to make the server behave exactly as required after compilation and installation are complete and the server is running.
You should look in the sample-configurations/ directory from your distribution tarball. Basically, you'll need to create another user on your system for the guest/anonymous ftp login. For security reasons, it's very important that you make sure the user account either has a password or has an "unmatchable" password. The root directory of the guest/anonymous account doesn't have to be the user's directory, but it makes sense to do so. After you have created the account, put something like the following in your /etc/proftpd.conf file (assuming the new user/group name is private/private):
<Anonymous ~private>
  AnonRequirePassword off
  User private
  Group private
  RequireValidShell off
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
This will allow ftp clients to login to your site with the username "private" and their e-mail address as a password. You can change the AnonRequirePassword directive to "on" if you want clients to be forced to transmit the correct password for the "private" account. This sample configuration allows clients to change into, list and read all directories, but denies write access of any kind.
First off, this is a bad idea: FTPing as root is insecure, and there are better, more secure ways of shifting files as root.
To enable root ftp ensure that the directive "RootLogin on" is included in your configuration.
The following snippet from a sample configuration file illustrates how to protect an "upload" directory in such a fashion (which is a very good idea if you don't want people using your site for "warez"):
<Anonymous /home/ftp>
  # All files uploaded are set to username.usergroup ownership
  User username
  Group usergroup
  UserAlias ftp username
  AuthAliasOnly on
  RequireValidShell off
  <Directory pub/incoming/>
    <Limit STOR CWD>
      AllowAll
    </Limit>
    <Limit READ RMD DELE MKD>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
This denies all write operations to the anonymous root directory and sub-directories, except "incoming/" where the permissions are reversed and the client can store but not read. If you used <Limit WRITE> instead of <Limit STOR> on <Directory incoming>, ftp clients would be allowed to perform all write operations to the sub-dir, including deleting, renaming and creating directories.
The above fragment will control anonymous users; however, if a local user with a full account with upload and download capability is abusing their space then the technical measures which can be taken are limited. Applying a sane system quota is a good start; using the mod_quota and mod_ratio modules may control the rates of upload/download, making the site less useful as a warez repository. In the end it comes down to system monitoring and good site AUPs and enforcement.
Yes, but there is no automatic method for doing this. You'll need to write a script which either checks the contents of the directory regularly and moves a file once it has detected no size change for xyz seconds, or a script which monitors an upload log.
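The first of those two approaches, as an added example that is not part of the FAQ or of ProFTPD: a poller that remembers each file's size and the time it last changed, and reports files that have stayed the same size for a quiet period, so a cron job can move them out of the store-only incoming directory into a place where they can be inspected. The directory names, the 30-second quiet period and the listings in the usage section are constructed for the example.

```python
import os
import shutil


class UploadWatcher:
    """Track files in an incoming directory and report those whose size has
    not changed for `quiet_seconds`."""

    def __init__(self, quiet_seconds):
        self.quiet_seconds = quiet_seconds
        self._seen = {}  # name -> (size, time the size was last seen to change)

    def poll(self, listing, now):
        """listing: {name: size_in_bytes} observed at time `now` (seconds).

        Returns the sorted names that have been stable for at least
        quiet_seconds. Files that vanished from the listing are forgotten.
        """
        settled = []
        for name, size in listing.items():
            prev = self._seen.get(name)
            if prev is None or prev[0] != size:
                self._seen[name] = (size, now)  # new file or still growing
            elif now - prev[1] >= self.quiet_seconds:
                settled.append(name)
        for name in list(self._seen):
            if name not in listing:
                del self._seen[name]
        return sorted(settled)


def snapshot(directory):
    """Real listing for poll(): regular files only, sizes from stat()."""
    return {e.name: e.stat().st_size for e in os.scandir(directory) if e.is_file()}


def move_settled(directory, destination, watcher, now):
    """Move settled uploads out of `directory`; returns the names moved."""
    moved = []
    for name in watcher.poll(snapshot(directory), now):
        shutil.move(os.path.join(directory, name), os.path.join(destination, name))
        moved.append(name)
    return moved


if __name__ == "__main__":
    import time
    # Constructed paths: adjust to the <Directory pub/incoming/> of your site.
    watcher = UploadWatcher(quiet_seconds=30)
    while True:
        print("moved:", move_settled("/home/ftp/pub/incoming", "/var/ftp/quarantine",
                                     watcher, time.time()))
        time.sleep(10)
```

The watcher keeps its state between polls, so it must live in a long-running process (or persist _seen to disk) rather than being re-created on every cron invocation; a file reported as settled is reported again on every poll until it is moved away.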
Use the HideUser or HideGroup directive in combination with the proper user/group ownership on the directory. For example, if you have the following directory in your anonymous FTP directory tree:
drwxrwxr-x 3 ftp staff 6144 Apr 21 16:40 private
You can use a directive such as "HideGroup staff" to hide the private directory from a directory listing. For example:
<Anonymous ~ftp>
  ...
  <Directory Private>
    HideGroup staff
  </Directory>
  ...
</Anonymous>
You need to make sure that the group you are hiding isn't the anonymous ftp user's primary group, or HideGroup won't apply.
You can either change the permissions on the directory to prevent the anonymous FTP user from accessing it, or, if you want to make it appear completely invisible (as though there is no such directory), use the IgnoreHidden directive inside a <Limit> block for the commands that should completely ignore hidden directory entries (ignore = act as if the directory entry does not exist).
You'll need to configure your host to be able to handle multiple IP addresses. This is often called "aliasing", and can generally be configured through an IP alias or dummy interface. You need to read your operating system documentation to figure out how to do this. Once your have the host configured to accept the additional IP address that you wish to offer a virtual FTP server on, use the <VirtualHost> configuration directive to create the virtual server:
<VirtualHost 10.0.0.1>
  ServerName "My virtual FTP server"
</VirtualHost>
You can add additional directive blocks into the <VirtualHost> block in order to create anonymous/guest logins and the like which are only available on the virtual host.
Use a <Limit LOGIN> block to deny access at the top-level of the virtual host, then use <Limit LOGIN> again in your <Anonymous> block to allow access to the anonymous login. This permits logins to a virtual anonymous server, but denies to everything else. Example:
<VirtualHost 10.0.0.1>
  ServerName "My virtual FTP server"
  <Limit LOGIN>
    DenyAll
  </Limit>
  <Anonymous /usr/local/private>
    User private
    Group private
    <Limit LOGIN>
      AllowAll
    </Limit>
    ...
  </Anonymous>
</VirtualHost>
The <Limit LOGIN> directive is used to control connection or login access to a particular context (the directive block which contains it). When a client initially connects to ProFTPD, the daemon searches the configuration tree for <Limit LOGIN> directives and their attached parameters (such as Allow, Deny, etc.). If it determines that there is no possible way for the client ever to be allowed to login, such as a "Deny from" matching the client's source address without an overriding "Allow from" at a lower level, the client is disconnected without being offered the opportunity to transmit a user and password.
However, if it is possible for the client to be allowed a login, ProFTPD continues as per normal, allowing the client to login only if the proper <Limit LOGIN> applies. Normally, <Limit> directive blocks are allowed in the server config, <VirtualHost>, <Anonymous> and <Directory> contexts. However, <Limit LOGIN> should not be used in a <Directory> context, as clients do not connect/login to a directory (and thus it is meaningless).
By way of example, the following configuration snippet illustrates a <Limit LOGIN> deny which will cause any incoming connections from the 10.1.1.x subnet to be immediately disconnected, without a welcome message:
...
<Limit LOGIN>
  Order deny,allow
  Deny from 10.1.1.
  Allow from all
</Limit>
...
Next, an example of a configuration using <Limit LOGIN> that will not immediately disconnect an incoming client, but will return "Login invalid" for all login attempts except anonymous.
...
<Limit LOGIN>
  DenyAll
</Limit>
<Anonymous ~ftp>
  ...
  <Limit LOGIN>
    AllowAll
  </Limit>
  ...
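The two behaviours just described (an immediate disconnect when no <Limit LOGIN> could ever admit the source address, versus a "Login invalid" for everything except the one context that allows it) can be modelled as an added example. This is my own evaluator, not ProFTPD's code: a <Limit LOGIN> is a small dict, rules are checked in the Order given and the first match decides, DenyAll/AllowAll are written as a deny/allow of "all", and "Deny from 10.1.1." is treated as a trailing-dot prefix. The default when no rule matches, and the absence of CIDR or hostname matching, are simplifications of this example.

```python
# Constructed representation of a <Limit LOGIN> block (not ProFTPD's structures):
#   {"order": "deny,allow" or "allow,deny", "deny": [patterns], "allow": [patterns]}
# DenyAll is written as deny ["all"], AllowAll as allow ["all"].


def match_address(pattern, client_ip):
    """Address forms used in the FAQ examples: "all", a trailing-dot prefix
    such as "10.1.1.", or an exact address."""
    if pattern == "all":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def limit_allows(limit, client_ip, default=True):
    """First matching rule, in the Order given, decides.

    `default` applies when nothing matches (an assumption of this example).
    """
    for kind in limit.get("order", "allow,deny").split(","):
        if any(match_address(p, client_ip) for p in limit.get(kind, [])):
            return kind == "allow"
    return default


def connection_accepted(client_ip, limits):
    """The connect-time check: keep the connection only if at least one
    <Limit LOGIN> anywhere in the server could admit this address."""
    return any(limit_allows(limit, client_ip) for limit in limits)


def login_allowed(client_ip, chain):
    """chain: <Limit LOGIN> blocks from the outermost context to the context
    the client is logging into (None where a context has no block).
    The innermost block present decides."""
    for limit in reversed(chain):
        if limit is not None:
            return limit_allows(limit, client_ip)
    return True


# The FAQ's two snippets, constructed in the dict form above.
SUBNET_BLOCK = {"order": "deny,allow", "deny": ["10.1.1."], "allow": ["all"]}
SERVER_DENY = {"deny": ["all"]}   # DenyAll at the server level
ANON_ALLOW = {"allow": ["all"]}   # AllowAll inside <Anonymous ~ftp>


if __name__ == "__main__":
    for ip in ("10.1.1.7", "10.1.2.7"):
        print(ip, "connection kept:", connection_accepted(ip, [SUBNET_BLOCK]))
    ip = "192.0.2.1"
    print(ip, "connection kept:", connection_accepted(ip, [SERVER_DENY, ANON_ALLOW]))
    print(ip, "real user login:", login_allowed(ip, [SERVER_DENY]))
    print(ip, "anonymous login:", login_allowed(ip, [SERVER_DENY, ANON_ALLOW]))
```

With the second snippet the connection from 192.0.2.1 is kept because the <Anonymous> block could admit it, a real user is then refused by the server-level DenyAll, and an anonymous login succeeds, which is exactly the "Login invalid for everything except anonymous" outcome described above.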
For general open access you can use an <Anonymous> directive context block, possibly in combination with a UserPassword/AnonRequirePassword directive.
However if you wish to jail an entire group (or groups) of users, you can use the DefaultRoot directive. DefaultRoot lets you specify a root jailed directory (or "~" for the user's home directory), and an optional group-expression argument which can be used to control which groups of users the jail will be applied to. For example:
...
<VirtualHost myhost.mynet.foo>
  DefaultRoot ~
  ...
</VirtualHost>
This creates a configuration where all users who log into myhost.mynet.foo are jailed into their home directories (cannot chdir into a higher level directory). Alternatively, you could:
...
<VirtualHost myhost.mynet.foo>
  DefaultRoot /u2/public users,!staff
  ...
</VirtualHost>
In this example, all users who are members of group "users", but not members of group "staff" are jailed into /u2/public. If a user does not meet the group-expression requirements, they login as per normal (not jailed, default directory is their home). You can use multiple DefaultRoot directives to create multiple jails inside the same directive context. If two DefaultRoot directives apply to the same user, ProFTPD arbitrarily chooses one (based on how the configuration file was parsed).
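An added example (mine, not ProFTPD's implementation) of how such a group expression is read: each comma-separated term must hold, a leading "!" negates a term, "~" expands to the user's home, and a user matching no DefaultRoot logs in unjailed. The FAQ says ProFTPD picks arbitrarily when two DefaultRoot directives apply; this example takes the first in config order, which is an assumption, as are the user and group names.

```python
def parse_group_expression(expr):
    """"users,!staff" -> [("users", True), ("staff", False)]"""
    terms = []
    for raw in expr.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("!"):
            terms.append((raw[1:], False))
        else:
            terms.append((raw, True))
    return terms


def expression_matches(expr, user_groups):
    """All terms must hold: required groups present, negated groups absent."""
    groups = set(user_groups)
    return all((name in groups) == wanted
               for name, wanted in parse_group_expression(expr))


def resolve_default_root(home, user_groups, rules):
    """rules: list of (path, group_expression or None) DefaultRoot directives
    in config order. Returns the jail directory, or None for an unjailed login.
    First applicable rule wins (an assumption of this example)."""
    for path, expr in rules:
        if expr is None or expression_matches(expr, user_groups):
            return home if path == "~" else path
    return None


# Constructed users and the two DefaultRoot rules from the FAQ snippets.
RULES = [("/u2/public", "users,!staff"), ("~", "ftponly")]

if __name__ == "__main__":
    for name, home, groups in (("bob", "/home/bob", ["users"]),
                               ("eve", "/home/eve", ["users", "staff"]),
                               ("kim", "/home/kim", ["ftponly"])):
        print(name, "->", resolve_default_root(home, groups, RULES))
```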
There are two methods of accomplishing this (possibly more). First, you can create a directory structure inside your anonymous FTP root directory, creating a single directory for each user and setting ownership/permissions as appropriate. Then, either create a symlink from each user's home directory into the FTP site, or instruct your users on how to access their directory.
The alternate method (and more versatile) of accomplishing per-user anonymous FTP is to use AnonymousGroup in combination with the DefaultRoot directory. You'll probably want to do this inside a <VirtualHost>, otherwise none of your users will be able to access your system without being stuck inside their per-user FTP site. Additionally, you'll want to use a deferred <Directory> block to carefully limit outside access to each user's site.
You can use the AuthAliasOnly directive to control how and where real usernames get authenticated (as opposed to aliased names, via the UserAlias directive). Note that it is still impossible to have two identical aliased names login to different anonymous sites; for that you would need <VirtualHost>.
...
<Anonymous ~jrluser>
  User jrluser
  Group jrluser
  UserAlias ftp jrluser
  UserAlias anonymous jrluser
  AuthAliasOnly on
  ...
</Anonymous>
Here, the <Anonymous> configuration for ~jrluser is set to allow alias authentication only. Thus, if a client attempts to authenticate as "jrluser", the anonymous config will be ignored and the client will be authenticated as if they were a normal user (typically resulting in "jrluser" logging in normally). However, if the client uses the aliased username "ftp" or "anonymous", the anonymous block is applied.
Things to check
Check the following first:
If all else fails, you should check your syslog. When authentication fails for any reason, ProFTPD uses the syslog mechanism to log the reason for failure; using the AUTH (or AUTHPRIV) facility. If you need further assistance, you can send email, including related syslog entries and your configuration file, to the ProFTPD mailing list mentioned elsewhere in this FAQ.
The Bandwidth directive has been removed as of 1.2.0pre8; this directive acted on a per-virtual basis. It was generally held to work on the principle that a single connection to a given virtual could take the full bandwidth limit until other connections were made. However, since the server uses either a separate-process (inetd) or forked (standalone) model, there is no way for the various processes to communicate, and therefore no way they could share the bandwidth allocation.
The replacement actually does the same but does it in a more rigorous manner and more precisely. The directives RateReadBPS, RateReadFreeBytes, RateReadHardBPS work by limiting on a per-connection basis.
Bandwidth 81920

is replaced with something like:

RateReadBPS 81920
RateReadFreeBytes 5120
RateReadHardBPS on
To achieve a total limit on a per-virtual basis a mix of RateReadBPS and MaxClients is needed, i.e. RateReadBPS x MaxClients = total bandwidth allocation. There is no way (at the moment) to specify that virtual server xyz has a maximum total bandwidth of 200K/s that it can use between all connections.
Per-virtual, per-user and global limits are currently in the "to be coded" pile and are being penciled in for the 1.3.x development series. There is some work in providing for a shared communication system between servers before this can happen.
As of rc1 the AllowChmod directive was added to allow control over who is allowed to use the CHMOD command. The default value for this directive is off.
There is no way within ProFTPD itself to control how large a file can be uploaded. The best solution to this problem at the moment is to use whatever disk quota tools are available within your OS.
Yes, just remove all the <Anonymous> sections from your configuration file and reload the daemon.
This is not possible at this time, the directive appeared in the docs for a short period but the code was never added. The closest possible at the moment is to limit the number of connections from a given host.
To allow downloads to be resumed, you need to use the AllowRetrieveRestart configuration directive.
To allow uploads to be resumed, you need to use both the AllowOverwrite and AllowStoreRestart directives. The reason that both need to be allowed is that a restarted/resumed upload is a form of overwriting the file.
Also note that using HiddenStor and AllowStoreRestart is incompatible, as mentioned in the documentation for the AllowStoreRestart and HiddenStor directives.
The Bind directive is used to specify additional interfaces (addresses) for a given server; it is *not* used to configure the main interface for the server. For <VirtualHost> servers, this is not a problem, as the main interface for the server is set in the <VirtualHost> line.
For the main "default" server, however, the controlling of the main interface is more problematic. There is currently a bug report opened for this issue:
As with all software there have been a number of security issues during the life of the project. The most recent information can always be found on http://www.proftpd.org/security.html
Versions 1.2.0 and above should be considered to be production code and few if any new features will be added to this code branch to maintain stability.
Running ProFTPD as a non-root user gives only a marginal security improvement over the normal case and introduces functional problems, such as being unable to bind to ports 20 or 21 unless the daemon is spawned from inetd.
ProFTPD takes a middle road: it uses root privileges only where they are required and otherwise runs with the effective UID/GID given by the User and Group directives, regaining root just for the operations that need it. Root is needed for binding to ports below 1024, setting resource limits, reading configuration information and some of the network code.
For Linux 2.2.x kernel systems there is the POSIX style mod_linuxprivs module which allows very fine grain control over privileges. This is highly recommended for security-conscious admins.
Use sane AllowFilter and DenyFilter directives; they take regular expressions that are applied to the arguments of every command sent over the control connection, so unexpected characters can be rejected before anything acts on them. (If anyone has some good examples please let me know.)
Setting ServerIdent to "off" suppresses the information about what type of server is running. To have maximum effect this directive should be placed either in the Global context or in every virtual host block and the default block.
ServerIdent On "Linux.co.uk server"
ServerIdent Off
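As an added example (not from the FAQ or the project's own documentation), a proftpd.conf fragment that puts the previous answers together: the identity the daemon runs as once privileges are not needed, the argument filters, and a suppressed banner. The account names and regular expressions are assumptions chosen for illustration.

```apacheconf
# Added example: server-wide hardening baseline. Account names and regular
# expressions are illustrative assumptions.

# Root is only needed to bind port 21 (and port 20 for active-mode data
# connections); the rest of the time the daemon runs as this identity.
# Use an account with no shell and no files of its own.
User  nobody
Group nogroup

<Global>
  # Do not advertise the software or its version in the 220 greeting.
  ServerIdent off

  # Each command argument (path, user name, SITE parameter) must match
  # AllowFilter and must not match DenyFilter, otherwise the command is
  # refused before any file system code runs.
  #
  # AllowFilter: whole argument drawn from this character class only.
  AllowFilter "^[A-Za-z0-9 ,_./@+-]*$"
  # DenyFilter: refuse arguments that glob across directory levels, the
  # pattern used to make LIST/NLST recurse over a whole tree.
  DenyFilter "\*.*/"
</Global>
```

Test the filters against real accounts and real file names before rolling them out: any character missing from the AllowFilter class becomes unusable in every argument, and in versions that apply the filters to PASS as well that includes passwords. Loosen the class rather than drop the filter if it bites.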
Use the DisplayConnect directive to specify a file containing a message to be displayed prior to login.
Use the DisplayLogin directive, this sends a specified ASCII file to the connected user.
Use the AccessGrantMsg directive; this sends a simple single-line message back to the user after a successful authentication. The %u magic cookie is replaced with the login name.
AccessGrantMsg "Guest access granted for %u."
Note that this directive has a built-in default that applies wherever it is not set, and the value is not inherited by <Anonymous> blocks, so it needs to be specified in both the <VirtualHost> and the <Anonymous> block.
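The three message directives together, as an added example that is not part of the FAQ or the ProFTPD distribution; the paths, address and message text are assumptions:

```apacheconf
# Added example: pre-login, post-login and grant messages. Paths, address
# and message text are illustrative assumptions.

<Global>
  # Shown to every client before USER/PASS: keep it to a legal notice,
  # since the peer has not been identified yet.
  DisplayConnect /etc/proftpd/connect.msg

  # Sent once a login has succeeded (whole file, not a single line).
  DisplayLogin /etc/proftpd/welcome.msg
</Global>

<VirtualHost 192.0.2.10>
  ServerName "Staff FTP"
  # One-line reply after authentication; %u expands to the login name.
  AccessGrantMsg "Welcome back, %u."

  <Anonymous /srv/ftp/pub>
    User  ftp
    Group ftp
    UserAlias anonymous ftp
    # Not inherited from the enclosing <VirtualHost>: without this line
    # anonymous logins get the built-in default text instead.
    AccessGrantMsg "Guest access granted for %u; uploads are not accepted."
  </Anonymous>
</VirtualHost>
```

Putting the Display directives in <Global> is what makes them apply to the default server and every virtual host alike; the grant message is the one that has to be repeated per block.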
ProFTPD has been designed to run as a secure ftp server, which means it tries to keep as much as possible under its own control. An external program is a security risk in itself because its behaviour cannot be controlled from within the ftpd code.
This message is generated by mod_tls, the third-party module that can be used to encrypt both the control and data connections with TLS (Transport Layer Security), the successor to SSL. Certificates are used to establish the security context for this secure transport.
Generation of certificates is beyond the scope of this document; more information can be found here:
This section is being re-written due to major structural changes to the SQL module prior to 1.2.0
Security, pure and simple. PAM is the most secure (or securable) of the available authentication systems. Many of the issues and configuration hints for PAM are covered in README.PAM, which is bundled with the server source and with the various packaged builds. To authenticate against /etc/passwd instead, the server must be compiled by hand with the configure script run with the --without-pam flag. Unless the PAM subsystem is properly configured, authentication will fail.
Standard /etc/passwd lookups
Individual passwd/group files for each virtual host
If these don't fit your system, writing a custom module, or intercepting the getpwnam() library calls with an /etc/ld.so.preload (LD_PRELOAD) shim, works happily with ProFTPD.
Generally these problems are cured either by disabling PAM completely or by ensuring that these directives are set:
PersistentPasswd off
AuthPAMAuthoritative off
Check the spelling: it is AuthPAMAuthoritative, not AuthPAMAuthorative or any other variation.
There is a README.PAM in the top directory of the ProFTPD source distribution; the /etc/pam.d/ftp it gives is:
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
ProFTPD requires PAM version 0.59 or better. pam_sm_open_session is not part of previous versions.
Check that the /etc/pam.d/ftp file exists on the system and is configured as detailed in README.PAM
Currently AuthPAMAuthoritative defaults to "on", which causes login failures whenever PAM cannot authenticate the user. This breaks the AuthUserFile directive, which never gets a chance to authenticate the user unless AuthPAMAuthoritative is set to "off".
The reasoning behind the current default is to keep the system secure by default, requiring that the admin explicitly and knowingly disable it. There are discussions under way which may result in the directive defaulting to "off" when AuthUserFile is specified.
Note: as of the current CVS and the forthcoming pre9 release the default has changed to "off".
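As an added example (not from the FAQ or the project), a virtual host that authenticates against its own passwd/group files, with the two directives from the previous answers set so that PAM cannot veto the file lookup whichever default your build carries. The paths and address are assumptions; the line layout in the comment is the standard passwd(5)/group(5) format.

```apacheconf
# Added example: per-virtual-host account files. Paths and address are
# illustrative assumptions.
<VirtualHost 192.0.2.20>
  ServerName "Customer FTP"

  # passwd(5)-style lines, one per account:
  #   name:crypt(3)-hash:uid:gid:gecos:home:shell
  # and group(5)-style lines:
  #   name:*:gid:member1,member2
  # Protect both like /etc/shadow: they hold password hashes.
  AuthUserFile  /etc/proftpd/customer.passwd
  AuthGroupFile /etc/proftpd/customer.group

  # With the older default of "on", a PAM failure (these accounts are not
  # in the system passwd, so PAM has nothing to check) ended the login
  # before AuthUserFile was consulted. State it explicitly rather than
  # relying on the default of whichever version is installed.
  AuthPAMAuthoritative off

  # Set alongside it, as the FAQ recommends when PAM and file lookups mix.
  PersistentPasswd off
</VirtualHost>
```

Accounts that exist only in customer.passwd are invisible to the system's PAM stack, which is exactly the case the authoritative default breaks; the two directives above are what makes the file-based lookup the deciding one.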
mod_ldap is currently stable; a couple of bugs were squashed after release 1.0 of the module. It is still under development; check http://horde.net/~jwm/software/proftpd-ldap/ for more information. There is an example config fragment on the author's site which gives a reasonable idea of how to use this module.
Patches are being merged at the moment to support SHA-hashed passwords. The plan is to have the server get all user information except passwords via an anonymous bind; as a user logs in, the server will reconnect and fetch the password over an encrypted connection. This should be in the next major release (2.5).
No support yet
This is possible using either PAM or the OPIE modules. The server sends back a challenge, which the user feeds into a key generator along with their pass phrase; it returns six short words, which are sent as the password. Each response is valid only once, so a captured one cannot be replayed.
It requires http://inner.net/opie/ to be installed on the server. There are key gen clients for win95/98, *nix, mac.
RADIUS support isn't built into ProFTPD, though there's nothing stopping someone writing a module and submitting it for inclusion in the code tree. Possibly the easiest way to implement RADIUS is to use the modules available for PAM together with the built-in PAM support.
Is it possible to check an offered email address in an anonymous login before allowing access? Simple answer: not a hope in hell. Anonymous access is pretty much designed to be freely open, without checks and restrictions other than those placed on uploads and downloads from the site. The best that can be hoped for is decent logging and tracking of accesses, including the requesting IP.
If the operating system supports PAM (Pluggable Authentication Modules), proftpd will perform PAM authentication by default. However, this authentication is not "authoritative" by default, meaning that a PAM authentication failure will not necessarily cause a login to fail. The use of PAM can be configured using the AuthPAM configuration directive; the "authoritativeness" of any PAM checks is controlled via the AuthPAMAuthoritative configuration directive.
The original text for this document was based on the configuration FAQ on www.proftpd.org. It was taken over in Sept 1999 when the maintainer of the software changed.
The faq is maintained by a group of people (usually lurking on irc or on proftpd-docs) using CVS and Docbook.
Thanks to the developers, anyone who's posted useful information to the mailing lists and those who've mailed me direct.
This document couldn't have been maintained without the Sgml Tools package and the document layout defined by the Linux HOWTO maintainers.
Some specific mentions, in no particular order; if I've missed anyone please drop me a line.