You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
430 lines
16 KiB
430 lines
16 KiB
# This is the ProFTPD configuration file |
|
# |
|
# See: http://www.proftpd.org/docs/directives/linked/by-name.html |
|
|
|
# Security-Enhanced Linux (SELinux) Notes: |
|
# |
|
# In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux |
|
# in order to mitigate the effects of an attacker taking advantage of an |
|
# unpatched vulnerability and getting control of the ftp server. By default, |
|
# ProFTPD cannot read or write most files on a system nor connect to many |
|
# external network services, but these restrictions can be relaxed by |
|
# setting SELinux booleans as follows: |
|
# |
|
# setsebool -P ftpd_anon_write=1 |
|
# This allows the ftp daemon to write to files and directories labelled |
|
# with the public_content_rw_t context type; the daemon would only have |
|
# read access to these files normally. Files to be made available by ftp |
|
# but not writeable should be labelled public_content_t. |
|
# On older systems this boolean was called allow_ftpd_anon_write. |
|
# |
|
# setsebool -P ftpd_full_access=1 |
|
# This allows the ftp daemon to read and write all files on the system. |
|
# On older systems this boolean was called allow_ftpd_full_access, and there |
|
# was a separate boolean ftp_home_dir to allow the ftp daemon access to |
|
# files in users' home directories. |
|
# |
|
# setsebool -P ftpd_use_cifs=1 |
|
# This allows the ftp daemon to read and write files on CIFS-mounted |
|
# filesystems. |
|
# On older systems this boolean was called allow_ftpd_use_cifs. |
|
# |
|
# setsebool -P ftpd_use_fusefs=1 |
|
# This allows the ftp daemon to read and write files on ntfs/fusefs-mounted |
|
# filesystems. |
|
# |
|
# setsebool -P ftpd_use_nfs=1 |
|
# This allows the ftp daemon to read and write files on NFS-mounted |
|
# filesystems. |
|
# On older systems this boolean was called allow_ftpd_use_nfs. |
|
# |
|
# setsebool -P ftpd_connect_all_unreserved=1 |
|
# This setting is only available from Fedora 16/RHEL-7 onwards, and is |
|
# necessary for active-mode ftp transfers to work reliably with non-Linux |
|
# clients (see http://bugzilla.redhat.com/782177), which may choose to |
|
# use port numbers outside the "ephemeral port" range of 32768-61000. |
|
# |
|
# setsebool -P ftpd_connect_db=1 |
|
# This setting allows the ftp daemon to connect to commonly-used database |
|
# ports over the network, which is necessary if you are using a database |
|
# back-end for user authentication, etc. |
|
# |
|
# setsebool -P ftpd_use_passive_mode=1 |
|
# This setting allows the ftp daemon to bind to all unreserved ports for |
|
# passive mode. |
|
# |
|
# All of these booleans are unset by default. |
|
# |
|
# See also the "ftpd_selinux" manpage. |
|
# |
|
# Note that the "-P" option to setsebool makes the setting permanent, i.e. |
|
# it will still be in effect after a reboot; without the "-P" option, the |
|
# effect only lasts until the next reboot. |
|
# |
|
# Restrictions imposed by SELinux are on top of those imposed by ordinary |
|
# file ownership and access permissions; in normal operation, the ftp daemon |
|
# will not be able to read and/or write a file unless *all* of the ownership, |
|
# permission and SELinux restrictions allow it. |
|
|
|
# Server Config - config used for anything outside a <VirtualHost> or <Global> context |
|
# See: http://www.proftpd.org/docs/howto/Vhost.html |
|
|
|
# Trace logging, disabled by default for performance reasons |
|
# (http://www.proftpd.org/docs/howto/Tracing.html) |
|
#TraceLog /var/log/proftpd/trace.log |
|
#Trace DEFAULT:0 |
|
|
|
ServerName "ProFTPD server" |
|
ServerIdent on "FTP Server ready." |
|
ServerAdmin root@localhost |
|
DefaultServer on |
|
|
|
# Cause every FTP user except adm to be chrooted into their home directory |
|
DefaultRoot ~ !adm |
|
|
|
# Use pam to authenticate (default) and be authoritative |
|
AuthPAMConfig proftpd |
|
AuthOrder mod_auth_pam.c* mod_auth_unix.c |
|
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd |
|
#PersistentPasswd off |
|
|
|
# Don't do reverse DNS lookups (hangs on DNS problems) |
|
UseReverseDNS off |
|
|
|
# Set the user and group that the server runs as |
|
User nobody |
|
Group nobody |
|
|
|
# To prevent DoS attacks, set the maximum number of child processes |
|
# to 20. If you need to allow more than 20 concurrent connections |
|
# at once, simply increase this value. Note that this ONLY works |
|
# in standalone mode; in inetd mode you should use an inetd server |
|
# that allows you to limit maximum number of processes per service |
|
# (such as xinetd) |
|
MaxInstances 20 |
|
|
|
# Disable sendfile by default since it breaks displaying the download speeds in |
|
# ftptop and ftpwho |
|
UseSendfile off |
|
|
|
# Define the log formats |
|
LogFormat default "%h %l %u %t \"%r\" %s %b" |
|
LogFormat auth "%v [%P] %h %t \"%r\" %s" |
|
|
|
# Dynamic Shared Object (DSO) loading |
|
# See README.DSO and howto/DSO.html for more details |
|
# |
|
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) |
|
# LoadModule mod_sql.c |
|
# |
|
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables |
|
# (contrib/mod_sql_passwd.html) |
|
# LoadModule mod_sql_passwd.c |
|
# |
|
# Mysql support (requires proftpd-mysql package) |
|
# (http://www.proftpd.org/docs/contrib/mod_sql.html) |
|
# LoadModule mod_sql_mysql.c |
|
# |
|
# Postgresql support (requires proftpd-postgresql package) |
|
# (http://www.proftpd.org/docs/contrib/mod_sql.html) |
|
# LoadModule mod_sql_postgres.c |
|
# |
|
# SQLite support (requires proftpd-sqlite package) |
|
# (http://www.proftpd.org/docs/contrib/mod_sql.html, |
|
# http://www.proftpd.org/docs/contrib/mod_sql_sqlite.html) |
|
# LoadModule mod_sql_sqlite.c |
|
# |
|
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html) |
|
# LoadModule mod_quotatab.c |
|
# |
|
# File-specific "driver" for storing quota table information in files |
|
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) |
|
# LoadModule mod_quotatab_file.c |
|
# |
|
# SQL database "driver" for storing quota table information in SQL tables |
|
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) |
|
# LoadModule mod_quotatab_sql.c |
|
# |
|
# LDAP support (requires proftpd-ldap package) |
|
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) |
|
# LoadModule mod_ldap.c |
|
# |
|
# LDAP quota support (requires proftpd-ldap package) |
|
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) |
|
# LoadModule mod_quotatab_ldap.c |
|
# |
|
# Support for authenticating users using the RADIUS protocol |
|
# (http://www.proftpd.org/docs/contrib/mod_radius.html) |
|
# LoadModule mod_radius.c |
|
# |
|
# Retrieve quota limit table information from a RADIUS server |
|
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) |
|
# LoadModule mod_quotatab_radius.c |
|
# |
|
# SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be |
|
# used to copy files/directories from one place to another on the server |
|
# without having to transfer the data to the client and back |
|
# (http://www.castaglia.org/proftpd/modules/mod_copy.html) |
|
# LoadModule mod_copy.c |
|
# |
|
# Administrative control actions for the ftpdctl program |
|
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) |
|
LoadModule mod_ctrls_admin.c |
|
# |
|
# Support for MODE Z commands, which allows FTP clients and servers to |
|
# compress data for transfer |
|
# (http://www.castaglia.org/proftpd/modules/mod_deflate.html) |
|
# LoadModule mod_deflate.c |
|
# |
|
# Execute external programs or scripts at various points in the process |
|
# of handling FTP commands |
|
# (http://www.castaglia.org/proftpd/modules/mod_exec.html) |
|
# LoadModule mod_exec.c |
|
# |
|
# Support for POSIX ACLs |
|
# (http://www.proftpd.org/docs/modules/mod_facl.html) |
|
# LoadModule mod_facl.c |
|
# |
|
# Support for using the GeoIP library to look up geographical information on |
|
# the connecting client and using that to set access controls for the server |
|
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html) |
|
# LoadModule mod_geoip.c |
|
# |
|
# Allow for version-specific configuration sections of the proftpd config file, |
|
# useful for using the same proftpd config across multiple servers where |
|
# different proftpd versions may be in use |
|
# (http://www.castaglia.org/proftpd/modules/mod_ifversion.html) |
|
# LoadModule mod_ifversion.c |
|
# |
|
# Configure server availability based on system load |
|
# (http://www.proftpd.org/docs/contrib/mod_load.html) |
|
# LoadModule mod_load.c |
|
# |
|
# Limit downloads to a multiple of upload volume (see README.ratio) |
|
# LoadModule mod_ratio.c |
|
# |
|
# Rewrite FTP commands sent by clients on-the-fly, |
|
# using regular expression matching and substitution |
|
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html) |
|
# LoadModule mod_rewrite.c |
|
# |
|
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over |
|
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) |
|
# LoadModule mod_sftp.c |
|
# |
|
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for |
|
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) |
|
# LoadModule mod_sftp_pam.c |
|
# |
|
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user |
|
# and host based authentication |
|
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) |
|
# LoadModule mod_sftp_sql.c |
|
# |
|
# Provide data transfer rate "shaping" across the entire server |
|
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html) |
|
# LoadModule mod_shaper.c |
|
# |
|
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, |
|
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) |
|
# LoadModule mod_site_misc.c |
|
# |
|
# Provide an external SSL session cache using shared memory |
|
# (contrib/mod_tls_shmcache.html) |
|
# LoadModule mod_tls_shmcache.c |
|
# |
|
# Provide a memcached-based implementation of an external SSL session cache |
|
# (contrib/mod_tls_memcache.html) |
|
# LoadModule mod_tls_memcache.c |
|
# |
|
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny |
|
# files, for IP-based access control |
|
# (http://www.proftpd.org/docs/contrib/mod_wrap.html) |
|
# LoadModule mod_wrap.c |
|
# |
|
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny |
|
# files, as well as SQL-based access rules, for IP-based access control |
|
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html) |
|
# LoadModule mod_wrap2.c |
|
# |
|
# Support module for mod_wrap2 that handles access rules stored in specially |
|
# formatted files on disk |
|
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) |
|
# LoadModule mod_wrap2_file.c |
|
# |
|
# Support module for mod_wrap2 that handles access rules stored in SQL |
|
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) |
|
# LoadModule mod_wrap2_sql.c |
|
# |
|
# Implement a virtual chroot capability that does not require root privileges |
|
# (http://www.castaglia.org/proftpd/modules/mod_vroot.html) |
|
# Using this module rather than the kernel's chroot() system call works |
|
# around issues with PAM and chroot (http://bugzilla.redhat.com/506735) |
|
LoadModule mod_vroot.c |
|
# |
|
# Provide a flexible way of specifying that certain configuration directives |
|
# only apply to certain sessions, based on credentials such as connection |
|
# class, user, or group membership |
|
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html) |
|
# LoadModule mod_ifsession.c |
|
|
|
# Allow only user root to load and unload modules, but allow everyone |
|
# to see which modules have been loaded |
|
# (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs) |
|
ModuleControlsACLs insmod,rmmod allow user root |
|
ModuleControlsACLs lsmod allow user * |
|
|
|
# Enable basic controls via ftpdctl |
|
# (http://www.proftpd.org/docs/modules/mod_ctrls.html) |
|
ControlsEngine on |
|
ControlsACLs all allow user root |
|
ControlsSocketACL allow user * |
|
ControlsLog /var/log/proftpd/controls.log |
|
|
|
# Enable admin controls via ftpdctl |
|
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) |
|
<IfModule mod_ctrls_admin.c> |
|
AdminControlsEngine on |
|
AdminControlsACLs all allow user root |
|
</IfModule> |
|
|
|
# Enable mod_vroot by default for better compatibility with PAM |
|
# (http://bugzilla.redhat.com/506735) |
|
<IfModule mod_vroot.c> |
|
VRootEngine on |
|
</IfModule> |
|
|
|
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html) |
|
<IfDefine TLS> |
|
TLSEngine on |
|
TLSRequired off |
|
TLSCertificateChainFile /etc/pki/tls/certs/proftpd-chain.pem |
|
TLSRSACertificateFile /etc/pki/tls/certs/proftpd-cert.pem |
|
TLSRSACertificateKeyFile /etc/pki/tls/private/proftpd-key.pem |
|
TLSCipherSuite PROFILE=SYSTEM |
|
# Relax the requirement that the SSL session be re-used for data transfers |
|
TLSOptions NoSessionReuseRequired |
|
TLSLog /var/log/proftpd/tls.log |
|
<IfModule mod_tls_shmcache.c> |
|
TLSSessionCache shm:/file=/var/run/proftpd/sesscache |
|
</IfModule> |
|
</IfDefine> |
|
|
|
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) |
|
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd |
|
<IfDefine DYNAMIC_BAN_LISTS> |
|
LoadModule mod_ban.c |
|
BanEngine on |
|
BanLog /var/log/proftpd/ban.log |
|
BanTable /var/run/proftpd/ban.tab |
|
|
|
# If the same client reaches the MaxLoginAttempts limit 2 times |
|
# within 10 minutes, automatically add a ban for that client that |
|
# will expire after one hour. |
|
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00 |
|
|
|
# Inform the user that it's not worth persisting |
|
BanMessage "Host %a has been banned" |
|
|
|
# Allow the FTP admin to manually add/remove bans |
|
BanControlsACLs all allow user ftpadm |
|
</IfDefine> |
|
|
|
# Set networking-specific "Quality of Service" (QoS) bits on the packets used |
|
# by the server (contrib/mod_qos.html) |
|
<IfDefine QOS> |
|
LoadModule mod_qos.c |
|
# RFC791 TOS parameter compatibility |
|
QoSOptions dataqos throughput ctrlqos lowdelay |
|
# For a DSCP environment (may require tweaking) |
|
#QoSOptions dataqos CS2 ctrlqos AF41 |
|
</IfDefine> |
|
|
|
# Global Config - config common to Server Config and all virtual hosts |
|
# See: http://www.proftpd.org/docs/howto/Vhost.html |
|
<Global> |
|
|
|
# Umask 022 is a good standard umask to prevent new dirs and files |
|
# from being group and world writable |
|
Umask 022 |
|
|
|
# Allow users to overwrite files and change permissions |
|
AllowOverwrite yes |
|
<Limit ALL SITE_CHMOD> |
|
AllowAll |
|
</Limit> |
|
|
|
</Global> |
|
|
|
# A basic anonymous configuration, with an upload directory |
|
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd |
|
<IfDefine ANONYMOUS_FTP> |
|
<Anonymous ~ftp> |
|
User ftp |
|
Group ftp |
|
AccessGrantMsg "Anonymous login ok, restrictions apply." |
|
|
|
# We want clients to be able to login with "anonymous" as well as "ftp" |
|
UserAlias anonymous ftp |
|
|
|
# Limit the maximum number of anonymous logins |
|
MaxClients 10 "Sorry, max %m users -- try again later" |
|
|
|
# Put the user into /pub right after login |
|
#DefaultChdir /pub |
|
|
|
# We want 'welcome.msg' displayed at login, '.message' displayed in |
|
# each newly chdired directory and tell users to read README* files. |
|
DisplayLogin /welcome.msg |
|
DisplayChdir .message |
|
DisplayReadme README* |
|
|
|
# Cosmetic option to make all files appear to be owned by user "ftp" |
|
DirFakeUser on ftp |
|
DirFakeGroup on ftp |
|
|
|
# Limit WRITE everywhere in the anonymous chroot |
|
<Limit WRITE SITE_CHMOD> |
|
DenyAll |
|
</Limit> |
|
|
|
# An upload directory that allows storing files but not retrieving |
|
# or creating directories. |
|
# |
|
# Directory specification is slightly different if mod_vroot is in |
|
# use: see http://sourceforge.net/p/proftp/mailman/message/31728570/ |
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1045922 |
|
<IfModule mod_vroot.c> |
|
<Directory /uploads/*> |
|
AllowOverwrite no |
|
<Limit READ> |
|
DenyAll |
|
</Limit> |
|
|
|
<Limit STOR> |
|
AllowAll |
|
</Limit> |
|
</Directory> |
|
</IfModule> |
|
<IfModule !mod_vroot.c> |
|
<Directory uploads/*> |
|
AllowOverwrite no |
|
<Limit READ> |
|
DenyAll |
|
</Limit> |
|
|
|
<Limit STOR> |
|
AllowAll |
|
</Limit> |
|
</Directory> |
|
</IfModule> |
|
|
|
# Don't write anonymous accesses to the system wtmp file (good idea!) |
|
WtmpLog off |
|
|
|
# Logging for the anonymous transfers |
|
ExtendedLog /var/log/proftpd/access.log WRITE,READ default |
|
ExtendedLog /var/log/proftpd/auth.log AUTH auth |
|
|
|
</Anonymous> |
|
</IfDefine>
|
|
|