Installation guide for proftpd Secure FTP server with TLS encryption enabled
2022-07-29 02:22:00 [Machine future]
This is article 38 from Machine Future.
Original address: https://blog.csdn.net/RobotFutures/article/details/126034110
1. Summary
This article is an installation and configuration guide for a TLS-encrypted secure FTP server on the Ubuntu operating system.
Environment:
- Operating system: Ubuntu 20.04
2. Install OpenSSL
2.1 Download
Check the openssl version already on the system before installing, so that the version proftpd is compiled against does not differ from the one loaded at run time:
openssl version
- View the path of the current openssl binary
which openssl
- Download (the GitHub tag is spelled OpenSSL_1_1_1f; tag names are case-sensitive)
wget -c https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_1_1_1f.tar.gz
2.2 Compile
Compile reference document: https://github.com/openssl/openssl/blob/master/NOTES-UNIX.md
tar zxvf OpenSSL_1_1_1f.tar.gz
# the archive unpacks into a directory named after the tag
cd openssl-OpenSSL_1_1_1f
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl '-Wl,-rpath,$(LIBRPATH)'
make
sudo make install
After this, openssl is installed under the /usr/local/ssl directory.
3. Install proftpd
3.1 Download
GitHub repository: https://github.com/proftpd
Download address: https://github.com/proftpd/proftpd/archive/refs/tags/v1.3.8rc4.tar.gz
3.2 Compile and install
Compile reference document: http://www.proftpd.org/docs/howto/Compiling.html
tar zxvf v1.3.8rc4.tar.gz
cd proftpd-1.3.8rc4
./configure --prefix=/usr/local/proftpd --sysconfdir=/etc --enable-autoshadow --localstatedir=/var/run --enable-ctrls --with-modules=mod_tls --enable-nls --with-includes=/usr/local/ssl/include --with-libraries=/usr/local/ssl/lib
make
sudo make install
Note: if the build fails, run make clean before running make again.
3.3 Add virtual users
- Create the virtual users' root directory
mkdir /home/ftproot/
# give the root directory to the uid/gid the virtual user will run as
chown 2001:200 /home/ftproot/
- Create the virtual user ftptest
# create the ftp virtual user (prompts for the password)
/usr/local/proftpd/bin/ftpasswd --file=/etc/proftpd/ftpd.passwd --home=/home/ftproot --shell=/bin/false --name=ftptest --uid=2001 --gid=200 --passwd
# create the ftp group; the configuration below only lets members of this group log in
/usr/local/proftpd/bin/ftpasswd --group --file=/etc/proftpd/ftpd.group --gid=200 --name=ftpman --member=ftptest
3.4 Generate the certificate
cd /usr/local/proftpd/
cp /usr/local/ssl/openssl.cnf .
# only the Common Name needs to be entered, and it must match the address clients connect to
openssl req -new -x509 -nodes -config openssl.cnf -out proftpd.crt -keyout proftpd.key
This produces two files, the certificate proftpd.crt and the private key proftpd.key; place them under the /etc/proftpd/ directory:
mkdir /etc/proftpd
cp proftpd.crt proftpd.key /etc/proftpd/
3.5 Configure
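The interactive openssl req call above puts the host name only in the Common Name. Clients that verify the server name check the subjectAltName extension first and fall back to the CN only when no SAN is present, so a certificate with the name in both is safer. The following added example, which is not code from the original post or from the ProFTPD project, issues the self-signed certificate non-interactively with a SAN, keeps the private key unreadable by other users, and checks the result; it assumes OpenSSL 1.1.1 or newer (for req -addext), keeps the file names used in this post, and uses the constructed host name ftp.example.com.

```shell
#!/bin/sh
# Added example (not from the original post or the ProFTPD project): issue the
# self-signed server certificate with the host name in a subjectAltName, keep
# the private key private, and check the result. Assumes OpenSSL >= 1.1.1.

# make_server_cert HOST OUTDIR [DAYS]: writes OUTDIR/proftpd.key (mode 600)
# and OUTDIR/proftpd.crt, a self-signed RSA certificate valid for DAYS days.
make_server_cert() {
    host=$1; out=$2; days=${3:-365}
    mkdir -p "$out" || return 1
    # umask 077 in a subshell so the key file is never created world-readable
    (umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$out/proftpd.key" -out "$out/proftpd.crt" 2>/dev/null) || return 1
    chmod 600 "$out/proftpd.key" && chmod 644 "$out/proftpd.crt"
}

# cert_covers_host HOST CERT: succeed if HOST is listed in the certificate's
# subjectAltName (what verifying clients check first) or in its subject CN.
cert_covers_host() {
    host=$1
    text=$(openssl x509 -in "$2" -noout -text) || return 1
    echo "$text" | grep -qE "DNS:$host(,|[[:space:]]|$)" && return 0
    echo "$text" | grep -qE "Subject:.*CN ?= ?$host(,|[[:space:]]|$)"
}

# key_is_private KEYFILE: succeed only if group and others have no access
# (columns 5-10 of 'ls -l' are the group and other permission bits).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# cert_valid_for_days CERT DAYS: succeed if the certificate is still valid
# DAYS days from now (useful in a monitoring job to catch expiry early).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo in a scratch directory; the real files go to /etc/proftpd/ as above.
demo=$(mktemp -d)
if make_server_cert ftp.example.com "$demo" 365; then
    cert_covers_host ftp.example.com "$demo/proftpd.crt" && echo "SAN covers ftp.example.com"
    key_is_private "$demo/proftpd.key" && echo "proftpd.key is mode 600"
    cert_valid_for_days "$demo/proftpd.crt" 30 && echo "valid for at least 30 more days"
fi
rm -rf "$demo"
```

To use it for a real server, call make_server_cert with the name clients will type, then copy the two files into /etc/proftpd/ and keep the 600 mode on proftpd.key: the server process reads the key as root at startup, so nothing else on the host needs access to it.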
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and assumes that you have a user "nobody" and a group "nogroup"
# for normal operation.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Don't use IPv6 support by default.
UseIPv6 off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nogroup
# Must be enabled: confines ("jails") every user to their own home directory.
DefaultRoot ~
# The virtual users have no login shell, so do not require one.
RequireValidShell off
# Verify login names and passwords with mod_auth_file.c only
AuthOrder mod_auth_file.c
# Files holding the virtual user names/passwords and the groups
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
# Allow downloads to resume from an offset
AllowRetrieveRestart on
# Allow interrupted uploads to resume
AllowStoreRestart on
# Do not reveal the server software and version in the login banner
ServerIdent off
# Normally, we want files to be overwriteable.
AllowOverwrite on
TimeoutLogin 120
TimeoutNoTransfer 900
MaxClientsPerHost 5
PassivePorts 55000 56000
# Disable reverse DNS lookups to speed up connection setup
UseReverseDNS off
TransferLog /var/log/xferlog
SystemLog /var/log/proftpd.log
MaxClients 100
#IdentLookups off
DeleteAbortedStores on
DirFakeGroup on
DirFakeUser on
DirFakeMode 0600
# The next two directives only work when proftpd was built with --enable-nls
LangOptions PreferServerEncoding
UseEncoding utf8 gbk
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>
# Only members of the ftpman group may log in
<Limit LOGIN>
AllowGroup ftpman
DenyAll
</Limit>
#########################ssl/tls############################
# MOD_TLS SETTING
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired ctrl
# Server's certificate
TLSRSACertificateFile /etc/proftpd/proftpd.crt
TLSRSACertificateKeyFile /etc/proftpd/proftpd.key
# Authenticate clients that want to use FTP over TLS
TLSVerifyClient off
</IfModule>
#########################ssl/tls############################
# Download area: the ftpman group may read but not write
<Directory /home/ftproot/down>
<Limit WRITE>
DenyGroup ftpman
</Limit>
# TransferRate RETR 150 group ftpman
</Directory>
# Upload area: the ftpman group (the group defined in ftpd.group) may not
# remove directories, rename, delete or download
<Directory /home/ftproot/upload>
<Limit RMD RNFR DELE RETR>
DenyGroup ftpman
</Limit>
# TransferRate STOR 150 group ftpman
</Directory>
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
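Two settings in the mod_tls block deserve a second look before the server goes live: TLSProtocol SSLv23 selects every protocol version the linked OpenSSL supports, and TLSRequired ctrl encrypts only the control connection, so directory listings and file contents can still cross the network in the clear. The following added example, which is not code from the original post or from the ProFTPD project, is a small audit that reads a proftpd.conf and reports these and a few related gaps; it assumes one directive per line and the directive names used in this post (TLSEngine, TLSProtocol, TLSRequired, TLSLog, TLSRSACertificateKeyFile, DefaultRoot), and its two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or the ProFTPD project): audit a
# proftpd.conf for the TLS weaknesses that matter most before starting the
# daemon. Assumes one directive per line and the directive names used above.

# value_of DIRECTIVE FILE: print the arguments of the first non-comment line
# whose first word is DIRECTIVE (case-insensitive, as proftpd reads names).
value_of() {
    awk -v d="$1" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(d) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$2"
}

# audit_proftpd_tls FILE: print one finding per line; exit 0 only if clean.
audit_proftpd_tls() {
    conf=$1
    n=0
    if [ "$(value_of TLSEngine "$conf")" != "on" ]; then
        echo "TLSEngine is not on: passwords and file data travel in cleartext"
        n=$((n + 1))
    fi
    proto=$(value_of TLSProtocol "$conf")
    if [ -z "$proto" ]; then
        echo "TLSProtocol is not set: set it explicitly to 'TLSv1.2 TLSv1.3'"
        n=$((n + 1))
    fi
    for p in $proto; do
        case $p in
            SSLv23|SSLv3|TLSv1|TLSv1.0|TLSv1.1)
                echo "TLSProtocol permits $p (SSLv23 selects every version OpenSSL supports): use 'TLSv1.2 TLSv1.3'"
                n=$((n + 1)) ;;
        esac
    done
    req=$(value_of TLSRequired "$conf")
    case $req in
        on|*data*) ;;   # on, data, auth+data and ctrl+data all cover the data channel
        *)
            echo "TLSRequired '${req:-off}' leaves the data channel (listings, file contents) unencrypted: use 'on'"
            n=$((n + 1)) ;;
    esac
    key=$(value_of TLSRSACertificateKeyFile "$conf")
    if [ -n "$key" ] && [ -f "$key" ]; then
        # columns 5-10 of 'ls -l' are the group and other permission bits
        if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
            echo "private key $key is readable by group or others: chmod 600 it"
            n=$((n + 1))
        fi
    fi
    if [ -z "$(value_of TLSLog "$conf")" ]; then
        echo "TLSLog is not set: failed handshakes will leave no trace"
        n=$((n + 1))
    fi
    if [ -z "$(value_of DefaultRoot "$conf")" ]; then
        echo "DefaultRoot is not set: users are not confined to their home directories"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# write_sample_conf weak|hardened FILE: constructed samples for the demo.
# 'weak' is the mod_tls block of the configuration above; 'hardened' is the
# same block with only TLSProtocol and TLSRequired changed.
write_sample_conf() {
    if [ "$1" = weak ]; then proto="SSLv23"; req="ctrl"
    else proto="TLSv1.2 TLSv1.3"; req="on"; fi
    cat > "$2" <<EOF
DefaultRoot ~
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol $proto
TLSRequired $req
TLSRSACertificateFile /etc/proftpd/proftpd.crt
TLSRSACertificateKeyFile /etc/proftpd/proftpd.key
TLSVerifyClient off
</IfModule>
EOF
}

# finding_count weak|hardened: audit the named sample and print the number
# of findings it produced.
finding_count() {
    tmp=$(mktemp) || return 1
    write_sample_conf "$1" "$tmp"
    audit_proftpd_tls "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

echo "weak sample:     $(finding_count weak) finding(s)"      # 2
echo "hardened sample: $(finding_count hardened) finding(s)"  # 0
```

Run audit_proftpd_tls /etc/proftpd.conf after every change and before the restart; its exit status makes it usable as a pre-deployment check. Once the server is running, openssl s_client -connect HOST:21 -starttls ftp shows which protocol version was actually negotiated, which is the quickest way to confirm that a TLSProtocol change took effect.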
3.6 Start proftpd and test
sudo /usr/local/proftpd/sbin/proftpd

3.7 Configure start on boot
- Create the boot script
sudo vim /etc/init.d/proftpd
The contents are as follows:
#!/bin/sh
# Startup script for ProFTPD
# chkconfig: 345 85 15
# description: ProFTPD is an enhanced FTP server
# processname: proftpd
# config: /etc/proftpd.conf
# Source function library (LSB helpers: killproc, status_of_proc, ...).
#. /etc/rc.d/init.d/functions
. /lib/lsb/init-functions
#if [ -f /etc/sysconfig/proftpd ]; then
# . /etc/sysconfig/proftpd
#fi
DAEMON=/usr/local/proftpd/sbin/proftpd
# sbin holds proftpd, bin holds ftpshut (used by suspend below)
PATH="$PATH:/usr/local/proftpd/sbin:/usr/local/proftpd/bin"
# See how we were called.
case "$1" in
  start)
    echo -n "Starting proftpd: "
    # init scripts already run as root, so no sudo is needed here
    $DAEMON
    #daemon proftpd $OPTIONS
    echo
    #touch /var/lock/subsys/proftpd
    ;;
  stop)
    echo -n "Shutting down proftpd: "
    # SIGTERM lets the master process shut down cleanly; SIGKILL would leave
    # its pid file and child sessions behind
    pids=$(pidof proftpd) && kill -TERM $pids
    echo
    rm -f /var/lock/subsys/proftpd
    ;;
  status)
    status_of_proc "$DAEMON" proftpd
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  reread)
    echo -n "Re-reading proftpd config: "
    killproc "$DAEMON" -HUP
    echo
    ;;
  suspend)
    hash ftpshut >/dev/null 2>&1
    if [ $? = 0 ]; then
      if [ $# -gt 1 ]; then
        shift
        echo -n "Suspending with '$*' "
        ftpshut $*
      else
        echo -n "Suspending NOW "
        ftpshut now "Maintenance in progress"
      fi
    else
      echo -n "No way to suspend "
    fi
    echo
    ;;
  resume)
    if [ -f /etc/shutmsg ]; then
      echo -n "Allowing sessions again "
      rm -f /etc/shutmsg
    else
      echo -n "Was not suspended "
    fi
    echo
    ;;
  *)
    echo -n "Usage: $0 {start|stop|restart|status|reread|resume"
    hash ftpshut
    if [ $? = 1 ]; then
      echo '}'
    else
      echo '|suspend}'
      echo 'suspend accepts additional arguments which are passed to ftpshut(8)'
    fi
    exit 1
esac
if [ $# -gt 1 ]; then
  shift
  $0 $*
fi
exit 0
- Make the script executable and link it into the runlevel directory (ln -s takes the existing file first, then the link name; on Ubuntu, update-rc.d proftpd defaults creates the links for every runlevel)
sudo chmod +x /etc/init.d/proftpd
sudo ln -sf /etc/init.d/proftpd /etc/rc5.d/S01proftpd
4. Summary
The process of building a secure FTP server has been run through once. Items to expand on later include:
- Configure client certificates, so that clients need a certificate to access the FTP server.
- Configure SELinux permissions, to further apply the principle of least privilege.
- Run secure proftpd on embedded Linux.