Solved

How to configure ProFTP server...

Posted on 2003-11-25
2,490 Views
Last Modified: 2007-12-19
I want to set up an FTP server on my Redhat 9 server.  Looking around, I've seen many posts stating that ProFTP is the way to go.  Correct me if you think differently.  I've installed the ProFTP package via Synaptic and have it running.  I can connect to it with a FTP client, but now I want to configure it to my needs.  However, I'm a bit confused looking through the /etc/proftpd.conf file.  I've installed Webmin and have tried to configure ProFTP through its module, but I'm still a little confused on how best to set this thing up.

1.  I'll probably have 5 - 10 users, with no anonymous access.  Do I have to create Linux user accounts for these accounts, or does ProFTP have its own user database that I can maintain?
2.  Currently when I login with an FTP client with my Linux user account (not root), I see my home directory, including hidden files.  I want the FTP home directory to be on a second drive I've installed (/mnt/datadisk/ftpdata) rather than the Linux user's home directory.  And users are LOCKED into this folder, with no way to access other system files.  Different users will have access to different folders on this drive.  Some will have access to all, and others only have access to one or two.
3.  Security is also a big concern.  From my experience FTP servers are easily hacked, I don't want mine to get hacked!

I'm migrating everything I have from Windows to Linux... help me if you can!
Question by:chadly2
6 Comments
 
LVL 12

Assisted Solution

by:paullamhkg
paullamhkg earned 100 total points
ID: 9822048
1. Yes, you need to create Linux user accounts.

2. If you want to restrict users to logging in to their own home directory with no access to other directories, chroot will be the solution for this; have a look here http://www.tjw.org/chroot-login-HOWTO/

3. Have a look here http://proftpd.linux.co.uk/localsite/Userguide/linked/config_ftpoverssh.html which uses ProFTP over ssh.

You might also think of VSFTP instead, which means very secure FTP; have a look here http://techrepublic.com.com/5100-6261-5034763.html and here http://vsftpd.beasts.org/ for more info about VSFTP.

Hope this info can help
 
LVL 40

Expert Comment

by:jlevie
ID: 9824221
I'll have to disagree with paullamhkg on this...

(1) Yes, ProFTP is capable of having FTP-only accounts that don't correspond to Linux accounts. Authentication and user home dir definition can take place via ProFTP passwd/group files. This is enabled by including:

AuthUserFile  /etc/proftpd.passwd
AuthGroupFile /etc/proftpd.group

in the global section of the proftpd.conf file. There's a tool for creating ProFTP passwd/group files in the contrib area of the ProFTP source distribution (and HTML docs for it).

(2) Including the following directives in the configuration will chroot the FTP user into their home dir, thus preventing them from seeing anything outside of that area.

DefaultRoot ~
DirFakeUser on ~
DirFakeGroup on ~

(3) ProFTP has a pretty good record with respect to security vulnerabilities. You do have to keep it up to date, but that's true of it and every other piece of S/W (including RH 9).
                                                                               
 

Author Comment

by:chadly2
ID: 9828359
Okay, I switched to vsftpd for two reasons.
1.  The links that paullamhkg provided showing that vsftpd is very secure, secure enough for the big dogs to use it (Redhat, SuSE, etc...)
2.  Ease of setup.  ProFTP may have more features, but vsftpd seems to be a lot easier to configure.

Here's how I've dealt with my original 3 issues so far:

1.  I'm using Linux accounts for my ftp users.  There is an advantage to this in my case since my users will be uploading files, and this looks to be an easy way of keeping track of who uploaded the file and preventing other users from deleting other users' files.  However, since usernames/passwords are passed in clear text, I'm wondering if this is a bit of a security issue.  (see item 3 below)

2.  In the /etc/vsftpd/vsftpd.conf file I uncommented these settings:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
I then created the vsftpd.chroot_list text file with the list of ftp users that should be locked into their home directory (which I've set to /mnt/datadisk/ftp_data).  However, this still poses a security issue.  Non-FTP users that have accounts on this machine can connect via ftp if they want to.  It will place them in their home directory with the ability to navigate out of it.  Just wondering if there is a way to only allow a specific group of Linux users the ability to use the ftp service.

3.  Security.  Still not clear on this one.  Sending clear text usernames/passwords doesn't seem like a good idea.  The data I'm sharing isn't that sensitive, but it should NOT be accessible to hackers clever enough to sniff out usernames/passwords.  Are there any "easy" solutions to configure vsftpd (or ProFTP) to use SSL connections or at least encrypted passwords (MD4 or MD5)?  My next level of security will be to create an access list on my firewall that only allows specific source IP addresses of my FTP users.

Maybe WebDAV is a better way to go?  I'd like to get a WebDAV server set up to share Mozilla Calendars and Mac Calendars anyway.   I've played with it a bit, but I'm a bit stumped.  I'll probably post another question concerning WebDAV today.
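An added example, not from this thread or from the vsftpd project, for the two vsftpd worries raised in the comment above: the chroot list as configured jails only the users named in it, and any local account can log in. vsftpd answers both with `chroot_local_user=YES` (jail everyone; the list then inverts to name the users who are NOT jailed) and `userlist_enable=YES` with `userlist_deny=NO` (an allow list, refused before the password is sent), or with a PAM stack that admits only members of a Linux group. The script writes the weak configuration beside the hardened one and a small lint function that flags the weak settings. The TLS lines require vsftpd 2.0 or later (the version on Red Hat 9 predates them), the group name ftpusers and file paths are assumptions, and the weak config is a constructed approximation of the comment's setup.

```shell
#!/bin/sh
# Added example, not from the thread or the vsftpd project. Weak vs hardened
# vsftpd.conf for "only these users, all jailed, no anonymous", plus a lint.
# Assumed: vsftpd 2.0+ for the ssl_* lines; group "ftpusers" for the PAM variant.
set -eu

# Constructed approximation of the setup in the comment above: only users in
# the chroot list are jailed, every local account may log in, and vsftpd's
# default anonymous_enable=YES is left in force.
write_weak_vsftpd_conf() {
    cat > "$1" <<'EOF'
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
EOF
}

write_hardened_vsftpd_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022

# Jail every local user in their home directory (set each FTP user's home
# under /mnt/datadisk/ftpdata with useradd -d). Once chroot_local_user=YES,
# the chroot list names users who are NOT jailed, so keep it disabled.
# vsftpd 2.3.5+ refuses a jail whose root is writable: keep that directory
# root-owned and give the user a writable subdirectory.
chroot_local_user=YES
chroot_list_enable=NO

# Allow list: anyone not named in userlist_file (one username per line) is
# refused before vsftpd asks for a password, so the refusal leaks nothing.
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
pam_service_name=vsftpd

# TLS on control and data channels (vsftpd 2.0 and later).
ssl_enable=YES
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
EOF
}

# Group-based alternative to the user list: /etc/pam.d/vsftpd admitting only
# members of the groups listed (one per line) in /etc/vsftpd.groups.
write_vsftpd_pam() {
    cat > "$1" <<'EOF'
auth    required  pam_listfile.so item=group sense=allow file=/etc/vsftpd.groups onerr=fail
auth    required  pam_unix.so
account required  pam_unix.so
session required  pam_unix.so
EOF
}

# conf_get FILE KEY: value of KEY, last occurrence wins (as in vsftpd), else empty.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_vsftpd_conf FILE: return 0 if the file meets the three goals, else
# print each shortfall and return 1. Absent keys take vsftpd's defaults,
# which enable anonymous login and disable both the jail and the user list.
check_vsftpd_conf() {
    f=$1 rc=0
    [ "$(conf_get "$f" anonymous_enable)" = NO ] || {
        echo "anonymous_enable is not NO (vsftpd's default is YES)"; rc=1; }
    [ "$(conf_get "$f" chroot_local_user)" = YES ] || {
        echo "chroot_local_user is not YES: users missing from the chroot list can leave their home"; rc=1; }
    if [ "$(conf_get "$f" userlist_enable)" != YES ] || [ "$(conf_get "$f" userlist_deny)" != NO ]; then
        echo "userlist_enable=YES with userlist_deny=NO is missing: every local account can log in"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    write_weak_vsftpd_conf "$tmp/weak.conf"
    write_hardened_vsftpd_conf "$tmp/hardened.conf"
    write_vsftpd_pam "$tmp/pam-vsftpd"
    echo "weak.conf:";     check_vsftpd_conf "$tmp/weak.conf" || true
    echo "hardened.conf:"; check_vsftpd_conf "$tmp/hardened.conf" && echo "ok"
fi
```

`sh vsftpd-check.sh demo` prints the three findings for the weak file and "ok" for the hardened one; the lint can also be pointed at a live /etc/vsftpd/vsftpd.conf.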
 
LVL 40

Accepted Solution

by:
jlevie earned 150 total points
ID: 9838974
From what I see that you want to accomplish I believe that vsftp isn't the correct choice. From my reading of its docs (and playing with different configurations of it) I don't see it being capable of doing what ProFTP can do.

Your goals, as I see them, are to protect the server from unauthorized access and to limit each FTP user to only being able to see their own files. Using ProFTP's AuthUserFile directive this is easily done. When that directive is in place only users in the ProFTP password file have access to FTP and they are all chroot'd to the "home dir" as specified in the password file. For security reasons I never create a ProFTP account with the same username & password as a Linux account. In most cases I'll make the UID/GID of each FTP account be nobody/nobody. This means that the exposure of the plain text username and password isn't much of a security issue. The only thing an attacker who has captured this account information can do is to access the FTP account, and they are doing so as nobody.

While there are ways of protecting an FTP transaction by encrypting the session, there are few FTP clients that can do that. If you really need to protect the account information and the data you need to ditch FTP and only allow scp/sftp access. The down side of that is that you are back to having to have Linux accounts for each user and there's no easy way to chroot a user. Creating an FTP server where FTP users aren't Linux accounts, like above, is a reasonable compromise.

BTW: The "big dogs" use vsftp more for its speed than for security issues. By and large their FTP servers are set up for download only (read only access). They need to support lots of sessions and transfer lots of data, so speed and resource consumption is very important. ProFTP, NcFTP, and vsftp all have excellent records, security-wise. It has been the FTP servers based on the old BSD code (wu-ftp, etc) that have created a bad rep for FTP.
 

Author Comment

by:chadly2
ID: 9883470
Okay, jlevie you have several valid points...  I have vsftpd running on my Redhat 9 box, so I'm going to leave it as is for the time being.  I'm building a new SuSE 9 Pro machine right now.  (I haven't decided on distribution of choice yet.)  I'm going to configure ProFTP on it.  I'll check back in when I have it running.
