How to configure ProFTP server...

I want to set up an FTP server on my Redhat 9 server.  Looking around, I've seen many posts stating that ProFTP is the way to go.  Correct me if you think differently.  I've installed the ProFTP package via Synaptic and have it running.  I can connect to it with an FTP client, but now I want to configure it to my needs.  However, I'm a bit confused looking through the /etc/proftpd.conf file.  I've installed Webmin and have tried to configure ProFTP through its module, but I'm still a little confused on how best to set this thing up.

1.  I'll probably have 5 - 10 users, with no anonymous access.  Do I have to create Linux user accounts for these accounts, or does ProFTP have its own user database that I can maintain?
2.  Currently when I log in with an FTP client with my Linux user account (not root), I see my home directory, including hidden files.  I want the FTP home directory to be on a second drive I've installed (/mnt/datadisk/ftpdata) rather than the Linux user's home directory.  And users are LOCKED into this folder, with no way to access other system files.  Different users will have access to different folders on this drive.  Some will have access to all, and others only have access to one or two.
3.  Security is also a big concern.  From my experience FTP servers are easily hacked; I don't want mine to get hacked!

I'm migrating everything I have from Windows to Linux... help me if you can!

1. Yes, you need to create Linux user accounts.

2. If you want to restrict users to logging in to their own home directory, unable to access others' directories, CHROOT will be the solution for this; have a check here.

3. Have a look here, which uses ProFTP over SSH.

You might also think of VSFTP instead, which means Very Secure FTP; have a check here and here for more info about VSFTP.

Hope this info can help
I'll have to disagree with paullamhkg on this...

(1) Yes, ProFTP is capable of having FTP-only accounts that don't correspond to Linux accounts. Authentication and user home dir definition can take place via ProFTP passwd/group files.  This is enabled by including:

AuthUserFile  /etc/proftpd.passwd
AuthGroupFile /etc/

in the global section of the proftpd.conf file. There's a tool for creating ProFTP passwd/group files in the contrib area of the ProFTP source distribution (and HTML docs for it).

(2) Including the following directives in the configuration will chroot the FTP user into their home dir, thereby preventing them from seeing anything outside of that area.

DefaultRoot ~
DirFakeUser on ~
DirFakeGroup on ~

(3) ProFTP has a pretty good record with respect to security vulnerabilities. You do have to keep it up to date, but that's true of it and every other piece of S/W (including RH 9).

chadly2 (Author) commented:
Okay, I switched to vsftpd for two reasons.
1.  The links that paullamhkg provided showing that vsftpd is very secure, secure enough for the big dogs to use it (Redhat, SuSE, etc...)
2.  Ease of setup.  ProFTP may have more features, but vsftpd seems to be a lot easier to configure.

Here's how I've dealt with my original 3 issues so far:

1.  I'm using Linux accounts for my ftp users.  There is an advantage to this in my case since my users will be uploading files, and this looks to be an easy way of keeping track of who uploaded the file and preventing other users from deleting other users' files.  However, since usernames/passwords are passed in clear text, I'm wondering if this is a bit of a security issue.  (see item 3 below)

2.  In the /etc/vsftpd/vsftpd.conf file I uncommented out these settings:
I then created the vsftpd.chroot_list text file with the list of ftp users that should be locked into their home directory (which I've set to /mnt/datadisk/ftp_data).  However, this still poses a security issue.  Non ftp users that have accounts on this machine can connect via ftp if they want to.  It will place them in their home directory with the ability to navigate out of it.  Just wondering if there is a way to only allow a specific group of Linux users the ability to use the ftp service.

3.  Security.  Still not clear on this one.  Sending clear text username/passwords doesn't seem like a good idea.  The data I'm sharing isn't that sensitive, but it should NOT be accessible to hackers clever enough to sniff out username/passwords.  Are there any "easy" solutions to configure vsftpd (or ProFTP) to use SSL connections or at least encrypted passwords (MD4 or MD5)?  My next level of security will be to create an access list on my firewall that only allows specific source IP addresses of my FTP users.

Maybe WebDAV is a better way to go?  I'd like to get a WebDAV server set up to share Mozilla Calendars and Mac Calendars anyway.   I've played with it a bit, but I'm a bit stumped.  I'll probably post another question concerning WebDAV today.
From what I see that you want to accomplish I believe that vsftp isn't the correct choice. From my reading of its docs (and playing with different configurations of it) I don't see it being capable of doing what ProFTP can do.

Your goals, as I see them, are to protect the server from unauthorized access and to limit each FTP user to only being able to see their own files. Using ProFTP's AuthUserFile directive this is easily done. When that directive is in place only users in the ProFTP password file have access to FTP and they are all chroot'd to the "home dir" as specified in the password file. For security reasons I never create a ProFTP account with the same username & password as a Linux account. In most cases I'll make the UID/GID of each FTP account be nobody/nobody. This means that the exposure of the plain text username and password isn't much of a security issue. The only thing an attacker who has captured this account information can do is to access the FTP account, and they are doing so as nobody.

While there are ways of protecting an FTP transaction by encrypting the session, there are few FTP clients that can do that. If you really need to protect the account information and the data you need to ditch FTP and only allow scp/sftp access. The downside of that is that you are back to having to have Linux accounts for each user and there's no easy way to chroot a user. Creating an FTP server where FTP users aren't Linux accounts, like above, is a reasonable compromise.

BTW: The "big dogs" use vsftp more for its speed than for security issues. By and large their FTP servers are set up for download only (read only access). They need to support lots of sessions and transfer lots of data, so speed and resource consumption are very important. ProFTP, NcFTP, and vsftp all have excellent records, security wise. It has been the FTP servers based on the old BSD code (wu-ftp, etc) that have created a bad rep for FTP.
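
An added example, not part of the thread and not ProFTPD's own tooling: a Python check that audits an AuthUserFile against the isolation rules described in the two ProFTP answers above (FTP-only accounts distinct from Linux accounts, unprivileged UID/GID, home directory used as chroot target under the data drive). It assumes the AuthUserFile uses the seven-field passwd(5) layout; the sample entries, `SYSTEM_ACCOUNTS` and the function name are constructed for illustration.

```python
import posixpath

# Constructed sample data (not from the thread): AuthUserFile lines in
# passwd(5) layout, name:hash:uid:gid:gecos:home:shell.
FTP_ROOT = "/mnt/datadisk/ftpdata"  # data drive named in the question
SAMPLE_AUTH_FILE = """\
alice:$1$placeholder$hash:99:99::/mnt/datadisk/ftpdata/projects:/bin/false
bob:$1$placeholder$hash:99:99::/mnt/datadisk/ftpdata/../../etc:/bin/false
chad:$1$placeholder$hash:0:0::/mnt/datadisk/ftpdata:/bin/false
carol:$1$placeholder$hash:99:99::/home/carol:/bin/bash
"""
SYSTEM_ACCOUNTS = {"root", "chad", "nobody"}  # in practice: names from /etc/passwd


def audit_auth_user_file(text, ftp_root=FTP_ROOT, system_accounts=frozenset()):
    """Return {username: [findings]} for entries that break the isolation rules."""
    findings = {}
    root = posixpath.normpath(ftp_root)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings[f"line {lineno}"] = ["malformed entry (expected 7 fields)"]
            continue
        name, pw, uid, gid, _gecos, home, _shell = fields
        problems = []
        if name in system_accounts:
            problems.append("username also exists as a Linux account")
        if not uid.isdigit() or not gid.isdigit():
            problems.append("non-numeric UID/GID")
        elif int(uid) == 0 or int(gid) == 0:
            problems.append("UID/GID 0 gives the FTP session root file access")
        if not pw:
            problems.append("empty password field")
        # Normalise first so '..' segments cannot fake a path under the root.
        norm = posixpath.normpath(home)
        if norm != root and not norm.startswith(root + "/"):
            problems.append("home (chroot target) is outside the FTP data root")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    report = audit_auth_user_file(SAMPLE_AUTH_FILE, FTP_ROOT, SYSTEM_ACCOUNTS)
    for user, issues in report.items():
        for issue in issues:
            print(f"{user}: {issue}")
```
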

chadly2 (Author) commented:
Okay, jlevie you have several valid points...  I have vsftpd running on my Redhat 9 box, so I'm going to leave it as is for the time being.  I'm building a new SuSE 9 Pro machine right now.  (I haven't decided on distribution of choice yet.)  I'm going to configure ProFTP on it.  I'll check back in when I have it running.