chadly2


How to configure ProFTP server...

I want to set up an FTP server on my Redhat 9 server.  Looking around, I've seen many posts stating that ProFTP is the way to go.  Correct me if you think differently.  I've installed the ProFTP package via Synaptic and have it running.  I can connect to it with an FTP client, but now I want to configure it to my needs.  However, I'm a bit confused looking through the /etc/proftpd.conf file.  I've installed Webmin and have tried to configure ProFTP through its module, but I'm still a little confused on how best to set this thing up.

1.  I'll probably have 5 - 10 users, with no anonymous access.  Do I have to create Linux user accounts for these accounts, or does ProFTP have its own user database that I can maintain?
2.  Currently when I log in with an FTP client with my Linux user account (not root), I see my home directory, including hidden files.  I want the FTP home directory to be on a second drive I've installed (/mnt/datadisk/ftpdata) rather than the Linux user's home directory.  And users are LOCKED into this folder, and with no way to access other system files.  Different users will have access to different folders on this drive.  Some will have access to all, and others only have access to one or two.
3.  Security is also a big concern.  From my experience FTP servers are easily hacked, I don't want mine to get hacked!

I'm migrating everything I have from Windows to Linux... help me if you can!
SOLUTION
paullamhkg

This solution is only available to members.
jlevie

I'll have to disagree with paullamhkg on this...

(1) Yes, ProFTP is capable of having FTP only accounts that don't correspond to Linux accounts. Authentication and user home dir definition can take place via ProFTP passwd/group files.  This is enabled by including:

AuthUserFile  /etc/proftpd.passwd
AuthGroupFile /etc/proftpd.group

in the global section of the proftpd.conf file. There's a tool for creating ProFTP passwd/group files in the contrib area of the ProFTP source distribution (and HTML docs for it).

(2) Including the following directives in the configuration will chroot the FTP user into their home dir, preventing them from seeing anything outside of that area.

DefaultRoot ~
DirFakeUser on ~
DirFakeGroup on ~

(3) ProFTP has a pretty good record with respect to security vulnerabilities. You do have to keep it up to date, but that's true of it and every other piece of S/W (including RH 9).
                                                                               
Avatar of chadly2

ASKER

Okay, I switched to vsftpd for two reasons.
1.  The links that paullamhkg provided showing that vsftpd is very secure, secure enough for the big dogs to use it (Redhat, SuSE, etc...)
2.  Ease of setup.  ProFTP may have more features, but vsftpd seems to be a lot easier to configure.

Here's how I've dealt with my original 3 issues so far:

1.  I'm using Linux accounts for my ftp users.  There is an advantage to this in my case since my users will be uploading files, and this looks to be an easy way of keeping track of who uploaded the file and preventing other users from deleting other users' files.  However, since usernames/passwords are passed in clear text, I'm wondering if this is a bit of a security issue.  (see item 3 below)

2.  In the /etc/vsftpd/vsftpd.conf file I uncommented out these settings:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
I then created the vsftpd.chroot_list text file with the list of ftp users that should be locked into their home directory (which I've set to /mnt/datadisk/ftp_data).  However, this still poses a security issue.  Non ftp users that have accounts on this machine can connect via ftp if they want to.  It will place them in their home directory with the ability to navigate out of it.  Just wondering if there is a way to only allow a specific group of Linux users the ability to use the ftp service.

3.  Security.  Still not clear on this one.  Sending clear text username/passwords doesn't seem like a good idea.  The data I'm sharing isn't that sensitive, but it should NOT be accessible to hackers clever enough to sniff out username/passwords.  Are there any "easy" solutions to configure vsftpd (or ProFTP) to use SSL connections or at least encrypted passwords (MD4 or MD5)?  My next level of security will be to create an access list on my firewall that only allows specific source IP addresses of my FTP users.

Maybe WebDAV is a better way to go?  I'd like to get a WebDAV server set up to share Mozilla Calendars and Mac Calendars anyway.   I've played with it a bit, but I'm a bit stumped.  I'll probably post another question concerning WebDAV today.
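
Added example (not part of the thread and not code from vsftpd or ProFTP): a small Python check that reads vsftpd.conf text and flags the three gaps described in the post above, namely logins open to every local account, chroot applied only to listed users, and clear-text passwords. The options userlist_enable, userlist_deny, chroot_local_user, ssl_enable and force_local_logins_ssl are vsftpd settings not mentioned in the thread; the SSL options assume a vsftpd build with SSL support, and both sample configurations and their file paths are constructed.

```python
# Added example: audit vsftpd.conf text for the gaps raised in the post above.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO",   # vsftpd defaults
            "chroot_local_user": "NO", "chroot_list_enable": "NO",
            "userlist_enable": "NO", "userlist_deny": "YES",
            "ssl_enable": "NO", "force_local_logins_ssl": "YES"}

# Constructed sample modelled on the setup described in the post.
AS_POSTED = """\
anonymous_enable=NO
local_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
"""

# Constructed hardened variant (assumption); the list path is a placeholder.
HARDENED = """\
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
ssl_enable=YES
"""

def parse_conf(text):
    """Overlay option=value lines (no spaces around '=') on the defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit(text):
    conf = parse_conf(text)
    on = lambda key: conf.get(key, "NO").upper() == "YES"
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous login is enabled")
    if not on("local_enable"):
        return findings  # no local logins, so the checks below do not apply
    if not on("userlist_enable") or on("userlist_deny"):
        findings.append("no allow list: any local account can log in")
    if not on("chroot_local_user"):
        findings.append("not all local users are chrooted")
    if not (on("ssl_enable") and on("force_local_logins_ssl")):
        findings.append("login passwords cross the network in clear text")
    return findings
```

Calling audit(AS_POSTED) returns three findings and audit(HARDENED) returns none. With userlist_deny=NO, only accounts named in userlist_file may log in.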
ASKER CERTIFIED SOLUTION
This solution is only available to members.
chadly2

ASKER

Okay, jlevie you have several valid points...  I have vsftpd running on my Redhat 9 box, so I'm going to leave it as is for the time being.  I'm building a new SuSE 9 Pro machine right now.  (I haven't decided on distribution of choice yet.)  I'm going to configure ProFTP on it.  I'll check back in when I have it running.