Gerrards Cross Computer Club

NAS 4220-B - Configure FTP

Page updated 21 July 2008

Overview

This page describes how to configure the FTP server (ProFTPD) on the NAS 4220-B in as secure a manner as possible. The configuration supplied with the NAS is too open to be safe: its anonymous section lets any client that logs in as guest, anonymous or ftp write to the guest share.

It will be necessary to:

New Script

This is my new script.

Script code, followed by a description of each section.

# Server characteristics

ServerName                "Soroban NAS FTPD"

ServerType                standalone

DefaultServer             on

#

# Port and usage control

Port                      21

PassivePorts              60000 65535

MaxInstances              30

#

# Miscellaneous

Umask                     006

RequireValidShell         off

IdentLookups              off

UseReverseDNS             off

#

# Administration/log file management

ScoreboardFile            /var/run/proftpd.pid

SystemLog                 /var/log/messages

WtmpLog                   off


#

# Character set definition

CharsetLocal              UTF-8

CharsetRemote             CP1252

#

# Daemon user context - Default to invalid values

User                      nobody

Group                     nobody

#

# Unidentified

receivefile               on  ## This parameter is for TSS. You can fill in either "on" or "off". ###

Server section

This section defines the standard server settings. Check the Umask setting: 006 removes read and write permission for "other", so new files are created with mode 660 and new directories with mode 771, accessible only to their owner and group. PassivePorts restricts data connections to 60000-65535 so that a fixed range can be forwarded through the router, and MaxInstances 30 caps the number of child processes the daemon will fork.

# Required for FTP behind NAT routers

MasqueradeAddress          sorobansystems.plus.com

#

NAT Rules

Masquerade is needed because I am behind a NAT firewall: without it the server puts its LAN address in PASV replies and remote clients cannot open the data connection. Replace sorobansystems.plus.com with your own EXTERNAL ftp address, and forward TCP port 21 and the PassivePorts range (60000-65535) from the router to the NAS.
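To confirm from outside that MasqueradeAddress and PassivePorts are taking effect, the following added example (not code from the club page or the NAS firmware) parses a server's 227 PASV reply and checks that it advertises the external address and a port within 60000-65535. The constructed replies, the stand-in external address 203.0.113.10 and the guest/guest@ login used by live_check are assumptions, not values from the page.

```python
"""Check a PASV (227) reply against the MasqueradeAddress/PassivePorts setup.

Added example, not code from the club page or the NAS firmware.  The port
range mirrors the page's PassivePorts directive; the two replies below are
constructed, and 203.0.113.10 stands in for whatever the MasqueradeAddress
host name resolves to.
"""
import ipaddress
import re

PASSIVE_PORTS = (60000, 65535)   # PassivePorts 60000 65535 on the page

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Address blocks a NATed server must never advertise to the outside world.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError otherwise."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def check_pasv(reply, expected_ip, port_range=PASSIVE_PORTS):
    """Return a list of problems; an empty list means the reply matches the config."""
    problems = []
    ip, port = parse_pasv(reply)
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("advertised LAN address %s: MasqueradeAddress is not in effect" % ip)
    elif ip != expected_ip:
        problems.append("advertised %s, expected external address %s" % (ip, expected_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside PassivePorts %d-%d, so the router "
                        "will not forward it" % (port, lo, hi))
    return problems


def live_check(host, expected_ip, user="guest", password="guest@"):
    """Log in to a real server, issue PASV and check the genuine reply (needs network).
    The guest alias and the password are assumptions based on the page's script."""
    import ftplib
    ftp = ftplib.FTP(host, timeout=10)
    ftp.login(user, password)
    try:
        return check_pasv(ftp.sendcmd("PASV"), expected_ip)
    finally:
        ftp.quit()


# Constructed replies: the first is what a correctly masqueraded server sends
# (234*256+96 = 60000); the second shows a LAN address leaking through and a
# port outside the forwarded range (195*256+80 = 50000).
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,234,96)."
BAD_REPLY = "227 Entering Passive Mode (192,168,1,20,195,80)."

if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        print(reply, "->", check_pasv(reply, "203.0.113.10") or ["ok"])
```

Run live_check("your-nas-host", "your external IP") from a machine outside your own network. An advertised 192.168.x.x or 10.x.x.x address means MasqueradeAddress is not being applied; a port outside the range means the router forwarding rule will not match and passive transfers will hang.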

# Download/upload/Overwrite controls

<global>

    AllowOverwrite          on

    AllowRetrieveRestart    on

    AllowStoreRestart       on

</global>

Global Section

This section globally allows files to be overwritten and lets clients resume interrupted downloads and uploads.

DefaultRoot      /mnt/md1/ftp

DefaultRoot      /mnt/md1/ftp             ftp-admin

DefaultRoot      /mnt/md1/ftp/ftp-read    ftp-read

DefaultRoot      /mnt/md1/ftp/ftp-upload  ftp-upload

#

<Anonymous //mnt/md1/ftp>

    # Daemon user context - over-rides previous

    User                    ftp-admin

    Group                   ftp-admin

    AnonRequirePassword     off

    #

    # Define aliases to internal names

    UserAlias    guest        ftp-read

    UserAlias    upload       ftp-upload

    #

    # Control access to download folder structure

    <Directory /mnt/md1/ftp/ftp-read/*>

        <Limit WRITE>

            AllowGroup      ftp-admin

            DenyAll

        </Limit>

    </Directory>

    #

    # control access to upload directory structure

    <Directory /mnt/md1/ftp/ftp-upload/*>

        <Limit STOR>

            AllowGroup      ftp-admin,ftp-upload

            DenyAll

        </Limit>

    </Directory>

    #

    # Control access to FTP Root directory

    <Directory /mnt/md1/ftp/*>

        <Limit ALL>

            AllowGroup ftp-admin

            DenyAll

        </Limit>

    </Directory>

</Anonymous>

    #
    # Remnant of the supplied anonymous section, left here disabled:
    # its <Limit WRITE> AllowAll rule would let every anonymous client write
    #

    #UserAlias guest guest-share

    #UserAlias anonymous guest-share

    #UserAlias ftp guest-share

    #<Directory *>

    #    AllowOverwrite on

    #    <Limit WRITE>

    #        AllowAll

    #    </Limit>

    #</Directory>

Anonymous Section

All FTP logins are handled by this section. The session runs as ftp-admin, and the login names guest and upload are aliased to the ftp-read and ftp-upload accounts. Each <Directory> block then says who may do what: guests can only read the ftp-read tree, uploaders may STOR into the ftp-upload tree, and everything else under /mnt/md1/ftp is reserved for the ftp-admin group. Every <Limit> names the permitted group and ends with DenyAll, so anything not explicitly allowed is refused.

Two things to check after loading this script. First, only STOR is limited in the ftp-upload tree; the other write commands there (DELE, RNFR, RNTO, MKD) fall to the less specific <Limit ALL> on /mnt/md1/ftp/*, so log in as upload and confirm they are refused. Second, ProFTPD treats a login with the name given by User inside <Anonymous> as an anonymous login, and AnonRequirePassword is off, so a client logging in as ftp-admin is not asked for a real password (try it with any password). If ftp-admin is meant to be a privileged account, set AnonRequirePassword on or keep the administrative login outside the <Anonymous> block.

ListOptions               "-l"
DenyFilter                \*.*/
#



# Normally, we want files to be overwriteable.
<Directory /*>
   AllowOverwrite on
</Directory>

#### userscript - mod


####


#
<Directory /mnt/md1/lost+found>
    HideNoAccess on
    <Limit ALL>
        DenyAll
    </Limit>
</Directory>
#
<Directory /mnt/md1/admin>
    <Limit DIRS READ WRITE>
        DenyAll
    </Limit>
    <Limit DIRS READ WRITE>
        AllowUser admin
    </Limit>
</Directory>
#
<Directory /mnt/md1/guest-share>
    <Limit DIRS READ WRITE>
        DenyAll
    </Limit>
    <Limit DIRS READ WRITE>
        AllowUser guest-share
    </Limit>
</Directory>
#
<Directory /mnt/md1/public>
    <Limit DIRS READ WRITE>
        DenyAll
    </Limit>
    <Limit DIRS READ WRITE>
        AllowUser admin
    </Limit>
</Directory>

Standard Script for userscripts

This is a copy of the proftpd.conf.md1 file in userscripts/sample/conf. Lines containing ... show where lines have been removed as not needing explanation; these are typically lines of comment. Note that you need to select the appropriate file: this script is for a RAID 1 configuration.

A detailed description of the directives can be found in the ProFTPD configuration documentation.

Script code, followed by a description of each item.

#### BEWARE!!!!

...

#


ServerName "NAS FTPD"

ServerType standalone

DefaultServer on

DefaultRoot /mnt

ServerName - the name displayed to a user when they connect to the FTP server. We may want to change this.
ServerType - the type required for this application is standalone (the daemon listens for connections itself rather than being started by inetd).
DefaultServer - on makes this server the one used for connections that match no <VirtualHost>.
DefaultRoot - the directory users are confined to (chroot) after login; /mnt in the supplied script. We will probably want to change this.

CharsetLocal UTF-8

CharsetRemote CP1252

CharsetLocal - the character set used for file names on the NAS (UTF-8).
CharsetRemote - the character set assumed for file names sent by clients (CP1252, Windows western European).

SystemLog /var/log/messages

SystemLog - the file that receives the daemon's log messages.

Port 21

Port - the FTP control port number (21 is the standard).

Umask 006

Umask - the mask removed from the default permissions of newly created files and directories (see umask and chmod in the UNIX documentation). 006 gives files mode 660 and directories mode 771, so "other" users can neither read nor write them.

User nobody

Group nobody

User
Group
The account and group the daemon runs as when it is not serving a particular login. It is recommended that a new user and group are created rather than using the traditional "nobody".

RequireValidShell off

RequireValidShell - off allows accounts whose login shell is not listed in /etc/shells to log in, which is what FTP-only accounts normally need.

#### userscript - mod

# Tuning settings

IdentLookups     off

UseReverseDNS     off

WtmpLog     off

ListOptions     "-l"

DenyFilter     \*.*/
####

IdentLookups - default is on. Controls whether the ident protocol is used to ask the client host for the user name; off avoids a delay when the client does not answer.
UseReverseDNS - default is on. Controls whether the client's IP address is resolved to a host name for logging and host-based access rules. Off prevents a hang when DNS is slow or unavailable.
WtmpLog - default is on. Controls logging of logins to the host's wtmp file.
ListOptions - "-l" makes directory listings use the long, one-entry-per-line format.
DenyFilter - a regular expression applied to command arguments; any argument that matches is rejected. \*.*/ rejects arguments containing a "*" followed later by a "/", which blocks recursive wildcard listings (for example "ls */../*/") that can tie up the server. There is a corresponding AllowFilter.

receivefile on  ## This parameter is for TSS. You can fill in either "on" or "off". ##

receivefile - TBD (a NAS-specific parameter; the comment in the supplied script only says it is for TSS).

ScoreboardFile /var/run/proftpd.pid

ScoreboardFile - the file the daemon uses to track its child processes (sessions). It is needed for MaxInstances, MaxClients and ftpwho to work correctly; the supplied script points it at the PID file path.

# Normally, we want files to be overwriteable.
<Directory /*>

   AllowOverwrite on

</Directory>

Directory - /* matches every path on the system.
AllowOverwrite - permits existing files to be overwritten by uploads.

#### userscript - mod

# Downloadresume

<global>

AllowOverwrite      on

AllowRetrieveRestart      on

AllowStoreRestart      on

</global>

####

Global - directives inside <Global> apply to the main server and to every <VirtualHost>.
AllowOverwrite - on permits existing files to be overwritten.
AllowRetrieveRestart - on allows clients to resume interrupted downloads.
AllowStoreRestart - on allows clients to resume interrupted uploads.

<Anonymous //mnt/md1/guest-share>

User guest-share

Group guest-share

UserAlias guest guest-share

UserAlias anonymous guest-share

UserAlias ftp guest-share

<Directory *>

AllowOverwrite on

<Limit WRITE>

AllowAll

</Limit>

</Directory>

</Anonymous>

Anonymous - defines an anonymous login section; the path is the directory the session is confined to (chroot).
User - the account the daemon switches to for anonymous sessions (and the login name that triggers them).
Group - the group used for anonymous sessions.
UserAlias - maps the login names guest, anonymous and ftp to the single guest-share account.
Directory - * matches everything under the anonymous root.
Limit WRITE - selects the write commands (uploads, deletes, renames, directory creation) for the rules inside it.
AllowAll - grants them to everyone. This is the rule that makes the supplied configuration too open: any client that logs in as guest, anonymous or ftp, without a real password, can write to the guest share.
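The following added example (not code from the club page or the NAS firmware) reads a proftpd.conf and reports every <Limit> inside an <Anonymous> section that hands a write-class command to everyone with AllowAll, which is exactly the rule described above. Both configurations in it are constructed from the page's two scripts; the parser is a deliberately small one that understands only the <Anonymous>, <Directory> and <Limit> nesting used on this page.

```python
"""Audit a proftpd.conf for anonymous sections that let any client write.

Added example, not code from the club page or the NAS firmware.  The parser
understands only the <Anonymous>, <Directory> and <Limit> nesting used on this
page, which is enough to catch the stock "AllowAll inside <Limit WRITE>" rule.
Both configurations below are constructed from the page's scripts.
"""
import re
import sys

# <Limit> keywords that grant some form of write access: WRITE and ALL are
# command groups, the rest are individual write commands.
WRITE_CMDS = {"WRITE", "ALL", "STOR", "STOU", "APPE", "DELE", "MKD", "XMKD",
              "RMD", "XRMD", "RNFR", "RNTO"}

OPEN_RE = re.compile(r"^<(Anonymous|Directory|Limit)\s*([^>]*)>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</(Anonymous|Directory|Limit)\s*>$", re.IGNORECASE)


def audit(conf_text):
    """Return one finding per <Limit> inside an <Anonymous> section that grants
    a write-class command with AllowAll (a rule every client satisfies).
    Each finding is (anonymous root, directory pattern, sorted commands)."""
    findings = []
    stack = []          # open sections as (name, argument), outermost first
    allow_all = False   # AllowAll seen inside the currently open <Limit>
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip()))
            allow_all = False
            continue
        if CLOSE_RE.match(line):
            name, arg = stack.pop()
            if name == "limit" and allow_all:
                granted = {c.upper() for c in arg.split()} & WRITE_CMDS
                anon = next((a for n, a in stack if n == "anonymous"), None)
                if anon is not None and granted:
                    directory = next((a for n, a in reversed(stack)
                                      if n == "directory"), "*")
                    findings.append((anon, directory, sorted(granted)))
            allow_all = False
            continue
        if stack and stack[-1][0] == "limit" and line.lower() == "allowall":
            allow_all = True
    return findings


# Constructed from the stock script on this page: anonymous users may write.
STOCK_CONF = """
<Anonymous /mnt/md1/guest-share>
    User guest-share
    Group guest-share
    UserAlias guest guest-share
    UserAlias anonymous guest-share
    UserAlias ftp guest-share
    <Directory *>
        AllowOverwrite on
        <Limit WRITE>
            AllowAll
        </Limit>
    </Directory>
</Anonymous>
<Directory /mnt/md1/lost+found>
    <Limit ALL>
        DenyAll
    </Limit>
</Directory>
"""

# Constructed from the new script on this page: each <Limit> names a group
# and ends with DenyAll, so nothing is granted to everyone.
HARDENED_CONF = """
<Anonymous /mnt/md1/ftp>
    User ftp-admin
    Group ftp-admin
    AnonRequirePassword off
    UserAlias guest ftp-read
    UserAlias upload ftp-upload
    <Directory /mnt/md1/ftp/ftp-read/*>
        <Limit WRITE>
            AllowGroup ftp-admin
            DenyAll
        </Limit>
    </Directory>
    <Directory /mnt/md1/ftp/ftp-upload/*>
        <Limit STOR>
            AllowGroup ftp-admin,ftp-upload
            DenyAll
        </Limit>
    </Directory>
</Anonymous>
"""

if __name__ == "__main__":
    # Pass a real proftpd.conf path to audit it; otherwise audit the stock sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else STOCK_CONF
    for anon, directory, cmds in audit(text):
        print("%s: <Directory %s> grants %s to everyone" % (anon, directory, " ".join(cmds)))
```

Run it against the NAS's live proftpd.conf after editing: an empty report means no anonymous section grants write commands to everyone, which is the property the new script is meant to have. It only looks at AllowAll; a rule such as AllowGroup ftp-upload inside <Limit STOR> is reported nowhere, because that is a deliberate grant to a named group rather than to every client.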

<Directory /mnt/md1/lost+found>

HideNoAccess on

<Limit ALL>

DenyAll

</Limit>

</Directory>

Directory /mnt/md1/lost+found
HideNoAccess - on hides entries the user may not access from directory listings.
Limit ALL - applies to all commands.
DenyAll - denies access to everyone.

<Directory /mnt/md1/admin>

<Limit DIRS READ WRITE>

DenyAll

</Limit>

<Limit DIRS READ WRITE>

AllowUser admin

</Limit>

</Directory>

Directory /mnt/md1/admin
Limit DIRS READ WRITE - applies to directory listing, download and upload commands.
DenyAll - denies them to everyone.
Limit DIRS READ WRITE - as above.
AllowUser admin - enables user admin to override the earlier DenyAll and access its own folder. The same effect is obtained more clearly with a single <Limit> containing AllowUser admin followed by DenyAll, which is how the new script is written.

<Directory /mnt/md1/guest-share>

<Limit DIRS READ WRITE>

DenyAll

</Limit>

<Limit DIRS READ WRITE>

AllowUser guest-share

</Limit>

</Directory>

Directory /mnt/md1/guest-share
Limit DIRS READ WRITE - as above.
DenyAll - as above.
Limit DIRS READ WRITE - as above.
AllowUser guest-share - enables anonymous users (together with the aliases) to access the guest share.

<Directory /mnt/md1/public>

<Limit DIRS READ WRITE>

DenyAll

</Limit>

<Limit DIRS READ WRITE>

AllowUser admin

</Limit>

</Directory>

Ditto for /mnt/md1/public - allows admin to access this folder.