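# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

ServerName			"ProFTPD server"
# Greet clients with a fixed string instead of the default banner, so the
# greeting does not advertise the server software or its version.
ServerIdent			on "FTP Server ready."
ServerAdmin			root@localhost
# Connections to an address that matches no <VirtualHost> are handled by
# this server configuration.
DefaultServer			on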
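# Chroot every FTP user into their home directory, except members of the
# "adm" group: the second argument to DefaultRoot is a group expression,
# so "!adm" exempts that group rather than a user of the same name.
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
# NOTE(review): with VRootEngine on, the confinement is implemented by
# mod_vroot's path mapping inside the server - confirm this matches the
# isolation you expect from DefaultRoot.
VRootEngine			on
DefaultRoot			~ !adm
VRootAlias			etc/security/pam_env.conf /etc/security/pam_env.conf

# Use pam to authenticate (default) and be authoritative.
# AuthPAMConfig names the PAM service used for logins.  The trailing "*"
# marks mod_auth_pam.c as authoritative: when PAM rejects a login it is
# refused rather than falling through to mod_auth_unix.c.
AuthPAMConfig			proftpd
AuthOrder			mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd		off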
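# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS			off

# Set the user and group that the server runs as.
# An unprivileged identity limits what the daemon can touch when it is not
# acting on behalf of a logged-in user.
User				nobody
Group				nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile			off

# Define the log formats.
# The names "default" and "auth" are referenced by the ExtendedLog lines in
# the <Anonymous> section of this file.
LogFormat			default	"%h %l %u %t \"%r\" %s %b"
LogFormat			auth	"%v [%P] %h %t \"%r\" %s"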
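# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# Every LoadModule line below is commented out; uncomment only the modules
# that are actually needed, since each one adds code to the server.
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql.c
#
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
# (contrib/mod_sql_passwd.html)
# NOTE(review): MD5 and SHA1 are fast digests and poorly suited to password
# storage; before enabling, check whether the installed release offers a
# stronger scheme.
#   LoadModule mod_sql_passwd.c
#
# Mysql support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_mysql.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
#   LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
#   LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
#   LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
#   LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
#   LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
#   LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
#   LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
#   LoadModule mod_quotatab_radius.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
#   LoadModule mod_ctrls_admin.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
# NOTE(review): anything configured for this module runs on the server
# host; before enabling, review which identity the commands run as and
# which session-derived values are passed to them.
#   LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
#   LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
#   LoadModule mod_geoip.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
#   LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
#   LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
#   LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
#   LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
#   LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
#   LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
#   LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
#   LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
#   LoadModule mod_tls_shmcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
#   LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
#   LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
#   LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
#   LoadModule mod_wrap2_sql.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
#   LoadModule mod_ifsession.c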
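# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
# Enable this with PROFTPD_OPTIONS=-DTLS in /etc/sysconfig/proftpd
# Unless TLS is defined, nothing in this section applies and sessions,
# including the PAM-authenticated logins, run over cleartext FTP.
<IfDefine TLS>
  TLSEngine			on
  # Refuse sessions that do not protect both the control and data channels
  TLSRequired			on
  # Certificate and private key are read from the same PEM file, so that
  # file holds the private key and must not be readable by unprivileged
  # users.
  TLSRSACertificateFile		@PKIDIR@/certs/proftpd.pem
  TLSRSACertificateKeyFile	@PKIDIR@/certs/proftpd.pem
  # Offer strong suites only.  aNULL excludes every unauthenticated key
  # exchange (ADH alone does not cover anonymous ECDH); export-grade,
  # single-DES, RC4 and MD5-based suites are excluded explicitly so the
  # result does not depend on what the linked OpenSSL still ships.
  TLSCipherSuite		HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
  # Clients are not asked for a certificate; authentication remains the
  # password login.
  TLSOptions			NoCertRequest
  TLSVerifyClient		off
  #TLSRenegotiate		ctrl 3600 data 512000 required off timeout 300
  # NOTE(review): no TLSProtocol directive is set, so the accepted protocol
  # versions are whatever mod_tls defaults to in the installed release -
  # confirm that SSLv3 and older are not among them.
  TLSLog			/var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache		shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>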
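# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule			mod_ban.c
  BanEngine			on
  # BanLog records ban activity and is the file to watch for repeated
  # login failures; BanTable is the file mod_ban uses for its ban state.
  BanLog			/var/log/proftpd/ban.log
  BanTable			/var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  # NOTE(review): MaxLoginAttempts itself is not set in the configuration
  # shown here, so the limit being counted is the server's built-in default.
  BanOnEvent			MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans.
  # This grants all of mod_ban's control actions to the user "ftpadm".
  BanControlsACLs		all allow user ftpadm
</IfDefine>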
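# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask				022

  # Allow users to overwrite files and change permissions.
  # NOTE(review): this is a blanket allow for every command plus SITE CHMOD.
  # The <Anonymous> section of this file narrows it again with its own
  # <Limit> blocks; for authenticated users the remaining restrictions are
  # the DefaultRoot confinement and ordinary filesystem permissions.
  AllowOverwrite		yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

</Global>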
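# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
  # Anonymous sessions are rooted in the home directory of the "ftp" account
  # and run with that account's user and group.
  <Anonymous ~ftp>
    User			ftp
    Group			ftp
    AccessGrantMsg		"Anonymous login ok, restrictions apply."

    # We want clients to be able to log in with "anonymous" as well as "ftp"
    UserAlias			anonymous ftp

    # Limit the maximum number of anonymous logins
    MaxClients			10 "Sorry, max %m users -- try again later"

    # Put the user into /pub right after login
    #DefaultChdir		/pub

    # We want 'welcome.msg' displayed at login, '.message' displayed in
    # each newly chdired directory and tell users to read README* files.
    DisplayLogin		/welcome.msg
    DisplayChdir		.message
    DisplayReadme		README*

    # Cosmetic option to make all files appear to be owned by user "ftp"
    DirFakeUser			on ftp
    DirFakeGroup		on ftp

    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    # An upload directory that allows storing files but not retrieving
    # or creating directories.  Only STOR is re-enabled here; with READ
    # denied and AllowOverwrite off, anonymous users can neither fetch nor
    # replace what others have uploaded, so the directory cannot be used
    # to pass files between anonymous clients.
    <Directory uploads/*>
      AllowOverwrite		no
      <Limit READ>
        DenyAll
      </Limit>

      <Limit STOR>
        AllowAll
      </Limit>
    </Directory>

    # Don't write anonymous accesses to the system wtmp file (good idea!)
    WtmpLog			off

    # Logging for the anonymous transfers.
    # NOTE(review): these ExtendedLog lines sit inside <Anonymous>, so they
    # record anonymous sessions only; no ExtendedLog for authenticated
    # logins is visible in this file - confirm those are logged elsewhere.
    ExtendedLog			/var/log/proftpd/access.log WRITE,READ default
    ExtendedLog			/var/log/proftpd/auth.log AUTH auth

  </Anonymous>
</IfDefine>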