# ProFTPD configuration file.
#
# Directive reference:
#   http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config: settings that apply outside any <VirtualHost> or <Global>
# context.
# See: http://www.proftpd.org/docs/howto/Vhost.html

# ServerIdent is given an explicit string, so the greeting sent to clients
# before login is exactly the generic text below.
ServerName      "ProFTPD server"
ServerIdent     on "FTP Server ready."
ServerAdmin     root@localhost
DefaultServer   on
# Confine each FTP user to their home directory after login. The second
# argument of DefaultRoot is a group expression, so "!adm" exempts members
# of group adm; everyone else is rooted at "~".
# /etc/security/pam_env.conf is aliased into the virtual root so that
# pam_env keeps working at session-end time
# (http://bugzilla.redhat.com/477120).
# NOTE(review): VRootEngine comes from mod_vroot, which emulates the chroot
# inside the server instead of calling chroot(2) -- confirm that this is the
# isolation level you expect.
VRootEngine     on
DefaultRoot     ~ !adm
VRootAlias      etc/security/pam_env.conf /etc/security/pam_env.conf
# Authenticate through PAM (the default), using the "proftpd" PAM service.
# The "*" after mod_auth_pam.c marks PAM as authoritative: when PAM rejects
# a login, the decision is final and mod_auth_unix.c is not consulted.
AuthPAMConfig   proftpd
AuthOrder       mod_auth_pam.c* mod_auth_unix.c
# With NIS/YP/LDAP account sources you may need to disable PersistentPasswd:
#PersistentPasswd off
# Skip reverse DNS lookups on client addresses; they make the server hang
# whenever DNS has problems.
UseReverseDNS   off

# Unprivileged user and group that the server runs as.
User            nobody
Group           nobody

# DoS guard: cap the number of child processes at 20. Raise the value if
# more than 20 concurrent connections are needed. This ONLY takes effect in
# standalone mode; under inetd, use an inetd server that can limit the
# number of processes per service (such as xinetd).
MaxInstances    20

# sendfile stays off by default because it breaks the download-speed
# display in ftptop and ftpwho.
UseSendfile     off

# Log formats; the ExtendedLog directives in this file refer to them by
# name ("default" and "auth").
LogFormat       default "%h %l %u %t \"%r\" %s %b"
LogFormat       auth    "%v [%P] %h %t \"%r\" %s"
# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# Every LoadModule line in this section is commented out, so none of these
# modules is loaded by default. Each module that is enabled adds code that
# processes client input, so load only what the deployment actually needs.
#
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql.c
#
# MySQL support (requires proftpd-mysql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_mysql.c
#
# PostgreSQL support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
# LoadModule mod_sql_postgres.c
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
# LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
# LoadModule mod_quotatab_file.c
#
# SQL database "driver" for storing quota table information in SQL tables
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
# LoadModule mod_quotatab_sql.c
#
# LDAP support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
# LoadModule mod_ldap.c
#
# LDAP quota support (requires proftpd-ldap package)
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
# LoadModule mod_quotatab_ldap.c
#
# Support for authenticating users using the RADIUS protocol
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
# LoadModule mod_radius.c
#
# Retrieve quota limit table information from a RADIUS server
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
# LoadModule mod_quotatab_radius.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
# LoadModule mod_ctrls_admin.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
# NOTE(review): this module runs programs on the server in response to FTP
# activity; review every configured script and the values passed to it
# before enabling.
# LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
# LoadModule mod_facl.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
# LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
# LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
# LoadModule mod_rewrite.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
# LoadModule mod_site_misc.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
# LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
# LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
# LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
# LoadModule mod_wrap2_sql.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
# LoadModule mod_ifsession.c
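# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
# This section is applied only when TLS is defined at server startup
# (<IfDefine TLS>).
<IfDefine TLS>
  TLSEngine                 on

  # Refuse sessions that do not use TLS, on both control and data channels.
  TLSRequired               on

  # Certificate and private key are read from the same PEM file.
  # NOTE(review): because the private key lives in this file, confirm that
  # packaging installs it readable by root only.
  TLSRSACertificateFile     @PKIDIR@/certs/proftpd.pem
  TLSRSACertificateKeyFile  @PKIDIR@/certs/proftpd.pem

  # Previous value: ALL:!ADH:!DES. In OpenSSL cipher-list syntax "ALL"
  # admits every suite the library offers except eNULL, so that list still
  # accepted export-grade, RC4 and MD5-based suites (where the linked
  # OpenSSL provides them) and anonymous ECDH, which "!ADH" does not cover.
  # HIGH keeps only the strong suites and !aNULL removes every
  # unauthenticated key exchange.
  TLSCipherSuite            HIGH:!aNULL:!MD5

  # NOTE(review): no TLSProtocol is set here, so the accepted protocol
  # versions are whatever the installed mod_tls defaults to; consider
  # pinning it to the newest versions your build supports.

  # Server-authenticated TLS only: clients are neither asked for a
  # certificate nor verified against one.
  TLSOptions                NoCertRequest
  TLSVerifyClient           off

  #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
  TLSLog                    /var/log/proftpd/tls.log
</IfDefine>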
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule        mod_ban.c
  BanEngine         on
  BanLog            /var/log/proftpd/ban.log
  BanTable          /var/run/proftpd/ban.tab

  # Password-guessing throttle: a client that reaches the MaxLoginAttempts
  # limit 2 times within 10 minutes is banned automatically, and the ban
  # expires after one hour.
  # NOTE(review): MaxLoginAttempts itself is not set in the visible part of
  # this file, so the server default decides when the event fires.
  BanOnEvent        MaxLoginAttempts 2/00:10:00 01:00:00

  # Let the FTP admin account (ftpadm) add and remove bans by hand.
  BanControlsACLs   all allow user ftpadm
</IfDefine>
# Global Config: settings shared by the Server Config and all virtual hosts.
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a sensible default: it keeps new directories and files
  # from being group- or world-writable.
  Umask             022

  # Skip ident queries; they hang when the client's ident port is filtered.
  IdentLookups      off

  # Logged-in users may overwrite existing files and change permissions
  # (SITE CHMOD). The <Anonymous> section of this file overrides this with
  # its own <Limit WRITE SITE_CHMOD> DenyAll.
  AllowOverwrite    yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

</Global>
# Basic anonymous FTP configuration with an upload directory.
# Enable with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
  <Anonymous ~ftp>
    User              ftp
    Group             ftp
    AccessGrantMsg    "Anonymous login ok, restrictions apply."

    # Accept "anonymous" as a login name in addition to "ftp".
    UserAlias         anonymous ftp

    # Cap the number of simultaneous anonymous logins.
    MaxClients        10 "Sorry, max %m users -- try again later"

    # Uncomment to place the user in /pub right after login.
    #DefaultChdir /pub

    # Show 'welcome.msg' at login and '.message' in each directory the
    # client changes into, and point users at README* files.
    DisplayLogin      /welcome.msg
    DisplayChdir      .message
    DisplayReadme     README*

    # Cosmetic: listings show every file as owned by user and group "ftp".
    DirFakeUser       on ftp
    DirFakeGroup      on ftp

    # Deny WRITE commands and SITE CHMOD everywhere in the anonymous chroot;
    # the upload directory below re-allows STOR only.
    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    # Upload directory: files can be stored but not retrieved, existing
    # files cannot be overwritten, and directories cannot be created
    # (directory creation stays under the WRITE denial above).
    # NOTE(review): only READ is denied here; directory listing is
    # presumably still allowed, so uploaded file names would remain
    # visible -- confirm that this is intended.
    # NOTE(review): nothing in this section bounds the size or number of
    # uploads; consider a quota (see mod_quotatab in the DSO section) or a
    # dedicated filesystem so anonymous uploads cannot fill the disk.
    <Directory uploads/*>
      AllowOverwrite  no
      <Limit READ>
        DenyAll
      </Limit>

      <Limit STOR>
        AllowAll
      </Limit>
    </Directory>

    # Keep anonymous accesses out of the system wtmp file.
    WtmpLog           off

    # Log anonymous transfers and authentication attempts, using the
    # "default" and "auth" LogFormat definitions.
    ExtendedLog       /var/log/proftpd/access.log WRITE,READ default
    ExtendedLog       /var/log/proftpd/auth.log AUTH auth

  </Anonymous>
</IfDefine>