# This is the ProFTPD configuration file
#
# Read by the proftpd daemon at startup. Feature-specific fragments are pulled
# in through the Include directives below (modules.conf, mod_tls.conf,
# mod_ban.conf, mod_qos.conf, anonftp.conf and conf.d/*.conf).
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Security-Enhanced Linux (SELinux) Notes:
#
# In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux
# in order to mitigate the effects of an attacker taking advantage of an
# unpatched vulnerability and getting control of the ftp server. By default,
# ProFTPD cannot read or write most files on a system nor connect to many
# external network services, but these restrictions can be relaxed by
# setting SELinux booleans as follows. Each boolean widens what a
# compromised daemon could reach, so enable only those the deployment needs.
#
# setsebool -P ftpd_anon_write=1
# This allows the ftp daemon to write to files and directories labelled
# with the public_content_rw_t context type; the daemon would only have
# read access to these files normally. Files to be made available by ftp
# but not writable should be labelled public_content_t.
# On older systems this boolean was called allow_ftpd_anon_write.
#
# setsebool -P ftpd_full_access=1
# This allows the ftp daemon to read and write all files on the system.
# On older systems this boolean was called allow_ftpd_full_access, and there
# was a separate boolean ftp_home_dir to allow the ftp daemon access to
# files in users' home directories.
#
# setsebool -P ftpd_use_cifs=1
# This allows the ftp daemon to read and write files on CIFS-mounted
# filesystems.
# On older systems this boolean was called allow_ftpd_use_cifs.
#
# setsebool -P ftpd_use_fusefs=1
# This allows the ftp daemon to read and write files on ntfs/fusefs-mounted
# filesystems.
#
# setsebool -P ftpd_use_nfs=1
# This allows the ftp daemon to read and write files on NFS-mounted
# filesystems.
# On older systems this boolean was called allow_ftpd_use_nfs.
#
# setsebool -P ftpd_connect_all_unreserved=1
# This setting is only available from Fedora 16/RHEL-7 onwards, and is
# necessary for active-mode ftp transfers to work reliably with non-Linux
# clients (see http://bugzilla.redhat.com/782177), which may choose to
# use port numbers outside the "ephemeral port" range of 32768-61000.
#
# setsebool -P ftpd_connect_db=1
# This setting allows the ftp daemon to connect to commonly-used database
# ports over the network, which is necessary if you are using a database
# back-end for user authentication, etc.
#
# setsebool -P ftpd_use_passive_mode=1
# This setting allows the ftp daemon to bind to all unreserved ports for
# passive mode.
#
# All of these booleans are unset by default.
#
# See also the "ftpd_selinux" manpage.
#
# Note that the "-P" option to setsebool makes the setting permanent, i.e.
# it will still be in effect after a reboot; without the "-P" option, the
# effect only lasts until the next reboot.
#
# Restrictions imposed by SELinux are on top of those imposed by ordinary
# file ownership and access permissions; in normal operation, the ftp daemon
# will not be able to read and/or write a file unless *all* of the ownership,
# permission and SELinux restrictions allow it.

# Load DSO modules as required
# This must come before the <IfModule> blocks further down, which only take
# effect when the named module has actually been loaded.
Include /etc/proftpd/modules.conf

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

# Trace logging, disabled by default for performance reasons
# (http://www.proftpd.org/docs/howto/Tracing.html)
# Uncomment both lines to enable it; raise the level above 0 for more detail.
#TraceLog /var/log/proftpd/trace.log
#Trace DEFAULT:0

# Name shown in the greeting and used by the %v log variable
ServerName "ProFTPD server"
# A fixed greeting string keeps the software name and version out of the
# 220 banner that every client (and scanner) sees before authenticating
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
# This server config answers connections that no <VirtualHost> claims
DefaultServer on

# Cause every FTP user except adm to be chrooted into their home directory.
# "~" is the user's home directory; "!adm" is a group expression exempting
# members of the adm group from the chroot.
DefaultRoot ~ !adm

# Use pam to authenticate (default) and be authoritative
# PAM service name to use for authentication
AuthPAMConfig proftpd
# The trailing "*" marks mod_auth_pam as authoritative: when PAM rejects a
# login, mod_auth_unix is not consulted as a fallback.
AuthOrder mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off

# Don't do reverse DNS lookups (hangs on DNS problems)
# As a result the %h log variable and any host-based matching see the
# client's IP address rather than a resolved name.
UseReverseDNS off

# Set the user and group that the server runs as
# Unprivileged identity for the server processes; they should not need
# root once started.
User nobody
Group nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit the maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off

# Define the log formats
# These named formats are referenced by ExtendedLog directives; none appear
# in this file, so presumably they live in the included fragments — confirm.
# "default" follows the common access-log layout; "auth" records the server
# name, process id, client, timestamp, request and status.
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Don't log hostname or timestamps because systemd will do that for us
LogOptions -Timestamp -Hostname +RoleBasedProcessLabels

# Enable basic controls via ftpdctl
# (http://www.proftpd.org/docs/modules/mod_ctrls.html)
ControlsEngine on
# Only root may issue control actions
ControlsACLs all allow user root
# Any local account may connect to the control socket; what it can do is
# still limited by ControlsACLs above. Narrow this to root or an admin group
# if that local exposure is unwanted.
ControlsSocketACL allow user *
# Control requests are written here; review it when auditing admin actions
ControlsLog /var/log/proftpd/controls.log

# Enable admin controls via ftpdctl
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine on
  # Same policy as ControlsACLs: admin actions are root-only
  AdminControlsACLs all allow user root
</IfModule>

# Enable mod_vroot by default for better compatibility with PAM
# (http://bugzilla.redhat.com/506735)
# Only active when modules.conf has loaded mod_vroot.
<IfModule mod_vroot.c>
  VRootEngine on
</IfModule>

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
# Enable this with PROFTPD_OPTIONS=-DTLS in /etc/sysconfig/proftpd
# Without the TLS define the server speaks plaintext FTP only, so
# credentials and data cross the network unencrypted. The TLS policy
# itself (certificates, required/optional, protocols) lives in mod_tls.conf.
<IfDefine TLS>
  Include /etc/proftpd/mod_tls.conf
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
# NOTE(review): this block is conditioned on mod_ban being loaded, not on
# the DYNAMIC_BAN_LISTS define; presumably modules.conf loads mod_ban only
# under that define — confirm, otherwise the comment above is misleading.
<IfModule mod_ban.c>
  Include /etc/proftpd/mod_ban.conf
</IfModule>

# Set networking-specific "Quality of Service" (QoS) bits on the packets used
# by the server (http://www.proftpd.org/docs/contrib/mod_qos.html)
# Only active when modules.conf has loaded mod_qos.
<IfModule mod_qos.c>
  Include /etc/proftpd/mod_qos.conf
</IfModule>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask 022

  # Allow users to overwrite files and change permissions
  AllowOverwrite yes
  # ALL covers every FTP command; SITE_CHMOD is listed separately because it
  # is not part of ALL. Being in <Global>, this permits every command for
  # every authenticated user on every host; add narrower <Limit> blocks per
  # directory or virtual host where that is too broad.
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

</Global>

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
# Anonymous access is off unless the define is set; the account, directory
# and upload rules are in anonftp.conf.
<IfDefine ANONYMOUS_FTP>
  Include /etc/proftpd/anonftp.conf
</IfDefine>

# Include other custom configuration files
# Processed last, so local drop-ins can adjust the defaults above; for
# directives that may appear only once, confirm which occurrence wins
# before relying on an override here.
Include /etc/proftpd/conf.d/*.conf