1. ProFTPD doesn't seem to work, I start it but it
doesn't show up in a
`ps'. What's wrong?
2. My syslog has errors in it such as
"inet_create_connection() failed: Operation not permitted".
I use the shadow password suite. Users cannot login to
ProFTPD.
3. When I try to start proftpd from the command line, all I
see is "Fatal: Socket operation on non-socket", and proftpd does not
start.
4.
I'm having problems with FTP clients behind firewalls, they cannot seem
to get directory listings or transfer files. I've checked and it seems
that proftpd isn't using port 20 as the source port for it's data
connections; can this be changed?
5.
I cannot get Anonymous FTP to work. I've tried all the sample
configuration files, however no matter what I try, every time I attempt to
login to proftpd as 'ftp' or 'anonymous' I get "550 Login
incorrect.".
6.
What should I add or remove from my /etc/inetd.conf in order to run
proftpd from the inetd super-server?
7.
Can I use tcp-wrappers with proftpd?
8.
How do I add another anonymous login or guest account?
9. How do I allow uploads to a specific directory in a secure
fashion? I don't want users downloading or creating sub-directories in
it.
10.
How can I hide a directory from anonymous clients. I only want clients
getting in to it if they know the exact name.
11.
File/Directory hiding isn't working for me! I can still see the file or
directory when performing an anonymous FTP?
12.
I have a hidden directory, but I want to prevent users from accessing it
altogether. How can I do this?
13.
How do I setup a virtual FTP server?
14.
I don't want to let my normal FTP users into my virtual FTP servers using
their usernames/passwords. I only want anonymous FTP to work for a virtual
server. How can I do this?
15.
Can I run an FTP server on another port besides the standard ftp port
(21) without running a separate copy of
ProFTPD?
16.
How does <Limit LOGIN> work, and where should I use
it?
17.
How can I limit one or more user sessions to a particular directory tree?
(chroot jail)
The following questions and answers apply to proftpd version 1.1.3 and
later only! None of these features will work in 1.0.x
versions.
18.
How do I create anonymous FTP sites for my users? Creating a separate
<Anonymous> configuration for each user is too
difficult.
19.
How do I create an Anonymous configuration that runs as a particular
user, but still allow the user to login normally? I don't want to have to
use a separate virtual host.
1. ProFTPD doesn't seem to work, I start it but it
doesn't show up in a `ps'. What's wrong?
Answer: It could be many things, possibly something like not running
proftpd as root (it needs to be run as root initially, but will switch to
a non-privileged user). Regardless, proftpd logs all errors via the
standard syslog mechanism. You need to check your system logs in order to
determine what the problem is.
2. My syslog has errors in it such as
"inet_create_connection() failed: Operation not permitted".
I use the shadow password suite. Users cannot login to
ProFTPD.
Answer: You aren't starting proftpd as root, or you have inetd
configured to run proftpd as a user other than root. The proftpd daemon
must be started as root in order to bind to tcp ports lower than 1024, or
to open your shadow password file when authenticating users. The daemon
switches uid/gids to the user and group specified by the User/Group
directives during normal operation, so a `ps' will show it running as the
user you specified.
3. When I try to start proftpd from the command line,
all I see is "Fatal: Socket operation on non-socket", and proftpd does not
start.
Answer:
You have proftpd configured to run in inetd mode instead of
standalone. In this mode, proftpd expects that it will be run from the
inetd super-server, which implies that stdin/stdout will be sockets
instead of terminals. As a result, socket operations will fail and the
above error will be printed. If you wish to run proftpd from the shell, in
standalone mode, you'll need to modify your proftpd.conf configuration
file and add or edit the ServerType directive to read:
ServerType standalone
4. I'm having problems with FTP clients behind
firewalls, they cannot seem to get directory listings or transfer files.
I've checked and it seems that proftpd isn't using port 20 as the source
port for it's data connections; can this be changed?
Answer: There is a known security problem with ALL unix FTP daemons,
which requires the daemon to retain root privileges even after a client
has fully authenticated. In proftpd versions 1.0.x, we chose to ignore
RFC959's port 20 requirements in the interests of security. Unfortunately,
over time, it became obvious that this was a bad idea. Until the RFC is
"fixed", this problem will continue to plague unix FTP servers.
In proftpd versions 1.1.x and higher, we chose to go the "standard" route,
retaining root at all times, allowing the daemon to bind to port 20 and be
completely RFC959 compliant. The security issue remains, however the code
is carefully structured to handle this in as secure a fashion as
possible.
You have two options for working around this problem:
1. Upgrade to proftpd 1.1.x (development versions).
2. Have your FTP clients use passive mode. Passive mode data connections
originate from the client, and thus do not experience this "port 20"
problem.
5. I cannot get Anonymous FTP to work. I've tried all
the sample configuration files, however no matter what I try, every time I
attempt to login to proftpd as 'ftp' or 'anonymous' I get "550 Login
incorrect.".
Answer: Check the following first:
1. Make sure the user/group you specified inside the <Anonymous> block
actually exists. This must be a real user and group, as it is used to
control whom the daemon runs as and authenticates as.
2. If RequireValidShell is not specifically turned off, make sure that
your "ftp user" (as specified by the User directive inside an
<Anonymous> block), has a valid shell listed in /etc/shells. If you do
not wish to give the user a valid shell, you can always use
"RequireValidShell off" to disable this check.
3. If UseFtpUsers is not specifically turned off, make sure that your "ftp
user" is not listed in /etc/ftpusers.
If all else fails, you should check your syslog. When authentication fails
for any reason, proftpd uses the syslog mechanism to log the reason for
failure; using the AUTH (or AUTHPRIV) facility. If you need further
assistance, you can send email, including related syslog entries and your
configuration file, to the proftpd mailing list at:
proftpd-l@evcom.net.
6. What should I add or remove from my /etc/inetd.conf
in order to run proftpd from the inetd super-server?
Answer: Find the line in /etc/inetd.conf that looks something like
this:
ftp stream tcp nowait root in.ftpd in.ftpd
Replace it with:
ftp stream tcp nowait root in.proftpd in.proftpd
Then, find your inetd process in the process listing and send it the
SIGHUP signal so that it will rehash and reconfigure itself. Example (do
not type the following literally, as pid 189 will mo
kill -1 189
7. Can I use tcp-wrappers with proftpd?
Answer: Sure. Although ProFTPD has built-in IP access control (see the
Deny and Allow directives), many admins choose to consolidate IP access
control in one place via in.tcpd. Just configure proftpd to run from inetd
as any other tcp-wrapper wrapped daemon does:
ftp stream tcp nowait root in.tcpd in.proftpd
8. How do I add another anonymous login or guest
account?
Answer: You should look in the sample-configurations/ directory from
your distribution tarball. Basically, you'll need to create another user
on your system for the guest/anonymous ftp login. For security reasons,
it's very important that you make sure the user account either has a
password or has an "unmatchable" password. The root directory of the
guest/anonymous account doesn't have to be the user's directory, but it
makes sense to do so. After you have created the account, put something
like the following in your /etc/proftpd.conf file (assuming the new
user/group name is private/private):
<Anonymous ~private>
AnonRequirePassword off
User private
Group private
RequireValidShell off
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
This will allow ftp clients to login to your site with the username
'private' and their e-mail address as a password. You can change the
AnonRequirePassword directive to "on" if you want clients to be forced to
transmit the correct password for the 'private' account. This sample
configuration allows clients to change into, list and read all
directories, but denies write access of any kind.
9. How do I allow uploads to a specific directory in a
secure fashion? I don't want users downloading or creating sub-directories
in it.
Answer: The following snippet from a sample configuration file
illustrates how to protect an "upload" directory in such a fashion (which
is a very good idea if you don't want people using your site for
"warez"):
<Anonymous /home/ftp>
User ftp
Group ftp
UserAlias anonymous ftp
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
<Directory incoming>
<Limit STOR>
AllowAll
</Limit>
<Limit READ>
DenyAll
</Limit>
</Directory>
</Anonymous>
This denies all write operations to the anonymous root directory and
sub-directories, except "incoming/" where the permissions are reversed and
the client can store but not read. If you used <Limit WRITE> instead of
<Limit STOR> on <Directory incoming>, ftp clients would be allowed
to perform all write operations to the sub-dir, including deleting,
renaming and creating directories.
10. How can I hide a directory from anonymous clients.
I only want clients getting in to it if they know the exact
name.
Answer: Use the HideUser or HideGroup directive in combination with
the proper user/group ownership on the directive. For example, if you have
the follow directory in your anonymous ftp directory tree:
drwxrwxr-x 3 ftp staff 6144 Apr 21 16:40 private
You can use a directive such as "HideGroup staff" to hide the private
directory from a directory listing. Example:
<Anonymous ~ftp>
...
<Directory Private>
HideGroup staff
</Directory>
...
</Anonymous>
11. File/Directory hiding isn't working for me! I can
still see the file or directory when performing an anonymous
FTP?
Answer: You need to make sure that the group you are hiding isn't the
anonymous ftp user's primary group, or HideGroup won't apply.
12. I have a hidden directory, but I want to prevent
users from accessing it altogether. How can I do this?
Answer: You can either change the permissions on the directory to
prevent the anonymous FTP user from accessing it, or if you want to make
it appear completely invisible (as though there is no such directory), use
the IgnoreHidden directive inside a <Limit> block for one or more
commands that you want to completely ignore the hidden directory entries
(ignore = act as if the directory entry does not exist).
13. How do I setup a virtual FTP server?
Answer: First off, have you read the documentation that came with the
server? If not, do so now. If you still have questions, read on:
You'll need to configure your host to be able to handle multiple IP
addresses. This is often called "aliasing", and can generally be
configured through an IP alias or dummy interface. You need to read your
operating system documentation to figure out how to do this. Once your
have the host configured to accept the additional IP address that you wish
to offer a virtual FTP server on, use the <VirtualHost> configuration
directive to create the virtual server:
<VirtualHost 10.0.0.1>
ServerName "My virtual FTP server"
</VirtualHost>
You can add additional directive blocks into the <VirtualHost> block in
order to create anonymous/guest logins and the like which are only
available on the virtual host.
14. I don't want to let my normal FTP users into my
virtual FTP servers using their usernames/passwords. I only want anonymous
FTP to work for a virtual server. How can I do this?
Answer: Use : <Limit LOGIN> block to deny access at the top-level
of the virtual host, then use <Limit LOGIN> again in your
<Anonymous> block to allow access to the anonymous login. This permits
logins to a virtual anonymous server, but denies to everything else.
Example:
...
<VirtualHost 10.0.0.1>
ServerName "My virtual FTP server"
<Limit LOGIN>
DenyAll
</Limit>
<Anonymous /usr/local/private>
User private
Group private
<Limit LOGIN>
AllowAll
</Limit>
...
</Anonymous>
</VirtualHost>
15. Can I run an FTP server on another port besides
the standard ftp port (21) without running a separate copy of
ProFTPD?
Answer: Yes. Use a <VirtualHost> block with your machine's FQDN
(Fully Qualified Domain Name) or IP address, and a Port directive inside
the <VirtualHost> block. For example, if your host is named
"myhost.mydomain.com" and you want to run an additional FTP server on port
2001, you would:
...
<VirtualHost myhost.mydomain.com>
Port 2001
...
</VirtualHost>
16. How does <Limit LOGIN> work, and where should I
use it?
Answer: The <Limit LOGIN> directive is used to control connection
or login access to a particular context (the directive block which
contains it). When a client initially connects to proftpd, the daemon
searches the configuration tree for <Limit LOGIN> directives, and
attached parameters (such as Allow, Deny, etc). If it determines that
there is no possible way for the client to ever be allowed to login, such
as a "Deny from" matching the client's source address, without an
overriding "Allow from" at a lower level, the client is disconnected
without being offered the opportunity to transmit a user and password.
However, if it is possible for the client to be allowed a login, proftpd
continues as per normal, allowing the client to login only if the proper
<Limit LOGIN> applies. Normally, <Limit> directive blocks are
allowed in the server config, <VirtualHost>, <Anonymous> and
<Directory> contexts. However, <Limit LOGIN> should not be used in a
<Directory> context, as clients do not connect/login to a directory
(and thus it is meaningless).
By way of example, the following configuration snippit illustrates a
<Limit LOGIN> deny which will cause any incoming connections from the
10.1.1.x subnet to be immediately disconnected, without a welcome
message:
...
<Limit LOGIN>
Order deny,allow
Deny from 10.1.1.
Allow from all
</Limit>
...
Next, an example of a configuration using <Limit LOGIN> that will not
immediately disconnect an incoming client, but will return "Login invalid"
for all login attempts except anonymous.
...
<Limit LOGIN>
DenyAll
</Limit>
<Anonymous ~ftp>
...
<Limit LOGIN>
AllowAll
</Limit>
...
17. How can I limit one or more user sessions to a
particular directory tree? (chroot jail)
Answer: You can use an <Anonymous> directive context block,
possibly in combination with a UserPassword/AnonRequirePassword directive.
If you wish to jail an entire group (or groups) of users, you can use the
DefaultRoot directive (available only in 0.99.0pl7 and above). DefaultRoot
lets you specify a root jailed directory (or '~' for the user's home
directory), and an optional group-expression argument which can be used to
control which groups of users the jail will be applied to. For
example:
...
<VirtualHost myhost.mynet.foo>
DefaultRoot ~
...
</VirtualHost>
This creates a configuration where all users who log into myhost.mynet.foo
are jailed into their home directories (cannot chdir into a higher level
directory). Alternatively, you could:
...
<VirtualHost myhost.mynet.foo>
DefaultRoot /u2/public users,!staff
...
</VirtualHost>
In this sample, all users who are members of group 'users', but not
members of group 'staff' are jailed into /u2/public. If a user does not
meet the group-expression requirements, they login as per normal (not
jailed, default directory is their home).
You can use multiple DefaultRoot directives to create multiple jails
inside the same directive context. If two DefaultRoot directives apply to
the same user, proftpd arbitrarily chooses one (based on how the
configuration file was parsed).
The following questions and answers apply to proftpd version 1.1.3 and
later only! None of these features will work in 1.0.x versions.
18. How do I create anonymous FTP sites for my users?
Creating a separate <Anonymous> configuration for each user is too
difficult.
Answer: There are two methods of accomplishing this (possibly more).
First, you can create a directory structure inside your anonymous FTP root
directory, creating a single directory for each user and setting
ownership/permissions as appropriate. Then, either create a symlink from
each user's home directory into the FTP site, or instruct your users on
how to access their directory.
The alternate method (and more versatile) of accomplishing per-user
anonymous FTP is to use AnonymousGroup in combination with the DefaultRoot
directory. You'll probably want to do this inside a <VirtualHost>,
otherwise none of your users will be able to access your system without
being stuck inside their per-user FTP site. Additionally, you'll want to
use a defered <Directory> block to carefully limit outside access to
each user's site.
Step 1: Create a new unix group on your system named `anonftp'. Please
each user who will have per-user anonymous FTP in this group.
Step 2: Create an `anon-ftp' and `anon-ftp/incoming' directory in each
user's home directory.
Step 3: Modify your /etc/proftpd.conf file to look something like this
(you'll probably want to customize this to your needs):
<VirtualHost my.per-user.virtual.host.address>
# the next line limits all logins to this virtualhost, so that only
anonftp users can connect
<Limit LOGIN>
DenyGroup !anonftp
</Limit>
# limit access to each user's anon-ftp directory, we want read-only except
on incoming
<Directory ~/anon-ftp>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
# permit stor access to each user's anon-ftp/incoming directory, but deny
everything else
<Directory ~/anon-ftp/incoming>
<Limit STOR>
AllowAll
</Limit>
<Limit READ WRITE>
DenyAll
</Limit>
</Directory>
# provide a default root for all logins to this virtualhost.
DefaultRoot ~/anon-ftp
# Finally, force all logins to be anonymous for the anonftp group
AnonymousGroup anonftp
</VirtualHost>
19. How do I create an Anonymous configuration that
runs as a particular user, but still allow the user to login normally? I
don't want to have to use a separate virtual host.
Answer: You can use the AuthAliasOnly directive to control how and
where real usernames get authenticated (as opposed to aliased names, via
the UserAlias directive). Note that it is still impossible to have two
identical aliased names login to different anonymous sites; for that you
would need <VirtualHost>.
Example:
...
<Anonymous ~jrluser>
User jrluser
Group jrluser
UserAlias ftp jrluser
UserAlias anonymous jrluser
AuthAliasOnly on
...
</Anonymous>
Here, the <Anonymous> configuration for ~jrluser is set to allow alias
authentication only. Thus, if a client attempts to authenticate as
'jrluser', the anonymous config will be ignored and the client will be
authenticated as if they were a normal user (typically resulting in
`jrluser' logging in normally). However, if the client uses the aliased
username `ftp' or `anonymous', the anonymous block is applied.
Note: If you need more information on ProFTPD
visit http://www.proftpd.org
