install-proftpd-on-ubuntu

Build and install

cd proftpd-1.3.6
./configure --with-modules=mod_quotatab:mod_quotatab_file # the module list is optional
make
sudo make install # installs under /usr/local/ by default

Add an FTP user

sudo mkdir /var/ftproot # the directory the FTP user will be allowed to access
sudo useradd ftpuser -d /var/ftproot/ -s /usr/sbin/nologin # deny shell login
sudo passwd ftpuser
sudo chown ftpuser:ftpuser /var/ftproot

Deny the FTP user a login shell

/etc/shells
/usr/sbin/nologin # add this line; adjust it to the actual path of nologin

Edit the proftpd.conf configuration

/usr/local/etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on

# Address to bind; this may be a public address
#DefaultAddress "xxx.xxx.xxx.xxx"

# Passive mode: keep the ports ProFTPD picks at random within this range
# Not needed for LAN-only use
PassivePorts 65400 65420

# Port 21 is the standard FTP port.
Port 21

# Don't use IPv6 support by default.
UseIPv6 off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
# Must match the user created above
User ftpuser
Group nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# Keep users from wandering around the filesystem after login
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
#<Anonymous ~ftp>
# User ftp
# Group ftp
#
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE>
# DenyAll
# </Limit>
#</Anonymous>

Firewall configuration

If the FTP server uses passive mode, the iptables rules below are needed so that clients outside the LAN can connect.

They are not required for LAN-only use. Note that the port range must match the PassivePorts range configured in proftpd.conf above.

iptables -A INPUT -p tcp --dport 65400:65420 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 65400:65420 -j ACCEPT
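As an added consistency check (example code written for this page, not part of the original post or of ProFTPD), the script below parses the directives that matter from proftpd.conf and the port ranges opened by the iptables rules, and reports when the two disagree or when a hardening directive from the config above is missing. The sample config and rules are constructed from the values shown on this page.

```python
import re

# Constructed sample: the directives that matter from the proftpd.conf above.
SAMPLE_CONF = """\
PassivePorts 65400 65420
Port 21
User ftpuser
DefaultRoot ~
<Limit SITE_CHMOD>
DenyAll
</Limit>
"""
# Constructed sample: the iptables rules from the firewall section.
SAMPLE_RULES = [
    "iptables -A INPUT -p tcp --dport 65400:65420 -j ACCEPT",
    "iptables -A OUTPUT -p tcp --sport 65400:65420 -j ACCEPT",
]

def parse_directives(conf_text):
    """Map top-level 'Name value' lines to a dict; comments and <blocks> are skipped."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    return directives

def iptables_ranges(rules):
    """Collect the N:M ranges passed to --dport/--sport across all rules."""
    found = re.findall(r"--[ds]port\s+(\d+):(\d+)", "\n".join(rules))
    return [(int(lo), int(hi)) for lo, hi in found]

def audit(conf_text, rules):
    """Return a list of findings; an empty list means config and firewall agree."""
    findings = []
    directives = parse_directives(conf_text)
    if directives.get("DefaultRoot") != "~":
        findings.append("DefaultRoot ~ missing: users are not chrooted to their home")
    if "<Limit SITE_CHMOD>" not in conf_text:
        findings.append("no <Limit SITE_CHMOD> block: clients may change file modes")
    if "PassivePorts" not in directives:
        findings.append("PassivePorts not set: passive data ports are unrestricted")
    else:
        low, high = (int(x) for x in directives["PassivePorts"].split())
        if (low, high) not in iptables_ranges(rules):
            findings.append("iptables rules do not open PassivePorts %d:%d" % (low, high))
    return findings
```

Run `audit(open("/usr/local/etc/proftpd.conf").read(), rules)` against the rules you actually load to catch a firewall range that drifted away from the PassivePorts directive.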

Start the server

sudo service proftpd start, or run /usr/local/sbin/proftpd directly

Introduction to FTP passive mode

http://slacksite.com/other/ftp.html