ProFTP
I'm using ProFTP as a local ftp-server, meaning it is only reachable by hosts on my LAN. I have
no intention of, nor any use for, making it public. As a consequence, securing it all the way
down is not really a topic here. Keep in mind that the setup I use is absolutely NOT suitable for a wide-open, public ftp-server: plain FTP sends user names, passwords and file contents in cleartext, so everything below assumes a network you trust.
One word about the use as a local ftp-server. I use this ftp-server to upload the backup-files I make on
every host. One could say that this can also be done with either Samba or NFS, but ftp has the advantage that it's
easily accessible from almost every host, no matter what OS it's running. To upload the files, I use
ncftpput with this syntax (take a look at the man-page for more details):
ncftpput -u myuploaduser -p verysecret -V -DD ftp.cudeso.be . /var/backup/home.tar.gz
Note that a password given with -p is visible to every local user in the process list (ps) and ends up in the shell history; ncftpput can read host, user and password from a file with -f instead, which is the better option for a script that runs unattended.
The homepage of ProFTP
http://proftpd.linux.co.uk
Although there are some RPMs available, I prefer to install it from source. You can easily download it from the
ProFTP homepage (there's a link in the upper-left corner to the most recent version). Copy the file to the place
where you normally install your packages.
First unpack it with :
tar -zxvf proftp.tar.gz
This will result in a directory proftp. Change to this directory and run the configure script
with --enable-shadow so that ProFTP can use the shadow-password facility (on a system with shadow passwords the hashes live in /etc/shadow, and without this option ProFTP only sees the placeholders in /etc/passwd). Afterwards,
run the usual make and make install.
cd proftp
./configure --enable-shadow
make
make install
By default, ProFTP places its configuration file in /usr/local/etc. I really hate this. You can
either start ProFTP with a configuration-file directive,
proftpd -c <my-config-file>
or you place a link in /etc
(where normally all config-files should be placed). I prefer the 'link' way: when ProFTP is started from inetd/xinetd the -c option would have to go into the xinetd stanza as server_args, whereas with the link the daemon finds its file in /usr/local/etc no matter how it is started, and you edit it as /etc/proftpd.conf. Linking is easy:
ln -s /usr/local/etc/proftpd.conf /etc/proftpd.conf
Open up the proftpd.conf with your favorite editor. Below is my config-file.
Example of proftpd.conf
ServerName "Cudeso FTP"
ServerType inetd
DefaultServer on
SystemLog /var/log/proftp
Port 21
Umask 006
MaxInstances 30
User nobody
Group nobody
RequireValidShell off
# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>
ServerName is quite obvious, no?
With ServerType you specify whether ProFTP runs standalone or from inetd/xinetd.
When you're running a small site with few connections, I suggest inetd: this way ProFTP doesn't take up
CPU cycles or memory when nobody is connected. When there's high traffic, standalone mode is the better choice,
because the one major disadvantage of inetd/xinetd is that for every new connection the inetd daemon has to
start a fresh proftpd process, which the standalone daemon avoids. Possible settings are
standalone or inetd.
SystemLog instructs ProFTP to log to the file /var/log/proftp. By default, ProFTP sends its logs
to syslog.
DefaultServer on makes this server handle all connections that are not addressed to a specifically configured virtual host.
Port, Umask and MaxInstances are obvious. One word about
MaxInstances: it caps the number of child processes the daemon will fork. Don't set it too high, or a flood of connections can exhaust memory and process slots (a DoS); don't set it too low either, or the same flood locks out legitimate users. Note that it only applies in standalone mode; with ServerType inetd the instances setting in the xinetd stanza is the limit that counts.
User and Group are the user and group as which ProFTP runs (doesn't this make sense, no?)
With RequireValidShell off you allow users to connect even when their login shell is not listed in /etc/shells. That is exactly what you want for an upload-only backup account: give it /bin/false as shell, so its password works for ftp but not for an interactive login.
The <Directory /*> block turns AllowOverwrite on for the whole tree, so a re-upload of home.tar.gz replaces the previous copy instead of failing. Since there is no DefaultRoot directive, a logged-in user can also browse the whole filesystem within its Unix permissions; DefaultRoot ~ would confine each user to its home directory, and AllowOverwrite could then be limited to the upload directory.
I had quite some problems starting ProFTP from xinetd. Finally I got it to work by putting together bits from tftp, wu-ftp and
my own inspiration. This is what came out of it (and it works on my LAN).
example of ProFTP startup file in /etc/xinetd.d
service ftp
{
flags = REUSE
socket_type = stream
instances = 50
wait = no
user = root
server = /usr/local/sbin/proftpd
bind = 192.168.1.1
log_on_success = HOST PID
log_on_failure = HOST RECORD
}
Just place this file in the directory /etc/xinetd.d and the service comes up after you restart xinetd. Two remarks: bind = 192.168.1.1 keeps the listener on the LAN interface, and adding only_from = 192.168.1.0/24 (your LAN's network) makes xinetd refuse any client that is not on it, a cheap second line of defence for a server that is LAN-only anyway. user = root is needed because proftpd must be able to switch to the identity of whoever logs in; the instances line, not MaxInstances in proftpd.conf, is what limits concurrent sessions in this mode.
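As an added example (not code from this page or from the ProFTPD project), here is a small Python linter for the two configuration files above. It parses a proftpd.conf and the xinetd stanza and reports the points made in the explanations of both: MaxInstances being ignored when ServerType is inetd, the missing DefaultRoot, the blanket AllowOverwrite under <Directory /*>, a bind address outside the private ranges, and the absence of only_from. The check list itself, the hardened variants it builds (DefaultRoot ~, a narrower <Directory /home/*/backup>, only_from for an assumed 192.168.1.0/24 LAN) and the abridged sample configs are assumptions for this page's setup, not ProFTPD defaults.

```python
"""Lint the LAN-only ProFTPD setup from this page (added example, not a
ProFTPD or xinetd tool). Parses proftpd.conf plus the xinetd stanza and
reports the points discussed above. The checks, the hardened variants and
the 192.168.1.0/24 LAN range are assumptions made for this page's setup."""
import ipaddress
import re

# Constructed samples: the page's configs, cut down to the lines the checks read.
PROFTPD_CONF = """\
ServerName "Cudeso FTP"
ServerType inetd
MaxInstances 30
User nobody
Group nobody
RequireValidShell off
# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>
"""
XINETD_CONF = """\
service ftp
{
instances = 50
user = root
server = /usr/local/sbin/proftpd
bind = 192.168.1.1
}
"""
# Assumed hardened variants: drop the ignored MaxInstances, jail users in their
# home with DefaultRoot, allow overwrites only below ~/backup, and have xinetd
# reject clients that are not on the LAN.
PROFTPD_HARDENED = PROFTPD_CONF.replace("MaxInstances 30\n", "").replace(
    "<Directory /*>", "DefaultRoot ~\n<Directory /home/*/backup>")
XINETD_HARDENED = XINETD_CONF.replace(
    "bind = 192.168.1.1", "bind = 192.168.1.1\nonly_from = 192.168.1.0/24")


def parse_proftpd(text):
    """Return (global directives, {(section, path): directives})."""
    top, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<(\w+)\s+([^>]+)>", line)
        if opened:  # e.g. <Directory /*> starts a section
            current = (opened.group(1), opened.group(2).strip())
            sections[current] = {}
        elif re.fullmatch(r"</\w+>", line):
            current = None
        else:  # "Name value" with optional quotes around the value
            name, _, value = line.partition(" ")
            (sections[current] if current else top)[name] = value.strip().strip('"')
    return top, sections


def parse_xinetd(text):
    """Return the attribute = value pairs of the first service { ... } block."""
    attrs, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "{":
            inside = True
        elif line == "}":
            break
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return attrs


def lint(proftpd_text, xinetd_text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_proftpd(proftpd_text)
    x = parse_xinetd(xinetd_text)
    out = []
    if top.get("ServerType", "standalone").lower() == "inetd":
        # xinetd forks one proftpd per connection, so its cap is the one in force
        if "MaxInstances" in top:
            out.append(f"MaxInstances {top['MaxInstances']} is ignored in inetd mode; "
                       f"xinetd instances = {x.get('instances', 'UNLIMITED')} is the real cap")
        if "only_from" not in x:
            out.append("no only_from: every host that can reach the bind address may connect")
    bind = x.get("bind")
    if bind is None:
        out.append("no bind: xinetd listens on every interface")
    elif not ipaddress.ip_address(bind).is_private:
        out.append(f"bind = {bind} is not a private (RFC 1918) address")
    if top.get("User", "").lower() == "root":
        out.append("User root: proftpd should drop to an unprivileged account")
    if "DefaultRoot" not in top:
        out.append("no DefaultRoot: users can browse the whole filesystem within their Unix permissions")
    for (kind, path), d in sections.items():
        if kind == "Directory" and path in ("/", "/*") and d.get("AllowOverwrite", "").lower() == "on":
            out.append(f"AllowOverwrite on under <Directory {path}>: any file the account can write can be clobbered")
    return out
```

Running lint(PROFTPD_CONF, XINETD_CONF) yields four findings for the page's setup (MaxInstances, only_from, DefaultRoot, AllowOverwrite), while the hardened pair passes clean. The parser deliberately only understands the flat "Name value" directives and one level of <Section> blocks that this page uses; nested contexts, Include files and the many other proftpd directives are out of scope.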