it works! thanks.. ive just gedit a wrong file.
Last edited by tk0; May 7th, 2008 at 07:30 AM.
Yes, it is possible; virtual users are supposed to work the same way as normal users. Also, the way I propose to restrict the access is not the only one.
Good luck.
Not to be a lazyass or anything, but do you think you might be able to point me in that direction? I tried the way you outlined but was unsuccessful, unless there are specific directives that need to be in my config.
If you don't mind, just look over my config and see if all is up to snuff. Users can connect and all; I'm just trying to lock the upload user to just the upload dir while everyone else can have access to both dirs.
Code:
Include /etc/proftpd/modules.conf
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
AllowOverwrite on
AuthAliasOnly off
# Choose here the user alias you want !!!!
#UserAlias upload userftp
ServerAdmin root@localhost
AllowForeignAddress on
ServerName "kMHFTP"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks off
TimeoutNoTransfer 300
TimeoutStalled 600
TimeoutIdle 120
TimeoutLogin 300
#DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
RequireValidShell off
TimeoutLogin 20
RootLogin off
# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log
#DenyFilter \*.*/
AuthOrder mod_auth_file.c
AuthUserFile /etc/proftpd/passwd
#AuthGroupFile /etc/proftpd/ftpd.group
# I don't choose to use /etc/ftpusers file (set inside the users you want
# to ban, not useful for me)
UseFtpUsers off
# Allow to restart a download
AllowStoreRestart on
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd off
# Uncomment this if you would use TLS module:
#TLSEngine on
# Uncomment this if you would use quota module:
#Quotas on
# Uncomment this if you would use ratio module:
#Ratios on
# Port 21 is the standard FTP port, so don't use it for security reasons
# (choose here the port you want)
Port 31337
#Port 21
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
DirFakeUser on ~
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
#AllowOverwrite on
# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"
# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared
# Lock all the users in home directory, ***** really important *****
DefaultRoot ~
MaxLoginAttempts 5
#VALID LOGINS
<Limit LOGIN>
  Allow from all
  #AllowUser upload
  #AllowUser von
  DenyALL
</Limit>
<Directory /home/FTP-shared>
  Umask 022 022
  AllowOverwrite off
  # RNFR is the rename-from command (it was typed RNRF in the posted config)
  <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD MACB>
    DenyAll
  </Limit>
</Directory>
<Directory /home/FTP-shared/download/*>
  Umask 022 022
  AllowOverwrite off
  # RNFR was typed RNEF in the posted config
  <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
    DenyAll
  </Limit>
</Directory>
<Directory /home/FTP-shared/upload/>
  Umask 022 022
  AllowOverwrite on
  <Limit READ RMD DELE>
    DenyAll
  </Limit>
  <Limit STOR CWD MKD RETR>
    AllowAll
  </Limit>
</Directory>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off
MasqueradeAddress mysite.dyndns.org
# These ports should be safe...
PassivePorts 31337 31437
UseReverseDNS off
IdentLookups off
UseIPv6 off
DisplayConnect /etc/welcome.msg
You are not filtering any user in your proftpd.conf, so I don't really understand what you tried.
Basically you allow any valid user to log in, and that's what your FTP server does: it allows all users into all the available FTP directories.
To perform per-directory user access you must add <Limit LOGIN> commands in each <Directory ******> section, as in the example in the first post.
Thanks a bunch, frodon!!! I did the <Limit ALL> for each directory and commented out all lines of the <Limit LOGIN>, and was able to keep upload from cdup-ing out of the upload/ dir.. not sure if that's right, but it worked *shrugs*... And could this also work with groups, in case the user base is bigger than just a few users?
Code:
#VALID LOGINS
#<Limit LOGIN>
#Allow from all
#AllowUser upload
#AllowUser von
#DenyALL
#</Limit>
<Directory /home/FTP-shared>
  Umask 022 022
  AllowOverwrite off
  <Limit ALL>
    Order Allow,Deny
    AllowUser von
    Deny ALL
  </Limit>
  # RNFR is the rename-from command (it was typed RNRF in the posted config)
  <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD MACB>
    DenyAll
  </Limit>
</Directory>
<Directory /home/FTP-shared/download/*>
  Umask 022 022
  AllowOverwrite off
  <Limit ALL>
    Order Allow,Deny
    AllowUser von
    Deny ALL
  </Limit>
  # RNFR was typed RNEF in the posted config
  <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
    DenyAll
  </Limit>
</Directory>
<Directory /home/FTP-shared/upload/>
  Umask 022 022
  AllowOverwrite on
  <Limit ALL>
    Order Allow,Deny
    AllowUser von
    AllowUser upload
    Deny ALL
  </Limit>
  <Limit READ RMD DELE>
    DenyAll
  </Limit>
  <Limit STOR CWD MKD RETR>
    AllowAll
  </Limit>
</Directory>
Last edited by tk0; May 7th, 2008 at 10:55 PM.
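The following is an added example, not code from the thread or from ProFTPD itself: a small Python audit script that parses <Directory> / <Limit> blocks like the ones posted above and reports, per directory, which users the <Limit LOGIN> / <Limit ALL> rules admit. It covers both the per-directory login filtering frodon recommends and the <Limit ALL> form tk0 ended up with. The sample config is constructed for the example. The evaluator models only Order allow,deny (ProFTPD's default) with AllowUser/AllowAll/"Allow from all" and DenyUser/DenyAll/"Deny all", first matching rule wins and unmatched users are denied; AllowGroup, AllowClass, host rules and Order deny,allow are deliberately not modelled, so treat it as a check of a config's intent rather than a substitute for testing against the running server.

```python
"""Per-directory user access audit for ProFTPD-style <Directory>/<Limit> blocks."""
import re

# Constructed sample modelled on tk0's second config (not copied from the thread):
# 'von' is allowed everywhere, 'upload' only in the upload directory.
SAMPLE_CONF = """\
<Directory /home/FTP-shared>
  Umask 022 022
  <Limit ALL>
    Order Allow,Deny
    AllowUser von
    Deny ALL
  </Limit>
</Directory>
<Directory /home/FTP-shared/download/*>
  <Limit ALL>
    Order Allow,Deny
    AllowUser von
    DenyAll
  </Limit>
</Directory>
<Directory /home/FTP-shared/upload/>
  <Limit ALL>
    Order Allow,Deny
    AllowUser von
    AllowUser upload
    DenyAll
  </Limit>
  <Limit READ RMD DELE>
    DenyAll
  </Limit>
</Directory>
"""

BLOCK_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
BLOCK_CLOSE = re.compile(r"^</(\w+)>$")


def parse_blocks(text):
    """Parse the config into a tree of {name, arg, directives, children} dicts."""
    root = {"name": "ROOT", "arg": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = BLOCK_CLOSE.match(line)
        if m:
            if len(stack) == 1 or stack[-1]["name"].lower() != m.group(1).lower():
                raise ValueError("unbalanced close tag: " + line)
            stack.pop()
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            node = {"name": m.group(1), "arg": m.group(2).strip(),
                    "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            continue
        parts = line.split(None, 1)           # "Directive value..." (directive names are case-insensitive)
        stack[-1]["directives"].append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError("unclosed block: <%s>" % stack[-1]["name"])
    return root


def limit_allows(limit, user):
    """Decide one <Limit> block for a user name.

    Modelled semantics (assumption, covers only the directives in the thread):
    Order allow,deny = Allow* rules are checked first and a match admits the user,
    then Deny* rules, and a user matching neither is denied.  "*" marks "everyone".
    """
    order = "allow,deny"
    allow, deny = set(), set()
    for key, val in limit["directives"]:
        if key == "order":
            order = val.replace(" ", "").lower()
        elif key in ("allowall", "denyall"):
            (allow if key == "allowall" else deny).add("*")
        elif key in ("allow", "deny") and val.lower().replace("from ", "") == "all":
            (allow if key == "allow" else deny).add("*")
        elif key in ("allowuser", "denyuser"):
            names = set(val.replace(",", " ").split())
            (allow if key == "allowuser" else deny).update(names)
    if order != "allow,deny":
        raise NotImplementedError("only Order allow,deny is modelled here")
    if "*" in allow or user in allow:
        return True
    return False                              # matched a Deny, or matched nothing


def access_matrix(conf_text, users):
    """For every top-level <Directory>, which of `users` do its <Limit LOGIN> /
    <Limit ALL> blocks let in?  A directory with no such block is open to all."""
    tree = parse_blocks(conf_text)
    matrix = {}
    for node in tree["children"]:
        if node["name"].lower() != "directory":
            continue
        gates = [c for c in node["children"]
                 if c["name"].lower() == "limit"
                 and {"LOGIN", "ALL"} & set(c["arg"].upper().split())]
        matrix[node["arg"]] = {u: all(limit_allows(g, u) for g in gates) for u in users}
    return matrix


if __name__ == "__main__":
    for directory, who in access_matrix(SAMPLE_CONF, ["von", "upload", "guest"]).items():
        print(directory, "->", ", ".join(u for u in who if who[u]) or "(nobody)")
```

Run it against a real proftpd.conf by passing the file's contents to access_matrix together with the user names from AuthUserFile; a directory that unexpectedly lists every user is the case frodon describes, where no <Limit> filters logins at all.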
Great tutorial, but for some reason when I log in using an FTP client it appears to take me to the wrong directory. It shows the directory as just "/" and won't let me do anything. Any help would be appreciated. I've added all of the directories. Here's my config file:
Code:
AllowOverwrite on
AuthAliasOnly on
UserAlias music userftp
ServerName "brianserver"
ServerType standalone
DeferWelcome on
MultilineRFC2228 on
DefaultServer on
ShowSymlinks off
TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200
DisplayChdir .message
# "-1" produces a names-only listing; the config earlier in the thread uses "-l"
# (long format), which is the output FTP clients parse to tell directories from files
ListOptions "-1"
RequireValidShell off
TimeoutLogin 20
RootLogin off
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xfer.log
SystemLog /var/log/syslog.log
UseFtpUsers off
AllowStoreRestart on
Port 1980
MaxInstances 8
User nobody
Group nogroup
Umask 022 022
PersistentPasswd off
MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8
AccessGrantMsg "welcome!!!"
ServerIdent on "you're at home"
DefaultRoot /home/FTP-shared
DefaultRoot ~
MaxLoginAttempts 5
<Limit LOGIN>
  AllowUser userftp
  DenyALL
</Limit>
<Directory /home/FTP-shared>
  Umask 022 022
  AllowOverwrite off
  # RNFR is the rename-from command (it was typed RNRF in the posted config)
  <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
    DenyAll
  </Limit>
</Directory>
<Directory /home/FTP-shared/download/>
  Umask 022 022
  AllowOverwrite off
  # RNFR was typed RNEF in the posted config
  <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
    DenyAll
  </Limit>
</Directory>
<Directory /home/FTP-shared/upload/>
  Umask 022 022
  AllowOverwrite on
  <Limit READ RMD DELE>
    DenyAll
  </Limit>
  <Limit STOR CWD MKD>
    AllowAll
  </Limit>
</Directory>
Hi, frodon
I tried the way you said (create the user through the GUI) but got a 530 login error... I just use the default conf file you provided, and I don't know what is wrong. Could you please give me a hand? Thanks a lot.
@tk0, I think it's even safer to also keep a general <Limit LOGIN> section (the one you had previously, before all your <Directory ****> sections).
@yawnzzzz, I would say that your user may not have the right home directory; anyway, I think keeping only the DefaultRoot /home/FTP-shared line would be enough. Now that I look at it, it seems redundant to me, as "DefaultRoot ~" says to lock the connected user in his home directory.
@qingrenjyf, in this case I would try to change the password several times, also using the CLI (sudo passwd userftp).
The user has the correct home directory. When I connected from a Mac, it didn't show anything, but when I connected from a PC, it showed 'download' and 'upload' as type 'File' instead of being directories. I previously had this config file working correctly, and it showed the 'download' and 'upload' as directories. The only thing I've changed since then is the config file.
I did some more tests by not containing the user in a directory, and it shows every directory as a file type of 'file', which means I can't do anything with it. Any ideas on this?
Last edited by yawnzzzz; May 9th, 2008 at 01:27 PM.