View Full Version : HOWTO : Create a FTP server with user access (proftpd)



frodon
October 20th, 2005, 07:04 PM
There's some support for this guide in the hoary section
Some questions are already answered in the OLD THREAD (http://www.ubuntuforums.org/showthread.php?t=51611); if you need support you should read it before posting here.

I created this how-to for people who want to share files with friends using the FTP protocol, like FTPservU under Windows. The way I give you is not the only one; I hope my how-to is clear enough.
This FTP server will allow only users with the right password (persons to whom you gave the password and username). So you will be sure that only known persons will access your FTP server.

A- The GUI way (for beginners only)

For those who are new to Linux and don't want to use an FTP server without a GUI, or just for those who don't often use their FTP server and wish to set it up quickly without a high level of security, there is a GTK GUI for proftpd.
Be careful, it's less secure than configuring your server yourself.

1- Install proftpd and gproftpd with synaptic or with this command :
sudo apt-get install proftpd gproftpd
2- Play with the GUI and quickly set up your server.
Beware, no support is offered here for this tool but it shouldn't be too hard to use.


B- The secure way


1- Install proftpd with synaptic or with this command :
sudo apt-get install proftpd
2- Add this line in /etc/shells file (sudo gedit /etc/shells to open the file) :
/bin/false
Create a /home/FTP-shared directory :
cd /home
sudo mkdir FTP-shared
Create a user named userftp which will be used only for FTP access. This user doesn't need a valid shell (more secure), therefore select /bin/false shell for userftp and /home/FTP-shared as home directory (property button in user and group window).
To make this section clearer, I give you the equivalent command line to create the user, but it would be better to use the GUI (System > Administration > User & Group) to create the user since users here often got problems with the user creation and the password (530 error) with the command line, so I really advise using the GUI :
# useradd -p expects an already encrypted password, so the password is set with passwd instead
sudo useradd userftp -d /home/FTP-shared -s /bin/false
sudo passwd userftp
In FTP-shared directory create a download and an upload directory :
cd /home/FTP-shared/
sudo mkdir download
sudo mkdir upload
Now we have to set the right permissions for these directories :
cd /home
sudo chmod 755 FTP-shared
cd FTP-shared
sudo chmod 755 download
sudo chmod 777 upload
3- OK, now go to the proftpd configuration file :
sudo gedit /etc/proftpd.conf
or for edgy eft (ubuntu 6.10) :
sudo gedit /etc/proftpd/proftpd.conf
and edit your proftpd.conf file like this if it fits your needs :

# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias sauron userftp

ServerName "ChezFrodon"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port 1980

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
OK, you have finished the proftpd configuration. Your server is on port 1980 (in this example) and the access parameters are
user : sauron
password : the one you've set for userftp

4- To start/stop/restart your server :
sudo /etc/init.d/proftpd start
sudo /etc/init.d/proftpd stop
sudo /etc/init.d/proftpd restart
To perform a syntax check of your proftpd.conf file :
sudo proftpd -td5
To know who is connected to your server in real time use the "ftptop" command (use the "t" character to switch to rate display); you can also use the "ftpwho" command.
Other information here (http://doc.gwos.org/index.php/DapperGuide#How_to_install_FTP_Server_for_File_Transfer_service)


C- Advanced tricks

1- Enable TLS/SSL encryption (FTPS)
** Important note : proftpd versions before 1.3.2-rc2 may not work with the latest filezilla versions using TLS encryption. See raymond.szebin's post for details.
(http://ubuntuforums.org/showpost.php?p=8239887&postcount=1081)
The FTP file sharing protocol is an old protocol which was created when the internet was still a secure place, therefore the default FTP protocol is not that secure.
For example the password and username for login are transmitted in plain text which obviously isn't secure.
That's why, to fit the needs of our generation, encryption solutions were developed and one of them is TLS/SSH encryption.
This will encrypt the username and password and all the data you send; obviously to use it the FTP client must support SFTP protocol.

Here are the steps to enable TLS/SSH encryption (FTPS (http://en.wikipedia.org/wiki/FTPS)):

Paste these commands in a terminal :
sudo apt-get install build-essential
sudo apt-get install libssl-dev
cd /etc
sudo mkdir ftpcert
cd ftpcert/
sudo openssl genrsa -des3 -out server.key 1024
sudo openssl req -new -key server.key -out server.csr
sudo openssl genrsa -des3 -out ca.key 1024
sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt
** download the sign.sh file (at the bottom of the post) and put it in ftpcert directory **
sudo chmod +x sign.sh
sudo ./sign.sh server.csr

Then add this section to your proftpd.conf file :
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off

# Server's certificate
TLSRSACertificateFile /etc/ftpcert/server.crt
TLSRSACertificateKeyFile /etc/ftpcert/server.key

# CA the server trusts
TLSCACertificateFile /etc/ftpcert/ca.crt

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>


If you use edgy or proftpd 1.3 in general add this line at the beginning of your proftpd.conf file, it will load all the extra modules like mod_tls.c :

Include /etc/proftpd/modules.conf

Note - Use TLSRequired ON to force the use of TLS. OFF means that the use of TLS is optional.

Optional step:
You will notice that you will be asked for the password you set for the server.key file each time you start/stop/restart the server, it is because the RSA private key is encrypted in the server.key file.
The solution is to remove the encryption of the RSA private key but it makes the key readable in the server.key file which is obviously less secure, anyway if you do that make sure that the server.key is readable only by root.
Once you know that it's less secure here are the command lines to remove the encryption of the RSA private key :
cd /etc/ftpcert
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Here are some links to read in case of problems or just to get more information :
http://www.modssl.org/docs/2.7/ssl_faq.html#cert-ownca
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

To use your TLS encrypted FTP server you will need an FTP client which supports it, like the latest versions of filezilla (the one present in the feisty repository has the TLS support).
In filezilla the option to use is called FTPES.

Thanks to nix4me for the help he provided and for the instructions.

2- Restrict access for some users
Some of you wish, for different reasons, to create more than one user and give a different access depending on the user.
For example if I create 2 users, one called user1 and the second called user2, and then want to deny access to the download directory for user2, you can do it as follows :

First create the 2 users like userftp in the guide and give them alias names if you use aliases. Then allow your 2 users in the general LIMIT LOGIN section :
#VALID LOGINS
<Limit LOGIN>
AllowUser user1
AllowUser user2
DenyALL
</Limit>
Once done, here is how to modify the directory sections to choose who is able to use which directory :
<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off

<Limit ALL>
Order Allow,Deny
AllowUser user1
Deny ALL
</Limit>

<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on

<Limit ALL>
Order Allow,Deny
AllowUser user1
AllowUser user2
Deny ALL
</Limit>

<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
Note - user2 will see the download directory but will not be able to enter the directory.

That's all


Misc
Best Common Practices - Everyone should read this
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-BCP.html

ProftpTools 1.0.1
ProftpTools is a script I wrote thanks to swoop's feedback. This script allows you to start/stop proftpd, mount/unmount directories automatically or manually, show your IP, ... and all of that with a GUI in order to use proftpd in a really easy way !
To install ProftpTools, download ProftpTools-v1.0.2.tar.gz (at the bottom of the page), untar it where you want and then move the ProftpTools file to /usr/bin :
tar -xzvf ProftpTools-v1.0.2.tar.gz
cd ProftpTools-v1.0.2/
sudo mv ProftpTools /usr/bin/
Then add these lines to your .bashrc file (it's in your home directory : gedit /home/username/.bashrc) in order to specify the ProftpTools directory path. YOU MUST REMOVE THE "/" CHARACTER at the end of the path. Here is an example if your ProftpTools directory is in your home directory :
ProftpTools_dir=/home/username/ProftpTools-v1.0.2
export ProftpTools_dir
Now all you have to do is to type ProftpTools in a terminal and .... enjoy :smile:
You need zenity installed to use this script.

Don't hesitate to post in this thread or send me PM to report bugs, ask new features, correct my english, suggest improvement ;-) and thank you to give me feedback about this tool.

useful trick :
This trick is integrated in ProftpTools.
If you don't want (like me ;-) ) to use space in your /home directory, and want to use space on another hard drive, or if you just want to share a directory from another partition ... you can mount the directory you want in your download or upload directory without changing anything in the proftpd.conf file, use these commands :
sudo mount -o bind the_directory_you_want_to_share /home/FTP-shared/download
or
sudo mount -o bind the_directory_you_want_to_use_for_upload /home/FTP-shared/upload
This command will not overwrite the directory, the idea is just to mount a directory in another one without overwriting anything, so when someone logs in to your server he will see and use the mounted directory if you have mounted one. To unmount a directory (download directory for example):
sudo umount /home/FTP-shared/download
Permanent mount :
If you don't want to re-mount your directories after a reboot you can add a line in the fstab file like this (sudo gedit /etc/fstab to open the file) :
the_directory_to_mount /home/FTP-shared/download vfat bind 0 0
thanks reet ;-)

If you want to create other directories in FTP-shared, remember to add them in the proftpd.conf file.
Don't hesitate to test your server yourself using gFTP for example, it's really helpful to debug your server.

Other stuff/Troubleshooting/FAQ
If you have a router you should read that (http://www.proftpd.org/localsite/Userguide/linked/x862.html), it describes the 2 commands to add in proftpd.conf and why.
If you have a dynamic DNS have a look here (http://doc.gwos.org/index.php/DapperGuide#How_to_assign_Hostname_to_local_machine_with_dynamic_IP_using_free_DynDNS_service), you can also use ddclient (http://linux.cudeso.be/linuxdoc/ddclient.php) (maybe easier for newbies).
If you have the Unbindable port 21 issue please refer to this post (http://ubuntuforums.org/showthread.php?t=79588&page=114) from mustacheride.
Most of the information you're looking for is here (http://www.proftpd.org/)
To get more debug information : http://www.proftpd.org/localsite/Userguide/linked/x1058.html
You can specify a specific passive port range using the PassivePorts (http://www.proftpd.org/localsite/Userguide/linked/config_ref_PassivePorts.html) command, it's very useful when you use a firewall (http://www.proftpd.org/localsite/Userguide/linked/x294.html) in order to know which ports to allow.

For those who have a firewall/router I advise reading this excellent post (http://www.ubuntuforums.org/showpost.php?p=680702&postcount=81) from mssm

Thanks for feedback, and sorry if my english is sometimes really bad :roll:

Don't hesitate to post questions about proftpd in this thread.

anatole
October 22nd, 2005, 10:39 AM
hi,
thanks for the howto, however, i have a problem.
i have a router and the proftpd site is not really informative... well at least not for a noob like me:) so... on the link, it says "First configure your ProFTPD install so that it works right from inside the NAT. There are example configuration files included with the source." now i downloaded the source and had a look on the config files, but i couldn't find anything relevant. any help on this?
also, i'm not sure if i entered the value of 'MasqueradeAddress' correctly. I entered my dyndns domain, so what i get is

attila@nanaki:/home/FTP-shared$ sudo /etc/init.d/proftpd restart
Password:
Restarting ProFTPD ftp daemon.proftpd.
..localhost.localdomain - 127.0.0.1:1980 masquerading as 84.0.161.247
proftpd.
done.
is that what should happen? i'm just asking because i'm not sure :)

i did everything else as the guide said, and my problem is that i get a connection timeout. any help would be appreciated, thanks :)

frodon
October 22nd, 2005, 01:17 PM
I'm not a NAT expert because i have only a software firewall but i think this link (http://www.ubuntuforums.org/showthread.php?t=39566&highlight=proftp+nat) could help you, also in the original thread some users have used these commands with success, try to follow their example or send us a PM, your problem will be quickly solved. :p

anatole
October 22nd, 2005, 04:57 PM
strange, i get the 530 error when i try to log in... i've read the other forum but all my settings should match...


attila@nanaki:/home$ la
total 8.0K
drwxr-xr-x 55 attila attila 4.0K 2005-10-22 17:46 attila
drwxr-xr-x 4 userftp root 4.0K 2005-10-22 10:45 FTP-shared
attila@nanaki:/home$ la FTP-shared
total 8.0K
drwxr-xr-x 2 root root 4.0K 2005-10-22 10:45 download
drwxrwxrwx 2 root root 4.0K 2005-10-22 10:45 upload

sorry i'm almost sure i'm being lame but i cannot help it :) so here is my proftpd.conf as well, anyone could help?

frodon
October 22nd, 2005, 06:38 PM
You should comment the 2 last lines of your file because you have 3 active MasqueradeAddress lines in your file, and also try to change the password of the user, i already met persons who've got problems with the user password.
Your settings looks good, did you test the server with your own computer or with a friend ?

anatole
October 22nd, 2005, 07:07 PM
You should comment the 2 last lines of your file because you have 3 active MasqueradeAddress lines in your file, and also try to change the password of the user, i already met persons who've got problems with the user password.
Your settings looks good, did you test the server with your own computer or with a friend ?

changed the password, commented out the last two lines, still error 530. tested on my comp, and on a friend's one. :/

frodon
October 24th, 2005, 09:30 AM
Hmm, have you tested to comment the MasqueradeAddress and PassivePorts lines to see if the problem come from these lines ? Because for me your configuration is ok, are you sure to put the good parameters in gFTP when you attempt to connect yourself to the server ?
Just in case give me the gFTP log and what you enter in the fields but i guess it's ok.
Also if you still have a 530 error it could be interesting to collect more debug infos (http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Debugging.html).

kapetanski
October 26th, 2005, 03:42 PM
Thanks for the howto, it works great! But I think it's strange that the xferlog has been empty two times now since I started to use my ftp server, is it cleared by default? Are there other logfiles as well that proftpd uses? I'm also thinking of using ssh (or some sort of crypto) on the proftpd server, anyone tried this?

frodon
October 26th, 2005, 07:20 PM
What you're looking for is in the mod_tls module of proftpd, you should already have it (use the proftpd -l command to verify it).
There is a reference example here (http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html) and I think reading this example is a good start.
If you get SSL/TLS working, send me a PM or post here and I will add this in the GUIDE.

Why do you want to use secure ftp protocol ? i'm just curious

frodon
October 27th, 2005, 10:42 AM
changed the password, commented out the last two lines, still error 530. tested on my comp, and on a friend's one. :/

You could try this command line :
sudo passwd userftp
and then retype your password, it solved the problem for tspec who gave me his feedback.

herot
October 27th, 2005, 06:17 PM
question:
i just did

apt-get install proftpd
then as root i unchecked the proftpd service at startup, so i can just
proftpd -n
whenever i want to (because i only run it sometimes...when i need it). however i did not make many changes to my proftpd.conf file (just made it type=standalone)... i didn't change any permissions or anything... i figure this is secure enough for me since i only start it when i want to move some files and then end it when im finished... is this ok?

atomicski
October 29th, 2005, 11:25 PM
I just installed Breezy Badger and am having some problems running certain services/servers...

when I do
apt-get install proftpd

it says
Couldn't Find Package proftpd

frodon
October 30th, 2005, 04:44 PM
herot, if you want to disable proftpd on startup you could just go in System > Administration > Services, it works well. If your configuration is ok for your needs and if you will not use proftpd often and for a long time, it might be secure enough like that.

atomicski, it seems that you haven't enabled all the repositories. Open your sources.list file :
sudo gedit /etc/apt/sources.list
then check that you have these lines, if not add them :
## Major bug fix updates produced after the final release of the
## distribution.
deb http://archive.ubuntu.com/ubuntu breezy-updates main restricted
deb-src http://archive.ubuntu.com/ubuntu breezy-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://archive.ubuntu.com/ubuntu breezy main universe multiverse restricted
deb-src http://archive.ubuntu.com/ubuntu breezy main universe multiverse restricted

deb http://security.ubuntu.com/ubuntu breezy-security main restricted
deb-src http://security.ubuntu.com/ubuntu breezy-security main restricted

deb http://security.ubuntu.com/ubuntu breezy-security universe
deb-src http://security.ubuntu.com/ubuntu breezy-security universe

TokenBad
December 17th, 2005, 03:34 AM
ok I did like you said... but I am also behind a router... I set the ports in the router and forward them to proftpd. I set the ports in proftpd.conf... I can ftp in fine and all that.. but when I try to list a dir I get port error ip already in use.... anyone help?

TokenBad

Leaf
December 18th, 2005, 04:14 AM
I am having the same problem as anatole, error 530
Our .conf files are almost exactly the same (no last 2 lines and minor name differences)

I've reset the password too, still 530

The alias part of the conf, I've tried logging in as both the first name and the second, same each time

any suggestions?

frodon
December 19th, 2005, 10:01 AM
Leaf, could you post your proftpd.conf file please, and check the path and the name of the directories because the 530 error is often due to name or path mismatches.

TokenBad this link may help you : http://www.ubuntuforums.org/showthread.php?t=39566

keving79
December 30th, 2005, 12:46 PM
Leaf, could you post your proftpd.conf file please, and check the path and the name of the directories because the 530 error is often due to name or path mismatches.

I'm having the same problem. I followed your tutorial. Attached is my proftpd.conf file. I've tried changing things round, trying different port numbers, changing passwords, etc. No matter what I keep getting the 530 error. PLEASE help! I've been up all night trying to get this blasted thing to work.

Thanks..

jbinc1
December 30th, 2005, 05:41 PM
I took a look at your proftpd.conf file. I noticed a few differences with my own. First, I'm not sure that the way you have your multiple user aliases will work. Take a look at the way I have mine set up. I know it works correctly. I have multiple user logins and a different password for each. I have this same configuration (with the exception of different user aliases and ip's.) running on 2 machines.

I took your proftpd.conf file and tried it in my test machine. Other than changing the UserAlias to make it work and commenting out the Masquerade line, it worked just fine. I am attaching a copy of the proftpd.conf file from my test machine so you can compare it with your own.

Are you behind a router or firewall? And do you have another computer sharing the same connection to test with? If you can get it working within the NAT, it's just a matter of getting your router and or firewall configured correctly.

Let me know how it goes.

Good luck. :)

frodon
January 1st, 2006, 07:45 PM
keving79, like in my guide you use this line at the beginning of the proftpd.conf file :
AuthAliasOnly on
so only alias logins are allowed and you didn't set an alias for your users and that's the problem here.
jbinc1 gave you a good example of how to use different users with an alias for each, you should follow his example and your problem should be solved. I use useralias in my guide because it prevents telnet accesses, but if you don't want to use useralias just replace the line "AuthAliasOnly on" by "AuthAliasOnly off" and log in to your ftp server with the username and the password and it should work too, up to you ;).

You can also define different access levels for each user, for example if you don't want a user to see or use a shared directory or if you just want to give him read access. If some of you here are interested, tell me and I will provide you some examples.

steve_250
January 2nd, 2006, 10:39 PM
I used my own and the test .conf file above and got the same results. Error 530 Login incorrect. I have used the password change command and still get 530. After every change in pw and the .conf, I did a restart.
Oh, I did a /home/ftp AND /home/FTP-shared as the example, tried both.
Checked groups in etc and user/group exist.
Where else can I look for the "incorrect" login info? :confused:

Conf file attached....

Thanks,
Steve...

frodon
January 3rd, 2006, 10:41 AM
Hi steve_250,
First you should replace those lines :
# Set the user and group that the server normally runs at.
User root
Group root
by those lines :
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
Go in your /home/ftp directory and give us the result of "ls -lg", and tell me the exact parameters you used to log in to your ftp server (user, pass, port, address). Try to give us the maximum details, because the 530 error always comes from a small mismatch.

steve_250
January 3rd, 2006, 03:23 PM
Hello Frodon, thanks for the reply.
I have replaced the lines and ran the command, here are the results:

steve@ubuntu:/home/ftp$ ls -lg
total 20
drwxrwxrwx 84 root 12288 2006-01-01 17:01 download
drwxrwxrwx 2 root 4096 2005-12-31 15:48 upload
-rw-r--r-- 1 root 166 2005-09-05 13:17 welcome.msg
steve@ubuntu:/home/ftp$

Running Gftp with user steve pass xm3y9sjp port 21:

Looking up 192.168.2.33
Trying 192.168.2.33:21
Connected to 192.168.2.33:21
220 Ubuntu
USER steve

331 Password required for steve.
PASS xxxx
530 Login incorrect.
Disconnecting from site 192.168.2.33

Thanks for helping....
Steve...

frodon
January 3rd, 2006, 03:49 PM
There is another thing i didn't see before, in the "<Directory> /home/ftp/upload/>" field, modify it like that :
<Directory /home/ftp/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
This will allow you to write in the upload directory.
Now for your login issue, try to login your gnome session with userftp in order to be sure that it's not a user creation problem. Check also that your home/ftp directory have 755 rights.

steve_250
January 3rd, 2006, 04:23 PM
Ok, did all the above and entered pw for ftpuser again.

I gftp in with "steve" and got this far and now it sits there.

230 welcome !!!
SYST

215 UNIX Type: L8
TYPE I

200 Type set to I
PWD

257 "/" is current directory.
Loading directory listing / from server (LC_TIME=en_US.UTF-8)
PASV

227 Entering Passive Mode (138,88,144,129,250,43).

The remote window just says "Receiving file names".
Kind'a stuck there.
Says the application is not responding when I try to close it after a 5 minute wait.

conf attached again.

steve_250
January 3rd, 2006, 04:40 PM
I took a look at the permissions, all is set to 755 starting with "Home".

This is also what I see:

Location Owner Group

HOME Root Root
ftp ftp nogroup

Under ftp:
download Root Root
upload Root Root

I gave 777 to u/l as the first page you wrote said to do.

frodon
January 3rd, 2006, 05:09 PM
Do you attempt to login the ftp server with the same computer which run the server or with another one ?
The first thing to test is to login the ftp server with the same computer which run the ftp server then if it works the problem come from your router.

steve_250
January 3rd, 2006, 05:14 PM
I tried it with the same machine, that's the log I sent ya.
Through another machine I had the same problem.

I also have tried to set the owner/group of all the directories to "steve".
(home/ftp, u/l & d/l)
In doing so, I now get the 530 error again.

What should the dir's be set to for owner/group?
Also chmod them to 774.

My login is steve and the machine will normally be running under my name login.

frodon
January 3rd, 2006, 06:38 PM
The owner should be root (it is in my case) and 775 rights are needed for your /home/ftp directory.

steve_250
January 3rd, 2006, 09:23 PM
Just to make sure I have it right, owner/group for ALL the mentioned directories are supposed to be root?
I'll do that and make sure it's all 775.
Ok, fixed that.

I commented out the passive mode and masquerading and it works locally now.
Any concern with commenting these out?

I try it through the internet, still hangs at receiving file names.
This is what Gftp reports:

USER steve

331 Password required for steve.
PASS xxxx
230 welcome !!!
SYST

215 UNIX Type: L8
TYPE I

200 Type set to I
PWD

257 "/" is current directory.
Loading directory listing / from server (LC_TIME=en_US.UTF-8)
PASV

227 Entering Passive Mode (192,168,2,33,4,52).
LIST -aL

Disconnecting from site sjp.serveftp.net
Invalid response '
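
Added example (not part of the thread): the two 227 replies from the logs above, decoded in Python. A PASV reply carries the address and port the client must open its data connection to, as six numbers h1,h2,h3,h4,p1,p2 with port = p1*256 + p2. The function names and finding labels are made up for the example, and the address the client dialled is an assumption supplied by the caller.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip_address, port) advertised by a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    host = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port


def check_pasv(reply, dialled_ip, passive_ports=None):
    """Compare the advertised data endpoint with the control connection.

    dialled_ip    -- address the client used for the control connection
    passive_ports -- optional (low, high) range from the PassivePorts line
    Returns (host, port, problems) where problems is a list of labels.
    """
    host, port = parse_pasv(reply)
    dialled = ipaddress.ip_address(dialled_ip)
    problems = []
    if host.is_private and not dialled.is_private:
        # Internet client is told to connect to a LAN address it cannot
        # route to: the server needs MasqueradeAddress.
        problems.append("private-address-advertised")
    elif not host.is_private and dialled.is_private:
        # LAN client is sent out to the router's public address; this only
        # works if the router forwards the passive ports back in.
        problems.append("public-address-advertised-to-lan-client")
    if passive_ports is not None:
        low, high = passive_ports
        if not low <= port <= high:
            # The firewall/router rules for PassivePorts will not match.
            problems.append("port-outside-passive-range")
    return host, port, problems


# Replies copied from the two gFTP logs in this thread.
LOCAL_TEST_REPLY = "227 Entering Passive Mode (138,88,144,129,250,43)."
INTERNET_TEST_REPLY = "227 Entering Passive Mode (192,168,2,33,4,52)."

if __name__ == "__main__":
    # Assumption: local test dialled 192.168.2.33 (as in the earlier log);
    # internet test dialled the public address seen in the first reply.
    print(check_pasv(LOCAL_TEST_REPLY, "192.168.2.33"))
    print(check_pasv(INTERNET_TEST_REPLY, "138.88.144.129"))
    # Constructed range, same values as the PassivePorts line posted later.
    print(check_pasv(LOCAL_TEST_REPLY, "192.168.2.33", (60000, 60100)))
```
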

keving79
January 3rd, 2006, 10:03 PM
You can also define different access levels for each user, for example if you don't want a user to see or use a shared directory or if you just want to give him read access. If some of you here are interested, tell me and I will provide you some examples.

Yes, I'd be very interested in this. Now that I finally got the FTP working (thanks to your advice), I'd like to set up different access levels for different users. If you could post a tutorial for that, that would be sweet.

Thanks!

t0bb3
January 3rd, 2006, 10:33 PM
I have followed the howto, but when I run "sudo /etc/init.d/proftpd start" I get this message:
ProFTPd warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration.

This is what my proftpd.conf file looks like:

#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias upload userftp

ServerName "htpc"
ServerType inetd
DeferWelcome on

MasqueradeAddress my.ip.is.here
PassivePorts 60000 60100 #this is a range, not just two ports

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin on

# It's better for debugging purposes to create log files
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (use it to ban users by
just writing their username in it)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so don't use it for security
reasons (choose here the port you want)
Port 2121

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome to t0bb3's ftp server"
# This message is displayed for each access good or not
ServerIdent on "HTPC ftp server"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory,
# ***** really important *****
DefaultRoot ~

MaxLoginAttempts 3

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off

<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off

<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on

<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
Do you see anything wrong?

frodon
January 3rd, 2006, 10:49 PM
Replace :
ServerType inetd
by :
ServerType standalone
and it should work.

By the way the "RootLogin on" option is not really secure, if you don't know why you use it I advise you to turn it off.
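
A small lint pass over a proftpd.conf for the points raised in this exchange, as an added example that is not part of any post in the thread: it flags `RootLogin on`, a missing `DefaultRoot`, section tags that do not parse, and `<Limit>` tokens that are not FTP commands or ProFTPD command groups. The sample is constructed from lines of the configuration posted above; the function name, the finding codes and the command list (base FTP commands only, nothing module-specific) are assumptions of this example.

```python
import re

# Base FTP commands plus ProFTPD's command groups (ALL, DIRS, LOGIN, READ,
# WRITE). Assumption of this example: module-specific commands are not listed,
# so an "unknown" token is a prompt to review, not proof of an error.
KNOWN_LIMIT_TOKENS = set("""
ALL DIRS LOGIN READ WRITE
ABOR ACCT ALLO APPE CDUP CWD DELE EPRT EPSV FEAT HELP LIST MDTM MKD MODE
NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR RNTO SITE
SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD XPWD XRMD
""".split())

# Constructed sample: a shortened copy of the configuration posted above.
SAMPLE_CONF = """\
ServerType inetd
RootLogin on
DefaultRoot ~
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>
<Directory /home/FTP-shared>
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
<Directory /home/FTP-shared/download/*>
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
<Directory> /home/FTP-shared/upload/>
<Limit READ RMD DELE>
DenyAll
</Limit>
</Directory>
"""

# A well-formed section line is exactly "<Name args>" or "</Name>".
TAG = re.compile(r"^<(/?)([A-Za-z]+)(?:\s+([^<>]+?))?\s*>$")


def lint(conf_text):
    """Return a list of (line_number, code, detail) findings."""
    findings = []
    saw_default_root = False
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            match = TAG.match(line)
            if match is None:
                # e.g. "<Directory> /path/>": the tag closes before its path.
                findings.append((number, "malformed-section-tag", line))
                continue
            closing, name, args = match.groups()
            if not closing and name.lower() == "limit":
                for token in (args or "").split():
                    upper = token.upper()
                    if upper not in KNOWN_LIMIT_TOKENS and not upper.startswith("SITE_"):
                        # A token no client can send restricts nothing.
                        findings.append((number, "unknown-limit-command", token))
            continue
        parts = line.split()
        directive = parts[0].lower()
        value = parts[1].lower() if len(parts) > 1 else ""
        if directive == "rootlogin" and value == "on":
            findings.append((number, "root-login-enabled", line))
        elif directive == "defaultroot":
            saw_default_root = True
    if not saw_default_root:
        findings.append((0, "no-defaultroot", "users are not locked into a directory"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

The rename pair in FTP is RNFR followed by RNTO, which is why `RNRF` and `RNEF` are reported.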

t0bb3
January 4th, 2006, 08:45 AM
But I chose inetd during the install of the server. It said inetd would be more resource friendly if I only had a few connections every day, and it's basically only I that connect to the ftp server. Why should I change to standalone?

I'll change the RootLogin option

frodon
January 4th, 2006, 09:51 AM
Yes it's a little bit more resource friendly but standalone server is easier to use and if you don't have 20 users who use your server at the same time you won't see the difference.

Link : http://www.proftpd.org/localsite/Userguide/linked/config_ref_ServerType.html

t0bb3
January 4th, 2006, 10:10 AM
Thank you, it starts now :)

But why didn't it work with inetd as the servertype?

t0bb3
January 4th, 2006, 11:02 AM
Reading the proftpd manual (http://www.proftpd.org/localsite/Userguide/linked/x430.html) I decided to give inetd another go. They all say inetd is better suited when there aren't that many connections.

When I chose inetd as the server type during the initial install proftpd made the necessary changes to /etc/inetd.conf. So the server should have been ready for use as soon as I had installed it. I had misunderstood the whole
sudo /etc/init.d/proftpd start
sudo /etc/init.d/proftpd stop
sudo /etc/init.d/proftpd restart
thing. It's only for when you run the server in standalone mode! I thought I should do that even when in inetd mode, but that was wrong.

Another nice thing about inetd mode is that you don't have to do anything special when you make changes to proftpd.conf. The server rereads that file for every new connection.

t0bb3
January 4th, 2006, 11:12 AM
You can also define different access levels for each user, for example if you don't want a user to see or use a shared directory or if you just want to give him a read access. If some of you here are interested, tell me and i will provide you some examples.

Yes, I'd be very interested in this. Now that I finally got the FTP working (thanks to your advice), I'd like to setup different access levels for different users. If you could post a tutorial for that, that would be sweet.

Thanks!
I second this.
And I would also like to know how to set up virtual users

Thanks

frodon
January 4th, 2006, 11:39 AM
This is a small example of how to prevent user2 from entering the download directory.
In this case 2 users have been created (userftp and user2) and each one has its own alias.
This example will allow userftp to see all the shared directory and prevent user2 from using the download directory (i give you only the directory section) :
#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
AllowUser user2
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser userftp
AllowUser user2
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser userftp
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser userftp
AllowUser user2
Deny ALL
</Limit>
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

jbinc1
January 4th, 2006, 10:31 PM
Hello frodon,

My ftp server has been running for a few weeks now thanks to your excellent HOWTO. Now I need some help speeding it up. Inside the nat I get great upload/download speeds. Over the internet I am limited to about 50 kbs. Any ideas? :confused:

frodon
January 5th, 2006, 10:30 AM
It's because when you are inside the NAT the limit is the limit of the local network and when you are outside the NAT the limit is your internet connection speed which is really lower than the local network speed.
Did you already reach a better upload rate with IRC, msn, or another share protocol ?

frodon
January 5th, 2006, 11:04 AM
I'm thinking about a new howto or an improvement of this one for newbies (and this will be only for newbies !). Because proftpd has a GUI called Gproftpd but i generally don't advise it because you need to run it as root and you can easily break your server configuration or create an insecure ftp server, however i think newbies will prefer this way (less secure but more user-friendly).

So, please could someone test this GUI and give me his personal opinion about it in order to help me to know if i should advise it for newbies and create a small guide for it ?

Thanks for helping me to estimate this way to use proftpd.

here are the website link and a screenshot at the bottom of the post :
http://mange.dynalias.org/linux.html

jbinc1
January 6th, 2006, 03:03 PM
Hello frodon,

I'm setting up a fresh install of Ubuntu and I'm going to test the Gproftpd gui. I will see how it goes using the instructions on the Gproftpd web site and give you feedback.

Also, I think my slow connections on my ftp server are possibly due to my router. I still have to do more research on that one. ](*,)
When I connect to other ftp servers, I'm getting excellent speeds. I did some searching and it seems I'm not the only one to have this problem.

Take it easy.

steve_250
January 6th, 2006, 03:04 PM
Sure seems like an easier way for newbies like me.
I installed it and got a text that said it's running. Didn't get the GUI interface or see an icon.
I'll try again today.

Jbinc1, no, you're not the only one with slow speed, going through my Netgear FVS318 is slow to connect too.

I tried the inet install instead of standalone and it won't run at all. How do I reinstall proftpd? I'll switch back to standalone.

jbinc1
January 6th, 2006, 03:10 PM
Hello Steve,

I've done some pretty extensive searching on the slow connection subject and I can't seem to find any solution. If you happen to find anything feel free to pm me and let me know. I really like the easiness of the setup and the way my ftp server is running, but I have the need for speed, if you know what I mean. :)

If you go into the proftpd.conf file where it says "ServerType" you should be able to just change it back to "standalone".

steve_250
January 6th, 2006, 03:15 PM
I also noticed some differences in the inet and standalone. In the inet install, it creates its own ftp directory under home. It also starts in /init.d instead of inirtd as it wants to (says it can't find it in inirtd).

Jbinc1, I'm going to see if I can buy a splitter to run off my DSL modem to put the server outside the router.
Yep, changed it to standalone in the conf and now it won't run at all. Want to do a re-install. Stuff is in different directories than with the standalone install, at least in MY machine.

frodon
January 6th, 2006, 03:34 PM
Hello frodon,

I'm setting up a fresh install of Ubuntu and I'm going to test the Gproftpd gui. I will see how it goes using the instructions on the Gproftpd web site and give you feedback.

Also, I think my slow connections on my ftp server are possibly due to my router. I still have to do more research on that one. ](*,)
When I connect to other ftp servers, I'm getting excellent speeds. I did some searching and it seems I'm not the only one to have this problem.

Take it easy.

Hi jbinc1,

I'm wondering something, when you say that you have slow connections, do you mean transfer speed ?
Because most of DSL connections have a really poor upload speed compared to the download speed, maybe it's just your internet connection which has a low upload speed and a good download speed. It could explain why you download fast on other FTP server and not with yours.

steve_250
January 6th, 2006, 03:44 PM
Going through my router when I enter the actual internet address and NOT the local net address (192.168.) it is slow to connect and go through the password dialogue.
Going locally, 192.168. it connects right away.
This is all done on the same machine ftp is installed on, using gftp.

Getting this error now when using gftp and the internet address:
As seen in gftp:

230 welcome !!!
SYST

215 UNIX Type: L8
TYPE I

200 Type set to I
CWD /

250 CWD command successful
Loading directory listing / from server (LC_TIME=en_US.UTF-8)
PASV

227 Entering Passive Mode (192,168,2,33,4,12).
LIST -aL

Disconnecting from site sjp.serveftp.net
Invalid response '

What do you think the "invalid response" could be?

On edit:
I disabled passive xfers in gedit and it works fine now.
Using a standard browser it connects when I put in the local net address (192.168) but times out when putting in the internet address.

jbinc1
January 6th, 2006, 05:57 PM
Steve,

Try this in your proftpd.conf file



UseReverseDNS off
IdentLookups off

jbinc1
January 6th, 2006, 06:12 PM
Hi jbinc1,

I'm wondering something, when you say that you have slow connections, do you mean transfer speed ?
Because most of DSL connections have a really poor upload speed compared to the download speed, maybe it's just your internet connection which has a low upload speed and a good download speed. It could explain why you download fast on other FTP server and not with yours.

Hi frodon,

I did some more tests and you're right. My conversion from Bps to kbps was wrong (oops). It looks like I'm getting all of the speed I'm going to get. My upload is limited to 312 kbps and I'm averaging about 36000 Bps. I better double check my math next time. Live and learn.

Thanks for all of your help.

steve_250
January 6th, 2006, 08:26 PM
Steve,

Try this in your proftpd.conf file



UseReverseDNS off
IdentLookups off

Thanks, it "seemed" to speed up the pw dialog box but still times out after entering name and pw.

jbinc1
January 6th, 2006, 08:38 PM
Do you have a firewall?

steve_250
January 6th, 2006, 10:02 PM
Do you have a firewall?

Yes, I do but it is ported open. Calls to the Apache server from outside go through.
It's on the same machine.
I'll mess with it more tomorrow.

steve_250
January 9th, 2006, 05:07 PM
I'm still not connecting from a ******* machine using the server's internet address. Using IE I put in the pw and it hangs on "Getting contents of folder".
Times out with "An error occured on the server, make sure you have permission to access that folder". (I know thats a standard Win error format)
I can connect fine using the 192.168 internal though.

More ideas?

frodon
January 9th, 2006, 05:38 PM
Could you post your proftpd.conf, i'd like to see if there isn't something which blocks the LIST or CWD command, it could come from your configuration file or from wrong system rights in your ftp folder.

Also if you use IE to connect to the ftp server don't forget to specify the port if you don't use port 21, i give you an example corresponding to the guide (which uses the port 1980) : ftp://sauron@100.12.xx.xxx:1980

steve_250
January 9th, 2006, 06:31 PM
I am currently using port 21 because I haven't yet figured out how to make a port change in my Netgear FVS318. It has a dropdown for service but no selection of ports.
Still looking for it....
Thank you Frodon!
Here is my conf file:

# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias steve userftp

ServerName "Ubuntu"
ServerType standalone
DeferWelcome on

UseReverseDNS off
IdentLookups off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 99

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so don't use it for security reasons (choose here the port you want)
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

BlueIce
January 10th, 2006, 02:25 AM
Having a bit of trouble with step 3 "sudo gedit /etc/proftpd.conf" on the first page.

This file does not exist.

What have I done wrong, thanks

I did a search on this file (I think I did the search right) and it does not exist anywhere on the system.

steve_250
January 10th, 2006, 02:43 AM
Try it in a new terminal window.
When doing a search, I don't remember if it is a hidden file (don't think so).

BlueIce
January 10th, 2006, 05:19 AM
Try it in a new terminal window.
When doing a search, I don't remember if it is a hidden file (don't think so).

Didn't help when I don't read it carefully

sudo apt-get install proftpd
Reading package lists... Done
Building dependency tree... Done
E: Couldn't find package proftpd

What did I do wrong?
Do I have to add extra repositories?

Thanks

frodon
January 10th, 2006, 10:00 AM
BlueIce, indeed you shouldn't have all the repositories enabled. You could post your /etc/apt/source.list here if you wish otherwise you will find all needed information about source.list here : http://www.ubuntuforums.org/showthread.php?t=92672.

steve_250, your configuration sounds good for me, so i think the problem should be your Netgear FVS318 configuration, because all your FTP server configuration seems good.

jbinc1
January 10th, 2006, 01:27 PM
steve_250

Take a look at these links from frodon's HOWTO.

Other stuff
If you have a router you should read that (http://www.proftpd.org/localsite/Userguide/linked/x862.html), it describes the 2 commands to add in proftpd.conf and why.
If you have a dynamic DNS have a look here (http://www.frankandjacq.com/ubuntuguide/5.04/index.html#assignhostnametodynamicip), you can also use ddclient (http://linux.cudeso.be/linuxdoc/ddclient.php) (maybe easier for newbies).
Most of the information you're looking for is here (http://www.proftpd.org/)
To get more debug information : http://www.proftpd.org/localsite/Userguide/linked/x1058.html
You can specify a specific passive port range using PassivePorts (http://www.proftpd.org/localsite/Userguide/linked/config_ref_PassivePorts.html) command, it's very useful when you use a firewall (http://www.proftpd.org/localsite/Userguide/linked/x294.html) in order to know which ports to allow.

BlueIce
January 10th, 2006, 02:30 PM
BlueIce, indeed you shouldn't have all the repositories enabled. You could post your /etc/apt/source.list here if you wish otherwise you will find all needed information about source.list here : http://www.ubuntuforums.org/showthread.php?t=92672.

Alright I got it working, prob not how I wanted it to run but here is what I did.

Commented in
deb http://au.archive.ubuntu.com/ubuntu breezy universe
deb-src http://au.archive.ubuntu.com/ubuntu breezy universe
(Not sure if I am supposed to comment out other ones)

Then installed proftpd, instructions are on the first page of this thread.
I then wanted a GUI (I'm very new to linux)

gproftpd is at: http://mange.dynalias.org/linux.html

Not sure if I did the right thing but I downloaded the source.

Needed to compile it and somehow got to this page: http://www.psychocats.net/linux/installingsoftware.php
All beginners should read this, it made it really easy:) REALLY

Ended up running
sudo apt-get install build-essential

I think I then needed Development files for the GTK
So Installed libgtk2.0-dev (Development files for the GTK+ library) from Synaptic Package Manager. I hope that was the right thing to do.

I think it then compiled OK as I was able to run the GUI.

Problems:
1. Installed gproftpd in Home directory (How do I stop that from happening in the future and how can I fix that now (Copy n paste)?)
2. How do I run something as root. Can I add it to the menu.
3. Should I write commands in the forums with a $ in front of them?
Thanks

frodon
January 10th, 2006, 02:56 PM
1. Generally only the config files are installed in the home directory because it defines specific setting for your user and only your user.
2. To run gproftpd as root, use this command in a terminal :
sudo gproftpd
3. Up to you ;)

But even if you're new to linux you don't inevitably need a GUI, especially if you use often your server. Also if you just want a GUI to see the traffic on your ftp server the "ftptop" command is enough.

However i planned to write a short guide in the next 3 weeks for Gproftpd if it's needed.
So if you finally use Gproftpd and enjoy using it don't forget to tell me.

steve_250
January 10th, 2006, 03:33 PM
Ok, finally found where to change the ftp port number in the router.
I changed it to 1980, it IS supposed to be TCP, oui?
Added the masquerading and passive lines in your page one example.
However, now I get "Connection refused" even when doing it through the same machine using Firefox. Using gftp I see:

230 welcome !!!
SYST

215 UNIX Type: L8
TYPE I

200 Type set to I
PWD

257 "/" is current directory.
Loading directory listing / from server (LC_TIME=en_US.UTF-8)
PORT 192,168,2,33,18,53

500 Illegal PORT command
Invalid response '5' received from server.
Disconnecting from site such.and.such
](*,)

Oh yeah, Frodon, in the nmap usage example, the I (eye) feature is no longer supported.
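
The two gftp transcripts in this thread (the `227 Entering Passive Mode` reply and the rejected `PORT` command) both carry a host/port field of the form h1,h2,h3,h4,p1,p2, where the port is p1*256+p2. The following added example, which is not part of any post, decodes that field and compares it with the address of the control connection and with a `PassivePorts` range. The function names and finding codes are assumptions of this example; the peer address is the WAN address that appears in the logs posted in the thread, and the range is the one from the configuration posted earlier.

```python
import ipaddress
import re

# Constructed inputs: both lines are copied from the gftp transcripts in this
# thread; CONTROL_PEER is the WAN address that appears in the posted logs.
PASV_REPLY = "227 Entering Passive Mode (192,168,2,33,4,12)."
PORT_COMMAND = "PORT 192,168,2,33,18,53"
CONTROL_PEER = "138.88.144.129"

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply.
_FIELD = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(line):
    """Return (IPv4Address, port) from a 227 reply or a PORT command."""
    match = _FIELD.search(line)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % (line,))
    numbers = [int(group) for group in match.groups()]
    if max(numbers) > 255:
        raise ValueError("field value above 255 in %r" % (line,))
    address = ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(numbers[:4]))
    return address, numbers[4] * 256 + numbers[5]


def check_data_endpoint(line, control_peer, passive_ports=None):
    """Compare the advertised data endpoint with the control connection.

    control_peer is the address at the other end of the control connection:
    the server's address as the client sees it (for a 227 reply) or the
    client's address as the server sees it (for a PORT command).
    passive_ports is an optional (low, high) tuple, checked for 227 replies.
    """
    address, port = decode_hostport(line)
    peer = ipaddress.ip_address(control_peer)
    findings = []
    if address != peer:
        findings.append("address-differs-from-control-connection")
    if address.is_private and not peer.is_private:
        # A LAN address leaked through NAT: unreachable from the internet.
        findings.append("private-address-behind-nat")
    if passive_ports is not None:
        low, high = passive_ports
        if not low <= port <= high:
            # The port is not one the router forwards to the server.
            findings.append("port-outside-passiveports")
    return str(address), port, findings


if __name__ == "__main__":
    print(check_data_endpoint(PASV_REPLY, CONTROL_PEER, (60000, 60100)))
    print(check_data_endpoint(PORT_COMMAND, CONTROL_PEER))
```

With MasqueradeAddress set to the public address and PassivePorts set to a range the router forwards, the 227 reply carries that address and a port inside the range, and the findings list comes back empty.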

jbinc1
January 10th, 2006, 03:52 PM
frodon,

I've been doing some testing on gftpd. I had problems installing from source. First, you have to make sure you have a c compiler installed. Next, it seems the source is broken. I've tried everything I could think of to get it to work. So, I did some searching and was able to find a debian package and installed it. I was able to install but there are some errors in the config out of the box (ie. it looks for directories that don't exist). I made some changes to the config file, but I continue to get a SecurityLog error. I did a check on the syntax and everything was good. I had to add the directories it was looking for to stop the error.

The interface seems nice, but there is a definite lack of documentation on the site or in the help file to support the program. I don't know if it would be a help or a hindrance to someone trying to set up their first ftp server.

steve_250
January 10th, 2006, 04:18 PM
Update:
On same machine, switched gftp to passive and it logs on but gets stuck at "Receiving file names".
Tried ascii and also removing the -L option, still stuck.

frodon
January 10th, 2006, 04:55 PM
I don't think the problem comes from the ListOptions (http://www.proftpd.org/localsite/Userguide/linked/config_ref_ListOptions.html) so you should keep the -l option.
I think you should look in your router configuration first, you have to configure your router to link the port 1980 to your PC and also to enable it with the good protocol.

Don't forget to have a look in the proftpd forum, there's a lot of useful information in, maybe you could find here a user who uses the same router as you : http://forums.proftpd.org/phpBB2/

steve_250
January 10th, 2006, 05:01 PM
The link above doesn't work, I'll start at their main page.

I do have the router set to port 1980, changed it back to 21 and got the same error.

I looked at the ftp.log and found the router is passing the request through but the file list isn't coming through.

138.88.144.129 UNKNOWN nobody [10/Jan/2006:10:48:12 -0500] "USER steve" 331 -
138.88.144.129 UNKNOWN userftp [10/Jan/2006:15:48:12 +0000] "PASS (hidden)" 230 -
138.88.144.129 UNKNOWN userftp [10/Jan/2006:15:48:12 +0000] "SYST" 215 -
138.88.144.129 UNKNOWN userftp [10/Jan/2006:15:48:12 +0000] "TYPE I" 200 -
138.88.144.129 UNKNOWN userftp [10/Jan/2006:15:48:12 +0000] "PWD" 257 -
138.88.144.129 UNKNOWN userftp [10/Jan/2006:15:48:12 +0000] "PASV" 227 -
138.88.144.129 UNKNOWN userftp [10/Jan/2006:15:50:13 +0000] "PASV" 227 -

I have the permissions set as you said to set them.

steve_250
January 10th, 2006, 06:54 PM
No progress...
Everything set to port 1980 (router, conf & gftp)
From the router log when attempting to gftp in from same machine:

Tues, 01/10/2006 09:48:17 - UDP packet dropped - Source:221.1.204.254, 45006, WAN - Destination:138.88.144.129, 1027, LAN - 'Suspicious UDP Data'
Tues, 01/10/2006 09:50:23 - TCP connection dropped - Source:138.88.28.18, 2770, WAN - Destination:138.88.144.129, 445, LAN - 'SMB'

From the debug log:
Jan 10 07:36:22 localhost kernel: [4718395.530000] ppdev0: registered pardevice
Jan 10 07:36:22 localhost kernel: [4718395.571000] ppdev0: unregistered pardevice
Jan 10 07:36:22 localhost kernel: [4718395.571000] ppdev1: claim the port first
Jan 10 07:36:22 localhost kernel: [4718395.571000] ppdev2: claim the port first

BlueIce
January 12th, 2006, 11:56 AM
I've been doing some testing on gftpd. I had problems installing from source. First, you have to make sure you have a c compiler installed. Next, it seems the source is broken. I've tried everything I could think of to get it to work.

I think you might need the Development files for GTK
I Installed libgtk2.0-dev (Development files for the GTK+ library) from Synaptic Package Manager and I was able to install from source.

BlueIce
January 12th, 2006, 12:05 PM
1. Generally only the config files are installed in the home directory because it defines specific setting for your user and only your user.
2. To run gproftpd as root, use this command in a terminal :
sudo gproftpd
3. Up to you ;)

But even if you're new to linux you don't inevitably need a GUI, especially if you use often your server. Also if you just want a GUI to see the traffic on your ftp server the "ftptop" command is enough.

However i planned to write a short guide in the next 3 weeks for Gproftpd if it's needed.
So if you finally use Gproftpd and enjoy using it don't forget to tell me.

1. I am pretty sure it is all installed in the home directory as the etc and src directories are in there. I used the command $./Autoinstall it listed (http://mange.dynalias.org/linux.html) on the site. What is the correct way to install it, and do I have to uninstall the old one? Does linux have a registry or am I correct in saying it just uses config files.

2. so that what sudo does:D

3. Umm thanks:)

frodon
January 12th, 2006, 01:41 PM
1. What is the correct way to install it

For me the correct way to install it is to follow the instructions of the web site and just replace the final command (sudo make install) by :
sudo checkinstall -D
checkinstall is a tool (you can find it in synaptic) which allows you to create a .deb of the sources and install the software with all the needed information to see it in synaptic and therefore uninstall it easily.
If you didn't use checkinstall and want to use it i think this command (in the gproftpd source directory) will uninstall gproftpd :
sudo make uninstall

BlueIce
January 12th, 2006, 02:26 PM
It all looks good now.

thank you heaps for your help:D

frodon
January 15th, 2006, 11:45 PM
For those who want to use the proftpd GUI, i updated the HOWTO with some short instructions and a .deb of the latest version.

After some tests, i found that gproftpd is not so bad but a little bit annoying for advanced users because the GUI is able to create directories and system users (you need to run it as root) and it's less secure (it's just my opinion ;) )

hen3rz
January 16th, 2006, 04:27 AM
Is there a way i can manage this server via php on my apache2 server?

kasemodz
January 17th, 2006, 04:06 AM
alright mine is really weird. I can get proftpd to start. However, when i try to access it from another computer, it asks for my username and password. I put it in and press enter. It searches for something then comes back with the login window, how do i fix this? Here is my proftpd config.

#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

ServerName "OnDemand"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

DenyFilter \*.*/
DefaultRoot ~

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd off

# Uncomment this if you would use TLS module:
#TLSEngine on

# Uncomment this if you would use quota module:
#Quotas on

# Uncomment this if you would use ratio module:
#Ratios on

# Port 21 is the standard FTP port.
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User admin


# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

frodon
January 17th, 2006, 09:49 AM
I don't know what you want to do and you didn't use the guide as i see in your conf file so how could someone help you with so little information ?
So how did you create your proftpd.conf file ? it seems really close to the default one, so what is your aim ?

hen3rz, i searched a little bit yesterday but i didn't find any information on the topic. Maybe you could post your question in the server talk forum there's some server gurus in ;).

kasemodz
January 18th, 2006, 12:31 AM
hey frodon since i couldn't get ftp working with the guide's conf I used this guide to install it. I just wanted to see if the ftp works by using nearly the default one. Here is the link btw. http://www.ubuntuguide.org/#ftpserver

Btw now that I'm thinking of it, I did install the gui version of ftp this guide talked about but I couldn't uninstall it. Then i installed proftpd. Do you think that could be the problem?

frodon
January 18th, 2006, 10:27 AM
Btw now that I'm thinking of it, I did install the gui version of ftp this guide talked about but I couldn't uninstall it. Then i installed proftpd. Do you think that could be the problem?

Gproftpd is only a frontend for proftpd, so you need to have proftpd installed to use gproftpd.
To uninstall gproftpd, use this command if you used the .deb :
sudo dpkg -r gproftpd-8.2.2_8.2.2-1_i386.deb
You should also be able to uninstall it with synaptic.
When i asked you what is your aim, i meant what is your need about ftp server. Do you just want to share some files with friend or with everybody ? do you wish a secure server ?

I ask you that because in your conf file you don't share any directories so i have no idea about what you're trying to do.

kasemodz
January 20th, 2006, 12:35 AM
Gproftpd is only a frontend for proftpd, so you need to have proftpd installed to use gproftpd.
To uninstall gproftpd, use this command if you used the .deb :
sudo dpkg -r gproftpd-8.2.2_8.2.2-1_i386.deb
You should also be able to uninstall it with synaptic.
When i asked you what is your aim, i meant what is your need about ftp server. Do you just want to share some files with friend or with everybody ? do you wish a secure server ?

I ask you that because in your conf file you don't share any directories so i have no idea about what you're trying to do.

um frodon, my aim is just to setup a ftp server so i can access it on my land. I'll be uploading stuff to it and downloading.

linuxfan
January 20th, 2006, 04:59 AM
t0bb3:

Thanks for your additional tip! I too had the same problem and was wondering what was wrong with inetd install type. Will try tonight once I get back from work.

Cheers

mssm
January 25th, 2006, 08:55 PM
I have success at last :)

I can ftp from the machine itself and from another computer inside home on the same network. The actual test whether I can access it from outside, will be done tomorrow. But I am hopeful that I shall succeed. (Update : Now I can access it from outside; see my next post below).

Thanks Frodon and everybody else in this forum. I am a longtime reader of this great howto thread and this is my first post. For my research collaboration I made a plan to run a ftp server on my home laptop. Since I am using a cable modem (Motorola SBG 900E), I am behind the firewall of the router. I faced all kinds of problems similar to Steve_250 of this thread. Initially I had 530 error related to password, I had error 500 for invalid port etc etc. I would like to share how I did overcome all of these problems.

1. I followed Frodon's how-to in toto. I didn't use gproftpd. I just copied and pasted his proftpd.conf with few exceptions, e.g. I put AuthAliasOnly to "off". Since I am behind a firewall of the router and my ISP provided me with dynamic IP address, I had to install ddclient first and registered my computer at dyndns.com. Then I had to add two lines related to MasqueradeAddress and PassivePorts, as Frodon mentioned, at the end of the file. Finally, I attached two lines as jbinc1 suggested. I attached the copy of my proftpd.conf.

2. Next I added the users from the command line but their passwords were added NOT from the command line but from the tool Ubuntu provided : Kmenu --> System --> User Groups(I'm running Kubuntu. Under Gnome I think it's under System). This is fairly easy to do. I checked that everything is consistent with other commands that Frodon's guide provided, e.g. no users get a shell(/bin/false). If I issue the passwd of the users from command line, somehow all the time I got 530 error.

3. Next thing was to configure my router. First, I made sure that my ISP do not block the ports 1980 and the ports 60000-65535. The former is used by proftpd and the latter are the passive ports. Now the firewall and port forwarding config. of my router looks like this :

Firewall
--------

Port ID : proftpd
Enable : yes(tick)
Allowed Protocol : TCP
Allowed Range : 1980:1980
Allow Inbound : Yes
Allow Outbound : Yes
Protocol # : 0

Similarly I defined another Port ID : proftpd-passive. For this, the allowed range is 60000:65535 and all other parameters remaining exactly the same.

The names of the Port ID can be anything.

Port Forwarding
-----------------

Name : proftpd
Port Start : 1980
Port End : 1980
LAN IP Address : 192.168.0.10
Enable : yes

Similarly, I define another port called proftpd-passive for which Port Start = 60000 and Port End = 65535, and all other parameters remaining the same.
Here 192.168.0.10 is the internal LAN IP address assigned to my laptop by the router dynamically(using DHCP). Since my laptop remains on all the time I didn't go for a static address, though I recommend others to do so.

That's it. If I don't forward all the ports including the passive one I shall get error 500 or the infinite time loop which Steve_250 experienced. I can access it from a Windows machine within the same network, using WS_FTP.

frodon
January 25th, 2006, 09:57 PM
Hey mssm

A BIG BIG thank you for this post, really useful, i will put a link to this post in the guide.
Thanks for sharing your experience ;)

mssm
January 26th, 2006, 08:50 AM
Hey mssm

A BIG BIG thank you for this post, really useful, i will put a link to this post in the guide.
Thanks for sharing your experience ;)


Thanks Frodon. It's working from browser(e.g. firefox) also. I can also access it from outside.

t0bb3
January 30th, 2006, 11:19 PM
I'm having problems accessing my ftp server from outside the lan. I always get this error: "500 Illegal PORT command".
I have forwarded the necessary ports in my router. I confirmed this by setting Apache to listen to one of the ports in the interval, and I could access it.

I have also added the MasqueradeAddress, PassivePorts, UseReverseDNS and IdentLookups options to proftpd.conf

What else should I do?

The ftp server works great inside the lan, both in active and in passive mode

mssm
January 31st, 2006, 08:46 PM
I'm having problems accessing my ftp server from outside the lan. I always get this error: "500 Illegal PORT command".
I have forwarded the necessary ports in my router. I confirmed this by setting Apache to listen to one of the ports in the interval, and I could access it.

I have also added the MasqueradeAddress, PassivePorts, UseReverseDNS and IdentLookups options to proftpd.conf

What else should I do?

The ftp server works great inside the lan, both in active and in passive mode

Hi t0bb3, did you open all the relevant ports like 1980 and passive ones in your firewall? Allow both incoming and outgoing and the protocol should be TCP. Make sure your ISP does not block any of these ports. Many ISPs block some of them in order that nobody can run server from home.

Did you create password for the user using the GUI ubuntu provide?

Another point : did you put AuthAliasOnly to off, like mine? Can you do one thing? Just back up your copy of proftpd.conf and use mine instead and tell me whether you are getting the same result? I am telling you all these since I got this 500 error:illegal ports infinite number of times before getting it working. Good luck

t0bb3
February 1st, 2006, 08:22 PM
Hi t0bb3, did you open all the relevant ports like 1980 and passive ones in your firewall?
What is port 1980? Yes, I have all the passive ports open.

Allow both incoming and outgoing and the protocol should be TCP. Make sure your ISP does not block any of these ports. Many ISPs block some of them in order that nobody can run server from home.
They are open both ways, and if I run my webserver on one of the ports I can connect to it, so they aren't blocked by my ISP

Did you create password for the user using the GUI ubuntu provide?

Another point : did you put AuthAliasOnly to off, like mine?
I don't think there is anything wrong with the passwords. All accounts work when I try them in my lan, and they work if I connect to them in active mode from the outside.

Can you do one thing? Just back up your copy of proftpd.conf and use mine instead and tell me whether you are getting the same result? I am telling you all these since I got this 500 error:illegal ports infinite number of times before getting it working.
Yes, I will try that.

Good luck
Thanks, I will need it :)

t0bb3
February 1st, 2006, 08:47 PM
I saw in your config file that you use port 1980 as your ftp port... I use another port, but yeah, that port is open and forwarded in my router.

I have also tried your config file (with the needed changes). Got the same 500 error :(

mssm
February 2nd, 2006, 11:41 PM
t0bb3, just to make sure :
1) Did you check that your internal IP address didn't change meanwhile?
2) If your ISP provides you with a dynamic IP address, are you forwarding to some dynamic dns host like dyndns.org by some client, and is that client running?
3) Did you try to ftp on the same machine and still you are getting 500 error?
4) If you turn on logging, what do they say?

I am sure this has to do with your router's firewall and port forwarding config.

t0bb3
February 3rd, 2006, 01:00 PM
1) I have static IPs in my lan, so it didn't change
2) Yes, I get a dynamic IP from my ISP, and yes I use dyndns.com. My router has built in support for updating dyndns, so it is always up to date. Everyone can connect to the webserver I've got running on the same machine as the ftp server, so the address isn't a problem
3) What do you mean? I can connect to the ftp server from all computers in my lan, and active connections from internet works.
4) I've got logging on. What should I look for?

First I could only connect to the ftp server from the other computers in my lan using the internal IP, but when I added "AllowForeignAddress on" I could also connect to the server using my dyndns.com address from within my lan. (I used to get the 500 error when I tried that). But other ppl can't connect over the internet. But they don't get error 500 any more, now they get "Unknown error"...

Thanks for helping

t0bb3
February 3rd, 2006, 11:47 PM
A little more info on what is going on now when I try to connect... (I actually got a real error message this time)

ftp> open address port
Connected to address
220 ProFTPD 1.2.10 Server (t0bb3's ftp) [Ip.address]
Name (address:local user): ftp login name
331 Password required for ftp login name.
Password:
230 User ftp login name logged in.
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out

Orunitia
February 4th, 2006, 08:37 AM
Real nice, thanks. gproftpd really helped me. I've been looking for something as good as bulletproof, and this is good enough for me.

Stormx
February 5th, 2006, 02:09 AM
Password incorrect, all the time.

I've followed the steps exactly.

Looking up localhost
Trying localhost.localdomain:1980
Connected to localhost:1980
220 you're at home
USER sauron

331 Password required for sauron.
PASS xxxx
530 Login incorrect.
Disconnecting from site localhost

Orunitia
February 5th, 2006, 09:09 AM
Is there any way to make it so that I can let the people logging in put their name for the username, and just have a set password?

frodon
February 5th, 2006, 05:29 PM
Password incorrect, all the time.

I've followed the steps exactly.

Looking up localhost
Trying localhost.localdomain:1980
Connected to localhost:1980
220 you're at home
USER sauron

331 Password required for sauron.
PASS xxxx
530 Login incorrect.
Disconnecting from site localhost
Re-create your user with the GUI if you used the command line to create it and check that the names of the directories you use for the FTP server are good in your system and in your config file, the 530 error is just a small configuration problem (wrong path names, password issues, ...). Don't forget to have a look in the hoary thread which contains a lot of support (link at the top of the first post).

makisupa123
February 8th, 2006, 01:00 PM
Great Howto....I've been using it for months. I installed gproftpd about a month ago and everything was fine...good for easy admin of the server. Then, all of a sudden (noticed it after installing 3ddesk, which i've since removed), gproftpd started segmentation faulting when running it as root. I can run it as a user but that does me little good -- understandably, you can't do much as a user. I uninstalled everything, wrote a new config file, tried changing theme info for root (it's caused problems before), but i can't get it to run as root again. Weirdness...anyone got any ideas? I'm stumped....

Thanks,

Mak

Murmeldjuret
February 8th, 2006, 01:18 PM
I get this error when I try to connect the server.


- getaddrinfo 'ftp://guldkant.mine.nu' error: Name or service not known
- Fatal: Bind: : unable to resolve "ftp://guldkant.mine.nu" on line 6 of '/etc/proftpd.conf'

what have I done wrong?

frodon
February 8th, 2006, 02:17 PM
Could you post your proftpd.conf file ?

It sounds like a domain name problem.

mssm
February 8th, 2006, 03:05 PM
Frodon, I would like to add myself as an ftp user who can browse all directories. What should I do? Thanks in advance

frodon
February 8th, 2006, 03:33 PM
Well, all the security of this guide is based on the FTP-shared directory because everything is locked in this directory and therefore you're sure that nobody will go outside this directory.
There are different ways to do that. What i would do if i was you is to add your user or create a new one (maybe better because you will not use your user password which may be the same one that you use for sudo ... up to you).
So just add a line for your user :
#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
AllowUser Your_user
DenyALL
</Limit>
Create a directory under FTP-shared called my_root for example and give it the good rights (755 for a download only directory and 777 for a download/upload directory).
Then add a section at the end of the file like that for a download only directory :
<Directory /home/FTP-shared/my_root/*>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser your_user
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
All the ftp users will see this directory but they won't be able to list or access it.
Then all you have to do is to mount in this directory the directory or the partition you want, there are some explanations on how to do it at the end of the guide (you could add a line in fstab if you want to do it on startup).

Murmeldjuret
February 8th, 2006, 03:39 PM
ServerType standalone
DefaultServer on
Umask 022
ServerName "ftp://guldkant.mine.nu"
ServerIdent on "guldkant"
Bind "ftp://guldkant.mine.nu"
ServerAdmin xxxxxxx@hotmail.com
IdentLookups off
UseReverseDNS off
Port 22
PassivePorts 49152 65534
#MasqueradeAddress None
TimesGMT off
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User oscar
Group nobody
DirFakeUser off nobody
DirFakeGroup off nobody
DefaultTransferMode binary
AllowForeignAddress on
AllowRetrieveRestart on

frodon
February 8th, 2006, 03:50 PM
Be careful that your server name should be as simple as possible, some characters may create some problems, is it the whole configuration file ?

jackmacokc
February 8th, 2006, 10:37 PM
Hello frodon,

First off - as everyone has pointed out - excellent howto. I at first tried the gproftpd gui option, but wasnt all that impressed and decided to go the other option. After some tinkering, reading, and time - I am successfully connecting to my home box from work right now. My only problem is that I'm having trouble with PASV. I can't seem to get it to work. Is there anything special you've seen to getting PASV to work? I specified PassivePorts 60000 60049 in my proftpd.conf and forwarded those ports to my internal IP on my router. I'm also masquerading my external IP.

Like I said, all works fine in active mode, but I'd like to get passive mode working properly. Any ideas would be much appreciated. Thanks!

trinaryouroboros
February 17th, 2006, 09:52 AM
Be careful that your server name should be as simple as possible, some characters may create some problems, is it the whole configuration file ?

I'm jammed here.

I'll be upfront, I have two dyndns configurations. One which is sub'd off my main web host, and another with gotdns.com just in case.

I'm only using the masqueradeaddress as the one i'm technically using with filezilla, which is only specified as the main web host address.

On the lan, by IP address I don't even need to worry about passive mode, goes right on through. Logs in just the way I want it to for each user.

When trying from the LAN through the web address, I get:

Response: 500 Illegal PORT command
Error: Could not retrieve directory listing

When trying from LAN to web address using PASV:

Response: 200 Type set to A
Command: LIST
Error: Disconnected from server
Error: Could not retrieve directory listing
Error: Timeout detected!

FTP from win32 command prompt results in a 425 error, when going through web address and typing "ls" as usual. So it leads me to believe something is silly with the PASV mode set up. The specified port ranges are opened on the router by the way.

I must have made a mess somewhere, but I'm running out of ideas. I included my proftpd.conf file which I'm sure will seem a bit sloppy.

I'm hoping someone will show me the light here. I really should be able to use the web address to do this, whether inside my LAN or not.

:-k

edit: I've tested inbound works perfectly fine, I guess I'll just deal with the provided setup as is.

Turtle.net
February 18th, 2006, 03:34 PM
Hi,
My FTP server is up and running.
I can access it from outside and I can browse the folders.
I tried to mount a folder in my /home/FTP-shared/download but i've got the error

$ sudo mount -o Photos /home/FTP-shared/download/
mount: can't find /home/FTP-shared/download in /etc/fstab or /etc/mtab

Then I created a folder

$ sudo mkdir /home/FTP-shared/download/Photos

and I created a permanent entry in my fstab as proposed in this howto.
I can browse this folder, but I'm unable to download a file from my ftp server....

Any help ??

frodon
February 19th, 2006, 02:50 PM
Is it a typo ? the command is :
sudo mount -o bind Photo_directory_path /home/FTP-shared/download
I think it's not needed to create a Photos directory under download if what you want is only to mount your photo directory in /home/FTP-shared/download.

If you're still not able to download in this directory post your proftpd.conf file and check that you put the good rights on this directory because proftpd won't overwrite the system rights you set on this directory.

darkraver
February 24th, 2006, 04:46 PM
need some help ... :-k

i have 2 different users to get in 2 different directories

"/home/shared"

and other to

"/online/forum/"

the problem is that both of then enter in the same directory :| ...

user1 i created it like
useradd user1 -p passuser1 -d /home/shared -s /bin/false

and user 2
useradd user2 -p passuser2 -d /online/forum -s /bin/false

config lines:


...
...
...
# Set /home/FTP-shared directory as home directory
# DefaultRoot /home/FTP-shared
DefaultRoot ~

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~
...
...
...
<Directory /home/shared/*>
Umask 022 022
AllowOverwrite on
AllowUser user1
</Directory>

<Directory /online/forum/>
Umask 022 022
AllowOverwrite on
AllowAll
</Directory>


so I want 1 user to access both directories and the other only to 1 ... if possible or each user for each directory ...

can anyone help me ? ;)

frodon
February 24th, 2006, 06:00 PM
The command DefaultRoot ~ defines the user home directory as home directory for the FTP, so each user will be locked in his home directory thanks to this command, so the way you use sounds good but i never used it so i don't know if it works but it should.

Add a section like that before setting the directories :
#VALID LOGINS
<Limit LOGIN>
AllowUser user1
AllowUser user2
DenyALL
</Limit>
Thus you will be sure to allow only your 2 users to login.
Try to modify your directory section like that :
<Directory /home/shared/*>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser user1
Deny ALL
</Limit>

<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

<Directory /online/forum/>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser user2
Deny ALL
</Limit>

<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
I assume that your directories are upload/download directories and therefore you gave 777 rights to them.

However, you can use also the way i gave in this post (http://www.ubuntuforums.org/showpost.php?p=715548&postcount=99) and then keep the guide spirit with the home/FTP-shared home directory for all the users and allow the user you want to enter in the directory you want. After that you can mount the directory you want in home/FTP-shared/upload, create more directories if you need.

Let me know if it works, i'm curious.

darkraver
February 24th, 2006, 06:22 PM
ok so far so good ... i've changed something ... and now directories work fine, each user can enter in a different directory.

user1 -> directory1
user2 -> directory2

the changes:

the Valid logins section was already there so no changes there



<Directory /home/shared/*>
Umask 022 022
AllowOverwrite on
AllowAll
</Directory>

<Directory /online/forum/>
Umask 022 022
AllowOverwrite on
AllowAll
</Directory>


and now they both enter in different directories :)
1º move ok \\:D/

now the 2º phase :P ... i was thinking around and it seems to be impossible for 1 of those users to access different directories since i've defined when creating them their "home" directory, since in config i'm forcing them to be in their home directory it's gonna be a bit hard :| ...

Tichondrius
February 24th, 2006, 06:35 PM
Why not just install SSH server ?

souteneur3190
February 24th, 2006, 11:11 PM
What am i doing wrong

- no such group 'nobody'
- Fatal: Group: Unknown group 'nobody'. on line 20 of '/etc/proftpd.conf'

what group should it be?

Turtle.net
February 27th, 2006, 02:21 AM
First of all thanks for your answers

Is it a typo ?
Yes it is :-?

If you're still not able to download in this directory post your proftpd.conf file and check that you put the good rights on this directory because proftpd won't overwrite the system rights you set on this directory.
You were right :) I changed the permission of each file in the subdirectories I attached and now I am able to download the files without a single problem.

Thanks again for your great howto and support \\:D/

SSamiK
March 8th, 2006, 02:18 PM
How do i add more users? :confused:

frodon
March 8th, 2006, 02:46 PM
Create a new user thanks to the "user & group" windows like for userftp in the guide then add an alias line at the beginning of your proftpd.conf file :
UserAlias aliasname newuser
Then add a line in the limit login section :
<Limit LOGIN>
AllowUser userftp
AllowUser newuser
DenyALL
</Limit>
By the way, no problem if several friends try to login at the same time with the same user, it's allowed and controlled by this line :
MaxClientsPerUser 8

SSamiK
March 8th, 2006, 04:09 PM
Thanks. :-D
Worked like a charm!
Been really helpful this thread so once again, thanks! \\:D/

SSamiK
March 10th, 2006, 02:18 PM
While i'm at it... :rolleyes:

Been trying to get Passive to work, since most (?) clients seem to use it by default, and the more inexperienced users who don't know their client can't connect. I've tried adding the line "PassivePorts 49152 65534" and opened the ports in my router, but still it seems that users who try to connect using passive get disconnected while trying to list the directories.

Any clues? :confused:



EDIT: Got it working after rebooting the router.

zino1
March 22nd, 2006, 12:45 AM
I am new to Ubuntu and I tried to install proftpd and got this;

sudo apt-get install proftpd

"Reading package lists... Done
Building dependency tree... Done
E: Couldn't find package proftpd"

I downloaded it from http://www.proftpd.org/goals.html as a .tar.gz and uncompressed it into my home directory. I ran the install command from my home directory.

What am I doing wrong?

Turtle.net
March 22nd, 2006, 02:28 AM
You have to add extra repositories in synaptic to have this kind of software ready to be installed.
Have a look to http://www.psychocats.net/linux/sources.php and http://www.ubuntulinux.nl/source-o-matic for more explanations :)

zino1
March 23rd, 2006, 10:15 PM
I have proftp installed now... I have followed the how to on the first page. all seemed to have gone well.

Yet I am unable to ftp into this box using any ftp program.

I am behind a router. Is there anything I need to do for that?

zino1
March 23rd, 2006, 10:43 PM
I have proftp installed now... I have followed the how to on the first page. all seemed to have gone well.

Yet I am unable to ftp into this box using any ftp program.

I am behind a router. Is there anything I need to do for that?


Here is my proftpd.conf file:



etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

ServerName "Zino"
ServerType inetd
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

DenyFilter \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd off

# Uncomment this if you would use TLS module:
#TLSEngine on

# Uncomment this if you would use quota module:
#Quotas on

# Uncomment this if you would use ratio module:
#Ratios on

# Port 21 is the standard FTP port.
Port 1980

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# # Limit the maximum number of anonymous logins
MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
#
#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
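
A small syntax check for proftpd.conf text pasted into a thread like this one, as an added example that is not part of the original posts or of ProFTPD itself. It flags a non-comment line that does not start with a directive name, a `<Limit>` entry that is not a known command (such an entry restricts nothing), a malformed section tag and unbalanced closing tags. The function name, the finding codes and the sample config are constructed for illustration, and the command list is a subset.

```python
import re

# Command groups plus a subset of the FTP commands that <Limit> accepts.
LIMIT_TOKENS = {
    "ALL", "DIRS", "LOGIN", "READ", "WRITE",
    "CWD", "XCWD", "CDUP", "XCUP", "PWD", "XPWD", "LIST", "NLST", "STAT",
    "SIZE", "MDTM", "RETR", "STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO",
    "MKD", "XMKD", "RMD", "XRMD", "SITE_CHMOD", "SITE_CHGRP",
}
OPEN_TAG = re.compile(r"^<(\w+)(\s+[^<>]*)?>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")
DIRECTIVE = re.compile(r"^[A-Za-z_]\w*(\s|$)")


def lint(text):
    """Return (line_number, code, detail) findings for proftpd.conf text."""
    findings, stack = [], []          # stack holds (section_name, line_number)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            m = CLOSE_TAG.match(line)
            if m is None:
                findings.append((no, "malformed-tag", line))
            elif not stack or stack[-1][0].lower() != m.group(1).lower():
                findings.append((no, "stray-close", m.group(1)))
            else:
                stack.pop()
        elif line.startswith("<"):
            m = OPEN_TAG.match(line)
            if m is None:
                findings.append((no, "malformed-tag", line))
                guess = re.match(r"<(\w+)", line)
                if guess:             # keep nesting balanced for later lines
                    stack.append((guess.group(1), no))
                continue
            name, args = m.group(1), (m.group(2) or "").split()
            stack.append((name, no))
            if name.lower() == "limit":
                for token in args:
                    if token.upper() not in LIMIT_TOKENS:
                        findings.append((no, "unknown-limit-command", token))
        elif not DIRECTIVE.match(line):
            findings.append((no, "not-a-directive", line.split()[0]))
    findings.extend((no, "unclosed", name) for name, no in stack)
    return findings


# Constructed sample showing the kinds of slips a copy/paste can introduce.
SAMPLE = """\
etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
ServerType standalone
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>
<Directory /home/FTP-shared/download/*>
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
<Directory> /home/FTP-shared/upload/>
<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
</Directory>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
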

frodon
March 24th, 2006, 10:03 AM
I strongly advise to run proftpd as standalone so replace the line :
ServerType inetd
by :
ServerType standalone
Then if you are behind a router you will need to set MasqueradeAddress and PassivePorts following the link i gave in the misc section : http://www.proftpd.org/localsite/Userguide/linked/x862.html
You will need also to forward the ports you use for the ftp server in your router configuration.
You should also read this post : http://www.ubuntuforums.org/showpost.php?p=680702&postcount=81

By the way, I'm wondering if i should add that in the guide itself and not in the misc section because many users have a router and sometimes they don't read the misc section which contain those informations.
So should i add the router things in the guide itself instead of the misc section ?

zino1
March 24th, 2006, 04:26 PM
By the way, I'm wondering if i should add that in the guide itself and not in the misc section because many users have a router and sometimes they don't read the misc section which contain those informations.
So should i add the router things in the guide itself instead of the misc section ?

As you can tell I am no expert in this OS, but I am sure it would help many of us newbies if it was.

Thank you for your assistance, I will research those links today.

Snugglej
April 4th, 2006, 05:12 PM
Hello,

I'm a real newbie at this stuff. I just started and I decided to use the GUI to set up the FTP for me.

I'm behind a router, I have all the forwarding ports (60000 - 65534) passive and (77) ftp set up. I have set all the folders to what was stated in the beginning of this how to.

I go to ftp://myhost:77 and I can log in fine and the gui shows that I have logged in but I don't get a response from the ftp for the files... i have folder in there to test.

The response I get is that it puts me in the current directory "/"
TYPE A
PASV
227 Entering Passive Mode (69,17,133,157,253,50).
Opening Data connection to 69.176.133.157 Port:64818
LIST -aL
A connection attempt failed because the connected party did not respond.
Timeout (40s).
Client Close Connection

Please help me...
I tried what had been said earlier but i got confused
I let the gui set up the proftpd.conf.
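
The 227 reply in a trace like the one above carries the address and data port the server tells the client to connect to, with the port encoded as p1*256+p2 (253,50 is 64818). The following added example, which is not code from the thread or from ProFTPD, decodes such a reply and checks it against the Port, PassivePorts and MasqueradeAddress lines of a proftpd.conf and against the port ranges opened on the router and host firewall. The function names, finding codes, sample config and the 203.0.113.7 address are constructed for illustration.

```python
import ipaddress
import re

PASV_TUPLE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (IPv4Address, port)."""
    if not reply.lstrip().startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("field above 255 in reply")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def parse_conf(text):
    """Extract the three directives that matter for passive mode behind NAT."""
    conf = {"port": 21, "passive": None, "masquerade": None}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if not words:
            continue
        key = words[0].lower()
        if key == "port" and len(words) == 2:
            conf["port"] = int(words[1])
        elif key == "passiveports" and len(words) == 3:
            conf["passive"] = (int(words[1]), int(words[2]))
        elif key == "masqueradeaddress" and len(words) == 2:
            conf["masquerade"] = words[1]
    return conf


def covered(lo, hi, ranges):
    """True if ports lo..hi all lie inside one of the (start, end) ranges."""
    return any(start <= lo and hi <= end for start, end in ranges)


def diagnose(reply, conf_text, forwarded, public_ip):
    """Return finding codes for one PASV reply seen from outside the LAN.

    forwarded: (start, end) TCP ranges opened on BOTH router and host firewall.
    public_ip: the address outside clients use to reach the server.
    """
    conf = parse_conf(conf_text)
    ip, port = parse_pasv(reply)
    findings = []
    if conf["masquerade"] is None:
        findings.append("no-masquerade")
    if any(ip in net for net in RFC1918):
        findings.append("private-address-advertised")
    elif str(ip) != public_ip:
        findings.append("stale-public-address")
    if not covered(conf["port"], conf["port"], forwarded):
        findings.append("control-port-not-forwarded")
    if conf["passive"] is None:
        findings.append("no-passive-range")
    else:
        lo, hi = conf["passive"]
        if not lo <= port <= hi:
            findings.append("port-outside-passive-range")
        if not covered(lo, hi, forwarded):
            findings.append("passive-range-not-forwarded")
    if not covered(port, port, forwarded):
        findings.append("data-port-not-forwarded")
    return findings


# Constructed sample input.
CONF_NO_MASQ = "Port 1980\nPassivePorts 60000 65535\n#MasqueradeAddress None\n"
CONF_MASQ = "Port 1980\nPassivePorts 60000 65535\nMasqueradeAddress 203.0.113.7\n"
REPLY_LAN = "227 Entering Passive Mode (192,168,0,10,253,50)."
REPLY_WAN = "227 Entering Passive Mode (203,0,113,7,253,50)."

if __name__ == "__main__":
    full = [(1980, 1980), (60000, 65535)]
    print(diagnose(REPLY_LAN, CONF_NO_MASQ, full, "203.0.113.7"))
    print(diagnose(REPLY_WAN, CONF_MASQ, [(1980, 1980), (60000, 60049)], "203.0.113.7"))
```
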

frodon
April 4th, 2006, 05:27 PM
If you are really accessing the "/" directory (your ubuntu partition) the LIST command will surely fail because of rights. Indeed you can access and list directories only if you have rights for it.
So my first advice would be to be sure that the directory you access when you login (set a good home directory not "/") the FTP server has the good rights (755 for a download directory).

Snugglej
April 4th, 2006, 11:56 PM
If you are really accessing the "/" directory (your ubuntu partition) the LIST command will surely fail because of rights. Indeed you can access and list directories only if you have rights for it.
So my first advice would be to be sure that the directory you access when you login (set a good home directory not "/") the FTP server has the good rights (755 for a download directory).

I looked at my settings and none of them are set to go to directory "/".

I am going to provide what config my gproftpd-8.2.2 has and maybe you can tell me if it is in there that something is set wrong.
I am using a netgear router, and I have all the ports forwarded as it does connect and verify the password and username.
If there is anything I need to do I will appreciate the help.

ServerType standalone
DefaultServer on
Umask 022
ServerName "192.168.1.4"
ServerIdent on "Richards Server"
Bind "192.168.1.4"
ServerAdmin RichardGiesige@hotmail.com

IdentLookups off
UseReverseDNS off
Port 77
PassivePorts 60000 65534

MasqueradeAddress 69.176.133.157

TimesGMT off
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User snugglej
Group adm
DirFakeUser off nobuddy
DirFakeGroup off nogroup
DefaultTransferMode binary
AllowForeignAddress on
AllowRetrieveRestart on
AllowStoreRestart on
DeleteAbortedStores off
TransferRate RETR 30
TransferRate STOR 40
TransferRate STOU 40
TransferRate APPE 40

SystemLog /var/log/secure
#gp_random_username_length 6
#gp_random_password_length 6
#gp_randomize_case lower
#gp_useradd_root_path /home/FTP-shared
#gp_useradd_upload_path /upload
#gp_html_path /var/www/ftp.html
#gp_welcome_name welcome.msg
<IfModule mod_tls.c>
TLSEngine off
TLSRequired off
TLSVerifyClient off
TLSProtocol TLSv1
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gproftpd/gproftpd.pem
</IfModule>

<Limit LOGIN>
AllowUser snugglej
AllowUser ftp
DenyALL
</Limit>


<Anonymous /home/snugglej>
User snugglej
Group snugglej
AnonRequirePassword on
MaxClients 3 "The server is full, hosting %m users"
DisplayLogin welcome.msg
DisplayFirstChdir .msg
AllowOverwrite off
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
<Limit ROOT_DIR_ALLOW RETR LIST NLST MDTM SIZE STAT CWD XCWD PWD XPWD CDUP XCUP>
AllowAll
</Limit>
<Limit ROOT_DIR_DENY DELE APPE STOR STOU SITE_CHMOD SITE_CHGRP RNFR RNTO MKD XMKD RMD XRMD>
DenyAll
</Limit>
<Directory /upload>
AllowOverwrite on
<Limit UPLOAD_DIR_ALLOW LIST NLST STOR STOU APPE RETR MKD XMKD SITE_CHMOD SITE_CHGRP STAT MDTM PWD XPWD SIZE CWD XCWD CDUP XCUP SITE >
AllowAll
</Limit>
<Limit UPLOAD_DIR_DENY RNFR RNTO DELE RMD XRMD >
DenyAll
</Limit>
</Directory>
</Anonymous>

<Anonymous /home/FTP-shared>
User ftp
Group userftp
AnonRequirePassword on
MaxClients 3 "The server is full, hosting %m users"
DisplayLogin welcome.msg
DisplayFirstChdir .msg
AllowOverwrite off
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
<Limit ROOT_DIR_ALLOW RETR LIST NLST MDTM SIZE STAT CWD XCWD PWD XPWD CDUP XCUP>
AllowAll
</Limit>
<Limit ROOT_DIR_DENY DELE APPE STOR STOU SITE_CHMOD SITE_CHGRP RNFR RNTO MKD XMKD RMD XRMD>
DenyAll
</Limit>
<Directory /upload>
AllowOverwrite on
<Limit UPLOAD_DIR_ALLOW LIST NLST STOR STOU APPE RETR MKD XMKD STAT MDTM PWD XPWD SIZE CWD XCWD CDUP XCUP SITE >
AllowAll
</Limit>
<Limit UPLOAD_DIR_DENY RNFR RNTO DELE RMD XRMD SITE_CHMOD SITE_CHGRP >
DenyAll
</Limit>
</Directory>
</Anonymous>

Snugglej
April 5th, 2006, 02:00 AM
Okay, I finally got it to work. All along it was my fault, because I had firestarter running on Ubuntu and it was blocking the ports for passive mode.

Once I enabled the ports by setting inbound allow traffic for ports 60000 and 65000 it worked like a charm!

So if anybody has this problem where they can't connect because it freezes at locating files, check if you have firestarter or some sort of firewall installed on Ubuntu.

*NEW PROBLEM*
But now I run into the problem where I try to transfer something and I get Transfer Failed.
I'm trying to upload into the upload file but it's not working. Any ideas??
Rich.

frodon
April 5th, 2006, 08:59 AM
hi Snugglej, glad to know that you solved your first problem.

In which directory do you get this error ?
If it's /home/FTP-shared, run this command :
sudo chmod 777 /home/FTP-shared
You have to know that proftpd doesn't overwrite the system rights, so if the system rights are too restrictive you won't be able to upload even if you've set up your FTP server well.

animesh
April 11th, 2006, 08:02 PM
I was trying to add more user accounts with different usernames and passwords using the conf files given in this thread. Also I don't know where to give passwords... I have been trying to configure proftpd for a long time but could get only one account working, and that one anonymous... Now that I tried again to introduce new users I am stuck...

How do I add more than 1 user with different usernames and passwords?

Searched the net... the proftpd guide itself is very confusing... put in a lot of fight with no results... ](*,) ](*,) ](*,) ](*,) ](*,) :( :(

Please help me to configure proftpd



#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
AuthAliasOnly on
UserAlias Junta userftp
UserAlias UPLOAD userftp1


ServerName "BATMAN'S DEN"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 40
TimeoutStalled 100
TimeoutIdle 40

DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/
DefaultRoot ~

AllowStoreRestart on

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd off

# Uncomment this if you would use TLS module:
#TLSEngine on

# Uncomment this if you would use quota module:
#Quotas on

# Uncomment this if you would use ratio module:
#Ratios on

# Port 21 is the standard FTP port.
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 10

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off

MaxClientsPerUser 5
AccessGrantMsg "Welcome to BATMAN'S DEN"

DefaultRoot /home/ftp

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp userftp1
DenyALL
</Limit>



<Directory /home/ftp/Junta/*>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser userftp
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /home/ftp/Upload/>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser userftp1
Deny ALL
</Limit>
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

frodon
April 12th, 2006, 08:48 AM
Your proftpd.conf file looks good. Create your new user using the GUI; the password for the user is always the password you set when you created the user, and the username you use to log in to the FTP server is the alias you set in the proftpd.conf file.
What error message do you get with the user that doesn't work?

RdM
April 13th, 2006, 12:38 PM
Thanks. This was really useful. I finally got everything to work.

slapper
April 15th, 2006, 12:24 PM
Hi all!! This is my first post here!!

I am trying to set up my proftpd server according to this howto.
Because I am a newbie in the Linux world, and especially with proftpd, I have some problems.

I followed the howto and everything seems nice, but I cannot log in to my FTP server, neither from the same machine nor from my Windows PC. Always the same error
(530 Login incorrect).

I have added two users: one is userftp, the other is student. I followed the same command (sudo useradd userftp -p your_password -d /home/FTP-shared -s /bin/false). I don't want to install a GUI on my server, so is it possible to create these users in another way??
One more thing: I don't understand what the useralias is.

Thanks a lot guys!!!!:D :D

AA here is my proftpd.conf file




# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias student userftp

ServerName "Miltos ftp server"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so don't use it for security reasons (choose here the port you want)
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

frodon
April 15th, 2006, 12:41 PM
Hi slapper,

Some users reported to me that the useradd command sometimes creates the 530 error because of the password, so I advise you to re-create the users using the GUI tools (System > Administration > User & Group). You could also try this command, it worked for some users:
sudo passwd userftp
and then type the password you want to set for userftp again, and do the same for your other user. It will just re-create the password.

However, when I have a look at your proftpd.conf file there is a problem. Do you really want 2 different users for your FTP server? If yes, you should modify those lines like this:
# Choose here the user alias you want !!!!
UserAlias user1 userftp
UserAlias user2 student
...
..
.
#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
AllowUser student
DenyALL
</Limit>
Why useralias?
I use useralias in my guide because this tip prevents telnet access to your FTP server and therefore increases the security of your server.
So you always use the alias name to log in to your server even if the user is called userftp.

Feel free to require more details/help ;)
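
The reason behind the 530 error discussed above, as an added example that is not part of the original posts: `useradd -p` expects an already-hashed crypt(3) string and stores its argument verbatim in the password field of /etc/shadow, so `-p your_password` leaves an entry that no typed password can match, and `sudo passwd userftp` replaces it with a real hash. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot shadow entries that were written with a plain-text
# "useradd -p" argument instead of a crypt(3) hash.

# Classify the password field (2nd field) of an /etc/shadow-format line.
classify_shadow_field() {   # usage: classify_shadow_field 'FIELD'
    case "$1" in
        '')            echo empty ;;       # no password set at all
        '!'*|'*'*)     echo locked ;;      # password login disabled
        '$'*'$'*'$'*)  echo hashed ;;      # $id$salt$hash modular crypt format
        *)
            case "$1" in
                *[!./0-9A-Za-z]*) echo plaintext ;;   # not the crypt alphabet
                *)  # 13 characters of the crypt alphabet look like legacy DES;
                    # a 13-character plain-text password would look the same.
                    if [ "${#1}" -eq 13 ]; then echo des-like
                    else echo plaintext; fi ;;
            esac ;;
    esac
}

# Read shadow-format lines on stdin, print "user verdict" for each account.
audit_shadow() {
    while IFS=: read -r user field rest; do
        [ -n "$user" ] || continue
        echo "$user $(classify_shadow_field "$field")"
    done
}

# Print only the accounts whose stored field cannot match any typed password.
unmatchable_accounts() {
    audit_shadow | awk '$2 == "plaintext" { print $1 }'
}

# Constructed sample in /etc/shadow format (the hash strings are not real).
sample_shadow() {
    cat <<'EOF'
userftp:your_password:13250:0:99999:7:::
student:$1$CONSTRUCT$ExampleHashValueNotReal00:13250:0:99999:7:::
guest:!:13250:0:99999:7:::
legacy:aaBBccDDeeFF.:13250:0:99999:7:::
EOF
}

# Demo on the constructed sample; on a real host feed it the shadow file:
#   sudo cat /etc/shadow | unmatchable_accounts
sample_shadow | audit_shadow
```
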

slapper
April 15th, 2006, 05:31 PM
Frodon thanks for the quick answer!!!!!!!

I tried what you said but nothing happened. The same problem.. :-k :-k

Anyway, I'm going to install gnome and create these users from there.
I will keep you informed.. :D

Thanks again for the response!!

frodon
April 15th, 2006, 07:18 PM
The 530 error could also come from rights problems on the directories FTP-shared, FTP-shared/download and FTP-shared/upload. So check that the rights for those directories are good.

splendid
April 17th, 2006, 03:39 AM
I tried installing. Get this message after editing the proftpd.conf file

ProFTPd warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration.

Any suggestions on what I may have done wrong? I am logged in as root, and did follow directions.

Thanks,

frodon
April 17th, 2006, 12:06 PM
Try to re-install proftpd and/or post your proftpd.conf file in your next post. However, this could come from the ServerType line in the proftpd.conf file:
ServerType standalone
You should have this line in your proftpd.conf file.

splendid
April 18th, 2006, 12:36 AM
Attached is my proftpd.conf file

#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

ServerName "basement"
ServerType inetd
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

DenyFilter \*.*/

"proftpd.conf" 103L, 2829C 1,1 Top

frodon
April 18th, 2006, 10:12 AM
OK, change:
ServerType inetd
to:
ServerType standalone
And it should be good.

splendid
April 20th, 2006, 02:36 AM
Frodon, Great that worked. I am trying to install the GUI now. Where do I need to edit the .bashrc file. Where should I enter that path with ProfFtpd?


Then add these lines in your .bashrc (it's in your home directory : gedit /home/username/.bashrc) file in order to specify what is the ProftpTools directory path, YOU MUST REMOVE THE "/" CHARACTER at the end of the path. I give you an exemple if your ProftpTools directory is in your home directory :

Thanks so much for your help.

frodon
April 20th, 2006, 11:19 AM
To open the .bashrc file:
cd
gedit .bashrc
When the file is opened, add the lines like the guide says. For example, if your ProftpTools directory is in your home directory, the lines to add would be:
ProftpTools_dir=/home/splendid/ProftpTools-v1.0.1
export ProftpTools_dir
I know it's not a really elegant way to install a script, but that's the best solution I found to set up my script quickly. If I get time I will try to find an easier way than editing the .bashrc.

Nordoelum
April 21st, 2006, 04:20 PM
How to make it work like a ftp client connect to an web server?

splendid
April 22nd, 2006, 04:13 PM
Frodon,

Attached is my .bashrc file. I think I may have screwed something up because when I enter ProftpTools from a terminal window, nothing happens. I put my entry in Bold (see below).
Thanks So much for your help. I was just able to get my printer working this morning. Took a couple days, but everyone on this forum like yourself has been real helpful.


~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

ProftpTools dir=/etc/ProftpTools-v1.0.1
export ProftpTools_dir

# If not running interactively, don't do anything
[ -z "$PS1" ] && return

# don't put duplicate lines in the history. See bash(1) for more options
#export HISTCONTROL=ignoredups

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" -a -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
".bashrc" 75L, 2291C 1,1 Top

frodon
April 22nd, 2006, 06:21 PM
It looks like a typo, the line:
ProftpTools dir=/etc/ProftpTools-v1.0.1
should be
ProftpTools_dir=/etc/ProftpTools-v1.0.1

splendid
April 22nd, 2006, 09:38 PM
Sorry, not sure how I missed that _

Anyway, I fixed the .bashrc and then typed ProftpTools and I get a message that says bash: ProftpTools: command not found

Any ideas?

Thanks!

frodon
April 23rd, 2006, 10:01 PM
Did you put the ProftpTools file in /usr/bin?
By the way, you may have to restart your terminal to get it working.

The only thing that the ProftpTools file does is run the proftpd_tools.bash script with gksudo, so the purpose of the ProftpTools file is just to launch the proftpd_tools.bash script in an elegant way with sudo rights.

dnlninja
May 8th, 2006, 04:31 AM
I am also getting the same errors as splendid.

Also (I have been reading through most of the thread, so hopefully this isn't a repeat, but sorry if it is):
I know it's a pretty newbie question (considering this would be my 3rd or 4th FTP I've set up), but I am having trouble getting my FTP visible outside of my private network. My local IP address and networked computers can connect to it (I fixed the 530 errors myself that everyone seems to have gotten), but now my direct IP isn't seeing it.

I've opened the ports and turned off my firewall. I also have the passive/masquerade on... is there something I am not thinking of?

I have a few things going odd: I edit the conf with gedit, and when I gproftpd into the program, it is offline and all the settings are off (such as the port is 0, passive ports are all wrong, download speed is 1, etc.) but it recognizes that I'm using the conf...

apresvoop
May 13th, 2006, 08:50 PM
Okay, I am at my wits end with this thing. I spent the better part of six hours reading forum posts and going through config files to get this thing to work. Finally I'm able to connect and all seems right. I go off to eat, and when I come back, I can no longer log in. Really. I have installed a couple other things, like Conky, AVG Anti-Virus, and dependencies, but that's about it. And even then I'm 99% sure it was working after I did that.

I tried deleting and recreating the userftp account just to make sure that wasn't the issue (it was done in the GUI, not the command line). Frankly I just don't know what else to do. Nothing has changed in my config since the last time it worked.

It gives me the 530 Login Incorrect error. I know the password is correct, and I know the alias names are correct, and I know the config is correct. Here's my config file. Hopefully someone can tell me what I'm doing wrong.

Does the home directory need to be chmod'ed to a particular access level?

frodon
May 14th, 2006, 07:00 PM
apresvoop, check also the rights on the ftp user home directory, because wrong rights there can generate the 530 error. The rights for a download directory should be 755, and 777 for an upload directory.
Your config file seems good, so I think it's a privilege problem on the home directory.

apresvoop
May 15th, 2006, 02:40 AM
Yes, you were right. The permissions were slightly off. Thanks.

NeoGreen
May 26th, 2006, 03:43 AM
Need help, I've tried to install proftpd by sudo apt-get install proftpd and I get this error message:
root@neoserver1:/# apt-get install proftpd
Reading package lists... Done
Building dependency tree... Done
E: Couldn't find package proftpd

I then tried the wget command (wget http://frodubuntu.free.fr/ubuntu/gproftpd-8.2.2_8.2.2-1_i386.deb
sudo dpkg -i gproftpd-8.2.2_8.2.2-1_i386.deb) and I get this message:

root@neoserver1:/home/admin#
wgethttp://frodubuntu.free.fr/ubuntu/gproftpd-8.2.2_8.2.2-1_i386.deb
--16:39:55-- http://frodubuntu.free.fr/ubuntu/gproftpd-8.2.2_8.2.2-1_i386.deb
=> `gproftpd-8.2.2_8.2.2-1_i386.deb'
Resolving frodubuntu.free.fr... failed: Temporary failure in name resolution.

Is there something I am doing wrong????](*,)

frodon
May 26th, 2006, 12:05 PM
You need proftpd to install gproftpd so without proftpd installed you won't be able to install gproftpd.
I think you don't have all the repositories enabled, see this post to check that you have all the repositories enabled then open synaptic and perform a refresh : http://www.ubuntuforums.org/showthread.php?t=92672

NeoGreen
May 27th, 2006, 04:01 AM
I went into synaptic manager and installed proftpd because it wasn't installed. Will that help? I don't know too much about repositories, and last time I messed around with them I had to do a clean install. Is there a site or link where I can go to learn about repositories and their functions? :)

mumushi
May 27th, 2006, 04:08 PM
I read your howto on setting up an FTP server. Thanks a lot, I did set it up correctly. My problem is: how can I test it? It's my first time setting up an FTP server. How can my friends access my server? What would be the command? Thank you so much in advance.

Griff
May 28th, 2006, 10:07 PM
I installed gproftpd/proftpd a long time ago (few months ago) using your excellent howto. If I open up the gui using sudo the gui just freezes. (I did have a shortcut button using gksudo). As such I was forced to just open the gui without sudo and this doesn't allow me to view the security log file. Guess the big question is:
Why can I no longer open the gui using gksudo?

frodon
May 29th, 2006, 08:58 AM
I installed gproftpd/proftpd a long time ago (few months ago) using your excellent howto. If I open up the gui using sudo the gui just freezes. (I did have a shortcut button using gksudo). As such I was forced to just open the gui without sudo and this doesn't allow me to view the security log file. Guess the big question is:
Why can I no longer open the gui using gksudo?

Really strange, did you try with sudo instead of gksudo? Sorry, I have no idea for the moment. Anyway, you need sudo rights for gproftpd if you want to handle the FTP server.


I went into synaptic manager and installed proftpd because it wasn't installed. Will that help? I don't know too much about repositories, and last time I messed around with them I had to do a clean install. Is there a site or link where I can go to learn about repositories and their functions? :)

Well, if you installed proftpd with synaptic it's OK, because synaptic is just a front end for apt-get command lines.
This may help you to understand how to install things on ubuntu :
http://ubuntuforums.org/showthread.php?t=153118


I read your howto on setting up an FTP server. Thanks a lot, I did set it up correctly. My problem is: how can I test it? It's my first time setting up an FTP server. How can my friends access my server? What would be the command? Thank you so much in advance.

I advise you to test your server yourself to begin with. Use an FTP client like gFTP to do that, so you will see if your server works.
Then once it works with your computer, ask a friend to log in to the FTP server with an FTP client, for example (but you can do that with a web browser too).

Griff
May 29th, 2006, 04:44 PM
Really strange, did you try with sudo instead of gksudo ? Sorry i have no idea for the moment, anyway you need sudo rights for gproftpd if you want to handle the FTP server.

Yes. After finding out that my shortcut no longer worked I tried opening it up in the terminal using sudo. It yields the same result. The window comes up, blank, and never loads. Then I have to force quit it.

mumushi
May 29th, 2006, 05:08 PM
I started my FTP server with the command "sudo /etc/init.d/proftpd start" but got this message:

Starting ProFTPD ftp daemon: Anthony-desktop - mod_delay/0.4: error opening DelayTable '/var/run/proftpd/proftpd.delay': No such file or directory
proftpd.

what seems to be wrong? Thank you so much for the help.

frodon
May 29th, 2006, 05:11 PM
mumushi, i would re-install proftpd in that case, i've never got this kind of error and it looks quite weird, backup your config file somewhere before doing that.

mumushi
May 30th, 2006, 01:04 AM
ok thanks for the tip. i will be doing that now and let you know what happens. ciao!

Griff
May 30th, 2006, 02:31 AM
I installed gproftpd/proftpd a long time ago (few months ago) using your excellent howto. If I open up the gui using sudo the gui just freezes. (I did have a shortcut button using gksudo). As such I was forced to just open the gui without sudo and this doesn't allow me to view the security log file. Guess the big question is:
Why can I no longer open the gui using gksudo?
Ok. I fixed my problem. I'm not sure why this works, so maybe someone that knows more about this can explain it. Opening with sudo/gksudo allows gproftpd to read/write to the secure file under /var/log. I went to this file as root in nautilus to take a look at it. I scrolled to the bottom lines (line 47,000+) and the last few entries looked OK. I emptied the contents of the file to a backup file and erased everything in /var/log/secure. Opening gproftpd as sudo now works. I'll print the last few entries of the file if you would like to see them, to see if maybe there was an entry that screwed things up.

mumushi
May 31st, 2006, 03:48 AM
i tried reinstalling it but on the process i got this message:

ProFTPd warning: not start neither in standalone nor in inetd/xinetd mode, apparently. Check your configuration.

i followed the howto yet i always get this message. Any idea what's wrong? thanks for the help (^.^)

frodon
May 31st, 2006, 08:38 AM
This should be an error or typo in the proftpd.conf file, could you post it there?

mumushi
May 31st, 2006, 02:40 PM
This should be an error or typo in the proftpd.conf file, could you post it there?

here is my proftp config file. i hope this helps in determining what went wrong. thanks!

frodon
May 31st, 2006, 02:45 PM
All you need there is to replace this line:
ServerType inetd
by:
ServerType standalone

mumushi
May 31st, 2006, 04:52 PM
ok the error is gone now. thanks alot!

Now I would like to ask how to connect to my FTP server using a browser, using the settings you have seen in my config? Thanks again for the help. :-D

frodon
May 31st, 2006, 04:58 PM
Open a web browser and put this in the address bar:
ftp://cych@your_IP:1980
I'm not sure about the character ":", maybe it's a space instead.
But it's always better to use an FTP client like gFTP.

mumushi
June 1st, 2006, 09:35 AM
I tried ftp://cych@your_IP:1980 but it doesn't work. I also tried ftp://my_IP:1980 and it still doesn't work, so I installed gftp instead. My problem is I get confused. What will I put in the host area? My IP address? Please be patient with me, it's really my first time setting up an FTP server and using gftp :)

frodon
June 1st, 2006, 09:53 AM
No problem mumushi,

In Gftp, for host put your IP address, for user put cych for port 1980 and for the password the one you chose.
Don't forget to paste the Gftp log if you get problems (maybe the 530 error).

red-i
June 1st, 2006, 10:22 AM
Greetings.

I am very new to this and require some help with the fundamentals.

I have set it up so that the server works from within my network.
I can send and receive from another machine on my local network no problems.

I am now trying to get it to work from outside the NAT.
My service provider has given me the IP of 196.211.152.206 to use to connect with. He is apparently forwarding calls made to this IP to my Ubuntu box, whose IP on my local network is 196.20.20.67. The IP of the router on my network is 196.20.20.1

When I try to connect to 196.211.152.206 using Gftp I get the following response


Looking up 196.211.152.206
Trying 196.211.152.206:21
Cannot connect to 196.211.152.206: Connection refused
Waiting 30 seconds until trying to connect again

When I check my Config file this is the response I get:



If there are no complaints the configuration is ok...
localhost.localdomain - 127.0.0.1:21 masquerading as 196.211.152.206
Check completed.

I don't know where it is getting the above IP 127.0.0.1 from, as it does not appear in the config file??

here is my config file 10351

IF someone could check my config file and make sure i'm not missing the basics that would be great.
This is starting to take years off my life](*,)

Thanks
Sean.

mumushi
June 1st, 2006, 10:44 AM
No problem mumushi,

In Gftp, for host put your IP address, for user put cych for port 1980 and for the password the one you chose.
Don't forget to paste the Gftp log if you get problems (maybe the 530 error).


I did what you have said and i know i input the correct pass but i got this message:

Looking up 192.168.232.69
Trying 192.168.232.69:1980
Connected to 192.168.232.69:1980
220 you're at home
USER cych

331 Password required for cych.
PASS xxxx
530 Login incorrect.
Disconnecting from site 192.168.232.69

What possibly went wrong? i know i am that close into making this thing work. Thanks again!

frodon
June 1st, 2006, 10:59 AM
Well, the 530 error is a common error. It can come from rights problems on the FTP-shared, download or upload directory. I advise you to use the user & group GUI and try to change the password of the user; re-create it if needed, but with the GUI.
If it's still not working I will read your config file again, but it seems OK.

red-i
June 2nd, 2006, 08:52 AM
Any assistance will be golden, I just can't seem to get this to work!

frodon
June 2nd, 2006, 08:55 AM
Did you read this post ?
http://www.ubuntuforums.org/showpost.php?p=680702&postcount=81

Sorry, i can't help you more because i'm not an expert about router things.

Maybe a thread in the server talk sub-forum will provide you the help you need.

LordMerlin
June 2nd, 2006, 10:10 PM
What do I need to change to allow each user to access his home folder?

CameronCalver
June 3rd, 2006, 05:51 AM
I have set up an FTP server, but when I go to log in I don't know the name or password. Can someone help me? This is my conf:

ServerType standalone
DefaultServer on
Umask 022
ServerName cameronsftp
ServerIdent on "My FTPD"
Bind "0.0.0.0"
ServerAdmin suped_up_supra_01@hotmail.com
IdentLookups off
UseReverseDNS off
Port 21
PassivePorts 49152 65534
#MasqueradeAddress None
TimesGMT off
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
User cameron
Group cameron
DirFakeUser off nobody
DirFakeGroup off nobody
DefaultTransferMode binary
AllowForeignAddress on
AllowRetrieveRestart on
AllowStoreRestart on
DeleteAbortedStores off
TransferRate RETR 30
TransferRate STOR 40
TransferRate STOU 40
TransferRate APPE 40
SystemLog /var/log/secure
#gp_random_username_length 6
#gp_random_password_length 6
#gp_randomize_case lower
#gp_useradd_root_path /home/ftp
#gp_useradd_upload_path /upload
#gp_html_path /var/www/ftp.html
#gp_welcome_name welcome.msg
<IfModule mod_tls.c>
TLSEngine off
TLSRequired off
TLSVerifyClient off
TLSProtocol TLSv1
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gproftpd/gproftpd.pem
</IfModule>
<Limit LOGIN>
AllowUser cameroncalver
AllowUser cameron
DenyALL
</Limit>

<Anonymous /home/FTP-shared>
User cameroncalver
Group cameroncalver
AnonRequirePassword on
MaxClients 3 "The server is full, hosting %m users"
DisplayLogin welcome.msg
DisplayFirstChdir .msg
AllowOverwrite off
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
<Limit ROOT_DIR_ALLOW RETR LIST NLST MDTM SIZE STAT CWD XCWD PWD XPWD CDUP XCUP>
AllowAll
</Limit>
<Limit ROOT_DIR_DENY DELE APPE STOR STOU SITE_CHMOD SITE_CHGRP RNFR RNTO MKD XMKD RMD XRMD>
DenyAll
</Limit>
<Directory /home/FTP-shared/linux.png/*>
AllowOverwrite on
<Limit UPLOAD_DIR_ALLOW LIST NLST MDTM SIZE SITE STAT APPE RETR STOR STOU MKD XMKD CWD XCWD PWD XPWD CDUP XCUP>
AllowAll
</Limit>
<Limit UPLOAD_DIR_DENY DELE SITE_CHMOD SITE_CHGRP RMD XRMD RNFR RNTO>
DenyAll
</Limit>
</Directory>
</Anonymous>

<Anonymous /home/FTP-sharedp>
User cameron
Group cameron
AnonRequirePassword on
MaxClients 3 "The server is full, hosting %m users"
DisplayLogin welcome.msg
DisplayFirstChdir .msg
AllowOverwrite off
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
<Limit ROOT_DIR_ALLOW RETR LIST NLST MDTM SIZE STAT CWD XCWD PWD XPWD CDUP XCUP>
AllowAll
</Limit>
<Limit ROOT_DIR_DENY DELE APPE STOR STOU SITE_CHMOD SITE_CHGRP RNFR RNTO MKD XMKD RMD XRMD>
DenyAll
</Limit>
<Directory /home/ftp/upload/*>
AllowOverwrite on
<Limit UPLOAD_DIR_ALLOW LIST NLST MDTM SIZE SITE STAT APPE RETR STOR STOU MKD XMKD CWD XCWD PWD XPWD CDUP XCUP>
AllowAll
</Limit>
<Limit UPLOAD_DIR_DENY DELE SITE_CHMOD SITE_CHGRP RMD XRMD RNFR RNTO>
DenyAll
</Limit>
</Directory>
</Anonymous>

cameron@ubuntu:~$

CameronCalver
June 3rd, 2006, 07:29 AM
I fixed the problem

LordMerlin
June 4th, 2006, 11:55 PM
Anyone?

frodon
June 5th, 2006, 08:39 AM
LordMerlin, you want to use several users in your FTP server, and you want each of these users to use their own home directory as FTP directory?
It's not really secure. Could you explain to me why you want to do that and what you want to do, and I will try to find a secure way to do it, if you agree obviously ;)

LordMerlin
June 5th, 2006, 09:06 AM
No, I want each user (normal Linux user) to have access to his folder via FTP, can that be done?

frodon
June 5th, 2006, 09:19 AM
Sure it can be done.
Create one directory for each user's home directory under FTP-shared. Then in your proftpd.conf add a section like this for each directory:
<Directory /home/FTP-shared/user1-homedir/*>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser user1
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
Also add each user in the <Limit LOGIN> section and create an alias for each one in the proftpd.conf file.
Then link the home directories to those created in FTP-shared like this:
sudo mount -o bind /home/user1 /home/FTP-shared/user1-homedir
In the example I gave you, you will only be able to download in these directories.

frodon
June 6th, 2006, 09:52 AM
By the way, did anyone try this guide with dapper?

Thanks for the feedback.

z-vet
June 6th, 2006, 05:07 PM
By the way, did anyone try this guide with dapper?

Thanks for the feedback.
I did and have no problems with it. Thanks, frodon :)

LordMerlin
June 7th, 2006, 09:34 AM
That's a lot of work just to allow each user FTP access to his home folder!!!

Isn't there any other FTP server I can use which is just plain straight forward?

frodon
June 7th, 2006, 09:40 AM
I gave you a secure way to do it but there are plenty of less secure solutions which are easier to set and this will be true with other FTP servers.

I know it will take you 15min to set it up but you only do it once, as for needed mount commands just put them in a script and it's done.

Anyway other popular servers are pureftp and vsftpd.

duffydack
June 7th, 2006, 01:47 PM
I've set up proftpd on breezy and it works fine. I installed proftpd in dapper and set it up exactly the same, and it's a lot slower when logging in and navigating folders, generally a lot slower..

GlurG
June 10th, 2006, 02:33 PM
Hi,

First post here, yay!:) Glad that I've found a thread which discusses proftpd configs. Anyhow, I have a couple of questions:

1) In the HOWTO-guide (the secure way), why is the DefaultRoot-directive defined twice?


# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~


2) I've followed the HOWTO-guide, but when I connect to the FTP-server from my WinXP comp on the same network, the file list is empty. I was expecting to see the /upload and /download directory when I log in, but I don't.

3) Some of the <Directory path/to/somewhere/*> directives have a star at the end of the path. Why?

4) I will mainly use my FTP-server to upload files to my DocumentRoot for apache. Does anyone have any tips/suggestions regarding how to do this as securely as possible?

5) How do I add encryption to my FTP-connections?

6) Also, it would be nice to know how to create different users with different passwords and different "starting"/jail directories when they log in.

Thanks

frodon
June 10th, 2006, 03:21 PM
1) Indeed one is enough but I thought it would help users who want to customise the config file to understand the principle of this command.

3)Good point, the star is not really needed since there's no sub-directories to include following the guide. You can remove them if you wish, it's up to you.

4) Mount your DocumentRoot directory in the upload directory thanks to a mount -o bind command, there's some examples at the end of the file.

5) I never did that but it's documented on the proftpd site : http://www.proftpd.org/.
You will find examples and support for that in the proftpd forum : http://forums.proftpd.org/phpBB2/

6) The users used by proftpd are the system users and you can add the users you want to allow in this section :
#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>
Don't forget to set an aliasname for them, i use this trick to prevent telnet accesses to the server.
If you use only the DefaultRoot ~ each user will access only his home directory when login.

I hope i have given you some of the information you're looking for.

GlurG
June 10th, 2006, 08:05 PM
Thanks for your response.

I'm still getting an empty directory listing when I login from my other (WinXP) comp. The DefaultRoot on the FTP-server is set to /home/FTP-shared/. I've created the upload and download directories and chmod:ed them. Still, I don't see them when I log in. I also tried to mount my webroot to /home/FTP-shared ... nothing. Why is this?

Offtopic: What does the 'sudo' command do?

frodon
June 12th, 2006, 08:47 AM
Could you post your proftpd.conf file ?

About sudo, you should read that : https://wiki.ubuntu.com/RootSudo

GlurG
June 12th, 2006, 01:11 PM
Finally got it working. I had accidentally defined ListOptions twice, so I deleted one of them and replaced the other with ListOptions "-A". Anyhow, here is my config file:

# Daemon settings
ServerName "Proftpd Server"
ServerType standalone
DeferWelcome on
AuthAliasOnly on
UserAlias sauron userftp
ListOptions "-A"
RequireValidShell off
AllowOverride off
AllowOverwrite on
MultilineRFC2228 on
DefaultServer on
ShowSymlinks off
ServerIdent off
RootLogin off
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
DenyFilter \*.*/
IdentLookups off
UserReverseDNS off
MaxLoginAttempts 3
AllowStoreRestart on
PersistentPasswd off

# Log
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xfer.log
SystemLog /var/log/syslog.log

MaxClients 10
MaxClientsPerHost 10
MaxClientsPerUser 10
MaxHostsPerUser 10

DefaultRoot /home/FTP-shared/

<Limit LOGIN>
AllowUser userftp
DenyAll
</Limit>

<Directory /home/FTP-shared/>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

elemental666
June 13th, 2006, 10:43 PM
I just set up proftp per this howto, everything works great, except when I connect from my laptop and upload stuff, the file permissions are dropped completely. This means I can't upload entire directories. When I try to upload a directory with maybe 4 files in it, the directory gets created on the server, without any permissions at all. Then it can't open that directory to start copying files. The files likewise will get no permissions at all.

So how do I get it to copy the same file permissions that exist on the client to stay on the files/dirs when sent to the server?

frodon
June 14th, 2006, 08:47 AM
What happens if you perform the same attempt after entering in terminal :
umask 022
Is the new folder still without any permissions ?

Chuckpaxton
July 1st, 2006, 07:05 PM
This may be too late to post on here and if it is then forgive me but i'm getting a fatal error
Fatal: AllowUser: directive not allowed in server config text on line 47 of /etc/proftpd.conf

can anyone help?

frodon
July 1st, 2006, 07:07 PM
Could you attach your proftpd.conf file in the next post, i'd like to see it because it sounds like a syntax error.

Chuckpaxton
July 1st, 2006, 07:09 PM
Hopefully this helps..

frodon
July 1st, 2006, 07:13 PM
Try to jump a line and make the limit login part look like that :
<Limit LOGIN>
AllowUser John
AllowUser chuck
DenyALL
</Limit>

Except that, it looks good (i mean no syntax error)

Chuckpaxton
July 1st, 2006, 07:17 PM
That didn't work... actually i got a different message...fatal: unknown configuration directive '<limit' on line 94

Chuckpaxton
July 1st, 2006, 07:47 PM
Ok I'm dumb the thing you told me to do did work. But once i tried to bring it online I got the new error message.

horatiub
July 2nd, 2006, 01:58 AM
Ok, I was able to setup proftpd. I'm able to connect to my download, upload directory. But, how can I get access to my /var/www directories?

I host a site on my server, and the path is in the /var/www. What do I have to add in the proftpd.conf in order to be able to upload my files?

Thanks

frodon
July 2nd, 2006, 04:07 AM
Just mount your /var/www directory in the upload directory :
sudo mount -o bind /var/www /home/FTP-shared/upload

horatiub
July 2nd, 2006, 04:36 AM
ok, thank you.

But if I mount that folder, then all my users are going to have access to it, right? I setup a second user, and I logged in and I saw that he has access to the same /var/www as my own user.

frodon
July 2nd, 2006, 12:38 PM
Ok, if you wish to limit the access to the upload directory to your own user only, modify the directory section like that :
<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser Your_user
Deny ALL
</Limit>
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
Thus other users will see the upload directory but won't be able to enter in and use it.

horatiub
July 2nd, 2006, 06:08 PM
that will work. But here is what I'm trying to accomplish:

I want user1 to have access to the /var/www directory, so I mount this.
Then I want user2 to only have access to /var/www/website1, I don't want him to have access to the other websites as user1 does.

Thank you everybody for your help

frodon
July 2nd, 2006, 10:29 PM
I would create 2 upload directories, mount /var/www in the first and /var/www/website1 in the second then use the "LIMIT" command as shown in my previous post to control the access.

joncisco
July 4th, 2006, 06:21 AM
Hi, I've gone through all the posts here and I am still lost.
I'm using Ubuntu Server 6.06
I have tried downloading proftpd and get the usual error.
I run this command :

root@server:~# apt-get install proftpd
Reading package lists... Done
Building dependency tree... Done
E: Couldn't find package proftpd
root@server:~#

so my first question is how do I install a program that doesn't appear to be there?

And second is how do I set it up so that the users root and fred have access to the /var/www folder.

I will be installing ispconfig as well after this and want to have ftp access for these two users. I have tried to install through different methods but no luck so far....

frodon
July 4th, 2006, 08:49 AM
You shouldn't have all the repositories enabled, have a look here for example to compare your source.list file :
http://www.ubuntuforums.org/showthread.php?t=185758
Once you've modified your source.list file run a :
sudo apt-get update
sudo apt-get upgrade
Then retry the command.

To give rights to /var/www for the user root and fred i see 2 ways, allow rights for all (sudo chmod -R 777 /var/www) or add fred to the group "root" and give full rights to the group (sudo chmod -R 774 /var/www).
More details on how manage groups and users there :
http://www.cs.unm.edu/~storm/UNIX.html

joncisco
July 5th, 2006, 12:47 AM
Thanks for your help....how do I set /var/www as the default directory for when I login via ftp?

frodon
July 5th, 2006, 08:55 AM
If you followed my guide, just mount the /var/www directory in the upload directory otherwise you can create a user with /var/www as home directory, he will login in its home directory.
Post your proftpd.conf file if you need more help.

zasf
July 26th, 2006, 12:31 PM
I can ftp from the machine itself and from another computer inside home on the same network. The actual test whether I can access it from outside, will be done tomorrow. But I am hopeful that I shall succeed. (Update : Now I can access it from outside; see my next post below).

Thanks for your message, it was very helpful.

I'd like to know if when you say

I can ftp from the machine itself and from another computer inside home on the same network

you mean using the command

ftp 192.168.1.X 1980

or using


ftp yourname.homelinux.net 1980

I have a similar configuration to yours, I also have a home server registered with dyndns. What I want to do it to access my ftp server always using the dns name (ie yourname.homelinux.net). How do you achieve that?

Thanks

n00buntu NJ
July 30th, 2006, 01:34 AM
I'm stuck. I have setup proftpd/gproftpd and everything is configured properly from within my LAN. I can access the FTP server, and transfer files up and down.

I have forwarded the port in my router, and configured proftpd/gproftpd so that I can access my ftp server remotely (e.g. [my.ip.addy.here] [port] ). I know I set this part up right, because I can access the server from outside the LAN (from my work). From a windows machine, and from a Mac at my office the results are the same, that I can successfully login, however I don't get a directory listing. ?

I have a feeling that this has to do with my Passive Port settings, and that I need to forward these ports on my router as well, but nothing I have tried has worked... HELP!

nix4me
July 30th, 2006, 02:58 PM
I have a question about multiple users. I would like to have a shared tree of folders with multiple users. The catch is I want different limits placed on each users.

/home/ftp/shared
with the following folders
scripts
code
upload

I want 3 users
download
upload
private

I want the download user to be able to download from any dir but not be able to upload.
I want the upload user to be able to see all dirs but only be able to upload into the upload dir.
I want the private user to be able to download from any dir and upload into upload only.

Is this possible? IF so do you have an example?

nix4me

frodon
July 30th, 2006, 09:21 PM
nix4me, there's some examples in some previous posts of this thread.

nix4me
July 30th, 2006, 09:36 PM
I'm actually becoming more interested in trying mysql to control users with proftpd. Doing some reading now on it.

nix4me

s6dalane
August 4th, 2006, 04:42 PM
New version of gproftpd is out (8.2.8 ). Is it possible to update the .deb in the first post too?

shoot
August 11th, 2006, 12:18 PM
Hello there, I have a problem with my proftpd setup. After installing everything(which went like a charm) I edited the .conf-file to my needs, and now I can upload and download stuff from the ftp. Theres one thing I can't do though - overwrite. It's probably something minor in the .conf I have to change, but I can't find out what, even after reading all the suggestions and confs posted.

I've attached the .conf.

Thank you in advance. Shoot

frodon
August 11th, 2006, 12:31 PM
Maybe there's an option to add in the limit command used in the directory, there :
<Directory /var/www/>
Umask 022 022
AllowOverwrite on
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
AllowAll
</Limit>
</Directory>
I never tried to overwrite a file anyway you can delete the file then write it but for sure it's less easy than a simple overwrite.

Here is the official documentation about the limit options if it helps : http://www.proftpd.org/localsite/Userguide/linked/config_ref_Limit.html

Sorry to not help you more.

Good luck ;)

shoot
August 11th, 2006, 02:25 PM
At least you tried to help, I appreciate that. Gonna go check that limit documentation through. Thanks

shoot


edit: Hmm, I read it and added some stuff, saved and restarted proftpd, now I get an error (550) when I try to upload anything to the server. I removed the stuff I added and restarted, still get error 550. What's the problem now?:|

BabyBoy
August 13th, 2006, 02:19 PM
I have httpd installed, when i log into ftp with the made username and password it takes me to the website root DIR (WWW) hmmm how secure eh :P lol NOT!
whats up with this then? heres my conf file!


# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias sauron userftp

ServerName "c0ntempt"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers on

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so don't use it for security reasons (choose here the port you want)
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome to c0ntempts ftp, **** around and your banned! !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser userftp
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser userftp
</Limit>
</Directory>

<Directory> /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser userftp
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

jakobc
August 16th, 2006, 01:18 AM
Hi - what do I need to do to send users (when they login with their own username and passwd) to their home dir?

Thanks

Scorpuk
August 21st, 2006, 01:54 PM
Just to say thanks for an excellent HOWTO.

Took me 2 days to get it all working, but that was down to my router and its inbuilt firewall. Just adding the PassivePorts section and including a ranged port allowance on my router and hey-presto it worked. :D

All this done while in another country thanks to putty and ssh :cool:

Cheers,

John.



#
# To really apply changes reload proftpd after modifications.
#

MasqueradeAddress (oops not showing this)
PassivePorts 60000 65535


AllowOverwrite on
AuthAliasOnly on

#Choose here the user alias you want !!!
UserAlias scorpuk userftp


ServerName "HTPC"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

Rootlogin off

#It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

DenyFilter \*.*/

#I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

#Allow to restart a download
AllowStoreRestart on

#Port 21 is the standard FTP port, so don't use it for security reasons
Port 1980

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 2

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

#Display a message after a successful login
AccessGrantMsg "Welcome !!!"
#This message is displayed for each access good or not
ServerIdent on "Scorpuk FTP Server"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

#Lock all the users in home directory, ****** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off

<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>

</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off

<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>

</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on

<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>

</Directory>

Scorpuk
August 21st, 2006, 02:06 PM
I have httpd installed, when i log into ftp with the made username and password it takes me to the website root DIR (WWW) hmmm how secure eh :P lol NOT!
whats up with this then? heres my conf file!


Just making sure but did you do this in the install sequence?


sudo useradd userftp -p your_password -d /home/FTP-shared -s /bin/false

The above coding forces the home directory for the user to the FTP-shared.

Other than that your config file is similar to mine except the end part for <directory> settings as far as i can tell.

Anywho hope ya get it sorted.

John.

Hawkowl
August 23rd, 2006, 01:23 AM
My setup is a little different from most.
I have a webserver that i want to allow users to update their own webpages on by FTP.

I have installed Proftp as per the early directions but changed some of it in an attempt to get access to a folder called testftp which resides in this folder /var/www/xxxxxxxxx/ftptest

I have set up a test user called fred with a password flintstone in system User and Groups.

this is a copy of my proftp.conf file, does it look ok?
and is this setup of mine the best way to go about this thing?



# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias hawkowl userftp

ServerName "xxxxxxx"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /var/www/downtowncentral/ftptest

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /var/www/downtowncentral/ftptest>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /var/www/downtowncentral/ftptest/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /var/www/downtowncentral/ftptest/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

frodon
August 23rd, 2006, 10:36 AM
It looks all good for me, don't forget to set /var/www/downtowncentral/ftptest as home directory for your user fred and to give the good rights to the directory you use for the ftp (755 for a download directory and 777 for an upload directory).

Coogan
August 26th, 2006, 04:28 PM
I need some help. I don't know what I did, but as early as this morning I was able to upload to my ftp server with no problem, and now all of a sudden I cannot upload or download to/from it. I've removed and reinstalled proftp using the steps in the 1st post, and removed and recreated the userftp account, but it's still not working.

My conf file was a cut 'n paste straight from the 1st post, with some minor changes (I changed the home dir from FTP-shared to just ftp) and I changed the server name, user alias, and port. I'm 99% sure it's a permissions problem but can't figure out why.

Coog

frodon
August 27th, 2006, 11:08 AM
Be sure to give 755 rights to your ftp directory and download directory and 777 rights for your upload directory.
Post your conf file if you changed something, sometimes a typo may be hard to see and it is easier if several people have a look at it.

Tavathlon
August 27th, 2006, 11:02 PM
Hello everyone!

I'd like to begin with saying that I'm impressed over your dedication to this thread, frodon! I've just read the whole thread, and people seldom have to wait for long before you give them a good answer - creds to you! :D

However, in spite of reading the whole thread, I still have one question - the same one that made me search this thread.

In the original howto, you refer to a simple way of mounting folders into the folder that my ftp-users may access (which is their own respective home folders). In fstab, this line should be added:

'the_directory_to_mount /home/FTP-shared/download vfat bind 0 0'

I have used this kind of hard linking for about a year, and it works really well! (however I mount the folder into every users home folder instead, since that is the only part of my computer that they may access) However, as it is now, all users have complete access to the folder I mount into their home directory. I want them to have full access to their own Home, but I don't want them to be able to write or delete in the folder I mount into their Home - I only want them to have read access there. I've tried to use the umask function to limit their access in the mounting itself, but without any success. The line in fstab looks like this right now:


'the_directory_to_mount /home/user/name_of_folder vfat bind,umask=777 0 0'

I've also tried umask=000, umask=222 and so on... But the users always have full access anyway.

Am I making the umask thing wrong? Is there any way to achieve the same goal by configuring proftpd.conf?

Unfortunately, I cannot just simply chmod the directory - I don't know why, but I cannot, even if I am root. It just simply doesn't work. On the other hand, it doesn't really matter, because I want _some_ users so have full access to the same folder.

Finally, I do not use gproftpd, and I do not intend to either, mostly because I think it works fine the old way. There is only one function in gproftpd that I would like to have, and that is the logging of what users are online, and what did they download/upload. But nah, that doesn't really matter that much... =P

Hope to get some help with this problem, it would be really nice to have my stored files secured! :)

frodon
August 28th, 2006, 09:16 AM
Hi and thanks for being so kind with me.


There is only one function in gproftpd that I would like to have, and that is the logging of what users are online, and what did they download/upload. But nah, that doesn't really matter that much... =P

Open a terminal and type ftptop while your ftp server is running, you will see who is connected on the server in real time and what he's downloading, if you press the character t you will even see the transfer rate.
There is also the ftpwho command which gives you the same kind of information but not in real time.

If you want to prevent write and deletion in a folder just modify the section corresponding to this folder in your proftpd.conf file.
For example the download directory on my guide :
<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
The parameters DELE and RMD are denied therefore the users will not be able to delete a file or a directory in the corresponding folder.

See the limit page on the proftpd site for more details :
http://www.proftpd.org/localsite/Userguide/linked/config_ref_Limit.html

Tavathlon
August 28th, 2006, 04:03 PM
*pointing at the two most recent posts* 10 hours. That _is_ impressive! :D

The commands ftptop and ftpwho were really useful, thanks a lot! Someone told me once that such information was not available in proftpd, but apparently they were wrong. :)

However, the limit configuration did not work =/ (and yes, I did restart the server before I tried it out :p )
I've been looking at the limit configuration before, but didn't really understand how it worked back then. This time, I copied the text in your post straight off, but it didn't work. (I changed the directory, of course.)

I'm not quite sure why the limit does not work, but on the other hand, the umask should have worked too...

frodon
August 28th, 2006, 04:10 PM
Could you post your proftpd.conf file and tell me the name and path of the directories you want to protect from DEL and RMD commands ?
I'll have a look to it and see if something sounds wrong in your config file.

Tavathlon
August 28th, 2006, 07:01 PM
Absolutely. The path to the directory (or rather an example - there are as many as I have ftp-users, but I use this particular one for testing)

Thanks a lot!

Tavathlon
August 29th, 2006, 10:31 AM
By the way, the directory that is linked into user morot's home folder is actually a HD mounted at another spot. I'm not sure whether that might make any difference?

frodon
August 29th, 2006, 10:37 AM
After reading your conf file i don't see anything wrong, i don't understand why users are still able to delete, i use quite the same method in my guide and it works without any problems, it's weird.

Tavathlon
August 30th, 2006, 11:11 AM
Strange indeed. Well, I suppose I'll just put it in the pile of unsolved mysteries, then. :p

I found out today that I am actually able to change the permissions of the folder nowadays - I suppose I haven't tried that since I upgraded to Dapper or something. So it's possible for me to prevent people from deleting files, but the downside of it is that I myself won't be able to do it either without meddling as root. That's a minor problem, though.

Anyway, thanks a lot for the help! :D

(After all, now I know that it's something strange, and not just I that is doing things wrong... :) )

recklessray
August 31st, 2006, 02:40 PM
followed the howto - but when start the server , i get this error.. any ideas anyone? cheers :)

frank:/home/ftp# /etc/init.d/proftpd restart
Stopping ftp server: proftpd.
Starting ftp server: proftpd - IPv6 getaddrinfo 'localhost.localdomain' error: Name or service not known

frodon
August 31st, 2006, 03:46 PM
Did you change anything in the proftpd.conf file given in the guide ? If yes could you post it ?

nix4me
September 3rd, 2006, 05:56 PM
I like the way you have the server setup however I have one question. If I set more aliases to allow more login account names, they all have the same password...the password set for userftp.

Is there a way to still use aliases and have seperate passwords without having to setup system accounts for each user?

nix4me

frodon
September 4th, 2006, 01:02 PM
Without creating new accounts, i would say no but obviously i may be wrong.

BTW, do you (all users) think it would be useful for you if i write a small guide on how to set a FTP server with TLS/SSL encryption, that means the authentication and the data are encrypted (SFTP) ?

nix4me
September 4th, 2006, 03:12 PM
Well i figured out how to do what I wanted from my previous post. I had to abandon the use of alias.

I am using virtual users with the AuthUserFile feature and things are working great.

I also have TLS enabled and working nicely.

Any value added in me documenting the use of virtual users on this forum?

nix4me

frodon
September 4th, 2006, 03:19 PM
Any value added in me documenting the use of virtual users on this forum?

nix4me

Of course yes and i would gladly add this documentation to the first post with the due credits.
I would be really interested too if you could also explain the steps you followed to enable TLS.

Thanks a bunch, you rock :KS

nix4me
September 4th, 2006, 09:32 PM
Use the following steps to get TLS working in proftpd:


# sudo apt-get install build-essential
# sudo apt-get install libssl-dev
# cd /etc
# sudo mkdir ftpcert
# cd ftpcert/
# sudo openssl genrsa 1024 > host.key
# sudo chmod 400 host.key
# sudo openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert

Answer the questions - Valid answers are not important

Add these lines to the /etc/proftpd.conf


TLSEngine on
TLSLog /var/log/ftpd/tls.log
TLSProtocol TLSv1
TLSRequired off
TLSVerifyClient off
TLSRSACertificateFile /etc/ftpcert/host.cert
TLSRSACertificateKeyFile /etc/ftpcert/host.key

*Note - Use TLSRequired ON to force the use of TLS. OFF means that the use of TLS is optional.

Let me know if you have problems,

nix4me
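
The following lint script is an added example, not part of the original thread and not ProFTPD's own tooling. It checks a proftpd.conf for slips that recur in the configs posted earlier in this thread (a section tag written as `<Directory> /path>`, misspelled FTP commands in `<Limit>`, AllowUser outside `<Limit>`, a top-level directive set twice) and for the TLS settings in the post above (TLSProtocol TLSv1, TLSRequired off). The function name, finding labels, command list and sample config are assumptions made for the example.

```python
import re

# Tokens accepted inside <Limit ...>: ProFTPD command groups plus FTP commands.
# Assumption: a working subset for this check, not ProFTPD's complete list.
LIMIT_TOKENS = set("""ALL DIRS LOGIN READ WRITE
    ABOR APPE CDUP CWD DELE LIST MDTM MKD NLST PASS PASV PORT PWD QUIT REST
    RETR RMD RNFR RNTO SITE SIZE STAT STOR STOU USER
    XCUP XCWD XMKD XPWD XRMD EPRT EPSV""".split())
# Treated here as valid only inside <Limit> (AllowUser outside it is the
# "directive not allowed in server config" error quoted earlier in the thread).
LIMIT_ONLY = {"allowuser", "denyuser", "allowgroup", "denygroup", "order"}
ONCE_AT_TOP = {"defaultroot", "listoptions"}   # set twice in configs in this thread
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}     # deprecated protocol versions

OPEN_RE = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
STRAY_RE = re.compile(r"^<(\w+)>\s*\S.*>$")    # "<Directory> /path/>"


def lint(conf_text):
    """Return a list of (line_number, kind, message) findings."""
    findings, stack, seen = [], [], {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        stray = STRAY_RE.match(line)
        if stray:
            findings.append((lineno, "malformed-section",
                             f"<{stray.group(1)}> closes before its argument"))
            stack.append((stray.group(1).lower(), lineno))
            continue
        close = CLOSE_RE.match(line)
        if close:
            if stack and stack[-1][0] == close.group(1).lower():
                stack.pop()
            else:
                findings.append((lineno, "unbalanced-close", line))
            continue
        opening = OPEN_RE.match(line)
        if opening:
            name, arg = opening.group(1).lower(), opening.group(2) or ""
            if name == "limit":
                for tok in arg.split():
                    if tok.upper() not in LIMIT_TOKENS:
                        findings.append((lineno, "unknown-limit-command", tok))
            stack.append((name, lineno))
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive in LIMIT_ONLY and all(n != "limit" for n, _ in stack):
            findings.append((lineno, "limit-only-outside-limit", parts[0]))
        if not stack and directive in ONCE_AT_TOP and len(args) == 1:
            if directive in seen:
                findings.append((lineno, "repeated-directive",
                                 f"{parts[0]} already set on line {seen[directive]}"))
            seen.setdefault(directive, lineno)
        if directive == "tlsprotocol" and LEGACY_TLS & set(args):
            findings.append((lineno, "legacy-tls-protocol", " ".join(args)))
        if directive == "tlsrequired" and [a.lower() for a in args] == ["off"]:
            findings.append((lineno, "tls-optional",
                             "cleartext logins are still accepted"))
    findings.extend((n, "unclosed-section", f"<{name}>") for name, n in stack)
    return findings


# Constructed sample combining slips seen in configs posted in this thread.
SAMPLE = """\
ListOptions "-l"
DefaultRoot /home/FTP-shared
DefaultRoot ~
AllowUser userftp

<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared/download/*>
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /home/FTP-shared/upload/>
<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

TLSEngine on
TLSProtocol TLSv1
TLSRequired off
"""

if __name__ == "__main__":
    for lineno, kind, msg in lint(SAMPLE):
        print(f"line {lineno}: {kind}: {msg}")
```

Run it against a copy of /etc/proftpd.conf by passing the file's text to lint(); an empty list means none of these particular slips were found, not that the configuration is otherwise correct.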

emptycs
September 5th, 2006, 06:55 AM
when i type

sudo apt-get install proftpd

I get couldn't find packages proftpd

frodon
September 5th, 2006, 08:43 AM
emptycs, this should be a repository problem, have you enabled the universe and multiverse repositories ?

nix4me, your instructions are really nice, i don't have the time to test them now but will do ASAP. Anyway it should work like a charm because i found the same instructions on the proftpd forum :
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
http://www.castaglia.org/proftpd/modules/mod_tls.html
However, I saw you don't use the TLSCACertificateFile; it is explained here :
http://www.modssl.org/docs/2.7/ssl_faq.html#cert-ownca

On the other hand, could you confirm that to get the authentication file to work you just created an authentication file and added the AuthUserFile (http://www.proftpd.org/localsite/Userguide/linked/config_ref_AuthUserFile.html) command?
Could you give us your authentication file as an example? Did you try aliases with the authentication file method?
Thanks a lot

timka1
September 5th, 2006, 11:31 AM
When I get to the following line:


sudo openssl genrsa 1024 > host.key

I get "bash: host.key: Permission denied"

How does this happen when using "sudo"?

frodon
September 5th, 2006, 12:25 PM
Check the rights of the file host.key; if it doesn't have write rights, even sudo can't open the file and write to it.
To add "write" rights use this command :
sudo chmod +w host.key

timka1
September 5th, 2006, 12:34 PM
[trying the new TCL config from previous page]
I tried sudo chmod +w host.key

As I suspected it said that the file did not exist.

I applied the chmod to the directory (ftpcert) and this worked

I then reran sudo openssl genrsa 1024 > host.key

But still got the Permission denied error.

[general error]

Not sure if this is relevant to the specific TCL config error but when I try to upload to the FTP server connecting via Fetch (Mac GUI) I drag the file into the upload directory and the transfer starts, the file name is created but then it hangs and eventually times out. The file is there but 0 bytes.
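The "Permission denied" above comes from the redirection: in `sudo openssl genrsa 1024 > host.key` the invoking user's shell opens host.key before sudo starts, so only openssl runs as root. The sketch below is an added example, not part of the original posts; it lets openssl create the files itself with -out, and the function names, the 2048-bit key, SHA-256 and the ftp.example.test common name are assumptions of this example.

```shell
#!/bin/sh
# Added example: create a passphrase-less key and self-signed cert for ProFTPD.
# Run the whole script as root (e.g. "sudo sh thisfile") and call:
#   make_ftp_cert /etc/ftpcert
# so that openssl, not the unprivileged shell, opens the output files.

make_ftp_cert() {
    dir=$1                       # target directory, e.g. /etc/ftpcert
    cn=${2:-ftp.example.test}    # placeholder common name (assumption)
    (
        umask 077                # key is owner-only from the moment it exists
        mkdir -p "$dir" || exit 1
        # -out replaces "> host.key": the privileged process opens the file
        openssl genrsa -out "$dir/host.key" 2048 2>/dev/null || exit 1
        chmod 400 "$dir/host.key"
        # -subj answers the certificate questions non-interactively
        openssl req -new -x509 -sha256 -days 365 \
            -key "$dir/host.key" -subj "/CN=$cn" \
            -out "$dir/host.cert" 2>/dev/null || exit 1
    )
}

# Permission string of a file as ls prints it, e.g. "-r--------"
file_mode() {
    ls -ld "$1" | cut -c1-10
}
```

The key this produces is unencrypted, so the daemon starts without a passphrase prompt and the 400 mode is what protects it.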

frodon
September 5th, 2006, 06:52 PM
OK, the instructions on how to enable TLS/SSL are tested and working like a charm.

See the main post for detailed instructions on enabling TLS/SSL.

Again thanks to nix4me ;)

whatalotta
September 5th, 2006, 08:01 PM
Hi folks,

I've followed the howto inclusive of the tls part. Everything works fine. Thanks for taking the time to create a great howto like this one for the community to use.

I want to be able to remotely reboot my box. However, I am concerned that the way the certs are set up, the system will just hang because I will need to input the password, and I don't know how to do so remotely (I use putty/ssh).

Can you advise how to modify or create certs that will allow me to perform an unattended reboot?

Thanks!

whatalotta
September 5th, 2006, 08:28 PM
Okay, this turned out worse than feared. Upon attended reboot, the system just hung. I'm going to play with the configuration of grub to get rid of the fb stuff and try again later.

Note that after hitting Power Off (I hate to admit that), I selected recovery mode from grub, and the system just hung after alsa was restored. Tried putting in the password a couple of times (blind). Didn't work.

I ended up rebooting into Gentoo and chrooting into Kubuntu LTS. I then removed the ftpcert directory and commented out the cert lines from the proftpd.conf.

Upon reboot, all is normal. I'm feeling a bit confused. For right now, I will use proftpd without encryption. However, I really like the idea of having encryption. Please let me know what I need to do to get rid of the requirements for passwords.

Thanks!

nix4me
September 6th, 2006, 02:46 AM
I don't know what you're talking about when you say you are having to enter a certificate password. The instructions that I posted work flawlessly.

Another way to create an SSL certificate is to load gproftpd and use it to generate a .pem file. Then just load that certificate in the proftpd config with TLSRSACertificateFile. I did that 3 years ago and have had my server up and running for the last 3 years.

Anyway, again, not sure what has happened to you. I don't have a spare machine to try the config that Frodon posted. I will try to test soon.

nix4me

whatalotta
September 6th, 2006, 04:04 AM
I tested it with gproftpd and it works without requiring passwords every time the proftpd daemon is started and stopped (restarted). I believe the password was for a .key file.

We'll see if someone else comes along with the same problem.

-Whata

frodon
September 6th, 2006, 08:41 AM
Yep, I noticed the password thing too and I confirm that the password is needed to start/restart/stop the server; I will search and see if it's possible to get rid of that.
Anyway, having your own certificate file is not mandatory.

EDIT: well, I found the answer there :
http://www.modssl.org/docs/2.7/ssl_faq.html#remove-passphrase

It is because the RSA private key is encrypted in the server.key file, thus the solution is to remove the encryption of the RSA private key, but that makes the key readable in the server.key file. So for the moment I don't know what to advise.
For sure the most secure solution is to keep the RSA private key encrypted.

Do you think I should document the way to remove RSA private key encryption in the server.key file in the guide as an alternative way to use the certificate file? Obviously with a warning notifying that it's less secure.
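Whether ProFTPD stops to ask for a passphrase at start-up depends on whether the key named by TLSRSACertificateKeyFile is encrypted; an unencrypted key starts unattended but is protected only by its file permissions. The check below is an added example, not from the thread; the function names and the header-only sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how the TLS key named in proftpd.conf is protected.

# Path given by the TLSRSACertificateKeyFile directive (last one wins here)
tls_key_path() {
    awk 'tolower($1) == "tlsrsacertificatekeyfile" { p = $2 } END { print p }' "$1"
}

# "encrypted": PEM key needs a passphrase, so the daemon prompts at start-up
# "plain": starts unattended, file permissions are the only protection
key_protection() {
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
    then echo encrypted
    else echo plain
    fi
}

# "tight" when group and other have no permission bits, else "loose"
key_perms() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) echo tight ;;
        *)      echo loose ;;
    esac
}

audit_tls_key() {
    key=$(tls_key_path "$1")
    if [ -z "$key" ] || [ ! -f "$key" ]; then echo no-key; return 1; fi
    echo "$(key_protection "$key") $(key_perms "$key")"
}

# Constructed sample: header-only fake key (no real key material) plus config
demo_audit() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$d/host.key"
    chmod 400 "$d/host.key"
    printf 'TLSEngine on\nTLSRSACertificateKeyFile %s\n' "$d/host.key" \
        > "$d/proftpd.conf"
    audit_tls_key "$d/proftpd.conf"
    rm -rf "$d"
}
```

A result of "plain loose" is the combination to fix first: the key is readable without a passphrase and by accounts other than its owner.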