Open Source Software Technical Articles

Share Files Easily with ProFTPD


Despite the advancements in interoperability between file systems, and the availability of file sharing services nowadays, hosting your own FTP server still offers advantages. FTP is easy to set up and use, and any files transferred via FTP stay securely within your network. With ProFTPD server, you can allow users to share files, and even allow people outside the corporate firewall to send files to you, easily and securely.

As an FTP server, ProFTPD offers several advantages. For starters, it's controlled by a single configuration file. If you have configured an Apache web server (and what admin hasn't?), you'll be at home with ProFTPD's configuration file. It's also lightweight and modular, meaning you can add extensions to it, for example to encrypt file transfers or hook it up with a directory server.

The server is available in the official software repositories of all major distributions, including CentOS, Debian, Ubuntu, and Fedora. You can also grab it from its website and compile it atop Mac OS X and several BSDs, such as FreeBSD, NetBSD, and OpenBSD.

One of the strengths of ProFTPD is its configuration file. On most distributions you'll find the file under /etc/proftpd/proftpd.conf. Similar to Apache's configuration file, it contains lines of configuration directives grouped by context. Before you start editing the configuration, familiarize yourself with the various configuration directives.

ProFTPD server can run as an xinetd service or as a standalone server. The former is suitable for low-traffic installations, while the latter is designed to handle high traffic. The ServerType directive controls the mode.

The User and Group directives control the identity the FTP daemon switches to after you've started it as root. This is again similar to Apache, which moves to a user www or user apache after it's started by the httpd daemon. By default, the proftpd.conf configuration file passes on the control of the proftpd daemon to user nobody and group nogroup.

To authenticate users, ProFTPD relies on the host's /etc/passwd file. This simplifies things – to add new FTP users all you need to do is create new user accounts. But you can also create FTP-only virtual users that don't have accounts on the system by using ProFTPD's AuthUserFile directive, or you can use authentication modules to fetch login information from sources like LDAP directories or SQL tables.

Finally the and directives give you fine-grained control over access to the directories on your system, and what permissions users have on them.

FTP Server Alternatives

Although the GPL-licensed ProFTPD is the most popular and powerful open source FTP server, it isn't the only one. There's also the BSD-licensed Pure-FTPd server, and for Windows admins, there's the graphical FileZilla server.

Graphical Administration

Although it's a good idea to browse the configuration file in your favorite text editor, you can also use a configuration editor that lets you tweak your ProFTPD configuration graphically. The GADMIN-PROFTPD tool lets you set up an FTP server quickly. As with ProFTPD, most distros include the administration tool in their repos, or you can grab it off its website.

To see how it works, we'll use the tool to create two users with different permissions on the same directory: an anonymous user without a password, which can only upload files to the server, and an FTP admin with full access to the uploaded files.

When you launch the tool it will overwrite your existing configuration, but only after backing it up. You can restore your backed up configuration from within the tool with a single click, or back up a working configuration before making any changes.

After launching the tool, make it aware of your network settings. Under the Servers tab, specify the IP address of the machine that's running the ProFTPD server. If it's connected via a NAT router, specify its external IP address in the NAT router field.

Finish up by going over some common administration settings. Specify the admin's email address, the maximum number of simultaneous connections (to prevent DDoS attacks), the number of failed login attempts before a user is disconnected, and the upload and download speeds allotted to the FTP server (in kilobytes/sec).

Move your mouse over a setting to get details about the behavior it controls. When you're done, click on the Apply button to save the settings.


Add Users and Directories

You can use the Import button under the Servers tab to import users on the system, or you can add users manually from under the Users tab. To add a user manually, click on the New user button and input the user's details in the space below. To see how this works, create a user with admin access to a particular directory. In the appropriately marked fields, enter the username (admin) and password, and add the user to a group (ftpadmin). Also make sure the Require password checkbox is selected. You can stick with the defaults for the other settings unless you know what you're doing.

At the bottom of the screen there's the option to add and associate a directory with this user. Click on the Add directory button and navigate to the directory you want to associate with the user (/var/ftp/incoming).

You can control the permissions a user has over a directory you're adding by toggling the appropriate checkboxes. Since we are setting up the administrator we'll give the user complete control over the directory by toggling all the checkboxes. When you are done click on the Apply button to add the user.

You can associate a user with multiple directories with different permissions. That means a user who's an administrator of one directory can be restricted to just accessing the files of another directory.

The procedure to add the anonymous user isn't any different; the only difference lies in the permissions. Specify the username and group (anonymous) as you would normally. In the password field, click on the Password button to generate a random password, and make sure to uncheck the Required password box. This lets anyone logging in with anonymous as their username log in without a password.

Since you don't want anonymous users to gain shell access to the server, select /dev/null from the Shell pulldown menu.

When adding the directory to be associated with this user, point to /var/ftp/incoming as you did earlier – but this time make sure you restrict permissions by not toggling any of the checkboxes.

Although your requirements for the anonymous user may vary, it's a good idea to toggle only the Upload checkbox, and prevent anonymous users from even accessing the list of files on the server, changing directories, or overwriting existing files.

With all the settings in place, click on the Activate button to activate the server. Now anyone who logs into your FTP server with the anonymous username will not be prompted for a password, and will be able to upload files to the server. When the admin attempts to log in, he will be asked to verify his credentials, after which he will be able to download and manipulate files on the server.

Fine-Tune and Enhance the Setup

You now have a basic FTP server, but there's a lot more you can do with ProFTPD and GADMIN-PROFTPD. Once you get familiar with the operation of the FTP server, you can tweak it to your liking.

Before you deploy ProFTPD in a real-world environment you'll want to enable encryption. You can do so from under GADMIN by scrolling down to the Secure communications section under the Servers tab. Here you can generate a signed digital certificate that will automatically be associated with the server.
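A hand-written proftpd.conf equivalent of the setup built above (upload-only anonymous access to /var/ftp/incoming, a password-protected admin in group ftpadmin, and encryption), added here as an example; it is not this article's or GADMIN-PROFTPD's own output. The anonymous account name ftp, the file paths and the numeric limits are assumptions.

```conf
# Added example: hand-written proftpd.conf fragment, not GADMIN-PROFTPD output.
# Account names, file paths and numeric limits are assumptions.
# "standalone" for busy servers, "inetd" when started from inetd/xinetd.
ServerType         standalone
# Identity the daemon switches to after being started as root.
User               nobody
Group              nogroup
# Cap server processes and failed logins per connection.
MaxInstances       30
MaxLoginAttempts   3

# FTP-only virtual accounts such as "admin" in group "ftpadmin".
AuthUserFile       /etc/proftpd/ftpd.passwd
AuthGroupFile      /etc/proftpd/ftpd.group
RequireValidShell  off
# Jail members of ftpadmin in the upload directory.
DefaultRoot        /var/ftp/incoming ftpadmin

# Anonymous sessions are chrooted to /var/ftp; user ftp must be able to
# create files in incoming/ at the file-system level.
<Anonymous /var/ftp>
  User               ftp
  Group              nogroup
  UserAlias          anonymous ftp
  RequireValidShell  off
  MaxClients         10 "Too many anonymous sessions"
  AllowOverwrite     off
  # Nothing may be written outside incoming/.
  <Limit WRITE>
    DenyAll
  </Limit>
  <Directory incoming>
    # No download, listing, chdir, delete or rename in the drop box ...
    <Limit READ WRITE DIRS>
      DenyAll
    </Limit>
    # ... but the per-command STOR limit overrides the WRITE group.
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

# Encrypt logins and transfers (mod_tls); certificate paths are placeholders.
<IfModule mod_tls.c>
  TLSEngine                 on
  TLSRSACertificateFile     /etc/proftpd/ssl/proftpd.crt
  TLSRSACertificateKeyFile  /etc/proftpd/ssl/proftpd.key
  TLSRequired               on
</IfModule>
```

With TLSRequired on, clients that cannot negotiate FTPS are refused, anonymous uploaders included. Running `proftpd -t` checks the file's syntax before a restart.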

If you want to use FTP behind your corporate firewall and give all your users the ability to upload and download from the FTP server, you can do so more efficiently if you are using a directory server. The configuration process is well documented and involves several directives, but at the bare minimum you'll need to know the address of the directory server and its distinguished name (DN) and common name (CN).

This work is licensed under a Creative Commons Attribution 3.0 Unported License
Creative Commons License.
