Proftp Configuration

使用proftp配置了一个FTP服务器, 看中的就是它的可配置性比较强.
只有anonymous用户, pub文件夹下只有读权限, uploads文件夹下有上传文件权限但没有读权限和删除仅限.

在Fedora 10下, 如果打开SELinux则不能上传. 我这里直接把SELinux关闭了.

在Fedora 11下，DisplayFirstChdir .message 选项无法使用，这里将它注掉了。

另外在FTP目录中的ln -s是不起作用的, 如果想把另外目录挂到FTP下, 使用mount:

mount -o bind /to/source/dir /destination/dir

以下是我的/etc/proftpd.conf

# This is the ProFTPD configuration file

ServerName                      "Eric's ProFTPD server"
ServerIdent                     on "FTP Server ready."
ServerAdmin                     eric.zq.ma@gmail.com
ServerType                      standalone
#ServerType                     inetd
DefaultServer                   on
AccessGrantMsg                  "User %u logged in."
#DisplayConnect                 /etc/ftpissue
#DisplayLogin                   /etc/ftpmotd
#DisplayGoAway                  /etc/ftpgoaway
DeferWelcome                    off

# Use this to excude users from the chroot
DefaultRoot                     ~ !adm

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig                   proftpd
AuthOrder                       mod_auth_pam.c* mod_auth_unix.c

# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups                    off
UseReverseDNS                   off

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# Default to show dot files in directory listings
ListOptions                     "-a"

# See Configuration.html for these (here are the default values)
#MultilineRFC2228               off
#RootLogin                      off
#LoginPasswordPrompt            on
#MaxLoginAttempts               3
#MaxClientsPerHost              none
#AllowForeignAddress            off     # For FXP

# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart            on
AllowStoreRestart               on

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    20

# Set the user and group that the server normally runs at.
User                            nobody
Group                           nobody

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile                     no

# This is where we want to put the pid file
ScoreboardFile                  /var/run/proftpd.score

# Normally, we want users to do a few things.
<Global>
  AllowOverwrite                yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>

# Define the log formats
LogFormat                       default "%h %l %u %t "%r" %s %b"
LogFormat                       auth    "%v [%P] %h %t "%r" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
#TLSEngine                      on
#TLSRequired                    on
#TLSRSACertificateFile          /etc/pki/tls/certs/proftpd.pem
#TLSRSACertificateKeyFile       /etc/pki/tls/certs/proftpd.pem
#TLSCipherSuite                 ALL:!ADH:!DES
#TLSOptions                     NoCertRequest
#TLSVerifyClient                off
##TLSRenegotiate                ctrl 3600 data 512000 required off timeout 300
#TLSLog                         /var/log/proftpd/tls.log

# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#<IfModule mod_dso.c>
#  LoadModule mod_ban.c
#  LoadModule mod_ifsession.c
#  LoadModule mod_quotatab.c
#  LoadModule mod_quotatab_file.c
#  LoadModule mod_sql.c
#  LoadModule mod_sql_mysql.c
#  LoadModule mod_sql_postgres.c
#</IfModule>

# A basic anonymous configuration, with an upload directory.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp
  AccessGrantMsg                "Anonymous login ok, restrictions apply."

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    2 "Sorry, max %m users -- try again later"

  # Put the user into /pub right after login
  #DefaultChdir                 /pub

  # We want 'welcome.msg' displayed at login, '.message' displayed in
  # each newly chdired directory and tell users to read README* files.
  DisplayLogin                  /welcome.msg
#  DisplayFirstChdir             .message
  DisplayReadme                 README*

  # Some more cosmetic and not vital stuff
  DirFakeUser                   on ftp
  DirFakeGroup                  on ftp

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE SITE_CHMOD>
    DenyAll
  </Limit>

  # An upload directory that allows storing files not retrieving
  # or creating directories.
  <Directory uploads/*>
    AllowOverwrite              no
    <Limit READ RMD DELE>
      DenyAll
    </Limit>
    <Limit STOR MKD CWD WRITE>
      AllowAll
    </Limit>
  </Directory>

  # Don't write anonymous accesses to the system wtmp file (good idea!)
  WtmpLog                       off

  # Logging for the anonymous transfers
  ExtendedLog           /var/log/proftpd/access.log WRITE,READ default
  ExtendedLog           /var/log/proftpd/auth.log AUTH auth

</Anonymous>

# Configuration for mod_ban
<IfModule mod_ban.c>
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user ftpadm
</IfModule>