ProFTPD 1.3.3 Install (source)


ProFTPD 1.3.3をインストールした時のメモ。

  • Vine Linux 5.0
  • MySQL 5.1.44
  • ProFTPD 1.3.3

まずはProFTPDのサイトからtar玉を落としてくる。展開する前に、配布元が公開している署名（.asc）かチェックサムでtar玉を検証しておく（ビルド元が差し替えられていないことの確認）。

$ tar zxvf proftpd-1.3.3.tar.gz

で、ユーザ管理はMySQLで行うのでメイクファイルに書き込む。

$ cd proftpd-1.3.3
$ ./configure \
--prefix=/usr \
--exec-prefix=/usr \
--mandir=/usr/share/man/man8 \
--sysconfdir=/etc \
--enable-nls \
--disable-auth-pam \
--with-includes=/usr/include/openssl:/usr/include/mysql \
--with-libraries=/usr/lib64:/usr/lib64/mysql \
--with-modules=mod_tls:mod_load:mod_wrap2:mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql

makeして専用ユーザを作成してからインストール。

$ make
$ su
# groupadd proftpd
# useradd -g proftpd -d /dev/null -s /bin/false proftpd
# make install

  • ユーザー管理はMySQLで行う。
  • 接続は暗号化して行う（mod_tls。TLSRequired を off のままにすると平文の USER/PASS も通ってしまうので、暗号化を強制するなら on にする）。
  • Anonymousは使用しない。
# vi /etc/proftpd.conf
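# ProFTPD 1.3.3 configuration: one standalone server, accounts and quotas
# from MySQL (mod_sql / mod_quotatab), TLS via mod_tls. Anonymous access is
# disabled (the <Anonymous> block at the end of this file is commented out).
# The daemon drops to the dedicated proftpd user/group created at install
# time instead of the shared "nobody" account.

ServerName			"FTP Server"
ServerType			standalone
DefaultServer			on
# Replace the default greeting (which includes the version) with a fixed string.
ServerIdent			on "FTP OK"
# No reverse DNS / ident lookups: faster logins, and nothing in the logs or
# access decisions depends on client-controlled DNS or identd answers.
UseReverseDNS			off
IdentLookups			off

# Only members of group "users" (resolved through SQLGroupInfo below) may log in.
<Limit LOGIN>
  DenyGroup			!users
</Limit>

# Port 21 is the standard FTP port.
Port				21

# Don't use IPv6 support by default.
UseIPv6				off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask				022

# Timestamps are logged in local time (JST) rather than GMT.
TimesGMT			off
SetEnv TZ			JST-9
# Server-side file names are UTF-8; clients sending CP932 are converted.
<IfModule mod_lang.c>
  UseEncoding			UTF-8 CP932
</IfModule>
# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances			30
# Refuse new sessions while the system load average is above 10.
<IfModule mod_load.c>
  MaxLoad			10.0 "Server busy, seek elsewhere"
</IfModule>

# Brute-force limits: a client is disconnected after one failed login,
# and each host/user gets at most one concurrent session.
MaxLoginAttempts		1
MaxClientsPerHost		1
MaxHostsPerUser			1
# Never allow root to log in over FTP.
RootLogin			off
# Show dot-files in listings.
ListOptions			"-a"
# Accounts come from SQL with shell /bin/false, so do not check /etc/shells.
RequireValidShell		off

# Idle/stalled sessions are dropped after 10 minutes; login must finish in 5.
TimeoutIdle			600
TimeoutLogin			300
TimeoutNoTransfer		600
TimeoutSession			none
TimeoutStalled			600
# Set the user and group under which the server will run.
# The install steps create a dedicated "proftpd" account (useradd -s /bin/false)
# precisely for this; running as "nobody" would share that uid with every
# other service that also uses it, so the dedicated account is used here.
User				proftpd
Group				proftpd

# Jail (chroot) every FTP user into their home directory.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite			on
# Allow resuming interrupted uploads and downloads (REST).
AllowStoreRestart		on
AllowRetrieveRestart		on
# Bar use of SITE CHMOD by default, so users cannot loosen permissions
# inside their jail.
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# Three extended logs: everything, authentication events only, and
# read/write transfers. /var/log/proftpd must exist before startup.
LogFormat			default "%h %l %u %t \"%r\" %s %b"
LogFormat			auth "%v [%P] %h %t \"%r\" %s"
LogFormat			write "%h %l %u %t \"%r\" %s %b"
ExtendedLog			/var/log/proftpd/all.log ALL default
ExtendedLog			/var/log/proftpd/auth_log AUTH auth
ExtendedLog			/var/log/proftpd/access_log WRITE,READ write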

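<IfModule mod_tls.c>
  TLSEngine			on
  TLSLog			/var/log/proftpd/tls.log
  # ProFTPD 1.3.3 accepts SSLv23, SSLv3 or TLSv1 here. TLSv1 refuses the
  # SSLv2/SSLv3 handshakes that the original "SSLv23" setting still allowed;
  # newer releases also accept TLSv1.1/TLSv1.2 — prefer those when available.
  TLSProtocol			TLSv1
  # Strong suites only: no anonymous DH (aNULL), no NULL encryption, and no
  # export/LOW/RC4/MD5 suites (the original list explicitly re-added LOW and EXP).
  TLSCipherSuite		HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5
  # The stated goal of this setup is encrypted sessions, so refuse clients that
  # do not negotiate TLS on the control and data channels instead of silently
  # accepting clear-text USER/PASS (which is what "off" did).
  TLSRequired			on
  # Keep the private key readable by root only (chmod 600).
  TLSRSACertificateFile		/path/to/certificitate/server.crt
  TLSRSACertificateKeyFile	/path/to/certificitate/server.key
  TLSVerifyClient		off
</IfModule>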

<IfModule mod_delay.c>
  # mod_delay pads the response time of USER/PASS so that timing alone does
  # not reveal whether an account name exists.
  DelayEngine			on
</IfModule>
# Stored under /var/proftpd, which the install steps create as root.
DelayTable			/var/proftpd/proftpd.delay

<IfModule mod_sql_mysql.c>
  # Only mod_sql is consulted for authentication (PAM was disabled with
  # --disable-auth-pam at configure time).
  AuthOrder			mod_sql.c
  # NOTE(review): "Plaintext" means users.password holds the clear-text
  # password and is compared literally. Moving to "Crypt" (or another hashed
  # type) requires the stored values to be hashes and a wider password column,
  # so this directive and the INSERT that seeds users must change together.
  SQLAuthTypes			Plaintext
  SQLAuthenticate		users* groups*
# ScoreboardFile		/var/run/proftpd.scoreboard
  # NOTE(review): this line carries the database password in clear text; keep
  # proftpd.conf readable by root only (chmod 600) and grant sql_user_name only
  # what the queries in this file need.
  SQLConnectInfo		db_name@localhost:3306 sql_user_name sql_user_pass PERSESSION
  # Fallback ids when a row has no uid/gid; the seeded accounts set both.
  SQLDefaultGID			1001
  SQLDefaultUID			1001
  # Column order: login, password, uid, gid, home dir, shell.
  SQLUserInfo			users userid password uid gid homedir shell
  SQLGroupInfo			groups groupname gid members
</IfModule>

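<IfModule mod_quotatab.c>
  QuotaEngine			on
  QuotaLog			/var/log/proftpd/quota.log
  # Limits are read-only; the tally is read, updated and created through the
  # three named queries below (so the SQL user needs SELECT on quotalimits and
  # SELECT/UPDATE/INSERT on quotatallies, nothing more).
  QuotaLimitTable		sql:/get-quota-limit
  QuotaTallyTable		sql:/get-quota-tally/update-quota-tally/insert-quota-tally
  SQLNamedQuery			get-quota-limit SELECT "userid, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM quotalimits WHERE userid = '%{0}' AND quota_type = '%{1}'"
  SQLNamedQuery			get-quota-tally SELECT "userid, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM quotatallies WHERE userid = '%{0}' AND quota_type = '%{1}'"
  SQLNamedQuery			update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE userid = '%{6}' AND quota_type = '%{7}'" quotatallies
  SQLNamedQuery			insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" quotatallies
  # Lock file moved out of world-writable /tmp, where any local user could
  # pre-create a file or symlink under this fixed name. /var/proftpd is the
  # root-owned directory created during install (it also holds DelayTable).
  QuotaLock			/var/proftpd/proftpd-quota-lock
  QuotaShowQuotas		on
  QuotaDisplayUnits		Mb
  QuotaDirectoryTally		on
</IfModule>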
# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
#<Anonymous ~ftp>
#  User				ftp
#  Group				ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
#  UserAlias			anonymous ftp

  # Limit the maximum number of anonymous logins
#  MaxClients			10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
#  DisplayLogin			welcome.msg
#  DisplayChdir			.message

  # Limit WRITE everywhere in the anonymous chroot
#  <Limit WRITE>
#    DenyAll
#  </Limit>
#</Anonymous>

MySQLにユーザー管理データベースを作成する。なお mysqladmin に --password='...' を直接渡すとパスワードがプロセス一覧やシェル履歴に残るので、次の行と同様に -p で対話的に入力する方がよい。

# mysqladmin -u root --password='root_pass' create db_name
# mysql -u root -p
> use db_name;

groupテーブルを作成。

> -- Group table read by mod_sql (SQLGroupInfo groups groupname gid members).
> -- `members` is a single string column because that is the shape mod_sql
> -- reads; presumably a comma-separated login list — verify against mod_sql docs.
> CREATE TABLE `groups` (
>   `groupname` VARCHAR(30)          NOT NULL,
>   `gid`       SMALLINT(5) UNSIGNED NOT NULL DEFAULT 1001,
>   `members`   VARCHAR(255)         DEFAULT NULL,
>   PRIMARY KEY (`groupname`),
>   UNIQUE KEY `gid` (`gid`)
> );

userテーブルを作成

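> -- Login table read by mod_sql (SQLUserInfo users userid password uid gid homedir shell).
> -- NOTE(review): with `SQLAuthTypes Plaintext` in proftpd.conf the password
> -- column holds the clear-text password. It is widened from VARCHAR(30) so a
> -- crypt(3)/SHA hash fits once the config is switched to a hashed auth type.
> CREATE TABLE `users` (
>   `userid`   VARCHAR(30)          NOT NULL,
>   `password` VARCHAR(255)         NOT NULL,
>   `uid`      SMALLINT(5) UNSIGNED NOT NULL DEFAULT 10000,  -- matches `chown 10000:1001` on the home dir
>   `gid`      SMALLINT(5) UNSIGNED NOT NULL DEFAULT 1001,   -- gid of the "users" group
>   `homedir`  VARCHAR(255)         DEFAULT NULL,
>   `shell`    VARCHAR(255)         DEFAULT '/bin/false',    -- RequireValidShell is off
>   PRIMARY KEY (`userid`),
>   UNIQUE KEY `uid` (`uid`)
> );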

quotalimitsテーブルを作成

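> -- Per-principal quota limits, looked up by (userid, quota_type) in the
> -- get-quota-limit named query.
> -- Byte columns are DOUBLE instead of FLOAT: single precision only represents
> -- integers exactly up to 2^24 (16 MiB), so gigabyte limits would be rounded.
> CREATE TABLE `quotalimits` (
>   `userid`           VARCHAR(30)  NOT NULL,
>   `quota_type`       ENUM('user', 'group', 'class', 'all') NOT NULL,
>   `per_session`      ENUM('false', 'true') NOT NULL DEFAULT 'true',
>   `limit_type`       ENUM('soft', 'hard')  NOT NULL DEFAULT 'soft',
>   `bytes_in_avail`   DOUBLE       NOT NULL DEFAULT 0,
>   `bytes_out_avail`  DOUBLE       NOT NULL DEFAULT 0,
>   `bytes_xfer_avail` DOUBLE       NOT NULL DEFAULT 0,
>   `files_in_avail`   INT UNSIGNED NOT NULL DEFAULT 0,
>   `files_out_avail`  INT UNSIGNED NOT NULL DEFAULT 0,
>   `files_xfer_avail` INT UNSIGNED NOT NULL DEFAULT 0,
>   -- one limit row per principal; also indexes the lookup the daemon performs
>   PRIMARY KEY (`userid`, `quota_type`)
> );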

quotatalliesテーブルを作成。

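> -- Running usage counters, incremented by the update-quota-tally named query
> -- (`bytes_in_used = bytes_in_used + ...`) and looked up by (userid, quota_type).
> -- Byte columns are DOUBLE instead of FLOAT: single precision only represents
> -- integers exactly up to 2^24 (16 MiB), so accumulated byte counts past that
> -- would round and a hard limit could not be enforced accurately.
> CREATE TABLE `quotatallies` (
>   `userid`          VARCHAR(30)  NOT NULL,
>   `quota_type`      ENUM('user', 'group', 'class', 'all') NOT NULL DEFAULT 'user',
>   `bytes_in_used`   DOUBLE       NOT NULL DEFAULT 0,
>   `bytes_out_used`  DOUBLE       NOT NULL DEFAULT 0,
>   `bytes_xfer_used` DOUBLE       NOT NULL DEFAULT 0,
>   `files_in_used`   INT UNSIGNED NOT NULL DEFAULT 0,
>   `files_out_used`  INT UNSIGNED NOT NULL DEFAULT 0,
>   `files_xfer_used` INT UNSIGNED NOT NULL DEFAULT 0,
>   -- one tally row per principal, so insert-quota-tally cannot create
>   -- duplicates that the UPDATE/SELECT by (userid, quota_type) would then hit
>   PRIMARY KEY (`userid`, `quota_type`)
> );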

データベースへの権限設定をする。

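> -- Least privilege for the daemon's SQL account: proftpd.conf only reads
> -- users/groups/quotalimits and reads, updates and inserts quotatallies, so
> -- nothing needs UPDATE/INSERT on the whole database.
> -- (MySQL 5.1: the first GRANT with IDENTIFIED BY creates the account; on
> -- MySQL 8 run CREATE USER first and drop the IDENTIFIED BY clause.)
> GRANT SELECT ON db_name.`users` TO 'sql_user_name'@'localhost' IDENTIFIED BY 'sql_user_pass';
> GRANT SELECT ON db_name.`groups` TO 'sql_user_name'@'localhost';
> GRANT SELECT ON db_name.`quotalimits` TO 'sql_user_name'@'localhost';
> GRANT SELECT, UPDATE, INSERT ON db_name.`quotatallies` TO 'sql_user_name'@'localhost';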

ユーザーを作成。

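> -- Explicit column lists so uid and gid cannot be swapped. The original
> -- listing passed (..., 1001, 10000, ...) into (uid, gid), i.e. uid 1001 /
> -- gid 10000, while the table defaults and the `chown 10000:1001` below expect
> -- uid 10000 / gid 1001; with the home directory at mode 0700 that mismatch
> -- would leave the logged-in user unable to read its own directory.
> INSERT INTO `groups` (`groupname`, `gid`, `members`) VALUES ('users', 1001, '');
> -- The password is stored as-is because proftpd.conf uses `SQLAuthTypes Plaintext`.
> INSERT INTO `users` (`userid`, `password`, `uid`, `gid`, `homedir`, `shell`)
>   VALUES ('user_name', 'user_pass', 10000, 1001, '/path/to/directory/user_name', '/bin/false');
> -- quota_type must be one of the ENUM values ('user', 'group', 'class', 'all').
> -- The original used 'users', which is rejected in strict mode and stored as ''
> -- otherwise, so the get-quota-limit lookup for quota_type 'user' never matched.
> INSERT INTO `quotalimits` (`userid`, `quota_type`, `per_session`, `limit_type`,
>   `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`,
>   `files_in_avail`, `files_out_avail`, `files_xfer_avail`)
>   VALUES ('user_name', 'user', 'false', 'hard', 10737418240, 0, 0, 0, 0, 0);
> flush privileges;
> \q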

必要なフォルダを作成。あわせて、/etc/proftpd.conf には SQLConnectInfo の DB パスワードが平文で入るので、root 以外から読めないようにしておく（chmod 600 /etc/proftpd.conf）。

# mkdir /var/proftpd
# mkdir /var/log/proftpd
# mkdir -p /path/to/directory/user_name
# chown 10000:1001 /path/to/directory/user_name
# chmod 0700 /path/to/directory/user_name

起動スクリプト。

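#!/bin/sh
# $Id: proftpd.init,v 1.1 2004/02/26 17:54:30 thias Exp $
#
# proftpd	This shell script takes care of starting and stopping
#		proftpd.
#
# chkconfig: - 80 30
# description: ProFTPD is an enhanced FTP server with a focus towards \
#              simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#              and a highly customizable server infrastructure, \
#              including support for multiple 'virtual' FTP servers, \
#              anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /etc/proftpd.conf
# pidfile: /var/run/proftpd.pid

# Source function library (provides daemon, killproc and status).
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up. Quoted so that an unset NETWORKING evaluates
# to a clean false instead of a "unary operator expected" error from test.
[ "${NETWORKING}" = "no" ] && exit 0

# Nothing to do if the binary is missing (e.g. package removed).
[ -x /usr/sbin/proftpd ] || exit 0

RETVAL=0

prog="proftpd"

# Start the daemon and record success in the subsys lock.
# NOTE(review): stderr of the start-up is discarded, so a bad proftpd.conf
# only shows as a failed status line and in /var/log/proftpd.
start() {
	echo -n $"Starting $prog: "
	daemon proftpd 2>/dev/null
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/proftpd
}

# Stop the daemon (killproc's default signal) and drop the subsys lock.
stop() {
	echo -n $"Shutting down $prog: "
	killproc proftpd
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/proftpd
}

# See how we were called.
case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  status)
	status proftpd
	RETVAL=$?
	;;
  restart)
	stop
	start
	;;
  condrestart)
	# Restart only if the service was running (subsys lock present).
	if [ -f /var/lock/subsys/proftpd ]; then
	  stop
	  start
	fi
	;;
  reload)
	# SIGHUP makes the standalone daemon re-read its configuration.
	echo -n $"Re-reading $prog configuration: "
	killproc proftpd -HUP
	RETVAL=$?
	echo
	;;
  *)
	echo "Usage: $prog {start|stop|restart|reload|condrestart|status}"
	exit 1
esac

exit $RETVAL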

起動設定後、起動する。

# chkconfig --add proftpd
# chkconfig proftpd on
# service proftpd start

Starting ProFTPd:				[  OK  ]

後は実際に接続してテスト。下のログは AUTH TLS なしの平文ログインなので、暗号化されたセッションになっているかは tls.log も併せて確認する（TLSRequired を on にした場合、このような平文ログインは拒否される）。

# cat /var/log/proftpd/all.log   （ExtendedLog の default 形式で書かれるログ）

xxx.xxx.xxx.xxx user nobody [4/ 4月/2010:00:42:45 +0900] "USER user" 331 -
xxx.xxx.xxx.xxx user user [4/ 4月/2010:00:42:45 +0900] "PASS (hidden)" 230 -
xxx.xxx.xxx.xxx user user [4/ 4月/2010:00:42:45 +0900] "XPWD" 257 -
xxx.xxx.xxx.xxx user user [4/ 4月/2010:00:42:45 +0900] "TYPE A" 200 -
xxx.xxx.xxx.xxx user user [4/ 4月/2010:00:42:45 +0900] "PORT xxx,xxx,xxx,xxx,207,12" 200 -
xxx.xxx.xxx.xxx user user [4/ 4月/2010:00:42:45 +0900] "LIST" 226 115