Hi all
is there a possibility to change the install script (CentOs 5.6) for installing and using vsftpd instead of proftpd.
vsftpd has the advantage that ftp users are put in their home directory and can not navigate outside.
thx in advance
opaque
Howdy,
You can enable that feature with ProFTPd as well.
To do that, log into Virtualmin, and go into Limits and Validation -> FTP Directory Restrictions, and setup an FTP restriction that restricts users to their home directories.
-Eric
I have setup proFTP now and set the restrictions but a user can still see the other virtual domains inside the home directory!
Virtual Server Admins should only see files inside his own home directory.
thx opaque
Yeah, a user would be able to see all files, directories, and subdirectories within their home dir. They can’t browse “above” their home directory though.
-Eric
I have tried it with ftp protocol which won´t work. No way to connect. With sftp it works and the connected Server Admin can browse higher outside than his own virtual host directory under /home/domain/.
Now i try #root@server: yum reinstall proftpd with your repo. -> no changes!
Confused here!
greetings opaque
Mmm, it sounds like you’re not seeing the expected behavior.
Could you post a screenshot of your Limits and Validation -> FTP Directory Restrictions page?
With that, we can review what’s setup, and why that’s not working as expected.
-Eric
here is my /etc/proftpd.conf
# This is the ProFTPD configuration file
See: http://www.proftpd.org/docs/directives/linked/by-name.html
Server Config - config used for anything outside a or context
See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName “FTP server”
ServerIdent on “FTP Server ready.”
ServerAdmin root@localhost
DefaultServer on
Cause every FTP user except adm to be chrooted into their home directory
Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine on
DefaultRoot ~ !adm
VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off
Don’t do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off
Set the user and group that the server runs as
User nobody
Group nobody
To prevent DoS attacks, set the maximum number of child processes
to 20. If you need to allow more than 20 concurrent connections
at once, simply increase this value. Note that this ONLY works
in standalone mode; in inetd mode you should use an inetd server
that allows you to limit maximum number of processes per service
(such as xinetd)
MaxInstances 20
Disable sendfile by default since it breaks displaying the download speeds in
ftptop and ftpwho
UseSendfile off
Define the log formats
LogFormat default “%h %l %u %t “%r” %s %b”
LogFormat auth “%v [%P] %h %t “%r” %s”
Dynamic Shared Object (DSO) loading
See README.DSO and howto/DSO.html for more details
General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql.c
Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
(contrib/mod_sql_passwd.html)
LoadModule mod_sql_passwd.c
Mysql support (requires proftpd-mysql package)
(http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql_mysql.c
Postgresql support (requires proftpd-postgresql package)
(http://www.proftpd.org/docs/contrib/mod_sql.html)
LoadModule mod_sql_postgres.c
Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
LoadModule mod_quotatab.c
File-specific “driver” for storing quota table information in files
(http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
LoadModule mod_quotatab_file.c
SQL database “driver” for storing quota table information in SQL tables
(http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
LoadModule mod_quotatab_sql.c
LDAP support (requires proftpd-ldap package)
(http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
LoadModule mod_ldap.c
LDAP quota support (requires proftpd-ldap package)
(http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
LoadModule mod_quotatab_ldap.c
Support for authenticating users using the RADIUS protocol
(http://www.proftpd.org/docs/contrib/mod_radius.html)
LoadModule mod_radius.c
Retrieve quota limit table information from a RADIUS server
(http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
LoadModule mod_quotatab_radius.c
Administrative control actions for the ftpdctl program
(http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
LoadModule mod_ctrls_admin.c
Execute external programs or scripts at various points in the process
of handling FTP commands
(http://www.castaglia.org/proftpd/modules/mod_exec.html)
LoadModule mod_exec.c
Support for POSIX ACLs
(http://www.proftpd.org/docs/modules/mod_facl.html)
LoadModule mod_facl.c
Support for using the GeoIP library to look up geographical information on
the connecting client and usng that to set access controls for the server
(http://www.castaglia.org/proftpd/modules/mod_geoip.html)
LoadModule mod_geoip.c
Configure server availability based on system load
(http://www.proftpd.org/docs/contrib/mod_load.html)
LoadModule mod_load.c
Limit downloads to a multiple of upload volume (see README.ratio)
LoadModule mod_ratio.c
Rewrite FTP commands sent by clients on-the-fly,
using regular expression matching and substitution
(http://www.proftpd.org/docs/contrib/mod_rewrite.html)
LoadModule mod_rewrite.c
Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
LoadModule mod_sftp.c
Use PAM to provide a ‘keyboard-interactive’ SSH2 authentication method for
mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
LoadModule mod_sftp_pam.c
Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
and host based authentication
(http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
LoadModule mod_sftp_sql.c
Provide data transfer rate “shaping” across the entire server
(http://www.castaglia.org/proftpd/modules/mod_shaper.html)
LoadModule mod_shaper.c
Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
LoadModule mod_site_misc.c
Provide an external SSL session cache using shared memory
(contrib/mod_tls_shmcache.html)
LoadModule mod_tls_shmcache.c
Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
files, for IP-based access control
(http://www.proftpd.org/docs/contrib/mod_wrap.html)
LoadModule mod_wrap.c
Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
files, as well as SQL-based access rules, for IP-based access control
(http://www.proftpd.org/docs/contrib/mod_wrap2.html)
LoadModule mod_wrap2.c
Support module for mod_wrap2 that handles access rules stored in specially
formatted files on disk
(http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
LoadModule mod_wrap2_file.c
Support module for mod_wrap2 that handles access rules stored in SQL
database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
LoadModule mod_wrap2_sql.c
Provide a flexible way of specifying that certain configuration directives
only apply to certain sessions, based on credentials such as connection
class, user, or group membership
(http://www.proftpd.org/docs/contrib/mod_ifsession.html)
LoadModule mod_ifsession.c
TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log TLSSessionCache shm:/file=/var/run/proftpd/sesscacheDynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tabIf the same client reaches the MaxLoginAttempts limit 2 times
within 10 minutes, automatically add a ban for that client that
will expire after one hour.
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm
Global Config - config common to Server Config and all virtual hosts
See: http://www.proftpd.org/docs/howto/Vhost.html
Umask 022 is a good standard umask to prevent new dirs and files
from being group and world writable
Umask 022
Allow users to overwrite files and change permissions
AllowOverwrite yes
AllowAll
DefaultRoot ~
A basic anonymous configuration, with an upload directory
Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply."# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login
#DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files.
DisplayLogin /welcome.msg
DisplayChdir .message
DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser on ftp
DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog off
# Logging for the anonymous transfers
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth
Yeah, that “DefaultRoot ~” line should jail users into their home directories (and the sub-directories thereof).
If that’s not working, you may want to try restarting Proftpd just to make sure that those settings are active.
Try running this command on your server as root:
/etc/init.d/proftpd restart
No changes.
Okay, can you clarify what behavior you’re seeing exactly that you’re trying to change?
Are you saying that, even with the above changes – that all FTP users are able to browse the entire filesystem?
-Eric
all FTP users should not see all vhost folders on the server.
with vsftp it works.
How should the chmod and chown settings for the home directories?
greetings opaque
Well, I’m still not sure I fully understand what specifically you’re trying to change.
But again, the way this works – your FTP users will be able to see their home directory, and every directory under it.
Now, one thing you may want to try is to change the type of FTP user you create.
When creating an FTP user, go into Edit Mail and FTP Users, and create a “Website FTP access” user, the option is over on the right.
That will create an FTP account whose home directory is within the public_html folder (ie, the DocumentRoot).
-Eric
opaque, you wrote: “I have tried it with ftp protocol which won´t work. No way to connect.”
What exactly did you mean with that? Have you been doing all the tests with SFTP (which is basically file management over SSH)? There it is normal behavior that users can browse the whole file system (but are restricted by Linux file system permissions). There is no (feasible) way of changing that, except for some serious SSH hacks which I’m sure you won’t want to do. 
How are you trying to connect with FTP? What error do you get? Can you telnet to the server on port 21? Is ProFTPD running? Is it listening on 0.0.0.0:21? Is a firewall blocking the port? Is the server behind a router or even a NAT (in which case you need to make some special configuration in ProFTPD)?
Just want to mention that users could still see all directories with a simple php script.