Team environment: installing ProFTPD

2017-05-11 Category: ProFTPD

Environment

  • CentOS 7.2
  • proftpd 1.3.6

Installation

Download the latest stable source:

wget https://github.com/proftpd/proftpd/archive/v1.3.6.tar.gz

Extract it (the GitHub tag archive is saved as v1.3.6.tar.gz and unpacks into proftpd-1.3.6):

tar -zxvf v1.3.6.tar.gz

Configure the build:

cd proftpd-1.3.6
./configure --prefix=/usr/local/proftpd

Compile and install:

make
make install

Create the user the daemon will run as:

useradd -s /sbin/nologin proftpd

Edit the configuration file /usr/local/proftpd/etc/proftpd.conf:

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
# (0000 applies no mask at all: files and directories created through
# FTP keep their full mode, 666 for files and 777 for directories.)
Umask                           0000

User               proftpd
Group              proftpd
DefaultRoot        ~
SystemLog          /home/proftpd/proftpd.log
TransferLog        /home/proftpd/proftpd-transfer.log

PathDenyFilter     "\\.ftp)|\\.ht)[a-z]+$"
DenyFilter         \*.*/

UseReverseDNS off
IdentLookups off
ServerIdent off
AllowRetrieveRestart on
AllowStoreRestart on

AuthOrder mod_auth_file.c
AuthUserFile /usr/local/proftpd/etc/passwd
AuthGroupFile /usr/local/proftpd/etc/group

<Limit LOGIN>
      AllowGroup admin
      AllowGroup dev
      AllowGroup ops
      DenyAll
</Limit>

<Directory /home/proftpd/ftp>
        AllowOverwrite          on
        HideNoAccess            on
        <Limit DIRS>
                AllowAll
        </Limit>
        <Limit STOR RMD MKD>
               DenyAll
        </Limit>
</Directory>

<Directory /home/proftpd/ftp/dev>
        AllowOverwrite          on
        HideNoAccess            on
        <Limit DIRS>
                AllowGroup dev
                AllowGroup admin
                DenyAll
        </Limit>
</Directory>

<Directory /home/proftpd/ftp/dev/*>
        AllowOverwrite          on
        HideNoAccess            on
        <Limit READ DIRS>
                AllowGroup dev
                AllowGroup admin
                DenyAll
        </Limit>
        <Limit MKD STOR RMD DELE>
                AllowGroup dev
                AllowGroup admin
                DenyAll
        </Limit>
</Directory>

<Directory /home/proftpd/ftp/ops>
        AllowOverwrite          on
        HideNoAccess            on
        <Limit DIRS>
                AllowGroup ops
                AllowGroup admin
                DenyAll
        </Limit>
</Directory>

<Directory /home/proftpd/ftp/ops/*>
        AllowOverwrite          on
        HideNoAccess            on
        <Limit READ DIRS>
                AllowGroup ops
                AllowGroup admin
                DenyAll
        </Limit>
        <Limit MKD STOR RMD DELE>
                AllowGroup ops
                AllowGroup admin
                DenyAll
        </Limit>
</Directory>

  • AuthOrder sets the order in which authentication modules are consulted; with mod_auth_file.c alone, only virtual users are used
  • Remember to delete the <Anonymous ~ftp>...</Anonymous> block from the configuration file
  • For the Umask setting, see the Umask directive documentation
    • umask is the permission mask. The system default is 0022 (check it with the umask command); with that value, newly created files default to 644 (6-0, 6-2, 6-2) and newly created directories to 755 (7-0, 7-2, 7-2). The purpose of umask is to control these default permissions.

Create the (initially empty) user and group files referenced by AuthUserFile and AuthGroupFile, and make them inaccessible to other users:

touch /usr/local/proftpd/etc/passwd
chmod o-rwx /usr/local/proftpd/etc/passwd

touch /usr/local/proftpd/etc/group
chmod o-rwx /usr/local/proftpd/etc/group

systemd unit file /usr/lib/systemd/system/proftpd.service:

[Unit]
Description = ProFTPD FTP Server
After = network.target nss-lookup.target local-fs.target remote-fs.target

[Service]
Type = forking
PIDFile = /usr/local/proftpd/var/proftpd.pid
Environment = PROFTPD_OPTIONS=
EnvironmentFile = -/etc/sysconfig/proftpd
ExecStart = /usr/local/proftpd/sbin/proftpd  -c /usr/local/proftpd/etc/proftpd.conf $PROFTPD_OPTIONS
ExecReload = /bin/kill -HUP $MAINPID

[Install]
WantedBy = multi-user.target

Start the service:

systemctl daemon-reload
systemctl start proftpd
systemctl status proftpd
systemctl enable proftpd

Creating virtual users

A virtual user is a user that does not exist on the system but is private to ProFTPD. Virtual user information can come from files, databases, LDAP servers and other sources; below we start by reading it from a file.

Create the virtual user groups:

cd /usr/local/proftpd/bin
./ftpasswd --group --name=admin --gid=100 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=dev --gid=101 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=ops --gid=102 --file=/usr/local/proftpd/etc/group

Create the virtual users:

./ftpasswd --passwd --name=admin --uid=1000 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=dev1 --uid=1001 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=ops2 --uid=1002 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=ops3 --uid=1003 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd

Add the virtual users to their groups:

./ftpasswd --group --name=admin --gid=100 --member=admin --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=dev --gid=101 --member=dev1 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=ops --gid=102 --member=ops2 --member=ops3 --file=/usr/local/proftpd/etc/group
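The following audit script is an added example, not code from the original post. It checks the two things the chmod step and the group-membership step above rely on: the AuthUserFile must not be world-readable (ProFTPD refuses to use one that is), every group member must exist in the user file, and only members of the groups named in the post's <Limit LOGIN> block (admin, dev, ops) can log in. The sample entries are constructed in the /etc/passwd and /etc/group line formats that ftpasswd writes; the password hashes are placeholders, and the extra "guest" user and "nosuchuser" member are added to exercise the failure cases.

```python
"""Audit an ftpasswd-generated AuthUserFile / AuthGroupFile pair (added example,
not code from the post): file must not be world-readable, every group member
must exist, and only members of the <Limit LOGIN> groups may log in."""
import os
import stat
import tempfile

LOGIN_GROUPS = {"admin", "dev", "ops"}  # groups the post's <Limit LOGIN> allows
# Constructed sample data in /etc/passwd and /etc/group format (what ftpasswd writes):
# names/ids follow the post, hashes are placeholders, "guest"/"nosuchuser" are extra.
PASSWD_SAMPLE = """\
admin:$1$placeholder:1000:100::/home/proftpd/ftp:/sbin/nologin
dev1:$1$placeholder:1001:101::/home/proftpd/ftp:/sbin/nologin
ops2:$1$placeholder:1002:102::/home/proftpd/ftp:/sbin/nologin
ops3:$1$placeholder:1003:102::/home/proftpd/ftp:/sbin/nologin
guest:$1$placeholder:1004:103::/home/proftpd/ftp:/sbin/nologin
"""
GROUP_SAMPLE = "admin:x:100:admin\ndev:x:101:dev1\nops:x:102:ops2,ops3,nosuchuser\n"

def parse_passwd(text):
    """name -> primary gid (field 4 of a passwd line)."""
    return {f[0]: int(f[3]) for f in (l.split(":") for l in text.splitlines() if l)}

def parse_group(text):
    """name -> (gid, set of supplementary member names)."""
    rows = (l.split(":") for l in text.splitlines() if l)
    return {f[0]: (int(f[2]), set(filter(None, f[3].split(",")))) for f in rows}

def audit(passwd_path, group_path):
    users = parse_passwd(open(passwd_path).read())
    groups = parse_group(open(group_path).read())
    by_gid = {gid: g for g, (gid, _m) in groups.items()}
    def groups_of(u):  # primary group (via gid) plus supplementary memberships
        primary = {by_gid[users[u]]} if users[u] in by_gid else set()
        return primary | {g for g, (_gid, ms) in groups.items() if u in ms}
    return {  # ProFTPD rejects a world-readable AuthUserFile at startup
        "passwd_world_readable": bool(os.stat(passwd_path).st_mode & stat.S_IROTH),
        "dangling_members": sorted(m for _g, ms in groups.values() for m in ms if m not in users),
        "can_login": sorted(u for u in users if groups_of(u) & LOGIN_GROUPS),
    }

def audit_sample(mode=0o640):
    """Write the sample to a temp dir with the given mode (0o640 = after chmod o-rwx)."""
    d = tempfile.mkdtemp()
    for name, text in (("passwd", PASSWD_SAMPLE), ("group", GROUP_SAMPLE)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
        os.chmod(os.path.join(d, name), mode)
    return audit(os.path.join(d, "passwd"), os.path.join(d, "group"))
```

Run audit() against the real /usr/local/proftpd/etc/passwd and group files to confirm the membership lines above produced the intended login set before restarting the service.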

Create the ftp data directories:

mkdir -p /home/proftpd/ftp/dev
mkdir -p /home/proftpd/ftp/ops
chmod -R 0777 /home/proftpd/ftp

Restart proftpd:

systemctl restart proftpd

You can now test with an ftp client using the users created above.

Integrating OpenLDAP

ProFTPD must be recompiled and reinstalled with the mod_ldap module added at build time. mod_ldap needs the OpenLDAP headers and libraries; since OpenLDAP was installed earlier with yum, we rebuild OpenLDAP locally so that the headers and libraries are sure to be found.

wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar -zxvf db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BerkeleyDB
make
make install
export CPPFLAGS="-I/usr/local/BerkeleyDB/include"
export LDFLAGS="-L/usr/local/BerkeleyDB/lib"
export LD_LIBRARY_PATH="/home/proftpd/db-4.6.21/build_unix/.libs"

wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz
tar -zxvf openldap-2.4.44.tgz
cd openldap-2.4.44
./configure --prefix=/usr/local/openldap
make
make install

Recompile and reinstall proftpd:

cd proftpd-1.3.6

./configure \
--prefix=/usr/local/proftpd  \
--with-modules=mod_ldap \
--with-includes=/usr/local/openldap/include \
--with-libraries=/usr/local/openldap/lib

make
make install

Edit the configuration file /usr/local/proftpd/etc/proftpd.conf:

<Global>
DefaultRoot /home/proftpd/ftp
...
# AuthOrder mod_auth_file.c
# AuthUserFile /usr/local/proftpd/etc/passwd
# AuthGroupFile /usr/local/proftpd/etc/group
AuthOrder mod_ldap.c
LDAPServer 192.168.61.100:389
LDAPBindDN cn=Manager,dc=frognew,dc=com dnpass
LDAPUsers ou=People,dc=frognew,dc=com
LDAPGroups ou=Group,dc=frognew,dc=com
LDAPLog /home/proftpd/mod_ldap.log
...
</Global>

Restart the proftpd service:

systemctl restart proftpd

In OpenLDAP, create the groups dev and ops, then create a test user whose primary group is dev and whose additional group is ops, and set a password for it. Then test with an ftp client.

Title: Team environment: installing ProFTPD
Permalink: https://blog.frognew.com/2017/05/install-proftpd.html
Please credit the source when reposting.