Environment

  • CentOS 7.2
  • proftpd 1.3.6

Installation

Download the latest stable source (saved under the name the later steps expect):

wget https://github.com/proftpd/proftpd/archive/v1.3.6.tar.gz -O proftpd-1.3.6.tar.gz

Extract:

tar -zxvf proftpd-1.3.6.tar.gz

Configure:

cd proftpd-1.3.6
./configure --prefix=/usr/local/proftpd

Build and install:

make
make install

Create the service user:

useradd -s /sbin/nologin proftpd

Edit the configuration file /usr/local/proftpd/etc/proftpd.conf:

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           0000

User               proftpd
Group              proftpd
DefaultRoot        ~
SystemLog          /home/proftpd/proftpd.log
TransferLog        /home/proftpd/proftpd-transfer.log

# Regex must be balanced; the stock sample's "\\.ftp)|\\.ht)" does not compile
PathDenyFilter     "(\\.ftp)|(\\.ht)[a-z]+$"
DenyFilter         \*.*/

UseReverseDNS off
IdentLookups off
ServerIdent off
AllowRetrieveRestart on
AllowStoreRestart on

AuthOrder mod_auth_file.c
AuthUserFile /usr/local/proftpd/etc/passwd
AuthGroupFile /usr/local/proftpd/etc/group

<Limit LOGIN>
    AllowGroup admin
    AllowGroup dev
    AllowGroup ops
    DenyAll
</Limit>

<Directory /home/proftpd/ftp>
    AllowOverwrite          on
    HideNoAccess            on
    <Limit DIRS>
        AllowAll
    </Limit>
    <Limit STOR RMD MKD>
        DenyAll
    </Limit>
</Directory>

<Directory /home/proftpd/ftp/dev>
    AllowOverwrite          on
    HideNoAccess            on
    <Limit DIRS>
        AllowGroup dev
        AllowGroup admin
        DenyAll
    </Limit>
</Directory>

<Directory /home/proftpd/ftp/dev/*>
    AllowOverwrite          on
    HideNoAccess            on
    <Limit READ DIRS>
        AllowGroup dev
        AllowGroup admin
        DenyAll
    </Limit>
    <Limit MKD STOR RMD DELE>
        AllowGroup dev
        AllowGroup admin
        DenyAll
    </Limit>
</Directory>

<Directory /home/proftpd/ftp/ops>
    AllowOverwrite          on
    HideNoAccess            on
    <Limit DIRS>
        AllowGroup ops
        AllowGroup admin
        DenyAll
    </Limit>
</Directory>

<Directory /home/proftpd/ftp/ops/*>
    AllowOverwrite          on
    HideNoAccess            on
    <Limit READ DIRS>
        AllowGroup ops
        AllowGroup admin
        DenyAll
    </Limit>
    <Limit MKD STOR RMD DELE>
        AllowGroup ops
        AllowGroup admin
        DenyAll
    </Limit>
</Directory>
  • AuthOrder sets the order in which authentication modules are consulted; listing only mod_auth_file.c means virtual users are the only accounts that can log in.
  • Remember to delete the <Anonymous ~ftp>...</Anonymous> block from the configuration file.
  • For the Umask directive itself, see Umask.
    • umask is the permission mask. The system default is 0022 (check it with the umask command); with it, new files get mode 644 (6-0, 6-2, 6-2) and new directories get 755 (7-0, 7-2, 7-2), so umask is what controls the default permissions. With Umask 0000 as set above, files uploaded through ProFTPD are created 666 and directories 777.
Create the user and group files referenced by AuthUserFile and AuthGroupFile, and make them unreadable by other users:

touch /usr/local/proftpd/etc/passwd
chmod o-rwx /usr/local/proftpd/etc/passwd

touch /usr/local/proftpd/etc/group
chmod o-rwx /usr/local/proftpd/etc/group

systemd unit file /usr/lib/systemd/system/proftpd.service:

[Unit]
Description = ProFTPD FTP Server
After = network.target nss-lookup.target local-fs.target remote-fs.target

[Service]
Type = forking
PIDFile = /usr/local/proftpd/var/proftpd.pid
Environment = PROFTPD_OPTIONS=
EnvironmentFile = -/etc/sysconfig/proftpd
ExecStart = /usr/local/proftpd/sbin/proftpd -c /usr/local/proftpd/etc/proftpd.conf $PROFTPD_OPTIONS
ExecReload = /bin/kill -HUP $MAINPID

[Install]
WantedBy = multi-user.target

Start the service:

systemctl daemon-reload
systemctl start proftpd
systemctl status proftpd
systemctl enable proftpd

Creating virtual users

A virtual user is an account that does not exist on the system but is private to ProFTPD. Virtual-user information can come from files, a database, an LDAP server and other sources; we start with users stored in a file.

Create the virtual groups:

cd /usr/local/proftpd/bin
./ftpasswd --group --name=admin --gid=100 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=dev --gid=101 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=ops --gid=102 --file=/usr/local/proftpd/etc/group

Create the virtual users:

./ftpasswd --passwd --name=admin --uid=1000 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=dev1 --uid=1001 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=ops2 --uid=1002 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=ops3 --uid=1003 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd

Add the virtual users to their groups:

./ftpasswd --group --name=admin --gid=100 --member=admin --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=dev --gid=101 --member=dev1 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=ops --gid=102 --member=ops2 --member=ops3 --file=/usr/local/proftpd/etc/group

Create the FTP data directories:

mkdir -p /home/proftpd/ftp/dev
mkdir -p /home/proftpd/ftp/ops
chmod -R 0777 /home/proftpd/ftp

Restart proftpd:

systemctl restart proftpd

You can now test with an FTP client and the users created above.
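Before testing with a client, it is worth checking that the pieces above agree with each other: the credential files are not world-readable, every group named in an AllowGroup line exists in the group file, and every group member has a passwd entry. The script below is an added example, not part of the original post; it writes constructed sample files to a temp dir (the passwd and group formats it assumes are name:hash:uid:gid:gecos:home:shell and name:x:gid:member,member) so it runs offline, and the same functions can be pointed at /usr/local/proftpd/etc/{passwd,group,proftpd.conf} on a real host.

```shell
#!/bin/sh
# Added example (not from the original post): offline consistency checks for the
# file-based virtual-user setup. Sample files are constructed in make_samples;
# assumed formats: passwd = name:hash:uid:gid:gecos:home:shell,
#                  group  = name:x:gid:member,member

# world_readable FILE -> exit 0 if "other" can read FILE (the bit chmod o-rwx removes)
world_readable() {
    find "$1" -perm -004 | grep -q .
}

# missing_groups CONF GROUPFILE -> prints each group named in an AllowGroup line
# of CONF that has no entry in GROUPFILE (such a rule can never match anyone)
missing_groups() {
    grep -Eo '^[[:space:]]*AllowGroup[[:space:]]+[^[:space:]]+' "$1" |
        awk '{ print $2 }' | sort -u |
        while read -r g; do grep -q "^$g:" "$2" || echo "$g"; done
}

# missing_members GROUPFILE PASSWDFILE -> prints group members with no passwd entry
missing_members() {
    awk -F: '$4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1" |
        sort -u |
        while read -r u; do grep -q "^$u:" "$2" || echo "$u"; done
}

# make_samples -> writes constructed sample files and prints the directory.
# "qa" is allowed in the conf but never created, and "ghost" is a member with
# no passwd entry, so both checks have something to report.
make_samples() {
    d=$(mktemp -d)
    printf '<Limit LOGIN>\n  AllowGroup admin\n  AllowGroup dev\n  AllowGroup ops\n  AllowGroup qa\n  DenyAll\n</Limit>\n' > "$d/proftpd.conf"
    for u in admin:1000 dev1:1001 ops2:1002 ops3:1003; do
        printf '%s:$1$placeholderhash:%s:%s::/home/proftpd/ftp:/sbin/nologin\n' \
            "${u%:*}" "${u#*:}" "${u#*:}"
    done > "$d/passwd"
    printf 'admin:x:100:admin\ndev:x:101:dev1\nops:x:102:ops2,ops3,ghost\n' > "$d/group"
    chmod 640 "$d/passwd"   # locked down as the page does with chmod o-rwx
    chmod 644 "$d/group"    # deliberately left world-readable
    echo "$d"
}

# Run every check against the samples: ./check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_samples)
    world_readable "$d/group" && echo "group is world-readable"
    missing_groups "$d/proftpd.conf" "$d/group" | sed 's/^/group not defined: /'
    missing_members "$d/group" "$d/passwd" | sed 's/^/member without passwd entry: /'
fi
```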

Integrating OpenLDAP

ProFTPD has to be recompiled and reinstalled with the mod_ldap module added. mod_ldap needs the OpenLDAP headers and libraries; since OpenLDAP was installed with yum earlier, we rebuild OpenLDAP locally so that the matching headers and libraries are guaranteed to be found.

wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar -zxvf db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BerkeleyDB
make
make install
export CPPFLAGS="-I/usr/local/BerkeleyDB/include"
export LDFLAGS="-L/usr/local/BerkeleyDB/lib"
export LD_LIBRARY_PATH="/usr/local/BerkeleyDB/lib"

wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz
tar -zxvf openldap-2.4.44.tgz
cd openldap-2.4.44
./configure --prefix=/usr/local/openldap
make
make install

Recompile and reinstall proftpd:

cd proftpd-1.3.6

./configure \
    --prefix=/usr/local/proftpd \
    --with-modules=mod_ldap \
    --with-includes=/usr/local/openldap/include \
    --with-libraries=/usr/local/openldap/lib

make
make install

Edit the configuration file /usr/local/proftpd/etc/proftpd.conf:

<Global>
DefaultRoot /home/proftpd/ftp
...
# AuthOrder mod_auth_file.c
# AuthUserFile /usr/local/proftpd/etc/passwd
# AuthGroupFile /usr/local/proftpd/etc/group
AuthOrder mod_ldap.c
LDAPServer 192.168.61.100:389
LDAPBindDN cn=Manager,dc=frognew,dc=com dnpass
LDAPUsers ou=People,dc=frognew,dc=com
LDAPGroups ou=Group,dc=frognew,dc=com
LDAPLog /home/proftpd/mod_ldap.log
...
</Global>

Restart the proftpd service:

systemctl restart proftpd

In OpenLDAP, create the groups dev and ops, then create a test user with primary group dev and additional group ops, and set a password for it. Then test with an FTP client as before.
