Team environment: installing ProFTPD
📅 2017-05-11
Environment #
- CentOS 7.2
- proftpd 1.3.6
Installation #
Download the latest stable source (the GitHub archive is saved under the name the next step expects):
wget -O proftpd-1.3.6.tar.gz https://github.com/proftpd/proftpd/archive/v1.3.6.tar.gz
Extract:
tar -zxvf proftpd-1.3.6.tar.gz
Configure:
cd proftpd-1.3.6
./configure --prefix=/usr/local/proftpd
Build and install:
make
make install
Create the user the daemon runs as:
useradd -s /sbin/nologin proftpd
Edit the configuration file /usr/local/proftpd/etc/proftpd.conf:
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 0000

User proftpd
Group proftpd
DefaultRoot ~
SystemLog /home/proftpd/proftpd.log
TransferLog /home/proftpd/proftpd-transfer.log

# Refuse paths ending in .ftpaccess / .htaccess-style names
PathDenyFilter "(\\.ftp)|(\\.ht)[a-z]+$"
DenyFilter \*.*/

UseReverseDNS off
IdentLookups off
ServerIdent off
AllowRetrieveRestart on
AllowStoreRestart on

# Authenticate only against the virtual user/group files
AuthOrder mod_auth_file.c
AuthUserFile /usr/local/proftpd/etc/passwd
AuthGroupFile /usr/local/proftpd/etc/group

# Only members of these groups may log in at all
<Limit LOGIN>
  AllowGroup admin
  AllowGroup dev
  AllowGroup ops
  DenyAll
</Limit>

# Chroot root: everyone may list it, nobody may create or remove entries in it
<Directory /home/proftpd/ftp>
  AllowOverwrite on
  HideNoAccess on
  <Limit DIRS>
    AllowAll
  </Limit>
  <Limit STOR RMD MKD>
    DenyAll
  </Limit>
</Directory>

# dev: only the dev and admin groups may list the directory
<Directory /home/proftpd/ftp/dev>
  AllowOverwrite on
  HideNoAccess on
  <Limit DIRS>
    AllowGroup dev
    AllowGroup admin
    DenyAll
  </Limit>
</Directory>

# dev contents: dev and admin may read, list and modify
<Directory /home/proftpd/ftp/dev/*>
  AllowOverwrite on
  HideNoAccess on
  <Limit READ DIRS>
    AllowGroup dev
    AllowGroup admin
    DenyAll
  </Limit>
  <Limit MKD STOR RMD DELE>
    AllowGroup dev
    AllowGroup admin
    DenyAll
  </Limit>
</Directory>

# ops: same pattern for the ops and admin groups
<Directory /home/proftpd/ftp/ops>
  AllowOverwrite on
  HideNoAccess on
  <Limit DIRS>
    AllowGroup ops
    AllowGroup admin
    DenyAll
  </Limit>
</Directory>

<Directory /home/proftpd/ftp/ops/*>
  AllowOverwrite on
  HideNoAccess on
  <Limit READ DIRS>
    AllowGroup ops
    AllowGroup admin
    DenyAll
  </Limit>
  <Limit MKD STOR RMD DELE>
    AllowGroup ops
    AllowGroup admin
    DenyAll
  </Limit>
</Directory>
- AuthOrder sets the order in which authentication modules are consulted; here only mod_auth_file.c is listed, so only virtual users are used.
- Be sure to delete the <Anonymous ~ftp>...</Anonymous> block from the configuration file.
- For the umask configuration item, see the Umask directive.
- umask is the permission mask. The system default umask is 0022 (check it with the umask command); with that value, newly created files get 644 by default (6-0, 6-2, 6-2) and newly created directories get 755 (7-0, 7-2, 7-2). The purpose of umask is to control these default permissions.
Create the virtual user and group files and remove all access for others:
touch /usr/local/proftpd/etc/passwd
chmod o-rwx /usr/local/proftpd/etc/passwd

touch /usr/local/proftpd/etc/group
chmod o-rwx /usr/local/proftpd/etc/group
systemd unit file /usr/lib/systemd/system/proftpd.service:
[Unit]
Description = ProFTPD FTP Server
After = network.target nss-lookup.target local-fs.target remote-fs.target

[Service]
Type = forking
PIDFile = /usr/local/proftpd/var/proftpd.pid
Environment = PROFTPD_OPTIONS=
EnvironmentFile = -/etc/sysconfig/proftpd
ExecStart = /usr/local/proftpd/sbin/proftpd -c /usr/local/proftpd/etc/proftpd.conf $PROFTPD_OPTIONS
ExecReload = /bin/kill -HUP $MAINPID

[Install]
WantedBy = multi-user.target
Start the service:
systemctl daemon-reload
systemctl start proftpd
systemctl status proftpd
systemctl enable proftpd
Creating virtual users #
A virtual user is a user that does not exist on the system but is private to ProFTPD. Virtual user information can come from a file, a database, an LDAP server or other sources; below we start with file-based users.
Create the virtual groups:
cd /usr/local/proftpd/bin
./ftpasswd --group --name=admin --gid=100 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=dev --gid=101 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=ops --gid=102 --file=/usr/local/proftpd/etc/group
Create the virtual users:
./ftpasswd --passwd --name=admin --uid=1000 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=dev1 --uid=1001 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=ops2 --uid=1002 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=ops3 --uid=1003 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
Add the virtual users to their groups:
./ftpasswd --group --name=admin --gid=100 --member=admin --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=dev --gid=101 --member=dev1 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=ops --gid=102 --member=ops2 --member=ops3 --file=/usr/local/proftpd/etc/group
Create the FTP data directories:
mkdir -p /home/proftpd/ftp/dev
mkdir -p /home/proftpd/ftp/ops
chmod -R 0777 /home/proftpd/ftp
Restart proftpd:
systemctl restart proftpd
You can now test with an FTP client and the users created above.
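As an added example (not part of the original post), a small Python check that parses the AuthUserFile and AuthGroupFile built above and reports group members with no passwd entry, users who would be refused by the `<Limit LOGIN>` allow list, and home directories outside the DefaultRoot tree. The file contents below are constructed, and the /etc/passwd- and /etc/group-style layouts are assumed.

```python
# Added example (not from the original post): check the ftpasswd-generated
# AuthUserFile/AuthGroupFile against <Limit LOGIN>. Assumes /etc/passwd and
# /etc/group layouts; sample data is constructed, hashes are placeholders.
CHROOT = "/home/proftpd/ftp"            # DefaultRoot ~ resolves here for every user
LOGIN_GROUPS = {"admin", "dev", "ops"}  # AllowGroup lines inside <Limit LOGIN>

PASSWD_TEXT = """\
admin:$1$PLACEHOLDER:1000:1000::/home/proftpd/ftp:/sbin/nologin
dev1:$1$PLACEHOLDER:1001:1001::/home/proftpd/ftp:/sbin/nologin
ops2:$1$PLACEHOLDER:1002:1002::/home/proftpd/ftp:/sbin/nologin
guest:$1$PLACEHOLDER:1004:1004::/tmp/outside:/sbin/nologin
"""
GROUP_TEXT = """\
admin:x:100:admin
dev:x:101:dev1
ops:x:102:ops2,nobody
"""

def parse_passwd(text):
    # name -> home directory, one /etc/passwd-style record per line
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, _uid, _gid, _gecos, home, _shell = line.split(":")
        users[name] = home
    return users
def parse_group(text):
    # name -> set of member names, /etc/group-style records
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups
def login_allowed(passwd_text, group_text):
    # users that pass <Limit LOGIN>: in an allowed group and present in passwd
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    return {m for g in LOGIN_GROUPS for m in groups.get(g, set()) if m in users}
def audit(passwd_text, group_text):
    # returns a list of findings; an empty list means the files are consistent
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    allowed, findings = login_allowed(passwd_text, group_text), []
    for gname, members in groups.items():
        for m in sorted(members - set(users)):
            findings.append(f"group {gname}: member {m} has no passwd entry")
    for name, home in users.items():
        if name not in allowed:
            findings.append(f"user {name}: in no <Limit LOGIN> group, login denied")
        if home != CHROOT and not home.startswith(CHROOT + "/"):
            findings.append(f"user {name}: home {home} is outside {CHROOT}")
    return findings
```

Run `audit()` on the real files after each ftpasswd change; a stale member or a user left out of every allowed group shows up here before it shows up as a failed login.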
Integrating OpenLDAP #
ProFTPD has to be rebuilt and reinstalled with the mod_ldap module enabled. mod_ldap needs the OpenLDAP headers and libraries; because OpenLDAP was installed with yum earlier, we recompile OpenLDAP locally so that the matching headers and libraries are found.
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar -zxvf db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BerkeleyDB
make
make install
export CPPFLAGS="-I/usr/local/BerkeleyDB/include"
export LDFLAGS="-L/usr/local/BerkeleyDB/lib"
export LD_LIBRARY_PATH="/home/proftpd/db-4.6.21/build_unix/.libs"

wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz
tar -zxvf openldap-2.4.44.tgz
cd openldap-2.4.44
./configure --prefix=/usr/local/openldap
make
make install
Rebuild and reinstall proftpd:
cd proftpd-1.3.6

./configure \
  --prefix=/usr/local/proftpd \
  --with-modules=mod_ldap \
  --with-includes=/usr/local/openldap/include \
  --with-libraries=/usr/local/openldap/lib

make
make install
Edit the configuration file /usr/local/proftpd/etc/proftpd.conf:
<Global>
DefaultRoot /home/proftpd/ftp
...
# AuthOrder mod_auth_file.c
# AuthUserFile /usr/local/proftpd/etc/passwd
# AuthGroupFile /usr/local/proftpd/etc/group
AuthOrder mod_ldap.c
LDAPServer 192.168.61.100:389
LDAPBindDN cn=Manager,dc=frognew,dc=com dnpass
LDAPUsers ou=People,dc=frognew,dc=com
LDAPGroups ou=Group,dc=frognew,dc=com
LDAPLog /home/proftpd/mod_ldap.log
...
</Global>
Restart the proftpd service:
systemctl restart proftpd
In OpenLDAP, create the groups dev and ops, then create a test user with primary group dev and additional group ops, and set a password for the user. Then test with an FTP client.