环境
- CentOS 7.2
- proftpd 1.3.6
安装
下载最新稳定版源码:
wget https://github.com/proftpd/proftpd/archive/v1.3.6.tar.gz解压:
tar -zxvf proftpd-1.3.6.tar.gz编译:
cd proftpd-1.3.6
./configure --prefix=/usr/local/proftpd安装:
make
make install创建运行用户:
useradd -s /sbin/nologin proftpd修改配置文件/usr/local/proftpd/etc/proftpd.conf:
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 0000
User proftpd
Group proftpd
DefaultRoot ~
SystemLog /home/proftpd/proftpd.log
TransferLog /home/proftpd/proftpd-transfer.log
PathDenyFilter "\\.ftp)|\\.ht)[a-z]+$"
DenyFilter \*.*/
UseReverseDNS off
IdentLookups off
ServerIdent off
AllowRetrieveRestart on
AllowStoreRestart on
AuthOrder mod_auth_file.c
AuthUserFile /usr/local/proftpd/etc/passwd
AuthGroupFile /usr/local/proftpd/etc/group
<Limit LOGIN>
AllowGroup admin
AllowGroup dev
AllowGroup ops
DenyAll
</Limit>
<Directory /home/proftpd/ftp>
AllowOverwrite on
HideNoAccess on
<Limit DIRS>
AllowAll
</Limit>
<Limit STOR RMD MKD>
DenyAll
</Limit>
</Directory>
<Directory /home/proftpd/ftp/dev>
AllowOverwrite on
HideNoAccess on
<Limit DIRS>
AllowGroup dev
AllowGroup admin
DenyAll
</Limit>
</Directory>
<Directory /home/proftpd/ftp/dev/*>
AllowOverwrite on
HideNoAccess on
<Limit READ DIRS>
AllowGroup dev
AllowGroup admin
DenyAll
</Limit>
<Limit MKD STOR RMD DELE>
AllowGroup dev
AllowGroup admin
DenyAll
</Limit>
</Directory>
<Directory /home/proftpd/ftp/ops>
AllowOverwrite on
HideNoAccess on
<Limit DIRS>
AllowGroup ops
AllowGroup admin
DenyAll
</Limit>
</Directory>
<Directory /home/proftpd/ftp/ops/*>
AllowOverwrite on
HideNoAccess on
<Limit READ DIRS>
AllowGroup ops
AllowGroup admin
DenyAll
</Limit>
<Limit MKD STOR RMD DELE>
AllowGroup ops
AllowGroup admin
DenyAll
</Limit>
</Directory>AuthOrder指定权限检查顺序,这里mod_auth_file.c只使用虚拟用户- 注意删除配置文件中的
<Anonymous ~ftp>...</Anonymous> - 关于配置的umask配置项可以查看Umask
- umask即权限掩码,系统的umask默认值是0022,可以使用umask命令查看,此时创建的文件的默认权限是644(6-0,6-2,6-2),创建的目录的默认权限是755(7-0,7-2,7-2),umask的作用就是用来设置控制默认权限。
touch /usr/local/proftpd/etc/passwd
chmod o-rwx /usr/local/proftpd/etc/passwd
touch /usr/local/proftpd/etc/group
chmod o-rwx /usr/local/proftpd/etc/groupsystemd unit文件/usr/lib/systemd/system/proftpd.service:
[Unit]
Description = ProFTPD FTP Server
After = network.target nss-lookup.target local-fs.target remote-fs.target
[Service]
Type = forking
PIDFile = /usr/local/proftpd/var/proftpd.pid
Environment = PROFTPD_OPTIONS=
EnvironmentFile = -/etc/sysconfig/proftpd
ExecStart = /usr/local/proftpd/sbin/proftpd -c /usr/local/proftpd/etc/proftpd.conf $PROFTPD_OPTIONS
ExecReload = /bin/kill -HUP $MAINPID
[Install]
WantedBy = multi-user.target启动:
systemctl daemon-reload
systemctl start proftpd
systemctl status proftpd
systemctl enable proftpd创建虚拟用户
虚拟用户就是说这个用户不是系统的用户,而是ProFTPD自己私有的用户。虚拟用户的信息可以从文件、数据库、LDAP服务器等源头获得,下面先使用从文件获取用户信息。
创建虚拟用户组:
cd /usr/local/proftpd/bin
./ftpasswd --group --name=admin --gid=100 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=dev --gid=101 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=ops --gid=102 --file=/usr/local/proftpd/etc/group创建虚拟用户:
./ftpasswd --passwd --name=admin --uid=1000 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=dev1 --uid=1001 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=ops2 --uid=1002 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd
./ftpasswd --passwd --name=ops3 --uid=1003 --home=/home/proftpd/ftp --shell=/sbin/nologin --file=/usr/local/proftpd/etc/passwd 将虚拟用户加入用户组:
./ftpasswd --group --name=admin --gid=100 --member=admin --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=dev --gid=101 --member=dev1 --file=/usr/local/proftpd/etc/group
./ftpasswd --group --name=ops --gid=102 --member=ops2 --member=ops3 --file=/usr/local/proftpd/etc/group创建ftp数据目录:
mkdir -p /home/proftpd/ftp/dev
mkdir -p /home/proftpd/ftp/ops
chmod -R 0777 /hoem/proftpd/ftp重启proftpd:
systemctl restart proftpd接下来就可以使用ftp客户端和前面创建的用户进行测试。
集成OpenLDAP
需要重新编译安装Proftpd,编译时增加mod_ldap模块,mod_ldap需要OpenLDAP的头文件和lib,
因为我们前面是使用yum安装的OpenLDAP,为了避免出现对应的头文件和lib找不到,我们在本地重新编译一下OpenLDAP。
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar -zxvf db-4.6.21.tar.gz
cd db-4.4.21/build_unix/
../dist/configure -prefix=/usr/local/BerkeleyDB
make
make install
export CPPFLAGS="-I/usr/local/BerkeleyDB/include"
export LDFLAGS="-L/usr/local/BerkeleyDB/lib"
export LD_LIBRARY_PATH="/home/proftpd/db-4.6.21/build_unix/.libs"
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz
tar -zxvf openldap-2.4.44.tgz
cd openldap-2.4.44
./configure --prefix=/usr/local/openldap
make
make install重新编译安装proftpd:
cd proftpd-1.3.6
./configure \
--prefix=/usr/local/proftpd \
--with-modules=mod_ldap \
--with-includes=/usr/local/openldap/include \
--with-libraries=/usr/local/openldap/lib
make
make install修改配置文件/usr/local/proftpd/etc/proftpd.conf:
<Global>
DefaultRoot /home/proftpd/ftp
...
# AuthOrder mod_auth_file.c
# AuthUserFile /usr/local/proftpd/etc/passwd
# AuthGroupFile /usr/local/proftpd/etc/group
AuthOrder mod_ldap.c
LDAPServer 192.168.61.100:389
LDAPBindDN cn=Manager,dc=frognew,dc=com dnpass
LDAPUsers ou=People,dc=frognew,dc=com
LDAPGroups ou=Group,dc=frognew,dc=com
LDAPLog /home/proftpd/mod_ldap.log
...
</Global>重启proftpd服务:
systemctl restart proftpd在OpenLDAP中创建用户组dev和ops,再创建一个测试用户,设置Primary group为dev,Additional groups为ops,并为用户设置一个密码。 接下来使用ftp客户端进行测试即可。