# # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file. # To really apply changes, reload proftpd after modifications, if # it runs in daemon mode. It is not required in inetd/xinetd mode. # # Includes DSO modules Include /etc/proftpd/modules.conf # Set off to disable IPv6 support which is annoying on IPv4 only boxes. UseIPv6 on # If set on you can experience a longer connection delay in many cases. IdentLookups off ServerName "Debian" # Set to inetd only if you would run proftpd by inetd/xinetd. # Read README.Debian for more information on proper configuration. ServerType standalone DeferWelcome off MultilineRFC2228 on DefaultServer on ShowSymlinks on TimeoutNoTransfer 600 TimeoutStalled 600 TimeoutIdle 1200 DisplayLogin welcome.msg DisplayChdir .message true ListOptions "-l" DenyFilter \*.*/ # Use this to jail all users in their homes # DefaultRoot ~ # Users require a valid shell listed in /etc/shells to login. # Use this directive to release that constrain. # RequireValidShell off # Port 21 is the standard FTP port. Port 21 # In some cases you have to specify passive ports range to by-pass # firewall limitations. Ephemeral ports can be used for that, but # feel free to use a more narrow range. # PassivePorts 49152 65534 # If your host was NATted, this option is useful in order to # allow passive tranfers to work. You have to use your public # address and opening the passive ports used on your firewall as well. # MasqueradeAddress 1.2.3.4 # This is useful for masquerading address with dynamic IPs: # refresh any configured MasqueradeAddress directives every 8 hours <IfModule mod_dynmasq.c> # DynMasqRefresh 28800 </IfModule> # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 30 # Set the user and group that the server normally runs at. User proftpd Group nogroup # Umask 022 is a good standard umask to prevent new files and dirs # (second parm) from being group and world writable. Umask 022 022 # Normally, we want files to be overwriteable. AllowOverwrite on # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords: # PersistentPasswd off # This is required to use both PAM-based authentication and local passwords # AuthOrder mod_auth_pam.c* mod_auth_unix.c # Be warned: use of this directive impacts CPU average load! # Uncomment this if you like to see progress and transfer rate with ftpwho # in downloads. That is not needed for uploads rates. # # UseSendFile off TransferLog /var/log/proftpd/xferlog SystemLog /var/log/proftpd/proftpd.log # Logging onto /var/log/lastlog is enabled but set to off by default #UseLastlog on # In order to keep log file dates consistent after chroot, use timezone info # from /etc/localtime. If this is not set, and proftpd is configured to # chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight # savings timezone regardless of whether DST is in effect. #SetEnv TZ :/etc/localtime <IfModule mod_quotatab.c> QuotaEngine off </IfModule> <IfModule mod_ratio.c> Ratios off </IfModule> # Delay engine reduces impact of the so-called Timing Attack described in # http://www.securityfocus.com/bid/11430/discuss # It is on by default. <IfModule mod_delay.c> DelayEngine on </IfModule> <IfModule mod_ctrls.c> ControlsEngine off ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocket /var/run/proftpd/proftpd.sock </IfModule> <IfModule mod_ctrls_admin.c> AdminControlsEngine off </IfModule> # # Alternative authentication frameworks # #Include /etc/proftpd/ldap.conf #Include /etc/proftpd/sql.conf # # This is used for FTPS connections # #Include /etc/proftpd/tls.conf # # Useful to keep VirtualHost/VirtualRoot directives separated # #Include /etc/proftpd/virtuals.conf # A basic anonymous configuration, no upload directories. # <Anonymous ~ftp> # User ftp # Group nogroup # # We want clients to be able to login with "anonymous" as well as "ftp" # UserAlias anonymous ftp # # Cosmetic changes, all files belongs to ftp user # DirFakeUser on ftp # DirFakeGroup on ftp # # RequireValidShell off # # # Limit the maximum number of anonymous logins # MaxClients 10 # # # We want 'welcome.msg' displayed at login, and '.message' displayed # # in each newly chdired directory. # DisplayLogin welcome.msg # DisplayChdir .message # # # Limit WRITE everywhere in the anonymous chroot # <Directory *> # <Limit WRITE> # DenyAll # </Limit> # </Directory> # # # Uncomment this if you're brave. # # <Directory incoming> # # # Umask 022 is a good standard umask to prevent new files and dirs # # # (second parm) from being group and world writable. # # Umask 022 022 # # <Limit READ WRITE> # # DenyAll # # </Limit> # # <Limit STOR> # # AllowAll # # </Limit> # # </Directory> # # </Anonymous> # Include other custom configuration files Include /etc/proftpd/conf.d/
# # This file is used to manage DSO modules and features. # # This is the directory where DSO modules reside ModulePath /usr/lib/proftpd # Allow only user root to load and unload modules, but allow everyone # to see which modules have been loaded ModuleControlsACLs insmod,rmmod allow user root ModuleControlsACLs lsmod allow user * LoadModule mod_ctrls_admin.c LoadModule mod_tls.c # Install one of proftpd-mod-mysql, proftpd-mod-pgsql or any other # SQL backend engine to use this module and the required backend. # This module must be mandatory loaded before anyone of # the existent SQL backeds. #LoadModule mod_sql.c # Install proftpd-mod-ldap to use this #LoadModule mod_ldap.c # # 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives # are required to have SQL authorization working. You can also comment out the # unused module here, in alternative. # # Install proftpd-mod-mysql and decomment the previous # mod_sql.c module to use this. #LoadModule mod_sql_mysql.c # Install proftpd-mod-pgsql and decomment the previous # mod_sql.c module to use this. #LoadModule mod_sql_postgres.c # Install proftpd-mod-sqlite and decomment the previous # mod_sql.c module to use this #LoadModule mod_sql_sqlite.c # Install proftpd-mod-odbc and decomment the previous # mod_sql.c module to use this #LoadModule mod_sql_odbc.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_sql_passwd.c LoadModule mod_radius.c LoadModule mod_quotatab.c LoadModule mod_quotatab_file.c # Install proftpd-mod-ldap to use this #LoadModule mod_quotatab_ldap.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_quotatab_sql.c LoadModule mod_quotatab_radius.c LoadModule mod_wrap.c LoadModule mod_rewrite.c LoadModule mod_load.c LoadModule mod_ban.c LoadModule mod_wrap2.c LoadModule mod_wrap2_file.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_wrap2_sql.c LoadModule mod_dynmasq.c LoadModule mod_exec.c LoadModule mod_shaper.c LoadModule mod_ratio.c LoadModule mod_site_misc.c LoadModule mod_sftp.c LoadModule mod_sftp_pam.c # Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_sftp_sql.c LoadModule mod_facl.c LoadModule mod_unique_id.c LoadModule mod_copy.c LoadModule mod_deflate.c LoadModule mod_ifversion.c LoadModule mod_tls_memcache.c # Install proftpd-mod-geoip to use the GeoIP feature #LoadModule mod_geoip.c # keep this module the last one LoadModule mod_ifsession.c
# # Proftpd sample configuration for LDAP authentication. # # (This is not to be used if you prefer a PAM-based LDAP authentication) # <IfModule mod_ldap.c> # # This is used for ordinary LDAP connections, with or without TLS # #LDAPServer ldap://ldap.example.com #LDAPBindDN "cn=admin,dc=example,dc=com" "admin_password" #LDAPUsers dc=users,dc=example,dc=com (uid=%u) (uidNumber=%u) # # To be set on only for LDAP/TLS on ordinary port, for LDAP+SSL see below #LDAPUseTLS on # # # This is used for encrypted LDAPS connections # #LDAPServer ldaps://ldap.example.com #LDAPBindDN "cn=admin,dc=example,dc=com" "admin_password" #LDAPUsers dc=users,dc=example,dc=com (uid=%u) (uidNumber=%u) # </IfModule>
# # Proftpd sample configuration for SQL-based authentication. # # (This is not to be used if you prefer a PAM-based SQL authentication) # <IfModule mod_sql.c> # # Choose a SQL backend among MySQL or PostgreSQL. # Both modules are loaded in default configuration, so you have to specify the backend # or comment out the unused module in /etc/proftpd/modules.conf. # Use 'mysql' or 'postgres' as possible values. # #SQLBackend mysql # #SQLEngine on #SQLAuthenticate on # # Use both a crypted or plaintext password #SQLAuthTypes Crypt Plaintext # # Use a backend-crypted or a crypted password #SQLAuthTypes Backend Crypt # # Connection #SQLConnectInfo proftpd@sql.example.com proftpd_user proftpd_password # # Describes both users/groups tables # #SQLUserInfo users userid passwd uid gid homedir shell #SQLGroupInfo groups groupname gid members # </IfModule>
# # Proftpd sample configuration for FTPS connections. # # Note that FTPS impose some limitations in NAT traversing. # See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html # for more information. # <IfModule mod_tls.c> #TLSEngine on #TLSLog /var/log/proftpd/tls.log #TLSProtocol SSLv23 # # Server SSL certificate. You can generate a self-signed certificate using # a command like: # # openssl req -x509 -newkey rsa:1024 \ # -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \ # -nodes -days 365 # # The proftpd.key file must be readable by root only. The other file can be # readable by anyone. # # chmod 0600 /etc/ssl/private/proftpd.key # chmod 0640 /etc/ssl/private/proftpd.key # #TLSRSACertificateFile /etc/ssl/certs/proftpd.crt #TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key # # CA the server trusts... #TLSCACertificateFile /etc/ssl/certs/CA.pem # ...or avoid CA cert and be verbose #TLSOptions NoCertRequest EnableDiags # ... or the same with relaxed session use for some clients (e.g. FireFtp) #TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired # # # Per default drop connection if client tries to start a renegotiate # This is a fix for CVE-2009-3555 but could break some clients. # #TLSOptions AllowClientRenegotiations # # Authenticate clients that want to use FTP over TLS? # #TLSVerifyClient off # # Are clients required to use FTP over TLS when talking to this server? # #TLSRequired on # # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotations. Some clients do not support # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these # clients will close the data connection, or there will be a timeout # on an idle data connection. # #TLSRenegotiate required off </IfModule>
# # Proftpd sample configuration for Virtual Hosts and Virtual Roots. # # Note that FTP protocol requires IP based virtual host, not name based. # # # A generic sample virtual host. # #<VirtualHost ftp.server.com> #ServerAdmin ftpmaster@server.com #ServerName "Big FTP Archive" #TransferLog /var/log/proftpd/xfer/ftp.server.com #MaxLoginAttempts 3 #RequireValidShell no #DefaultRoot /srv/ftp_root #AllowOverwrite yes #</VirtualHost> # # The vroot module is not required, but can be useful for shared # directories. # <IfModule mod_vroot.c> #VRootEngine on #DefaultRoot ~ #VRootAlias upload /var/ftp/upload # #<VirtualHost a.b.c.d> #VRootEngine on #VRootServerRoot /etc/ftpd/a.b.c.d/ #VRootOptions allowSymlinks #DefaultRoot ~ #</VirtualHost> # </IfModule>