Setting up an FTP server on Debian
Posted by Anonymous on Thu 25 Aug 2005 at 17:29
As a means of distributing large collections of files FTP is still a popular choice, despite the rise of bittorrent, and the growing number of HTTP servers.
FTP is an often overlooked method of storing and giving access to files, in many cases FTP servers have been retired in place of webservers such as Apache.
But there are a lot of cases where offering access via FTP makes sense, even with the limitations of FTP - most notably the difficulty of firewalling and the security risk involved in using plaintext passwords.
There are several different FTP servers packaged within Debian, which you can see via:
apt-cache search ftp-server
One of the most popular servers around is proftpd, and that can be installed upon Debian systems with:
apt-get install proftpd
Once downloaded, debconf will ask whether you wish to run the server via inetd or in standalone mode. In general you want the latter option.
After the installation the server will be running, and will grant access to all user accounts upon the host.
If you wish to stop the server prior to more configuration you can do so with:
/etc/init.d/proftpd stop
The configuration of proftpd is conducted via the configuration file of /etc/proftpd.conf.
Security Options
There are several security options you can enable in proftpd; the most notable is the use of TLS.
To use TLS you will need to generate a key, and update your server's configuration file to use it.
Generating a key is simple enough with the openssl command, which is contained in the openssl package:
mkdir /etc/proftpd
cd /etc/proftpd
openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem \
  -keyout ftpd-rsa-key.pem
With the files generated you can add the following to your proftpd.conf file:
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd-tls.log
  TLSProtocol TLSv1
  # Are clients required to use FTP over TLS when talking to this server?
  TLSRequired off
  TLSRSACertificateFile /etc/proftpd/ftpd-rsa.pem
  TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem
  # Authenticate clients that want to use FTP over TLS?
  TLSVerifyClient off
</IfModule>
Other security options include limiting users to particular directories. To limit the user "bob" to the starting directory "/tmp" you can use:
DefaultRoot /tmp bob
The more general approach is to restrict users to their own home directory, which you can accomplish via:
DefaultRoot ~
This causes all users to be presented with the contents of their home directory (as specified by /etc/passwd) when they log in.
Permitting Anonymous Access
To permit anonymous access to your server you will need to uncomment the configuration options which are already present in the standard /etc/proftpd.conf file.
This is a good starting point:
<Anonymous ~ftp>
  User ftp
  Group nogroup
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Cosmetic changes, all files belongs to ftp user
  DirFakeUser on ftp
  DirFakeGroup on ftp
  RequireValidShell off
  # Limit the maximum number of anonymous logins
  MaxClients 10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
This configuration allows users to log in with either "anonymous" or "ftp" as the username, and they will be able to read from /home/ftp.
Thankfully they will be unable to upload new content, or delete existing files. They will be given only read-only access to the server.
Miscellaneous Options
There are some other options which you might wish to change, for example the welcome message presented to clients.
The welcome message is read from /home/ftp/welcome.msg; editing that file immediately changes the text sent to users.
The hostname of your server is typically displayed to clients when they connect - in the Debian package the greeting only includes the string "Debian" - as you can see from the following session:
user@host:~ ftp localhost
Connected to localhost.localdomain.
220 ProFTPD 1.2.10 Server (Debian) [127.0.0.1]
To change this update the proftpd.conf file to include:
ServerName "My.host.name"
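The settings above (TLSRequired, TLSProtocol, DefaultRoot, the anonymous WRITE limit) are exactly the ones worth checking before exposing the server, and the firewalling difficulty mentioned at the top of the article comes from the passive data ports. The following audit script is an added example, not code from the article or the ProFTPD project; it parses a proftpd.conf fragment and reports the weak spots. PassivePorts is a real ProFTPD directive the article does not mention, and the sample config is constructed from the blocks shown above.

```python
def parse(conf):
    """Yield (block_path, directive, args); block_path holds enclosing tags."""
    stack = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1].strip())  # e.g. 'Limit WRITE'
        else:
            name, _, args = line.partition(" ")
            yield tuple(stack), name, args.strip()

def audit(conf):
    """Return findings about the weak spots discussed in the article."""
    entries = list(parse(conf))
    top = {d: a for p, d, a in entries if not p}
    tls = {d: a for p, d, a in entries if p and p[0].split()[0] == "IfModule"}
    findings = []
    if tls.get("TLSEngine", "off") != "on":
        findings.append("TLSEngine off: USER/PASS cross the wire in plaintext")
    else:
        if tls.get("TLSRequired", "off") != "on":
            findings.append("TLSRequired off: plaintext logins still accepted")
        if tls.get("TLSProtocol") == "TLSv1":
            findings.append("TLSProtocol TLSv1: only TLS 1.0; allow TLSv1.2 or later")
    if "DefaultRoot" not in top:
        findings.append("no DefaultRoot: logins see the whole filesystem")
    if "PassivePorts" not in top:
        findings.append("no PassivePorts: passive data ports are random, hard to firewall")
    anon = [(p, d) for p, d, _ in entries if p and p[0].split()[0] == "Anonymous"]
    if anon and not any(p[-1] == "Limit WRITE" and d == "DenyAll" for p, d in anon):
        findings.append("anonymous: no DenyAll under <Limit WRITE>, uploads possible")
    return findings

# Constructed sample: the article's TLS and anonymous blocks, without DefaultRoot
# or PassivePorts, so several checks fire.
SAMPLE_CONF = """<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol TLSv1
  TLSRequired off
</IfModule>
<Anonymous ~ftp>
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
"""
```

Running `audit(SAMPLE_CONF)` on the sample yields four findings; switching TLSRequired to on, TLSProtocol to TLSv1.2 and adding DefaultRoot and PassivePorts clears them all.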
Pure-ftpd's configuration is a bit strange at first. Basically, you just add files that represent commandline options to a directory /etc/pureftpd/conf/. For instance, to configure a trusted GID for which no chrooting takes place, pure-ftpd provides the --trustedgid option. To enable this as a configuration option, you create a file named TrustedGID and put the GID in that file.
Even though Pure-ftpd's configuration is unorthodox to say the least, I like it better than proftpd's. For some reason I also had a lot less problems setting up rate-limiting and chrooting (for all users except a few) with pure-ftpd than I did for proftpd.
It seems to me proftpd is a little more advanced and offers more options than proftpd, but so far I haven't found anything I personally use that pure-ftpd doesn't offer and proftpd does. It's worth checking out.
-Trash
But right now I'm looking at vsftpd, because the pure-ftpd Debian package does not support files > 2GB.
I know, not a lot of users need this, but I do (think DVDs).
This may be newer than your post, but the pure-ftpd documentation explains how to transfer files over 2GB:
--with-largefile: support downloading of files larger than 2 gigabytes on 32-bit architectures. Transferring such huge files through FTP is a strange idea. And your filesystem has to support it. Your kernel and your libc as well. And of course, the FTP client has to be safe against large files, too. And when this feature is enabled, downloads can be a bit slower (or more cpu-intensive) than without it, due to a limitation of actual Linux kernels. To summarize: don't enable this for fun, just if you are really planning to download files over 2 gigabytes.
And they talk only about downloading, not about uploading.
I only hit this limit once, so not really a big deal now.
felix
- gingko soft
I always recommend sftp (ssh subsystem) for all NON-anonymous ftp access because SSH has far fewer security issues than the average ftp server, and its configuration is simple.
If you have OpenSSH server installed then just add the following line to /etc/ssh/sshd_config and restart the daemon (/etc/init.d/ssh restart):
Subsystem sftp /usr/lib/openssh/sftp-server
And for the Linux users, install the OpenSSH client and have them use sftp to connect instead of ftp.
For windows users, install one of the following:
I am a big fan of WinSCP for using SCP in a graphical fashion under Windows.
Steve
-- Steve.org.uk
fish uploads a file called .fishsrv.pl and then implements its own sftp subsystem; all you need for it to work is a shell on that box.
Just FYI
Great site, btw. About that TLS stuff, I guess this solves the cleartext password problem? Or is it only the data transferred that's encrypted?
Thanks
Yan
I'd use vsftp if I needed an FTP server. It's small and simple, a modern design, and built with security in mind. There is a nice package in Debian with all the bits in, and it even does TLS out of the box.
http://vsftpd.beasts.org/
If Debian, OpenBSD et al., use it as their official FTP server, then it's probably good enough for me too.
--
"It's Not Magic, It's Work"
Adam
--
Gerald
holl.co.at
We use proftpd to support virtual users; although I dare say this could be done through PAM, there are other aspects to having a lot of virtual users, like quota management, that proftpd does well.
Where we just need vanilla system users to be able to ftp, we use vsftpd.
Never had a problem with either. Yes, proftpd has a bit of a security history, but it provides a lot of features not found elsewhere, and as far as I have ascertained none of the security issues have so far affected a configuration that is 2 years old.
However I think ftp is overrated; it provides very little that you don't get with HTTP, although HTTP upload via WebDAV can get a bit fiddly compared to, say, setting up vsftpd.
Insert these lines in your proftpd.conf:
UseReverseDNS off
IdentLookups off
Syneus.
Personally, I recommend against proftpd because of its security history and, last I checked, large memory footprint per connection. When I set up my ftp stuff, pure-ftpd was the only reliable option which supported upload in a safeish way.
If I did not need upload I would use an ftpd which does not implement the feature. If I needed to set up an ftp server with upload now, I would use vsftp, no question.
--JoshuaRodman
Anyway, my experience with ftp has mainly been ProFTPD and I do have access to vsFTP but haven't really bothered to look at it. I am more than happy with the Quota MySQL management with ProFTP under Debian Sarge/Mandrake(RH Clone)/Red Hat.
The TLS option is something that I am interested in, but the only thing that I feel is a bit lacking in ProFTPD is the ability to prevent certain ftp user logins from an IP range that you do not wish to have access. (I'll keep on looking for the solution...)
Well, ProFTPD is not that difficult to set up... and if there are upload and download restrictions that I desire then I could limit the file size via Frox, and download rate via TC.
Have a good weekend!
Cheers
Unlike other popular FTP servers, the number of root exploits found since the very first released version is zero.
The server can run with privilege separation for paranoid security. It can even run 100% non-root, with its built-in chroot() emulation and virtual accounts.
Transmission of cleartext passwords and commands can be avoided: Pure-FTPd has optional support for an SSL/TLS encryption layer using the OpenSSL library.
Well, locally all is fine and a secure connection works, but not from outside :-( and I have no idea what this can be!
Is there any port which must be opened for TLS?
I can connect and log in, and then the client gets an unknown error! The server log reports nothing wrong. :-(
[code]
230 User test logged in.
...
211-AUTH TLS
...
TYPE I
200 Type set to I
REST 0
350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
PWD
257 "/" is current directory.
CWD /
250 CWD command successful
PWD
257 "/" is current directory.
TYPE A
200 Type set to A
PROT P
200 Protection set to Private
PASV
227 Entering Passive Mode (192,168,1,103,129,130).
Opening data connection to 192.168.1.103 Port: 33154
LIST -aL
Timeout (120s).
Active Help: http://www.smartftp.com/support/kb/index.php/74
Client closed the connection.
[/code]
Config:
DefaultRoot /somedir bob
running
ftp://localhost in konqueror/firefox/nau... works fine
running
ftp my_ip in console works fine (I can ls, cd, etc)
running
ftp://my_ip in konqueror/firefox/nau... almost fails: no folders/files are displayed and copying files fails, but I can create a new folder!
Any ideas?
The control channel is nicely fixed to 21. The default data channel is 20, but it can be just about anything and I believe there may even be multiple data channels in action at any one time - a real pain.
You can create directories because you're connected through the control channel, but your inability to transfer files is probably caused by the lack of a data channel.
Try opening the default data channel and pray.
I don't know enough about any particular server/client to tell you how to nail down the port numbers available as data channels.
Regards, Max
Unable to load config info from /usr/lib/ssl/openssl.cnf
when I run:
openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem