$ apt install proftpd-basic
At this point, enter y and press enter to continue.
In this way, the installation of proftpd is completed.
After installing proftpd on Ubuntu, its configuration files are stored in the /etc/proftpd directory. The main configuration file is proftpd.conf; the other configuration files are pulled in by proftpd.conf through its Include directive.
The name of the proftpd service is called proftpd. Every time we change the proftpd configuration file, we need to restart the proftpd service.
To restart the proftpd service, you can use the following command:
$ systemctl restart proftpd
After running the restart command, check whether the proftpd service is running correctly through the following command:
$ systemctl status proftpd
As you can see, the proftpd service is running normally.
Test proftpd service
Once proftpd is installed, no further configuration is required: the default configuration works as it is. Existing users of the Ubuntu system can log in to the FTP server.
Add FTP user
Although existing Ubuntu users can already act as FTP users, it is better to create a dedicated FTP user. This is simply a new user in the Ubuntu system.
We create a new ftp2 user with the following command:
$ useradd -m ftp2
Now set the password for the new ftp2 user:
$ passwd ftp2
Now enter the password and press enter.
Enter the password again and press enter.
The password is now set.
The user ftp2 can log in to the FTP service.
FTP users are not allowed to access the system through SSH
For security reasons, we usually do not want FTP-only users to log in to our server through SSH. However, every new user on the system can log in via SSH, as shown in the following figure:
To prevent them from using SSH, we replace their default login shell with /bin/false.
First, open the file /etc/shells with a text editor:
$ nano /etc/shells
Now add the line /bin/false at the end of the file. By default proftpd only accepts users whose shell is listed in /etc/shells (the RequireValidShell setting), so listing /bin/false there keeps FTP logins working for these users.
Next, change the login shell of user ftp2 to /bin/false:
$ usermod -s /bin/false ftp2
The user ftp2 can now no longer log in through SSH,
but FTP login still works.
Restrict FTP users to see only their home directory
By default, FTP users can browse the whole filesystem starting from the system root directory. Even though they can only browse and not modify anything, exposing the root directory of the system to FTP users is not a good security policy. This is where the chroot jail comes in: it is a built-in feature of proftpd, but it is not enabled by default.
To enable the chroot jail, edit the configuration file /etc/proftpd/proftpd.conf:
$ nano /etc/proftpd/proftpd.conf
As shown in the figure below, find the commented-out line that sets DefaultRoot ~:
Delete the # at the beginning of that line so it reads DefaultRoot ~, as in the figure below, and save the file.
After modifying the configuration file, restart the proftpd service:
$ systemctl restart proftpd
Now, FTP users can only see their home directory.
Creating FTP virtual user
In most cases, our FTP server serves a web server. For example, Apache is installed on the system and we use FTP to upload files into the web directory. In that case we want the uploaded files to be owned by Apache's www-data user. This is where FTP virtual users come in.
What is a virtual user? Simply put, it is a user that does not appear in the system's /etc/passwd file. /etc/passwd is a text file that stores the information of every user who can log in to the system, including their unique user ID and group ID. A virtual user is instead defined in another file, a database, or an LDAP server.
Notably, a virtual user can have the same UID and GID as an existing system user, and therefore the same permissions as that user. For this reason you need to enable the DefaultRoot ~ setting in proftpd.conf so that virtual users are confined to their own directories.
To create and manage proftpd virtual users we use the ftpasswd tool, which stores the virtual user information in the files /etc/proftpd/ftpd.passwd and /etc/proftpd/ftpd.group. These two files correspond to the AuthUserFile and AuthGroupFile directives in the proftpd configuration file.
Suppose we want to create FTP virtual users with the same UID as the www-data user. First, find its UID:
~]$ cat /etc/passwd | grep www-data
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
As you can see, the UID of www-data is 33, and its GID (group ID) is also 33.
Create two virtual users, user1 and user2:
~]$ ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=user1 --uid=33 --gid=33 --home=/var/www/html/user1 --shell=/bin/false
ftpasswd: using alternate file: /etc/proftpd/ftpd.passwd
ftpasswd: creating passwd entry for user user1
ftpasswd: /bin/false is not among the valid system shells. Use of
ftpasswd: "RequireValidShell off" may be required, and the PAM
ftpasswd: module configuration may need to be adjusted.
Password:
Re-type password:
ftpasswd: entry created
~]$ ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=user2 --uid=33 --gid=33 --home=/var/www/html/user2 --shell=/bin/false
ftpasswd: using alternate file: /etc/proftpd/ftpd.passwd
ftpasswd: creating passwd entry for user user2
ftpasswd: /bin/false is not among the valid system shells. Use of
ftpasswd: "RequireValidShell off" may be required, and the PAM
ftpasswd: module configuration may need to be adjusted.
Password:
Re-type password:
ftpasswd: entry created
Notice the warning printed during creation: /bin/false is not among the valid system shells. We handle this by setting the RequireValidShell off option, which goes in the /etc/proftpd/proftpd.conf configuration file.
Create a group file as follows:
~]$ ftpasswd --group --name=www-data --file=/etc/proftpd/ftpd.group --gid=33 --member user1,user2
ftpasswd: using alternate file: /etc/proftpd/ftpd.group
ftpasswd: updating group entry for group www-data
ftpasswd: entry updated
Let's look at the contents of both files:
~]$ cat ftpd.passwd
user1:$1$elbFOuqM$Z0FfP9GhwMLIZza4m27ie.:33:33::/var/www/html/user1:/bin/false
user2:$1$RQfV4FlC$dOVVecDeUlSpKkvwUz4dow:33:33::/var/www/html/user2:/bin/false
~]$ cat /etc/proftpd/ftpd.group
www-data:x:33:user1,user2
Other uses of the ftpasswd tool
The password is stored in hashed form. To change a password, use the ftpasswd tool:
~]$ ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --change-password
Locking and unlocking users with ftpasswd:
~]$ ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test2 --lock
~]$ ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test2 --unlock
Deleting a user with ftpasswd:
~]$ ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --delete-user
Once the virtual user information exists, it must be linked to the /etc/proftpd/proftpd.conf configuration file. Add the following configuration directives:
DefaultRoot ~
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
AuthOrder mod_auth_file.c
Restart the proftpd service:
~]$ systemctl restart proftpd.service
Troubleshooting the 530 login incorrect error
If the FTP client reports a 530 login error and you cannot log in to the FTP service, open the log file /var/log/proftpd/proftpd.log on the server; you may see a "user not found" message. This usually means you forgot to add the AuthOrder mod_auth_file.c line to the configuration file.
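As an added check that is not part of the original tutorial, the script below audits the two things the virtual-user and configuration sections above rely on: that every ftpd.passwd entry really carries the www-data UID/GID, a home under the web root and /bin/false as its shell, and that proftpd.conf contains all five directives, with a missing AuthOrder reported as the likely cause of the 530 error. The function names, placeholder hashes and sample files are constructed for this example.

```shell
# Added audit helper (not from the original tutorial). Assumes the ftpd.passwd
# layout shown above (name:hash:uid:gid:gecos:home:shell); samples are constructed.

# check_virtual_users FILE UID GID HOMEROOT: succeed only if every entry uses
# the expected UID/GID, a home below HOMEROOT and /bin/false as its shell.
check_virtual_users() {
    awk -F: -v uid="$2" -v gid="$3" -v root="$4" '
        BEGIN { bad = 0 }
        NF < 7 { printf "%s: malformed entry\n", $1; bad = 1; next }
        $3 != uid { printf "%s: uid %s, expected %s\n", $1, $3, uid; bad = 1 }
        $4 != gid { printf "%s: gid %s, expected %s\n", $1, $4, gid; bad = 1 }
        index($6, root "/") != 1 { printf "%s: home %s outside %s\n", $1, $6, root; bad = 1 }
        $7 != "/bin/false" { printf "%s: shell %s is not /bin/false\n", $1, $7; bad = 1 }
        END { exit bad }' "$1"
}

# check_proftpd_conf FILE: succeed only if every directive the tutorial adds is
# present and uncommented; a missing AuthOrder is the classic cause of "530".
check_proftpd_conf() {
    rc=0
    for d in "DefaultRoot ~" "RequireValidShell off" \
             "AuthUserFile /etc/proftpd/ftpd.passwd" \
             "AuthGroupFile /etc/proftpd/ftpd.group" "AuthOrder mod_auth_file.c"; do
        grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$1" || { echo "missing: $d"; rc=1; }
    done
    return $rc
}

# Constructed sample inputs with placeholder hashes (not real credentials).
TMP=$(mktemp -d)
cat > "$TMP/good.passwd" <<'EOF'
user1:$1$PLACEHOLDER$hash1:33:33::/var/www/html/user1:/bin/false
user2:$1$PLACEHOLDER$hash2:33:33::/var/www/html/user2:/bin/false
EOF
cat > "$TMP/bad.passwd" <<'EOF'
user3:$1$PLACEHOLDER$hash3:0:0::/var/www/html/user3:/bin/false
user4:$1$PLACEHOLDER$hash4:33:33::/home/user4:/bin/bash
EOF
cat > "$TMP/proftpd.conf" <<'EOF'
DefaultRoot ~
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
# AuthOrder mod_auth_file.c   <- still commented out, so logins get 530
EOF
check_virtual_users "$TMP/good.passwd" 33 33 /var/www/html && echo "good.passwd: ok"
check_virtual_users "$TMP/bad.passwd" 33 33 /var/www/html || echo "bad.passwd: problems found"
check_proftpd_conf "$TMP/proftpd.conf" || echo "proftpd.conf: incomplete"
```

Run it against the real /etc/proftpd/ftpd.passwd and proftpd.conf by passing those paths instead of the sample files.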