Navigation

Squidge · #1 15th January 2009, 16:59

hello all.

A few things i need help with:

1 . How do i create a user for FTP usage only?
2 . How do I lock that user to /home/"user_name"/?

Your help will be greatly appreciated

falko · #2 16th January 2009, 13:10

Do you want to use system users or virtual users, or does this not matter?

Squidge · #3 16th January 2009, 13:13

Quote:

Originally Posted by falko

Do you want to use system users or virtual users, or does this not matter?

i'd like to create a system user, and lock then to their home folder.

I have my admin ubuntu account which i sue and can access root folders, but i have someone who i want to lock down

falko · #4 17th January 2009, 11:12

Try this:

Code:

useradd -d /home/sample_user -g users sample_user
passwd sample_user

In your proftpd.conf you need the directive

Code:

DefaultRoot ~

Please be aware that all system users can alse receive email (for example if someone sends to <username>@<hostname>). You could set up an alias in /etc/aliases to prevent this:

Code:

sample_user: /dev/null

Run

Code:

newaliases

afterwards and restart Postfix.

Squidge · #5 19th January 2009, 09:33

Quote:

Originally Posted by falko

Try this:

Code:

DefaultRoot ~

I already have this from your Perfect Server Guide, but it doesnt lock to home folder

falko · #6 20th January 2009, 20:02

What's in your proftpd.conf? What's the output of

Code:

netstat -tap

?

Squidge · #7 21st January 2009, 09:51

Quote:

Originally Posted by falko

What's in your proftpd.conf? What's the output of

Code:

netstat -tap

?

This is from netstat -tap:

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN      21129/mysqld
tcp        0      0 *:www                   *:*                     LISTEN      20080/apache2
tcp        0      0 *:ssh                   *:*                     LISTEN      4290/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      5206/master
tcp        0      0 *:https                 *:*                     LISTEN      20080/apache2
tcp        0    300 server1.yellow-zebr:ssh 207.138.98.253:40303    ESTABLISHED 6046/sshd: administ
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      5088/couriertcpd
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      5126/couriertcpd
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      5104/couriertcpd
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      5061/couriertcpd
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      21010/proftpd: (acc
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      4290/sshd
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      5206/master
root@server1:/home/administrator#

And this is my ProFTPD.conf:

Code:

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
# 

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6				on
# If set on you can experience a longer connection delay in many cases.
IdentLookups			off

ServerName			"Debian"
ServerType			standalone
DeferWelcome			off

MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on

TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200

DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"

DenyFilter			\*.*/

# Use this to jail all users in their homes 
DefaultRoot	~
IdentLookups off
ServerIdent on "FTP Server ready."

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell		off

# Port 21 is the standard FTP port.
Port				21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress		1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				proftpd
Group				nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				022  022
# Normally, we want files to be overwriteable.
AllowOverwrite			on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd		off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder			*mod_auth_pam.c mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile			off

# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to specify the backend 
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
#<IfModule mod_sql.c>
# SQLBackend			mysql
#</IfModule>






TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?pag...LSS-2004-10-02
# It is on by default. 
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell		off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayFirstChdir		.message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>