ProFTPD locking users

Discussion in 'Installation/Configuration' started by Squidge, Jan 15, 2009.

  1. Squidge

    Squidge New Member

    hello all.

    A few things i need help with:

    1 . How do i create a user for FTP usage only?
    2 . How do I lock that user to /home/"user_name"/?

    Your help will be greatly appreciated :)
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Do you want to use system users or virtual users, or does this not matter?
     
  3. Squidge

    Squidge New Member

    i'd like to create a system user, and lock then to their home folder.

    I have my admin ubuntu account which i sue and can access root folders, but i have someone who i want to lock down
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Try this:
    Code:
    useradd -d /home/sample_user -g users sample_user
    passwd sample_user
    In your proftpd.conf you need the directive
    Code:
    DefaultRoot ~
    Please be aware that all system users can alse receive email (for example if someone sends to <username>@<hostname>). You could set up an alias in /etc/aliases to prevent this:
    Code:
    sample_user: /dev/null
    Run
    Code:
    newaliases
    afterwards and restart Postfix.
     
  5. Squidge

    Squidge New Member

    I already have this from your Perfect Server Guide, but it doesnt lock to home folder
     
  6. falko

    falko Super Moderator ISPConfig Developer

    What's in your proftpd.conf? What's the output of
    Code:
    netstat -tap
    ?
     
  7. Squidge

    Squidge New Member

    This is from netstat -tap:
    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 *:mysql                 *:*                     LISTEN      21129/mysqld
    tcp        0      0 *:www                   *:*                     LISTEN      20080/apache2
    tcp        0      0 *:ssh                   *:*                     LISTEN      4290/sshd
    tcp        0      0 *:smtp                  *:*                     LISTEN      5206/master
    tcp        0      0 *:https                 *:*                     LISTEN      20080/apache2
    tcp        0    300 server1.yellow-zebr:ssh 207.138.98.253:40303    ESTABLISHED 6046/sshd: administ
    tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      5088/couriertcpd
    tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      5126/couriertcpd
    tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      5104/couriertcpd
    tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      5061/couriertcpd
    tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      21010/proftpd: (acc
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      4290/sshd
    tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      5206/master
    [email protected]:/home/administrator#
    
    And this is my ProFTPD.conf:
    Code:
    #
    # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
    # To really apply changes reload proftpd after modifications.
    # 
    
    # Includes DSO modules
    Include /etc/proftpd/modules.conf
    
    # Set off to disable IPv6 support which is annoying on IPv4 only boxes.
    UseIPv6				on
    # If set on you can experience a longer connection delay in many cases.
    IdentLookups			off
    
    ServerName			"Debian"
    ServerType			standalone
    DeferWelcome			off
    
    MultilineRFC2228		on
    DefaultServer			on
    ShowSymlinks			on
    
    TimeoutNoTransfer		600
    TimeoutStalled			600
    TimeoutIdle			1200
    
    DisplayLogin                    welcome.msg
    DisplayChdir               	.message true
    ListOptions                	"-l"
    
    DenyFilter			\*.*/
    
    # Use this to jail all users in their homes 
    DefaultRoot	~
    IdentLookups off
    ServerIdent on "FTP Server ready."
    
    # Users require a valid shell listed in /etc/shells to login.
    # Use this directive to release that constrain.
    # RequireValidShell		off
    
    # Port 21 is the standard FTP port.
    Port				21
    
    # In some cases you have to specify passive ports range to by-pass
    # firewall limitations. Ephemeral ports can be used for that, but
    # feel free to use a more narrow range.
    # PassivePorts                  49152 65534
    
    # If your host was NATted, this option is useful in order to
    # allow passive tranfers to work. You have to use your public
    # address and opening the passive ports used on your firewall as well.
    # MasqueradeAddress		1.2.3.4
    
    # This is useful for masquerading address with dynamic IPs:
    # refresh any configured MasqueradeAddress directives every 8 hours
    <IfModule mod_dynmasq.c>
    # DynMasqRefresh 28800
    </IfModule>
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances			30
    
    # Set the user and group that the server normally runs at.
    User				proftpd
    Group				nogroup
    
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask				022  022
    # Normally, we want files to be overwriteable.
    AllowOverwrite			on
    
    # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
    # PersistentPasswd		off
    
    # This is required to use both PAM-based authentication and local passwords
    # AuthOrder			*mod_auth_pam.c mod_auth_unix.c
    
    # Be warned: use of this directive impacts CPU average load!
    # Uncomment this if you like to see progress and transfer rate with ftpwho
    # in downloads. That is not needed for uploads rates.
    #
    # UseSendFile			off
    
    # Choose a SQL backend among MySQL or PostgreSQL.
    # Both modules are loaded in default configuration, so you have to specify the backend 
    # or comment out the unused module in /etc/proftpd/modules.conf.
    # Use 'mysql' or 'postgres' as possible values.
    #
    #<IfModule mod_sql.c>
    # SQLBackend			mysql
    #</IfModule>
    
    
    
    
    
    
    TransferLog /var/log/proftpd/xferlog
    SystemLog   /var/log/proftpd/proftpd.log
    
    <IfModule mod_quotatab.c>
    QuotaEngine off
    </IfModule>
    
    <IfModule mod_ratio.c>
    Ratios off
    </IfModule>
    
    
    # Delay engine reduces impact of the so-called Timing Attack described in
    # [url]http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02[/url]
    # It is on by default. 
    <IfModule mod_delay.c>
    DelayEngine on
    </IfModule>
    
    <IfModule mod_ctrls.c>
    ControlsEngine        off
    ControlsMaxClients    2
    ControlsLog           /var/log/proftpd/controls.log
    ControlsInterval      5
    ControlsSocket        /var/run/proftpd/proftpd.sock
    </IfModule>
    
    <IfModule mod_ctrls_admin.c>
    AdminControlsEngine off
    </IfModule>
    
    #
    # Alternative authentication frameworks
    #
    #Include /etc/proftpd/ldap.conf
    #Include /etc/proftpd/sql.conf
    
    #
    # This is used for FTPS connections
    #
    Include /etc/proftpd/tls.conf
    
    # A basic anonymous configuration, no upload directories.
    
    # <Anonymous ~ftp>
    #   User				ftp
    #   Group				nogroup
    #   # We want clients to be able to login with "anonymous" as well as "ftp"
    #   UserAlias			anonymous ftp
    #   # Cosmetic changes, all files belongs to ftp user
    #   DirFakeUser	on ftp
    #   DirFakeGroup on ftp
    # 
    #   RequireValidShell		off
    # 
    #   # Limit the maximum number of anonymous logins
    #   MaxClients			10
    # 
    #   # We want 'welcome.msg' displayed at login, and '.message' displayed
    #   # in each newly chdired directory.
    #   DisplayLogin			welcome.msg
    #   DisplayFirstChdir		.message
    # 
    #   # Limit WRITE everywhere in the anonymous chroot
    #   <Directory *>
    #     <Limit WRITE>
    #       DenyAll
    #     </Limit>
    #   </Directory>
    # 
    #   # Uncomment this if you're brave.
    #   # <Directory incoming>
    #   #   # Umask 022 is a good standard umask to prevent new files and dirs
    #   #   # (second parm) from being group and world writable.
    #   #   Umask				022  022
    #   #            <Limit READ WRITE>
    #   #            DenyAll
    #   #            </Limit>
    #   #            <Limit STOR>
    #   #            AllowAll
    #   #            </Limit>
    #   # </Directory>
    # 
    # </Anonymous>
    
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Looks ok. What FTP client do you use? Are you sure you log in via FTP, or is it maybe SFTP or SCP?
     
  9. Squidge

    Squidge New Member

    I am using FileZilla, and logging using SFTP
     
  10. falko

    falko Super Moderator ISPConfig Developer

    Try FTP instead.
     
  11. Squidge

    Squidge New Member

    I have tried FTP, but i get a time out error
     
  12. falko

    falko Super Moderator ISPConfig Developer

    Did you try both active and passive transfers in your FTP client?
    Make sure that the firewall allows FTP.
    Also, are there any errors in the logs?
     

Share This Page