Install ProFTPd:
sudo apt-get install proftpd-mysql
You can find ProFTPd Administrator here: http://sourceforge.net/projects/proftpd-adm/
I assume you already has a MySQL server installed.
Make the following site by creating the file proftpd in /etc/apache2/sites-available.
Listen 666 <VirtualHost *:666> DocumentRoot "/var/www/proftpd_admin" ServerName localhost:666 ServerAdmin you@example.com ErrorLog /var/log/apache2/proftpd_error_log TransferLog /var/log/apache2/proftpd_access_log SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl.crt/server.crt SSLCertificateKeyFile /etc/apache2/ssl.key/server.key <Directory "/var/www/proftpd_admin"> SSLOptions +StdEnvVars SSLRequireSSL </Directory> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog /var/log/apache2/pureftpd_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" <Directory /var/www/proftpd_admin> AllowOverride AuthConfig Order deny,allow Allow from all </Directory> </VirtualHost>
Now extract proftpd administrator into this directory.
Word of caution! This virtual host is not restricted in any way so anyone with access to port 666/tcp on your server can configure the ftp server. Alternatively you can protect it with username/password. See howto here
Inside /var/www/proftpd_admin/misc/database_structure_mysql you will find the files creating the database structure. Go inside db_structure.sql and edit the last three lines where the user proftpd is created and granted rights on the database:
... ... GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY 'abc123'; GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY 'abc123'; GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY 'abc123';
Next import the files by running these commands:
mysql -uroot -p < db_structure.sql mysql -uroot -p < powerdns.sql mysql -uroot -p < upgrade_to_v0.9.sql mysql -uroot -p < vhosts.sql
Now you should have a database called proftpd_admin with a lot of tables in it.
Out of the box proftpd administrator uses /ftp as the root of the ftp users. I like to keep it in /var/ftp. Make sure you have this folder.
Inside the folder /var/www/proftpd_admin/misc/sample_config you will find two files. Copy the file called proftpd_quota.conf to /etc/proftpd and call it proftpd.conf.
Insert in the first line:
Include /etc/proftpd/modules.conf
Otherwise you will not be loading the needed modules for sql authentication.
Also this part of the config:
... ... <Directory /ftp/*> AllowOverwrite off HideNoAccess off <Limit READ> AllowAll </Limit> <Limit WRITE> DenyGroup !admins </Limit> </Directory> <Directory /ftp/incoming/*> AllowOverwrite on HideNoAccess on <Limit READ> DenyGroup !admins </Limit> <Limit STOR MKD> AllowAll </Limit> </Directory>
As I like to use /var/ftp instead it should look like this:
<Directory /var/ftp/*> AllowOverwrite off HideNoAccess off <Limit READ> AllowAll </Limit> <Limit WRITE> DenyGroup !admins </Limit> </Directory> <Directory /var/ftp/incoming/*> AllowOverwrite on HideNoAccess on <Limit READ> DenyGroup !admins </Limit> <Limit STOR MKD> AllowAll </Limit> </Directory>
If you want to give access to all users, and not just the ones member of the admins group, simply remove the directory statements.
You can get proftpd administrator to run some scripts when you create or delete a user. This has some limitations as the script is run with the same credentials as the webserver user.
To get around this in a somewhat acceptable way we can utilize sudo. Append this to the sudoers file:
# Cmnd alias specification Cmnd_Alias CREATE_USER = /var/www/proftpd_admin/misc/user_script/create_user.sh Cmnd_Alias DELETE_USER = /var/www/proftpd_admin/misc/user_script/delete_user.sh # User privilege specification www-data ALL=(ALL) NOPASSWD: CREATE_USER www-data ALL=(ALL) NOPASSWD: DELETE_USER
What this does is to allow the two scripts create_user.sh and delete_user.sh to be run as root by the webserver.
It works and it is a compromise and I don't like it!
To get ftp working with tls/ssl we first need to make a certificate. It sounds scary, it's not.
All you have to do is run one command and include a conf file to proftpd.conf.
Use this oneliner to make the certificate:
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout /etc/proftpd/proftpd.key -nodes -out /etc/proftpd/proftpd.crt
Fill out the questions but pay attention to the Common Name, it should be the DNS name of your ftp server.
Next make a file called tls.conf in /etc/proftpd:
<IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol SSLv23 # # Server's certificate # TLSRSACertificateFile /etc/proftpd/proftpd.crt TLSRSACertificateKeyFile /etc/proftpd/proftpd.key # # CA the server trusts #TLSCACertificateFile /etc/ssl/certs/CA.pem # or avoid CA cert TLSOptions NoCertRequest # # Authenticate clients that want to use FTP over TLS? # TLSVerifyClient off # # Are clients required to use FTP over TLS when talking to this server? # TLSRequired off # # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotations. Some clients do not support # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these # clients will close the data connection, or there will be a timeout # on an idle data connection. # #TLSRenegotiate required off </IfModule>
Insert the statement:
Include /etc/proftpd/tls.conf
at the top of your proftpd.conf file.
Restart proftpd and you should be able to connect securely with a tls/ssl enabled ftp client.