====== Install software ======
Install ProFTPd:
sudo apt-get install proftpd-mysql
You can find ProFTPd Administrator here: http://sourceforge.net/projects/proftpd-adm/
I assume you already has a MySQL server installed.
====== proFTPd Administrator ======
===== Setup Apache =====
Make the following site by creating the file proftpd in /etc/apache2/sites-available.
Listen 666
DocumentRoot "/var/www/proftpd_admin"
ServerName localhost:666
ServerAdmin you@example.com
ErrorLog /var/log/apache2/proftpd_error_log
TransferLog /var/log/apache2/proftpd_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
SSLOptions +StdEnvVars
SSLRequireSSL
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache2/pureftpd_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
AllowOverride AuthConfig
Order deny,allow
Allow from all
Now extract proftpd administrator into this directory.
Word of caution! This virtual host is not restricted in any way so anyone with access to port 666/tcp on your server can configure the ftp server.
Alternatively you can protect it with username/password. See howto [[indexes:digest_authentication|here]]
===== Setup MySQL =====
Inside /var/www/proftpd_admin/misc/database_structure_mysql you will find the files creating the database structure. Go inside db_structure.sql and edit the last three lines where the user proftpd is created and granted rights on the database:
...
...
GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY 'abc123';
Next import the files by running these commands:
mysql -uroot -p < db_structure.sql
mysql -uroot -p < powerdns.sql
mysql -uroot -p < upgrade_to_v0.9.sql
mysql -uroot -p < vhosts.sql
Now you should have a database called proftpd_admin with a lot of tables in it.
===== Setup file structure =====
Out of the box proftpd administrator uses /ftp as the root of the ftp users. I like to keep it in /var/ftp. Make sure you have this folder.
===== ProFTPd config =====
Inside the folder /var/www/proftpd_admin/misc/sample_config you will find two files. Copy the file called proftpd_quota.conf to /etc/proftpd and call it proftpd.conf.
Insert in the first line:
Include /etc/proftpd/modules.conf
Otherwise you will not be loading the needed modules for sql authentication.
Also this part of the config:
...
...
AllowOverwrite off
HideNoAccess off
AllowAll
DenyGroup !admins
AllowOverwrite on
HideNoAccess on
DenyGroup !admins
AllowAll
As I like to use /var/ftp instead it should look like this:
AllowOverwrite off
HideNoAccess off
AllowAll
DenyGroup !admins
AllowOverwrite on
HideNoAccess on
DenyGroup !admins
AllowAll
If you want to give access to all users, and not just the ones member of the admins group, simply remove the directory statements.
===== Create/Delete user script =====
You can get proftpd administrator to run some scripts when you create or delete a user. This has some limitations as the script is run with the same credentials as the webserver user.
To get around this in a somewhat acceptable way we can utilize sudo. Append this to the sudoers file:
# Cmnd alias specification
Cmnd_Alias CREATE_USER = /var/www/proftpd_admin/misc/user_script/create_user.sh
Cmnd_Alias DELETE_USER = /var/www/proftpd_admin/misc/user_script/delete_user.sh
# User privilege specification
www-data ALL=(ALL) NOPASSWD: CREATE_USER
www-data ALL=(ALL) NOPASSWD: DELETE_USER
What this does is to allow the two scripts create_user.sh and delete_user.sh to be run as root by the webserver.
It works and it is a compromise and I don't like it!
===== Setup TLS/SSL =====
To get ftp working with tls/ssl we first need to make a certificate. It sounds scary, it's not.
All you have to do is run one command and include a conf file to proftpd.conf.
Use this oneliner to make the certificate:
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout /etc/proftpd/proftpd.key -nodes -out /etc/proftpd/proftpd.crt
Fill out the questions but pay attention to the Common Name, it should be the DNS name of your ftp server.
Next make a file called tls.conf in /etc/proftpd:
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
#
# Server's certificate
#
TLSRSACertificateFile /etc/proftpd/proftpd.crt
TLSRSACertificateKeyFile /etc/proftpd/proftpd.key
#
# CA the server trusts
#TLSCACertificateFile /etc/ssl/certs/CA.pem
# or avoid CA cert
TLSOptions NoCertRequest
#
# Authenticate clients that want to use FTP over TLS?
#
TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate required off
Insert the statement:
Include /etc/proftpd/tls.conf
at the top of your proftpd.conf file.
Restart proftpd and you should be able to connect securely with a tls/ssl enabled ftp client.