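#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
# Security-relevant choices are commented inline. The ones that deliberately
# trade safety for compatibility (TLSRequired off, NoSessionReuseRequired,
# CapabilitiesEngine off, AllowLogSymlinks on) are marked so they can be
# revisited when the client base / runtime allows it.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
LoadModule mod_sql.c
LoadModule mod_sql_passwd.c
LoadModule mod_sql_mysql.c
LoadModule mod_quotatab_sql.c
LoadModule mod_tls.c
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off
ServerName "%{env:PROFTPD_VISIBLE_HOSTNAME}"
ServerType standalone
DeferWelcome off
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/tls.log
# TLS 1.0 alone is deprecated (RFC 8996); offer TLS 1.2 and 1.3 only.
# Drop TLSv1.3 from the list if the installed proftpd/OpenSSL predates
# TLS 1.3 support -- proftpd then refuses to start instead of silently
# downgrading, which is the behaviour we want.
TLSProtocol TLSv1.2 TLSv1.3
# encrypt both data & command stream
#TLSRequired auth+data
# TLS is not required: plain-FTP logins are still accepted and send the
# password in clear text on the wire. Switch to "TLSRequired on" (or at
# least "auth") once every client supports FTPS.
TLSRequired off
# Full ref: http://www.proftpd.org/docs/directives/linked/config_ref_TLSRequired.html
TLSRSACertificateFile /etc/pki/ftpd.crt
TLSRSACertificateKeyFile /etc/pki/ftpd.key
# Server's EC certificate
# TLSECCertificateFile /etc/ftpd/server-ec.cert.pem
# TLSECCertificateKeyFile /etc/ftpd/server-ec.key.pem
# CA the server trusts
TLSCACertificateFile /etc/pki/ca.crt
TLSVerifyClient off
TLSRenegotiate none
# workaround for old clients bug "client did not reuse SSL session"
# disable if possible: without session reuse the TLS data connection is not
# tied to the authenticated control connection, so a third party that
# reaches the passive port first can attach to the transfer.
TLSOptions NoSessionReuseRequired
</IfModule>
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 300
TimeoutStalled 90
TimeoutIdle 450
DisplayLogin welcome.msg
DisplayChdir .message
ListOptions "-l"
DenyFilter \*.*/
UseReverseDNS off
# Close users into their home dirs
DefaultRoot ~
#DefaultRoot /
# using only virtual users, no shell required
RequireValidShell off
# disable capabilities (mod_cap). With it off the session process keeps the
# privileges mod_cap would otherwise drop after login; this is usually done
# because mod_cap cannot drop capabilities inside an unprivileged container.
# Re-enable it where the runtime permits.
CapabilitiesEngine off
# disable system users: only mod_sql may authenticate, so /etc/passwd
# accounts are never valid FTP logins
AuthOrder mod_sql.c
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts 20020 20080
# If your host is NATed, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and open the passive ports used on your firewall as well.
MasqueradeAddress %{env:PROFTPD_SHOW_ADDRESS}
MaxInstances 20
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd off
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
<IfModule mod_ident.c>
IdentLookups off
</IfModule>
<IfModule mod_sql.c>
SQLBackend mysql
SQLEngine on
# only crypted passwords
SQLAuthTypes SHA256 Crypt
SQLAuthenticate users*
# Credentials come from the environment, not from this file; keep the
# environment of the proftpd process readable by root only.
SQLConnectInfo %{env:PROFTPD_MYSQL_DB} %{env:PROFTPD_MYSQL_USER} %{env:PROFTPD_MYSQL_PASSWORD}
SQLDefaultUID %{env:PROFTPD_USER_ID}
SQLDefaultGID %{env:PROFTPD_GROUP_ID}
SQLLogFile /var/log/proftpd/sql.log
# configure tables
SQLUserInfo ftpuser username passwd NULL NULL homedir NULL
SQLGroupInfo ftpgroup groupname NULL members
# create homedirs on demand
CreateHome on
# Update count every time user logs in.
# %u is the (untrusted) login name. mod_sql passes substituted values
# through the backend's escape hook before running the query; keep the
# single quotes around '%u' -- they are what makes that escaping effective.
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE username='%u'" ftpuser
SQLLog PASS updatecount
# Update modified everytime user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE username='%u'" ftpuser
# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas off
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
## send quota messages
SQLNamedQuery gettally SELECT "ROUND((bytes_in_used/1048576),2) FROM ftpquotatallies WHERE name='%u'"
SQLNamedQuery getlimit SELECT "ROUND((bytes_in_avail/1048576),2) FROM ftpquotalimits WHERE name='%u'"
SQLNamedQuery getfree SELECT "ROUND(((ftpquotalimits.bytes_in_avail-ftpquotatallies.bytes_in_used)/1048576),2) FROM ftpquotalimits,ftpquotatallies WHERE ftpquotalimits.name = '%u' AND ftpquotatallies.name = '%u'"
SQLShowInfo LIST "226" "Used %{gettally}MB from %{getlimit}MB. You have %{getfree}MB available space."
### fake users
DirFakeUser on ~
DirFakeGroup on ftp
</IfModule>
# Logging to symlinked files is a known hazard: if the log directory is
# writable by a less privileged user, a symlink there lets the root-owned
# logger write into another file. It is left on only because container
# images commonly symlink these paths to /dev/stdout; set it off when the
# log files are regular files.
AllowLogSymlinks on
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
# NOTE: the distribution template ends with "<IfModule mod_tls.c> TLSEngine
# off" and "QuotaEngine off" blocks. When a directive is repeated in the same
# context the last occurrence takes effect, so a trailing "TLSEngine off"
# silently disabled the whole TLS setup above. Those blocks have been
# removed; keep TLSEngine/QuotaEngine only in the sections above.
<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
# vim: syntax=apache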