Chapter 10. FTP server (ProFTPd)

Most systems I have seen use an almost totally open FTP server. I feel comfortable with the ProFTPd server, so that is what will be installed.

10.1. Installing ProFTPd

As with everything Debian, we add packages to the system:


apt-get install proftpd-ldap

And that should be it...

10.2. Configuring ProFTPd

I don't need much in the way of configuration. I want my www-users to be restricted to their home directories, and I need to be able to authenticate against an LDAP database.

Limiting users to their home directory is done on a per-group basis: if a user is a member of a specific group, they are confined to their home directory.

Whenever I add a user who only needs access for www-uploads and the like, I simply add them to the www-users group, and that group is the one that gets limited.

The limiting is done by adding the following line in /etc/proftpd.conf:


DefaultRoot ~ www-users

Users in the www-users group are now limited to their home directory.
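The following added example (illustration code written for this chapter, not part of ProFTPd) models how a DefaultRoot line decides where a session is chrooted: the directive takes a path and an optional group expression, the expression is a comma-separated AND of group names where a leading "!" negates a name, and "~" stands for the user's home directory. It assumes the first matching directive wins and uses a constructed configuration and constructed users; the point it makes visible is that a user who is not in www-users gets no chroot at all.

```python
"""Added example: how ProFTPd's DefaultRoot group expressions pick the chroot.

Illustration only, not ProFTPd code.  Models 'DefaultRoot path [group-expr]'
(comma-separated AND of groups, leading '!' negates) and assumes the first
matching directive wins.
"""

# Constructed sample of the relevant proftpd.conf lines (not a real server's file).
SAMPLE_CONF = """
# staging uploaders share one tree
DefaultRoot /srv/www/staging ftp-staging
# ordinary web users are locked into their home, except the ftp-admins
DefaultRoot ~ www-users,!ftp-admins
"""


def parse_group_expr(expr):
    """'www-users,!ftp-admins' -> [('www-users', True), ('ftp-admins', False)]."""
    terms = []
    for token in expr.split(","):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            terms.append((token[1:], False))
        else:
            terms.append((token, True))
    return terms


def group_expr_matches(expr, groups):
    """All terms must hold (logical AND): present for plain names, absent for '!' names."""
    return all((name in groups) == wanted for name, wanted in parse_group_expr(expr))


def default_root_directives(conf_text):
    """Yield (path, group_expression_or_None) for every DefaultRoot line, in file order."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0] == "DefaultRoot":
            yield parts[1], (parts[2].strip() if len(parts) == 3 else None)


def resolve_default_root(conf_text, home, groups):
    """Return the directory the session is chrooted to, or None if no directive applies.

    None is the security-relevant outcome: the user is not confined and can browse
    whatever the filesystem permissions let them read.
    """
    groups = set(groups)
    for path, expr in default_root_directives(conf_text):
        if expr is None or group_expr_matches(expr, groups):
            # '~' is ProFTPd's shorthand for the authenticated user's home directory.
            return home + path[1:] if path.startswith("~") else path
    return None


if __name__ == "__main__":
    # Constructed users and group memberships.
    cases = [
        ("alice", "/home/alice", {"www-users"}),
        ("bob", "/home/bob", {"www-users", "ftp-admins"}),
        ("carol", "/home/carol", {"staff"}),
        ("dave", "/home/dave", {"ftp-staging"}),
    ]
    for user, home, groups in cases:
        root = resolve_default_root(SAMPLE_CONF, home, groups)
        print(f"{user:6} groups={sorted(groups)} -> chroot={root or 'NONE (unconfined)'}")
```

Running it shows alice confined to /home/alice, dave to /srv/www/staging, and bob and carol unconfined; the last two are the cases to check for after every change to the group memberships, because a user accidentally left out of www-users is not chrooted.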

To get ProFTPd to actually look for groups in LDAP, we also need to add the following:


LDAPServer "localhost:389"
# LDAPDNInfo takes the bind DN and its password; <bind-password> is a placeholder
# for the real value. This file now holds a credential, so keep it readable by root only.
LDAPDNInfo "cn=admin,dc=abode,dc=dk" "<bind-password>"
LDAPDoAuth on "dc=abode,dc=dk"

To enable ProFTPd to authenticate against an LDAP database, the above is not quite enough. You also need to edit ProFTPd's PAM configuration file (/etc/pam.d/proftpd) and add the lines


# Try LDAP first; success here ends the auth stack with a pass.
auth		sufficient	pam_ldap.so
# Fall back to the local password database; try_first_pass reuses the password already typed.
auth		required	pam_unix.so nullok try_first_pass
account		sufficient	pam_ldap.so
session		sufficient	pam_ldap.so

I have added the "try_first_pass" option to the pam_unix.so line so that users do not have to enter their password a second time if the LDAP authentication fails.
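To see what those four lines actually admit, here is an added example (not PAM or ProFTPd code) that models the Linux-PAM control flags and walks the stack above, embedded as constructed input, for the three service types an FTP login passes through. The outcome worth noticing is the local-only user: the auth stack lets them through via pam_unix.so, but the account and session stacks contain nothing but a "sufficient" pam_ldap.so, and a stack that ends without a decision is a denial.

```python
"""Added example: a small model of how Linux-PAM evaluates the proftpd stack.

Illustration only.  Implements required / requisite / sufficient / optional
closely enough to show which users each service type lets through.
"""

# The lines from /etc/pam.d/proftpd, embedded here as constructed input.
PAM_PROFTPD = """
auth      sufficient  pam_ldap.so
auth      required    pam_unix.so nullok try_first_pass
account   sufficient  pam_ldap.so
session   sufficient  pam_ldap.so
"""


def parse_pam(text):
    """Return a list of (service_type, control, module, args) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service_type, control, module, *args = line.split()
        entries.append((service_type, control, module, args))
    return entries


def module_args(entries, service_type, module):
    """Options given to a module in one service type, or None if it is not listed."""
    for t, _control, m, args in entries:
        if t == service_type and m == module:
            return args
    return None


def run_stack(entries, service_type, results):
    """Evaluate one service type; results maps module name -> True (pass) / False (fail).

    Mirrors Linux-PAM: a failed 'required' taints the result but the walk continues,
    a failed 'requisite' aborts at once, a passing 'sufficient' returns success unless
    an earlier 'required' already failed, a failing 'sufficient' is ignored, and a
    stack that finishes with no decision is a denial.
    """
    impression = None  # None = undecided, True = pass, False = tainted by a failure
    for t, control, module, _args in entries:
        if t != service_type:
            continue
        ok = results.get(module, False)  # a module with no entry is treated as failing
        if control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False
        elif control == "requisite":
            if not ok:
                return False
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return impression is True


def proftpd_login_allowed(entries, ldap_ok, unix_ok):
    """An FTP login needs the auth, account and session stacks to all succeed."""
    results = {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok}
    return all(run_stack(entries, t, results) for t in ("auth", "account", "session"))


if __name__ == "__main__":
    stack = parse_pam(PAM_PROFTPD)
    print("pam_unix.so auth options:", module_args(stack, "auth", "pam_unix.so"))
    for label, ldap_ok, unix_ok in [
        ("LDAP user, correct password", True, False),
        ("local-only user, correct Unix password", False, True),
        ("unknown user or wrong password", False, False),
    ]:
        verdict = "allowed" if proftpd_login_allowed(stack, ldap_ok, unix_ok) else "denied"
        print(f"{label}: login {verdict}")
```

With the stack exactly as written above, the model reports the LDAP user allowed and both the local-only user and the wrong-password case denied. If local Unix accounts are meant to keep working over FTP, the account and session stacks need a pam_unix.so line of their own, in the same way the auth stack already has one.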

10.3. Opening the firewall

We have already opened the FTP port in the firewall if you have used the script provided here. If that is not the case, you need to add the FTP port (21) to the list of ports to be opened.