Thursday, October 14, 2010

Setting up an FTP server on Linux Debian 5

A simple and very popular FTP server is proftpd-basic. This article covers how to install it, create a user who has access only via FTP, and give that user access to a desired directory such as /var/www. Although this might work on other Linux distributions such as Red Hat, Ubuntu and SUSE, the instructions were tested on Debian 5 Lenny.

Install proftpd

Install the proftpd package

To install it on your Debian 5 server, run the following command from the command line:
sudo apt-get install proftpd-basic

Error: Couldn't find package

If you run into this error message:
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package proftpd-basic
Make sure your sources.list file contains all the necessary source locations.
The sources.list can be found in Debian 5 at /etc/apt/sources.list.

Here are the entries my sources.list contains:
## main & security repositories
deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free

Here is a great source list creator tool to fix or update your sources.list in case you don't have the original one anymore.

Important!
After saving any changes to sources.list, run:
apt-get update
to update the package list. Then run the install command again.

Run as standalone

Once the proftpd installation has started successfully, you are asked whether you want to run the FTP server under inetd or standalone. Select standalone, which seems to cause the fewest problems in getting the FTP server running. You can change this setting later under ServerType in the proftpd.conf file mentioned below.



Create a virtual FTP user and give him access to /var/www

Create a folder for the virtual user

sudo mkdir -p /home/webadmin

Set proftpd user as owner of folder

The default proftpd user is named proftpd, unless you changed it. Make this user the owner of the folder:
sudo chown -R proftpd:nogroup /home/webadmin

Get user proftpd's uid and gid

sudo grep ftp /etc/passwd
Looks like:
proftpd:x:106:65534::/var/run/proftpd:/bin/false

Create the virtual FTP user

sudo ftpasswd --passwd --name=webadmin --uid=106 --gid=65534 --home=/home/webadmin --shell=/bin/false --file=/etc/proftpd/passwd
Response in the CLI:
ftpasswd: using alternate file: /etc/proftpd/passwd
ftpasswd: creating passwd entry for user webadmin

ftpasswd: /bin/false is not among the valid system shells.  Use of
ftpasswd: "RequireValidShell off" may be required, and the PAM
ftpasswd: module configuration may need to be adjusted.

Password:
Re-type password:
After the password was re-typed it says:
ftpasswd: entry created

Install PAM

Then I installed PAM but I am not sure if this is really necessary:
apt-get install libpam-pwdfile

Setup the config file

Now we have to change the proftpd config file:
nano /etc/proftpd/proftpd.conf
The following should be in the file:
DefaultRoot                  ~
RequireValidShell            off
AuthUserFile                 /etc/proftpd/passwd

# VALID LOGINS
<Limit LOGIN>
   AllowUser webadmin
   DenyALL
</Limit>

<Directory /home/webadmin>
   <Limit ALL>
      DenyAll
   </Limit>
   <Limit DIRS READ WRITE>
      AllowUser webadmin
   </Limit>
</Directory>

Don't forget to restart the proftpd daemon

/etc/init.d/proftpd restart
If you didn't change anything that was in there after the fresh install, this should be sufficient.
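
As an added example (not part of the original post), the following shell script checks a proftpd.conf and an ftpasswd file for the settings used above: the DefaultRoot jail, RequireValidShell off, AuthUserFile, and a <Limit LOGIN> block that contains DenyAll. The function names are hypothetical, and treating uid 0 or any shell other than /bin/false as a finding is an assumption taken from the ftpasswd options in this article.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# audit_proftpd_conf FILE: one line per finding, exit status 1 if any.
audit_proftpd_conf() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        { key = tolower($1); line = tolower($0) }    # compare names case-insensitively
        key == "defaultroot" && $2 == "~"                  { jail = 1 }
        key == "requirevalidshell" && tolower($2) == "off" { noshell = 1 }
        key == "authuserfile" && $2 != ""                  { authfile = 1 }
        line ~ /<limit[ \t]+login[ \t]*>/ { in_login = 1; seen = 1; next }
        line ~ /<\/limit>/                { in_login = 0; next }
        in_login && key == "allowuser"    { allow = 1 }
        in_login && key == "denyall"      { deny = 1 }
        END {
            if (!jail)     { print "FAIL DefaultRoot is not ~ (users are not jailed to their home)"; bad = 1 }
            if (!noshell)  { print "FAIL RequireValidShell is not off (/bin/false users may be rejected)"; bad = 1 }
            if (!authfile) { print "FAIL AuthUserFile is not set"; bad = 1 }
            if (!deny)     { print "FAIL <Limit LOGIN> has no DenyAll (logins are not restricted to AllowUser)"; bad = 1 }
            if (seen && !allow) { print "FAIL <Limit LOGIN> names no AllowUser"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# audit_ftp_users FILE: check an ftpasswd file (name:hash:uid:gid:gecos:home:shell)
# against the options used in the article: non-root uid, shell /bin/false.
audit_ftp_users() {
    awk -F: '
        NF < 7             { next }                  # skip blank or malformed lines
        $3 == 0            { print "FAIL " $1 " maps to uid 0"; bad = 1 }
        $7 != "/bin/false" { print "FAIL " $1 " has shell " $7; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Usage: sh SCRIPT /etc/proftpd/proftpd.conf /etc/proftpd/passwd
if [ "$#" -eq 2 ]; then
    rc=0
    audit_proftpd_conf "$1" || rc=1
    audit_ftp_users "$2" || rc=1
    exit "$rc"
fi
```

Run it after every edit to proftpd.conf and before restarting the daemon; no output and exit status 0 mean all checks passed.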

Give the FTP user access to /var/www directory

If you want to give this user access to another directory, such as /var/www, where the websites of the Apache2 server are normally located, you can mount that folder inside the /home/webadmin folder.

These are the steps.
Create a new folder:
mkdir /home/webadmin/www
Mount the desired folder to the new folder:
sudo mount --bind -r /var/www /home/webadmin/www
Now you can log in to the FTP server from any client computer by using an FTP client such as FileZilla.

Restrict access to read-only instead of read and write

With this setup a user has read and write access to anything under /home/webadmin. To give only read permission, you could change the setting in the config file to:

<Directory /home/webadmin>
   <Limit ALL>
      DenyAll
   </Limit>
   <Limit DIRS READ>
      AllowUser webadmin
   </Limit>
</Directory>

1 comments:

Colin Asquith said...

Hey- thanks so much for this, I have just started to get back to Linux, and everything seems great, but proftpd was defeating me! Followed your advice and everything is working peachy now!

cheers
Colin
