
Installing and configuring a ProFTPD FTP server

In this article I will walk through installing and configuring the ProFTPD FTP server. There are other FTP servers, such as Pure-FTPd.

Prerequisites:

– Some networking knowledge
– Some knowledge of managing user permissions

Install ProFTPD:

Open a console and run apt-get install, which installs a package:

[code]apt-get install proftpd[/code]

When prompted for the run mode, choose standalone (the "Indépendamment" option in the French dialog) and click OK.


Once the proftpd package is installed, go to the /etc/proftpd directory:

[code]cd /etc/proftpd[/code]

Then open it with Midnight Commander:

[code]mc[/code]

In mc, the ProFTPD configuration file is proftpd.conf.

Open proftpd.conf; here is its content:

[code]

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off

ServerName "Debian"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"

DenyFilter \*.*/

# Use this to jail all users in their homes
# DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off

# Port 21 is the standard FTP port.
Port 21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User proftpd
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

# Include other custom configuration files
Include /etc/proftpd/conf.d/

[/code]

I modified the file to translate it into French as much as possible.

[code]
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.

# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Includes DSO modules
# Makes it possible to include additional modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
# IP version 6 addressing
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
# Improves performance
IdentLookups off
UseReverseDNS off
#
# Gives your server a name
# Lets you redefine the name of your server
ServerName "cla"
#
# Lets you change the server's start-up mode:
# ServerType standalone (started together with the machine)
# or inetd (started on demand by the xinetd daemon)
ServerType standalone
#
# Gives no information about the server software in use
DeferWelcome off

# Remove the # in front of the line to uncomment it if you want to use quotas
#Quotas on
#AllowUser test2
#
# Allows resuming downloads and uploads
# Allows resuming a file transfer to the server after an interruption
AllowStoreRestart on
AllowRetrieveRestart on
#
# Extends the control channel so that some replies can be received on several lines
MultilineRFC2228 on
DefaultServer on
#
# Show symbolic links
ShowSymlinks off
#
# Maximum idle time before disconnecting = 10 min
TimeoutNoTransfer 600
# Maximum time without receiving data on the data channel = 10 min
TimeoutStalled 600
# Maximum time without receiving data on either the data or the control channel = 20 min
TimeoutIdle 1200
#
# Display a message when a client connects
DisplayLogin welcome.msg
#
# Display a message when a client changes directory
DisplayChdir .message true
#
# Display one file per line when listing directory contents
ListOptions "-l"

DenyFilter \*.*/

# Use this to jail all users in their homes
# Confines users to their directory; change the line below
#DefaultRoot ~
DefaultRoot /var/www/cla

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# Lets you create FTP users without necessarily giving them shell access
# RequireValidShell off
RequireValidShell off

# Port 21 is the standard FTP port.
Port 210

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# Lets you specify the range of passive ports ProFTPD will use
# to reply to clients; change the line below
# PassivePorts 49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
#
# Limits the number of instances, to avoid DoS attacks
MaxInstances 2

# Set the user and group that the server normally runs at.
# Defines the identity under which the server runs
User proftpd
Group www-data

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
# Prevents newly created files or directories from being writable by everyone
Umask 022 022
# Normally, we want files to be overwriteable.
# Allows replacing old files with new ones
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# Keeps the password available for the whole of a chrooted session
# PersistentPasswd off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# Lets you disable a function that optimises sending files to the client
# UseSendFile off
#
# Logging management
ControlsLog /var/log/proftpd/controls.log
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
#

# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf
#------------------------------------------------------------
# ANONYMOUS DIRECTIVES => OPTIONAL
#------------------------------------------------------------
# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# <Anonymous /var/www/>
# User ftp
# Group www-data
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 2
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

# Include other custom configuration files
Include /etc/proftpd/conf.d/
#
# Put the welcome messages into French
AccessGrantMsg "-- Accès autorisé pour %u --"
AccessDenyMsg "!-!! ACCÈS REFUSÉ !!-! VOUS NE SEMBLEZ PAS Y ÊTRE AUTORISÉS !!"
#
#
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
[/code]

Once you have understood the proftpd.conf file and made your changes, move on to the following steps.
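Several of the directives above are security controls (DefaultRoot jails users, MaxInstances caps concurrent processes but only in standalone mode, the commented tls.conf include is what turns on FTPS, the Umask decides whether uploaded files end up group- or world-writable). The script below is an added example, not part of this article or of the ProFTPD project: it parses a proftpd.conf into directives (tracking <IfModule>/<Anonymous>/<Limit> sections and skipping comments) and reports those settings. The two embedded configurations are constructed: one abridged from the modified file above, one deliberately weak so every check fires.

```python
"""Audit a proftpd.conf for security-relevant settings.

Added example for this article; not part of the post or of ProFTPD. The
parser only does what the audit needs: blank/comment lines are skipped,
<Section ...>/</Section> tags are tracked so nested directives are
attributed to their section, and names are compared case-insensitively.
"""
import re
from typing import List, Tuple

# (section path, lower-cased directive name, argument with surrounding quotes removed)
Directive = Tuple[str, str, str]

_SECTION_RE = re.compile(r"^<(/?)([A-Za-z]+)(?:\s+([^>]*))?>$")

# Constructed sample, abridged from the article's modified proftpd.conf
SAMPLE_CONF = """
ServerName "cla"
ServerType standalone
# DefaultRoot ~
DefaultRoot /var/www/cla
RequireValidShell off
Port 210
# PassivePorts 49152 65534
MaxInstances 2
Umask 022 022
#Include /etc/proftpd/tls.conf
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
# <Anonymous ~ftp>
# </Anonymous>
"""

# Constructed weak configuration so the remaining checks are exercised
WEAK_CONF = """
ServerType inetd
MaxInstances 30
MasqueradeAddress 192.0.2.10
Umask 002 002
<Anonymous /srv/ftp>
User ftp
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
"""


def parse_conf(text: str) -> List[Directive]:
    """Flatten a proftpd.conf into (section path, name, argument) triples.

    A section opening is also recorded as a pseudo-directive named "<name>",
    so the audit can ask whether an <Anonymous> block is active at all.
    """
    stack: List[str] = []
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            closing, name, arg = m.groups()
            if closing:
                if stack and stack[-1].split(" ", 1)[0].lower() == name.lower():
                    stack.pop()
            else:
                out.append(("/".join(stack), f"<{name.lower()}>", (arg or "").strip()))
                stack.append(f"{name} {arg.strip()}" if arg else name)
            continue
        parts = line.split(None, 1)
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        out.append(("/".join(stack), parts[0].lower(), arg))
    return out


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for a configuration text."""
    dirs = parse_conf(text)

    def top(name: str) -> List[str]:
        # Arguments of a directive at the top level (outside any section)
        return [a for sec, n, a in dirs if sec == "" and n == name]

    findings: List[Tuple[str, str]] = []
    if not top("defaultroot"):
        findings.append(("NO_CHROOT", "no active DefaultRoot: users are not jailed in their home"))
    tls_active = any(n == "tlsengine" and a.lower() == "on" for _, n, a in dirs) or any(
        n == "include" and a.endswith("tls.conf") for _, n, a in dirs)
    if not tls_active:
        findings.append(("NO_TLS", "mod_tls not enabled: passwords and data travel in clear text"))
    if top("<anonymous>"):
        findings.append(("ANON_ENABLED", "an <Anonymous> section is active: check WRITE is denied inside it"))
    if any(a.lower() == "inetd" for a in top("servertype")) and top("maxinstances"):
        findings.append(("MAXINSTANCES_IGNORED", "MaxInstances only applies in standalone mode"))
    if top("masqueradeaddress") and not top("passiveports"):
        findings.append(("NO_PASSIVE_RANGE", "MasqueradeAddress without PassivePorts: data ports cannot be firewalled"))
    for arg in top("umask"):
        if int(arg.split()[0], 8) & 0o022 != 0o022:
            findings.append(("WEAK_UMASK", f"Umask {arg}: new files may be group- or world-writable"))
    return findings


if __name__ == "__main__":
    for label, conf in (("article-style config", SAMPLE_CONF), ("weak config", WEAK_CONF)):
        print(f"== {label}")
        for code, why in audit(conf):
            print(f"  {code}: {why}")
```

Run against the article-style configuration the only finding is NO_TLS, because the tls.conf include is still commented out; the weak configuration triggers every other check. The parser deliberately treats `Include` lines as opaque, so a directive that lives in an included file has to be audited in that file.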

Create the virtual directory

To avoid creating a system user, we declare that the user will be virtual by adding /bin/false to the list of valid shells:

[code]echo /bin/false >> /etc/shells[/code]

All that remains is to create the virtual users.

Create the virtual users

To create virtual users, open a console and use the ftpasswd command:

[code]ftpasswd --passwd --name=testftp --uid=33 --gid=33 --home=/var/www/nomdusite --shell=/bin/false[/code]

Here the user will land directly in the /var/www/nomdusite directory.

name: the user name (login)
uid:
gid: puts the user in the www-data group
shell=/bin/false: no system directory is created for this user.

It will then ask you to enter a password twice.

Create the virtual groups

[code]ftpasswd --group --name=www-data --gid=22 --member=testftp[/code]
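The two ftpasswd commands above write /etc/proftpd/ftpd.passwd and /etc/proftpd/ftpd.group, the files named by AuthUserFile and AuthGroupFile in the configuration. As an added example (not from the article or from the ProFTPD project), the checker below parses both files in their /etc/passwd and /etc/group layout and flags the entries a reviewer would want to see: a uid or gid of 0, an empty password field, a home outside an assumed /var/www/ prefix, a shell that allows interactive login, a group member that does not exist, and a user whose primary gid has no entry in the group file, which is what results when the --gid passed to ftpasswd --passwd differs from the --gid passed to ftpasswd --group. The sample files and their hashes are constructed placeholders.

```python
"""Consistency checks for the AuthUserFile / AuthGroupFile written by ftpasswd.

Added example for this article, not part of the post or of ProFTPD.
Assumed layouts (the same as /etc/passwd and /etc/group):
  user line : name:hash:uid:gid:gecos:home:shell
  group line: name:hash:gid:member1,member2
"""
from dataclasses import dataclass
from typing import List, Tuple

ALLOWED_HOME_PREFIX = "/var/www/"        # assumption: FTP homes live under the web root
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin"}

# Constructed sample files; the hashes are placeholders, not real crypt output.
# testftp reproduces the uid/gid used by the ftpasswd commands in the article.
PASSWD_FILE = """\
testftp:$1$constructed$placeholder:33:33::/var/www/nomdusite:/bin/false
admin:$1$constructed$placeholder:0:0::/:/bin/bash
nopass::1001:33::/var/www/other:/bin/false
"""
GROUP_FILE = """\
www-data:x:22:testftp,ghost
"""


@dataclass
class FtpUser:
    name: str
    pw_hash: str
    uid: int
    gid: int
    home: str
    shell: str


@dataclass
class FtpGroup:
    name: str
    gid: int
    members: List[str]


def _records(text: str, nfields: int) -> List[List[str]]:
    """Split colon-separated lines, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        rows.append(fields)
    return rows


def parse_passwd(text: str) -> List[FtpUser]:
    return [FtpUser(f[0], f[1], int(f[2]), int(f[3]), f[5], f[6]) for f in _records(text, 7)]


def parse_group(text: str) -> List[FtpGroup]:
    return [FtpGroup(f[0], int(f[2]), [m for m in f[3].split(",") if m]) for f in _records(text, 4)]


Finding = Tuple[str, str, str]  # (entry name, code, explanation)


def audit(passwd_text: str, group_text: str) -> List[Finding]:
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    known_gids = {g.gid for g in groups}
    known_users = {u.name for u in users}
    out: List[Finding] = []
    for u in users:
        if u.uid == 0 or u.gid == 0:
            out.append((u.name, "ROOT_IDENTITY", "uid/gid 0 maps the FTP session to root"))
        if not u.pw_hash:
            out.append((u.name, "EMPTY_PASSWORD", "empty hash field"))
        if not u.home.startswith(ALLOWED_HOME_PREFIX):
            out.append((u.name, "HOME_OUTSIDE", f"home {u.home} is outside {ALLOWED_HOME_PREFIX}"))
        if u.shell not in NOLOGIN_SHELLS:
            out.append((u.name, "LOGIN_SHELL", f"shell {u.shell} permits an interactive login"))
        if u.gid not in known_gids:
            out.append((u.name, "GID_WITHOUT_GROUP", f"primary gid {u.gid} has no entry in the group file"))
    for g in groups:
        for m in g.members:
            if m not in known_users:
                out.append((g.name, "UNKNOWN_MEMBER", f"member {m} is not in the user file"))
    return out


if __name__ == "__main__":
    for name, code, why in audit(PASSWD_FILE, GROUP_FILE):
        print(f"{name}: {code} ({why})")
```

On the sample data the testftp entry passes every check except GID_WITHOUT_GROUP, because its gid 33 is not the gid 22 given to the group; the admin and nopass entries show the kinds of lines that should never reach a production AuthUserFile.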

Restart the server:

[code]service proftpd restart[/code]

You should normally see a message like:

[….] Starting ftp server: proftpdosn proftpd[12498]: mod_tls_memcache/0.1: notice: unable to register ‘memcache’ SSL session cache: Memcache support not enabled
. ok

To get rid of this message, open /etc/proftpd/modules.conf and, near the end of the file, comment out the mod_tls_memcache line by putting a # in front of it.

Restart the server:

[code]service proftpd restart[/code]

Managing permissions on the /var/www/ directory

For permission management, I use apache-mpm-itk.

Install it:

[code]apt-get install apache2-mpm-itk[/code]

Go to /etc/apache2/sites-available/default and insert:

[code]
<IfModule mpm_itk_module>
AssignUserId testftp www-data
</IfModule>
[/code]

Restart the Apache server:

[code]service apache2 restart[/code]

Acknowledgements:

http://www.proftpd.org

doc.ubuntu-fr.org/proftpd