Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # This is the ProFTPD configuration file
- #
- # See: http://www.proftpd.org/docs/directives/linked/by-name.html
- # Server Config - config used for anything outside a <VirtualHost> or <Global> context
- # See: http://www.proftpd.org/docs/howto/Vhost.html
- ServerName "My Server"
- ServerIdent on "Welcome to My FTP."
- ServerAdmin [email protected]
- DefaultServer on
- ServerType standalone
- # Cause every FTP user except adm to be chrooted into their home directory
- # Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
- # work at session-end time (http://bugzilla.redhat.com/477120)
- VRootEngine on
- DefaultRoot /srv/protected
- VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
- # Use pam to authenticate (default) and be authoritative
- AuthPAMConfig proftpd
- AuthOrder mod_auth_pam.c* mod_auth_unix.c
- # If you use NIS/YP/LDAP you may need to disable PersistentPasswd
- #PersistentPasswd off
- # Don't do reverse DNS lookups (hangs on DNS problems)
- UseReverseDNS off
- # Set the user and group that the server runs as
- User apache
- Group apache
- # To prevent DoS attacks, set the maximum number of child processes
- # to 20. If you need to allow more than 20 concurrent connections
- # at once, simply increase this value. Note that this ONLY works
- # in standalone mode; in inetd mode you should use an inetd server
- # that allows you to limit maximum number of processes per service
- # (such as xinetd)
- MaxInstances 20
- # Disable sendfile by default since it breaks displaying the download speeds in
- # ftptop and ftpwho
- UseSendfile off
- # Define the log formats
- LogFormat default "%h %l %u %t \"%r\" %s %b"
- LogFormat auth "%v [%P] %h %t \"%r\" %s"
- # Dynamic Shared Object (DSO) loading
- # See README.DSO and howto/DSO.html for more details
- #
- # General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
- # LoadModule mod_sql.c
- #
- # Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
- # (contrib/mod_sql_passwd.html)
- # LoadModule mod_sql_passwd.c
- #
- # Mysql support (requires proftpd-mysql package)
- # (http://www.proftpd.org/docs/contrib/mod_sql.html)
- # LoadModule mod_sql_mysql.c
- #
- # Postgresql support (requires proftpd-postgresql package)
- # (http://www.proftpd.org/docs/contrib/mod_sql.html)
- # LoadModule mod_sql_postgres.c
- #
- # Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
- # LoadModule mod_quotatab.c
- #
- # File-specific "driver" for storing quota table information in files
- # (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
- # LoadModule mod_quotatab_file.c
- #
- # SQL database "driver" for storing quota table information in SQL tables
- # (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
- # LoadModule mod_quotatab_sql.c
- #
- # LDAP support (requires proftpd-ldap package)
- # (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
- # LoadModule mod_ldap.c
- #
- # LDAP quota support (requires proftpd-ldap package)
- # (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
- # LoadModule mod_quotatab_ldap.c
- #
- # Support for authenticating users using the RADIUS protocol
- # (http://www.proftpd.org/docs/contrib/mod_radius.html)
- # LoadModule mod_radius.c
- #
- # Retrieve quota limit table information from a RADIUS server
- # (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
- # LoadModule mod_quotatab_radius.c
- #
- # Administrative control actions for the ftpdctl program
- # (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
- # LoadModule mod_ctrls_admin.c
- #
- # Execute external programs or scripts at various points in the process
- # of handling FTP commands
- # (http://www.castaglia.org/proftpd/modules/mod_exec.html)
- # LoadModule mod_exec.c
- #
- # Support for POSIX ACLs
- # (http://www.proftpd.org/docs/modules/mod_facl.html)
- # LoadModule mod_facl.c
- #
- # Support for using the GeoIP library to look up geographical information on
- # the connecting client and using that to set access controls for the server
- # (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
- # LoadModule mod_geoip.c
- #
- # Configure server availability based on system load
- # (http://www.proftpd.org/docs/contrib/mod_load.html)
- # LoadModule mod_load.c
- #
- # Limit downloads to a multiple of upload volume (see README.ratio)
- # LoadModule mod_ratio.c
- #
- # Rewrite FTP commands sent by clients on-the-fly,
- # using regular expression matching and substitution
- # (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
- # LoadModule mod_rewrite.c
- #
- # Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
- # an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
- # LoadModule mod_sftp.c
- #
- # Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
- # mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
- # LoadModule mod_sftp_pam.c
- #
- # Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
- # and host based authentication
- # (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
- # LoadModule mod_sftp_sql.c
- #
- # Provide data transfer rate "shaping" across the entire server
- # (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
- # LoadModule mod_shaper.c
- #
- # Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
- # and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
- # LoadModule mod_site_misc.c
- #
- # Provide an external SSL session cache using shared memory
- # (contrib/mod_tls_shmcache.html)
- # LoadModule mod_tls_shmcache.c
- #
- # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
- # files, for IP-based access control
- # (http://www.proftpd.org/docs/contrib/mod_wrap.html)
- # LoadModule mod_wrap.c
- #
- # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
- # files, as well as SQL-based access rules, for IP-based access control
- # (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
- # LoadModule mod_wrap2.c
- #
- # Support module for mod_wrap2 that handles access rules stored in specially
- # formatted files on disk
- # (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
- # LoadModule mod_wrap2_file.c
- #
- # Support module for mod_wrap2 that handles access rules stored in SQL
- # database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
- # LoadModule mod_wrap2_sql.c
- #
- # Provide a flexible way of specifying that certain configuration directives
- # only apply to certain sessions, based on credentials such as connection
- # class, user, or group membership
- # (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
- # LoadModule mod_ifsession.c
- # TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
- <IfDefine TLS>
- TLSEngine on
- TLSRequired on
- TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
- TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
- TLSCipherSuite ALL:!ADH:!DES
- TLSOptions NoCertRequest
- TLSVerifyClient off
- #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
- TLSLog /var/log/proftpd/tls.log
- <IfModule mod_tls_shmcache.c>
- TLSSessionCache shm:/file=/var/run/proftpd/sesscache
- </IfModule>
- </IfDefine>
- # Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
- # Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
- <IfDefine DYNAMIC_BAN_LISTS>
- LoadModule mod_ban.c
- BanEngine on
- BanLog /var/log/proftpd/ban.log
- BanTable /var/run/proftpd/ban.tab
- # If the same client reaches the MaxLoginAttempts limit 2 times
- # within 10 minutes, automatically add a ban for that client that
- # will expire after one hour.
- BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
- # Allow the FTP admin to manually add/remove bans
- BanControlsACLs all allow user ftpadm
- </IfDefine>
- # Global Config - config common to Server Config and all virtual hosts
- # See: http://www.proftpd.org/docs/howto/Vhost.html
- <Global>
- # Umask 022 is a good standard umask to prevent new dirs and files
- # from being group and world writable
- Umask 022
- # Allow users to overwrite files and change permissions
- AllowOverwrite yes
- <Limit ALL SITE_CHMOD>
- AllowAll
- </Limit>
- </Global>
- # A basic anonymous configuration, with an upload directory
- # Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
- <IfDefine ANONYMOUS_FTP>
- <Anonymous ~ftp>
- User ftp
- Group ftp
- AccessGrantMsg "Anonymous login ok, restrictions apply."
- # We want clients to be able to login with "anonymous" as well as "ftp"
- UserAlias anonymous ftp
- # Limit the maximum number of anonymous logins
- MaxClients 10 "Sorry, max %m users -- try again later"
- # Put the user into /pub right after login
- #DefaultChdir /pub
- # We want 'welcome.msg' displayed at login, '.message' displayed in
- # each newly chdired directory and tell users to read README* files.
- DisplayLogin /welcome.msg
- DisplayChdir .message
- DisplayReadme README*
- # Cosmetic option to make all files appear to be owned by user "ftp"
- DirFakeUser on ftp
- DirFakeGroup on ftp
- # Limit WRITE everywhere in the anonymous chroot
- <Limit WRITE SITE_CHMOD>
- DenyAll
- </Limit>
- # An upload directory that allows storing files but not retrieving
- # or creating directories.
- <Directory uploads/*>
- AllowOverwrite no
- <Limit READ>
- DenyAll
- </Limit>
- <Limit STOR>
- AllowAll
- </Limit>
- </Directory>
- # Don't write anonymous accesses to the system wtmp file (good idea!)
- WtmpLog off
- # Logging for the anonymous transfers
- ExtendedLog /var/log/proftpd/access.log WRITE,READ default
- ExtendedLog /var/log/proftpd/auth.log AUTH auth
- </Anonymous>
- </IfDefine>
- PassivePorts 50000 51000
- <IfModule mod_cap.c>
- CapabilitiesEngine on
- CapabilitiesSet +CAP_CHOWN
- </IfModule>
- <Directory /srv/protected>
- UserOwner apache
- GroupOwner apache
- </Directory>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
