
/etc/proftpd.conf

a guest
May 14th, 2011
  1. # This is the ProFTPD configuration file
  2. #
  3. # See: http://www.proftpd.org/docs/directives/linked/by-name.html
  4.  
  5. # Server Config - config used for anything outside a <VirtualHost> or <Global> context
  6. # See: http://www.proftpd.org/docs/howto/Vhost.html
  7.  
  8. ServerName "ProFTPD server"
     # With a custom string, ServerIdent sends that text as the greeting in place
     # of the default banner, so the connect message does not name the server
     # software or its version.
  9. ServerIdent on "FTP Server ready."
  10. ServerAdmin root@localhost
  11. DefaultServer on
  12.  
  13. # Chroot every FTP user into their home directory, except members of group adm.
      # The second DefaultRoot argument is a group expression, so "!adm" exempts
      # the adm group rather than a single account; exempted users are not confined
      # and can reach whatever their Unix permissions allow.
  14. # Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
  15. # work at session-end time (http://bugzilla.redhat.com/477120)
  16. VRootEngine on
  17. DefaultRoot ~ !adm
  18. VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
  19.  
  20. # Use pam to authenticate (default) and be authoritative
      # The trailing "*" marks mod_auth_pam as authoritative: a PAM failure ends
      # the login attempt instead of falling through to mod_auth_unix.
      # NOTE(review): these logins are sent over the network in cleartext unless
      # the <IfDefine TLS> section of this file is activated at startup.
  21. AuthPAMConfig proftpd
  22. AuthOrder mod_auth_pam.c* mod_auth_unix.c
  23. # If you use NIS/YP/LDAP you may need to disable PersistentPasswd
  24. #PersistentPasswd off
  25.  
  26. # Don't do reverse DNS lookups (hangs on DNS problems)
  27. UseReverseDNS off
  28.  
  29. # Set the user and group that the server runs as
  30. User nobody
  31. Group nobody
  32.  
  33. # To prevent DoS attacks, set the maximum number of child processes
  34. # to 20. If you need to allow more than 20 concurrent connections
  35. # at once, simply increase this value. Note that this ONLY works
  36. # in standalone mode; in inetd mode you should use an inetd server
  37. # that allows you to limit maximum number of processes per service
  38. # (such as xinetd)
  39. MaxInstances 20
  40.  
  41. # Disable sendfile by default since it breaks displaying the download speeds in
  42. # ftptop and ftpwho
  43.  
  44.  
  45. UseSendfile off
  46.  
  47. # Define the log formats
      # NOTE(review): these lines only name the formats. The only ExtendedLog
      # directives in this file sit inside the <Anonymous> section, so sessions of
      # authenticated (non-anonymous) users are not written to access.log or
      # auth.log unless ExtendedLog is also added at server or <Global> level.
  48. LogFormat default "%h %l %u %t \"%r\" %s %b"
  49. LogFormat auth "%v [%P] %h %t \"%r\" %s"
  50.  
  51. # Dynamic Shared Object (DSO) loading
  52. # See README.DSO and howto/DSO.html for more details
  53. #
  54. # General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
  55. # LoadModule mod_sql.c
  56. #
  57. # Mysql support (requires proftpd-mysql package)
  58. # (http://www.proftpd.org/docs/contrib/mod_sql.html)
  59. # LoadModule mod_sql_mysql.c
  60. #
  61. # Postgresql support (requires proftpd-postgresql package)
  62. # (http://www.proftpd.org/docs/contrib/mod_sql.html)
  63. # LoadModule mod_sql_postgres.c
  64. #
  65. # Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
  66. # LoadModule mod_quotatab.c
  67. #
  68. # File-specific "driver" for storing quota table information in files
  69. # (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
  70. # LoadModule mod_quotatab_file.c
  71. #
  72. # SQL database "driver" for storing quota table information in SQL tables
  73. # (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
  74. # LoadModule mod_quotatab_sql.c
  75. #
  76. # LDAP support (requires proftpd-ldap package)
  77. # (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
  78. # LoadModule mod_ldap.c
  79. #
  80. # LDAP quota support (requires proftpd-ldap package)
  81. # (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
  82. # LoadModule mod_quotatab_ldap.c
  83. #
  84. # Support for authenticating users using the RADIUS protocol
  85. # (http://www.proftpd.org/docs/contrib/mod_radius.html)
  86.  
  87.  
  88. # LoadModule mod_radius.c
  89. #
  90. # Retrieve quota limit table information from a RADIUS server
  91. # (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
  92. # LoadModule mod_quotatab_radius.c
  93. #
  94. # Administrative control actions for the ftpdctl program
  95. # (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
  96. # LoadModule mod_ctrls_admin.c
  97. #
  98. # Execute external programs or scripts at various points in the process
  99. # of handling FTP commands
  100. # (http://www.castaglia.org/proftpd/modules/mod_exec.html)
  101. # LoadModule mod_exec.c
  102. #
  103. # Support for POSIX ACLs
  104. # (http://www.proftpd.org/docs/modules/mod_facl.html)
  105. # LoadModule mod_facl.c
  106. #
  107. # Configure server availability based on system load
  108. # (http://www.proftpd.org/docs/contrib/mod_load.html)
  109. # LoadModule mod_load.c
  110. #
  111. # Limit downloads to a multiple of upload volume (see README.ratio)
  112. # LoadModule mod_ratio.c
  113. #
  114. # Rewrite FTP commands sent by clients on-the-fly,
  115. # using regular expression matching and substitution
  116. # (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
  117. # LoadModule mod_rewrite.c
  118. #
  119. # Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
  120. # and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
  121. # LoadModule mod_site_misc.c
  122. #
  123. # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
  124. # files, for IP-based access control
  125. # (http://www.proftpd.org/docs/contrib/mod_wrap.html)
  126. # LoadModule mod_wrap.c
  127. #
  128. # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
  129.  
  130.  
  131. # files, as well as SQL-based access rules, for IP-based access control
  132. # (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
  133. # LoadModule mod_wrap2.c
  134. #
  135. # Support module for mod_wrap2 that handles access rules stored in specially
  136. # formatted files on disk
  137. # (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
  138. # LoadModule mod_wrap2_file.c
  139. #
  140. # Support module for mod_wrap2 that handles access rules stored in SQL
  141. # database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
  142. # LoadModule mod_wrap2_sql.c
  143. #
  144. # Provide a flexible way of specifying that certain configuration directives
  145. # only apply to certain sessions, based on credentials such as connection
  146. # class, user, or group membership
  147. # (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
  148. # LoadModule mod_ifsession.c
  149.  
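  150. # TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
       # This section is read only when the server is started with the TLS define
       # (-DTLS, passed the same way as the other <IfDefine> switches in this
       # file); without it the section is skipped and logins and transfers are
       # unencrypted.
  151. <IfDefine TLS>
  152. TLSEngine on
       # "on" makes TLS mandatory for both the control and the data channel, so
       # clients that do not negotiate TLS are refused.
  153. TLSRequired on
       # Certificate and private key are read from the same PEM file, and that file
       # lives in the certs directory: keep it readable by root only, or split the
       # key out into a separate, restricted file.
  154. TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
  155. TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
       # Was "ALL:!ADH:!DES". ALL still admits export-grade, RC4, MD5-based and
       # 3DES suites, and !ADH does not exclude the other anonymous (unauthenticated)
       # key exchanges. Restrict to strong suites and drop every anonymous suite.
  156. TLSCipherSuite HIGH:!aNULL:!MD5:!3DES
       # NOTE(review): no TLSProtocol directive is set, so the accepted protocol
       # versions are whatever this mod_tls build defaults to. Pin TLSProtocol to
       # the newest versions the installed mod_tls/OpenSSL supports.
       # NoCertRequest: the server does not ask the client for a certificate.
  157. TLSOptions NoCertRequest
       # Client certificates are not verified; users are authenticated by
       # password only.
  158. TLSVerifyClient off
  159. #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
  160. TLSLog /var/log/proftpd/tls.log
  161. </IfDefine>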
  162.  
  163. # Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
  164. # Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
       # NOTE(review): until that define is passed, this section is skipped and
       # nothing in this file bans clients after repeated failed logins.
  165. <IfDefine DYNAMIC_BAN_LISTS>
  166. LoadModule mod_ban.c
  167. BanEngine on
       # BanLog records ban activity; it is the file to watch when looking for
       # password-guessing attempts against this server.
  168. BanLog /var/log/proftpd/ban.log
  169. BanTable /var/run/proftpd/ban.tab
  170.  
  171. # If the same client reaches the MaxLoginAttempts limit 2 times
  172.  
  173. # within 10 minutes, automatically add a ban for that client that
  174. # will expire after one hour.
       # NOTE(review): MaxLoginAttempts itself is not set anywhere in this file, so
       # the server default decides how many failed logins count as one event.
  175. BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
  176.  
  177. # Allow the FTP admin to manually add/remove bans
       # Every ban control action is allowed to the single account "ftpadm";
       # make sure that account exists and is not shared.
  178. BanControlsACLs all allow user ftpadm
  179. </IfDefine>
  180.  
  181. # Global Config - config common to Server Config and all virtual hosts
  182. # See: http://www.proftpd.org/docs/howto/Vhost.html
  183. <Global>
  184.  
  185. # Umask 022 is a good standard umask to prevent new dirs and files
  186. # from being group and world writable
       # NOTE(review): 022 still leaves new files and directories readable by every
       # local account; use a tighter umask if uploads should stay private.
  187. Umask 022
  188.  
  189. # Don't do ident queries (hangs when the port is filtered)
  190. IdentLookups off
       # "-a" is applied to directory listings, so dotfiles are shown to clients.
  191. ListOptions "-a"
  192. # Allow users to overwrite files and change permissions
       # Because this sits in <Global>, it applies to every logged-in user of the
       # main server and all virtual hosts: any command, plus SITE CHMOD, is allowed
       # and existing files may be replaced. The <Anonymous> section of this file
       # overrides it with its own <Limit WRITE SITE_CHMOD> DenyAll.
       # NOTE(review): narrow this if some accounts are meant to be read-only.
  193. AllowOverwrite yes
  194. <Limit ALL SITE_CHMOD>
  195. AllowAll
  196. </Limit>
  197.  
  198. </Global>
  199.  
  200. # A basic anonymous configuration, with an upload directory
  201. # Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
       # Anonymous access stays off unless that define is passed at startup.
  202. <IfDefine ANONYMOUS_FTP>
       # Anonymous sessions are rooted at the home directory of user ftp and run
       # with the user and group given below.
  203. <Anonymous ~ftp>
  204. User ftp
  205. Group ftp
  206. AccessGrantMsg "Anonymous login ok, restrictions apply."
  207.  
  208. # We want clients to be able to login with "anonymous" as well as "ftp"
  209. UserAlias anonymous ftp
  210.  
  211. # Limit the maximum number of anonymous logins
  212. MaxClients 10 "Sorry, max %m users -- try again later"
  213.  
  214. # Put the user into /pub right after login
  215. #DefaultChdir /pub
  216.  
  217. # We want 'welcome.msg' displayed at login, '.message' displayed in
  218. # each newly chdired directory and tell users to read README* files.
  219. DisplayLogin /welcome.msg
  220. DisplayChdir .message
  221. DisplayReadme README*
  222.  
  223. # Cosmetic option to make all files appear to be owned by user "ftp"
  224. DirFakeUser on ftp
  225. DirFakeGroup on ftp
  226.  
  227. # Limit WRITE everywhere in the anonymous chroot
       # SITE_CHMOD is listed as well, so anonymous clients can neither write nor
       # change permissions anywhere except where a <Directory> block re-allows it.
  228. <Limit WRITE SITE_CHMOD>
  229. DenyAll
  230. </Limit>
  231.  
  232. # An upload directory that allows storing files but not retrieving
  233. # or creating directories.
       # Denying READ keeps the directory from being used to pass files between
       # anonymous clients; AllowOverwrite no stops one upload replacing another.
       # NOTE(review): no size or quota limit for anonymous uploads is set in this
       # file; consider MaxStoreFileSize or the quota modules so this directory
       # cannot be used to fill the disk.
  234. <Directory uploads/*>
  235. AllowOverwrite no
  236. <Limit READ>
  237. DenyAll
  238. </Limit>
  239.  
  240. <Limit STOR>
  241. AllowAll
  242. </Limit>
  243. </Directory>
  244.  
  245. # Don't write anonymous accesses to the system wtmp file (good idea!)
  246. WtmpLog off
  247.  
  248. # Logging for the anonymous transfers
       # Transfers go to access.log in the "default" format and login attempts to
       # auth.log in the "auth" format. These are the only ExtendedLog directives
       # in this file, so they cover anonymous sessions only.
  249. ExtendedLog /var/log/proftpd/access.log WRITE,READ default
  250. ExtendedLog /var/log/proftpd/auth.log AUTH auth
  251.  
  252. </Anonymous>
  253. </IfDefine>