Using the ProFTPD configuration file
The proftpd.conf file is made up of different settings known as directives. You can configure or reconfigure the proftpd.conf file by changing the value of one or more directives. You can open the proftpd.conf file and change the value of a directive using a text editor. Once you set the value of a directive, you can change it at any time. For example, you can set the maximum number of simultaneous connections by FTP clients by setting the MaxInstances directive. If you set this directive to 20, only 20 FTP clients can connect to the FTP server at once. You can reconfigure this directive by changing the value.
You can set security settings in the proftpd.conf file. You can restrict the FTP commands that the FTP client can use. For example, you can restrict use of the delete command by setting the Limit directive. For information about FTP commands, see "File Transfer Protocol." You can reconfigure security settings in the proftpd.conf file after you set them. You must restart the FTP server for any changes to take effect. For information about restarting the FTP server, see "Starting and stopping the FTP server." Listed below are some of the directives that are contained in the proftpd.conf file.
ServerName
The ServerName directive lets you specify the name of the server. In the following example, the name of the FTP server is "ProFTPD Corel Server."
ServerName "ProFTPD Corel Server"
Note
Because this value is a string value, you must put the value within quotes.
ServerType
You can set the FTP ServerType directive to standalone or inetd. If you set the ServerType directive to standalone, the FTP server waits for connections on the specified port. If you set this directive to inetd, the FTP server runs from the inetd server and new connections are passed from inetd to ProFTPD where the FTP server processes them. In the following example, the ServerType directive is set to standalone.
ServerType standalone
Note
It is recommended that users set this directive to standalone until they are more familiar with configuring FTP servers.
DefaultServer
You can set the DefaultServer directive to on. In this case, all connections with an unknown destination are serviced by the default server. In the following example, the DefaultServer directive is set to on.
DefaultServer on
Port
You can specify the TCP port where the FTP server waits for connections. The FTP server waits for connections while in standalone mode. The standard TCP port value for FTP is 21. In the following example, the Port directive is set to 21.
Port 21
Port 21 is the default. It is strongly recommended that you use the default value.
MaxInstances
You can set the maximum number of simultaneous connections. A connection attempt that exceeds this value will be prohibited. This directive can safeguard against an FTP client that repeatedly tries to connect, which could otherwise cause the FTP server to crash. In the following example, the MaxInstances directive is set to 30.
MaxInstances 30
User and Group
You can specify the user that the FTP server runs as. By default, the FTP server runs as root. A root user has many privileges that should not be exposed to all FTP clients. As a root user, the FTP client has access to system files. Changing certain system files might irreparably damage the system. You should set the User and Group directives to a valid user and group. This ensures the FTP server runs as the user and not as root. It is recommended that you set up a new user and group specifically for running the FTP server. For information about setting up a user on Corel LINUX, see the Corel LINUX User Guide. If the User or Group directives are defined within an anonymous tag, the FTP server will establish an anonymous login. You should set an authorized FTP server to a valid user. In the following example, the User and Group directives are set to Frankj.
User Frankj
Group Frankj
Notes
For information about anonymous users, see "Creating an Anonymous FTP server."
Frankj is a valid user on the FTP server.
AllowOverwrite
By default, FTP clients cannot overwrite files. Setting the AllowOverwrite directive to on lets the FTP client overwrite files in a specified directory. However, you still need permission to write to the specific directory. If you do not have write privileges in the specified directory, then the FTP client is not able to overwrite a file located in the specified directory. For information about write permissions, see the Corel LINUX User Guide. In the following example, FTP clients are able to overwrite files located in the /var/www/ directory.
<Directory /var/www/>
AllowOverwrite on
</Directory>
Note
For information about the Directory directive, see the Directory directive located later in this overview.
Limit
You can use the Limit directive to restrict an FTP client from using specified FTP commands. For example, you can restrict an FTP client from changing the working directory. The FTP command to change the working directory is CWD. You must enclose the FTP command in opening and closing tags. In the opening tag, you must specify the FTP command that you want to restrict. Inside the tags you can use the Deny directive to create the limitation. For information about the Deny directive, see the Deny directive located later in this overview. In the following example, the FTP client is restricted from using the CWD command.
<Limit CWD>
DenyAll
</Limit>
In the following example, the FTP client is restricted from using the DELE command.
<Limit DELE>
DenyAll
</Limit>
Note
For information about FTP commands, see "File Transfer Protocol."
Order
You can use the Order directive to specify the order in which the Allow and Deny directives are evaluated. Both the Allow and Deny directives affect which FTP clients can access a directory. You must place the Order directive within an opening and closing directory tag. You must specify the directory in the opening directory tag. For information about the Directory directive, see the Directory directive located later in this overview. You can set the Order directive to one of the following:
deny,allow: evaluates the Deny directives before the Allow directives
allow,deny: evaluates the Allow directives before the Deny directives
In the following example, the Allow directive is evaluated before the Deny directive. The FTP clients from the following IP addresses: 120.150.8.43, 120.150.106.6, and 120.150.4.65, are not able to change the working directory to /var/, or any of its subdirectories.
<Directory /var/>
<Limit CWD>
Order allow,deny
AllowAll
deny from 120.150.8.43
deny from 120.150.106.6
deny from 120.150.4.65
</Limit>
</Directory>
Allow
You can set the Allow directive to let an FTP client use a specific FTP command. You must place the Allow directive within an opening and closing Limit tag. You can set the Allow directive to be one of the following:
all: lets all FTP clients use the specified FTP command, for example: AllowAll
An IP address: lets FTP clients with the specific IP address use the specified FTP command, for example: allow from 120.52.17.13
In the following example, the Allow directive is set to all. All FTP clients can use the CWD command to access the /var/ directory except for FTP clients with the following IP addresses: 120.150.8.43, 120.150.106.6, and 120.150.4.65.
<Directory /var/>
<Limit CWD>
Order allow,deny
AllowAll
deny from 120.150.8.43
deny from 120.150.106.6
deny from 120.150.4.65
</Limit>
</Directory>
Deny
You can set the Deny directive to prohibit an FTP client from using a specified FTP command. You must place the Deny directive within an opening and closing Limit tag. You can set the Deny directive to be one of the following:
all: denies all FTP clients from using the specified FTP command, for example: DenyAll
An IP address: denies FTP clients with the specific IP address from using the specified FTP command, for example: deny from 120.52.17.13
In the following example, three IP addresses are prohibited from changing the working directory to the /var/ directory. There is no limit to the number of IP addresses you can deny.
<Directory /var/>
<Limit CWD>
deny from 120.150.8.43
deny from 120.150.106.6
deny from 120.150.4.65
</Limit>
</Directory>
Directory
You can use the Directory directive to apply a series of directives to a directory. You must indicate the directory in the opening tag. You must end this directive with a closing tag. Using a slash and wildcard (/*) in the opening tag specifies that the directives apply to all directories.
The following example lets the FTP client overwrite files located in the /var/www/ directory.
<Directory /var/www/>
AllowOverwrite on
</Directory>
The following example prohibits the FTP clients at two IP addresses from changing the working directory in any directory. Note the use of the slash and wildcard in the opening directory tag.
<Directory /*>
<Limit CWD>
deny from 120.150.106.6
deny from 120.150.4.65
</Limit>
</Directory>
Note
You can place one or more Limit directives within the Directory tags.
Anonymous
You can create an anonymous FTP server by setting the Anonymous directive. An anonymous server is for users who do not have an authorized user account on the local computer. You must use an opening and closing Anonymous tag. You can specify the default directory in the opening Anonymous tag. For example, the /home/anon/ directory is used in the example below. You should restrict the privileges of an anonymous user. You can use the Limit directive to restrict the privileges of an anonymous user.
In the following example, an anonymous FTP server is created. The anonymous user cannot change directories, overwrite, or delete files. The anonymous user can only download files located in the /home/anon/ directory.
<Anonymous /home/anon/>
User anon
Group anon
# We want clients to be able to login with "anonymous" as well as "anon"
UserAlias anonymous anon
# Limit the maximum number of anonymous logins
MaxClients 10
# Create the default directory
<Directory /home/anon/>
# Restrict ability to overwrite files in the working directory
<Limit WRITE>
DenyAll
</Limit>
# Restrict ability to change the working directory
<Limit CWD>
DenyAll
</Limit>
# Restrict ability to delete files in the working directory
<Limit DELE>
DenyAll
</Limit>
</Directory>
</Anonymous>
Note
The anonymous FTP server runs under the anon user, which is a valid user on the FTP server. For information about creating an anonymous FTP server, see "Creating an Anonymous FTP server."
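The following Python check is an added example, not part of the original documentation or of ProFTPD. It scans proftpd.conf text for two points this overview makes: the server runs as root unless User and Group are set, and an anonymous user's privileges should be restricted with Limit. The sample configuration, the audit function and its finding strings are constructed for illustration.

```python
import re

# Constructed sample (not from the page): no server-level User/Group, weak anonymous block.
SAMPLE_CONF = """\
ServerName "ProFTPD Corel Server"
<Anonymous /home/anon/>
User anon
Group anon
<Directory /home/anon/>
AllowOverwrite on
<Limit DELE>
DenyAll
</Limit>
</Directory>
</Anonymous>
"""

def audit(conf_text):
    """Return findings for the User/Group and anonymous-privilege guidance."""
    findings, stack = [], []   # stack of open (tag, argument) contexts
    server = {}                # User/Group values set at server level
    anon_ok = {}               # anonymous directory -> WRITE denied to all?
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif m := re.match(r"<(\w+)\s*(.*)>$", line):
            stack.append((m.group(1).lower(), m.group(2).strip()))
            if stack[-1][0] == "anonymous":
                anon_ok[stack[-1][1]] = False
        else:
            name, value = (line.lower().split(None, 1) + [""])[:2]
            ctx = dict(stack)  # tag -> argument of the enclosing contexts
            if not stack and name in ("user", "group"):
                server[name] = value
            if "anonymous" in ctx:
                if name == "allowoverwrite" and value == "on":
                    findings.append(f"anonymous {ctx['anonymous']}: AllowOverwrite on")
                if name == "denyall" and "WRITE" in ctx.get("limit", "").upper().split():
                    anon_ok[ctx["anonymous"]] = True
    for key in ("user", "group"):
        if server.get(key, "root") == "root":  # the page: unset means root
            findings.append(f"server {key.capitalize()} unset or root")
    findings += [f"anonymous {d}: no <Limit WRITE> DenyAll" for d, ok in anon_ok.items() if not ok]
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Run it against a copy of the configuration before restarting the FTP server; an empty list means none of these checks fired.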