http://www.debian-administration.org/articles/228
As a means of distributing large collections of files FTP is still a popular choice, despite the rise of bittorrent, and the growing number of HTTP servers.
FTP is an often overlooked method of storing and giving access to files, in many cases FTP servers have been retired in place of webservers such as Apache.
But there are a lot of cases where offering access via FTP makes sense, even with the limitations of FTP - most notably the difficulty of firewalling and the security risk involved in using plaintext passwords.
There are several different FTP servers packaged within Debian, which you can see via:
apt-cache search ftp-server
One of the most popular servers around is
proftpd, and that can be installed upon Debian systems with:
apt-get install proftpd
Once downloaded debconf will ask if you wish to
run the server via inetd, or in a standalone fashion. In general you want the
latter option.
After the installation the server will be running, and will grant access to all user accounts upon the host.
If you wish to stop the server prior to more configuration you can do so with:
/etc/init.d/proftpd stop
The configuration of proftpd is conducted via the
configuration file of /etc/proftpd.conf.
Security Options
There are several security options you can enable in
proftpd, the most notable is the use of TLS security.
To use TLS you will need to generate a key, and update your server‘s configuration file to use it.
Generating a key is simple enough with the openssl command, which is contained in the openssl package:
mkdir /etc/proftpd
cd /etc/proftpd
openssl req -new -x509 -days 365
-nodes -out ftpd-rsa.pem \
-keyout ftpd-rsa-key.pem
With the files
generated you can add the following to your proftpd.conf file:
<IfModule mod_tls.c>
TLSEngine on
TLSLog
/var/log/proftpd-tls.log
TLSProtocol TLSv1
# Are clients required to use FTP over TLS when talking to this
server?
TLSRequired off
TLSRSACertificateFile /etc/proftpd/ftpd-rsa.pem
TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem
# Authenticate
clients that want to use FTP over TLS?
TLSVerifyClient
off
</IfModule>
Other security options include limiting users to
particular directories. To limit the user "bob" to the starting directory "/tmp"
you can use:
DefaultRoot /tmp bob
The more general approach is to restrict users to
their own home directory, which you can accomplish via:
DefaultRoot ~
This causes all users to be presented with the contents of
their home directory (as specified by /etc/passwd) when they login.
Permitting Anonymous Access
To permit anonymous access to your server you
will need to uncomment the configuration options which are already present in
the standard /etc/proftpd.conf file.
This is a good starting point:
<Anonymous ~ftp>
User ftp
Group nogroup
# We want clients to be able to login with "anonymous" as well as
"ftp"
UserAlias anonymous ftp
# Cosmetic changes, all files belongs to ftp user
DirFakeUser on
ftp
DirFakeGroup on ftp
RequireValidShell off
# Limit
the maximum number of anonymous logins
MaxClients 10
# We want
‘welcome.msg‘ displayed at login, and ‘.message‘ displayed
# in each newly
chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous
chroot
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
This configuration setting allows
users to login with either anonymous, or ftp, as username and they will be able
to read from /home/ftp.
Thankfully they will be unable to upload new content, or delete existing files. They will be given only read-only access to the server.
Miscallaneous Options
There are some other options which you might wish to
change, for example the welcome message presented to clients.
The welcome message presented is read from /home/ftp/welcome.msg, editing that file will immediately change the text sent to users.
The hostname of your server is typically displayed to clients when they connect - in the Debian package the greeting only includes the string "Debian" - as you can see from the following session:
user@host:~ ftp localhost
Connected to localhost.localdomain.
220
ProFTPD 1.2.10 Server (Debian) [127.0.0.1]
To change this update the
proftpd.conf file to include:
ServerName "My.host.name"