Setting up ProFTPD on Debian with explicit FTPS and a separate mod_auth_file user file

Date: 2020-03-21 11:42:23  Source: igfitidea

Software

Software used in this article:

  • Debian Wheezy
  • ProFTPD 1.3.4a
  • OpenSSL 1.0.1e

Notes before installing

Note 1: Our server sits behind NAT, so we will connect from outside using passive FTP mode.
The NAT configuration for a Mikrotik router (entered over SSH) is included below.

Note 2: We will use mod_auth_file for FTP authentication, with its own user file instead of the system /etc/passwd.

Note 3: We will use "DefaultServer on" without any additional VirtualHosts.

Installation

Install openssl and proftpd (choose the standalone mode when asked):

# apt-get update && apt-get install proftpd openssl
[...]
Run proftpd: standalone
[...]

Configuration

We will create a new directory for FTP uploads.
The sticky bit (the leading 1 in mode 1777) also prevents users from deleting or renaming files in that directory unless they own the file (or the directory itself):

# mkdir -m 1777 /ftp

Double-check the permissions (note the trailing "t"):

# ls -ld /ftp
drwxrwxrwt 2 root root 4096 Jan 25 21:36 /ftp/

Change to the ProFTPD configuration directory:

# cd /etc/proftpd

First, back up the default configuration files:

# cp ./proftpd.conf ./proftpd.conf.$(date +%F)
# cp ./tls.conf ./tls.conf.$(date +%F)
# cp ./virtuals.conf ./virtuals.conf.$(date +%F)

Create a new directory for the FTP authentication file and deny access to everyone else:

# mkdir -m 0770 ./auth
# chown proftpd ./auth

Check the permissions:

# ls -ld ./auth
drwxrwx--- 2 proftpd root 4096 Jan 26 18:14 ./auth/

List the five highest UIDs already in use, so the new FTP user does not collide with a system account:

# cut -d: -f3 /etc/passwd | sort -n | tail -n 5
1001
1002
1003
1004
65534

Create a new FTP user for Sandy with UID and GID 1100 (both unused). The home directory is the upload directory and the shell is /bin/false, so the account is useless for anything but FTP:

# ftpasswd --passwd --file=/etc/proftpd/auth/users.passwd --name=sandy --home=/ftp \
--shell=/bin/false --uid=1100 --gid=1100

Refer to the ftpasswd man page for more information if needed.

Let's look at the contents of the authentication file (the password is stored as a crypt(3) hash, not in clear):

# cat ./auth/users.passwd
sandy:$a3lD4ThisIsNotARealPassword6m5Z2:1100:1100::/ftp:/bin/false

Make the file readable by the proftpd user:

# chown proftpd /etc/proftpd/auth/users.passwd

Create a new directory for the SSL certificate and key:

# mkdir /etc/proftpd/ssl

Generate a self-signed certificate and RSA key for FTPS. The key is written without a passphrase (-nodes) because the daemon must read it unattended at start-up, so file permissions are its only protection; the Common Name must match the host name clients will connect to:

# openssl req -new -x509 -days 1825 -sha256 -nodes -out ./ssl/server.crt \
-keyout ./ssl/server.key
Generating a 2048 bit RSA private key
...........+++
.................................................................................+++
writing new private key to './ssl/server.key'
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Outer Space
Locality Name (eg, city) []:Nibiru
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ftp.example.com
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ftp.example.com
Email Address []:Hyman@theitroad

Make the certificate and, above all, the private key unreadable by other users:

# chmod 0440 ./ssl/*

proftpd.conf

Here is our "proftpd.conf" configuration. Note that "DefaultAddress localhost" binds the main server to the loopback address only; for the router's dst-nat rule (which forwards to 10.X.Y.Z in the NAT section below) to reach it, the address must be the one the traffic is forwarded to, unless the host itself redirects that traffic to loopback:

# cat ./proftpd.conf
# /etc/proftpd/proftpd.conf

# Server Config
#Include		/etc/proftpd/modules.conf
Include			/etc/proftpd/tls.conf
ServerName		"Private FTP Server"
ServerType		standalone
ServerAdmin		Hyman@theitroad
DefaultServer		on
AccessGrantMsg		"User %u logged in."
# keep the required auth module only
AuthOrder		mod_auth_file.c
UseReverseDNS		off
RequireValidShell	off
# we want the main server instance to listen on a specific IP
DefaultAddress		localhost
Port			21
PassivePorts		64000 65000
# never ever run as root
User			proftpd
Group			nogroup
# scoreboard (session table), not the pid file
ScoreboardFile		/var/run/proftpd.score
# for DoS prevention, only works in standalone mode
MaxInstances		20
# for passive FTP mode
MasqueradeAddress	54.X.Y.Z
MultilineRFC2228	on
ShowSymlinks		off
UseIPv6			off
DefaultTransferMode	binary
# DebugLevel only applies to SystemLog files
DebugLevel		0
TransferLog		/var/log/proftpd/xferlog
SystemLog		/var/log/proftpd/proftpd.log
WtmpLog			off

# Global Config
<Global>
 RootLogin		off
 AuthPAM		off
 AuthUserFile		/etc/proftpd/auth/users.passwd
 # jailing
 DefaultRoot		/ftp
 #DefaultChdir		/ftp/shared
 # give out minimal information
 ServerIdent		on "Private FTP Server"
 IdentLookups		off
 # the ServerIdent banner above is already minimal; "DeferWelcome on" would hide it until login
 DeferWelcome		off
 DisplayLogin		/etc/proftpd/welcome.msg
 DisplayConnect		/etc/issue.net
 TimeoutLogin		120
 TimeoutNoTransfer	300
 TimeoutStalled		3600
 TimeoutIdle		600
 MaxClients		5 "Sorry, ftp server has reached its maximum user limit (%m)"
 MaxClientsPerUser	5 "Sorry, no more than %m connections per user."
 # restrict sandy's uploads to 1 gigabyte per file
 MaxStoreFileSize	1 Gb user sandy
 # allow unlimited upload and download size for everyone else
 MaxStoreFileSize	*
 MaxRetrieveFileSize	*
 MaxLoginAttempts	3
 DenyFilter		\*.*/
 Umask			022
 AllowOverwrite		on
 AllowOverride		off
 # allow to resume not only the downloads, but the uploads too
 AllowRetrieveRestart	on
 AllowStoreRestart	on
 RequireValidShell	off
</Global>

# Delay engine reduces impact of the so-called Timing Attack
<IfModule mod_delay.c>
 DelayEngine on
</IfModule>

<Limit SITE_CHMOD>
 DenyAll
</Limit>

# VirtualHosts (for future use)
Include /etc/proftpd/virtuals.conf

tls.conf

Here is our "tls.conf" configuration. "TLSRequired on" is the setting that matters most: it refuses logins and transfers that are not protected by TLS. Two other lines deserve attention: "TLSProtocol TLSv1" restricts the server to TLS 1.0 (later ProFTPD releases accept "TLSv1.2", which is the value to use once server and clients support it), and "AllowClientRenegotiations" re-enables client-initiated TLS renegotiation, which mod_tls otherwise rejects; "NoSessionReuseRequired" is only there for clients that cannot resume the control-channel TLS session on data connections:

# cat ./tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSRequired on
TLSProtocol TLSv1
TLSRSACertificateFile /etc/proftpd/ssl/server.crt
TLSRSACertificateKeyFile /etc/proftpd/ssl/server.key
TLSVerifyClient off
TLSOptions AllowClientRenegotiations NoSessionReuseRequired
TLSLog /var/log/proftpd/tls.log
</IfModule>

virtuals.conf

The "virtuals.conf" file contains no virtual hosts:

# cat ./virtuals.conf
# this file is empty

welcome.msg

Here is our "welcome.msg", shown only after a successful login (DisplayLogin):

# cat ./welcome.msg
Welcome %U from %R.
You are user number %N of %M allowed.
This is a private FTP system - no anonymous logins. 
You will be disconnected after 10 minutes of inactivity.

Restart the ProFTPD daemon

# service proftpd restart
[ ok ] Stopping ftp server: proftpd.
[....] Starting ftp server: proftpdlocal proftpd[5395] 127.0.0.1: 127.0.0.1:21 masquerading as 54.X.Y.Z
. ok

Configure NAT on Mikrotik RouterOS

TCP port 21 and the PassivePorts range 64000-65000 have to be forwarded on the Mikrotik router (and opened on the host's iptables firewall) for public access.
Enter over SSH:

[Hyman@theitroad] > ip firewall nat
[Hyman@theitroad] /ip firewall nat> add chain=dstnat dst-address=54.X.Y.Z protocol=tcp dst-port=21 action=dst-nat to-addresses=10.X.Y.Z to-ports=21
[Hyman@theitroad] /ip firewall nat> add chain=dstnat dst-address=54.X.Y.Z protocol=tcp dst-port=64000-65000 action=dst-nat to-addresses=10.X.Y.Z to-ports=64000-65000
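The configuration above and the NAT rule just entered can be cross-checked before anything is restarted. The following Python script is an added example, not part of the original article or of ProFTPD: it parses a proftpd.conf/tls.conf text (the page's configuration, abridged, is embedded as constructed sample input) and flags the settings a reviewer would raise, including whether PassivePorts lies inside the range the Mikrotik rule forwards. The "hardened" variant it compares against is an assumption: "TLSProtocol TLSv1.2" (a keyword accepted by later ProFTPD releases; check the mod_tls documentation for the version you run) and no AllowClientRenegotiations/NoSessionReuseRequired, which presumes clients that resume the control TLS session on data connections.

```python
"""Lint a ProFTPD configuration for the settings this page depends on (added example)."""

# Constructed from the page's proftpd.conf and tls.conf, abridged to the
# directives the checks below look at.
PAGE_CONFIG = """\
# proftpd.conf (abridged)
Include /etc/proftpd/tls.conf
ServerType standalone
DefaultServer on
AuthOrder mod_auth_file.c
Port 21
PassivePorts 64000 65000
User proftpd
Group nogroup
MasqueradeAddress 54.X.Y.Z
<Global>
 RootLogin off
 AuthPAM off
 AuthUserFile /etc/proftpd/auth/users.passwd
 DefaultRoot /ftp
 RequireValidShell off
</Global>
# tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSRequired on
TLSProtocol TLSv1
TLSRSACertificateFile /etc/proftpd/ssl/server.crt
TLSRSACertificateKeyFile /etc/proftpd/ssl/server.key
TLSVerifyClient off
TLSOptions AllowClientRenegotiations NoSessionReuseRequired
</IfModule>
"""

# Assumed hardened variant: TLS 1.2 only, no client-initiated renegotiation,
# data connections must reuse the control channel's TLS session.
HARDENED_CONFIG = (PAGE_CONFIG
                   .replace("TLSProtocol TLSv1\n", "TLSProtocol TLSv1.2\n")
                   .replace("TLSOptions AllowClientRenegotiations NoSessionReuseRequired\n", ""))

MODERN_TLS = {"tlsv1.2", "tlsv1.3"}


def parse_directives(text):
    """Map lowercase directive name -> list of argument lists, one per occurrence.
    ProFTPD comments are whole lines starting with '#'. Section tags are skipped:
    this page runs a single DefaultServer, so context does not change a directive."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split()
        found.setdefault(parts[0].lower(), []).append(parts[1:])
    return found


def lint(text, forwarded_ports=None):
    """Return a list of findings (empty means every check passed).
    forwarded_ports is the (low, high) TCP range the NAT device forwards for PASV."""
    d = parse_directives(text)

    def first(name):                      # args of the first occurrence, or None
        return (d.get(name.lower()) or [None])[0]

    def is_on(name):
        return (first(name) or [""])[0].lower() == "on"

    findings = []
    if not (is_on("TLSEngine") and is_on("TLSRequired")):
        findings.append("TLSEngine/TLSRequired not both on: clients can log in without TLS")
    proto = {p.lower() for p in (first("TLSProtocol") or [])}
    if not proto or not proto <= MODERN_TLS:
        findings.append("TLSProtocol %s: restrict to TLSv1.2 (and TLSv1.3 where supported)"
                        % " ".join(first("TLSProtocol") or ["unset"]))
    opts = {o.lower() for o in (first("TLSOptions") or [])}
    if "allowclientrenegotiations" in opts:
        findings.append("TLSOptions AllowClientRenegotiations: lets clients trigger TLS renegotiation; remove it")
    if "nosessionreuserequired" in opts:
        findings.append("TLSOptions NoSessionReuseRequired: data connections need not reuse the control TLS session")
    if not first("RootLogin") or is_on("RootLogin"):
        findings.append("RootLogin is not off")
    if not first("DefaultRoot"):
        findings.append("DefaultRoot unset: users are not chrooted")
    if first("AuthOrder") != ["mod_auth_file.c"]:
        findings.append("AuthOrder does not restrict authentication to mod_auth_file")
    if (first("User") or ["root"])[0] == "root":
        findings.append("sessions run as root (User unset or root)")
    pp = first("PassivePorts")
    if not pp:
        findings.append("PassivePorts unset: PASV uses random high ports the NAT does not forward")
    else:
        lo, hi = int(pp[0]), int(pp[1])
        if forwarded_ports and (lo < forwarded_ports[0] or hi > forwarded_ports[1]):
            findings.append("PassivePorts %d-%d outside the forwarded range %d-%d" % (lo, hi, *forwarded_ports))
        if not first("MasqueradeAddress"):
            findings.append("MasqueradeAddress unset: PASV advertises the private address behind NAT")
    return findings
```

Run against the page's own configuration, lint() reports exactly the three TLS items discussed above and nothing else; against the hardened variant it reports nothing, and it starts complaining again as soon as PassivePorts drifts outside the range the dstnat rules forward. To lint the live files, concatenate /etc/proftpd/proftpd.conf and /etc/proftpd/tls.conf and pass the text with forwarded_ports=(64000, 65000).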

Connecting with the FileZilla client from the public network

Connection details:

  • Host: ftpes://ftp.example.com
  • Username: sandy
  • Password: **
  • Port: 21

We will be asked to accept the self-signed SSL certificate; compare the fingerprint FileZilla shows with the certificate generated on the server before accepting it.

FileZilla client log:

Status: Resolving address of ftp.example.com
Status: Connecting to 54.X.Y.Z:21...
Status: Connection established, waiting for welcome message...
Response: 220 Private FTP Server
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER sandy
Status: TLS/SSL connection established.
Response: 331 Password required for sandy
Command: PASS 
Response: 230-Welcome sandy from 91.X.Y.Z.
Response: 230-You are user number 1 of 10 allowed.
Response: 230-This is a private FTP system - no anonymous logins. 
Response: 230-You will be disconnected after 10 minutes of inactivity.
Response: 230 User sandy logged in.
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Status: Directory listing successful
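The same exchange, driven from code rather than from FileZilla, as an added example that is not part of the original article or of FileZilla/ProFTPD. The client below sends AUTH TLS, pins the server's self-signed certificate by SHA-256 fingerprint instead of relying on an "accept" click, and refuses to send USER/PASS unless the server answered 234 to AUTH TLS, so there is no silent plaintext fallback; PBSZ 0 and PROT P follow so data connections are encrypted as well. The host name, the password and the scripted server replies (taken from the log above) are assumptions/constructed; the real pin is the output of "openssl x509 -in /etc/proftpd/ssl/server.crt -noout -fingerprint -sha256" run on the server.

```python
import hashlib
import socket
import ssl


class FtpsError(Exception):
    pass


def read_reply(readline):
    """Parse one FTP reply from a bytes readline(); '230-' lines continue until '230 '."""
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise FtpsError("connection closed by server")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return int(line[:3]), "\n".join(lines)


class SocketTransport:
    """Real control connection over TCP, upgraded to TLS in place by starttls()."""

    def __init__(self, host, port=21, timeout=30):
        self.host = host
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("rb")

    def send_line(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))

    def recv_reply(self):
        return read_reply(self.rfile.readline)

    def starttls(self):
        # Self-signed server cert: CA verification cannot work, so login() pins the
        # SHA-256 of the DER cert returned here. TLS 1.2 minimum: raise the page's
        # "TLSProtocol TLSv1" on the server rather than lowering this.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        self.sock = ctx.wrap_socket(self.sock, server_hostname=self.host)
        self.rfile = self.sock.makefile("rb")
        return self.sock.getpeercert(binary_form=True)


class ScriptedTransport:
    """Offline stand-in: replies come from a dict keyed by the exact command sent."""

    def __init__(self, banner, replies, cert_der):
        self.pending, self.replies, self.cert_der, self.sent = [banner], replies, cert_der, []

    def send_line(self, line):
        self.sent.append(line)
        self.pending.append(self.replies[line])

    def recv_reply(self):
        return self.pending.pop(0)

    def starttls(self):
        return self.cert_der


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def login(transport, user, password, expected_fingerprint):
    """Explicit-FTPS login; returns the reply codes seen. USER/PASS leave the client
    only after AUTH TLS got 234 and the cert matched the pin; PBSZ 0 / PROT P then
    make the server encrypt data connections as well."""
    def expect(command, *codes):
        if command is not None:
            transport.send_line(command)
        code, text = transport.recv_reply()
        if code not in codes:
            raise FtpsError("%s -> %d %s" % (command or "banner", code, text.splitlines()[0]))
        return code

    seen = [expect(None, 220)]                 # 220 Private FTP Server
    seen.append(expect("AUTH TLS", 234))      # anything but 234: abort, no plaintext fallback
    got = fingerprint(transport.starttls())
    if got != expected_fingerprint.lower().replace(":", ""):
        raise FtpsError("certificate fingerprint mismatch: " + got)
    seen.append(expect("USER " + user, 331))
    seen.append(expect("PASS " + password, 230))
    seen.append(expect("PBSZ 0", 200))
    seen.append(expect("PROT P", 200))
    return seen


# Constructed server script reproducing the FileZilla log above (replies abridged);
# the certificate bytes and password are placeholders, not real values.
SCRIPT = {
    "AUTH TLS": (234, "234 AUTH TLS successful"),
    "USER sandy": (331, "331 Password required for sandy"),
    "PASS s3cret": (230, "230-Welcome sandy from 91.X.Y.Z.\n230 User sandy logged in."),
    "PBSZ 0": (200, "200 PBSZ 0 successful"),
    "PROT P": (200, "200 Protection set to Private"),
}
FAKE_CERT = b"constructed placeholder, not a DER certificate"
FAKE_PIN = fingerprint(FAKE_CERT)
```

Against the real server, login(SocketTransport("ftp.example.com"), "sandy", password, pin) returns [220, 234, 331, 230, 200, 200] on success, where pin is the colon-separated fingerprint from the openssl command above (colons are stripped). Two behaviours are worth noting: a server that answers anything but 234 to AUTH TLS ends the session with only "AUTH TLS" ever sent, and a fingerprint mismatch does the same, so a downgrade or an interposed certificate never sees the password. The transport's TLS 1.2 floor means it will not connect to the page's TLSv1-only tls.conf until TLSProtocol is raised, which is the intended direction of the fix.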

Bug

When ProFTPD is installed on Ubuntu 14.04, we may notice that the service gets killed when cron runs logrotate:

ProFTPD killed (signal 15)
ProFTPD 1.3.5rc3 standalone mode SHUTDOWN

The workaround is to open "/etc/init.d/proftpd" and change the following line:

start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"

to:

start-stop-daemon --stop --signal $SIGNAL --retry 1 --quiet --pidfile "$PIDFILE"

We can test that ProFTPD is still running after a log rotation by forcing one:

# logrotate -vf /etc/logrotate.conf