6/8/2015

ProFTPD Server - Webmin Documentation

ProFTPD Server
From Webmin Documentation
This page explains the FTP protocol, and then describes how to set up the ProFTPD server and how to configure it for various purposes.
Note: As modern FTP clients support SSH, consider using an SSH server instead of an FTP server, for (much) more security than any FTP server can promise.

Contents
1 Introduction to FTP and ProFTPD
2 The ProFTPD Server Module
3 Running ProFTPD from inetd or xinetd
4 Using the ProFTPD Server module
5 Creating virtual servers
6 Setting up anonymous FTP
7 Restricting users to their home directories
8 Limiting who can login
9 Setting directory listing options
10 Message and readme files
11 Setting per-directory options
12 Restricting access to FTP commands
13 Configuring logging
14 Limiting concurrent logins
15 Restricting clients by IP address
16 Limiting uploads
17 Manually editing directives

Introduction to FTP and ProFTPD
FTP stands for file transfer protocol, and along with telnet and SMTP is one of the oldest protocols still in common use on the Internet. FTP is designed to allow client programs to read, write and delete files on a remote server, regardless of the operating system that the server is running. Essentially, it is a file sharing protocol, but unlike the more common NFS and SMB protocols, it is better suited to use over a slow or high-latency network.
Typically, FTP is used to transfer files from one system to another. Sometimes those files are Linux distribution CD images or RPM packages, downloaded by various client hosts on the Internet from a large server system that hosts them for everyone to access. Other times the files are pages for a web site, uploaded by an FTP client run by the site's owner to a system that runs both the web server and an FTP server.
Even though the FTP protocol has been mostly replaced by HTTP as a method of downloading files, it still has many advantages. The biggest is the ability of clients to upload files to the server, assuming that it has been configured to allow them. Another is a semi-standard directory listing format, which clients can use to fetch a list of files in a directory from the server.
When an FTP client connects to a server, it must first authenticate itself before any file transfers can take place. Often clients will log in as the special anonymous user, which requires no password and is usually configured to be only able to download files. On Unix systems, most FTP servers allow any local user to log in with the same username and password that he would use for telnet or SSH, and give his client access to the same files with the same permissions.
Another unique feature of the FTP protocol is its support for translating files between the data format used on the client and that used on the server. The most common use of this is the conversion of text files between the Unix, Windows and MacOS formats, each of which uses different characters to represent the end of a line. This feature can be disabled for the transfer of binary files such as images, executables and ISOs, as it corrupts non-text data.
Many different FTP client programs exist, from the basic Unix ftp command to browsers like IE and Mozilla. Every modern operating system has at least one, and almost all include a client of some kind as standard. FTP servers are also plentiful, but this chapter focuses on only one: ProFTPD, which in my opinion is the most flexible server available for Unix operating systems.
Even though all varieties of Unix ship with an FTP server as standard, the supplied server is usually either very basic and lacking in features, or the more powerful WU-FTPd. Although the latter has many configurable options, it is not as capable as ProFTPD when it comes to virtual hosting, directory restrictions and locking users into their home directories.
ProFTPD generally uses a single configuration file, found at /etc/proftpd.conf. This file is made up of directives, each of which usually occupies a single line and has a name and value. Each directive sets a single configurable option, such as the name of a hidden file or the path to a welcome message. There are also special container directives for grouping other directives that apply only to a single virtual server or directory, which span multiple lines.

The ProFTPD Server Module
The ProFTPD Server module icon can be found in Webmin under the Servers tab on the main menu. When you click on it, the module's main page as shown in the image below will appear, assuming that you actually have the server installed.

The ProFTPD Server module
If the main page instead displays an error message like *The ProFTPD server /usr/sbin/proftpd could not be found on your system*, then the server is probably not installed and thus the module cannot be used. Most Linux distributions include a ProFTPD package on their CD or website, so use the Software Packages module (covered in chapter 12) to install it. If no package exists, download the source code from www.proftpd.org, compile and install it.
If you already have some other FTP server installed, it should be removed first so that they do not clash.
Another error that the main page might display is *The program /usr/sbin/ftpd does not appear to be the ProFTPD server*. This will occur if Webmin detects that some other FTP server is installed instead. If so, you will need to remove it and install ProFTPD.
ProFTPD can be run in two different modes: either as a stand-alone daemon process that listens for FTP connections, or from a super-server like inetd or xinetd. The former accepts connections faster, but at the cost of more memory being used up by a process that is running all the time. The latter is better for systems that do not expect to receive a lot of FTP traffic, as the ProFTPD program only gets run when it is needed.
Because the stand-alone mode is easier to set up and because memory is plentiful on most systems, this chapter assumes that you will be running it in that mode. To start the ProFTPD server process, follow these steps:
1. In the Internet Services and Protocols module (covered on the Internet Services and Protocols page), make sure that any existing service named ftp has Program disabled or No program assigned selected. This ensures that no FTP service will be run by inetd. If you disable a service, make sure to hit the Apply Changes button on that module's main page to activate your changes.
2. In the Extended Internet Services module, make sure that any services with ftp in their names (such as wuftpd, proftpd, or vsftpd) have their Service enabled? field set to No. Again, you will need to hit the module's Apply Changes button to activate any changes.
3. Back in the ProFTPD Server module, click on the Networking Options icon.
4. Select Stand-alone daemon from the Server type menu.
5. Click the Save button at the bottom of the page.
6. Back on the module's main page, a button labeled Start Server should appear at the bottom. Hit it to start the ProFTPD daemon.
7. If you want the daemon to be restarted at boot time, use the Bootup and Shutdown module to create an action called proftpd that runs the command /usr/sbin/proftpd at boot time. The actual path may be /usr/local/sbin/proftpd or /usr/sbin/in.proftpd depending on which Linux distribution you are running or if you compiled and installed the program yourself instead of using a package. Also, some ProFTPD packages may include a bootup script like this already, which you may just have to enable.
Once ProFTPD has been started, you can test it by using the command-line Unix FTP client to connect to your own system. Just run ftp localhost, and make sure that you can log in as some user other than root. You can verify that the server really is ProFTPD by checking the version displayed by the ftp command just before it prompts for a username, unless it has been configured by default not to display version information.

Running ProFTPD from inetd or xinetd
Setting up ProFTPD to run from a super-server isn't too hard either, and may be a good idea if your system is low on memory or hardly ever receives FTP connections. Before you can do this, you must kill any existing proftpd server process (easily done with the Running Processes module), and disable or delete any action that starts it at boot time.
If your system uses the superior xinetd, follow these instructions to set up the FTP service. Because many packages include an /etc/xinetd.d configuration file for the server, some of the fields explained below may be already filled in correctly.
1. Go to Webmin's Networking category and click on the *Extended Internet Services* icon. If it does not exist, xinetd is not installed and you will need to set up the server using inetd instead.
2. On the module's main page, check for an existing service named ftp or proftp. If one exists, click on it; otherwise, follow the Create a new internet service link above or below the table.
3. In the Service name field, enter ftp (unless it has already been filled in).
4. Make sure the Yes option is selected in the Service enabled? field.
5. Leave the Bind to address field set to All, and the *Port number* to Standard or 21.
6. Select Stream from the Socket type menu, and Default or TCP from the Protocol list.
7. In the Service handled by field, select the Server program option and enter the path to the proftpd executable (such as /usr/sbin/proftpd) into the adjacent text box. The path depends on whether you installed the program from a package or compiled it from the source code.
8. In the Run as user field, enter root.
9. Select No for the Wait until complete? field.
10. Leave all the other fields set to their defaults, and hit the Save or Create button at the bottom of the form.
11. Back on the module's main page, click the Apply Changes button below the list of services.
Alternately, to set up an inetd service for ProFTPD using the Internet Services and Protocols module, follow these steps:
1. Go to Webmin's Networking category and click on the *Internet Services and Protocols* icon. If it does not exist, your system is probably using xinetd instead; see the steps in the previous paragraph for instructions on how to configure it.
2. On the module's main page, click on ftp in the *Internet Services* table. If it is not visible, enter ftp into the *Edit service* field and hit the button. Either way, the same page for editing the FTP protocol service will be displayed.
3. In the Server Program section, select Program enabled.
4. In the Program field, select the Command option and enter the full path to the ProFTPD server executable into the field next to it, such as /usr/sbin/proftpd. In the Args field, enter just proftpd. The path depends on whether you installed the program from a package or compiled it from the source code.
5. Set the Wait mode to Don't wait, and enter root in the Execute as User field. All others can be left unchanged.
6. Click the Save button, and then back on the module's main page hit Apply Changes.
Once ProFTPD has been set up to run from inetd or xinetd, you can test it by using the command-line Unix FTP client to connect to your own system. Just run ftp localhost, and make sure that you can log in as some user other than root. If your test connection fails with an error like Service not available, the most likely cause is that ProFTPD is configured to run as a stand-alone server. This can be easily fixed by following these steps:
1. Go to the ProFTPD Server module and click on the *Networking Options* icon on the main page.
2. From the Server type menu in the form that appears, select Run from Inetd.
3. Hit the Save button at the bottom of the page.
The instructions in the rest of this chapter will work fine no matter which mode ProFTPD is running in. The only difference is that the Apply Changes button will not appear on the main page, as there is no need to restart a server process for any configuration changes to take effect. Instead, changes will apply to the next FTP session that is started.

Using the ProFTPD Server module
ProFTPD uses a very similar configuration file format to Apache, and so the user interface for this module is the same in many ways as the Apache Configuration module. At the highest level in the configuration are global settings that affect the entire server. Below them are virtual servers, and then anonymous FTP options, per-directory options and options that apply only to certain FTP commands.
The options that apply to each connection or FTP command are determined by the virtual server connected to, the type of login, the directory the requested file is in and the specific FTP command used. Options set by objects lower in the hierarchy override those at upper levels, so that you can prevent uploading to a server, but allow it for a directory. Similarly, options for a more specific directory (like /usr/local/upload) override those for its parents (such as /usr/local).
A special case is the default server, which defines settings for clients that do not connect to any specific virtual server. Unlike Apache, options set in the default server do not affect virtual servers. Instead, if you want to specify some setting that affects all of them it must be in the special global section of the ProFTPD configuration. This applies to directory and FTP command specific options as well.
The module has a page for editing options for each object in the tree, which contains icons linking to objects further down. For example, on the virtual server options page are icons for the various categories of options that apply to that server (such as logging, and user and group), along with icons for any directories or FTP commands that have their own options within the virtual server. There is also an icon for options specific to anonymous FTP connections.
On each page in the hierarchy are forms for adding objects (such as a directory or group of FTP commands) under it, and a Configure icon for changing or deleting the current object. Every page also contains an Edit Directives icon allowing you to view and manually change the ProFTPD directives for the directory, virtual server or whatever it is that the page represents. The exception is the default server page, which has no such icons because it cannot be changed or deleted and because its directives cannot be separated from the rest of the configuration file.
At first glance, some of the forms in the module may appear daunting as they display fields for almost all of the available ProFTPD options in some category related to an object. However, many of these options are extremely specialized and can be ignored most of the time. The steps in the various sections of this chapter explain which ones you need to modify to achieve some result; the others can be left alone, as their defaults are usually adequate.
Because each new version of ProFTPD that is released supports new directives, this module can detect the version that you are running and adjust its user interface to display only those fields that are valid for your version. This means that the forms may not look exactly the same on all systems, and that some parts of the instructions in this chapter may not be valid for your FTP server if you are running an older release.

Creating virtual servers
Probably ProFTPD's most useful feature is its support for virtual FTP servers. This allows you to define a totally different set of options that apply to clients connecting to a particular IP address. In most ways, they are similar to Apache's IP-based virtual servers, which most website administrators should be familiar with.

Virtual servers are only really useful if your system has multiple IP addresses. Typically, this is done by adding additional virtual IP addresses to your Internet-connected network interface, as explained on the Network Configuration page. As usual, any extra IP addresses must be properly routed to your system: if you are connected to an ISP and assigned only a single static address, you cannot just add additional virtual interfaces and expect them to work. Unlike Apache, ProFTPD does not support name-based virtual servers because there is no provision in the FTP protocol for them. Clients never tell the server the hostname that they are connecting to, so the FTP server can only use the IP address that a connection was received on to determine which virtual server the client wants.
When your system receives an FTP connection, ProFTPD will compare the connected address with those of all configured virtual servers. The first one to match defines the options that apply to the connection. If no match is found, the default server is used instead.
To add a new virtual FTP server to your system, the steps to follow are:
1. In the Network Configuration module, add a new virtual IP address to the external network interface on your system. Make sure that it will be activated at boot time and is active now.
2. Back in the ProFTPD Server module, scroll down to the *Create virtual server* form at the bottom of the main page.
3. In the Address field, enter the IP address that you just assigned. It should not be used by any other virtual server already defined.
4. Leave the Port field set to Default.
5. In the Server name field, select the second radio button and enter a name for this server that will be displayed to connecting clients. For example, you could enter _Example Corporation's FTP server_. If Default is selected, clients will see a message like ProFTPD 1.2.2rc2 Server instead.
6. Hit the Create button to add the server. Once it has been created, you will be taken to the new server's options page.
7. Return to the module's main page and click the Apply Changes button to make it active.
Once a virtual server has been created, you can set options that apply to it by clicking on its icon on the main page, then on one of the category icons. Some of these are explained in more detail later in the chapter. It is also possible to change the attributes of a virtual server by clicking on the Configure Virtual Server icon, editing the fields on the form (which have the same meanings as those on the creation form) and clicking Save. Or you can remove it altogether by hitting the Delete virtual server button on the configuration form.

Setting up anonymous FTP
In its default configuration, ProFTPD will generally allow all Unix users to log in with their normal passwords and access all files on the system with the same permissions that they would have if logged in via telnet or SSH. Some packages also have anonymous FTP enabled for the default server as well, so that anyone can connect as the anonymous user and view files in a specific directory. To set up anonymous FTP for a new virtual server, configure what clients can do and which directories they can access, follow these steps:
1. On the module's main page, click on the icon for the default or virtual server that you want to configure anonymous FTP for.
2. On the virtual server options page, click on the *Anonymous FTP* icon. If this is the first time that it has been set up for this server, a small form will appear for entering anonymous FTP settings.
3. In the Limit to directory field, enter the directory that anonymous clients should be restricted to, such as /home/example.com/anonftp.
4. In the Access files as user option, select the second radio button and enter the name of an unprivileged Unix user such as ftp or nobody. Clients will not only be restricted to the chosen directory, but will also be only able to access files with the permissions of that Unix user. Naturally, you should make sure that it can actually read and list the directory and files that it contains. This user must not be in ProFTPD's denied list, or have an invalid shell. See the Limiting who can login section later in the chapter for more information on editing this list and allowing users with any shell.
5. If you are happy for clients to use the group permissions of the user set in the previous field, leave the *Access files as group* field set to Default. Otherwise, select the second radio button and enter a group name into its field.
6. Hit the Create button to set up the initial anonymous FTP configuration. Assuming it is successful, the browser will be redirected to the anonymous FTP options page on which are icons for the various categories of configurable options that relate to anonymous FTP connections.
7. Click on Authentication and in the Username aliases table enter anonymous under Login username, and the name of the user that you chose in step 4 under Real username. This tells ProFTPD that clients logging in as anonymous should be given the permissions of that user.
8. Click the Save button to return to the anonymous FTP options page.
9. In the FTP commands field, enter WRITE and hit the Create button to start the process of defining options that apply to FTP commands that modify data on the server. You will be taken to the per-command options page.
10. Click on the Access Control icon, and select Deny all clients in the Access control policy field. This tells ProFTPD to block attempts by anonymous clients to upload, delete or rename files.
11. Click the Save button.
12. Return to the module's main page, and hit Apply Changes. To make sure that everything is working, try logging into the virtual server as the anonymous user and downloading some files.
If you are using your system to host multiple web and FTP sites for different customers, each can be given his own virtual anonymous server to make files available to people via FTP. Browsers assume that ftp:// URLs require an anonymous login and most don't deal well with FTP servers that require authentication.
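The virtual server from the previous section and the read-only anonymous setup from the steps above correspond roughly to the following /etc/proftpd.conf fragment. It is an added illustration, not output captured from Webmin or text from the original page; the address 192.0.2.10 is a constructed documentation value, and the mapping from Webmin field labels to directive names is the editor's reading.

```apache
# Added example: an IP-based virtual server with read-only anonymous FTP.
# 192.0.2.10 is a constructed address; use the virtual IP you assigned.
<VirtualHost 192.0.2.10>
  # "Server name" field: the text shown to connecting clients.
  ServerName "Example Corporation's FTP server"

  # "Limit to directory" field: anonymous sessions are confined to this tree.
  <Anonymous /home/example.com/anonftp>
    # "Access files as user": an unprivileged account that is not in
    # /etc/ftpusers and has a shell listed in /etc/shells.
    User ftp
    # "Access files as group": optional. Leaving it out matches the
    # Default choice in step 5 (the user's own group permissions).
    Group ftp

    # "Username aliases" table: login name "anonymous" maps to the real
    # user chosen above.
    UserAlias anonymous ftp

    # Per-command options for WRITE with "Deny all clients": blocks
    # upload, delete and rename for anonymous sessions.
    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>
</VirtualHost>
```

If the `<Limit WRITE>` block is missing, write access for anonymous clients is limited only by the Unix permissions of the account named in `User`, so check that the block is present after any manual edit.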

Restricting users to their home directories
By default, clients that log in to ProFTPD as a valid Unix user (not anonymous) can browse your system's entire filesystem, just as they could if the user logged in via SSH or telnet. However, this is not always desirable on a system that has multiple untrusted users whom you want to prevent seeing each other's files. Even though Unix permissions can be used to stop users listing each other's directories, they cause problems if you are also running a web server and need its httpd user to have access to everyone's files.
Fortunately, ProFTPD makes it easy to restrict users to their home directories or to some other directory. Because this only applies to FTP connections, it is pretty useless if those same users can telnet or SSH in. However, it is easy to allow a user to connect only via FTP by giving him a shell like /bin/false. On a virtual hosting server, users only really need to upload files for their websites and do not need Unix shell access at all. Just make sure that /bin/false or whatever non-functional shell that you choose is included in the /etc/shells file so that ProFTPD does not deny the users access.
To restrict the directories that FTP clients can access, follow these steps:
1. If you want the restriction to apply to only a single virtual server, click on its icon on the module's main page and then on the Files and Directories icon on the virtual server options page. However, this is not advisable as it may allow users to avoid the restriction by connecting to another virtual server. Instead, you should just hit the Files and Directories icon in the Global Configuration section on the main page; any restrictions defined on it will apply to all servers. Either way, the page for configuring how the server lists directories and which ones are available (shown in the screenshot below) will appear.
2. The Limit users to directories field is actually a table that allows you to enter one directory limitation at a time. It will always have one blank row, and if this is the first such restriction you have created that is all it will contain. In the Directory column, select Home directory if that is where you want users to be restricted to. Alternately, you can select the third radio button and enter a path like /home or /var/www to confine users to that directory. It is also possible to enter a path relative to the users' home directories, such as ~/public_html. In the Unix groups column, either select Everyone to have the restriction apply to all users, or select the second radio button and enter a group name to have it apply only to the members of that group. Multiple groups can be entered by separating their names with commas, like users,staff.
3. Click the Save button to return to the virtual server options page. If you want to add another restriction (such as for a different group and directory), click on Files and Directories again and fill in the new blank row in the table.
4. When done, return to the module's main page and hit the *Apply Changes* button to make the restrictions active.

The files and directories form
From now on when restricted users connect, they will be unable to see files outside the specified directory or even work out which directory they have been limited to. Unlike some other FTP servers that support this kind of restriction, there is no need to copy any files or libraries like /bin/ls into the directory, as ProFTPD does not depend on any external programs.

Limiting who can login
ProFTPD does not allow every Unix user to log in, even if they have valid usernames and passwords. The separate /etc/ftpusers file lists users who are not allowed to authenticate, which typically includes system accounts such as bin, daemon and uucp. In addition, there is a separate configuration option that controls whether the root user is allowed to log in or not. By default it is not, because passwords sent by the FTP protocol are not encrypted and thus allowing root to authenticate could be a major security risk.
ProFTPD also by default prevents users without a valid shell from logging in. A valid shell is one listed in the /etc/shells file. This feature can be useful for preventing a large group of users from logging in, such as those that are supposed to be only able to connect to a POP3 server to download their email. However, it can be turned off if necessary.
To edit the list of denied users and other login restrictions, follow these steps:
1. On the module's main page, click on the Denied FTP Users icon. In the form that appears is a text box listing all blocked Unix users. Edit it to add or remove any that shouldn't or should be allowed to log in, and hit the Save button.
2. To allow the root user to connect, click on the Authentication icon and change the Allow login by root? field to Yes.
3. To allow users with unlisted shells to log in, change the *Only allow login by users with valid shell?* field to Yes as well.
4. Hit the Save button to return to the main page, then click Apply Changes to make the new restrictions active.

The options for allowing the root user and users with invalid shells to log in can also be set on a per-virtual server basis as well, under the Authentication icon on the virtual server options page. However, it is not generally useful from a security point of view to allow clients of just a single server to log in, as users can choose any server to connect to.
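The home directory restriction and the login restrictions from the last two sections, written as a global block in /etc/proftpd.conf. This is an added example, not taken from the original page or from Webmin's output; the directive names are ProFTPD's, and the values shown are the restrictive settings the text describes as defaults or recommends.

```apache
# Added example: restrictions placed in <Global> so that they apply to the
# default server and every virtual server, as the text advises.
<Global>
  # "Limit users to directories" with Home directory / Everyone:
  # every authenticated user is confined to their own home directory.
  DefaultRoot ~

  # Group-limited variant of the same table row. The second argument is a
  # group expression in which commas mean AND: this line would apply only
  # to users who are members of both users and staff. To confine members
  # of either group, use one DefaultRoot line per group.
  # DefaultRoot /var/www users,staff

  # "Allow login by root?" left at No: FTP sends passwords unencrypted.
  RootLogin off

  # Honour the denied list in /etc/ftpusers (bin, daemon, uucp and so on).
  UseFtpUsers on

  # Only accept accounts whose shell appears in /etc/shells. FTP-only
  # accounts with /bin/false still work if /bin/false is listed there.
  RequireValidShell on
</Global>
```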

Setting directory listing options
Normally, when an FTP client requests a directory listing ProFTPD will return a complete accurate list in the format produced by the ls -l command. Sometimes though this gives away too much information about your system, such as the names of users and groups or symbolic link destinations. Often it can be useful to hide certain files that are not relevant to clients but must be kept in an FTP-accessible directory for other reasons. This kind of information hiding is best applied to anonymous FTP users, as they should not be able to discover anything about your system that they do not need to know.
To change the format of directory listings, follow these steps:
1. On the module's main page, click on the icon for the default or virtual server that you want to change directory listings for to bring up its options page.
2. Assuming that you want to only change the listed information for anonymous clients, click on the Anonymous FTP icon to go to the anonymous FTP options page. Otherwise normal Unix users will be affected as well.
3. Click on the Files and Directories icon to bring up a form similar to the one in Figure 403 for setting the various listing options.
4. To hide files with certain group owners, enter one or more group names separated by spaces into the *Hide files owned by groups* field. Be aware that files hidden in this way can still be downloaded, renamed or deleted unless Unix permissions or the server's configuration prevents it.
5. Similarly, to hide files with certain user ownership, fill in the Hide files owned by users field with a list of Unix usernames.
6. To hide files that the anonymous FTP user would not be able to read, change the Hide files that cannot be accessed? field to Yes.
7. To have ProFTPD convert symbolic links in listings to their target file permissions and size, change the *Show symbolic links?* field to Yes. Normally both the link and target name are shown, and the displayed permissions and ownership are those of the link. However, even with this feature enabled the link target must still be within the anonymous FTP directory.
8. Normally, directory listings include the real user and group owners of files. To change this, set the *Fake group in directory listings?* field to Yes, as group. Then from the box below select either ftp to force the group owner to be always shown as ftp, or the third radio button to have it shown as whatever group you entered into the adjacent text box. The *Connected group* option only really makes sense for non-anonymous clients, as it makes files appear to be owned by the primary group of the connected user.
9. Similarly, you can change the Unix user owner of files with the Fake user in directory listings? field. If *Connected user* is chosen, files will appear to be owned by the user currently logged into the FTP server.
10. By default, ProFTPD will show real Unix file permissions in listings. To force the display of fakes instead, select the second option in the Fake permissions in directory listings field and enter an octal number like 0644 of the kind used by the chmod command. This has no effect on the actual permissions that apply if a client tries to download or upload a file of course.
11. To hide dot files like .login and .profile in listings (as the ls command usually does), set the *Show files starting with . in listings?* field to Yes.
12. Finally, hit the Save button at the bottom of the page to update the ProFTPD configuration file.
13. Return to the module's main page and press the Apply Changes button to make the settings active.
As well as hiding certain files (as explained in steps 4 and 5), you can also prevent clients from reading or writing those files altogether. This can be done using the Make hidden files inaccessible? field, explained in the Restricting access to FTP commands section later in the chapter.
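The listing options above, applied to anonymous clients only, as they could appear in /etc/proftpd.conf. This is an added example rather than configuration from the original page; the hidden owner names staff and root are illustrative values, and the mapping of each Webmin field to a directive is the editor's reading.

```apache
# Added example: information hiding for anonymous directory listings.
<Anonymous /home/example.com/anonftp>
  User ftp
  UserAlias anonymous ftp

  # "Fake user / Fake group in directory listings?": show every file as
  # owned by ftp:ftp instead of the real owners.
  DirFakeUser on ftp
  DirFakeGroup on ftp

  # "Fake permissions in directory listings": cosmetic only, real Unix
  # permissions still decide what can be downloaded or uploaded.
  DirFakeMode 0644

  <Directory *>
    # "Hide files owned by groups / users" (illustrative names).
    HideGroup staff
    HideUser root

    # "Hide files that cannot be accessed?": omit entries the ftp user
    # has no permission to read.
    HideNoAccess on

    # "Make hidden files inaccessible?": without this, files hidden from
    # listings can still be fetched or changed by a client that knows
    # the name.
    <Limit READ WRITE>
      IgnoreHidden on
    </Limit>
  </Directory>
</Anonymous>
```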

Message and readme files
ProFTPD can be configured to display messages to clients when they log in or enter certain directories. This can be useful for notifying users of possible mirror sites, the locations of various common files on the server, and the details of the contents of a directory.
To set the messages that are displayed to clients, follow these steps:
1. If you want the messages to be used by all virtual servers, click on the Authentication icon on the module's main page. To set messages for a specific virtual server, click on its icon and then on Authentication on the server options page. Either way, the same form will be displayed. It is also possible to set most of the message file options below for only anonymous clients by clicking on the Anonymous FTP icon on the virtual server page and then on Authentication. Naturally, you cannot set the pre-login message because the server does not know if a client is anonymous or not at that stage.
2. In the Pre-login message file field, enter the full path to a file whose contents should be sent to clients as soon as they connect. If you don't want any message file to be used at all, select None instead.
3. In the Post-login message file field, enter the path to a text file whose contents will be sent to clients after they have been properly authenticated. If the client is limited to a directory (because it logged in anonymously or has a home directory restriction in force), the file must be within and relative to that directory. If the filename is relative (like welcome.txt), it will be searched for in the directory that the client is initially placed in.
4. To set a message sent to clients when they request to disconnect, fill in the Logout message file field. Again, this must be relative to and under any directory that the client is restricted to.
5. If you have a restriction on the maximum number of simultaneous logins in force, you can set the message sent to clients blocked by it by filling in the Too many connections message file field. You should enter a full path, which can be anywhere on your system. See the Limiting concurrent logins section for more details.
6. Hit the Save button at the bottom of the page to go back to the global, virtual server or anonymous FTP options page.
7. Click on the Files and Directories icon on the same page.
8. In the Directory README filename field, enter a relative name like readme.txt that will be searched for in each directory that a client enters. If this is the first time the client has entered the directory in this session (or if the file has changed since the last time), its contents will be sent to the FTP client.
9. To have the server send a message to clients suggesting that a particular file should be read, fill in the *Notify user of readme files matching* field. If files in the directory matching the specified regular expression (like README.*) exist, a short message containing their names and modification times will be sent.
10. Click the Save button on this form, then return to the module's main page. Finally click the Apply Changes button to activate the new message file settings.
The files sent to the client by the options covered above can contain certain special cookies that start with a %, which are replaced by ProFTPD with text determined at the time of sending. According to the ProFTPD documentation, the currently supported cookies are:
Not all may make sense in all situations though; for example, %U will not be set in the pre-login message file.

Setting per-directory options
The ProFTPD module allows you to set options that apply only to a specific directory, rather than globally or to an entire virtual server. This allows you to do things like hide a directory from clients, allow uploads by anonymous clients in just one location, or set the user and group ownership of files added to a directory.
To create a new set of per-directory options, follow these steps:
1. If you want the options to apply to all virtual servers, enter the directory into the Directory path field in the *Add per-directory options for* form on the module's main page and hit the Create button. Alternately, you can limit them to a particular virtual server by clicking on its icon and using the same form on the virtual server options page. Or you can define options that only apply to anonymous clients by hitting the Anonymous FTP icon for a virtual server and using its directory options creation form. In all cases, the directory should be entered as an absolute path like /usr/local. It is also possible to specify a path relative to the connecting user's home directory, like ~/public_html. You can even enter a path in a particular user's home directory, like ~jcameron/www. Normally, the options will apply to the directory and all its contents and subdirectories. To have them apply to only the contents and not the directory itself, add /* to the end of the path that you enter, like /usr/local/*.
2. After hitting Create, you will be taken to a page of option category icons for the directory as shown in Figure 404. As usual, clicking on these icons will take you to forms for configuring various settings that apply only to requests for and listings of that directory.
3. To totally deny access to clients, click on Access Control and change the Access control policy field to Deny all clients, then click Save.
4. Normally, files uploaded by clients will end up owned by the Unix user that the client logged in as. To change this, click on the User and Group icon and enter a username for the *Owner of uploaded files* field. Uploaded files' group will be the primary group of the specified user, unless you fill in the Group owner of uploaded files field as well. Again, click Save after making any changes to return to the per-directory options page.
5. To limit only the uploading or downloading of files in this directory, you will need to create a set of per-command options under it. The Restricting access to FTP commands section explains how.
6. To activate your changes for this directory, return to the module's main page and hit the Apply Changes button.

The per-directory options page
You can also remove a directory options object from the ProFTPD configuration entirely by clicking on Configure Directory and then hitting the Delete directory config button. All settings and per-command options for the directory will be immediately and permanently deleted from the FTP server's configuration.
If you define options for both a directory and one of its children (such as /usr/local and /usr/local/bin), ProFTPD will always give precedence to the most specific directory when deciding which options to apply to a particular client request. This means that a setting made for /usr/local will apply to a download of /usr/local/bin/foo, unless it is overridden by a setting for /usr/local/bin.

Restricting access to FTP commands
When a client wants to download or upload a file, list a directory or perform any other operation it sends a command to the server. ProFTPD can be configured to restrict which commands a client can use for a particular virtual server or directory, or when logged in anonymously. However, before you can do this you need to have a basic understanding of which FTP commands exist and what they do. The table below lists the ones that are relevant for access control purposes:

ProFTPD allows you to define options that only apply to particular client commands or groups of commands. Typically, this is used to deny access to certain operations, such as uploading by anonymous FTP users. It is also possible to allow or deny only certain Unix users, or only clients connecting from certain addresses.
To create a new set of per-command options, follow these steps:
1. First decide if the options should apply to commands only in a particular directory, only to clients of a virtual server, only to anonymous clients or to all users of your FTP server. On the per-directory, virtual server, anonymous FTP and main pages is a form titled Add per-command options for. In the FTP commands field, enter one or more commands from the list above, separated by spaces. When you hit the Create button, your browser will be taken to the page shown in Figure 405.
2. Click on the Access Control icon to bring up a form for restricting who can use these commands.
3. To completely deny access to everyone, change the *Access control policy* field to Deny all clients. Conversely, to allow access select Allow all clients instead. This is most useful if you are editing options for commands within a directory and there is a set of options for the same commands at a higher level (such as for the virtual server or anonymous FTP) that denies access. For example, typically anonymous clients cannot use the WRITE commands, but you may want to allow it for a particular directory.
4. To only allow certain Unix users or members of certain groups access to the commands, fill in the Only allow users and Only allow group fields. Multiple user or group names must be entered separated by spaces.
5. Similarly, to deny certain users and groups while allowing everyone else access to the FTP commands, fill in the *Deny users* and Deny groups fields.
6. The Restrict access table can be used to block clients from certain IP addresses by entering a series of rules. The three radio buttons at the top control the order in which entries in the table are evaluated. If Deny then allow is selected, any client that matches a Deny row or which does not match an Allow row will be blocked. Conversely, if Allow then deny is chosen only clients that match a Deny row and do not match an Allow will be prevented from using the commands. This mode is also the default. The table will always have one empty row for adding a new rule, and because this is a new set of per-command options that is all it will contain. In the empty row select either Allow or Deny from the Action menu. Then from the Condition menu choose one of the following to determine which clients match and thus are allowed or denied.
All
All clients match, no matter where they are from.
None
No clients match the rule.
IP address
Only clients from the IP address entered in the adjacent text field match.
Network
Only clients from the IP network entered match. The network address must be a partial IP with a trailing dot, like 192.168.1..
Hostname
Only clients whose IP address reverse-resolves to the entered name match. You can specify an entire domain by putting a dot at the front, like .example.com.
If you want to add more than one rule, you will need to re-enter this page after saving so that a new blank row appears. To delete a rule, select the blank option from the Action menu.
7. When you are done choosing who can use the FTP commands, hit the Save button. Then return to the module's main page and click Apply Changes to make the restrictions active.

The per-command options page

Configuring logging
By default, ProFTPD logs all transfers to the file /var/log/xferlog in the standard FTP logging format (unless a different path has been selected at compile time). However, you can configure the server to log transfers to and from each virtual server differently, and anonymous FTP traffic as well. This is most useful in a virtual hosting environment, in which your system hosts FTP sites for many different customers.
It is also possible to define additional log files that use different formats, and optionally include only a subset of FTP commands. This can be useful if you only care about uploads, and don't want your log files clogged up with useless information.
To configure where and how logs are written globally or for an individual virtual server, the steps to follow are:
1. If you want to change the location of the global log file that is used for all transfers (unless overridden by a virtual server), click on the Logging icon on the main page. Alternately, if you want to configure a specific virtual server to use a different log file, click on its icon and then on Logging on the virtual server options page. To change the logging settings for anonymous clients only, click on a virtual server icon, then on Anonymous FTP and finally on the Logging icon on the anonymous FTP options page.
2. On the resulting logging options form, the *FTP transfers logfile* field controls where logs are written to. To specify a file, select the last option and enter a full path like /var/log/example.com.xfers into the adjacent text field. To turn off logging altogether, select Logging disabled. To use the global default, select the Default option (if you are editing the global logging settings, ProFTPD will use the compiled-in default log file /var/log/xferlog).
3. The Custom logfiles table can be used to define additional logs for specific commands and with arbitrary formats. As usual, it will always have one empty row for adding a new custom log file. To add one, fill in the fields under these headings:
Logfile
The full path to the log file, such as /home/example.com/ftplog.
For FTP commands
If All is selected, all FTP commands will be logged. However, if you choose the second option only those command classes in the adjacent text box will be included. Recognized classes are NONE (no commands), ALL (all commands), INFO (information requests), DIRS (directory navigation), READ (file download), WRITE (file upload and directory creation), SITE (non-standard commands like CHMOD) and MISC (other miscellaneous commands). Multiple classes must be separated by
commas, like READ,WRITE. You cannot use the names documented in the Restricting access to FTP commands section.
Log format
If Default is selected, the standard FTP log format will be used. But if the second option is chosen, you must enter a recognized log format name into the text box. The next paragraph explains how to set up named log formats.
Because only one empty row appears in the table, you can only add one custom log at a time. To add more, click on the Logging icon again after saving and fill in the new blank row. To delete a custom log, just clear out its field in the Logfile column.
4. Hit the Save button to save the new settings, and then *Apply Changes* on the main page to activate them.
If you want to use your own custom formats for log files, they must first be defined globally. The steps to create a format are:
1. On the module's main page, click on the Logging icon to bring up the global log file options page.
2. The Custom log formats table is for defining your own formats. In the first blank field under Format name, enter a short name for your new format such as filesonly. In the field next to it under Format string, enter text containing the log codes recognized by ProFTPD, like Downloaded %f at %t. The special codes in the string starting with % are replaced by the server with information about the command, as explained in the table below. As usual, you can add more than one custom format by re-entering the page after saving so that a new blank row appears. A format can be deleted by just clearing out its Format name field.
3. Click the Save button to return to the main page, and then click Apply Changes. The new format can now be used in custom log files.

Limiting concurrent logins
If your system is configured to allow anonymous FTP logins and you expect to receive a lot of traffic, it makes sense to limit the number of connections that can be open to the FTP server at any one time. This puts a ceiling on the network and CPU load that FTP transfers can generate, which is important if the system is being used for some other purpose (such as running a web server).
This limit can be set globally, on a per-virtual-server basis or just for anonymous clients. This means that you can set a limit that applies to all servers, and then increase or decrease it for a particular virtual host. Or you can set a lower limit for anonymous clients versus those that have valid logins.
ProFTPD can also be configured to limit the number of concurrent connections that a single client host can have. This is useful if you want to stop people downloading more than one file at a time from your server, and thus taking more than their fair share of bandwidth.
To set a connection limit for your server, follow these steps:
1. If you want to set a global limit, click on the *Networking Options* icon on the module's main page. To set a limit for a single virtual server, click on its icon and then on *Networking Options*. To define a limit that applies only to anonymous clients, click on the icon for a virtual server, then on *Anonymous FTP* and finally on the Networking Options icon on the anonymous FTP options page.
2. On the form that appears, find the Maximum concurrent logins field. To set a limit, select the third radio button and enter a number in the text box next to it. Alternately, you can select Unlimited to turn off any restriction that applies to this virtual server that has been set globally.
3. To define an error message sent to clients that try to connect when the limit has been reached, enter it into the *Login error message* box in the Maximum concurrent logins field. If the message contains the special code %m it will be replaced with the maximum allowed number.
4. To set the per-client-host limit, fill in the *Maximum concurrent logins per host* field in the same way. It also has a *Login error message* box that can be used to set a message sent to FTP clients that exceed the limit.
5. If you are editing the global networking options, you can also set a limit on the total number of ProFTPD sub-processes that can be active at any one time. This is useful for protecting your system from denial of service using hundreds of useless connections. Just select the second option for the *Maximum concurrent sessions* field and enter a number into its adjacent text box. If Default is selected, no limit will be enforced. If you are running the server from a super-server like inetd or xinetd, this limit will have no effect. Fortunately, both those servers have configuration options that can be used to achieve the same result.
6. When you are done editing client restrictions, hit the *Save* button at the bottom of the form to update the ProFTPD configuration, and then the Apply Changes button back on the main page.

Restricting clients by IP address
By default, ProFTPD will allow clients to connect from any IP address. However, like everything else this is configurable so that you can restrict access to systems on your own network, either globally or for particular virtual servers. This comes in handy if you are setting up an FTP server that is for internal use only, even though the system it is running on is accessible from the Internet.
To restrict clients by address, follow these steps:
1. To create a global restriction that will apply to all virtual servers, enter LOGIN into the FTP commands field of the Add per-command options for form on the module's main page, then click Create. If you only want to limit who can connect to a particular virtual server, click on its icon before entering LOGIN into the same form on the virtual server options page.
2. Regardless of what level the restriction is being defined at, you will be taken to the per-command options page shown above. Click on the Access Control icon to go to the aptly named access control form.
3. The Restrict access table can be used to block clients from certain IP addresses by entering a series of rules. The three radio buttons at the top control the order in which entries in the table are evaluated. If Deny then allow is selected, any client that matches a Deny row or which does not match an Allow row will be blocked. Conversely, if Allow then deny is chosen only clients that match a Deny row and do not match an Allow will be prevented from logging in. This mode is also the default. The table will always have one empty row for adding a new rule, and because this is a new set of per-command options that is all it will initially contain. In the empty row select either Allow or Deny from the Action menu. Then from the Condition menu choose one of the following to determine which clients match and thus are allowed or denied.
All
All clients match, no matter where they are from.
None
No clients match the rule.
IP address
Only clients from the IP address entered in the adjacent text field match.
Network
Only clients from the IP network entered match. The network address must be a partial IP with a trailing dot, like 192.168.1..
Hostname
Only clients whose IP address reverse-resolves to the entered name match. You can specify an entire domain by putting a dot at the
front, like .example.com.
If you want to add more than one rule, you will need to re-enter this page after saving so that a new blank row appears. To delete a rule, select the blank option from the Action menu.
4. When you are finished entering client restrictions, hit the Save button at the bottom of the form. Then return to the main page and click Save and Apply to activate them.
Commonly, you will want to give only clients on a single network access. To do this, select the Deny then allow option, choose Allow from the Action menu, Network from the Condition menu and enter the network address with a trailing dot (like 10.254.1.) into the condition text box.
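
The two evaluation orders described in this section and in Restricting access to FTP commands can be checked against sample clients before you hit Apply Changes. The sketch below is an added example, not Webmin or ProFTPD code: it parses a `<Limit>` block written with ProFTPD's Order, Allow and Deny directives and applies each order as the text states it. The sample block is constructed, the assumption is that the Restrict access table is stored in this form, the function names are hypothetical, and only IPv4 addresses are handled.

```python
import re

# Constructed sample: the single-network LOGIN restriction from the text,
# written with ProFTPD's Order / Allow / Deny directives (assumed layout).
SAMPLE_LIMIT = """
<Limit LOGIN>
  Order deny,allow
  Allow from 10.254.1.
</Limit>
"""

def parse_limit(text):
    """Return (order, rules); rules is a list of (action, condition)."""
    order, rules = "allow,deny", []       # Allow then deny is the default
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith(("<", "#")):
            continue                      # blank line, section tag, comment
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny"):
            args = words[1:]
            if args and args[0].lower() == "from":
                args = args[1:]
            for cond in " ".join(args).replace(",", " ").split():
                rules.append((key, cond))
    return order, rules

def matches(cond, ip, rdns=None):
    """True if one condition matches; rdns is the reverse-resolved name."""
    cond = cond.lower()
    if cond in ("all", "none"):
        return cond == "all"
    if re.fullmatch(r"[0-9.]+", cond):
        # Trailing dot: network prefix. Otherwise: one exact IPv4 address.
        return ip.startswith(cond) if cond.endswith(".") else ip == cond
    if rdns is None:
        return False                      # hostname rule, no reverse record
    name = rdns.lower().rstrip(".")
    # Leading dot: whole domain. Otherwise: one exact hostname.
    return name.endswith(cond) if cond.startswith(".") else name == cond

def client_allowed(order, rules, ip, rdns=None):
    """Apply the table in the selected order, as the text describes it."""
    allow = any(matches(c, ip, rdns) for a, c in rules if a == "allow")
    deny = any(matches(c, ip, rdns) for a, c in rules if a == "deny")
    if order == "deny,allow":
        # Blocked when a Deny row matches or no Allow row matches.
        return allow and not deny
    # Allow then deny: blocked only when a Deny row matches and no Allow does.
    return allow or not deny

if __name__ == "__main__":
    order, rules = parse_limit(SAMPLE_LIMIT)
    for ip in ("10.254.1.77", "10.254.10.5", "192.168.1.5"):
        print(ip, client_allowed(order, rules, ip))
```

Under the default Allow then deny order the same single Allow row blocks nobody, which is why the text selects Deny then allow for the single-network case.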

Limiting uploads
If clients are allowed to upload files to your server, they will be able to choose any name that they wish for uploaded files. Sometimes this is not desirable though; you may want to allow the storing of only image files whose names end with .gif or .jpg, or prevent the uploading of Windows executables with filenames ending in .exe or .com. Fortunately, ProFTPD has configuration options that allow you to set this up.
There are also several other settings that apply to uploads, which control whether clients are allowed to overwrite files and if partially transferred files are visible. All can be set globally, for a single virtual server or for anonymous clients only. The steps to set these options are:
1. If you want the settings to be global, click on the *Files and Directories* icon on the module's main page. To have them apply to just a single virtual server, click on its icon and then on Files and Directories. Or to affect just clients that log in anonymously, click on a virtual server icon, then on Anonymous FTP and finally on the Files and Directories icon on the virtual server options page. No matter which configuration object you chose, the files and directories form that appears will be almost identical.
2. To hide files that are in the process of being uploaded, change the Hide files during upload? field to Yes. This tells ProFTPD to use a temporary file whose name starts with .in. for transferred data, which is only renamed to the real filename when the upload is complete. This prevents incomplete partial uploads, and stops files being downloaded or accessed while they are still being sent.
3. To have ProFTPD delete uploaded files that are not fully transferred, select Yes for the Delete aborted uploads? field. Again, this prevents corrupt partially uploaded files from being created on your system.
4. To allow users to only create files whose relative names match a certain pattern, fill in the *Allowed uploaded filename regex* field with a Perl regular expression. For example, to only allow GIF files you might enter ^.*\.gif$. Because clients are normally allowed to rename files, this option alone is not enough to stop the creation of invalid filenames. You will also need to block access to the RNFR command, as explained in the Restricting access to FTP commands section.
5. Alternately, you can block the use of certain filenames by filling in the Denied uploaded filename regex field with a regular expression like ^.*\.exe$. If both this and the previous field are set, only files that match the allow expression but not this deny expression will be permitted. Another common use of this option is blocking the upload of .ftpaccess or .htaccess files, which set per-directory ProFTPD and Apache options.
6. Hit the Save button at the bottom of the page.
7. If you want to stop clients overwriting files with new uploads, click on the Access Control icon and change the *Allow overwriting of files?* field to No. This can be useful on a server that allows anonymous users to upload to a particular directory, perhaps for incoming files of some kind. Don't forget to click Save if you make this change.
8. Returntothemodule'smainpage
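
Steps 4 and 5 combine an allow and a deny expression, and step 4 notes that a rename gets around them unless RNFR is blocked. The model below is an added example, not ProFTPD code: it applies the two example patterns from the text with Python's re module and replays a constructed command sequence, assuming (as the text describes) that the filename filters are applied to uploads only. The function names are hypothetical and the dotfile pattern is constructed.

```python
import re

ALLOW = r"^.*\.gif$"    # allowed-filename example from the text
DENY = r"^.*\.exe$"     # denied-filename example from the text
# Constructed: the deny example extended to the dotfiles the text mentions.
DENY_WITH_DOTFILES = DENY + r"|(^|/)\.(ftpaccess|htaccess)$"

def upload_permitted(name, allow=None, deny=None):
    """With both set, a name must match allow and must not match deny."""
    if allow and not re.search(allow, name):
        return False
    if deny and re.search(deny, name):
        return False
    return True

def replay(commands, allow=None, deny=None, rnfr_denied=False):
    """Replay STOR and RNFR/RNTO commands; return the names left on disk.

    Model of the text's description: the filters are checked on STOR only,
    and a rename succeeds unless RNFR is denied by a per-command rule.
    """
    files, pending = set(), None
    for verb, arg in commands:
        if verb == "STOR" and upload_permitted(arg, allow, deny):
            files.add(arg)
        elif verb == "RNFR" and not rnfr_denied and arg in files:
            pending = arg                 # rename source accepted
        elif verb == "RNTO" and pending:
            files.discard(pending)
            files.add(arg)                # target name is never filtered
            pending = None
    return sorted(files)

# Constructed session: an accepted upload followed by a rename.
SESSION = [("STOR", "logo.gif"), ("RNFR", "logo.gif"), ("RNTO", "logo.exe")]

if __name__ == "__main__":
    print("filters only:      ", replay(SESSION, ALLOW, DENY))
    print("filters + no RNFR: ", replay(SESSION, ALLOW, DENY, rnfr_denied=True))
```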

Manually editing directives
If you prefer to manually edit your ProFTPD configuration file in some cases or just want to see which directives an action in Webmin has set, you can do so using this module. Except for the default server, every object's options page (virtual server, per-directory and per-command) has an icon labeled Edit Directives. When clicked on it will take you to a form containing a large text box showing the lines from the configuration file in the section related to the object. You can edit them to your heart's content, then click the Save button to update the actual file. Be aware though that no validation of your input is done. Also, you will need to use the Apply Changes button on the module's main page to activate any changes, as usual.
To view and edit the entire ProFTPD configuration, use the *Edit Config Files* icon on the module's main page. This will bring up a similar form, but showing and allowing the editing of a complete configuration file at once. Because ProFTPD can read multiple configuration files (through the use of Include directives), at the top of the form is a button labeled Edit Directives in File with a menu of filenames next to it. To switch the view to a different file, just select the one you want and hit the button. Normally though only a single proftpd.conf file will be used.
Retrieved from "http://doxfer.webmin.com/mediawiki/index.php?title=ProFTPD_Server&oldid=3442"
Category: Servers
This page was last modified on 1 April 2015, at 16:21.
This page has been accessed 27,828 times.
