Áàçîâàÿ íàñòðîéêà ProFtpD

[Unlimited]

 proftpd-1.3.2 îôèöèàëüíî âñòðîèëè âîçìîæíîñòü ïåðåêîäèðîâêè! Ïî-ìîåìó òàê îäèí èç ëó÷øèõ ôòï ñåðâåðîâ.

[SpIInner]

Ñêîìïèëèðîâàë proftpd v1.3.2rc3 ñ ìîäóëåì mod_lang ïîä wl500gp. LangEngine ðàáîòàåò. Òîëüêî ïðè çàïóñêå ñ LangEngine "on" ïîÿâëÿåòñÿ ñîîáùåíèå:

Code:

# proftpd
SpIInnerGW - mod_lang/0.9: unable to bind to text domain 'proftpd' using locale path '/opt/share/locale': Invalid argument

Êîíôèã ïîêà ïðàêòè÷åñêè ïî-óìîë÷àíèþ. LangPath äîáàâèë ñàì.  óêàçàííîì êàòàëîãå êàê ðàç è åñòü locale ñî ñòðóêòóðîé êàòàëîãîâ ïî ÿçûêàì.
proftpd.conf:

Code:

# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName			"ProFTPD Default Installation"
ServerType			standalone
DefaultServer			on
WtmpLog                         off
LangPath			/opt/share/locale

# Port 21 is the standard FTP port.
Port				21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask				022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances			10

LangEngine on
UseEncoding UTF-8 CP1251

<Global>
  RootLogin On
  RequireValidShell off
  AuthUserFile /etc/passwd
  AllowStoreRestart on
#  TransferRate RETR 25
#  TransferRate APPE,STOR 100:2048
</Global>


# Set the user and group under which the server will run.
User				nobody
Group				nobody

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite		on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User				ftp
  Group				ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias			anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients			5

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin			welcome.msg
  DisplayChdir			.message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

Ìîæåò êîìïèëèðîâàòü íàäî áûëî ñ êàêèì-òî îñîáåííûì ïàðàìåòðîì?

Ïðèêëàäûâàþ ipk, êîìó-íèáóäü ïðèãîäèòñÿ.

[retom]

Ñòîèò íà ðîóòåðå webalizer õî÷ó ÷òî áû îí ðàç â ñóòêè çàïóñêàëñÿ.
Êàê ïðàâèëüíî ïðîïèñàòü àâòîçàïóñê â crontab?

crontab Âûãëÿäèò òàê:
# cat crontab
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/opt/sbin:/opt/bin
MAILTO=""
HOME=/
# ---------- ---------- Default is Empty ---------- ---------- #

åñòü äèðåêòîðèÿ cron.d
ñ îäíèì ôàéëîì updatedb-daily

âîïðîñ íîìåð äâà êàê ïðàâèëüíî è ïðîùå ñäåëàòü ðîòàöèþ ëîãîâ?

[Snarpix]

Ïîñëåäíèé âîïðîñ: êàêèå ïðàâà íóæíî óñòàíîâèòü íà äèðåêòîðèþ ÷òîáû åå íå áûëî âèäíî â ñïèñêå, ïðè çàõîäå íà ôòï ñåðâåð, íèêîìó êðîìå åå âëàäåëüöà? ß ïîñòàâèë drwx------ íî åå âèäíî, õîòÿ çàéòè íåëüçÿ.

[tempik]

Ïîñëåäíèé âîïðîñ: êàêèå ïðàâà íóæíî óñòàíîâèòü íà äèðåêòîðèþ ÷òîáû åå íå áûëî âèäíî â ñïèñêå, ïðè çàõîäå íà ôòï ñåðâåð, íèêîìó êðîìå åå âëàäåëüöà? ß ïîñòàâèë drwx------ íî åå âèäíî, õîòÿ çàéòè íåëüçÿ.

Òàêèõ ïðàâ *NIX íå ïðåäóñìàòðèâàåò òîëüêî ÷òåíèå-çàïèñü/èñïðàâëåíèå-èñïîëíåíèå êîäà/÷òåíèå ñîäåðæèìîãî ïàïêè... À çà÷åì? çàéòè íå ìîæåò è ëàäíî ... ïîäðîáíåå http://linuxopen.ru/2007/12/08/prava...y-v-linux.html

[Snarpix]

Òàêèõ ïðàâ *NIX íå ïðåäóñìàòðèâàåò òîëüêî ÷òåíèå-çàïèñü/èñïðàâëåíèå-èñïîëíåíèå êîäà/÷òåíèå ñîäåðæèìîãî ïàïêè... À çà÷åì? çàéòè íå ìîæåò è ëàäíî ... ïîäðîáíåå http://linuxopen.ru/2007/12/08/prava...y-v-linux.html

À êàê æå ýòî ðåàëèçîâàíî â ðîäíîé ïðîøèâêå?

P.S. Ïðî÷èòàë ïðî ëèïêèé áèò. Ïîïðîáóþ ðåàëèçîâàòü ñ ïîìîùüþ åãî.

[tempik]

À êàê æå ýòî ðåàëèçîâàíî â ðîäíîé ïðîøèâêå?

P.S. Ïðî÷èòàë ïðî ëèïêèé áèò. Ïîïðîáóþ ðåàëèçîâàòü ñ ïîìîùüþ åãî.

Íå çíàþ êàê â ðîäíîé ïðîøèâêå (íè ðàçó íå âèäåë åå...) íî åñòü âîçìîæíîñòü çàäàâàòü äîìàøíèé êàòàëîã ïîëüçîâàòåëÿ è çïðåòèòü âûõîäèòü çà åãî ïðåäåëû íî ýòî íàðóøàåò çàäàííîå óñëîâèå
"íåîáõîäèìî áûëî ÷òîáû êàæäûé þçåð âèäåë ñâîþ ëè÷íóþ + îáùóþ äèðåêòîðèè"
Ç.Û. "ëèïêèé áèò" íå ïðî ýòî...

[Snarpix]

Óæå ïîíÿë ÷òî íå òî. Ëàäíî ñïàñèáî çà ïîìîùü, ïîäóìàþ íà äîñóãå êàê ðåàëèçîâàòü, âäðóã ïðèäóìàþ

[tempik]

Óæå ïîíÿë ÷òî íå òî. Ëàäíî ñïàñèáî çà ïîìîùü, ïîäóìàþ íà äîñóãå êàê ðåàëèçîâàòü, âäðóã ïðèäóìàþ

â ProFTPD åñòü íàñòðîéêè HideUser è HideGroup ...vsftpd ÈÌÕÎ ïîäîáíîãî íå èìååò ...

[necrom]

Èñêàë íîðìàëüíûé ìàíóàë ïî óñòàíîâêå è íàñòðîéêå proftpd, òàê è íå íàø¸ë â èòîãå ðåøèë ñîáðàòü èç âñåõ íàéäåííûõ â îäèí íîðìàëüíûé.
Ìàíóàë äåëàë ïî àíàëîãèè ñ ïðèìåðîì

Óñòàíàâëèâàåì íåîáõîäèìûå ïàêåòû.

Code:

ipkg install proftpd adduser

Ñîçäà¸ì ïîëüçîâàòåëåé. Äëÿ ïðèìåðà îäíîãî àíîíèìíîãî, äðóãîãî àäìèíèñòðàòîðà.

Àíîíèìíûé ïîëüçîâàòåëü

Code:

adduser userftp -d /opt/ftp/ -s /bin/false
adduser adminftp -d /opt/ftp/admin -s /bin/false

Ñîçäà¸ì ôàéë rîíôèãóðàöèè äëÿ Ftp.

Code:

nano /opt/etc/proftpd.config

Code:

ServerName                      "Necrom Station"
ServerType                      standalone
DefaultServer                   on
UseReverseDNS                   off
IdentLookups                    off

# Port 21 is the standard FTP port.
Port                            21
UseIPv6                         off
AllowForeignAddress             on
MasqueradeAddress               192.168.1.1

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022 022
MaxInstances                    8
MaxLoginAttempts                3

# Íå çàáûâàåì ïðî ëîãèðîâàíèå:
ExtendedLog                     /opt/var/log/proftpd/extend.log
TransferLog                     /opt/var/log/proftpd/transfer.log
SystemLog                       /opt/var/log/proftpd/syslog.log
ScoreboardFile                  /opt/var/run/proftpd.scoreboard

# Ìû íå áóäåì èñïîëüçîâàòü ôàéë /etc/ftpusers
UseFtpUsers                     off

PersistentPasswd                off
MultilineRFC2228                on

# "òàéìàóòû", ïî èñòå÷åíèþ êîòîðûõ ñåðâåð áóäåò çàêðûâàòü ñîåäèíåíèå
TimeoutLogin                    120
TimeoutNoTransfer               900
TimeoutStalled                  100
TimeoutIdle                     2200

<Global>
  RootLogin                       Off
  AuthUserFile                    /etc/passwd
  AllowStoreRestart               on
  ShowSymlinks                    on
  AllowOverwrite                  on
  DisplayChdir                    .message
  ListOptions                     .-l.
  RequireValidShell               off

#  TransferRate RETR 25
#  TransferRate APPE,STOR 100:2048
</Global>

<Limit ALL>
   DenyAll
</Limit>

# Set the user and group under which the server will run.
User                            nobody
Group                           nobody
DefaultRoot                     ~

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous /opt/ftp>
  User                          userftp
  Group                         ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous userftp
  AuthAliasOnly                 on

  # Limit the maximum number of anonymous logins
  MaxClients                    5

  # Îòêëþ÷àåì òðåáîâàíèÿ âàëèäíîãî øåëëà ïîëüçîâàòåëÿ
  # ïîçâîëÿåò "ïóñêàòü" â ñèñòåìó þçåðîì áåç äîñòóïà ïî SSH (nologin)
  RequireValidShell             on

  # Ñêðûâàòü ôàéëû è ïàïêè ïîëüçîâàòåëÿ root
  HideUser                     adminftp

  # Ðàçðåøàåì àâòîðèçàöèþ, ÷òåíèå ôàéëîâ è ïåðåìåùåíèå ïî ïàïêàì
  <Limit LOGIN READ DIRS>
         AllowAll
  </Limit>

  DisplayLogin                  welcome.msg
  #DisplayFirstChdir            .message

  # Ðàçðåøàåì çàïèñü
  <Directory upload/*>
        <Limit WRITE>
              AllowAll
        </Limit>
  </Directory>
</Anonymous>


# Îáúÿâëÿåì àíîíèìíûé ñåðâåð ñ êîðíåì â äîìàøåì êàòàëîãå ïîëüçîâàòåëÿ adminftp
<Anonymous ~adminftp>
		# Îò êîãî áóäåò ðàáîòàòü äåìîí
        User                    adminftp
        Group                   adminftp
       
        # Óñòàíîâêà âëàäåëüöà íà íîâûå ôàéëû    
        UserOwner               adminftp
        GroupOwner              adminftp
       
        # Âêëþ÷àåì çàïðîñ ïàðîëÿ
        AnonRequirePassword     on
  
        # Ðàçðåøàåì âñå äëÿ íàøåãî ïîëüçîâàòåëÿ
        <Limit ALL>
            Order Allow, Deny
            AllowUser		adminftp
        </Limit>
</Anonymous>

Äîáàâëÿåì ôàéë /etc/paswwd â àâòîçàãðóçêó

Code:

echo "/etc/passwd
/etc/group" >> /usr/local/.files
flashfs save && flashfs commit && flashfs enable

Ñîçäà¸ì ñêðèïò àâòîçàïóñêàÿ.

Code:

nano /opt/etc/init.d/S90proftpd
chmod +x /opt/etc/init.d/S90proftpd

Code:

#!/bin/sh

prefix="/opt"
PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=proftpd
DAEMON=${prefix}/sbin/${NAME}
DAEMON_OPTS="-c ${prefix}/etc/proftpd.conf"

test -x $DAEMON || exit 0

if [ -z "$1" ] ; then
    case `echo "$0" | sed 's:^.*/\(.*\):\1:g'` in
        S??*) rc="start" ;;
        K??*) rc="stop" ;;
        *) rc="usage" ;;
    esac
else
    rc="$1"
fi

case "$rc" in
    start)
        echo "Starting ftp server: $NAME"
        $DAEMON $DAEMON_OPTS
        ;;
    stop)
        if [ -n "`pidof $NAME`" ]; then
            echo "Stopping ftp server: $NAME"
            killall $NAME 2> /dev/null
        fi
        ;;
    restart)
        "$0" stop
        sleep 1
        "$0" start
        ;;
    *)
        echo "Usage: $0 (start|stop|restart|usage)"
        ;;
esac

exit 0

Âîò â ïðèíöèïå è âñ¸.

P.s Äëÿ òîãî ÷òîáû áûëî âèäíî âî âíåøíåì ìèðå íóæíî äîáàâèòü 2 ïðàâèëà. È ïðîâåðèòü öåïî÷êó INPUT. Èíîãäà áûâàåò íå â ïîïàä ñòîèò ïðàâèëî DROP.

Code:

iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 20 -j ACCEPT 
iptables -A INPUT -j DROP

Åñëè íå ïîëó÷èòñÿ ìîæíî ïîïðîáûâàòü âîò òàê

Code:

iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --dport 20 -j ACCEPT

×òîá óäàëèòü iptables ïðàâèëî ïî íîìåðó

Code:

iptables -L INPUT --line-numbers
iptables -D INPUT íîìåð

×òîá ïðîòåñòèðîâàòü ñîåäèíåíèå íà ñòîðîíå ñåðâåðà ìîæíî èñïîëüçîâàòü êîìàíäó

Code:

tcpdump -npi vlan1 port 21 and host 10.1.1.1(âíåøíèé_ip)

È ïîïðîñèòü â ñåòè, êîãî íèòü ïðîâåðèòü ÷åðåç êîíñîëü ftp 10.1.1.1

Ïðèìåðíûé âèä äîëæåí áûòü ñëåäóþùèé.
iptables -nvL INPUT

Code:

Chain INPUT (policy ACCEPT 37 packets, 3796 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
86375 8817K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   18  1440 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
  270 22017 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
   83  2496 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4         udp dpt:!1900 
  126 14317 SECURITY   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Åñëè âîîáùå íå õî÷åò ðàáîòàòü, òî óáèâàéòå ïî 1 ïðàâèëó èç öåïî÷êè INPUT èëè âñ¸ öåïî÷êó äëÿ òåñòèðîâàíèÿ è ñìîòðèòå ãäå çàòîð. (Óáèòü âñå ïðàâèëà iptables -F INPUT)
Ïðàâèëà ÷àñòè÷íî ïîçàèìñòâîâàë ñ ýòèõ ïîñòîâ
15 è 167

Åù¸ ÷èòàë ÷òî áûâàþò ïðîáëåìû ñ UPnP. Âçÿòî îòñþäà

UPnP íå ïîä÷èùàåò çà ñîáîé port mappings è îñòàâëÿåò çàïèñè â nvram. Ïîñìîòðåòü ýòè çàïèñè ìîæíî òàê:

nvram show | grep "forward_port"

forward_port0=9999-9999>192.168.1.1:9999-9999,udp,on,Azureus UPnP 9999 UDP
forward_port1=9999-9999>192.168.1.1:9999-9999,tcp,on,Azureus UPnP 9999 TCP
forward_port2=49001-49001>192.168.1.1:49001-49001,udp,on,Azureus UPnP 49001 UDP
forward_port3=3000-3000>192.168.1.1:3000-3000,tcp,on,EiskaltDC++ 3000 (TCP)
forward_port4=3031-3031>192.168.1.1:3031-3031,tcp,on,EiskaltDC++ 3031 (TCP)
forward_port5=3000-3000>192.168.1.1:3000-3000,udp,on,EiskaltDC++ 3000 (UDP)

Ïîñëå ïåðåçàãðóçêè ýòè çàïèñè ïîïàäàþò â iptables è ìîãóò ïîðòèòü íàñòðîéêè NAT.

iptables -t nat -L -nv

Óäàëèòü çàïèñè èç nvram ìîæíî êîìàíäîé "nvram unset XXX"

Î÷èñòèòü âñå çàïèñè ìîæíî ñêðèïòîì:

for a in `nvram show | grep "forward_port" | sed "s/=.*//"` ; do nvram unset $a ; done

[Ryav]

Íå âèäèò ðîóòåð èçâíå, ïðîáðîñ íå ïîìîãàåò
Äàâíåíüêî íàñòðàèâàë äëÿ ñåðâåðà vsftpd, äåëàë ïðîáðîñ è âñå íîðìàëüíî ðàáîòàëî, ñåé÷àñ âîò ñ proftpd íà ñàìîì ðîóòåðå íèêàê. À ïîäíèìàëñÿ ôòï êàê ðàç ñ öåëüþ, ÷òîáû íàðóæó.