Setting Up Encrypted FTP Transfers on Linux

Among the many FTP servers, PROFTPD has stayed popular for years because it is flexible to configure and simple to install. Plain FTP, however, sends everything in cleartext: the authentication exchange (user name and password) as well as the file contents, which is never reassuring when sensitive data is involved. Today I gathered some scattered notes from the web, combined them with my own hands-on setup, and wrote this post to share the result.

Download the latest version of the source:

# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0rc3.tar.gz

First create the user and group that PROFTPD will run as (on many distributions nobody and nogroup already exist; if so, skip these two commands):

# groupadd nogroup

# useradd -g nogroup -d /dev/null -s /sbin/nologin nobody

Then create the group and the users that will download and upload:

# groupadd ftp

# useradd -g ftp -d /home/down -s /sbin/nologin down

# useradd -g ftp -d /home/upload -s /sbin/nologin upload

Setting the two users' passwords is omitted here. Neither account has a login shell, which is why RequireValidShell is turned off in the configuration below.

Compile and install PROFTPD (mod_tls needs the OpenSSL development headers installed; --enable-autoshadow lets the server authenticate against /etc/shadow):

# tar -zxvf proftpd-1.3.0rc3.tar.gz

# cd proftpd-1.3.0rc3

# ./configure --prefix=/usr/local/proftpd \
    --sysconfdir=/etc \
    --enable-autoshadow \
    --localstatedir=/var/run \
    --enable-ctrls \
    --with-modules=mod_tls

# make

# make install

Configure the PROFTPD server:

# vi /etc/proftpd.conf

================+================+=================

# Basic ProFTPD configuration: a single standalone server, no anonymous
# login. The daemon runs as user "nobody" / group "nogroup"; the FTP
# accounts created above belong to group "ftp".

ServerName                                      "llzqq"

ServerType                                      standalone

DefaultServer                                   on

AllowRetrieveRestart                            on

AllowStoreRestart                               on

# ServerIdent on announces the exact ProFTPD version in the banner; use
# "ServerIdent off" or ServerIdent on "FTP Server" to hide it.

ServerIdent                                     on

SystemLog                                       /var/log/proftpd.log

UseReverseDNS                                   off

IdentLookups                                    off

RequireValidShell                               off

# Port 21 is the standard FTP port.

Port                                            21

# Umask 022 is a good standard umask to prevent new dirs and files

# from being group and world writable.

Umask                                           022

MaxInstances                                    100

# Set the user and group under which the server will run.

User                                            nobody

Group                                           nogroup

# Jail (chroot) every FTP user into their home directory.

DefaultRoot ~

# Normally, we want files to be overwriteable.

<Directory />

AllowOverwrite                                  on

</Directory>

# Display .welcome at login and .message when a directory is entered for the
# first time.

DisplayLogin                                    .welcome

DisplayFirstChdir                               .message

# Only members of group ftp may log in.

<Limit LOGIN>

AllowGroup ftp

DenyAll

</Limit>

#########################ssl/tls############################

# MOD_TLS SETTING

<IfModule mod_tls.c>

TLSEngine on

TLSLog /var/log/proftpd-tls.log

# SSLv23 lets clients negotiate SSLv2/SSLv3 as well as TLSv1. TLSv1 is the
# strongest value this version accepts; use it unless legacy clients need SSLv3.
TLSProtocol SSLv23

# Are clients required to use FTP over TLS when talking to this server?
# "ctrl" forces only the control channel (commands, USER/PASS) into TLS; the
# file contents still cross the data channel in cleartext unless the client
# sends PROT P. "on" requires TLS on both channels and makes the server refuse
# to open a cleartext data connection.
TLSRequired ctrl

# Server's certificate and private key (generated below)
TLSRSACertificateFile /etc/proftpd.crt

TLSRSACertificateKeyFile /etc/proftpd.key

# Authenticate clients that want to use FTP over TLS (no client certificates here)
TLSVerifyClient off

</IfModule>

#########################ssl/tls############################

# /home/down: group ftp may read but never write; downloads capped at 150 KB/s.
<Directory /home/down>
<Limit WRITE>
DenyGroup ftp
</Limit>
TransferRate RETR 150 group ftp
</Directory>

# /home/upload: write-only drop box. Group ftp cannot delete, rename, remove
# directories or read back what was uploaded; uploads capped at 150 KB/s.
<Directory /home/upload>
<Limit RMD RNFR DELE RETR>
DenyGroup ftp
</Limit>
TransferRate STOR 150 group ftp
</Directory>

MaxClientsPerHost 200

# Fix the passive data-port range so it can be opened on the firewall. Once the
# control channel is encrypted, firewall FTP helpers can no longer read the PASV
# replies to open data ports on the fly, so this range must be allowed statically.
PassivePorts 55000 56000

================+================+=================
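To make the difference between `TLSRequired ctrl` and `TLSRequired on` concrete, here is an added example (not from the original article and not ProFTPD code) that walks an explicit-FTPS control-channel dialogue and reports what crossed the wire unprotected. The four transcripts are constructed by hand to match this configuration; the host 192.0.2.10, the user names, file names and reply texts are made up, not real captures.

```python
# Added example for this article, not ProFTPD code: audit an explicit-FTPS
# control-channel dialogue (RFC 4217: AUTH TLS, PBSZ 0, PROT P) for anything
# that crossed the wire in cleartext. The transcripts below are constructed
# by hand to illustrate TLSRequired ctrl vs. on; host 192.0.2.10, the user
# names and the file names are made up to match the configuration above.

CREDENTIAL_CMDS = {"USER", "PASS"}
DATA_CMDS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST", "MLSD"}


def audit_transcript(lines):
    """Return {"ctrl_encrypted", "prot_p", "exposed"} for one session.

    `lines` are "C: <command>" / "S: <single-line reply>" strings in wire
    order. Credentials count as exposed the moment the client sends them on
    an unencrypted control channel; a data command counts as exposed only
    when the server answers 1yz (i.e. opens the data connection) while
    PROT P is not in effect, because a refused command leaks nothing.
    """
    ctrl_encrypted = False
    prot_p = False
    exposed = []
    pending = None  # (command, argument) awaiting the server's reply

    for raw in lines:
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "C":
            cmd, _, arg = text.partition(" ")
            cmd = cmd.upper()
            pending = (cmd, arg)
            if cmd in CREDENTIAL_CMDS and not ctrl_encrypted:
                # Report the command name only; never echo the password.
                exposed.append((cmd, "sent on an unencrypted control channel"))
        elif side == "S" and pending is not None:
            code = text[:3]
            cmd, arg = pending
            if cmd == "AUTH" and code == "234":
                ctrl_encrypted = True
            elif cmd == "PROT" and code.startswith("2"):
                prot_p = arg.upper() == "P"  # PROT C downgrades again
            elif cmd in DATA_CMDS and code.startswith("1") and not prot_p:
                exposed.append((f"{cmd} {arg}".strip(),
                                "data connection opened without PROT P"))
            if not code.startswith("1"):  # 1yz is preliminary; final reply follows
                pending = None

    return {"ctrl_encrypted": ctrl_encrypted, "prot_p": prot_p, "exposed": exposed}


# Building blocks for the constructed sessions.
BANNER = ["S: 220 ProFTPD Server (llzqq) [192.0.2.10]"]
AUTH_TLS = ["C: AUTH TLS", "S: 234 AUTH TLS successful"]
PROT_P = ["C: PBSZ 0", "S: 200 PBSZ 0 successful",
          "C: PROT P", "S: 200 Protection set to Private"]
LOGIN = ["C: USER down", "S: 331 Password required for down",
         "C: PASS secret", "S: 230 User down logged in"]
PASV = ["C: PASV", "S: 227 Entering Passive Mode (192,0,2,10,214,216)"]  # port 55000
RETR_OK = ["C: RETR report.xls",
           "S: 150 Opening BINARY mode data connection for report.xls",
           "S: 226 Transfer complete"]
RETR_REFUSED = ["C: RETR report.xls", "S: 522 SSL/TLS required on the data channel"]

TRANSCRIPTS = {
    # Plain FTP: password and file contents both readable on the path.
    "plaintext": BANNER + LOGIN + PASV + RETR_OK,
    # TLSRequired ctrl with a client that never sends PROT P: the login is
    # protected, the file is not.
    "ctrl_only": BANNER + AUTH_TLS + LOGIN + PASV + RETR_OK,
    # TLSRequired on with the same careless client: the server refuses to
    # open a cleartext data connection, so nothing leaks.
    "ctrl_only_refused": BANNER + AUTH_TLS + LOGIN + PASV + RETR_REFUSED,
    # A correct client (FileZilla's explicit modes): PBSZ 0 / PROT P before
    # login, so credentials and data both travel inside TLS.
    "full_tls": BANNER + AUTH_TLS + PROT_P + LOGIN + PASV + RETR_OK,
}


if __name__ == "__main__":
    for name, session in TRANSCRIPTS.items():
        result = audit_transcript(session)
        verdict = ("OK" if not result["exposed"] else
                   "EXPOSED: " + ", ".join(cmd for cmd, _ in result["exposed"]))
        print(f"{name:18} ctrl_tls={result['ctrl_encrypted']!s:5} "
              f"prot_p={result['prot_p']!s:5} {verdict}")
```

Running it prints one verdict per session. The "ctrl_only" case is exactly what the configuration above permits: the login is inside TLS, but the server happily opens a cleartext data connection for RETR. With `TLSRequired on` that same client gets the "ctrl_only_refused" outcome instead, and a well-behaved client such as FileZilla in either explicit mode produces "full_tls".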

Create PROFTPD's log files:

# touch /var/log/proftpd.log

# touch /var/log/proftpd-tls.log

# chown nobody:nogroup /var/log/proftpd.log /var/log/proftpd-tls.log

Create the certificate and private key for the TLS connection (the openssl.cnf path varies by distribution; this one is the old Red Hat location). When prompted, enter the host name clients will use to connect as the Common Name, otherwise clients will warn about a certificate/host mismatch:

# cp /usr/share/ssl/openssl.cnf ./

# openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -config openssl.cnf -out proftpd.crt -keyout proftpd.key

Without -days the certificate expires after 30 days (openssl's default); -newkey rsa:2048 overrides the 1024-bit default found in older openssl.cnf files. The remaining prompts for the certificate details are omitted here.

Copy the certificate and key to the configured location, and make the private key readable by root only:

# cp proftpd.crt proftpd.key /etc/

# chmod 600 /etc/proftpd.key

Finally, create the PROFTPD startup script:

# vi /etc/init.d/proftpd

================+================+=================

#!/bin/sh
#
# Startup script for ProFTPD
#
# chkconfig: 345 85 15
# description: ProFTPD is an enhanced FTP server
# processname: proftpd
# config: /etc/proftpd.conf

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/proftpd ]; then
    . /etc/sysconfig/proftpd
fi

# proftpd was installed under --prefix=/usr/local/proftpd above.
PATH="$PATH:/usr/local/proftpd/sbin"

# See how we were called.
case "$1" in
  start)
        echo -n "Starting proftpd: "
        daemon proftpd $OPTIONS
        echo
        touch /var/lock/subsys/proftpd
        ;;
  stop)
        echo -n "Shutting down proftpd: "
        killproc proftpd
        echo
        rm -f /var/lock/subsys/proftpd
        ;;
  status)
        status proftpd
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reread)
        echo -n "Re-reading proftpd config: "
        killproc proftpd -HUP
        echo
        ;;
  suspend)
        hash ftpshut >/dev/null 2>&1
        if [ $? = 0 ]; then
            if [ $# -gt 1 ]; then
                shift
                echo -n "Suspending with '$*' "
                ftpshut $*
            else
                echo -n "Suspending NOW "
                ftpshut now "Maintenance in progress"
            fi
        else
            echo -n "No way to suspend "
        fi
        echo
        ;;
  resume)
        if [ -f /etc/shutmsg ]; then
            echo -n "Allowing sessions again "
            rm -f /etc/shutmsg
        else
            echo -n "Was not suspended "
        fi
        echo
        ;;
  *)
        echo -n "Usage: $0 {start|stop|restart|status|reread|resume"
        hash ftpshut >/dev/null 2>&1
        if [ $? = 1 ]; then
            echo '}'
        else
            echo '|suspend}'
            echo 'suspend accepts additional arguments which are passed to ftpshut(8)'
        fi
        exit 1
esac

# Allow several actions in one call, e.g. "proftpd stop start".
if [ $# -gt 1 ]; then
    shift
    $0 $*
fi

exit 0

================+================+=================

# chmod 755 /etc/init.d/proftpd

# chkconfig --add proftpd

# chkconfig proftpd on

That completes the installation and configuration of the FTP server. As the client I used FileZilla, which is completely free (a few days ago I saw a post saying FileZilla's SSL support is good). FileZilla is also easy to set up. Given the configuration above (TLS negotiated on port 21, no implicit FTPS on port 990), this server supports two encrypted connection modes in the client:

1. FTP over SSL (explicit encryption), which sends AUTH SSL on port 21.

2. FTP over TLS (explicit encryption), which sends AUTH TLS on port 21.

(The FileZilla connection-settings screenshots are not reproduced here.)
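For anyone who would rather script the client side than click through FileZilla, here is an added example (not from the original article, and not FileZilla's or ProFTPD's code) of an explicit-FTPS client that does what the server above expects: AUTH TLS first, then PBSZ 0 / PROT P, and only then USER/PASS, so neither the password nor the listing leaves the machine in cleartext. It trusts exactly one certificate, the self-signed proftpd.crt generated above, rather than accepting any certificate. The host name, user name and the path to the certificate are assumptions supplied on the command line.

```python
# Added example for this article, not FileZilla's or ProFTPD's code: a small
# explicit-FTPS client that behaves the way the server configured above
# expects (AUTH TLS, then PBSZ 0 / PROT P, then USER/PASS) and that trusts
# only our own self-signed proftpd.crt. Host, user and the certificate path
# are assumptions taken from the command line.
import ftplib
import getpass
import ssl
import sys


def tls_context(cafile=None):
    """Client TLS context that requires a certificate and checks the hostname.

    With cafile set, only that certificate (our self-signed proftpd.crt) is
    trusted. The hostname check passes only if the Common Name typed at the
    "openssl req" prompt matches the host name used to connect; if it does
    not, fix the certificate rather than disabling the check, otherwise a
    man-in-the-middle can terminate the TLS session and read everything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3/TLS 1.0/1.1
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def secure_listing(host, user, password, cafile, path="."):
    """Log in over explicit FTPS with a protected data channel and list `path`.

    Fails closed: if the server does not answer AUTH TLS with 234, ftplib
    raises ftplib.error_perm and we never fall back to a plaintext login.
    """
    ftp = ftplib.FTP_TLS(context=tls_context(cafile))
    ftp.connect(host, 21)
    ftp.auth()                 # AUTH TLS: control channel encrypted from here on
    ftp.prot_p()               # PBSZ 0 + PROT P: data connections encrypted too
    ftp.login(user, password)  # credentials now travel inside TLS
    try:
        return ftp.nlst(path)
    finally:
        ftp.quit()


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} HOST USER /path/to/proftpd.crt")
    host, user, cafile = sys.argv[1:]
    # Prompt for the password instead of taking it on the command line, where
    # it would be visible to every local user via ps.
    password = getpass.getpass(f"{user}@{host} password: ")
    for name in secure_listing(host, user, password, cafile):
        print(name)
```

Whether the handshake succeeds depends on the TLS versions both ends allow. A ProFTPD built from the 1.3.0 tarball used here offers at most TLSv1, which this client (and current FileZilla builds) refuse; for a deployment today, build a current ProFTPD and set TLSProtocol to TLSv1.2 or later, which that version accepts.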