<!doctype linuxdoc system>
<article>
<!-- Title Information -->
<TITLE>Professional FTP Daemon FAQ
<author>Mark Lowes <tt/<[email protected]>/
<date>v0.9.0, 05 January 2002
<abstract>$Id$
This document sets out many of the FAQs related to the installation,
functioning and configuration of ProFTPD. It also provides some guidance
on policy and security issues.</abstract>
<toc>
<!-- the document proper -->
<sect>Introduction to ProFTPD
<P>
<sect1>What is ProFTPD
<P>
ProFTPD is an FTP server written primarily for the various Unix
variants, though it will now compile under win32. It has been designed
to be much like Apache in concept, taking many of its ideas
(configuration format, modular design, etc) from it.
<sect1>What is the current version?
<p>
<itemize>
<item>Stable: 1.2.4
<item>Release Candidate: 1.2.5rc1
<item>Unstable: 1.3.x
</itemize>
<sect1>Version numbering scheme
<P>At the moment there is a little irrationality in the numbering scheme; however, it can be summarised as follows.
<sect2>1.0.x
<P>This is the previous stable version.
<sect2>1.1.x
<P>Development code
<sect2>1.2.0prex
<P>Pre-release testing versions, development code.
<sect2>1.2.0rcx
<P>Release candidate code. These releases are pretty much bug free and are testing releases prior to the final stable code.
<sect2>1.2.x
<P>This will be the stable cycle with the final .x being the incremental patches to fix bugs discovered after the release version is issued.
<sect2>1.3.x
<P>1.3.x is in development; nightly tarballs from the CVS tree are
available from ftp.proftpd.org and its mirror sites.
<sect1>Website & documentation
<P>http://www.proftpd.org/ is now online and contains copies of this
FAQ, other documentation resources and information on the project.
The documentation is being brought back into shape at the moment: the
configuration documentation on the website is now approaching where it
should be, but more work is required and is ongoing. There are a number of
geographic mirror sites, see http://www.proftpd.org/ for details or
try www.<isocode>.proftpd.org (e.g. www.uk.proftpd.org).
<sect2>Helping with documentation
<P>Writing documentation is time consuming and requires some
work but it's not actually difficult. Get the source code from CVS and
run "ShowUndocumented" in the doc directory. This will list what
needs work. Grep through the code looking for something like
<tscreen>
<code>
CHECK_CONF(cmd,CONF_ROOT|CONF_VIRTUAL|CONF_ANON|CONF_GLOBAL)
</code>
</tscreen>
<P>to figure out where the directive is valid (server config,
<VirtualHost>, <Anonymous>, <Global> for the above example). Once you
think you understand what it does, test, play, break (if possible).
Then copy the format in Configuration.html and add the new documentation.
<P>Once the documentation is complete run
<tscreen><verb>
cvs diff -uw Configuration.html > Configuration.html.patch
</verb></tscreen>
<P>and submit it via the bug reporting system.
<sect1>Bug reporting?
<P>Bug reports should be made via http://bugs.proftpd.org/ which uses
the bugzilla tracking system. Patches should be mailed to the
ProFTPD-Devel mailing list or MacGyver directly.
<sect1>I've found a security hole
<P>Please report all security problems with the code to
[email protected] before releasing the information into the public
domain. It would be appreciated if you give the core team a few days
to put together a patch and/or new release to address the issue.
<P>Please adhere to the procedures and timescales given in the RFPolicy
document http://www.wiretrip.net/rfp/policy.html; this will give
the core development team a chance to get a fix or workaround in place
before the problem becomes fully public.
<sect1>Downloading
<P>There are two main methods of getting the software: downloading a
compressed tarball or rpm (there is also a Debian package available in
the main distribution) from proftpd.org or from a mirror site, or,
if you wish to run the latest bleeding edge code, checking it out
from the cvs server.
<sect2>Mirror sites
<P>There is a complete and maintained list of ftp mirror sites available
from http://www.proftpd.org/download.html
<sect2>CVS
<P>CVS:
<tscreen><verb>
cvs -d :pserver:[email protected]:/cvsroot/proftp login
</verb></tscreen>
<P>(Hit Enter when prompted for a password.) Then do:
<tscreen><verb>
cvs -d :pserver:[email protected]:/cvsroot/proftp -z3 co proftpd
</verb></tscreen>
<P>To obtain the latest/greatest updates, just hop into the
proftpd directory and do: cvs update
<P>A couple of sites generate downloadable tarballs of the latest CVS
code to make obtaining the test code easier.
<sect1>Mailing lists
<P>
There are three lists for ProFTPD
<sect2>Announce
<P>
<P>This is a very low traffic list where only ProFTPD announcements/changes
will be announced.
<P>Subscribe by sending a message to [email protected] with
"subscribe" in the subject.
<p>Web interface: https://lists.sourceforge.net/lists/listinfo/proftp-announce
<sect2>Users
<P>
<P>This is intended to be the user support channel for the software;
in all likelihood this is going to be a high traffic list and
slightly chatty. Please read the FAQ, the documentation and the list
archives before posting a question.
<P>Subscribe by sending a message to [email protected] with
"subscribe" in the subject.
<p>Web interface: https://lists.sourceforge.net/lists/listinfo/proftp-user
<sect2>Development
<P>
<P>This list is intended for discussion of development-related issues
of ProFTPD, and feature design. It is NOT intended to be a "user
help" group.
<P>Subscribe by sending a message to [email protected]
with "subscribe" in the subject.
<p>Web interface: https://lists.sourceforge.net/lists/listinfo/proftp-devel
<sect2>Archives
<P>The mailing list archives can be found at
http://www.proftpd.org/proftpd-l-archive/
http://www.proftpd.org/proftpd-devel-archive/
<sect3>Unsubscribing
<p>Before posting to any of the lists or mailing the list admins
please try to remove yourself first, either by emailing
<listname>[email protected] with the subject "unsubscribe" or by
visiting the web interface and unsubscribing from there.
<sect4>I've (lost / never had) a password to the interface <p>Easy,
enter the address you are subscribed to the list as into the form and
hit the "email me my password" button.
<sect1>Copyright Issues
<P>
The software is currently distributed under the GNU General Public License
(version 2 or later) as published by the Free Software Foundation.
Copyright is held by Public Flood Software.
<sect>Compilation and installing
<P>
<!-- Basic hints on untaring, rpm's, ./configure etc etc -->
<sect1>What platforms will it compile on?
<P>
There have been reports of ProFTPD compiling on all the following
platforms (and versions).
<itemize>
<item>Linux 2.0.x & 2.2.x (glibc 2.x only) & 2.4.x
<item>BSDI 3.1 & 4.0
<item>IRIX 6.2, 6.3, 6.4, 6.5
<item>Solaris 2.5.1, 2.6, 2.7, 8 (Sparc)
<item>AIX 3.2 & 4.2
<item>OpenBSD 2.2/2.3
<item>FreeBSD 2.2.7
<item>Digital UNIX 4.0A
<item>DEC OSF/1
</itemize>
<sect2>Why not libc5 on Linux?
<P>There are several known problems with libc5-based systems,
including improperly implemented library routines (vsprintf and
vsnprintf are examples) and known problems with the resolver
library. For these reasons and others libc5 is not supported at
all; the latest versions of the major distributions (including Debian,
Redhat and Suse) are all glibc.
<sect1>CVS
<P>CVS (Concurrent Versions System), is a version control system which
allows multiple developers (scattered across the same room or across
the world) to maintain a single codebase and keep a record of all
changes to the work.
<P>The CVS repository for ProFTPD is available to non-developers in
read-only mode; however, this code is right on the bleeding edge and is
not guaranteed to even compile, let alone work. Access to CVS is given
to get important security patches out into the wild quickly and to allow
users and other interested parties to test out the latest changes on real
systems.
<sect2>Recommended ~/.cvsrc settings
<P>
<tscreen>
<verb>
cvs -z 3
update -Pd
diff -u
</verb>
</tscreen>
<sect2>Where can I get information on cvs?
<P>CVS is produced by Cyclic Software (http://www.cyclic.com/) and
details on CVS can be found on their website. The CVS documentation
is clear, detailed and above all heavy when printed. I'd recommend
reading it if you're planning on using CVS a lot.
<sect1>How do I get debug output
<P>The easiest way is to fire up proftpd manually from the command
line with the debug level cranked up.
<tscreen>
<verb>
/usr/local/sbin/proftpd -d9 -n
</verb>
</tscreen>
<P>This will result in maximal debug output direct to the
console. Warning: this can get messy on a busy server. For testing I
would suggest copying the config, altering the port the server
binds to, and then testing against that copy.
<sect1>Patches
<P>Any patches should be submitted in unified diff format; this makes
integrating them into the main cvs source a lot easier. When
generating a diff against the current cvs source use "cvs diff -uw" to
generate the patch.
<tscreen><verb>
cvs diff -u filename > filename.patch
or
cvs diff -u > bigger.patch
</verb></tscreen>
<P>Patches that add configuration directives without proper
documentation will be rejected. New features without documentation
are less than useless to the community at large.
<sect1>Using non-default modules
<P>Simply configure ProFTPD with
<tscreen>
<verb>
./configure --with-modules=mod_module1:mod_module2:mod_module3
make
make install
</verb>
</tscreen>
<sect1>Plans for next version (1.3.x)
<P>The new development series will be 1.3.x, using the same number
scheme as the linux kernel developers. The targets/goals are:
<itemize>
<item>refining/redefining the module API to make it more extensible and useful.
<item>dynamic modules
<item>security APIs and implementations
<item>mod_ls rewrite
<item>Implementing some security-related RFCs
<item>Creating a web and GUI configuration interface to ProFTPD.
</itemize>
<P>2.0.x will be the production release of the 1.3.x development set.
<sect1>NT Support
<P>If/when a port is undertaken for NT, it will only be after a near
complete rethinking of ProFTPD. This is planned for 2.0 and onwards.
<sect1>New features/modules
<P>While anything new is welcomed it's probably better to at least
float the idea first on the devel mailing list to ensure that someone
else isn't already hacking on it. Also when submitting the patch or
module for inclusion into the ProFTPD source full documentation is
needed.
<sect2>Suggestions made for future development
<P>
<itemize>
<item>GUI based configuration tool
</itemize>
<!-- NEW SECTION -->
<sect>Compatibility and Integration
<sect1>SQL
<P>ProFTPD has support for authentication and logging via SQL
databases using the mod_sql module as supplied in the main
distribution.
<sect1>SSH
<P>There is a mini-HOWTO at http://www.castaglia.org/proftpd/
detailing how to tunnel ftp connections over ssh.
<sect1>sendfile()
<P>sendfile() is a system call which streamlines the copying of data
between the disk and the tcp socket. The call copies from the page
cache directly rather than requiring a kernel -> user space -> kernel
space copy for every read() and write() call. Generally the
advantages are only felt on heavily loaded servers. The call is
supported in ProFTPD for Linux and FreeBSD.
<sect2>Linux 2.0.x
<P>sendfile is not supported under 2.0.x; this is not an issue when
compiling for 2.0.x on a 2.0.x system. However, when compiling on a
2.2.x system for use on 2.0.x, use the --disable-sendfile flag.
<sect2>Runtime detection of sendfile()
<P>There are two patches available for runtime detection of
sendfile() which gets round the 2.0.x problems.
<P>Johnie Ingram (aka netgod)'s:
http://www.proftpd.org/proftpd-devel-archive/99-10/msg00073.html
<P>John Pierce <[email protected]>
http://www.proftpd.org/proftpd-devel-archive/99-10/msg00112.html
<sect1>IPv6
<P>IPv6 support first appeared in the 1.2.9rc2 release. To enable
IPv6 support, use the --enable-ipv6 configure option.
<sect1>Filename case sensitivity
<P>ProFTPD is utterly dependent on the underlying OS to handle
filename case sensitivity. If the underlying OS is case sensitive
then ProFTPD will be; there are currently no plans for a module to
handle this.
<sect1>FXP
<P>FXP bounces data directly between FTP sites. There have been
a number of reports of problems in configuring ProFTPD to function
cleanly with FlashFXP (http://flashfxp.skuz.net/).
<P>To support FXP when connecting as a user place "AllowForeignAddress
on" in the Global or VirtualHost context.
<P>To support FXP when connecting as anon "AllowForeignAddress on"
must be placed in the Anonymous context.
<P>The config will happily support "AllowForeignAddress on" in
multiple places within the config.
<!-- NEW SECTION -->
<sect>Common Running problems
<sect1>ProFTPD doesn't seem to work.
<P>Starting ProFTPD in standalone mode, it doesn't show in "ps". It
could be many things, possibly something like not running ProFTPD as
root (it needs to be run as root initially, but will switch to a
non-privileged user). Regardless, ProFTPD logs all errors via the
standard syslog mechanism. You need to check your system logs in order
to determine what the problem is.
<sect2>It doesn't work!
<P>There are many times when there's a completely random problem which
appears to be insoluble. The best place to ask for help is definitely
the mailing list (proftpd-l) but it's not productive to ask for help
without giving enough information for intelligent debugging.
<P>Have you:
<itemize>
<item>Checked your logs?
<item>Tried the server in debug mode?
<item>Read the FAQ?
<item>Checked the mailing list archive?
<item>Made sure you are running the latest version?
</itemize>
<P>When posting try to give enough information; this might include, but
not be limited to:
<itemize>
<item>OS and server version (proftpd -vv)
<item>List of included modules (proftpd -l)
<item>Appropriate log extracts
<item>Output from debug mode
<item>Configuration fragments
</itemize>
<sect1>"inet_create_connection() failed: Operation not permitted".
<P>You aren't starting ProFTPD as root, or you have inetd configured
to run ProFTPD as a user other than root. The ProFTPD daemon must be
started as root in order to bind to tcp ports lower than 1024, or to
open your shadow password file when authenticating users. The daemon
switches uid/gids to the user and group specified by the User/Group
directives during normal operation, so a `ps' will show it running as
the user you specified.
<sect1>Unable to bind to port/Address already in use
<P>0.0.0.0 is INADDR_ANY, which means to bind to any interface. The
"address in use" will normally mean that something has already bound
to that address.
<p>Under linux it is possible to run
<code>fuser -n tcp 21</code>
<p>to get the PID of the process currently bound to the port ProFTPD is
configured to use.
<P>The most common cause is that ProFTPD is configured standalone and
inetd is still configured for port 21. Comment out the line starting
"ftp" in /etc/inetd.conf and restart (killall -HUP inetd or something
similar should do the trick) and try again.
<sect1>"Fatal: Socket operation on non-socket"
<P>You have ProFTPD configured to run in inetd mode rather than
standalone. In this mode, ProFTPD expects that it will be run from the
inetd super-server, which implies that stdin/stdout will be sockets
instead of terminals. When it is started from a shell instead, the socket
operations on those descriptors fail and the above error is printed. If
you wish to run ProFTPD from the shell, in standalone mode, you'll need
to modify your proftpd.conf configuration file and add or edit the
ServerType directive to read:
<tscreen><verb>
ServerType standalone
</verb></tscreen>
<sect1>"Fatal: unable to determine IP address of "hostname""
<P>The hosting machine has a poorly configured hostname setup, to the
point where the resolver library cannot determine the IP from the
name. Solutions include fixing the DNS for the domain, fixing the
hostname, or fixing the /etc/hosts file. Which one works for you will
largely depend on your OS and exactly what is wrong.
<sect1>I'm having problems with FTP clients behind firewalls
<P>The FTP specification defines that two sockets should be used for
all communications. The first runs over port 21 and is the control
channel over which all commands and response codes are sent. Whenever
data needs to be transferred, for example for a file download or a
directory listing, a second channel is created on demand; this data
socket can take one of two forms.
<sect2>non-Passive
<P>The server end of the data socket uses port 20. This is nice and
easy to work into a firewall configuration.
<sect2>Passive
<P>The port at either end is dynamically allocated. This is virtually
impossible to cater for in a firewall configuration given that the
port mapping will be different for every data connection.
<P>The solution is to force the users to configure their clients to
use the non-passive mode (i.e. port 20).
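<P>The following Python is an added illustration, not part of this FAQ or of ProFTPD: it decodes a client's PORT command (non-passive) and a server's 227 reply (passive) and reports which side opens the data connection and on which port, which is what a firewall rule has to match. The addresses and ports in it are constructed.

```python
import re

# Constructed control-channel messages for the two data-connection modes
# described above (not taken from the FAQ or from ProFTPD itself):
# the client's PORT command (non-passive) and the server's 227 replies (passive).
PORT_COMMAND = "PORT 192,168,1,10,4,1"
PASV_REPLIES = [
    "227 Entering Passive Mode (10,0,0,5,195,80).",
    "227 Entering Passive Mode (10,0,0,5,201,17).",
    "227 Entering Passive Mode (10,0,0,5,195,80).",
]

# RFC 959 encodes an address and port as h1,h2,h3,h4,p1,p2 (decimal bytes);
# the port is p1*256 + p2.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text."""
    m = _HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in: %r" % text)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def data_connection(message):
    """Describe the data connection a firewall would have to allow for one
    control-channel message.

    Non-passive (client sends PORT): the server connects out from its fixed
    port 20 to the address and port the client named, so the server-side
    rule is static.
    Passive (server replies 227): the client connects in to a server port
    chosen for this transfer, so the port differs per data connection.
    """
    if message.upper().startswith("PORT "):
        client_ip, client_port = decode_hostport(message)
        return {"mode": "non-passive", "initiator": "server", "server_port": 20,
                "client_ip": client_ip, "client_port": client_port}
    if message.startswith("227"):
        server_ip, server_port = decode_hostport(message)
        return {"mode": "passive", "initiator": "client",
                "server_ip": server_ip, "server_port": server_port}
    raise ValueError("not a PORT command or a 227 reply: %r" % message)


def passive_server_ports(replies):
    """Distinct server-side data ports handed out in a series of 227 replies."""
    return sorted({data_connection(r)["server_port"] for r in replies})


if __name__ == "__main__":
    print(data_connection(PORT_COMMAND))
    for reply in PASV_REPLIES:
        print(data_connection(reply))
    print("passive ports a firewall would need open:", passive_server_ports(PASV_REPLIES))
```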
<sect1>Can I run more than one VirtualHost on a single IP?
<P>No, or at least not in the HTTP/1.1 manner of virtual hosting.
This is an inbuilt limitation of the current FTP RFC; unlike the
HTTP/1.1 spec there is no mechanism comparable to the "Host:
foo.bar.com" HTTP header for specifying which host the connection is
for. Therefore the only method for determining which VirtualHost the
connection is destined for is by the destination IP.
<P>The one exception to this is if you host multiple servers on the same
IP but using different ports; however, this requires that the connecting
client uses a non-standard port and therefore is probably not a good
solution for mass hosting.
<sect2>Is there anything in the pipeline to fix this?
<P>There is a draft standard <url
url="http://search.ietf.org/internet-drafts/draft-ietf-ftpext-mlst-12.txt" name="draft standard"> with the IETF which extends and improves on the
FTP specification including support for a HOST command. However given
that the IP crunch is coming from websites and not virtual ftp servers
this is unlikely to be pushed through any time soon.
<sect1>How do I run ProFTPD from inetd?
<P>Find the line in /etc/inetd.conf that looks something like this:
<quote> ftp stream tcp nowait root in.ftpd in.ftpd</quote>
<P>Replace it with:
<quote> ftp stream tcp nowait root in.proftpd in.proftpd</quote>
<P>Then, find your inetd process in the process listing and send it
the SIGHUP signal so that it will rehash and reconfigure itself. You
may also need to add in.proftpd to hosts.allow on your system.
<sect1>Can I use tcp-wrappers with ProFTPD?
<P>
Yup. Although ProFTPD has built-in IP access control (see the Deny
and Allow directives), many admins choose to consolidate IP access
control in one place via in.tcpd. Just configure ProFTPD to run from
inetd as any other tcp-wrapper wrapped daemon and add the
appropriate lines to hosts.allow/deny files.
<P>
If running ProFTPD in standalone mode, mod_wrap can be used to direct the
server to use the normal hosts.allow/deny files.
<sect1>Can I run an FTP server on a non-standard port?
<P>Yes. Use a <VirtualHost> block with your machine's FQDN
(Fully Qualified Domain Name) or IP address, and a Port directive
inside the <VirtualHost> block. For example, if your host is
named "myhost.mydomain.com" and you want to run an additional FTP
server on port 2001, you would:
<tscreen>
<code>
...
<VirtualHost myhost.mydomain.com>
Port 2001
...
</VirtualHost>
</code>
</tscreen>
<sect1>Can I control upload/download ratios?
<P>Yes, the mod_ratio module provides for doing just this.
<P>The ratio directives take four numbers: file ratio, initial file
credit, byte ratio, and initial byte credit. Setting either ratio
to 0 disables that check.
<P>The directives are HostRatio (matches FQDN, wildcards allowed),
AnonRatio (matches password entered at login), UserRatio (accepts "*"
for "any user"), and GroupRatio.
<tscreen>
<code>
Ratios on                                   # enable module
UserRatio ftp 0 0 0 0
HostRatio master.debian.org 0 0 0 0         # leech access (default)
GroupRatio proftpd 100 10 5 100000          # 100:1 files, 10 file cred
                                            # 5:1 bytes, 100k byte cred
AnonRatio [email protected] 1 0 1 0      # 1:1 ratio, no credits
UserRatio * 5 5 5 50000                     # special default case
</code>
</tscreen>
<P>This example is for someone who (1) has downloaded 1 file of 82k,
(2) has uploaded nothing, (3) has a ratio of 5:1 files and 5:1
bytes, (4) has 4 files and 17k credit remaining, and (5) is now
changing directory to /art/nudes/young/carla. The initial credit,
not shown, was 5 files and 100k (UserRatio * 5 5 5 100000).
<P>Version 2.0 and above of this module integrate with mod_sql.
<sect2>Limitations of mod_ratio
<P>It appears that the ratio limits in mod_ratio are only maintained
on a per session basis and there is no ongoing tracking of usage.
<sect1>Slow logins
<P>This is probably caused by a firewall or DNS timeout. By default
ProFTPD will try to do both DNS and ident lookups against the incoming
connection. If these are blocked or excessively delayed a slower than
normal login will result. To turn off DNS and ident use:
<tscreen>
<code>
UseReverseDNS off
IdentLookups off
</code>
</tscreen>
<sect2>IdentLookups and tcpwrappers
***
<sect1>Lots of "FTP session closed" messages
<P>
<tscreen>
<verb>
Oct 7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
Oct 7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
</verb>
</tscreen>
<P>The above log extract is likely to be caused by a local monitoring
system or a particularly aggressive DoS attack. Most service
monitoring systems try opening the ftp port on the target server to
detect whether it is active and running. Most of the time these tests
are followed by an immediate "QUIT" or disconnection.
<P>TCPdump/TCPshow on the server in question should show which machine
on your network is generating these connections.
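<P>As an added example (not from the FAQ or from ProFTPD), this Python counts "FTP session closed." lines per minute in the syslog format shown above and reports windows that reach a threshold, which separates a probing monitor or a flood from normal traffic. The log lines and the year it assumes (syslog omits the year) are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Syslog line layout as in the extract above:
#   Oct  7 12:30:48 salvage2 proftpd[8874]: FTP session closed.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+proftpd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Constructed sample log (not from the FAQ): a normal session at 12:29, a burst
# of twelve closes in three seconds at 12:30, then a lone close at 12:31.
SAMPLE_LOG = (
    ["Oct  7 12:29:03 salvage2 proftpd[8801]: FTP session opened.",
     "Oct  7 12:29:05 salvage2 proftpd[8801]: FTP session closed."]
    + ["Oct  7 12:30:%02d salvage2 proftpd[%d]: FTP session closed." % (48 + i // 4, 8874 + i)
       for i in range(12)]
    + ["Oct  7 12:31:10 salvage2 proftpd[8901]: FTP session closed."]
)


def parse_line(line, year=2002):
    """Parse one syslog line into a dict, or return None if it is not a proftpd line.
    Syslog omits the year, so the caller supplies it (assumed 2002 here)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime("%s %s %s %s" % (year, m["mon"], m["day"], m["time"]),
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "pid": int(m["pid"]), "msg": m["msg"]}


def closes_per_window(lines, window_seconds=60, year=2002):
    """Count 'FTP session closed.' events per fixed window of window_seconds.
    Returns {window_start: count} with the start as 'YYYY-MM-DD HH:MM:SS'; windows
    are aligned to the start of the year, so a 60-second window starts on a whole minute."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or rec["msg"] != "FTP session closed.":
            continue
        since_year = int((rec["ts"] - datetime(rec["ts"].year, 1, 1)).total_seconds())
        start = rec["ts"] - timedelta(seconds=since_year % window_seconds)
        counts[start.strftime("%Y-%m-%d %H:%M:%S")] += 1
    return dict(counts)


def find_bursts(lines, window_seconds=60, threshold=10, year=2002):
    """Windows whose close count reaches threshold, oldest first, as (start, count).
    A burst like this points at a monitoring probe or a connection flood; the
    log line carries no peer address, so confirm with tcpdump on port 21."""
    counts = closes_per_window(lines, window_seconds, year)
    return sorted((start, n) for start, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for start, n in find_bursts(SAMPLE_LOG):
        print("%s: %d sessions closed within 60s" % (start, n))
```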
<sect1>How do I see who is connected?
<P>The ftpwho command lists the state of each ftp connection to the
server and what its current activity is. However this does not
detail the connection information on a virtual by virtual basis.
<sect1>Can I force ProFTPD to listen on only one IP?
<P>Sort of; it's not quite as clean as the socket binding under Apache,
but the principle works something like this.
<sect2>Standalone mode
<P>
<descrip>
<tag>To listen on the primary IP of a host</tag>
Use the SocketBindTight directive.
<tag/To listen on interfaces which are not the primary host interface/
Use the SocketBindTight directive, place your server configuration in
a <VirtualHost ftp.mydomain.com> block and use "Port 0" for the
main host configuration and "Port 21" inside the VirtualHost
block.
</descrip>
<sect2>inetd
<P>There are two approaches possible, the first is to use the patch
from Daniel Roesen <[email protected]> (check
the mailing list archives).
<P>The second method is to run ProFTPD from xinetd
(http://synack.net/xinetd/), a more advanced replacement of inetd. An
entry for this in xinetd.conf would be something like this:
<tscreen>
<code>
service ftp
{
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/proftpd
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
        #bind           = [IP to bind to]
}
</code>
</tscreen>
<sect1>"FTP server shut down ... please try again later."
<P>Check for /etc/shutmsg and delete it.
<sect1>How do I shutdown the server without killing proftpd?
<P>ftpshut allows the server to disallow connections with a message
without actually taking down the service. The shutdown can be
scheduled for a point in the future or right now, and existing connections
can be allowed to finish, or be terminated now. Re-enabling is done
by removing the /etc/shutmsg file.
<sect1>Is it possible to shutdown a single VirtualHost?
<P>No, the shutmsg file works at a daemon level not at a virtual host
level.
<sect1>Error 421
<P>This appears to be a general catch all error code meaning "something
nasty has gone wrong".
<itemize>
<item>Connection has timed out
<item>The DefaultRoot specified doesn"t exist
<item>The parent server has been killed
<item>Check /etc/services
<item>Wrong permissions on the DefaultRoot
</itemize>
<P>You get the idea...
<sect1>proftpd doesn't show in the processlist
<P>Two possible reasons: first, that it is simply not running (try
proftpd -n -d2 to run in debug mode and see what happens); the other
is that it's running from inetd and there are no active sessions at
the moment.
<sect1>How do I restart/reload the server?
<P>This depends on the mode you are running the server in.
<sect2>Inetd
<P>Unless you're making a configuration change to inetd itself nothing
needs doing. The server reloads the configuration every time a new
connection is made.
<sect2>Standalone
<P>Either stop and start the server completely (a little aggressive
for most admins' tastes) or send a SIGHUP to the master daemon
process.
<sect1>Fatal: unable to determine IP address of
<P>Proftpd was unable to work out what IP is associated with the
hostname in the VirtualHost block. Normally caused by a problem
with the DNS resolution of the host, check the resolv.conf file
and that your chosen nameservers are functional.
<sect1>451 append/restart not permitted, try again
<P>AllowStoreRestart is disabled by default because it will allow any
writable file to be corrupted by a malicious user. It is recommended
that this option is only used with authenticated users and then only
in certain directories.
<sect1>501 REST not compatible with server configuration
<P>As mentioned in the description of the HiddenStores configuration directive,
use of that directive is incompatible with the FTP command REST. Either
disable use of REST with the AllowRetrieveRestart and AllowStoreRestart
directives, or do not use HiddenStores.
<sect1>The time being displayed is wrong
<P>The default behaviour for ProFTPD is to display all times relative
to GMT. To use local time set "TimesGMT off" in the server section of
the config. There is a known issue with Redhat 7, with regard to time
handling.
http://www.redhat.com/support/errata/rh7-errata-bugfixes.html
<sect1>Authentication is taking too long
<P>Make sure that UseReverseDNS is off, and turn off ident lookups.
Additionally check the size of your /etc/passwd (or shadow) file; if
it is large then the only solution may be to move to another
authentication scheme.
<sect1>Corrupted files
<P>There appear to be some problems with both the use of sendfile()
in ProFTPD and with the implementation within certain operating systems.
<sect1>Can I upgrade ProFTPD without terminating the current sessions?
<P>Short answer, no. Longer answer is no, but you can minimise the
effects. The cleanest approach on servers which have significant
amounts of traffic appears to be to use ftpshut to block new
connections and terminate existing ones after a pre-determined time
period and then to upgrade and restart. This approach limits the
number of downloads which are terminated part way through.
<sect1>No such group "nogroup"
<p>The default ProFTPD configuration file uses the user "nouser" and
the group "nogroup"; some systems / distributions do not have the
group "nogroup" defined. The solution is either to add the group
"nogroup" to /etc/group or to change the "nogroup" entry in
proftpd.conf to a group which does exist.
<sect1>Why do I see "unable to set groups: Invalid argument"?
<p>The setting of the group privileges for a process uses the setgroups(2)
system call. This call will fail with the above error message for
one of two reasons: there is a negative GID value for one of the
groups, or the maximum number of groups for a single user has been
exceeded.
<p>Ideally, all IDs, both UID and GID, will be positive. Unfortunately,
it is common on many systems to use -1 or -2, especially for such
users as 'nobody', or the group 'nogroup'. Because C stores these IDs in
unsigned types, such values become very large numbers; some functions,
like setgroups(), reject them. In general, always use positive ID numbers.
<p>The other limitation is the number of supplemental groups for a user
(i.e. non-primary groups, the ones configured in /etc/group). The
maximum number of supplemental groups to which a user may belong
is defined by the operating system constant NGROUPS_MAX. On
some operating systems, such as Solaris, this limit may be
tunable.
<p>Some other applications may not encounter this error because they use
the initgroups(3) function, which reads the /etc/group file for a user's
supplemental group memberships and sets those groups. This function,
however, silently ignores any of a user's supplemental groups beyond
NGROUPS_MAX, unlike setgroups(2), which complains.
If this is the cause of your error message, any solution will most
likely involve reducing the number of groups your users are members of,
or tuning the NGROUPS_MAX value, if your operating system allows it.
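<p>As an added example (not part of this FAQ or of ProFTPD), the following
POSIX shell functions audit a group file for the two conditions described
above: GIDs that are negative (or stored as the huge unsigned value a
negative GID becomes) and users whose supplemental group count exceeds
NGROUPS_MAX. The group file path and the limit are parameters so that a
constructed copy can be checked instead of the live /etc/group; the
function names are my own.

```shell
#!/bin/sh
# Added example, not from the ProFTPD FAQ: audit a group file for the two
# causes of "unable to set groups: Invalid argument" discussed above.
# Assumes POSIX sh, awk and getconf.

# Print "group:gid" for every GID in GROUPFILE that is negative, or that
# exceeds 2^31-1 (which is how -1/-2 look once stored as an unsigned gid_t).
negative_gids() {
    awk -F: '$3 ~ /^-/ || $3+0 > 2147483647 { print $1 ":" $3 }' "$1"
}

# Count the supplemental groups of USER (field 4 member lists) in GROUPFILE.
count_supplemental_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { c++; break }
    } END { print c + 0 }' "$2"
}

# Succeed if USER fits within NGROUPS_MAX; an optional third argument
# overrides the getconf value (useful for checking a target system's limit).
user_fits_ngroups_max() {
    limit=${3:-$(getconf NGROUPS_MAX)}
    [ "$(count_supplemental_groups "$1" "$2")" -le "$limit" ]
}
```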
<sect1>Why do I see PAM error messages like these when I log out?
<p>
<tscreen>
<code>PAM(exit): Permission denied.,
open_module: stat(/usr/lib/security/pam_unix.so.1) failed: No such
file or directory
load_modules: can not open module /usr/lib/security/pam_unix.so.1
PAM(exit): Dlopen failure.
</code>
</tscreen>
<p>These messages appear when the DefaultRoot configuration directive is
in effect. This directive causes a user to be confined using the
chroot(2) system call. This call, however, also affects other
components of the system, such as PAM. In this case, PAM's configuration
causes the PAM library to attempt to open PAM modules using a path that
is no longer valid inside the chroot, hence the errors. This happens on
logout because the chroot has already taken place by that point; on
login, the PAM modules are found and loaded before the chroot, so there
are no errors. These are merely cosmetic reporting errors and do not
affect the functionality or security of the server.
<!-- -------------------- -->
<!-- Configuration Issues -->
<!-- -------------------- -->
<sect>Configuration problems
<P>Problems encountered in trying to make the server behave
exactly as required after compilation and installation are
complete and the server is running.
<sect1>How do I add another anonymous login or guest account?
<P>
You should look in the sample-configurations/ directory from
your distribution tarball. Basically, you'll need to create another
user on your system for the guest/anonymous ftp login. For security
reasons, it's very important that you make sure the user account
either has a password or has an "unmatchable" password. The root
directory of the guest/anonymous account doesn't have to be the user's
home directory, but it makes sense to do so. After you have created the
account, put something like the following in your /etc/proftpd.conf
file (assuming the new user/group name is private/private):
<tscreen><code>
<Anonymous ~private>
AnonRequirePassword off
User private
Group private
RequireValidShell off
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
</code></tscreen>
<P>This will allow ftp clients to login to your site with the username
"private" and their e-mail address as a password. You can change the
AnonRequirePassword directive to "on" if you want clients to be
forced to transmit the correct password for the "private" account.
This sample configuration allows clients to change into, list and read
all directories, but denies write access of any kind.
<sect1>How do I ftp as root?
<P>First off, this is a <bf>bad idea</bf>: ftping as root is insecure,
and there are better, more secure ways of moving files as root.
<P>To enable root ftp ensure that the directive "RootLogin on" is
included in your configuration.
<sect1>How do I provide a secure upload facility?
<P>
The following snippet from a sample configuration file
illustrates how to protect an "upload" directory in such a fashion
(which is a very good idea if you don't want people using your site
for "warez"):
<tscreen><code>
<Anonymous /home/ftp>
# All files uploaded are set to username.usergroup ownership
User username
Group usergroup
UserAlias ftp username
RequireValidShell off
<Limit WRITE>
DenyAll
</Limit>
<Directory pub/incoming/>
<Limit STOR CWD>
AllowAll
</Limit>
<Limit READ RMD DELE MKD>
DenyAll
</Limit>
</Directory>
</Anonymous>
</code></tscreen>
<P>This denies all write operations to the anonymous root directory
and sub-directories, except "incoming/" where the permissions are
reversed and the client can store but not read. If you used <Limit
WRITE> instead of <Limit STOR> on <Directory incoming>,
ftp clients would be allowed to perform all write operations to the
sub-dir, including deleting, renaming and creating directories.
<sect1>How can I stop my users from using their space as a warez repository?
<P>The above fragment controls anonymous users; however, if a local
user with a full account with upload and download capability is abusing
their space, then the technical measures which can be taken are
limited. Applying a sane system quota is a good start, and using the
mod_quota and mod_ratio modules may control the rates of
upload/download, making the space less useful as a warez repository. In
the end it comes down to system monitoring and good site AUPs and
their enforcement.
<sect1>Can I rotate files out of an upload directory after upload?
<P>Yes. You'll need to write a script which either checks the
contents of the directory regularly and moves a file once it has
detected no size change in it for a chosen number of seconds, or which
monitors an upload log. There is no automatic method for doing this.
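<p>As an added example (not part of this FAQ or of ProFTPD), a small POSIX
shell function of the first kind, intended to be run from cron. It uses
the file's modification time rather than a size comparison as the
"quiet for N seconds" test, since an upload in progress keeps bumping the
mtime; it assumes GNU coreutils (stat -c %Y) and that the incoming and
destination directories are on the same filesystem, so the move is an
atomic rename rather than a copy.

```shell
#!/bin/sh
# Added example, not from the ProFTPD FAQ: move uploads that have been
# idle for a while out of an incoming directory.  Assumes GNU stat.

# rotate_uploads INCOMING DEST STABLE_SECONDS
# Moves regular files in INCOMING whose mtime is at least STABLE_SECONDS
# old into DEST, skipping anything that would overwrite an existing file.
# Prints the number of files moved.
rotate_uploads() {
    incoming=$1
    dest=$2
    stable=$3
    now=$(date +%s)
    moved=0
    for f in "$incoming"/*; do
        # regular files only: no directories, and no symlinks an uploader
        # might drop to point the rotation at something else
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        mtime=$(stat -c %Y "$f")
        if [ $((now - mtime)) -ge "$stable" ]; then
            [ -e "$dest/$(basename "$f")" ] && continue   # never clobber
            mv -- "$f" "$dest"/ && moved=$((moved + 1))
        fi
    done
    echo "$moved"
}
```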
<sect1>How can I hide a directory from anonymous clients?
<P>Use the HideUser or HideGroup directive in combination with the
proper user/group ownership on the directory. For example, if you
have the following directory in your anonymous ftp directory tree:
<tscreen><verb>
drwxrwxr-x 3 ftp staff 6144 Apr 21 16:40 private
</verb></tscreen>
<P>You can use a directive such as "HideGroup staff" to hide the private
directory from a directory listing. For example:
<tscreen><code>
<Anonymous ~ftp>
...
<Directory Private>