#<Global> can also be left out; keeping it is clearer if several virtual hosts are configured later
IdentLookups off #faster connections; see also UseReverseDNS below
RequireValidShell off #anonymous setups generally need this
MaxLoginAttempts 1 #maximum number of password attempts; 1 is enough for anonymous
WtmpLog NONE #do not log to wtmp
DenyFilter \*.*/.ftpaccess #DenyFilter does some filtering; regular expression
#DenyFilter ~!`\**/?,$@ # write your own as needed; the one above is pretty bad :P
#LsDefaultOptions "-l" #ls options
#AllowForeignAddress on #set to on to allow FXP
CommandBufferSize 128 #maximum command length
DirFakeUser On FTP #do not show clients the real user and group
DirFakeGroup On FTP
DeferWelcome on #welcome message
PathDenyFilter "(^\.ftpaccess$)" #like DenyFilter, used for filtering
User nobody #the user and group proftpd runs as
Group nobody
TimesGMT off #time
DenyAll
#for various reasons deny here to begin with and re-enable below where needed. READ could be added here too...
#the network range allowed to connect (LOGIN) can also be set here, or below; a firewall is recommended
IgnoreHidden on
HideNoAccess on
AllowOverwrite off #forbid overwriting; resumed transfers are enabled below
#AllowRetrieveRestart defaults to on; it can also be written here
ServerName "FTP server"
ServerType standalone #run mode; inetd or xinetd can also be used
ServerIdent on "Welcome to FTP" #shown to clients before authentication; a file can be used instead, omitted here
DefaultServer on
UseReverseDNS off #speeds up connections
Port 21 #FTP port
Umask 022 #umask; use 002 for easier management
PassivePorts 20000 30000 #passive-mode port range
SystemLog /var/proftpd/syslog #log; remember to add your own logrotate configuration
MaxInstances 250 #maximum number of instances
TimeoutLogin 30 #authentication timeout
TimeoutIdle 120 #idle timeout
TimeoutNoTransfer 300 #no-data-transfer timeout
#TimeoutStalled 300
#some custom log formats; adjust as needed or use the default
LogFormat myxfer "%h %u %t \"%r\" %s %b"
LogFormat default "%h %a %u %t \"%r\" %s %b $$ \'%F\'"
LogFormat auth "%h %a %t \"%r\" %s"
LogFormat write "%h %a %t \"%r\" %s %b"
#anonymous root directory; remember to set the directory permissions, the ftp user needs at least r and x
User ftp
Group ftpadmin
Umask 002
UserAlias anonymous ftp
MaxClients 50 "客满(%m)" #message shown when the server is full; some variables can be used
#RateReadBPS 500000 #for rate limiting
MaxClientsPerHost 2 "连接数多" #number of connections per IP
TransferLog NONE #log
ExtendedLog /var/proftpd/upload.log write myxfer #log
ExtendedLog /var/proftpd/download.log read myxfer #log
DisplayLogin etc/welcome #welcome file; some variables can be used
DisplayFirstChdir .message #message shown when changing directory
AuthAliasOnly on #only allow names aliased via UserAlias; here anonymous is allowed but ftp is not
AllowAll
#open up to allow connections; this could be the allowed network range, a firewall is recommended
AllowStoreRestart on #upload directory: resumed uploads allowed, no overwriting
AllowAll
#if downloads should be disallowed and only uploads permitted, add:
#
DenyAll
#that is about it; each directory can have a .ftpaccess file setting permissions
#the following two are for reference, as needed
#in the FTP root but not viewable; the welcome message was put there above, though other things could go there
DenyAll
#restrict viewing to a particular IP range; can also be set in the directory's .ftpaccess
Order deny,allow
Allow from 166.111.
#that completes the anonymous setup
#accounts and passwords can be added in several ways: password files, databases, etc.
#with system accounts, DefaultRoot can restrict the working directory, e.g. confine the user to home ~
#there is much more; read the documentation as needed, e.g. enabling MultilineRFC2228
#
#remember to set directory permissions; both r and x are required
#remember to set file permissions (chmod/chown) and configure .ftpaccess
#you should know ls rm chmod chown find xargs crontab etc. for basic administration
#kill/killall -HUP, or use the ftpshut and ftpwho scripts
#rm -f /etc/shutmsg
#there are many more helper tools; you can also write your own scripts
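The ExtendedLog lines above (upload.log and download.log, written with the myxfer LogFormat) are the record a defender has of what anonymous clients did. The following Python is an added example, not part of the original configuration or of ProFTPD: it parses lines in the %h %u %t "%r" %s %b layout, aggregates write commands per client host, and flags attempts to write hidden files (the kind of name the DenyFilter/PathDenyFilter above are meant to reject) and hosts with more successful uploads than a threshold. The sample lines and the bracketed %t timestamp layout are constructed assumptions; adapt the regex if your server prints the time differently.

```python
import re
from collections import defaultdict

# Constructed sample of an upload.log written with
#   LogFormat myxfer "%h %u %t \"%r\" %s %b"
# (host, user, time, full command, FTP response code, bytes). The timestamp
# layout is assumed; the 550 on .ftpaccess is what a PathDenyFilter hit looks like.
SAMPLE_UPLOAD_LOG = """\
198.51.100.7 anonymous [12/Mar/2024:10:01:02 +0000] "STOR incoming/report.pdf" 226 48213
198.51.100.7 anonymous [12/Mar/2024:10:01:09 +0000] "STOR incoming/report2.pdf" 226 51200
198.51.100.7 anonymous [12/Mar/2024:10:01:15 +0000] "STOR incoming/.ftpaccess" 550 0
203.0.113.9 anonymous [12/Mar/2024:10:05:40 +0000] "APPE incoming/big.iso" 426 1048576
203.0.113.9 anonymous [12/Mar/2024:10:07:40 +0000] "STOR incoming/notes.txt" 226 912
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<command>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# The WRITE command group as listed in the document: every verb that creates,
# changes or removes a name on the server.
WRITE_VERBS = {"APPE", "DELE", "MKD", "RMD", "RNTO", "STOR", "STOU", "XMKD", "XRMD"}


def parse_line(line):
    """Turn one myxfer-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    verb, _, arg = rec["command"].partition(" ")
    rec["verb"] = verb.upper()
    rec["path"] = arg
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records, max_uploads_per_host=1):
    """Aggregate write commands per client host and produce simple alerts.

    Alerts are tuples: ("hidden-file-write", host, path, status) for any attempt
    to write a dotfile, and ("upload-volume", host, ok_count, bytes) for hosts
    whose successful (2xx) uploads exceed max_uploads_per_host.
    """
    per_host = defaultdict(lambda: {"ok": 0, "failed": 0, "bytes": 0})
    alerts = []
    for r in records:
        if r["verb"] not in WRITE_VERBS:
            continue
        stats = per_host[r["host"]]
        name = r["path"].rsplit("/", 1)[-1]
        if name.startswith("."):
            # Hidden-file writes are what the filters reject; worth a look
            # regardless of whether the server accepted them.
            alerts.append(("hidden-file-write", r["host"], r["path"], r["status"]))
        if 200 <= r["status"] < 300:
            stats["ok"] += 1
            stats["bytes"] += r["bytes"]
        else:
            stats["failed"] += 1
    for host, stats in per_host.items():
        if stats["ok"] > max_uploads_per_host:
            alerts.append(("upload-volume", host, stats["ok"], stats["bytes"]))
    return {"per_host": dict(per_host), "alerts": alerts}


if __name__ == "__main__":
    result = summarize(parse_log(SAMPLE_UPLOAD_LOG))
    for host, stats in result["per_host"].items():
        print(host, stats)
    for alert in result["alerts"]:
        print("ALERT", alert)
```

Run it against a real upload.log by replacing SAMPLE_UPLOAD_LOG with the file contents; the response code (%s) is the cheapest signal here, since a 550 on a filtered name means the filter did its job while a burst of 226 responses from one host is what MaxClientsPerHost and the rate limits are there to contain.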
An English document for information
=======================================================
Configuring <Limit>s
ProFTPD's <Limit> configuration sections allow for powerful fine-grained control over who is allowed to use which FTP commands. This power comes at the price of complexity, however. This document describes some of the things to keep in mind when writing <Limit> sections.
Precedence
Perhaps the hardest part of using <Limit> is understanding its rules of precedence, which dictate which <Limit>'s restrictions apply when. Precedence is discussed in the directive documentation, and will be mentioned here. First, there are three types of parameters in a <Limit> directive: "raw" FTP commands, FTP command groups, and the ALL keyword.
"Raw" FTP commands are listed here, including the RFC-mandated X-variant FTP commands, which are often missing from a thorough <Limit> configuration.
The FTP command groups are:
- ALL: all FTP commands
- DIRS: CDUP, CWD, LIST, MDTM, NLST, PWD, RNFR, STAT, XCUP, XCWD, XPWD
- LOGIN: client logins
- READ: RETR, SIZE
- WRITE: APPE, DELE, MKD, RMD, RNTO, STOR, STOU, XMKD, XRMD
<Limit>s that use "raw" FTP commands have the highest precedence, followed by <Limit>s that use the command groups, and, having the lowest precedence, the ALL keyword. If a <Limit> has both "raw" commands and command groups, then it boils down to the order of appearance of <Limit> sections in proftpd.conf that use the "raw" command in question.
SITE Commands
To apply a <Limit> to a SITE command, combine "SITE" and the command (e.g. "CHMOD") by an underscore ("_"), like so:
<Limit SITE_command>
Thus, in order to place a limit on SITE CHMOD, one would have:
<Limit SITE_CHMOD>
DenyAll
</Limit>
Inheritance
Most <Limit> sections appear within <Directory> sections in proftpd.conf. This means that, like the other <Directory> configuration effects, the <Limit>s will be inherited by all subdirectories that appear in the <Directory> path, unless explicitly overridden by a "closer" <Limit> section. This means that one could configure a <Limit> section denying all FTP commands for all directories, and then explicitly allow the READ or WRITE FTP command groups in appropriate subdirectories (e.g. pub/ or incoming/ directories).
Using AllowUser
There is a catch to using the AllowUser configuration directive that causes confusion, primarily when a single AllowUser directive is being used to allow access to some FTP commands only to certain users. ProFTPD uses the same function for parsing the AllowUser and AllowGroup (and other) directives. This function parses the list of names for such directives as a Boolean AND list, which means that each name on the list must evaluate to TRUE (must match) for the current user in order for the directive to apply. For AllowGroup, this makes sense, and allows a great deal of flexibility. However, it does not make sense for AllowUser, because a user cannot be multiple users at the same time. This is a known issue, and a proper, thorough solution is being developed. In the meantime, however, there is a workaround for allowing multiple users via the AllowUser directive: rather than listing the users in a single AllowUser, use a separate AllowUser for each user. For example, instead of:
AllowUser bob,dave,wendy
try using:
AllowUser bob
AllowUser dave
AllowUser wendy
Using Order
One thing that sometimes trips up some administrators is the difference between ProFTPD's and Apache's Order configuration directives. For Apache, an Order of "Allow,Deny" means that access is denied by default, unless an Allow directive explicitly allows access; an Order of "Deny,Allow" means that access is allowed by default, unless a Deny directive explicitly denies access. This is different from ProFTPD, where an Order of "Allow,Deny" allows access by default, unless denied by a Deny directive; "Deny,Allow" denies access by default, unless explicitly granted by an Allow directive. The developers of ProFTPD felt their interpretation to be the more "common sense" interpretation, even though it does not match Apache's interpretation.
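To make the Precedence, Inheritance, AllowUser and Order rules above concrete, here is an added Python model of them. It is not ProFTPD code (ProFTPD is written in C) and it only implements the rules as this document states them; the simplifications are labelled: a closer <Directory> beats any <Limit> in a parent, within one directory a raw command beats a group beats ALL with earlier appearance breaking ties, and for Order the side named first is checked first and wins on a match (which is how an AllowUser line followed by DenyAll must behave). Each AllowUser is one name, per the workaround above. The configurations at the bottom are constructed for the demonstration.

```python
import posixpath
from dataclasses import dataclass, field

# FTP command groups exactly as listed in the document. LOGIN is not a
# filesystem command; a <Limit LOGIN> is evaluated with limit_allows() directly.
COMMAND_GROUPS = {
    "DIRS": {"CDUP", "CWD", "LIST", "MDTM", "NLST", "PWD", "RNFR", "STAT",
             "XCUP", "XCWD", "XPWD"},
    "READ": {"RETR", "SIZE"},
    "WRITE": {"APPE", "DELE", "MKD", "RMD", "RNTO", "STOR", "STOU", "XMKD", "XRMD"},
}


@dataclass
class Limit:
    """One <Limit ...> block. Rules are (kind, value) pairs with kind in
    {"user", "group", "all"}; one pair per AllowUser line, as the document advises."""
    targets: tuple                                # ("ALL",), ("WRITE",), ("STOR", "STOU"), ...
    allows: list = field(default_factory=list)    # AllowUser / AllowGroup / AllowAll
    denies: list = field(default_factory=list)    # DenyUser / DenyGroup / DenyAll
    order: str = "allow,deny"                     # ProFTPD's default Order


@dataclass
class Directory:
    """One <Directory path> block and the <Limit>s it contains, in file order."""
    path: str
    limits: list


def _matches(rules, user, groups):
    return any(kind == "all" or (kind == "user" and value == user)
               or (kind == "group" and value in groups) for kind, value in rules)


def limit_allows(limit, user, groups=()):
    """Order semantics as the document states them (assumption: the side named
    first is checked first and wins on a match): allow,deny permits unless a
    Deny matches, deny,allow refuses unless an Allow matches."""
    allow_hit = _matches(limit.allows, user, groups)
    deny_hit = _matches(limit.denies, user, groups)
    if limit.order == "allow,deny":
        return True if allow_hit else not deny_hit
    return False if deny_hit else allow_hit


def _specificity(limit, command):
    """0 = raw command named, 1 = named via a group, 2 = via ALL, None = not covered."""
    best = None
    for target in (t.upper() for t in limit.targets):
        if target == command:
            return 0
        if target in COMMAND_GROUPS and command in COMMAND_GROUPS[target]:
            best = 1
        elif target == "ALL" and best is None:
            best = 2
    return best


def command_allowed(directories, command, path, user, groups=()):
    """Decide whether `user` may run `command` on `path` (model assumptions):
    the closest <Directory> wins (inheritance), then raw command beats command
    group beats ALL (precedence), then earlier appearance wins; with no
    applicable <Limit> at all, the command is allowed."""
    command = command.upper()
    path = posixpath.normpath(path)
    candidates = []
    for d_index, directory in enumerate(directories):
        dir_path = posixpath.normpath(directory.path)
        if path != dir_path and not path.startswith(dir_path.rstrip("/") + "/"):
            continue  # this <Directory> does not cover the path
        for l_index, limit in enumerate(directory.limits):
            spec = _specificity(limit, command)
            if spec is not None:
                # sort key: longer (closer) path first, then specificity, then file order
                candidates.append((-len(dir_path), spec, d_index, l_index, limit))
    if not candidates:
        return True
    candidates.sort(key=lambda c: c[:4])
    return limit_allows(candidates[0][4], user, groups)


# Constructed configurations: an upload-only directory, a parent that denies
# WRITE with a child that re-allows STOR/STOU, and a delete limit for one admin.
UPLOAD_ONLY = [Directory("/path/to/uploads", [
    Limit(("ALL",), denies=[("all", None)]),
    Limit(("CDUP", "CWD", "XCWD", "XCUP"), allows=[("all", None)]),
    Limit(("STOR", "STOU"), allows=[("all", None)]),
])]
INHERITED = [
    Directory("/ftp", [Limit(("WRITE",), denies=[("all", None)])]),
    Directory("/ftp/incoming", [Limit(("STOR", "STOU"), allows=[("all", None)])]),
]
DELETE_ONLY_ADMIN = Limit(("DELE",), allows=[("user", "ftpadm")], denies=[("all", None)])

if __name__ == "__main__":
    for cmd in ("STOR", "LIST", "CWD", "DELE"):
        print(cmd, command_allowed(UPLOAD_ONLY, cmd, "/path/to/uploads/f", "anonymous"))
    print("DELE as bob:", limit_allows(DELETE_ONLY_ADMIN, "bob"))
```

The useful check to run against your own proftpd.conf is the negative one: for every directory that is meant to be read-only or upload-only, feed each verb of the WRITE group through command_allowed() and confirm it comes back False for an ordinary user; a single raw-command <Limit> added later for convenience silently outranks the <Limit ALL> that was supposed to close the directory.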
Examples
Here are examples to help illustrate the use of <Limit>. First, a common configuration: an upload-only directory.
<Directory /path/to/uploads>
<Limit ALL>
DenyAll
</Limit>
<Limit CDUP CWD XCWD XCUP>
AllowAll
</Limit>
<Limit STOR STOU>
AllowAll
</Limit>
</Directory>
The first <Limit ALL> section blocks use of all FTP commands within the /path/to/uploads directory. Having denied use of all commands, we then proceed to define which commands can be used. The CDUP and CWD commands (and their X variants) should be allowed so that clients can change into and out of the directory. Next, STOR and STOU are allowed, so that clients can actually upload files into the directory (assuming that the filesystem permissions allow the client to write files in the directory as well). The WRITE command group might have been used, but that also allows things like creating and deleting subdirectories, which is usually not wanted in an upload-only configuration.
This next example shows a "blind" directory, where clients can upload and download files from the directory, but they cannot see what is in the directory:
<Directory /path/to/dir>
<Limit LIST NLST>
DenyAll
</Limit>
</Directory>
That's it. By default, all commands are allowed in a directory. By blocking the two FTP commands used to list a directory's contents (i.e. LIST and NLST), we have effectively blocked the client from seeing anything in the directory.
Cautious system administrators may want only a few select system users to be able to connect to their proftpd server--all other users are to be denied access. The LOGIN command group is designed for just this scenario:
<Limit LOGIN>
AllowUser barb
AllowUser dave
AllowGroup ftpuser
DenyAll
</Limit>
This allows the users barb and dave, as well as any user in the ftpuser group, to login. All other users will be denied.
What if a site wished to allow only anonymous access? This would be configured using the LOGIN command group, as above:
<Limit LOGIN>
DenyAll
</Limit>
<Anonymous ~ftp>
<Limit LOGIN>
AllowAll
</Limit>
...
</Anonymous>
The <Limit> section outside of the <Anonymous> section denies logins to everyone. However, the <Anonymous> section has a <Limit> that allows everyone to login; anonymous logins are allowed, and non-anonymous logins are denied.
Another related question often asked is "How can I limit a user to only being able to login from a specific range of IP addresses?" The <Limit LOGIN> can be used, in conjunction with the mod_ifsession module and a Class, to configure this:
<Class friends>
From 1.2.3.4/8
</Class>
<IfUser dave>
<Limit LOGIN>
AllowClass friends
DenyAll
</Limit>
</IfUser>
Note that the same effect can be achieved by using the mod_wrap module to configure user-specific allow/deny files.
One situation that often arises is one where the administrator would like to give users the ability to upload and download files from a given directory, but not to be able to delete files from that directory. This cannot be accomplished using normal Unix filesystem permissions, for if a user has write permission on a directory (necessary for uploading files to that directory) they also have delete permissions. In Unix, a directory file serves as a sort of "table of contents", tracking the files in the directory. Adding or removing a file are thus changes to the directory file, and do not involve checking the permissions on the file being added or removed. This is also how a non-root user can delete files that are owned by root and only have user-write permissions. So how then can a site be configured to allow writes but not deletes? By using a configuration similar to the following:
<Directory /path/to/dir>
<Limit DELE>
AllowUser ftpadm
DenyAll
</Limit>
</Directory>
This will allow the user 'ftpadm' to delete files in /path/to/dir, but no other users.
The FTP protocol has two types of data transfers: active and passive. In some configurations, only one type of transfer is allowed by the network (e.g. active transfers should be denied because clients are sending the wrong IP addresses). The ability to place a <Limit> on the FTP commands responsible for active and passive data transfers was added to ProFTPD in 1.2.10rc1. If you are using that version or later, you can use the following to block active transfers:
<Limit PORT>
DenyAll
</Limit>
Or, conversely, to block passive data transfers:
<Limit PASV>
DenyAll
</Limit>