PROFTPD - SFTP CONFIGURATION
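# This is the ProFTPD configuration file
#
# See: http://www.proftpd.org/docs/directives/linked/by-name.html

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html
#
# This deployment is SFTP-only: the real service is the mod_sftp
# <VirtualHost> at the end of the file (port 2222). Nothing in this
# server context is meant to accept client connections.

# Trace logging, disabled by default for performance reasons
# (http://www.proftpd.org/docs/howto/Tracing.html)
#TraceLog /var/log/proftpd/trace.log
#Trace DEFAULT:0

ServerType standalone
ServerName "TEST SFTPD server"

# ServerIdent only changes the greeting of the plain-FTP listener. It does
# not alter the SSH identification string mod_sftp sends on port 2222, so it
# is not an SFTP fingerprinting control (confirm against the installed
# mod_sftp version if banner hiding matters).
ServerIdent on "OpenSSH_5.3"
#ServerIdent off
ServerAdmin admin@test.com
DefaultServer on

# Disable the default plain-FTP listener (port 21) of this server context.
# Without "Port 0" proftpd still binds port 21 even though no AuthUserFile
# is defined at this level (so nobody could log in): an unauthenticated,
# unencrypted listener with nothing behind it. Remove this line only if
# plain FTP/FTPS on port 21 is really wanted - and then give this context
# its own AuthUserFile and start proftpd with -DTLS.
Port 0

# Authentication: PAM is disabled and mod_auth_file is the only
# authoritative backend, i.e. only accounts listed in the AuthUserFile of
# the <VirtualHost> can log in; /etc/passwd accounts are not usable.
AuthPAM off
AuthPAMConfig proftpd
#AuthOrder mod_auth_pam.c* mod_auth_unix.c
AuthOrder mod_auth_file.c

# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off

# Don't do reverse DNS lookups (hangs on DNS problems). Logs and any
# hostname-based rules therefore only ever see IP addresses.
UseReverseDNS off
UseIPv6 off

# Unprivileged identity the session processes drop to after login. The
# master daemon itself still starts as root (to bind ports and read the
# host keys), so every loaded module runs in a root process at startup.
User proftpd
Group ftpgroup

# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off

# Define the log formats (used by the ExtendedLog lines in <Global>)
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"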
# Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details
#
# Modules actually loaded here: mod_ctrls_admin, mod_sftp, mod_site_misc and
# mod_vroot (mod_ban and mod_qos are loaded further down, behind -D flags).
# Each loaded module adds code to the root-started daemon and to every
# session process, so keep the rest commented out until a directive needs it.
#
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
# LoadModule mod_quotatab.c
#
# File-specific "driver" for storing quota table information in files
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
# LoadModule mod_quotatab_file.c
#
#
# SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be
# used to copy files/directories from one place to another on the server
# without having to transfer the data to the client and back
# (http://www.castaglia.org/proftpd/modules/mod_copy.html)
# LoadModule mod_copy.c
#
# Administrative control actions for the ftpdctl program
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
# Loaded: gives ftpdctl restart/shutdown/kick-style actions, gated by the
# AdminControlsACLs directive further down.
LoadModule mod_ctrls_admin.c
#
# Support for MODE Z commands, which allows FTP clients and servers to
# compress data for transfer
# (http://www.castaglia.org/proftpd/modules/mod_deflate.html)
# LoadModule mod_deflate.c
#
# Execute external programs or scripts at various points in the process
# of handling FTP commands
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
# LoadModule mod_exec.c
#
# Support for POSIX ACLs
# (http://www.proftpd.org/docs/modules/mod_facl.html)
# (note that mod_facl support is disabled on many distributions:
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154146
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173047
# See also README.facl)
# LoadModule mod_facl.c
#
# Support for using the GeoIP library to look up geographical information on
# the connecting client and using that to set access controls for the server
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
# LoadModule mod_geoip.c
#
# Allow for version-specific configuration sections of the proftpd config file,
# useful for using the same proftpd config across multiple servers where
# different proftpd versions may be in use
# (http://www.castaglia.org/proftpd/modules/mod_ifversion.html)
# LoadModule mod_ifversion.c
#
# Configure server availability based on system load
# (http://www.proftpd.org/docs/contrib/mod_load.html)
# LoadModule mod_load.c
#
# Limit downloads to a multiple of upload volume (see README.ratio)
# LoadModule mod_ratio.c
#
# Rewrite FTP commands sent by clients on-the-fly,
# using regular expression matching and substitution
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
# LoadModule mod_rewrite.c
#
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
# Loaded: this is the module behind the SFTP <VirtualHost> at the end of
# the file. Keep it patched - it parses untrusted SSH packets before
# authentication.
LoadModule mod_sftp.c
#
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
# LoadModule mod_sftp_pam.c
#
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
# LoadModule mod_sftp_sql.c
#
# Provide data transfer rate "shaping" across the entire server
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
# LoadModule mod_shaper.c
#
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
# NOTE(review): these are FTP SITE commands; they add nothing to SFTP
# sessions. SITE SYMLINK lets an FTP user create arbitrary symlinks inside
# its writable directories, so on an SFTP-only host this module is attack
# surface without benefit - consider commenting it out.
LoadModule mod_site_misc.c
#
# Provide an external SSL session cache using shared memory
# (contrib/mod_tls_shmcache.html)
# LoadModule mod_tls_shmcache.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
# Not loaded: apart from the optional mod_ban block further down there is
# no source-IP access control in this file. Use mod_wrap2 or a host
# firewall if port 2222 should only be reachable from known client networks.
# LoadModule mod_wrap.c
#
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
# files, as well as SQL-based access rules, for IP-based access control
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
# LoadModule mod_wrap2.c
#
# Support module for mod_wrap2 that handles access rules stored in specially
# formatted files on disk
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
# LoadModule mod_wrap2_file.c
#
# Support module for mod_wrap2 that handles access rules stored in SQL
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
# LoadModule mod_wrap2_sql.c
#
# Implement a virtual chroot capability that does not require root privileges
# (http://www.castaglia.org/proftpd/modules/mod_vroot.html)
# Using this module rather than the kernel's chroot() system call works
# around issues with PAM and chroot (http://bugzilla.redhat.com/506735)
# NOTE(review): PAM is switched off in this file (AuthPAM off), so that
# workaround is not needed here. mod_vroot confines users by rewriting paths
# inside the session process rather than with chroot(2); the process keeps
# real access to the whole filesystem, so a mod_vroot bug is a full escape.
# Unless the per-client include files rely on VRootAlias, a kernel chroot
# (VRootEngine off, DefaultRoot unchanged) is the stronger confinement.
LoadModule mod_vroot.c
#
# Provide a flexible way of specifying that certain configuration directives
# only apply to certain sessions, based on credentials such as connection
# class, user, or group membership
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
# LoadModule mod_ifsession.c
# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded
# (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs)
ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *
# Enable basic controls via ftpdctl
# (http://www.proftpd.org/docs/modules/mod_ctrls.html)
ControlsEngine on
# NOTE(review): "proftpd" is the same unprivileged account the session
# processes run as (User proftpd above). Granting it full control and admin
# ACLs means a compromised session process that can reach the control
# socket could issue restart/shutdown/kick commands. Whether it can actually
# connect also depends on the socket's mode (ControlsSocketOwner root root
# below) - verify, and prefer "allow user root" unless an operator really
# runs ftpdctl as the proftpd user.
ControlsACLs all allow user proftpd,root
ControlsSocketACL allow user proftpd,root
ControlsLog /var/log/proftpd/controls.log
ControlsSocketOwner root root
# Enable admin controls via ftpdctl
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
# Same remark as for ControlsACLs: these are the privileged actions.
AdminControlsACLs all allow user proftpd,root
</IfModule>
# Enable mod_vroot by default for better compatibility with PAM
# (http://bugzilla.redhat.com/506735)
# NOTE(review): PAM is disabled in this file (AuthPAM off), so the stated
# reason does not apply. With VRootEngine on, every DefaultRoot below is a
# userland virtual root (path rewriting in the session process), not a
# kernel chroot(2); the process still has real access to the whole
# filesystem and a mod_vroot bug is a full escape. Unless the per-client
# include files depend on VRootAlias, "VRootEngine off" gives the stronger
# kernel-enforced confinement.
<IfModule mod_vroot.c>
VRootEngine on
</IfModule>
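# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
# Only active when proftpd is started with -DTLS. It applies to the
# plain-FTP server context, not to the mod_sftp <VirtualHost>.
<IfDefine TLS>
  TLSEngine on
  # Refuse unencrypted control and data connections.
  TLSRequired on
  # One PEM file holds both the certificate and the private key, so it must
  # be readable by root only (0600): /etc/pki/tls/certs is normally
  # world-readable, which is fine for certificates but not for this file.
  TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
  # Was "ALL:!ADH:!DES", which still admits RC4, 3DES, export-grade and
  # MD5-MAC suites. Require strong, authenticated suites only.
  TLSCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP
  # Disable SSLv3/TLSv1.0/TLSv1.1. NOTE(review): the TLSv1.2 keyword needs a
  # mod_tls/OpenSSL build that knows it - confirm on the target version
  # before starting with -DTLS, and add TLSv1.3 where the build supports it.
  TLSProtocol TLSv1.2
  # No client certificates are requested or verified.
  TLSOptions NoCertRequest
  TLSVerifyClient off
  #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
  TLSLog /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>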
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
# NOTE(review): without that -D flag nothing in this block is active, and the
# only brute-force protection left is MaxLoginAttempts dropping the
# connection, which costs an attacker one reconnect. Enable it (or put an
# external rate limiter in front) on any Internet-facing host.
<IfDefine DYNAMIC_BAN_LISTS>
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
# Shared ban table; it lives under /var/run, so bans do not survive a reboot.
BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times
# within 10 minutes, automatically add a ban for that client that
# will expire after one hour.
#BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Ban for 30mins. With MaxLoginAttempts 5 in the SFTP vhost this means 10
# failed logins within 10 minutes from one source IP; clients behind a
# shared NAT share the ban.
BanOnEvent MaxLoginAttempts 2/00:10:00 00:30:00
# Inform the user that it's not worth persisting
BanMessage "Host %a has been banned"
# Allow the FTP admin to manually add/remove bans (ftpdctl ban ...).
# "ftpadm" is presumably a local Unix account on the host; the entry is
# meaningless if it does not exist.
BanControlsACLs all allow user ftpadm root
</IfDefine>
# Set networking-specific "Quality of Service" (QoS) bits on the packets used
# by the server (contrib/mod_qos.html). Inactive unless proftpd is started
# with -DQOS; this is packet marking only and has no security effect.
<IfDefine QOS>
LoadModule mod_qos.c
# RFC791 TOS parameter compatibility
QoSOptions dataqos throughput ctrlqos lowdelay
# For a DSCP environment (may require tweaking)
#QoSOptions dataqos CS2 ctrlqos AF41
</IfDefine>
# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable. It still leaves every upload
# world-READABLE; for the shared rmp_inbound drop folder used by two groups
# in the SFTP vhost a tighter umask (027 or 077) may be what is wanted -
# NOTE(review): decide per directory, e.g. in the per-client include files.
Umask 022
# Allow users to overwrite files and change permissions
AllowOverwrite yes
# Explicitly allows every command, including SITE_CHMOD (which mod_sftp also
# applies to SFTP permission-change requests), to every user. This is the
# built-in default, so the block changes nothing by itself; it is the
# baseline the per-client include files restrict from. It also means
# IgnoreSFTPUploadPerms in the vhost does not stop a user from loosening
# permissions on a file after the upload has finished.
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
# Login attempts and read/write transfers are logged separately, using the
# LogFormats defined in the server context.
ExtendedLog /var/log/proftpd/auth.log AUTH auth
ExtendedLog /var/log/proftpd/proftpd-access.log WRITE,READ write
# Accounts in the AuthUserFile may carry a non-login shell (e.g.
# /sbin/nologin) and still use SFTP; without this only shells listed in
# /etc/shells would be accepted.
RequireValidShell off
</Global>
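# The SFTP service. Directory limits from the per-client include files are
# only honoured inside a <VirtualHost>, which is why this is not in the
# server context. Only 192.168.0.10 is bound here; add another
# <VirtualHost> for a second interface.
<VirtualHost 192.168.0.10>
  <IfModule mod_sftp.c>
    SFTPEngine on
    SFTPDisplayBanner /etc/issue.net
    # NOTE(review): Port and AuthUserFile sit inside <IfModule>. If mod_sftp
    # ever fails to load, this vhost silently becomes a plain-FTP listener on
    # the default port with no user file. Consider moving Port outside the
    # <IfModule>, and check the startup log after upgrades.
    Port 2222
    SFTPLog /var/log/proftpd/sftp.log
    TransferLog /var/log/proftpd/sftp-xferlog

    # Host keys. OpenSSH's RSA key is reused so clients see one fingerprint
    # for sshd and SFTP. The DSA key (ssh_host_dsa_key) was removed: ssh-dss
    # is fixed at 1024 bits, is disabled by default in current OpenSSH
    # clients, and a weak host key undermines every session that negotiates
    # it. Add an ECDSA/Ed25519 key here if the installed mod_sftp supports
    # it. The key file must be readable by root only; mod_sftp is expected
    # to refuse keys with group/world permissions.
    SFTPHostKey /etc/ssh/ssh_host_rsa_key

    # Auth methods: public key first, password as fallback.
    SFTPAuthMethods publickey password
    # Per-user key files named after the login name. The directory and the
    # files must be owned by root and not writable by SFTP users, otherwise
    # a user could plant a key for another account. mod_sftp expects
    # RFC 4716 key format, not OpenSSH's one-line authorized_keys format
    # (convert with "ssh-keygen -e -f <pubkey>").
    SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
    # Local account database (managed with ftpasswd). Must be root-owned
    # and not world-readable; proftpd refuses a world-readable AuthUserFile.
    AuthUserFile /etc/proftpd/sftpd.passwd
    AuthGroupFile /etc/proftpd/sftpd.group
    # Hide real group names in directory listings.
    DirFakeGroup on nobody

    # Algorithms. AES-CTR only (no CBC modes). MACs were "hmac-sha1
    # hmac-ripemd160 umac-64@openssh.com": SHA-2 is now preferred, umac-64
    # (64-bit tag) and ripemd160 are dropped, hmac-sha1 stays last for old
    # clients. NOTE(review): if the installed mod_sftp predates hmac-sha2
    # support, startup fails on the SFTPDigests line - check the log.
    SFTPCiphers aes128-ctr aes192-ctr aes256-ctr
    SFTPDigests hmac-sha2-256 hmac-sha2-512 hmac-sha1
    # Ignore the permission bits clients send with uploads; files get the
    # server Umask instead. Users can still chmod afterwards because
    # SITE_CHMOD is allowed in <Global>.
    SFTPOptions IgnoreSFTPUploadPerms
    # Compress only after authentication has completed.
    SFTPCompression delayed
    # Disconnect after 5 failed logins (feeds mod_ban when it is enabled).
    MaxLoginAttempts 5

    # SFTP folder configuration. Presumably the first DefaultRoot whose
    # group expression matches wins (verify against the DefaultRoot docs),
    # so order matters. With mod_vroot enabled these are userland virtual
    # roots, not kernel chroots: keep ownership/permissions under /sftp
    # tight as a second line of defence.
    # RMP Home Folder.
    # NOTE(review): in a ProFTPD group expression a comma means AND - this
    # line only matches users that are members of BOTH rmp_intgrp and
    # rmp_extgrp. If either group alone should be confined to rmp_inbound,
    # split it into two DefaultRoot lines, one per group.
    DefaultRoot /sftp/home/rmp_inbound rmp_intgrp,rmp_extgrp
    # Everyone else is confined to their home directory - EXCEPT members of
    # group "adm", who are deliberately NOT confined and see the whole
    # filesystem with the proftpd user's permissions. Make sure that group
    # (resolved through AuthGroupFile, presumably, since AuthOrder is
    # mod_auth_file.c only) really holds administrators only.
    DefaultRoot ~ !adm
    # Allow resuming uploads.
    AllowStoreRestart on
    # Per-client directory permissions. These files are parsed by the
    # root-started daemon: they must be root-owned and not writable by any
    # SFTP user.
    Include /etc/proftpd/clients/*.conf
  </IfModule>
</VirtualHost>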