[CentOS] wu-ftpd, proftpd, or vsftpd!

Mon May 1 17:00:07 UTC 2006
Troy Engel <tengel at fluid.com>

Rodrigo Barbosa wrote:
> 
> If that is all your users will have to do on the server, I recommend
> using proftpd with virtual users.

I concur, and do just such here to run our FTP server. It's basically 
this simple:

1) Install an RPM, here's mine compiled with a MySQL auth bugfix for 
RHEL4/CentOS4 (ProFTPd bug #2644):
ftp://falsehope.com/home/tengel/centos/4/te/i386/RPMS/proftpd-1.2.10-10_mysql.te.i386.rpm

2) Edit /etc/proftpd.conf to not use system logins, and instead use a 
set of files on the system (you can also use MySQL or another method, 
just giving the easy way here):

   AuthPAMAuthoritative  off
   AuthPam               off
   AuthUserFile          /opt/etc/passwd.ftp
   AuthGroupFile         /opt/etc/group.ftp

3) Create /opt/etc/group.ftp with one (or two) lines in it:

   ftp::50:
   nobody::99:

4) Add login users to /opt/etc/passwd.ftp, using an encrypted password 
(such as those created by "htpasswd" that comes with Apache). Make one 
that you never use for the user "ftp" (or for anon logins), then one for 
your actual login people:

   ftp:XXXXXXX:14:50::/var/ftp:/sbin/nologin
   someuser:XXXXXX:14:50::/var/www/html:/sbin/nologin

5) Change the permissions of your /var/www/html tree to allow UID 14 (or 
GID 50) to write to it.

You can further increase security by making a third group with a unique 
GID and have the user have its own unique UID as well, but I'll leave 
that up to you to figure out. There's a lot of room for play in the 
above steps, they're meant as a guideline.

NOTE: if you use MySQL as your authenticator and do *not* want to fall 
back to system auth (PAM), then you need to set two more options in 
/etc/proftpd.conf:

   PersistentPasswd  off
   AuthOrder         mod_sql.c mod_auth_file.c

FYI only.

-te

-- 
Troy Engel | Systems Engineer
Fluid, Inc | http://www.fluid.com
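
A check for the files built in steps 2-5 above, as an added example that is not part of the original post: it audits an AuthUserFile/AuthGroupFile pair for empty password fields, UID/GID 0, GIDs missing from the group file, non-nologin shells, and virtual users sharing a UID (the case the post suggests tightening). The sample entries and the function names `rows` and `audit` are constructed for illustration.

```python
# Added example: constructed sample data; password fields are placeholders.
from collections import defaultdict

SAMPLE_PASSWD = """\
ftp:XXXXXXX:14:50::/var/ftp:/sbin/nologin
someuser:XXXXXX:14:50::/var/www/html:/sbin/nologin
broken::0:77::/root:/bin/bash
"""
SAMPLE_GROUP = """\
ftp::50:
nobody::99:
"""

def rows(text):
    """Yield colon-split fields for each non-blank, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")

def audit(passwd_text, group_text):
    """Return (user, finding) tuples for an AuthUserFile/AuthGroupFile pair."""
    # AuthGroupFile lines are name:passwd:gid:members
    gids = {int(f[2]) for f in rows(group_text)}
    findings, by_uid = [], defaultdict(list)
    for fields in rows(passwd_text):
        # AuthUserFile lines are name:passwd:uid:gid:gecos:home:shell
        if len(fields) != 7:
            findings.append((fields[0], "expected 7 colon-separated fields"))
            continue
        user, pw, uid, gid, _gecos, _home, shell = fields
        uid, gid = int(uid), int(gid)
        by_uid[uid].append(user)
        if not pw:
            findings.append((user, "empty password field"))
        if uid == 0 or gid == 0:
            findings.append((user, "maps to UID/GID 0"))
        if gid not in gids:
            findings.append((user, f"GID {gid} not in group file"))
        if not shell.endswith("/nologin"):
            findings.append((user, f"shell {shell} is not nologin"))
    # Virtual users sharing a UID can overwrite each other's files.
    for uid, users in sorted(by_uid.items()):
        if len(users) > 1:
            findings.append((",".join(users), f"share UID {uid}"))
    return findings

if __name__ == "__main__":
    for who, what in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{who}: {what}")
```

To audit real files, pass the contents of /opt/etc/passwd.ftp and /opt/etc/group.ftp to `audit()` in place of the sample strings.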