[Proftpd] Reject anonymous logins

Discussion in 'Linux Networking' started by becco, Jan 30, 2004.

  1. becco

    becco Guest

    Hi, I'm trying to set up the proftpd server to reject anonymous
    connections, and allow only users with a valid username/passwd.

    I can't figure out why my proftpd.conf doesn't work: authenticated
    users AND anonymous users are allowed to login, while I'd like the
    anonymous ones to be rejected.

    Can anyone help me?

    Here is my proftpd.conf:
    --------------------------------
    # This is a basic ProFTPD configuration file (rename it to
    # 'proftpd.conf' for actual use). It establishes a single server
    # and a single anonymous login. It assumes that you have a user/group
    # "nobody" and "ftp" for normal operation and anon.

    ServerName "Animal FTP Server"
    #ServerType inetd
    Servertype standalone
    DeferWelcome off

    ShowSymlinks off
    MultilineRFC2228 on
    DefaultServer on
    AllowOverwrite on

    TimeoutNoTransfer 600
    TimeoutStalled 600
    TimeoutIdle 1200

    DisplayLogin welcome.msg
    DisplayFirstChdir .message
    #LsDefaultOptions "-l"

    DenyFilter \*.*/

    # Uncomment this if you are using NIS or LDAP to retrieve passwords:
    #PersistentPasswd off

    # Port 21 is the standard FTP port.
    Port 21

    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances 30

    # Set the user and group that the server normally runs at.
    User proftpd
    Group proftpd

    # Normally, we want files to be overwriteable.
    <Directory /*>
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask 022 022

    AllowOverwrite on
    </Directory>

    # here are my improvements
    # chroot for all users of the group ftpuser
    DefaultRoot ~ ftp

    # grant login only for members of the group
    <Limit LOGIN>
    DenyGroup !ftp
    </Limit>

    # disable root login and require a valid shell (from /etc/shells)
    <Global>
    RootLogin off
    RequireValidShell on
    </Global>

    # increase
    UseReverseDNS off
    IdentLookups off

    # Logging formats
    LogFormat default "%h %l %u %t \"%r\" %s %b"
    LogFormat auth "%v [%P] %h %t \"%r\" %s"
    LogFormat write "%h %l %u %t \"%r\" %s %b"


    # activate logging

    # every login
    ExtendedLog /var/log/ftp_auth.log AUTH auth

    # file/dir access
    ExtendedLog /var/log/ftp_access.log WRITE,READ write

    # for paranoid (big logfiles!)
    #ExtendedLog /var/log/ftp_paranoid.log ALL default
     
    becco, Jan 30, 2004
    #1

  2. becco

    becco Guest

    Yes, I did!

    Thank you
    Marcello
     
    becco, Jan 30, 2004
    #2

  3. becco

    XXL PapaBear Guest

    On 30 Jan 2004 04:49:30 -0800
    It doesn't show in our description, this could seem to be a very dumb question, but did you restart the service after altering your conf file?


    \\\\||//
    ------------oooO---PapaBear----Oooo------------

    Jesus is alive! I spoke with Him this morning.
     
    XXL PapaBear, Jan 30, 2004
    #3
  4. becco

    Cameron Kerr Guest

    Remove the user "ftp" in the file /etc/ftpusers and restart the ftp
    service, as this is the file that lists users prohibited from accessing
    via FTP, and the user "ftp" is the anonymous/guest user.
     
    Cameron Kerr, Jan 31, 2004
    #4
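
An added example, not part of any post in this thread: a small Python auditor that lists each `<Anonymous>` section in a proftpd.conf and reports whether a `<Limit LOGIN>` containing `DenyAll` closes it to logins. The sample config, the path `/srv/mirror` and the user `mirror` are constructed for illustration, and only a plain `DenyAll` directly inside the section's own `<Limit LOGIN>` is recognised.

```python
import re

# Constructed sample (not the poster's file): one open anonymous section, one locked.
SAMPLE_CONF = """\
<Anonymous ~ftp>
  User ftp
  UserAlias anonymous ftp
</Anonymous>
<Anonymous /srv/mirror>
  User mirror
  <Limit LOGIN>
    DenyAll
  </Limit>
</Anonymous>
"""
TAG = re.compile(r"<(/?)(\w+)([^>]*)>")

def audit_anonymous(conf_text):
    """One record per <Anonymous> section: line, user, aliases, login_denied."""
    stack, sections, current = [], [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = TAG.fullmatch(line)
        if tag and tag.group(1):                  # closing tag: leave the context
            del stack[-1:]                        # tolerates an unbalanced close
            if tag.group(2).lower() == "anonymous":
                current = None
        elif tag:                                 # opening tag: enter a context
            stack.append((tag.group(2).lower(), tag.group(3).upper().split()))
            if stack[-1][0] == "anonymous":
                current = {"line": lineno, "user": None, "aliases": [], "login_denied": False}
                sections.append(current)
        elif current is not None:                 # directive inside <Anonymous>
            words = line.split()
            key = words[0].lower()
            if key == "user" and len(words) > 1:
                current["user"] = words[1]
            elif key == "useralias" and len(words) > 2:
                current["aliases"].append(words[1])
            elif (key == "denyall" and len(stack) >= 2 and stack[-2][0] == "anonymous"
                  and stack[-1][0] == "limit" and "LOGIN" in stack[-1][1]):
                current["login_denied"] = True
    return sections

def open_anonymous_sections(conf_text):
    """Sections that still accept logins; an empty list means none were found."""
    return [s for s in audit_anonymous(conf_text) if not s["login_denied"]]
```

Run `open_anonymous_sections()` over the main file and over any files it includes; a `<Limit LOGIN>` at server level, like the one in the posted config, is not counted as closing an `<Anonymous>` section.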