yum install -y proftpd
# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html
ServerName "ProFTPD server"
ㄴ 유저가 접속하였을때에 보여주는 서버이름
ServerIdent on "FTP Server ready."
ㄴ 서버 접속하였을때에 보여주는 message
ServerAdmin root@localhost
ㄴ 해당 FTP 서버 관리자 이메일 주소
DefaultServer on
ㄴ 기본이 되는 FTP서버 설정(proftpd 서버는 가상호스트가 지원됨)
# Cause every FTP user except adm to be chrooted into their home directory
# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
# work at session-end time (http://bugzilla.redhat.com/477120)
VRootEngine on
ㄴ pam 관련 설정인듯하나, 정확한것 모르겠음
DefaultRoot ~ !adm
ㄴ chroot 기본 디렉토리
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
ㄴ vroot 관련된 파일 설정
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
ㄴ pam을 사용할시에 보여주는 이름
AuthOrder mod_auth_pam.c* mod_auth_unix.c
ㄴ 인증관련되서 사용하는 모듈 설정
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd off
ㄴ /etc/shadow, passwd, group 사용여부
# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off
ㄴ 역방향 DNS로 proftp를 조회하는것에 관련된 설정
# Set the user and group that the server runs as
User nobody
Group nobody
ㄴ proftpd가 standalone으로 (daemon)으로 운영될때 사용되는 유저랑, 그룹
# To prevent DoS attacks, set the maximum number of child processes
# to 20. If you need to allow more than 20 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20
ㄴ 자식 프로세스 최대 갯수
# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile off
ㄴ ftptop? ftpwho? 파일 다운로드속도 모니터링? 정확한건 모르겠음
# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
ㄴ 로그포멧 관련 설정
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
ㄴ SSL 인증서 관련 모듈 설정
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab
# If the same client reaches the MaxLoginAttempts limit 2 times
# within 10 minutes, automatically add a ban for that client that
# will expire after one hour.
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
# Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm
</IfDefine>
ㄴ Proftp ACL관련 모듈 설정
# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable
Umask 022
# Allow users to overwrite files and change permissions
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
ㄴ ftp 전체 설정내용
ㄴ Umask -> 파일생성시 Umask값
ㄴ 파일 권한변경 관련 설정
# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
<Anonymous ~ftp>
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login
#DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files.
DisplayLogin /welcome.msg
DisplayChdir .message
DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser on ftp
DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog off
# Logging for the anonymous transfers
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth
</Anonymous>
</IfDefine>
ㄴ Proftp 익명 접속 관련 설정
Yum으로 proftp 설치시에 기본 설정 파일 내용