Managing FTP in Plesk

FTP

To provide an FTP service, Plesk uses the ProFTPD FTP server. Plesk includes the following two packages:

psa-proftpd which contains the main component.
psa-proftpd-xinetd which contains patches and configurations to work with xinetd.

FTP Startup

The ProFTPD is started by the xinetd every time the server receives an FTP request. In the case of authorized access, the FTP service is started on behalf of the user whose request is to be processed. For anonymous users, the service is started with the UID of the psaftp user. FTP Users

The FTP server allows for document access of authenticated users that are listed in the /etc/passwd and /etc/shadow files. The first one defines the user name, group membership, home directory, and active access method. The second one stores password hash values. Let us look at FTP users created during the virtual hosting setup procedure. The following are some /etc/passwd lines defining FTP user parameters.

# grep ftp /etc/passwd

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

psaftp:x:2524:2522:anonftp psa user:/:/bin/false

ftpuser:x:10006:10001::/var/www/vhosts/domain.tst:/bin/false

ftpuser55:x:10010:10001::/var/www/vhosts/domainXX.tst:/bin/false

The first two lines are default FTP users. The psaftp is the user on behalf of whom the FTP service is started when the Plesk server receives an anonymous FTP request.

The last two lines define typical FTP users. The group ID 10001 refers to the psacln group that contains FTP users. The psacln is added to the /etc/ftpchroot file. For every FTP user logged into the Plesk, a “chroot” procedure is executed, which ensures the user cannot see files owned by other users.

Plesk stores all FTP user accounts in a single database; therefore, FTP users cannot have the same names even if they are created for different virtual hosts. Besides, since the FTP service cannot be name based, only one virtual host on each IP address can provide anonymous FTP access. FTP Configuration

The FTP server configuration parameters are stored in the /etc/proftpd.conf file. Here are some of the parameters. A sample of the proftpd.conf file is displayed below:

DefaultServer on

<Global>

DefaultRoot ~ psacln

AllowOverwrite on

</Global>

DefaultTransferMode binary

UseFtpUsers on

TimesGMT off

SetEnv TZ :/etc/localtime

# Port 21 is the standard FTP port.

Port 21

# Umask 022 is a good standard umask to prevent new dirs and files

# from being group and world writable.

Umask 022

# To prevent DoS attacks, set the maximum number of child processes

# to 30. If you need to allow more than 30 concurrent connections

# at once, simply increase this value. Note that this ONLY works

# in standalone mode, in inetd mode you should use an inetd server

# that allows you to limit maximum number of processes per service

# (such as xinetd)

MaxInstances 30

#Following part of this config file were generate by PSA automatically

#Any changes in this part will be overwritten by next manipulation

#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations

#preserved

ScoreboardFile /var/run/proftpd/scoreboard

# Primary log file mest be outside of system logrotate province

TransferLog /usr/local/psa/var/log/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>

GroupOwner psacln

</Directory>

# Enable PAM authentication

AuthPAM on

AuthPAMConfig proftpd

IdentLookups off

UseReverseDNS off

AuthGroupFile /etc/group

Include /etc/proftpd.include

Each virtual host FTP configuration is stored in the /etc/proftpd.include file. The configurations consist of two sections:

The general section configures FTP for authorized users. It configures the following:

• Virtual server name to IP address binding.
• Log file path.
• Write permission.

Login access allowed only to the psacln group.

Below is a sample of the general section:

<VirtualHost 192.168.37.101>
ServerName "ftp.swtrn.com"
TransferLog /usr/local/psa/var/log/xferlog
AllowOverwrite on
<Limit LOGIN>
Order allow, deny
AllowGroup psacln
Deny from all
</Limit>

The Anonymous section configures FTP for anonymous users. It configures: An alias for the psaftp user account. anon_ftp as the home directory that is inside the domain directory opened for the authorized domain user. A log file for anonymous FTP access. User and group for anonymous FTP access. Login access and read-only rights for everyone

Below is a sample of this section:

UserAlias anonymous psaftp
<Anonymous /var/www/vhosts/domain.tst/anon_ftp>
TransferLog /var/www/vhosts/domain.tst/statistics/logs/xferlog
PathDenyFilter "^\.quota$"
RequireValidShell off
TransferRate RETR 0.000
User psaftp
Group psaftp

<Limit LOGIN>
AllowAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>

<Directory incoming>
UserOwner ftpuser
Umask 022 002
<Limit STOR>
DenyAll
</Limit>

<Limit WRITE>
DenyAll
</Limit>

<Limit READ>
DenyAll
</Limit>

<Limit MKD XMKD>
DenyAll
</Limit>

</Directory>
</Anonymous>

For more information on the ProFTPD configuration, please refer to the www.proftpd.org. FTP Logs and Statistics

For each domain, the ProFTPD service writes statistics for both anonymous and authorized access to log files located in the /var/www/vhosts/[HTML_REMOVED]/statistics/logs/ directory. Once a day, Plesk processes the logs with the statistics utility and separates the statistical data into two parts:

Anonymous access information stored in the statistics/anon_ftpstat subdirectory of the virtual host directory.

Authorized access information stored in the statistics/ftpstat/subdirectory.

In addition, the statistics utility writes the statistical data to the psa database and calls the log rotation utility logrotate. For more information on statistics processing and log rotation, refer to the chapter Statistics and Logs. Switching On Implicit FTPS

By default Plesk FTP server supports explicit FTPS only. To turn on implicit FTPS, follow these instructions:

Run the following commands in the shell:

touch /etc/xinetd.d/ftps_psa

chmod 0644 /etc/xinetd.d/ftps_psa

Paste the following into the /etc/xinetd.d/ftps_psa file:

service ftps

{

   flags       = IPv6

        disable         = no

        socket_type     = stream

        protocol        = tcp

        wait            = no

        user            = root

        instances       = UNLIMITED

        server          = /usr/sbin/in.proftpd

        server_args     = -c /etc/proftpd.conf

}

Edit the /etc/proftpd.conf file to insert the following section after the [HTML_REMOVED] closing tag:

<IfModule mod_tls.c>

<VirtualHost 0.0.0.0>

    Port                                    990

    TLSEngine                               on

    TLSOptions                              UseImplicitSSL

</VirtualHost>

</IfModule>

DefaultTransferMode     binary

UseFtpUsers                     on

DefaultTransferMode     binary

UseFtpUsers                     on

Run the service xinetd restart command.