FTP
To provide an FTP service, Plesk uses the ProFTPD FTP server. Plesk includes the following two packages:
psa-proftpd which contains the main component.
psa-proftpd-xinetd which contains patches and configurations to work with xinetd.
FTP Startup
The ProFTPD is started by the xinetd every time the server receives an FTP request. In the case of authorized access, the FTP service is started on behalf of the user whose request is to be processed. For anonymous users, the service is started with the UID of the psaftp user. FTP Users
The FTP server allows for document access of authenticated users that are listed in the /etc/passwd and /etc/shadow files. The first one defines the user name, group membership, home directory, and active access method. The second one stores password hash values. Let us look at FTP users created during the virtual hosting setup procedure. The following are some /etc/passwd lines defining FTP user parameters.
# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
psaftp:x:2524:2522:anonftp psa user:/:/bin/false
ftpuser:x:10006:10001::/var/www/vhosts/domain.tst:/bin/false
ftpuser55:x:10010:10001::/var/www/vhosts/domainXX.tst:/bin/false
The first two lines are default FTP users. The psaftp is the user on behalf of whom the FTP service is started when the Plesk server receives an anonymous FTP request.
The last two lines define typical FTP users. The group ID 10001 refers to the psacln group that contains FTP users. The psacln is added to the /etc/ftpchroot file. For every FTP user logged into the Plesk, a “chroot” procedure is executed, which ensures the user cannot see files owned by other users.
Plesk stores all FTP user accounts in a single database; therefore, FTP users cannot have the same names even if they are created for different virtual hosts. Besides, since the FTP service cannot be name based, only one virtual host on each IP address can provide anonymous FTP access. FTP Configuration
The FTP server configuration parameters are stored in the /etc/proftpd.conf file. Here are some of the parameters. A sample of the proftpd.conf file is displayed below:
DefaultServer on
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
</Global>
DefaultTransferMode binary
UseFtpUsers on
TimesGMT off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.
#Include directive should point to place where FTP Virtual Hosts configurations
#preserved
ScoreboardFile /var/run/proftpd/scoreboard
# Primary log file mest be outside of system logrotate province
TransferLog /usr/local/psa/var/log/xferlog
#Change default group for new files and directories in vhosts dir to psacln
<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>
# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd
IdentLookups off
UseReverseDNS off
AuthGroupFile /etc/group
Include /etc/proftpd.include
Each virtual host FTP configuration is stored in the /etc/proftpd.include file. The configurations consist of two sections:
The general section configures FTP for authorized users. It configures the following:
- Virtual server name to IP address binding.
- Log file path.
- Write permission.
Login access allowed only to the psacln group.
Below is a sample of the general section:
<VirtualHost 192.168.37.101>
ServerName "ftp.swtrn.com"
TransferLog /usr/local/psa/var/log/xferlog
AllowOverwrite on
<Limit LOGIN>
Order allow, deny
AllowGroup psacln
Deny from all
</Limit>
The Anonymous section configures FTP for anonymous users. It configures: An alias for the psaftp user account. anon_ftp as the home directory that is inside the domain directory opened for the authorized domain user. A log file for anonymous FTP access. User and group for anonymous FTP access. Login access and read-only rights for everyone
Below is a sample of this section:
UserAlias anonymous psaftp
<Anonymous /var/www/vhosts/domain.tst/anon_ftp>
TransferLog /var/www/vhosts/domain.tst/statistics/logs/xferlog
PathDenyFilter "^\.quota$"
RequireValidShell off
TransferRate RETR 0.000
User psaftp
Group psaftp
<Limit LOGIN>
AllowAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
<Directory incoming>
UserOwner ftpuser
Umask 022 002
<Limit STOR>
DenyAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
<Limit READ>
DenyAll
</Limit>
<Limit MKD XMKD>
DenyAll
</Limit>
</Directory>
</Anonymous>
For more information on the ProFTPD configuration, please refer to the www.proftpd.org. FTP Logs and Statistics
For each domain, the ProFTPD service writes statistics for both anonymous and authorized access to log files located in the /var/www/vhosts/[HTML_REMOVED]/statistics/logs/ directory. Once a day, Plesk processes the logs with the statistics utility and separates the statistical data into two parts:
Anonymous access information stored in the statistics/anon_ftpstat subdirectory of the virtual host directory.
Authorized access information stored in the statistics/ftpstat/subdirectory.
In addition, the statistics utility writes the statistical data to the psa database and calls the log rotation utility logrotate. For more information on statistics processing and log rotation, refer to the chapter Statistics and Logs. Switching On Implicit FTPS
By default Plesk FTP server supports explicit FTPS only. To turn on implicit FTPS, follow these instructions:
Run the following commands in the shell:
touch /etc/xinetd.d/ftps_psa
chmod 0644 /etc/xinetd.d/ftps_psa
Paste the following into the /etc/xinetd.d/ftps_psa file:
service ftps
{
flags = IPv6
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
instances = UNLIMITED
server = /usr/sbin/in.proftpd
server_args = -c /etc/proftpd.conf
}
Edit the /etc/proftpd.conf file to insert the following section after the [HTML_REMOVED] closing tag:
<IfModule mod_tls.c>
<VirtualHost 0.0.0.0>
Port 990
TLSEngine on
TLSOptions UseImplicitSSL
</VirtualHost>
</IfModule>
DefaultTransferMode binary
UseFtpUsers on
DefaultTransferMode binary
UseFtpUsers on
Run the service xinetd restart command.
0 Comments
Please log in to leave a comment.