# Install ProFTPD from the enabled yum repositories.
yum install proftpd

# Register the service to start at boot (SysV init / chkconfig).
chkconfig proftpd on

1添加用户 proftp (该用户无法登录系统,没有宿主目录)
# 1. Service account for the daemon: no login shell, no home directory.
#    Referenced later by the User/Group directives in /etc/proftpd.conf.
useradd -M -s /sbin/nologin proftp

2设置ftp目录权限
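# 2. FTP directory permissions.
# 777 makes the tree writable by every local account on the host. The virtual
# user created in step 5 operates as uid/gid 5000, so hand the tree to that id
# and drop the world bits; widen group access only if another service must
# read or write here.
# NOTE(review): this path differs from the DefaultRoot / --home used later in
# this guide (/qdb/www/information/storage/app/ftp/...) — confirm which is meant.
chown 5000:5000 -- /ftp/jlc_oa
chmod 770 -- /ftp/jlc_oa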

3配置 /etc/proftpd.conf

ServerName "test.com"
ServerIdent on "FTP Server ready."
# NOTE(review): ProFTPD documents comments as lines that start with '#'. The
# trailing "#..." notes the original author left on several lines below may be
# handed to the directive as extra parameters on some versions — validate the
# file with `proftpd -t` before restarting the service.
# NOTE(review): the HTML extraction of this listing dropped angle-bracket
# container tags (e.g. <Limit ...>), so the bare AllowAll/DenyAll/AllowUser
# lines further down have lost their enclosing context; restore it from the
# original file before use.
ServerAdmin root@315i.com
DefaultServer on
# Server-side UTF-8, client-side CP936 (original note: "set Chinese encoding").
UseEncoding UTF-8 CP936 #设置中文编码格式
# Control connection port (original note: "set port 21").
Port 21 #设置21端口
# Allow REST before RETR, i.e. resumed downloads. The original note said
# "upload"; the directive name refers to retrieval.
AllowRetrieveRestart on #允许断点继传(上传)
# Allow REST before STOR, i.e. resumed uploads. The original note said "download".
AllowStoreRestart on #允许断点继传(下载)
# Original note: "disable IPv6".
UseIPv6 off #禁用ipv6
VRootEngine on
# First DefaultRoot: chroot to the home directory for everyone except group
# adm. A second DefaultRoot appears further down in this file; confirm which
# one applies to the virtual user configured in this guide.
DefaultRoot ~ !adm
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf

AuthPAMConfig proftpd
# Authenticate user name and password with mod_auth_file.c
# Only mod_auth_file.c is listed; the PAM/unix modules after the '#' are
# intended to be commented out (see the note on trailing comments above).
AuthOrder mod_auth_file.c #mod_auth_pam.c* mod_auth_unix.c

PersistentPasswd off
UseReverseDNS off
# Unprivileged identity the daemon switches to (original notes: "startup user/group").
User proftp #设置启动用户
Group proftp #设置启动用户组
# Second DefaultRoot (original note: "shared root directory"); see the note on
# the first DefaultRoot above.
DefaultRoot /qdb/www/information/storage/app/ftp #共享根目录
PidFile /var/run/proftpd/proftpd.pid
MaxInstances 20
UseSendfile off

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Passive-mode data port range (original note: "allow ports 10021-10025");
# the firewall rules in step 6 open exactly these ports.
PassivePorts 10021 10025 #设置允许端口10021-10025
# The virtual user gets /bin/false as shell in step 5, so do not insist on a
# shell listed in /etc/shells.
RequireValidShell off
# Credential file written by ftpasswd in step 5 (original note: "virtual user
# name/password file").
AuthUserFile /etc/ftpd.passwd #设置虚拟用户名密码文件


# TLS (mod_tls). TLSRequired on refuses plaintext logins and data transfers.
TLSEngine on
TLSRequired on
# Certificate and private key are read from the same PEM file; that file
# should be readable by root only — confirm its mode.
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
# "ALL" minus anonymous-DH and single DES still admits legacy suites (for
# example RC4, 3DES, export-grade and MD5-MAC suites) on OpenSSL builds that
# provide them; a cipher string that names only current strong suites is
# preferable.
TLSCipherSuite ALL:!ADH:!DES
# No client certificates are requested or verified.
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log

TLSSessionCache shm:/file=/var/run/proftpd/sesscache

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd

LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab

BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

# Allow the FTP admin to manually add/remove bans
BanControlsACLs all allow user ftpadm

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable
Umask 022

# Allow users to overwrite files and change permissions
AllowOverwrite yes

AllowAll

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd


User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10 "Sorry, max %m users -- try again later"
# Put the user into /pub right after login
#DefaultChdir /pub
# We want 'welcome.msg' displayed at login, '.message' displayed in
# each newly chdired directory and tell users to read README* files.
DisplayLogin /welcome.msg
DisplayChdir .message
DisplayReadme README*
# Cosmetic option to make all files appear to be owned by user "ftp"
DirFakeUser on ftp
DirFakeGroup on ftp
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
# Don't write anonymous accesses to the system wtmp file (good idea!)
WtmpLog off
# Logging for the anonymous transfers
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth





AllowAll




DenyAll


DenyAll


AllowUser jlc_oa

4安装ftpasswd
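# 4. Install ftpasswd (generates the AuthUserFile entries).
# Fetching an executable over plain HTTP and running it as root trusts the
# whole network path; the proftpd-utils package (EPEL) ships ftpasswd, so
# prefer that where available. If the download is kept, pin the digest of a
# reviewed copy and verify it before marking the script executable.
cd /usr/sbin/ || exit 1
wget http://www.castaglia.org/proftpd/contrib/ftpasswd
# <EXPECTED_SHA256> is a placeholder: fill in the digest of a reviewed copy.
echo "<EXPECTED_SHA256>  ftpasswd" | sha256sum -c - || exit 1
chmod +x ftpasswd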

5创建虚拟用户jlc_oa
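# 5. Create the virtual user jlc_oa in the AuthUserFile. Option names must use
# ASCII double dashes ("--passwd" etc.); the em dashes in the original
# transcription are not recognised. ftpasswd prompts for the password
# interactively (unless --stdin is used), so it does not appear on the command
# line or in shell history. uid/gid 5000 should own the home directory.
ftpasswd --passwd --name jlc_oa --file /etc/ftpd.passwd --uid 5000 --gid 5000 --home /qdb/www/information/storage/app/ftp/jlc_oa/ --shell /bin/false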

6配置iptables
# 6. Host firewall: open the control port (21) and the PassivePorts range
# (10021-10025) configured in /etc/proftpd.conf. The rule lines that follow
# are in iptables-save syntax and need ASCII "--state"/"--dport"; place them
# ahead of the chain's final REJECT/DROP rule (if present) and consider adding
# -s to limit them to the client networks that need FTP access.
vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10021 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10023 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10024 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10025 -j ACCEPT

7重启proftpd并查看端口
# 7. Apply the configuration and confirm the daemon is listening on port 21
# (lsof -i:21 lists the processes holding that port).
service proftpd restart
lsof -i:21