Added RHEL 7 configfiles
This commit is contained in:
Ante
@@ -0,0 +1,448 @@
|
||||
# This is the ProFTPD configuration file
|
||||
#
|
||||
# See: http://www.proftpd.org/docs/directives/linked/by-name.html
|
||||
|
||||
# Security-Enhanced Linux (SELinux) Notes:
|
||||
#
|
||||
# In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux
|
||||
# in order to mitigate the effects of an attacker taking advantage of an
|
||||
# unpatched vulnerability and getting control of the ftp server. By default,
|
||||
# ProFTPD cannot read or write most files on a system nor connect to many
|
||||
# external network services, but these restrictions can be relaxed by
|
||||
# setting SELinux booleans as follows:
|
||||
#
|
||||
# setsebool -P allow_ftpd_anon_write=1
|
||||
# This allows the ftp daemon to write to files and directories labelled
|
||||
# with the public_content_rw_t context type; the daemon would only have
|
||||
# read access to these files normally. Files to be made available by ftp
|
||||
# but not writeable should be labelled public_content_t.
|
||||
#
|
||||
# setsebool -P allow_ftpd_full_access=1
|
||||
# This allows the ftp daemon to read and write all files on the system.
|
||||
#
|
||||
# setsebool -P allow_ftpd_use_cifs=1
|
||||
# This allows the ftp daemon to read and write files on CIFS-mounted
|
||||
# filesystems.
|
||||
#
|
||||
# setsebool -P allow_ftpd_use_nfs=1
|
||||
# This allows the ftp daemon to read and write files on NFS-mounted
|
||||
# filesystems.
|
||||
#
|
||||
# setsebool -P ftp_home_dir=1
|
||||
# This allows the ftp daemon to read and write files in users' home
|
||||
# directories.
|
||||
#
|
||||
# setsebool -P ftpd_connect_all_unreserved=1
|
||||
# This setting is only available from Fedora 16/RHEL-7 onwards, and is
|
||||
# necessary for active-mode ftp transfers to work reliably with non-Linux
|
||||
# clients (see http://bugzilla.redhat.com/782177), which may choose to
|
||||
# use port numbers outside the "ephemeral port" range of 32768-61000.
|
||||
#
|
||||
# setsebool -P ftpd_connect_db=1
|
||||
# This setting allows the ftp daemon to connect to commonly-used database
|
||||
# ports over the network, which is necessary if you are using a database
|
||||
# back-end for user authentication, etc.
|
||||
#
|
||||
# setsebool -P ftpd_is_daemon=1
|
||||
# This setting is available only in Fedora releases 4 to 6 and Red Hat
|
||||
# Enterprise Linux 5. It should be set if ProFTPD is running in standalone
|
||||
# mode, and unset if running in inetd mode.
|
||||
#
|
||||
# setsebool -P ftpd_disable_trans=1
|
||||
# This setting is available only in Fedora releases 4 to 6 and Red Hat
|
||||
# Enterprise Linux 5, and when set it removes the SELinux confinement of the
|
||||
# ftp daemon. Needless to say, its use is not recommended.
|
||||
#
|
||||
# All of these booleans are unset by default.
|
||||
#
|
||||
# See also the "ftpd_selinux" manpage.
|
||||
#
|
||||
# Note that the "-P" option to setsebool makes the setting permanent, i.e.
|
||||
# it will still be in effect after a reboot; without the "-P" option, the
|
||||
# effect only lasts until the next reboot.
|
||||
#
|
||||
# Restrictions imposed by SELinux are on top of those imposed by ordinary
|
||||
# file ownership and access permissions; in normal operation, the ftp daemon
|
||||
# will not be able to read and/or write a file unless *all* of the ownership,
|
||||
# permission and SELinux restrictions allow it.
|
||||
|
||||
# Server Config - config used for anything outside a <VirtualHost> or <Global> context
|
||||
# See: http://www.proftpd.org/docs/howto/Vhost.html
|
||||
|
||||
# Trace logging, disabled by default for performance reasons
|
||||
# (http://www.proftpd.org/docs/howto/Tracing.html)
|
||||
#TraceLog /var/log/proftpd/trace.log
|
||||
#Trace DEFAULT:0
|
||||
|
||||
ServerName "<SERVERNAME> FTP server"
|
||||
ServerIdent on "FTP Server ready."
|
||||
ServerAdmin root@<SERVERNAME>
|
||||
DefaultServer on
|
||||
|
||||
# The DebugLevel directive configures the debugging level the server will use when logging.
|
||||
# The level parameter must be between 0 and 9.
|
||||
# This configuration directive will take precedence over any command-line debugging options used.
|
||||
DebugLevel 9
|
||||
|
||||
# Cause every FTP user except adm to be chrooted into their home directory
|
||||
DefaultRoot ~ !adm
|
||||
|
||||
# Use pam to authenticate (default) and be authoritative
|
||||
AuthPAMConfig proftpd
|
||||
AuthOrder mod_sql.c
|
||||
#AuthOrder mod_auth_pam.c* mod_auth_unix.c
|
||||
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
|
||||
#PersistentPasswd off
|
||||
|
||||
# Don't do reverse DNS lookups (hangs on DNS problems)
|
||||
UseReverseDNS off
|
||||
|
||||
# Set the user and group that the server runs as
|
||||
User nobody
|
||||
Group nobody
|
||||
|
||||
# To prevent DoS attacks, set the maximum number of child processes
|
||||
# to 20. If you need to allow more than 20 concurrent connections
|
||||
# at once, simply increase this value. Note that this ONLY works
|
||||
# in standalone mode; in inetd mode you should use an inetd server
|
||||
# that allows you to limit maximum number of processes per service
|
||||
# (such as xinetd)
|
||||
MaxInstances 20
|
||||
|
||||
# Disable sendfile by default since it breaks displaying the download speeds in
|
||||
# ftptop and ftpwho
|
||||
UseSendfile off
|
||||
|
||||
# Define the log formats
|
||||
LogFormat default "%h %l %u %t \"%r\" %s %b"
|
||||
LogFormat auth "%v [%P] %h %t \"%r\" %s"
|
||||
|
||||
# Dynamic Shared Object (DSO) loading
|
||||
# See README.DSO and howto/DSO.html for more details
|
||||
#
|
||||
# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
|
||||
LoadModule mod_sql.c
|
||||
#
|
||||
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
|
||||
# (contrib/mod_sql_passwd.html)
|
||||
# LoadModule mod_sql_passwd.c
|
||||
#
|
||||
# Mysql support (requires proftpd-mysql package)
|
||||
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
|
||||
LoadModule mod_sql_mysql.c
|
||||
#
|
||||
# Postgresql support (requires proftpd-postgresql package)
|
||||
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
|
||||
# LoadModule mod_sql_postgres.c
|
||||
#
|
||||
# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
|
||||
LoadModule mod_quotatab.c
|
||||
#
|
||||
# File-specific "driver" for storing quota table information in files
|
||||
# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
|
||||
# LoadModule mod_quotatab_file.c
|
||||
#
|
||||
# SQL database "driver" for storing quota table information in SQL tables
|
||||
# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
|
||||
LoadModule mod_quotatab_sql.c
|
||||
#
|
||||
# LDAP support (requires proftpd-ldap package)
|
||||
# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
|
||||
# LoadModule mod_ldap.c
|
||||
#
|
||||
# LDAP quota support (requires proftpd-ldap package)
|
||||
# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
|
||||
# LoadModule mod_quotatab_ldap.c
|
||||
#
|
||||
# Support for authenticating users using the RADIUS protocol
|
||||
# (http://www.proftpd.org/docs/contrib/mod_radius.html)
|
||||
# LoadModule mod_radius.c
|
||||
#
|
||||
# Retrieve quota limit table information from a RADIUS server
|
||||
# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
|
||||
# LoadModule mod_quotatab_radius.c
|
||||
#
|
||||
# SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be
|
||||
# used to copy files/directories from one place to another on the server
|
||||
# without having to transfer the data to the client and back
|
||||
# (http://www.castaglia.org/proftpd/modules/mod_copy.html)
|
||||
# LoadModule mod_copy.c
|
||||
#
|
||||
# Administrative control actions for the ftpdctl program
|
||||
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
|
||||
LoadModule mod_ctrls_admin.c
|
||||
#
|
||||
# Support for MODE Z commands, which allows FTP clients and servers to
|
||||
# compress data for transfer
|
||||
# (http://www.castaglia.org/proftpd/modules/mod_deflate.html)
|
||||
# LoadModule mod_deflate.c
|
||||
#
|
||||
# Execute external programs or scripts at various points in the process
|
||||
# of handling FTP commands
|
||||
# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
|
||||
# LoadModule mod_exec.c
|
||||
#
|
||||
# Support for POSIX ACLs
|
||||
# (http://www.proftpd.org/docs/modules/mod_facl.html)
|
||||
# LoadModule mod_facl.c
|
||||
#
|
||||
# Support for using the GeoIP library to look up geographical information on
|
||||
# the connecting client and using that to set access controls for the server
|
||||
# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
|
||||
# LoadModule mod_geoip.c
|
||||
#
|
||||
# Allow for version-specific configuration sections of the proftpd config file,
|
||||
# useful for using the same proftpd config across multiple servers where
|
||||
# different proftpd versions may be in use
|
||||
# (http://www.castaglia.org/proftpd/modules/mod_ifversion.html)
|
||||
# LoadModule mod_ifversion.c
|
||||
#
|
||||
# Configure server availability based on system load
|
||||
# (http://www.proftpd.org/docs/contrib/mod_load.html)
|
||||
# LoadModule mod_load.c
|
||||
#
|
||||
# Limit downloads to a multiple of upload volume (see README.ratio)
|
||||
# LoadModule mod_ratio.c
|
||||
#
|
||||
# Rewrite FTP commands sent by clients on-the-fly,
|
||||
# using regular expression matching and substitution
|
||||
# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
|
||||
# LoadModule mod_rewrite.c
|
||||
#
|
||||
# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
|
||||
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
|
||||
# LoadModule mod_sftp.c
|
||||
#
|
||||
# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
|
||||
# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
|
||||
# LoadModule mod_sftp_pam.c
|
||||
#
|
||||
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
|
||||
# and host based authentication
|
||||
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
|
||||
# LoadModule mod_sftp_sql.c
|
||||
#
|
||||
# Provide data transfer rate "shaping" across the entire server
|
||||
# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
|
||||
# LoadModule mod_shaper.c
|
||||
#
|
||||
# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
|
||||
# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
|
||||
# LoadModule mod_site_misc.c
|
||||
#
|
||||
# Provide an external SSL session cache using shared memory
|
||||
# (contrib/mod_tls_shmcache.html)
|
||||
# LoadModule mod_tls_shmcache.c
|
||||
#
|
||||
# Provide a memcached-based implementation of an external SSL session cache
|
||||
# (contrib/mod_tls_memcache.html)
|
||||
# LoadModule mod_tls_memcache.c
|
||||
#
|
||||
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
|
||||
# files, for IP-based access control
|
||||
# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
|
||||
# LoadModule mod_wrap.c
|
||||
#
|
||||
# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
|
||||
# files, as well as SQL-based access rules, for IP-based access control
|
||||
# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
|
||||
# LoadModule mod_wrap2.c
|
||||
#
|
||||
# Support module for mod_wrap2 that handles access rules stored in specially
|
||||
# formatted files on disk
|
||||
# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
|
||||
# LoadModule mod_wrap2_file.c
|
||||
#
|
||||
# Support module for mod_wrap2 that handles access rules stored in SQL
|
||||
# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
|
||||
# LoadModule mod_wrap2_sql.c
|
||||
#
|
||||
# Implement a virtual chroot capability that does not require root privileges
|
||||
# (http://www.castaglia.org/proftpd/modules/mod_vroot.html)
|
||||
# Using this module rather than the kernel's chroot() system call works
|
||||
# around issues with PAM and chroot (http://bugzilla.redhat.com/506735)
|
||||
LoadModule mod_vroot.c
|
||||
#
|
||||
# Provide a flexible way of specifying that certain configuration directives
|
||||
# only apply to certain sessions, based on credentials such as connection
|
||||
# class, user, or group membership
|
||||
# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
|
||||
# LoadModule mod_ifsession.c
|
||||
|
||||
# Allow only user root to load and unload modules, but allow everyone
|
||||
# to see which modules have been loaded
|
||||
# (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs)
|
||||
ModuleControlsACLs insmod,rmmod allow user root
|
||||
ModuleControlsACLs lsmod allow user *
|
||||
|
||||
# Enable basic controls via ftpdctl
|
||||
# (http://www.proftpd.org/docs/modules/mod_ctrls.html)
|
||||
ControlsEngine on
|
||||
ControlsACLs all allow user root
|
||||
ControlsSocketACL allow user *
|
||||
ControlsLog /var/log/proftpd/controls.log
|
||||
|
||||
# Enable admin controls via ftpdctl
|
||||
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
|
||||
<IfModule mod_ctrls_admin.c>
|
||||
AdminControlsEngine on
|
||||
AdminControlsACLs all allow user root
|
||||
</IfModule>
|
||||
|
||||
# Enable mod_vroot by default for better compatibility with PAM
|
||||
# (http://bugzilla.redhat.com/506735)
|
||||
<IfModule mod_vroot.c>
|
||||
VRootEngine on
|
||||
</IfModule>
|
||||
|
||||
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
|
||||
<IfDefine TLS>
|
||||
TLSEngine on
|
||||
TLSRequired on
|
||||
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
|
||||
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
|
||||
TLSCipherSuite ALL:!ADH:!DES
|
||||
TLSOptions NoCertRequest
|
||||
TLSVerifyClient off
|
||||
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
|
||||
TLSLog /var/log/proftpd/tls.log
|
||||
<IfModule mod_tls_shmcache.c>
|
||||
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
|
||||
</IfModule>
|
||||
</IfDefine>
|
||||
|
||||
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
|
||||
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
|
||||
<IfDefine DYNAMIC_BAN_LISTS>
|
||||
LoadModule mod_ban.c
|
||||
BanEngine on
|
||||
BanLog /var/log/proftpd/ban.log
|
||||
BanTable /var/run/proftpd/ban.tab
|
||||
|
||||
# If the same client reaches the MaxLoginAttempts limit 2 times
|
||||
# within 10 minutes, automatically add a ban for that client that
|
||||
# will expire after one hour.
|
||||
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
|
||||
|
||||
# Inform the user that it's not worth persisting
|
||||
BanMessage "Host %a has been banned"
|
||||
|
||||
# Allow the FTP admin to manually add/remove bans
|
||||
BanControlsACLs all allow user ftpadm
|
||||
</IfDefine>
|
||||
|
||||
# Set networking-specific "Quality of Service" (QoS) bits on the packets used
|
||||
# by the server (contrib/mod_qos.html)
|
||||
<IfDefine QOS>
|
||||
LoadModule mod_qos.c
|
||||
# RFC791 TOS parameter compatibility
|
||||
QoSOptions dataqos throughput ctrlqos lowdelay
|
||||
# For a DSCP environment (may require tweaking)
|
||||
#QoSOptions dataqos CS2 ctrlqos AF41
|
||||
</IfDefine>
|
||||
|
||||
# Global Config - config common to Server Config and all virtual hosts
|
||||
# See: http://www.proftpd.org/docs/howto/Vhost.html
|
||||
<Global>
|
||||
|
||||
# Umask 022 is a good standard umask to prevent new dirs and files
|
||||
# from being group and world writable
|
||||
Umask 022
|
||||
|
||||
# Allow users to overwrite files and change permissions
|
||||
AllowOverwrite yes
|
||||
<Limit ALL SITE_CHMOD>
|
||||
AllowAll
|
||||
</Limit>
|
||||
|
||||
# CH-Root all users
|
||||
DefaultRoot ~
|
||||
# Reject rootlogin (just for security)
|
||||
RootLogin off
|
||||
# Noo need to require valid shell, because user is virtual
|
||||
RequireValidShell off
|
||||
</Global>
|
||||
|
||||
# A basic anonymous configuration, with an upload directory
|
||||
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
|
||||
<IfDefine ANONYMOUS_FTP>
|
||||
#<Anonymous ~ftp>
|
||||
#User ftp
|
||||
#Group ftp
|
||||
#AccessGrantMsg "Anonymous login ok, restrictions apply."
|
||||
|
||||
## We want clients to be able to login with "anonymous" as well as "ftp"
|
||||
#UserAlias anonymous ftp
|
||||
|
||||
## Limit the maximum number of anonymous logins
|
||||
#MaxClients 10 "Sorry, max %m users -- try again later"
|
||||
|
||||
## Put the user into /pub right after login
|
||||
##DefaultChdir /pub
|
||||
|
||||
## We want 'welcome.msg' displayed at login, '.message' displayed in
|
||||
## each newly chdired directory and tell users to read README* files.
|
||||
#DisplayLogin /welcome.msg
|
||||
#DisplayChdir .message
|
||||
#DisplayReadme README*
|
||||
|
||||
## Cosmetic option to make all files appear to be owned by user "ftp"
|
||||
#DirFakeUser on ftp
|
||||
#DirFakeGroup on ftp
|
||||
|
||||
## Limit WRITE everywhere in the anonymous chroot
|
||||
#<Limit WRITE SITE_CHMOD>
|
||||
#DenyAll
|
||||
#</Limit>
|
||||
|
||||
## An upload directory that allows storing files but not retrieving
|
||||
## or creating directories.
|
||||
#<Directory uploads/*>
|
||||
#AllowOverwrite no
|
||||
#<Limit READ>
|
||||
#DenyAll
|
||||
#</Limit>
|
||||
|
||||
#<Limit STOR>
|
||||
#AllowAll
|
||||
#</Limit>
|
||||
#</Directory>
|
||||
|
||||
## Don't write anonymous accesses to the system wtmp file (good idea!)
|
||||
#WtmpLog off
|
||||
|
||||
## Logging for the anonymous transfers
|
||||
#ExtendedLog /var/log/proftpd/access.log WRITE,READ default
|
||||
#ExtendedLog /var/log/proftpd/auth.log AUTH auth
|
||||
|
||||
#</Anonymous>
|
||||
</IfDefine>
|
||||
|
||||
<IfModule mod_sql_mysql.c>
|
||||
SQLLogFile /var/log/proftpd/sql.log
|
||||
SQLAuthTypes Crypt
|
||||
SQLAuthenticate users* groups*
|
||||
SQLConnectInfo <SQL_DB>@<SQL_HOST> <SQL_UNPRIVILEGED_USER> <SQL_UNPRIVILEGED_PASSWORD>
|
||||
SQLUserInfo ftp_users username password uid gid homedir shell
|
||||
SQLGroupInfo ftp_groups groupname gid members
|
||||
SQLUserWhereClause "login_enabled = 'y'"
|
||||
|
||||
SQLLog PASS login
|
||||
#SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users
|
||||
|
||||
SQLLog RETR download
|
||||
#SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users
|
||||
|
||||
SQLLog STOR upload
|
||||
#SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users
|
||||
#QuotaEngine on
|
||||
#QuotaShowQuotas on
|
||||
#QuotaDisplayUnits Mb
|
||||
#QuotaLock /var/lock/ftpd.quotatab.lock
|
||||
#QuotaLimitTable sql:/get-quota-limit
|
||||
#QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
|
||||
#SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'"
|
||||
#SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
|
||||
#SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
||||
#SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
||||
</IfModule>
|
||||
Reference in New Issue
Block a user