#
# ProFTPd configuration file for AlternC
# $Id: proftpd.conf,v 1.11 2006/01/17 12:04:14 benjamin Exp $
#
# %%warning_message%%
# version ETCH
#
# NOTE(review): this copy was extracted with all line breaks collapsed; the
# directives below are restored one per line, but the <Limit>/<Directory>
# section tags that normally enclose the DenyAll / Umask / AllowAll group
# appear to have been lost in extraction. Restore them from the upstream
# template before deploying — those directives are not meaningful at top level.
#

# Includes required DSO modules. This is mandatory in proftpd 1.3
#
Include /etc/proftpd/modules.conf

# %%hosting%% is substituted by the AlternC template renderer.
ServerName "%%hosting%%"
ServerIdent on "FTP Server Ready"
ServerType standalone
DeferWelcome on
ShowSymlinks on
MultilineRFC2228 on
DefaultServer on
AllowOverwrite on
AllowStoreRestart on
# Chroot every user into their home directory.
DefaultRoot ~
UseReverseDNS off
IdentLookups off
# IPv6 listening is disabled; the IPv6 branches of the SQL clause below
# presumably only become relevant if this is turned on.
UseIPv6 off

# Timeouts in seconds.
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin /etc/welcome.msg
# lenny-only
#DisplayChdir .message
ListOptions "-al"

# Reject commands whose argument matches this pattern.
DenyFilter \*.*/

Port 21
MaxInstances 30

# Unprivileged identity the daemon drops to.
User nobody
Group nogroup

# SQL-backed accounts have no Unix shell, so do not check /etc/shells.
RequireValidShell off

# Use the IANA registered ephemeral port range
# If you have a firewall, you should open this portrange
# (or change it)
# since ip_conntrack_ftp cannot decrypt TLS session.
PassivePorts 49152 65534

# --- Section tags missing here (see NOTE(review) at the top). ---
# Presumably a <Limit LOGIN> block denying logins by default...
DenyAll
# ...and a <Directory ~> block granting access inside the user's home.
Umask 022 022
AllowOverwrite on
AllowAll
AllowAll

MaxClientsPerHost 8 "Sorry, no more than 8 simultaneous connections"
AccessGrantMsg "Welcome on AlternC, %u"

# database@host:port login password
# NOTE(review): once the template is rendered this line holds the database
# password in cleartext; keep the file readable by root only.
SQLConnectInfo %%dbname%%@%%dbhost%%:3306 %%dbuser%% %%dbpwd%%

# Table : table userfield passwdfield uidfield gidfield homedirfield shellfield
SQLUserInfo ftpusers name encrypted_password uid uid homedir NULL

# NOTE(review): the original comment here read "Use mysql PASSWORD function",
# but the directive configured is Crypt — confirm which hash format the
# encrypted_password column actually holds.
SQLAuthTypes Crypt

# Only mysql authentication enabled
SQLAuthenticate users
AuthPAM off

# What this SQL query does:
# - check whether there is an IP limitation for this account. If there isn't,
#   return the value of the 'auth_ip_ftp_default_yes' variable (the site-wide default)
# - if there is some limitation:
#   - convert the IP to an integer (if conversion is impossible, it's an IPv6
#     address. MySQL 6 will have IPv6 functions; for MySQL 5 AlternC provides
#     inet_aton6 itself)
#   - calculate the last IP of the subnet. If the subnet is 32, return the original IP
#   - check that the user's IP is in an allowed range
#   - add the IP ranges that are defined as "always, for everyone" (uid=0.
#     Not uid=2000, because we could want to have some limitation for the root account)
#
# NOTE(review): %U (the client-supplied login name) and %h (the client address)
# are expanded by mod_sql into the query text. Whether they are escaped before
# substitution is a property of the installed mod_sql, not visible here —
# confirm against that version before relying on this clause as a security
# boundary.
# The subnet-end arithmetic: lpad('',(32-subnet),'1') is a run of (32-subnet)
# '1' bits, and conv(...,2,10) turns it into 2^(32-subnet)-1, i.e. the host
# part of the broadcast address; the 128-subnet form does the same for IPv6.
SQLUserWhereClause " \
true in ( \
select if(count(*)>0,false,(select value from variable where name='auth_ip_ftp_default_yes')) \
from authorised_ip_affected aia, ftpusers f \
where cast(aia.parameters as signed integer)=f.id and f.name='%U'\
UNION \
select \
ifnull(inet_aton('%h'),inet_aton6('%h')) \
between ifnull(inet_aton(ip),inet_aton6(ip)) \
and ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) , inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10) ) \
from authorised_ip ai, authorised_ip_affected aia, ftpusers f \
where f.name='%U' and cast(aia.parameters as signed integer)=f.id and ai.id=aia.authorised_ip_id and aia.protocol='ftp' \
UNION \
select \
ifnull(inet_aton('%h'),inet_aton6('%h')) \
between ifnull(inet_aton(ip),inet_aton6(ip)) \
and ifnull( inet_aton(ip) + if(subnet=32,0,conv( lpad('',(32-subnet),'1'), 2 , 10)) , inet_aton6(ip) + conv( lpad('',(128-subnet),'1'), 2 , 10) ) \
from authorised_ip ai \
where ai.uid=0 \
) \
"

# Uncomment this line if you want to debug Proftpd's SQL
# (the log will then contain the expanded queries, including %U values).
#SQLLogFile /var/log/proftpd/sql.log

# Default : www-data.www-data
SQLDefaultGID 33
SQLDefaultUID 33

# Minimum ID allowed to log in. Other users should use SFTP
SQLMinID 33

# We don't use Unix rights management on AlternC, so let's hide real owner/group/rights
DirFakeGroup on alternc
DirFakeUser on ~

# Log file by default
SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/xferlog

TLSEngine on
TLSLog /var/log/proftpd/tls.log
# NOTE(review): only the listed protocol version is offered; as written this is
# TLSv1 alone — check what the installed mod_tls maps that name to and whether
# it matches current policy.
TLSProtocol TLSv1

# Are clients required to use FTP over TLS when talking to this server?
# "off" means plaintext FTP logins are accepted alongside TLS ones.
TLSRequired off

# Server's certificate (the same PEM as Apache; key is expected in the same file
# since TLSRSACertificateKeyFile is commented out).
TLSRSACertificateFile /etc/alternc/apache.pem
# TLSRSACertificateKeyFile /etc/ftpd/server.key.pem

# CA the server trusts
# TLSCACertificateFile /etc/ftpd/root.cert.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off

# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off