01-30-2004
becco
 
[Proftpd] Reject anonymous logins

Hi, I'm trying to set up the proftpd server to reject anonymous
connections, and allow only users with a valid username/passwd.

I can't figure out why my proftpd.conf doesn't work: authenticated
users AND anonymous users are allowed to log in, while I'd like the
anonymous ones to be rejected.

Can anyone help me?

Here is my proftpd.conf:
--------------------------------
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "Animal FTP Server"
#ServerType inetd
Servertype standalone
DeferWelcome off

ShowSymlinks off
MultilineRFC2228 on
DefaultServer on
AllowOverwrite on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayFirstChdir .message
#LsDefaultOptions "-l"

DenyFilter \*.*/

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd off

# Port 21 is the standard FTP port.
Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User proftpd
Group proftpd

# Normally, we want files to be overwriteable.
<Directory /*>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

AllowOverwrite on
</Directory>

# here are my improvements
# chroot for all users of the group ftpuser
DefaultRoot ~ ftp

# grant login only for members of the group
<Limit LOGIN>
DenyGroup !ftp
</Limit>

# disable root login and require a valid shell (from /etc/shells)
<Global>
RootLogin off
RequireValidShell on
</Global>

# increase
UseReverseDNS off
IdentLookups off

# Logging formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"


# activate logging

# every login
ExtendedLog /var/log/ftp_auth.log AUTH auth

# file/dir access
ExtendedLog /var/log/ftp_access.log WRITE,READ write

# for the paranoid (big logfiles!)
#ExtendedLog /var/log/ftp_paranoid.log ALL default
-------------------

Thank you for your help

Marcello
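An added example, not part of the original post: one way to confirm from /var/log/ftp_auth.log whether anonymous logins are really being accepted. It parses lines in the post's "auth" LogFormat (%v [%P] %h %t "%r" %s) and reports sessions where a USER command naming anonymous or ftp was followed by a PASS answered with reply code 230. The function names, the set of names treated as anonymous, and the sample log lines are assumptions constructed for illustration.

```python
import re

# The post's "auth" format: %v [%P] %h %t "%r" %s
# server name, [pid], remote host, [timestamp], "command", reply code
AUTH_LINE = re.compile(
    r'^(?P<server>.*?) \[(?P<pid>\d+)\] (?P<host>\S+) '
    r'\[(?P<time>[^\]]*)\] "(?P<cmd>.*)" (?P<code>\d{3}|-)$'
)
# Assumption: names conventionally used for anonymous FTP access.
ANON_NAMES = {"anonymous", "ftp"}


def successful_logins(lines):
    """Yield (host, user, time) for each USER/PASS pair answered with 230."""
    pending = {}  # (pid, host) -> user name from the last USER command
    for line in lines:
        m = AUTH_LINE.match(line.strip())
        if not m:
            continue  # not in the auth format; skip rather than guess
        key = (m["pid"], m["host"])
        verb, _, arg = m["cmd"].partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending[key] = arg.strip()
        elif verb == "PASS" and key in pending:
            user = pending.pop(key)
            if m["code"] == "230":  # 230 = user logged in
                yield m["host"], user, m["time"]


def anonymous_logins(lines):
    """Return the successful logins made under an anonymous-style name."""
    return [hit for hit in successful_logins(lines)
            if hit[1].lower() in ANON_NAMES]


# Constructed sample lines (documentation addresses, invented PIDs and times).
SAMPLE = '''\
Animal FTP Server [4101] 192.0.2.10 [30/Jan/2004:10:01:02 +0100] "USER marcello" 331
Animal FTP Server [4101] 192.0.2.10 [30/Jan/2004:10:01:05 +0100] "PASS (hidden)" 230
Animal FTP Server [4102] 198.51.100.7 [30/Jan/2004:10:02:11 +0100] "USER anonymous" 331
Animal FTP Server [4102] 198.51.100.7 [30/Jan/2004:10:02:12 +0100] "PASS (hidden)" 230
Animal FTP Server [4103] 203.0.113.5 [30/Jan/2004:10:03:40 +0100] "USER ftp" 331
Animal FTP Server [4103] 203.0.113.5 [30/Jan/2004:10:03:41 +0100] "PASS (hidden)" 530
'''.splitlines()

if __name__ == "__main__":
    for host, user, when in anonymous_logins(SAMPLE):
        print(f"anonymous login accepted: user={user} host={host} at {when}")
```

To run it against the real log, pass open("/var/log/ftp_auth.log") to anonymous_logins() in place of SAMPLE.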