ProFTPd is a high-performance, extremely configurable and, most of all, secure FTP server written for Unix and Unix-like operating systems. The FTP daemon uses an Apache-like configuration syntax and supports virtual servers: parallel FTP environments that are physically located on the same system but answer on different IP addresses or ports.
ProFTPD generally uses a single configuration file, found at /etc/proftpd.conf or at /etc/proftpd/proftpd.conf. This small cheatsheet describes the configuration directives that help harden a running ProFTPd instance.
To quickly secure a ProFTPd server, open the config file and make the following changes:
ServerType standalone
ServerName "SysAdmin.MD secured FTP server"
ServerIdent on "FTP server"
DeferWelcome on
UseIPv6 off
IdentLookups off
MaxInstances 30
MaxClients 10 "Maximum number of allowed users are already connected (%m)"
MaxLoginAttempts 10
DefaultRoot ~
AllowFilter "^[a-zA-Z0-9 ,]*$"
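Before and after editing, it is worth checking what a proftpd.conf actually contains rather than trusting memory. The script below is an added example (not from the original post or the ProFTPd project): it strips comments, looks up each directive from the cheatsheet case-insensitively, and reports it as ok, WEAK (present but looser than the value above) or MISSING, exiting non-zero if anything needs attention. It only inspects the first occurrence of each directive, so settings inside <VirtualHost> or <Global> blocks are not evaluated separately. The two sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a proftpd.conf for the
# hardening directives listed in the cheatsheet. Needs only POSIX sh and awk.
# Usage: sh audit.sh /etc/proftpd/proftpd.conf   (no argument runs the demo)

# directive_value FILE NAME: value of the first uncommented NAME directive, if any.
# Directive names are matched case-insensitively, as ProFTPd itself does.
directive_value() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                   # drop comments (also a # inside quotes)
        tolower($1) == tolower(name) {       # first field is the directive name
            sub(/^[ \t]*[^ \t]+[ \t]*/, ""); # keep only the argument(s)
            print; exit
        }' "$1"
}

# audit_config FILE: print "<directive> <status> <value>" per directive and
# return 1 if any directive is WEAK or MISSING.
audit_config() {
    _file="$1"; _rc=0
    while read -r _name _kind _want; do
        _got=$(directive_value "$_file" "$_name")
        if [ -z "$_got" ]; then
            _st=MISSING
        else
            case "$_kind" in
                # boolean directive: compare case-insensitively against the cheatsheet value
                exact) [ "$(printf '%s' "$_got" | tr 'A-Z' 'a-z')" = "$_want" ] && _st=ok || _st=WEAK ;;
                # numeric directive: first word must not exceed the cheatsheet ceiling
                max)   [ "${_got%% *}" -le "$_want" ] 2>/dev/null && _st=ok || _st=WEAK ;;
                # "set": presence is enough (value is site-specific)
                *)     _st=ok ;;
            esac
        fi
        [ "$_st" = ok ] || _rc=1
        printf '%-16s %-8s %s\n' "$_name" "$_st" "$_got"
    done <<'EOF'
ServerIdent set
DeferWelcome exact on
UseIPv6 exact off
IdentLookups exact off
MaxInstances max 30
MaxClients max 10
MaxLoginAttempts max 10
DefaultRoot set
AllowFilter set
EOF
    return $_rc
}

# write_sample_config FILE {hardened|stock}: constructed demo configs, not real ones
write_sample_config() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
# constructed sample: the cheatsheet's settings
ServerType standalone
ServerName "SysAdmin.MD secured FTP server"
ServerIdent on "FTP server"
DeferWelcome on
UseIPv6 off
IdentLookups off
MaxInstances 30
MaxClients 10 "Maximum number of allowed users are already connected (%m)"
MaxLoginAttempts 10
DefaultRoot ~
AllowFilter "^[a-zA-Z0-9 ,]*$"
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: a permissive config with most defaults left in place
ServerType standalone
ServerName "ProFTPD Default Installation"
useipv6 on
MaxInstances 100
# MaxClients 10   -- commented out, so not in effect
EOF
    fi
}

# demo: audit both constructed samples
demo() {
    _d="${TMPDIR:-/tmp}/proftpd-audit-demo.$$"
    for _variant in hardened stock; do
        write_sample_config "$_d.$_variant" "$_variant"
        echo "== $_variant sample =="
        audit_config "$_d.$_variant" || echo "(needs attention)"
        rm -f "$_d.$_variant"
    done
}

if [ "$#" -gt 0 ]; then
    audit_config "$1"
else
    demo
fi
```

Run it against the live file after editing and again after `proftpd -t` confirms the syntax; a non-zero exit is a convenient gate in a configuration-management pipeline.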
Below is a short explanation for each directive:
ServerType standalone: sets the mode ProFTPd runs in. In standalone mode, each new connection to the server results in a child process spawned for that client.
ServerIdent on "FTP server": sets the identification message displayed when a new client connects. You can check this message by connecting to the FTP port with telnet. Example:
srv:~# telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 FTP server
DeferWelcome on: enabling this directive makes the initial welcome message exceedingly generic, so that it gives no information about the host.
UseIPv6 off: set to off to disable IPv6 protocol support, which only gets in the way on IPv4-only boxes.
IdentLookups off: tells ProFTPd not to attempt to identify the remote username (an ident lookup) when a client initially connects to the server.
MaxInstances 30: configures the maximum number of child processes that may be spawned by the parent proftpd process in standalone mode. This limit helps prevent denial-of-service attacks that flood the server with connections.
MaxClients 10: configures the maximum number of authenticated clients that may be logged into the server. Once this limit is reached, additional clients attempting to authenticate are disconnected with the message (the %m in the configured string is replaced by the limit):
Maximum number of allowed users are already connected.
MaxLoginAttempts 10: the maximum number of failed login attempts a client may make on one connection before the server disconnects it.
DefaultRoot ~: controls the default root directory assigned to a user upon login. The value ~ means that each client is chroot-jailed into their own home directory.
AllowFilter "^[a-zA-Z0-9 ,]*$": controls what characters may be sent in a command to ProFTPD, to prevent some types of attacks against the FTP daemon. This regular expression tells the daemon to accept only command arguments made up of letters, digits, spaces and commas.
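Because AllowFilter is matched against the arguments of each command, a character class this tight also rejects ordinary file names containing a dot, hyphen or path separator, so it should be tested against the site's real usage before going live. The script below is an added example (not from the original post or the ProFTPd project): it replays the filter against constructed sample arguments with grep -E, which uses the same POSIX extended regex syntax. CHEATSHEET_FILTER is the regex from the post; RELAXED_FILTER is a hypothetical looser variant added here for comparison, and the sample arguments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): replay ProFTPd's AllowFilter
# check against sample command arguments using grep -E.

CHEATSHEET_FILTER='^[a-zA-Z0-9 ,]*$'     # the regex from the cheatsheet
RELAXED_FILTER='^[a-zA-Z0-9 ,._/-]*$'    # hypothetical: also permits . _ / -

# allowed_by FILTER ARG: exit 0 if ARG matches FILTER, 1 otherwise
allowed_by() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# classify FILTER ARG: print "allow" or "deny"
classify() {
    if allowed_by "$1" "$2"; then echo allow; else echo deny; fi
}

# demo: show what each filter does to typical (constructed) arguments
demo() {
    printf '%-20s %-10s %s\n' ARGUMENT CHEATSHEET RELAXED
    for arg in 'alice' 'report.txt' '/pub/incoming' 'my file,v2' 'x;y' 'a|b'; do
        printf '%-20s %-10s %s\n' "$arg" \
            "$(classify "$CHEATSHEET_FILTER" "$arg")" \
            "$(classify "$RELAXED_FILTER" "$arg")"
    done
}

demo
```

The demo shows the trade-off: the cheatsheet's filter blocks shell metacharacters such as ; and |, but also blocks report.txt and /pub/incoming, so users who need dots or directory paths in arguments would be unable to work until the class is widened. Whichever class is chosen, keep metacharacters out of it and re-run the check whenever the filter changes.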