User:Stefanwilkens/Glftpd

From ArchWiki
Revision as of 13:17, 9 November 2011 by TuxLyn (talk | contribs) (External Links)


Introduction

glFTPd stands for GreyLine File Transfer Protocol Daemon. It was named after the initial developer GreyLine. The first public release of glFTPd dates back to the beginning of 1998. glFTPd is well known for its detailed user permissions, extensive scripting features, extensive configurability and for securely and efficiently transferring files between other sites using FXP. glFTPd has often been used on topsites for distribution of warez. (source: Wikipedia) Development was stopped; the latest stable version of glFTPd dates from 2005-12-25. glFTPd is still widely respected and used.

This guide describes the installation of glFTPd on Arch linux and includes requirements and basic configuration. Additionally, an extensive example is provided.

Installation

glFTPd comes with a well thought out installation script that will automatically create the required system groups, configure the most basic options and set up /jail if you want it to.

Preparation

Installing the requirements:

pacman -S xinetd zip unzip openssl tcp_wrappers inetutils


x86_64 users also need to install lib32-glibc:

pacman -S lib32-glibc


Find a dir to work from, /tmp is generally ok:

cd /tmp

Downloading the latest version:

wget http://www.glftpd.dk/files/glftpd-LNX_2.01.tgz

Unpacking and entering the dir:

gunzip -c glftpd-LNX_2.01.tgz | tar -xvf -
cd glftpd-LNX_2.01

installgl.sh

installgl.sh is the glFTPd installation script. It automates the installation procedure and makes sure everything is done right.


Let's start the installation:

sudo sh installgl.sh

You will now be prompted with several questions. Below is an example of a jailed set-up, with answers listed in bold. This is NOT a complete installation log, but close enough:

     ###  #     ##### ##### ####  ####        ###
   #   # #     #       #   #   # #   #      #   #
  #     #     ###     #   #   # #   #         #
 #  ## #     #       #   ####  #   #        # 
#   # #     #       #   #     #   #       # 
###  ##### #       #   #     ####       ##### 
--== WE MAKE FILES TRANSFER ==--
-----------------------------------------------------------
GLFTPD INSTALLER v2.0.1 (linux)
Originally done by jehsom and dn.
Made ready for the new era by turranius and psxc.  
-----------------------------------------------------------
Before we begin: If this installer fails on your system, please
let the devs know. You find us on irc (efnet) in #glftpd. Thank you.
Also, any bugs found in glftpd itself should be reported either to
the board @ http://www.glftpd.com, in the irc channel, or both.

Press <enter> to continue.
TCPD SETUP
Do you wish to use tcpd? If you are not sure then you should not
use it. If you decided to change this at a later time, please
search for tcpd in glftpd.docs for the required changes.
Use tcpd? [Y]es [N]o: Y

JAIL SETUP:
Do you want to run glftpd in a "Jailed" environment?  In this
environment a private directory will be created and glftpd will
be installed inside.  Regular shell users will not be able to get
inside this private directory.  The glftpd.conf is also moved
inside for added security and a new group will be created so
you and other users you specify can access glftpd through the shell.
Use a jailed environment? [Y]es [N]o: Y

Creating the jailed environment.

Please enter the private directory to install glftpd inside [/jail]: /jail

Do you want to create a private group?  If you say no then only root will
be able to access glftpd.  Otherwise you can add other shell users to the
group so they can access glftpd from the shell.
Use a private group? [Y]es [No]: Y

Setting permissions on /jail . . . 

GLFTPD BASE SETUP:
Please enter the directory inside /jail to install glftpd to [/glftpd]: /glftpd

Copying glftpd files to /jail/glftpd . . . 
Copying required binaries to /jail/glftpd/bin . . .
All binaries successfully copied.
Making glftpd's /dev/null , /dev/zero & /dev/urandom . . . 

SERVICE SETUP & MULTI-INSTALL:
Enter a service name for glftpd. This name will be used as the
service name mapped to the port in /etc/services, the name
used in your (x)inetd settings, and the name of your config-file.
NOTE: If you (wish to) have multiple instances of glftpd on the
same box, you *must* to change this.
Press <enter> for the default (glftpd)> glftpd

COMPILING SOURCES & COPYING LIBS:
modifying source (bin/sources/glconf.h) ...
#define GLCONF  "/jail/glftpd.conf"
OK
Compiling source files in /jail/glftpd/bin/sources to /jail/glftpd/bin...
OK

PORT AND SYSTEM SETUP:
Enter the port you would like glftpd to listen on [1337]: 21
Setting userfile permissions . . .
Adding glftpd service to /etc/services (as glftpd) . . 
Copying glftpd.conf to /jail/glftpd.conf . . .

Do you wish to use European weeks? European weeks starts with a Monday.
This is for glftpd's reset binary (see docs for more info) [Y/N]: Y

SSL/TLS SETUP:
We will now create a certificate for SSL/TLS support. This step is
required.

Please specify a generic name for this certificate.
This can be any name but should say something about the ftp server
like the name for it perhaps (press enter for glftpd): glftpd
Please wait while creating certificate... (will take time!)

FINISH:
Congratulations, glFtpD has been installed. Scroll up and note any errors
that needs fixing. ./installgl.debug contains a log of the installation process.
To get your site running, you must edit /jail/glftpd.conf according to
the instructions in /jail/glftpd/docs/glftpd.docs.
For help, visit #glftpd on EFnet after you've read (not skimmed) the docs/faq.

After configuring glftpd, visit the following websites for additional
scripts to give your site some style!:
Turranius - http://www.grandis.nu/glftpd
Jehsoms - http://runslinux.net/
http://www.chimera-coding.com
D-ViBEs collection - http://www.glftpd.at

The official glftpd homepage is located at http://www.glftpd.com

Thanks for your support!
the glFtpD team

Allowing access

xinetd

To start xinetd:

sudo /etc/rc.d/xinetd start

To make xinetd start automatically at boot, please add "xinetd" to the rc.conf DAEMONS section:

DAEMONS=(syslog-ng network ... ... xinetd)

hosts.allow

By default, Arch will deny any connection to the system from the outside. To allow people to access the FTP server, add the following to /etc/hosts.allow:

glftpd: ALL

local testing

First, make sure you have xinetd running and have allowed access to glftpd in /etc/hosts.allow.

Log on locally. The default administrator user is glftpd and the password for this user is gtftpd. This user can only log on to the server from localhost. Try to log on; <port> is the port number you chose during installation:

ftp 127.0.0.1 <port>

Example:

# ftp 127.0.0.1
Connected to 127.0.0.1.
220 MY SITE NAME (glFTPd 2.00 Linux+TLS) ready.
Name (127.0.0.1:root): glftpd
331 Password required for glftpd.
Password:
230-                                _____
230- ______________________________|__   |____ ________________________________
230- \     _      /   _     /  _     /   |    |    _     /  _     /    _      /
230-  \    \     /    /    /   /____/.   |    |    /    /   /____/.    /_____/
230-   \________/____/    /______    |___|____|___/    /______    |____|
230- .-=----------- /____/ ---- |____| --------- /____/ ---- |____| -------=-.
230- `-=-------------------------------------------------------------------=-'
230-       `-----( Type 'site onel MESSAGE' to enter your message )-----'
230 User glftpd logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Success! To log off, type bye:

ftp> bye
221- Goodbye
221

Server Configuration

Now that we have successfully installed and tested (locally) our glFTPd set-up, let's look at some configuration to allow customization and remote log-on. We will also look at adding and configuring users and groups.

glftpd.conf

glftpd.conf, located in /jail/glftpd.conf (if you installed to jail), is the main configuration file for glFTPd. The default configuration works well in a local testing set-up, but needs some attention before the server can be considered operational.

Basics

Configures whether your FTP is up, down or open to admins only (0 = up, 1 = admin only, !* = down; the default, commented out with #, is up):

# shutdown 1

The FTP long name:

sitename_long MY[:space:]SITE[:space:]NAME

The FTP short name:

sitename_short MSN 

Admin e-mail address:

email root@127.0.0.1 

The number of users that can be online at the same time. The first number is the maximum number of users allowed to connect to the site; the second is how many exempt users can still connect when the site is already full (they must have the exempt flag for this to work). Exempt users take up a slot just like everyone else, so with max_users 5 5 and 5 exempt users logged in, non-exempt users will not be able to log in.

max_users 15 5

The maximum number of accounts that can be registered with the server:

total_users 300

Folder rights

Folder rights configure which user(s) or group(s) are allowed to perform operations (read, write, create, delete) on folders. This is useful, as it allows you to prevent users or groups from deleting or adding files where you don't want them to.

To configure this, edit /jail/glftpd.conf and look for this section:

##############################################################################
##################     THE RIGHTS SECTION BEGINS HERE     ####################
##############################################################################
# (you can use a ! in front of any group/user/flag to negate it)             #
# The default is no, you don't need to add "!*" at the end                   #
#                                                                            #
# Function       Path                   =GROUP or -username or X (flag)      #
##############################################################################

upload          *                               *
resume          *                               *
makedir         *                               *
download        *                               *
dirlog          *                               *
rename          *                               1 =STAFF
filemove        *                               1 =STAFF
renameown       *                               *
nuke            *                               *
delete          *                               1
deleteown       *                               *

##############################################################################
###################     THE RIGHTS SECTION ENDS HERE     #####################
##############################################################################

Now, let's say we add a user called upload. We want this user to be capable of:

  • Creating new folders
  • Uploading new files and resuming uploads
  • Deleting his own files

We also want our siteops, or site operators (everybody with the 1 flag; see below for an explanation), to be all-powerful everywhere. Lastly, we want our group ftpusers to be able to download from everywhere.

##############################################################################
##################     THE RIGHTS SECTION BEGINS HERE     ####################
##############################################################################
# (you can use a ! in front of any group/user/flag to negate it)             #
# The default is no, you don't need to add "!*" at the end                   #
#                                                                            #
# Function       Path                   =GROUP or -username or X (flag)      #
##############################################################################

upload          *                               1 -upload
resume          *                               1 =ftpusers -upload
makedir         *                               1 -upload
download        *                               1 =ftpusers
dirlog          *                               1
rename          *                               1
filemove        *                               1
renameown       *                               1
nuke            *                               1
delete          *                               1 -upload
deleteown       *                               1 -upload

##############################################################################
###################     THE RIGHTS SECTION ENDS HERE     #####################
##############################################################################

It should be noted that a * in the Path column supersedes any other configuration. Example:

upload          *                               -upload

This allows the user upload to upload anywhere it is allowed to go (you can restrict the home directory of any user through site commands).

upload          *                               1
upload          /site/uploads                   -upload

Here, the first line states that only users with flag 1 are allowed to upload anywhere. Since /site/uploads is within "anywhere", the second line has no effect.

upload          /site/dir1                       1
upload          /site/dir2                       1
upload          /site/dir3                       1
upload          /site/uploads                   -upload

In this third example, any user with flag 1 is allowed to upload to dir1, dir2 and dir3; nobody else is allowed to upload to those locations. Only the user upload is allowed to upload to uploads.

I hope this makes it clear that any user on the FTP has to be explicitly allowed to do anything; the default is no access at all.

Encrypted file transfers

glFTPd allows you to require your users to log on and transfer data with encryption enabled. The installation script has created a certificate you can use; we just need to set up who will be required to use encryption to access the server.

The certificate that was created during installation is available in /glftpd/etc/ftpd-dsa.pem

Open glftpd.conf with your favorite editor and look for the following (near the top of the file):

#if you have dsa cert file
DSA_CERT_FILE /jail/glftpd//etc/ftpd-dsa.pem

Now, look for the following:

# TLS enforcements.
userrejectsecure        !*
userrejectinsecure      !*
denydiruncrypted        !*
denydatauncrypted       !*

! means not, * means everybody. So currently nobody is rejected or denied based on a secure or insecure log-on. Now, let's make it so that:

  • Everybody connecting without encryption will be denied
  • The account useraccountname will be exempt from this rule and will be allowed to log on without encryption, but will not be denied if he logs on with encryption.
  • The group groupname will be rejected if it tries to log on with encryption.

# TLS enforcements.
userrejectsecure        =groupname !*
userrejectinsecure      !-useraccountname *
denydiruncrypted        !-useraccountname *
denydatauncrypted       !-useraccountname *

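
The rights lines above and the TLS enforcement lines use the same ACL syntax (=GROUP, -user, flag characters, * and a leading ! to negate), so the following added example, written for this page and not part of glFTPd, evaluates both: it parses a rights section constructed after the examples in the Folder rights section, applies the "first covering line wins, default deny" rule, and checks the TLS ACLs against users. The function and constant names are assumptions; how glFTPd itself treats a multi-character flag token is not stated on the page and is marked as an assumption in the code.

```python
# Constructed rights section modelled on the page's second example.
RIGHTS_CONF = """\
upload          *                               1 -upload
download        *                               1 =ftpusers
delete          *                               1 -upload
deleteown       *                               1 -upload
"""
# The page's third example: path-specific lines, the first covering path wins.
RIGHTS_CONF_PATHS = """\
upload          /site/dir1                      1
upload          /site/dir2                      1
upload          /site/uploads                   -upload
"""
# The page's TLS enforcement ACLs use the same token syntax.
TLS_REJECT_INSECURE = ["!-useraccountname", "*"]
TLS_REJECT_SECURE = ["=groupname", "!*"]

def parse_rights(text):
    """Parse 'function path acl...' lines; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            func, path, *acl = line.split()
            rules.append((func, path, acl))
    return rules

def token_describes(token, user, groups, flags):
    """'*' is everybody, '=GROUP' a group, '-name' a user, else flag chars.
    Assumption (not on the page): a multi-char flag token matches any of them."""
    if token == "*":
        return True
    if token.startswith("="):
        return token[1:] in groups
    if token.startswith("-"):
        return token[1:] == user
    return any(c in flags for c in token)

def acl_allows(acl, user, groups=(), flags=""):
    """Left to right, the first token describing the user decides; a leading
    '!' makes that a deny, and no match is a deny (the page's 'default is no')."""
    for entry in acl:
        if token_describes(entry.lstrip("!"), user, groups, flags):
            return not entry.startswith("!")
    return False

def path_covered(rule_path, path):
    """'*' covers everything; any other rule path covers its subtree."""
    if rule_path == "*":
        return True
    rule_path = rule_path.rstrip("/")
    return path == rule_path or path.startswith(rule_path + "/")

def allowed(rules, func, path, user, groups=(), flags=""):
    """The first line for `func` whose path covers `path` decides; later lines
    are ignored, so a '*' line placed first supersedes every line after it."""
    for rule_func, rule_path, acl in rules:
        if rule_func == func and path_covered(rule_path, path):
            return acl_allows(acl, user, groups, flags)
    return False

if __name__ == "__main__":
    rules = parse_rights(RIGHTS_CONF)
    print(allowed(rules, "download", "/site/x", "archie", groups=("ftpusers",)))
    print(acl_allows(TLS_REJECT_INSECURE, "useraccountname"))
```

For the TLS ACLs, a True result means the user is rejected or denied by that line, so useraccountname is the only account that may log on without encryption.
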
Dupecheck

By default, glFTPd checks for duplicate files in the FTP's directory tree. Based on file names, glFTPd may reject files and deny them during upload. Disabling this feature can be useful. Look for the following line in glftpd.conf:

# dupecheck     how many days?  ignore file case like Windows?
dupe_check      7               no

And change the default value of "7" to "0":

# dupecheck     how many days?  ignore file case like Windows?
dupe_check      0               no

Behind a router?

If you're running the FTP daemon from behind a router, you will need to configure glftpd.conf accordingly. You will want to operate the FTP in passive mode and define a port range for passive connections. Additionally, you will need to tell glFTPd what your WAN IP is.

Configures the PASV mode (used behind routers) port range:

pasv_ports <X>-<Y>


Configures the PASV mode IP, which is your WAN IP. The trailing 1 is required if you're behind a router!

pasv_addr xxx.xxx.xxx.xxx 1

The default glftpd.conf file does not include these options; you can simply add them to the end of the file.


Adding and configuring users and groups

glFTPd's users, groups and their respective settings (such as download speed, maximum connections etc.) have to be configured using site commands. Site commands are issued once you are already logged on to the FTP server.


General tips

glFTPd's help feature is extensive and provides extremely helpful examples. For example, users can access a list of all basic configuration commands with:

ftp> site help

If you're unsure about a command's syntax, or want to know its options, you can simply do:

ftp> site <command>

Example:

ftp> site addip
200-  .------------------------------------------------.
200- | USAGE: SITE ADDIP <username> <ident@ip>          |
200- |                                                  |
200- |  <username> The username to add.                 |
200- |  <ident@ip> The IP address to add.               |
200- |                                                  |
200- | You can use [,],?, and * in the IPs.             |
200- | Note that a user may have a maximum of 10 IP's.  |
200- |                                                  |
200- | Examples: SITE ADDIP user frank@*.netcom.com     |
200- |           SITE ADDIP user blah@128.23.222.15     |
200- |           SITE ADDIP user a@24.1.5.[345][789]    |
200- |           SITE ADDIP user *@205.241.224.*        |
200-  `------------------------------------------------'
200 Command Successful.


As a final tip, any command you apply to a user can also be applied to a group. This is useful when you want to apply speed limits, connection limits or other options to all users in that group. In this example, we apply a download speed limit to all users in our ftpusers group.

ftp> site change =ftpusers max_dlspeed 250
200 Change command applied to 2 users.

Specific commands that apply to groups only (e.g. the maximum number of logins per group) are discussed in the example, or can be found in glFTPd's help feature.

Example

The following example will show you how to:

  • Create an admin account to remotely administrate the server.
  • Create a new group, called ftpusers (note that this group only exists in glFTPd and has no link to Linux user groups).
  • Create a new user, called archie (note that this user only exists in glFTPd and has no link to Linux user groups).
  • Add this user to the ftpusers group.
  • Configure several settings for our new user archie.
  • Configure several options for our group ftpusers.

Log on to the server:

ftp 127.0.0.1 <port>

Create the new user admin, along with the password for this account:

ftp> site adduser admin adminpassword
200 User (admin) succesfully added.

Now, let's add an IP from which the admin user is allowed to log on. *@* allows admin to log on from any IP.

ftp> site addip admin *@*
200- IP '*@*' successfully added to admin.

Flags represent special rights on the server such as group admin or user kick rights. The meaning of these flags is available in the documentation. To list the flags your new admin user has, do:

ftp> site flags admin
200- FLAGS for user admin ...
200-
200-    [ ]SITEOP    -1-
200-    [ ]GADMIN    -2-
200-    [*]GLOCK     -3-
200-    [ ]EXEMPT    -4-
200-    [ ]COLOR     -5-
200-    [ ]DELETED   -6-
200-    [ ]USEREDIT  -7-
200-    [ ]ANONYMOUS -8-
200-    [ ]NUKE      -A-
200-    [ ]UNNUKE    -B-
200-    [ ]UNDUPE    -C-
200-    [ ]KICK      -D-
200-    [ ]KILL      -E-
200-    [ ]TAKE      -F-
200-    [ ]GIVE      -G-
200-    [ ]USERS     -H-
200-    [ ]IDLER     -I-
200-    [ ]CUST1     -J-
200-    [ ]CUST2     -K-
200-    [ ]CUST3     -L-
200-    [ ]CUST4     -M-
200-    [ ]CUST5     -N-

We want our user admin to have: SITEOP (1), USEREDIT (7), KICK (D), KILL (E) and USERS (H).

ftp> site change admin flags +17DEH
200- Command Successfull.

Create the new usergroup, ftpusers with:

ftp> site grpadd ftpusers
200- Group (ftpusers) successfully added.

Add the user admin to the ftpusers group:

ftp> site chgrp admin ftpusers
200- 'admin' has been successfully added to 'ftpusers'

Now, make admin group admin for the ftpusers group:

ftp> site chgadmin admin ftpusers
200- 'admin' has been successfully added as gadmin for 'ftpusers'

Add the user archie, along with the password for this account:

ftp> site adduser archie archrocks
200 User (archie) succesfully added.

Adding IP to archie:

ftp> site addip archie *@*
200- IP '*@*' successfully added to archie.

Add the user archie to the ftpusers group:

ftp> site chgrp archie ftpusers
200- 'archie' has been successfully added to 'ftpusers'


We now have:

  • Our admin account, able to remotely configure the server and its users, and group admin of the main ftpusers group.
  • Our archie account.
  • Our main ftpusers group.


Now that our user archie can log on, we need to set some options to prevent him doing things we don't want. Let's set the following options for our user archie:

  • Max 1 login at the same time
  • Max 1 connection from the same IP
  • Max 1 simultaneous download (trivial in this case, since we already have max 1 connection; it is included for information)
  • Max downloadspeed of 250 kbyte / second.
  • User can log on between 10:00 and 21:00


Max 1 login at the same time, 1 connection from the same IP:

ftp> site change archie num_logins 1 1
200 Command Successful.

Max 1 simultaneous download:

ftp> site change archie max_sim_down 1
200- Changed max simultaneous downloads for archie to 1.
200 Command Successful.

Max downloadspeed of 250 kbyte / second:

ftp> site change archie max_dlspeed 250
200- Changed max download speed for archie to 250 KB/s
200 Command Successful.

User can log on between 10:00 and 21:00:

ftp> site change archie timeframe 10 21
200 Command Successful.


Finally, let's change some group options:

  • Max 1 user in this group may be online at the same time
  • Max 10 users may exist in this group


Max 1 user in this group may be online at the same time:

ftp> site grpchange ftpusers max_logins 1
200 Command Successful.

Max 10 users may exist in this group:

ftp> site grpchange ftpusers slots 10
200 Command Successful.

Credits?

glFTPd uses a credit system which is on by default. The credit system is simple: uploads give you credits (at a certain ratio), downloads cost you credits. This feature can be useful, but isn't in most day-to-day FTP applications. The simplest way to disable this system is to set the ratio to 0 for all users, or give them a high amount of credits.

site change username ratio 0

This sets the upload/download ratio for that user to 0, which effectively disables the credit system for that user. This situation is referred to as "leech" in the community. Many options to configure the credit system are available; please refer to the docs for details.

Troubleshooting

System update killed glftpd

A system update may remove the glftpd line from /etc/services. To restore functionality, simply add:

glftpd         portnumber/tcp


External Links