Help us understand the problem. What is going on with this article?

Proftpd+(TLS(ftps)+SFTP+MySQL連携)をインストールする(ソースからコンパイル) for CentOS7.3

More than 1 year has passed since last update.

はじめに

FTPは、セキュリティの問題から嫌煙されるケースもありますが、昨今ではクライアントソフトウェアが、FTPSに対応したことなども有り、手軽なファイル交換の手段として今でも多くの場所で活用されています。
FTPにおいては、vsftpdなどの製品が多く使われることがありますが、高機能で様々な設定が可能なProftpdを利用した、環境を構築します。
今回は、MySQLによるアカウント情報連携や、FTPS(TLS)とSFTP(SSH)にも対応させる前提での構成となります。
2017年5月現在、Proftpdは、1.3.6が最新版となります。

事前作業

MySQL及びOpenSSLのインストールが必要となります。
-MariaDB10.1のインストール(ソースからコンパイル)for CentOS7.3
-OpenSSL(1.0.x)をインストールする(ソースからコンパイル)for CentOS 7.2

インストール作業

(コンパイルオプションは、SFTPにも対応できるようにしています)

#事前インストール前作業
export LD_LIBRARY_PATH=/usr/local/mysql/lib:/usr/local/ssl/lib:${LD_LIBRARY_PATH}
ln -s /usr/local/mysql/lib/libmysqlclient.so /usr/lib/libmysqlclient.so
ln -s /usr/local/ssl/include/openssl /usr/local/include/openssl
mkdir -p /run/proftpd

#インストール作業
cd /usr/local/src
wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.6.tar.gz
tar xvzf proftpd-1.3.6.tar.gz
cd proftpd-1.3.6
./configure \
--with-modules=mod_sftp:mod_tls:mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql \
--with-includes=/usr/local/mysql/include/mysql:/usr/local/ssl/include/openssl \
--with-libraries=/usr/local/mysql/lib/mysql:/usr/local/ssl/lib

以下の結果が出ていれば問題ない

--------------
Build Summary
--------------
Building the following static modules:
  mod_ident
  mod_auth_pam
  mod_sftp
  mod_tls
  mod_sql
  mod_sql_mysql
  mod_quotatab
  mod_quotatab_sql
  mod_cap

インストールを行う

make
make install

MySQLでテーブル作成の実行

CREATE USER 'proftpd'@'localhost' IDENTIFIED VIA mysql_native_password USING 'proftpd';
GRANT ALL PRIVILEGES ON *.* TO 'proftpd'@'localhost' REQUIRE NONE WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
CREATE DATABASE IF NOT EXISTS `proftpd`;
GRANT ALL PRIVILEGES ON `proftpd`.* TO 'proftpd'@'localhost';

//以下は、proftpdのデーターベースにて実行

CREATE TABLE users (
  userid varchar( 50 ) NOT NULL ,
  uid INT,
  gid INT,
  passwd varchar( 30 ) NOT NULL ,
  shell varchar( 20 ) DEFAULT '/bin/bash',
  homedir varchar( 30 ) NOT NULL ,
  count INT,
  comment varchar(100),
  primary key(userid),
  unique key k_uid(uid)
);

CREATE TABLE groups(
  groupname varchar(20) NOT NULL,
  gid int NOT NULL,
  members varchar(30) NOT NULL,
  primary key (groupname),
  key k_gid(gid)
);

CREATE TABLE quotalimits (
  name varchar(30),
  quota_type ENUM("user", "group", "class", "all") NOT NULL,
  per_session ENUM("false", "true") NOT NULL,
  limit_type ENUM("soft", "hard") NOT NULL,
  bytes_in_avail FLOAT NOT NULL,
  bytes_out_avail FLOAT NOT NULL,
  bytes_xfer_avail FLOAT NOT NULL,
  files_in_avail INT UNSIGNED NOT NULL,
  files_out_avail INT UNSIGNED NOT NULL,
  files_xfer_avail INT UNSIGNED NOT NULL );

CREATE TABLE quotatallies (
  name varchar(30) NOT NULL,
  quota_type ENUM("user", "group", "class", "all") NOT NULL,
  bytes_in_used FLOAT NOT NULL,
  bytes_out_used FLOAT NOT NULL,
  bytes_xfer_used FLOAT NOT NULL,
  files_in_used INT UNSIGNED NOT NULL,
  files_out_used INT UNSIGNED NOT NULL,
  files_xfer_used INT UNSIGNED NOT NULL
);

//検証用でテストのアカウントを作成する
INSERT INTO users
VALUES('test',12000,12000,'test','/bin/bash','/home/test',0,'テストアカウント');
INSERT INTO groups values('user',12000,'');

設定ファイルを変更する

vi /usr/local/etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerIdent off
ServerName          "Onpremiss FTPServer"
ServerType          standalone
DefaultServer       on
PidFile                         /run/proftpd/proftpd.pid

# Port 21 is the standard FTP port.
Port                21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask               022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances            30

# Set the user and group under which the server will run.
User                nobody
Group               nobody

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite        on
</Directory>

#add passive setting
AllowForeignAddress   On
MasqueradeAddress   ftp.example.com
PassivePorts 8000 8024


# add by custome setting
PidFile         /run/proftpd/proftpd.pid
UseFtpUsers off
UseReverseDNS off

DefaultRoot ~
TimesGMT off

#quota
QuotaDirectoryTally on 
QuotaDisplayUnits "Mb" 
QuotaEngine on 

#QuotaLog "/usr/local/proftpd/var/quota" 

QuotaShowQuotas on 

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session,limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail,files_in_avail, files_out_avail, files_xfer_avail FROM quotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}'  AND quota_type = '%{7}'" quotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" quotatallies 
QuotaLimitTable sql:/get-quota-limit 
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally 


#sql setting
SQLAuthenticate on
SQLConnectInfo  proftpd@localhost proftpd proftpd

SQLAuthTypes Plaintext
#SQLUserInfo users userid passwd uid gid homedir shell


SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1 where userid='%u'" users

#SQLHomedirOnDemand on
#SQLHomedirOnDemandは、サポートされなくなった。
CreateHome On

SQLDefaultGID 1001

SQLLogFile /var/log/proftpd

<IfModule mod_tls.c>
    TLSEngine on
    TLSVerifyClient off
    TLSLog          /var/log/proftpd.ftps.log
    TLSCipherSuite  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    TLSProtocol     TLSv1.2
    TLSRequired     off
    #Apacheと同じものを利用する
    TLSRSACertificateFile    /usr/local/apache2/conf/cert/servercert.crt
    TLSRSACertificateKeyFile /usr/local/apache2/conf/cert/server.key
    TLSOptions      NoSessionReuseRequired
    <VirtualHost 192.168.255.255>
        Port            990
        DefaultRoot     ~
        AllowOverwrite  on
        TLSEngine       on
        TLSVerifyClient off
        TLSLog          /var/log/proftpd.ftps.log
        TLSCipherSuite  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        TLSProtocol     TLSv1.2
        TLSRequired     ctrl
        #Apacheと同じものを利用する
        TLSRSACertificateFile    /usr/local/apache2/conf/cert/servercert.crt
        TLSRSACertificateKeyFile /usr/local/apache2/conf/cert/server.key
        #UseImplicitSSLにも対応させる
        TLSOptions      NoSessionReuseRequired UseImplicitSSL

        SQLAuthenticate on
        SQLConnectInfo  proftpd@localhost proftpd proftpd

        SQLAuthTypes Plaintext
        #SQLUserInfo users userid passwd uid gid homedir shell

        SQLLog PASS updatecount
        SQLNamedQuery updatecount UPDATE "count=count+1 where userid='%u'" users
    </VirtualHost>
</IfModule>

<IfModule mod_sftp.c>
    <VirtualHost 192.168.255.255>
        Port            20022
        DefaultRoot     ~/
        AllowOverwrite  on
        SFTPEngine      on
        SFTPLog         /var/log/proftpd.sftp.log
        #SSHDと同じものを利用する
        SFTPHostKey     /etc/ssh/ssh_host_dsa_key
        SFTPHostKey     /etc/ssh/ssh_host_rsa_key
        SFTPAuthMethods password

        SQLAuthenticate on
        SQLConnectInfo  proftpd@localhost proftpd proftpd

        SQLAuthTypes Plaintext
        #SQLUserInfo users userid passwd uid gid homedir shell

        SQLLog PASS updatecount
        SQLNamedQuery updatecount UPDATE "count=count+1 where userid='%u'" users
    </VirtualHost>
</IfModule>


# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User              ftp
  Group             ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias         anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients            10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin          welcome.msg
  DisplayFirstChdir     .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

起動スクリプトを設定

vi /usr/lib/systemd/system/proftpd.service
[Unit]
Description = ProFTPD FTP Server
After = network.target nss-lookup.target local-fs.target remote-fs.target

[Service]
Type = forking
PIDFile = /run/proftpd/proftpd.pid
Environment = PROFTPD_OPTIONS=
EnvironmentFile = -/etc/sysconfig/proftpd
ExecStart = /usr/local/sbin/proftpd $PROFTPD_OPTIONS
ExecReload = /bin/kill -HUP $MAINPID

[Install]
WantedBy = multi-user.target

自動起動設定

systemctl daemon-reload
systemctl start proftpd
systemctl enable proftpd

参考

http://server-helper.doorblog.jp/archives/5338382.html
http://triplesky.blogspot.jp/2013/02/proftpdsftpftps.html
http://www.proftpd.org/docs/contrib/mod_tls.html#TLSOption

Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Comments
Sign up for free and join this conversation.
If you already have a Qiita account
Why do not you register as a user and use Qiita more conveniently?
You need to log in to use this function. Qiita can be used more conveniently after logging in.
You seem to be reading articles frequently this month. Qiita can be used more conveniently after logging in.
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away