Proftpd-howto

From S23Wiki

Proftpd(debian) Howto

FTP-Access using Quota and Traffic Limit

"A walkthrough for a common situation: you want to give someone the possibility to access your FTP server, but you would like the maximum amount of disk space granted to the user and the maximum traffic to be limited. Also, the user will be unable to access files outside his home directory and he will not be able to log in via SSH."

Optional settings I recommend

  • Limit SSH access to specific users
    Add the following line to /etc/ssh/sshd_config:
    AllowUsers somebody somebodyelse
    (separate multiple users with spaces ;-) and disable root login:
    PermitRootLogin no
    Only the users listed in AllowUsers can log in via SSH, so leave the FTP-only user out of this list.


  • Disable ident- & dns-lookups to speed up FTP-access significantly
    To achieve this you need to add two lines to your /etc/proftpd.conf:
    IdentLookups    off
    UseReverseDNS   off


  • Precondition: kernel-support for quota has to be enabled (!somebody please insert how to check)


The actual setup

  • First you need to install the main packages
    # apt-get install quota quotatool


  • Activate quota for your partition(s) in /etc/fstab:
    /dev/hda1       /    ext3    defaults,usrquota               0       2
    In this example we use the root partition "/"


  • Create a file "quota.user" in the root of every partition you would like to use quota on
    # touch /quota.user
    (in our example the file is created in "/", because this is the root of the partition we want to use)


  • We will now remount the filesystem(s) to activate our changes
    # mount -o remount /
    (This works perfectly even for "/")


  • Check that "usrquota" appears in the mount options of the partition
    # cat /etc/mtab



  • Add a user you want to enable FTP access for
    # adduser fnord
    In our example we will limit the maximum disk space for our new user to 230 MB
    # quotatool -u fnord -b -q 230MB -v /
    Again we use "/" at the end of the line because the partition we use is /


  • Final check to confirm settings
    # quota fnord


  • All users should be locked (chroot) inside their home directory, so nobody can access other files on the server. For this we simply add a line to /etc/proftpd.conf
    DefaultRoot ~


  • During the next steps we deal with our traffic limit for the user. Add these lines to /etc/proftpd.conf:
    QuotaEngine     on
    QuotaLimitTable file:/ftpquota.limittab
    QuotaTallyTable file:/ftpquota.tallytab
    (Specify the location where you want the table files to be stored. In our case we use /. Please do not change the file names.)


  • You can also choose what to display to the user by adding
    QuotaDisplayUnits "Gb"
    (or Mb / Kb)


  • The email-address for support can be inserted, but is not obligatory
    ServerAdmin "admin@server.org"


  • Now please navigate to the directory you chose to put the config files in and let the proftpd-included tool create our files
    # cd /
    # ftpquota --create-table --type=limit
    # ftpquota --create-table --type=tally


  • While still in this location, type the following command to add traffic restrictions for specific users. In our example we will give the user "fnord" 5 GB of overall traffic (up & down combined)
    # ftpquota --add-record --type=limit --name=fnord --quota-type=user --bytes-xfer 5368709120
    (The maximum traffic amount is set in bytes unless you use --units=Mb or similar.) You can also choose from these limiting options: "--bytes-upload=26214400" (limit uploads to 25 MB) and "--bytes-download=734003200" (limit downloads to 700 MB).
    Existing records can be updated by using "--update-record" instead of "--add-record"; the same options are available. "--show-records" lists all active limits and "--delete-record" deletes a record.



  • The final step is to restart proftpd for the changes to take effect
    # /etc/init.d/proftpd restart


  • You can now connect to your FTP server as the new user "fnord" and check that everything went right by running this command in the FTP client
    ftp> quote SITE quota
    (You need to connect first)

    Congratulations! The setup is now complete.
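
To re-check the settings from this walkthrough later, for example after a package upgrade has replaced a config file, here is a small read-only audit script. It is an added example, not part of the original howto or of ProFTPD. The function names and the sample files it builds are constructed for illustration; it compares against the exact values used above and does not evaluate sshd Match blocks, Include files or AllowUsers patterns.

```shell
# Added example: read-only audit of the settings this howto configures.
# File locations are arguments; the sample files below are constructed.

# Print the value of every uncommented NAME ($2) directive in FILE ($1), one per line.
directive_values() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Succeed if MOUNTPOINT ($2) is listed in the mtab-format FILE ($1) with usrquota.
has_usrquota() {
    awk -v mp="$2" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "usrquota") ok = 1 }
        END { exit !ok }' "$1"
}

# Succeed if AllowUsers is set in sshd_config ($1) and does not name USER ($2).
# Literal names only: AllowUsers patterns (wildcards, user@host) are not evaluated.
ssh_denied() {
    allowed=$(directive_values "$1" AllowUsers)
    [ -n "$allowed" ] || return 1
    for u in $allowed; do [ "$u" = "$2" ] && return 1; done
    return 0
}

# audit MTAB PROFTPD_CONF SSHD_CONFIG MOUNTPOINT FTPUSER: print failures, return 1 if any.
audit() {
    rc=0
    first() { directive_values "$1" "$2" | head -n 1 | tr 'A-Z' 'a-z'; }
    has_usrquota "$1" "$4" || { echo "FAIL: $4 lacks usrquota"; rc=1; }
    [ "$(first "$2" DefaultRoot)" = "~" ] || { echo "FAIL: DefaultRoot is not ~"; rc=1; }
    [ "$(first "$2" QuotaEngine)" = "on" ] || { echo "FAIL: QuotaEngine is not on"; rc=1; }
    [ "$(first "$3" PermitRootLogin)" = "no" ] || { echo "FAIL: root SSH login allowed"; rc=1; }
    ssh_denied "$3" "$5" || { echo "FAIL: $5 may log in via SSH"; rc=1; }
    return $rc
}

# Constructed sample files matching the howto, written to DIR ($1).
make_samples() {
    printf '%s\n' '/dev/hda1 / ext3 rw,usrquota 0 0' > "$1/mtab"
    printf '%s\n' 'DefaultRoot ~' 'QuotaEngine     on' > "$1/proftpd.conf"
    printf '%s\n' 'AllowUsers somebody somebodyelse' 'PermitRootLogin no' > "$1/sshd_config"
}

dir=$(mktemp -d)
make_samples "$dir"
audit "$dir/mtab" "$dir/proftpd.conf" "$dir/sshd_config" / fnord && echo "PASS: all checks"
rm -rf "$dir"
```

On a real system, call audit with /etc/mtab, /etc/proftpd.conf and /etc/ssh/sshd_config, followed by the mount point and the FTP user name.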