Configuring the chkconfig script

The ProFTPD init.d script ships in the contrib/dist/rpm directory of the ProFTPD source package. Copy it to /etc/init.d/proftpd (renaming it on the way).

contrib/dist/rpm/proftpd.init.d

Note: the script in the source package cannot be run as-is because its paths do not match a source install; adjust the relevant parts for your setup.

------------------------/etc/init.d/proftpd---------------------------------
#!/bin/sh
#
# Startup script for ProFTPD
#
# chkconfig: - 85 15
# description: ProFTPD is an enhanced FTP server with a focus towards \
#              simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#              and a highly customizable server infrastructure, \
#              including support for multiple 'virtual' FTP servers, \
#              anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /usr/local/etc/proftpd.conf
# pidfile: /usr/local/var/proftpd.pid

### BEGIN INIT INFO
# Provides: proftpd ftpserver
# Required-Start: $local_fs $network $named $remote_fs
# Required-Stop: $local_fs $network $named $remote_fs
# Default-Stop: 0 1 6
# Short-Description: ProFTPd FTP Server
# Description: ProFTPd is an enhanced FTP server with a focus towards
#       simplicity, security, and ease of configuration.
#       It features a very Apache-like configuration syntax,
#       and a highly customizable server infrastructure,
#       including support for multiple 'virtual' FTP servers,
#       anonymous FTP, and permission-based directory visibility.
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source ProFTPD configuration.
PROFTPD_OPTIONS=""
if [ -f /etc/sysconfig/proftpd ]; then
    . /etc/sysconfig/proftpd
fi

# Check that networking is enabled.
[ "${NETWORKING}" = "no" ] && exit 1

# Make sure the binary is present.
## Modified: path to sbin/proftpd
[ -x /usr/local/sbin/proftpd ] || exit 5
## Added the following line so daemon/killproc can find the binary
PATH=$PATH:/usr/local/sbin:/usr/local/bin/
RETVAL=0
prog="proftpd"

start() {
    echo -n $"Starting $prog: "
    daemon proftpd $PROFTPD_OPTIONS 2>/dev/null
    RETVAL=$?
    echo
    ## Modified: path to lock/proftpd
    [ $RETVAL -eq 0 ] && touch /usr/local/var/lock/proftpd
}

stop() {
    echo -n $"Shutting down $prog: "
    killproc proftpd
    RETVAL=$?
    echo
    ## Modified: path to lock/proftpd
    [ $RETVAL -eq 0 ] && rm -f /usr/local/var/lock/proftpd
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status proftpd
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    try-restart|condrestart)
        ## Modified: path to lock/proftpd
        if [ -f /usr/local/var/lock/proftpd ]; then
            stop
            start
        fi
        ;;
    reload|force-reload|reread)
        echo -n $"Re-reading $prog configuration: "
        killproc proftpd -HUP
        RETVAL=$?
        echo
        ;;
    suspend)
        hash ftpshut >/dev/null 2>&1
        if [ $? = 0 ]; then
            if [ $# -gt 1 ]; then
                shift
                echo -n "Suspending with '$*'"
                ftpshut "$@"
                RETVAL=$?
            else
                echo -n "Suspending NOW"
                ftpshut now "Maintenance in progress"
                RETVAL=$?
            fi
        else
            echo -n "No way to suspend"
            RETVAL=1
        fi
        echo
        ;;
    resume)
        if [ -f /etc/shutmsg ]; then
            echo -n "Allowing sessions again"
            rm -f /etc/shutmsg
        else
            echo -n "Was not suspended"
            RETVAL=2
        fi
        echo
        ;;
    *)
        echo -n "Usage: $prog {start|stop|restart|try-restart|reload|status|reread|resume"
        hash ftpshut >/dev/null 2>&1
        if [ $? = 1 ]; then
            echo '}'
        else
            echo '|suspend}'
            echo 'suspend accepts additional arguments, which are passed to ftpshut(8)'
        fi
        exit 2
esac

exit $RETVAL

Then run the following commands to register and enable the ProFTPD service:

chkconfig --add proftpd
chkconfig proftpd on
service proftpd start
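Because the whole point of the edits above is getting the sbin, lock and sysconfig paths right, here is an added example (not part of the original post or of ProFTPD) that scans the adapted init script for absolute paths under the prefixes you changed and reports the ones that do not exist yet, so a wrong path shows up before chkconfig --add rather than as a silent exit 5 at boot. The default prefix list is an assumption; pass your own as extra arguments.

```shell
#!/bin/sh
# Added example: preflight check for the adapted /etc/init.d/proftpd.

# missing_paths SCRIPT [PREFIX...]  -> prints each missing path, one per line.
# Default prefixes are an assumption about a /usr/local source install.
missing_paths() {
    script=$1; shift
    prefixes=${*:-/usr/local /etc/sysconfig /etc/rc.d}
    # Absolute-path tokens only; shell variables such as $prog never match.
    grep -oE '/[A-Za-z0-9._/-]+' "$script" | sort -u | while read -r p; do
        for pre in $prefixes; do
            case $p in
                "$pre"|"$pre"/*)
                    # The lock file is created by start(); what has to exist
                    # beforehand is its directory, so check that instead.
                    case $p in */lock/*) p=$(dirname "$p") ;; esac
                    [ -e "$p" ] || echo "$p"
                    break ;;
            esac
        done
    done | sort -u
}

# Stand-alone use: sh check-init-paths.sh /etc/init.d/proftpd [PREFIX...]
if [ -n "${1:-}" ]; then
    missing_paths "$@"
fi
```

An empty result means every referenced path under the given prefixes is already present; anything printed is a path to create or to correct in the script.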

Configuring logging

For security reasons Linux itself limits the size of the files a user can operate on: each program can only work with files no larger than 2G. You can change the Linux ulimit settings to raise this limit or remove it altogether. The author's advice, however, is to play it safe and archive the logs instead.

The ProFTPD developers have already written the logrotate configuration file used by the RedHat distribution; it is in the contrib/dist/rpm/ directory. Copy it into /etc/logrotate.d/ and rename it.

contrib/dist/rpm/proftpd.logrotate

As before, adjust the paths to your setup. The modified file looks like this:

# Modified paths
/usr/local/var/proftpd/log/*.log /var/log/xferlog {
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
        # Modified path
        test -f /usr/local/var/lock/proftpd && /usr/bin/killall -HUP proftpd || :
    endscript
}

Configuring xinetd (optional)

If you manage proftpd with xinetd, you need to configure this part; otherwise you can skip it. Then again, there is no harm in reading it, haha~

When the server load is not heavy, xinetd is often used to manage the proftpd service in order to save server resources. Using xinetd can also harden the server and effectively block DDoS attacks.

First change the ServerType setting in proftpd.conf from standalone to inetd. Then check whether xinetd is installed, and install it first if it is not:

yum install xinetd -y

After xinetd is installed, copy the configuration file contrib/dist/rpm/xinetd to the /etc/xinetd.d/ directory and rename it to proftpd. Modify the file contents as usual, as follows:

# default: off
# description: The ProFTPD FTP server
service ftp
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
# Modified the following line
        server          = /usr/local/sbin/in.proftpd
# Added the following line
        server_args     = -c /etc/proftpd.conf
# Commented out the following two lines
#       log_on_success  += DURATION
#       log_on_failure  += USERID
        nice            = 10
        disable         = no
}

One last note: when proftpd is managed by xinetd, the language module does not work properly, which may be a bug. It is best to use standalone mode.

Configuring the firewall

Ports 20, 21 and 60000-65535 need to be opened.

-A INPUT -m state --state NEW -m multiport -p tcp --dport 20,21 -d 10.1.10.168 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65535 -d 10.1.10.168 -j ACCEPT

Work with the network administrator to configure the NAT address mapping and an inter-zone firewall policy that lets ports 20 and 21 through. On firewalls that support ASPF, enable detect ftp between the zones; on other firewalls, configure the corresponding policy so that FTP passive-mode transfers work.
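The ServerType switch in the xinetd section and the passive port range opened by the firewall rules above are two places where the configuration and the packet filter have to agree: if the server hands out passive ports outside the range the firewall allows, data connections fail, and a range wider than the server uses is needlessly exposed. As an added example (not from the original post or from ProFTPD), the POSIX sh helpers below edit proftpd.conf idempotently, used here for ServerType inetd and for PassivePorts (a standard ProFTPD directive the post does not mention), and then generate the two iptables rules from the configured range; the config path, the address and the sample config are assumptions.

```shell
#!/bin/sh
# Added example: keep proftpd.conf and the firewall rules in agreement.

# set_directive CONF NAME VALUE...  replaces an existing top-level directive
# line or appends it; the file is rewritten in place (cat into the same
# inode) so owner and mode of /etc/proftpd.conf are preserved.
set_directive() {
    conf=$1; name=$2; shift 2
    if grep -qE "^[[:space:]]*$name[[:space:]]" "$conf"; then
        tmp=$(mktemp) &&
        sed "s|^[[:space:]]*$name[[:space:]].*|$name $*|" "$conf" > "$tmp" &&
        cat "$tmp" > "$conf" && rm -f "$tmp"
    else
        printf '%s %s\n' "$name" "$*" >> "$conf"
    fi
}

# get_directive CONF NAME  prints the value of the first matching directive.
get_directive() {
    awk -v n="$2" '$1 == n { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# ftp_iptables_rules CONF ADDR  emits the control-port rule and the passive
# data-port rule, the range taken from PassivePorts so both sides agree.
ftp_iptables_rules() {
    conf=$1; addr=$2
    set -- $(get_directive "$conf" PassivePorts)
    [ $# -eq 2 ] || { echo "PassivePorts not set in $conf" >&2; return 1; }
    printf '%s\n' \
      "-A INPUT -m state --state NEW -m multiport -p tcp --dport 20,21 -d $addr -j ACCEPT" \
      "-A INPUT -m state --state NEW -m tcp -p tcp --dport $1:$2 -d $addr -j ACCEPT"
}

# Stand-alone use (assumed paths): sh ftp-rules.sh /etc/proftpd.conf 10.1.10.168
if [ $# -eq 2 ]; then
    set_directive "$1" ServerType inetd
    set_directive "$1" PassivePorts 60000 65535
    ftp_iptables_rules "$1" "$2"
fi
```

Run ftp_iptables_rules whenever PassivePorts changes and feed its output to the firewall, rather than editing the two places by hand.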