How to install a ProFTP server for a virtual host in CentOS 6 using a port?


#1

Sorry for the long title.

I respectfully ask for help.

I want to install on my server CentOS 6.7 system, which has Apache’s virtual hosts, a ProFTP server (using SSH FTP), so I can have a user to access the files on such virtual host only.

For example, thru FileZilla, the user ftpsecure will connect to virtualhost www dot mydomain dot org (located in IP 1.2.3.4) thru port 3303 (for example). And this user will only see the files in virtual host www dot mydomain dot org.

I suppose the ftpsecure user already exists in the CentOS 6.7 system, and is part of the ftpusers group, and has NO shell and no home dir.

If it is possible, please explain how to install and config the security files (PAM or SSL or whatever is correct).

If am I saying something inaccurate, please forgive me, ;D
Thank you very much!!!


#2

Hello,

Sorry for the long title.

Long titles are great and much appreciated! No need for apology, in fact it is the opposite.

I just published the article on how to set up a ProFTPD FTP server on CentOS 7. I understand that your server is CentOS 6, but I thought that since it is quite old already, why waste time; instead write about CentOS 7 and then simply point out the differences.

As it turns out, the setup of a ProFTPD FTP server on CentOS 7 and CentOS 6 is exactly the same. The only difference is the way you open the firewall port. On CentOS 6 you still need to use iptables, whereas on CentOS 7 we can use the firewall-cmd command.

Scenario:
I’m assuming that we need to get FTP running on host ftp.example.com on port 3303, and that we need a single user, e.g. luna, to access directory /var/www/html/my-site. I’m also assuming that port 3303 is already open, hence the firewall is not blocking incoming packets to this port.

Here are the differences when you follow my how to setup ProFTPD FTP server on CentOS 7 guide:

Configure the ProFTPD FTP server to listen on port 3303 instead of the default port 21:

# echo "Port 3303" >> /etc/proftpd.conf
# service proftpd restart

At this point do not set up passive FTP mode yet. Make sure that your FTP is set to create an “active” FTP connection. If you do set up passive FTP mode, make sure that your firewall caters for the additional incoming ports as set by ProFTPD’s PassivePorts directive.

Create user:
Be careful with permissions here! Make sure that you know what you are doing! I do not know your exact environment, so I do not want to give you a wrong suggestion:

# useradd luna -s /sbin/nologin -d /var/www/html/my-site
# passwd luna
# chown -R root.luna /var/www/html/my-site
# chmod -R 770 /var/www/html/my-site
# setsebool -P allow_ftpd_full_access=1

The rest of the tutorial is exactly the same, including the TLS encryption.

Hope this helps

Lubos
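A shell helper, added here as an example and not part of Lubos's answer or the ProFTPD project, that makes the Port change above idempotent (re-running `echo "Port 3303" >> /etc/proftpd.conf` would leave two Port lines) and, as an addition beyond the answer, sets `DefaultRoot ~` so each FTP login is confined to its own home directory and cannot browse the rest of the filesystem. The config path and port are arguments (`/etc/proftpd.conf` and `3303` on a real host); the `proftpd -t -c` parse check only runs when the binary is installed.

```shell
#!/bin/sh
# Added example (not from the original answer): idempotent ProFTPD directive
# editing plus a syntax check. Assumes the config path is given as $1 and the
# port as $2, e.g.:  sh ftp-port.sh /etc/proftpd.conf 3303
set -eu

# set_directive CONF NAME VALUE
# Rewrite the first existing "NAME ..." line, or append one if none exists,
# so running this twice never leaves duplicate Port lines in the config.
set_directive() {
    conf="$1"; name="$2"; value="$3"
    if grep -Eq "^[[:space:]]*$name([[:space:]]|$)" "$conf"; then
        awk -v n="$name" -v v="$value" '
            !done && $1 == n { print n " " v; done = 1; next }
            { print }
        ' "$conf" > "$conf.tmp"
        # copy back over the original so its owner/mode are preserved
        cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    else
        printf '%s %s\n' "$name" "$value" >> "$conf"
    fi
}

# get_directive CONF NAME -> value of the first NAME line (empty if absent)
get_directive() {
    awk -v n="$2" '$1 == n {
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
    }' "$1"
}

# count_directive CONF NAME -> how many NAME lines the config contains
count_directive() {
    grep -Ec "^[[:space:]]*$2([[:space:]]|$)" "$1" || true
}

# apply_ftp_hardening CONF PORT
# Port: the non-default listening port from the answer above.
# DefaultRoot ~: not in the answer; chroots each login to its home directory
# so a site user cannot browse outside /var/www/html/<site> over FTP.
apply_ftp_hardening() {
    set_directive "$1" Port "$2"
    set_directive "$1" DefaultRoot "~"
    if command -v proftpd >/dev/null 2>&1; then
        # parse-only check: fails (and stops the script) on a broken config
        proftpd -t -c "$1"
    fi
}

if [ $# -ge 2 ]; then
    apply_ftp_hardening "$1" "$2"
    echo "Port=$(get_directive "$1" Port) DefaultRoot=$(get_directive "$1" DefaultRoot)"
fi
```

Run it before `service proftpd restart`; a config that fails the parse check is left for you to inspect rather than restarted into a non-listening daemon.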


#7

Hello, Lubos. Thanks for the above answer.
I’m the same lobaluna and lobaluna_server. Just using this new account to have it on my server machine.


#8

I have 3 virtual hosts on my machine (same IP all of them, and WordPress installations, by the way).

For each virtual host, do I configure the ProFTP server as you mentioned in the above scenario? If so, where? This is not clear to me. In the file /etc/proftpd.conf?


#9

And should each virtual host be on a different port? Or the three vhosts on the same port? Maybe I misunderstood that the access directory might be any directory at all, and so I can put 1 FTP user to access the 3 vhosts from the /var/www directory. Is this true?

For ftp service, and regarding ownership of files: Instead of

# chown -R root:luna /var/www/html/my-site

is it OK if I do

# chown -R apache:luna /var/www/html/my-site

so I can upload files to my site either using the self-uploading WP feature or using the ProFTPD server?


#10

If all hosts are on the same IP address, then configure ProFTPD and its relevant SSL for a single hostname. There is no point in having multiple.

Here is what you can try.

Once you are ready, perhaps the best solution is to create multiple users, each with access to a different site. I’m working here under the assumption that the group apache has write access to all relevant directories. For example:

# ls -dl /var/www/html/my-site1
drwxrwx---. 2 apache apache 4096 Jul 14 11:28 /var/www/html/my-site1

Read the following page for more information about file/directory ownership and permissions.

Create the users, then set passwords and include each user in the apache group:

# useradd user1 -s /sbin/nologin -d /var/www/html/my-site1
# useradd user2 -s /sbin/nologin -d /var/www/html/my-site2
# useradd user3 -s /sbin/nologin -d /var/www/html/my-site3

# passwd user1
# passwd user2
# passwd user3

# usermod -a -G apache user1
# usermod -a -G apache user2
# usermod -a -G apache user3

This way, based on the username, you can access different websites’ files.

Hope this helps.

Lubos
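A small audit helper, added here as an example (not Lubos's code), to verify the layout described above before handing a site path to an FTP user: the directory is owned by the apache group, its mode is 770, and nothing under it carries world-readable or world-writable bits. It assumes GNU stat and find, as on CentOS, and takes the directory and the expected group as arguments.

```shell
#!/bin/sh
# Added example (not from the original answer): check a site directory matches
# the "drwxrwx--- apache apache" layout above before giving an FTP user access.
# Assumes GNU stat/find (CentOS). Usage: sh audit-site.sh /var/www/html/my-site1 apache
set -eu

# world_accessible_count DIR -> number of entries (DIR included) with any
# "other" permission bit set, i.e. readable/writable/executable by everyone
world_accessible_count() {
    find "$1" -perm /007 | wc -l | tr -d ' '
}

# audit_site_dir DIR GROUP -> returns 0 when the layout is safe, 1 otherwise,
# and prints one line per finding
audit_site_dir() {
    dir="$1"; want_group="$2"; rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir is not a directory"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    group=$(stat -c '%G' "$dir")
    case "$mode" in
        770|2770) ;;   # group rwx, no world bits; 2770 also keeps setgid
        *) echo "MODE     $dir is $mode, expected 770"; rc=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "GROUP    $dir is owned by group $group, expected $want_group"; rc=1
    fi
    n=$(world_accessible_count "$dir")
    if [ "$n" -ne 0 ]; then
        echo "WORLD    $n entries under $dir are accessible by everyone"; rc=1
    fi
    return $rc
}

if [ $# -ge 2 ]; then
    audit_site_dir "$1" "$2" && echo "OK       $1"
fi
```

Run it once per site after the `chown`/`chmod` steps; a non-zero exit with a WORLD line usually means files uploaded through WordPress or FTP arrived with a permissive umask and need the group-only mode restored.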


#11

Aaaaaaaaaah!
That solved all my questions. Thanks!!!