Servidor FTP no Ubuntu

Para aqueles que precisam de um servidor FTP no Ubuntu, o ProFTPD irá superar suas expectativas. Com ele é possível criar um servidor robusto com várias integrações, como quota de usuários, integração à base de dados MySQL para que não seja necessário gerenciar todos os usuários “na unha” e muito mais.

Neste tutorial (com vídeo tutorial ao final) você vai aprender a configurar o ProFTPD de duas maneiras: como um servidor FTP simples e como um servidor FTP com quota de usuários integrado com uma base de dados MySQL, onde você poderá gerenciar tudo pela base de dados. Note que a segunda opção também é interessante para quem deseja criar sistemas com PHP (por exemplo) para gerenciar os dados do servidor.

Então vamos deixar de prosa fiada e coloquemos nossas mãos na massa. Arregace suas mangas e prepare-se para digitar algumas linhas de comando no seu Ubuntu.

Servidor FTP simples com o ProFTPD

Primeiramente vamos instalar o ProFTPD, para isso abra o terminal (CTRL+ALT+T) e digite:

sudo apt-get install proftpd

Escolha “autônomo” e continue até finalizar.

O próximo passo é editar o arquivo proftpd.conf, para isso digite:

sudo nano /etc/proftpd/proftpd.conf

Altere as seguintes linhas:

...
# Adicione o nome do seu servidor
ServerName                      "Nome do seu servidor"
...
# Descomente a linha
DefaultRoot                     ~
...
# Descomente a linha
RequireValidShell               off
...
# Adicione
CreateHome                      on
...
# Não editei mais nada daqui adiante
...

Veja como ficou o arquivo completo (isso é apenas para você visualizar o que foi editado):

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
# 

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6				on
# If set on you can experience a longer connection delay in many cases.
IdentLookups			off

ServerName			"Todo Espaço Online - FTP"
ServerType			standalone
DeferWelcome			off

MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on

TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200

DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"

DenyFilter			\*.*/

# Use this to jail all users in their homes 
DefaultRoot			~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell		off
CreateHome			on

# Port 21 is the standard FTP port.
Port				21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress		1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				proftpd
Group				nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				022  022
# Normally, we want files to be overwriteable.
AllowOverwrite			on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd		off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder			mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile			off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime.  If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default. 
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell		off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayChdir		.message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>

# Include other custom configuration files
Include /etc/proftpd/conf.d/

Agora apenas precisamos criar os usuários que terão acesso ao nosso servidor FTP, para isso digite:

sudo adduser usuario-ftp --home=/home/usuario-ftp --shell=/bin/false

Saiba mais sobre o gerenciamento de usuários no Linux em:

E, por fim, reiniciar o proftpd:

sudo /etc/init.d/proftpd restart

Pronto, acesse o seu novo servidor com o cliente FTP que preferir.

Servidor FTP com MySQL e quota de usuários

Antes de continuar, saiba que é necessário instalar e configurar um servidor MySQL no seu Ubuntu, para isso siga o seguinte tutorial:

Depois disso vamos começar a instalação do ProFTPD (se você já fez isso anteriormente, pule esta parte):

sudo apt-get install proftpd proftpd-mod-mysql

Instale um servidor autônomo e vamos iniciar a configuração. Primeiramente, vamos alterar o arquivo proftpd.conf, para isso digite:

sudo nano /etc/proftpd/proftpd.conf

Veja o arquivo alterado (existe um comentário em cada linha alterada):

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
# 

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6				on
# If set on you can experience a longer connection delay in many cases.
IdentLookups			off

#########################################################################
# ALTERADO								#
#########################################################################
ServerName			"Todo Espaço Online - FTP"
ServerType			standalone
DeferWelcome			off

MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on

TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200

DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"

DenyFilter			\*.*/

# Use this to jail all users in their homes
#########################################################################
# ALTERADO								#
#########################################################################
DefaultRoot			~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
#########################################################################
# ALTERADO								#
#########################################################################
RequireValidShell		off
#########################################################################
# ADICIONADO								#
#########################################################################
CreateHome			on

# Port 21 is the standard FTP port.
Port				21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress		1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

# Set the user and group that the server normally runs at.
User				proftpd
Group				nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				022  022
# Normally, we want files to be overwriteable.
AllowOverwrite			on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd		off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder			mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile			off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime.  If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
#########################################################################
# ALTERADO								#
#########################################################################
QuotaEngine on
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default. 
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#########################################################################
# ALTERADO								#
#########################################################################
Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell		off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayChdir		.message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>

# Include other custom configuration files
Include /etc/proftpd/conf.d/

Agora vamos editar o arquivo sql.conf, para isso digite:

sudo nano /etc/proftpd/sql.conf

Agora veja o arquivo alterado (comentários em linhas alteradas):

#
# Proftpd sample configuration for SQL-based authentication.
#
# (This is not to be used if you prefer a PAM-based SQL authentication)
#

<IfModule mod_sql.c>
#
# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to specify the backend 
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
#########################################################################
# ALTERADO								#
#########################################################################
SQLBackend	mysql
#
#########################################################################
# ALTERADO								#
#########################################################################
SQLEngine on
SQLAuthenticate on
#
# Use both a crypted or plaintext password
#########################################################################
# ALTERADO								#
#########################################################################
SQLAuthTypes Crypt Plaintext
#
# Use a backend-crypted or a crypted password
#SQLAuthTypes Backend Crypt 
#
# Connection 
#########################################################################
# ALTERADO								#
#########################################################################
SQLConnectInfo [email protected] SeuUsuarioMySQL SenhaDoUsuarioMySQL
#
# Describes both users/groups tables
#
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
#

#########################################################################
# ADICIONADO								#
#########################################################################

#
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

# Update modified everytime user uploads or deletes a file
SQLLog  STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies

SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies

QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally


</IfModule>

Agora vamos editar o arquivo modules.conf, para isso digite:

sudo nano /etc/proftpd/modules.conf

Veja o arquivo alterado:

#
# This file is used to manage DSO modules and features.
#

# This is the directory where DSO modules reside

ModulePath /usr/lib/proftpd

# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded

ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *

LoadModule mod_ctrls_admin.c
LoadModule mod_tls.c

# Install one of proftpd-mod-mysql, proftpd-mod-pgsql or any other
# SQL backend engine to use this module and the required backend.
# This module must be mandatory loaded before anyone of
# the existent SQL backeds.
#########################################################################
# ALTERADO								#
#########################################################################
LoadModule mod_sql.c

# Install proftpd-mod-ldap to use this
#LoadModule mod_ldap.c

#
# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives 
# are required to have SQL authorization working. You can also comment out the
# unused module here, in alternative.
#

# Install proftpd-mod-mysql and decomment the previous
# mod_sql.c module to use this.
#########################################################################
# ALTERADO								#
#########################################################################
LoadModule mod_sql_mysql.c

# Install proftpd-mod-pgsql and decomment the previous 
# mod_sql.c module to use this.
#LoadModule mod_sql_postgres.c

# Install proftpd-mod-sqlite and decomment the previous
# mod_sql.c module to use this
#LoadModule mod_sql_sqlite.c

# Install proftpd-mod-odbc and decomment the previous
# mod_sql.c module to use this
#LoadModule mod_sql_odbc.c

# Install one of the previous SQL backends and decomment 
# the previous mod_sql.c module to use this
#########################################################################
# ALTERADO								#
#########################################################################
LoadModule mod_sql_passwd.c

LoadModule mod_radius.c
LoadModule mod_quotatab.c
LoadModule mod_quotatab_file.c

# Install proftpd-mod-ldap to use this
#LoadModule mod_quotatab_ldap.c

# Install one of the previous SQL backends and decomment 
# the previous mod_sql.c module to use this
#########################################################################
# ALTERADO								#
#########################################################################
LoadModule mod_quotatab_sql.c
LoadModule mod_quotatab_radius.c
LoadModule mod_wrap.c
LoadModule mod_rewrite.c
LoadModule mod_load.c
LoadModule mod_ban.c
LoadModule mod_wrap2.c
LoadModule mod_wrap2_file.c
# Install one of the previous SQL backends and decomment 
# the previous mod_sql.c module to use this
#LoadModule mod_wrap2_sql.c
LoadModule mod_dynmasq.c
LoadModule mod_exec.c
LoadModule mod_shaper.c
LoadModule mod_ratio.c
LoadModule mod_site_misc.c

LoadModule mod_sftp.c
LoadModule mod_sftp_pam.c
# Install one of the previous SQL backends and decomment 
# the previous mod_sql.c module to use this
#LoadModule mod_sftp_sql.c

LoadModule mod_facl.c
LoadModule mod_unique_id.c
LoadModule mod_copy.c
LoadModule mod_deflate.c
LoadModule mod_ifversion.c
LoadModule mod_tls_memcache.c

# Install proftpd-mod-geoip to use the GeoIP feature
#LoadModule mod_geoip.c

# keep this module the last one
LoadModule mod_ifsession.c

Pronto, agora devemos criar a base de dados do proftpd, para você vai precisar baixar o arquivo abaixo:

Descompacte o arquivo em um local qualquer dentro do seu Ubuntu e digite o seguinte:

mysql -u UsuarioMySQL -p < /caminho/do/arquivo/proftpd.sql

Lembre-se de substituir “UsuarioMySQL” pelo nome de usuário do seu servidor MySQL e o caminho do arquivo proftpd.sql. O comando acima irá importar a base de dados do proftpd para seu servidor mysql, com isso, uma nova base de dados será criada com o nome de “proftpd”.

Dica: Normalmente eu utilizo o MySQL Workbench para gerenciar bases de dados MySQL. Ele poderá ser encontrado facilmente na Central de programas do Ubuntu.

Agora vamos criar o usuário padrão do nosso servidor FTP, para isso digite:

sudo adduser ftpuser --home=/home/FTP --shell=/bin/false

Conclua os dados requisitados após digitar este comando.

Verifique o UID e o GID do usuário e grupo que acabamos de criar com o seguinte comando:

id -u ftpuser
id -g ftpuser

No meu caso o UID e GID tem o valor 1001.

Lembre-se que você terá que lembrar estes valores na hora de criar novos usuários na sua base de dados.

Vamos criar nosso primeiro usuário FTP, para isso você pode utilizar o MySQL Workbench ou Emma para gerenciar sua base de dados por uma interface gráfica. Mas se você quiser ser bem herói e digitar sudo por linha de comando, digite:

mysql -u UsuarioMySQL -p

Para acessar o servidor MySQL. Em seguida, digite a seguinte consulta alterando os dados necessários:

INSERT INTO `proftpd`.`ftpuser` (`userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`) VALUES ('nomeusuario', 'senhausuario', '1001', '1001', '/home/FTP/nomeusuario', '/sbin/nologin', '', '');

Issso irá criar o usuário “novousuario” com a senha “senhausuario”. Lembre-se que também estamos enviando a home do usuário e o UID e GID do usuário que criamos como padrão para nosso servidor FTP.

Para adicionar quota para este usuário, digite a seguinte query:

INSERT INTO `proftpd`.`ftpquotalimits` (`name`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`) VALUES ('nomeusuario', 'hard', '104857600', '104857600');

INSERT INTO `proftpd`.`ftpquotatallies` (`name`) VALUES ('nomeusuario');

Neste caso estamos adicionando uma quota de 100MB (104857600 bytes) para o usuário “nomeusuario”, ele não será capaz de enviar mais arquivo quanto a quota for atingida.

Nota: O tamanho máximo que você poderá adicionar para quota será 9223372036854775807 (9.23EB – exabytes).

Agora você pode testar com o cliente FTP que preferir. Se ficou com alguma dúvida, assista ao vídeo tutorial ao final do artigo, ele detalha um pouco mais o que deverá ser feito para configurar o ProFTPD.

Vídeo tutorial

O vídeo tutorial abaixo complementa o texto do artigo acima:

Link do vídeo: https://www.youtube.com/watch?v=5hODYF1sLOM

Espero ter ajudado!