Apache Modules: mod_ftpd

From Gentoo Linux Wiki


Introduction

mod_ftpd is an FTP server module for Apache: it lets Apache serve (and, if configured, accept) files over the FTP protocol.

Installing

emerge mod_ftpd

Configuring

Define FTPD in the Apache options so the <IfDefine FTPD> block in the module config is loaded:

File: /etc/conf.d/apache2
APACHE2_OPTS="-D PHP4 -D SSL -D DOC -D FTPD"

Alternate and Quick Config

Here we assume that you don't care about anything fancy and just want something that "Just Works ™" out of the box: if you drop some files in /var/ftp, you should be able to fetch them, no problem. Compared with the default module config, this one makes the following changes:

  • Anonymous read-only access
  • No user accounts
  • /home/ftp changed to /var/ftp in both places (DocumentRoot and <Directory>)
  • Upload access commented out
  • Active FTP turned off
  • ServerName set (may not be required, but works for me)
File: /etc/apache2/conf/modules.d/mod_ftpd.conf
<IfDefine FTPD>
        LoadModule ftpd_module extramodules/mod_ftpd.so

        # Load any of the provider modules here (for user specific chroots)
        #LoadModule ftpd_dbm_module     extramodules/mod_ftpd_dbm.so
        #LoadModule ftpd_dbi_module     extramodules/mod_ftpd_dbi.so
        LoadModule ftpd_default_module  extramodules/mod_ftpd_default.so
        #LoadModule ftpd_fail_module    extramodules/mod_ftpd_fail.so

        Listen 21
        <VirtualHost *:21>
                ServerName coolaj86.homedns.org
                DocumentRoot /var/ftp
                FtpProtocol On
                FtpShowRealPermissions Off
                # Must be off if you are firewalled (Apache does not accept trailing comments on a directive line)
                FtpAllowActive Off
                FtpPasvMinPort 1024
                FtpPasvMaxPort 65535
                FtpLimitOrder default
                FtpDefaultMaxLogins 100

                <Directory /var/ftp>
                        Anonymous_Authoritative On
                        AuthAuthoritative Off
                        Anonymous_NoUserID Off
                        Anonymous_MustGiveEmail Off
                        Anonymous_VerifyEmail Off
                        Anonymous_LogEmail Off
                        Anonymous anonymous
                        AuthName ftp
                        AuthType Basic
                        Require valid-user
                        Order allow,deny
                        Allow from all
                </Directory>

                # only allow changing, retrieving files, and listing on the site
                <Location />
                        <LimitExcept CHDIR GET LIST>
                                Deny from all
                        </LimitExcept>
                </Location>

                # allow making directories, listing, chdir, and uploading files.
                # But don't allow retrieving files.
                # <Location /upload>
                #        <LimitExcept LIST PUT MKCOL CHDIR>
                #                Deny from all
                #        </LimitExcept>
                # </Location>
        </VirtualHost>
</IfDefine>
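As an added example (not from the wiki page or the mod_ftpd project), a small Python checker that scans a mod_ftpd.conf and reports which items of the checklist above are not met. It assumes a simple line-oriented config (comments stripped, no <IfDefine> handling) and the embedded sample is constructed, with a few settings weakened on purpose so there is something to report.

```python
import re

# Constructed sample: the wiki config, weakened on purpose (FtpShowRealPermissions On,
# /upload uncommented, ServerName omitted) so the audit has something to report.
SAMPLE_CONF = """\
DocumentRoot /var/ftp
FtpShowRealPermissions On
# Must be off if you are firewalled
FtpAllowActive Off
<Directory /var/ftp>
    Anonymous anonymous
</Directory>
<Location />
    <LimitExcept CHDIR GET LIST>
        Deny from all
    </LimitExcept>
</Location>
<Location /upload>
    <LimitExcept LIST PUT MKCOL CHDIR>
        Deny from all
    </LimitExcept>
</Location>
"""
READ_ONLY = {"CHDIR", "GET", "LIST"}  # only verbs the root <Location /> should pass

def active_lines(conf):
    """Non-empty lines with '#' comments stripped, so commented-out blocks are ignored."""
    stripped = (l.split("#", 1)[0].strip() for l in conf.splitlines())
    return [l for l in stripped if l]

def audit(conf):
    """Return a list of findings; an empty list means the config matches the checklist."""
    lines = active_lines(conf)
    # Last occurrence of each plain directive wins; good enough for a single vhost.
    opts = dict(l.partition(" ")[::2] for l in lines if not l.startswith("<"))
    findings = []
    if opts.get("FtpAllowActive", "").strip().lower() != "off":
        findings.append("FtpAllowActive is not explicitly Off")
    if opts.get("FtpShowRealPermissions", "").strip().lower() != "off":
        findings.append("FtpShowRealPermissions is not Off (reveals real file modes)")
    if "ServerName" not in opts:
        findings.append("ServerName not set")
    if opts.get("DocumentRoot") != "/var/ftp" or "<Directory /var/ftp>" not in lines:
        findings.append("DocumentRoot and <Directory> are not both /var/ftp")
    for i, l in enumerate(lines):
        if re.fullmatch(r"<Location\s+/>", l) and lines[i + 1].startswith("<LimitExcept"):
            extra = set(lines[i + 1].strip("<>").split()[1:]) - READ_ONLY
            if extra:
                findings.append("root Location permits write verbs: " + " ".join(sorted(extra)))
        if re.fullmatch(r"<Location\s+/upload>", l):
            findings.append("/upload Location is active (uploads enabled)")
    return findings
```

Run `audit(open("/etc/apache2/modules.d/mod_ftpd.conf").read())` against your own file; commented-out lines (like the /upload block in the wiki config) are ignored, so only live settings are reported.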

Accessing your server

You can use any of the many FTP clients, or, if your client is a Linux box, you might also try mounting the FTP server as a filesystem.

Changing the FTP directory

Gentoo by default sets the FTP directory to /home/ftp. If you wish to change the directory, edit /etc/apache2/modules.d/mod_ftpd.conf (yours may be /etc/apache2/conf/modules.d/mod_ftpd.conf) and change the following two lines:

File: /etc/apache2/modules.d/mod_ftpd.conf (yours may be /etc/apache2/conf/modules.d/mod_ftpd.conf)
...
DocumentRoot /home/ftp
...
<Directory /home/ftp>
...

Troubleshooting

FTP works from localhost, but not externally (after a few days). This can happen for many reasons, such as the following:

  • Many ISPs, such as Verizon, constantly block FTP for the "protection" of their users, even if you switch the port on which FTP operates.
  • FTP is tricky on the firewall. Opening up just ports 20 and 21 doesn't seem to make it happen for me.
  • In order for an FTP client to connect to a server that does have ports 20 and 21 open but still won't allow connections, it is sometimes possible to disable PASV mode and use only PORT mode. I had this problem and I found that once I disabled PASV in the client I could connect. This problem has to do with the manner in which certain routers handle incoming packets (i.e. my old Linksys router).
  • It is not sufficient just to open ports 20 and 21 in a firewall, because the data connections are opened on high-numbered ports. The following iptables rules show the general idea:
# control connection: client -> server port 21 (only place a NEW connection is accepted)
$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 21 \
       -m state --state NEW,ESTABLISHED -j ACCEPT
# control connection replies: server port 21 -> client
$IPTABLES -A FORWARD -p tcp -s $j --sport 21 -d $i --dport 1024:65535 \
       -m state --state RELATED,ESTABLISHED -j ACCEPT
# passive-mode data connection: client high port -> server high port,
# accepted only because the FTP conntrack helper marked it RELATED
$IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 1024:65535 \
       -m state --state RELATED,ESTABLISHED -j ACCEPT
# data connection replies: server high port -> client high port
$IPTABLES -A FORWARD -p tcp -s $j --sport 1024:65535 -d $i --dport 1024:65535 \
       -m state --state RELATED,ESTABLISHED -j ACCEPT

where $i is the client, $j the server and $IPTABLES the iptables command. Note that you must "modprobe ip_conntrack_ftp" (called nf_conntrack_ftp on newer kernels); without the FTP connection-tracking helper the high-port data connections are never marked RELATED and the last two rules never match.
