FTP: Avoiding "user@domain.tld" format for FTP accounts

First, excuse my English :wink: This is a workaround to get some sort of “anonymous user” for FTP under INTERWORX Control Panel & proFTPd SQLAuthenticate method.

If you need to provide some sort of ‘free access’ to some files, you can use these instructions AT YOUR OWN RISK. This way you can use URLs like ‘ftp://User:Password@domain.tld’ that are easily accessible without exposing an anonymous FTP server just like Interworx prevents, for the sake of security.

NOTE:
It works for me on two boxes of mine, and perhaps some Iworx developer can point out some “bad things”, “never do” or security problems with this. I just figured out all of this and it worked.

The only side-effect I saw was some PHP errors when accessing “FTP accounts” in the Interworx CP, but it seems NOT to cause malfunctions on any other existing ftp accounts, nor to prevent creating any additional ftp accounts. So it seems OK.

PREFACE

We’ll try to create an FTP user ‘download’, password ‘download’, so we’ll avoid the “user@domain.com” format for the ftp-user.

STEP 1

Locate and edit proftpd.conf

Look for these lines:

SQLAuthenticate users*
SQLConnectInfo iworx_ftp@127.0.0.1:2306 iworx Lj7a938PbsK
SQLAuthTypes Crypt

That word after ‘127.0.0.1:2306 iworx’ is the password (Lj7a938PbsK in this example). Copy that password.

STEP 2

SSH logged as root, connect to iworx’s mysql using that password:

mysql --host=127.0.0.1 --port=2306 -uiworx -p

Enter password: Lj7a938PbsK

STEP 3
You’ll be logged on Iworx mysql, so here is the output and commands:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2871 to server version: x

mysql> use iworx_ftp;
Database changed

mysql> insert into users (domain, username, uid, gid, password, homedir, shell) values ('domain.com', 'download', 500, 500, ENCRYPT('download'), '/home/user/domain.com/html/download', '/bin/false');

Note that you must change the values after ‘values’ :stuck_out_tongue: to your domain and desired user (in this case ‘download’, and the pass is also ‘download’).

Also note that we give access to /home/user/domain.com/html/download
Change this line to fit with your server/domain/directory. You want to create that directory “download” under “html”, in the example, if you make it this way.

Note: It’s also recommended to change user:group for that directory:

chown download:download /home/user/domain.com/html/download

To guarantee that these files will only be accessible through FTP and the download user, for example. (Do the chown after logging out)

mysql> exit

END

And that’s it :slight_smile: We have a download/download ftp-user.

Now you can use the URL ‘ftp://download:download@domain.tld/somefile.ext’ to give simple FTP access to any file :slight_smile: Don’t forget to put some file in that ‘download’ directory :stuck_out_tongue:

Regards,

Juan
www.sowsl.com

Very good howto juangake!

Chris

Thanks, Chris :stuck_out_tongue:

I would add these proftpd.conf tweaks that would mix fine with the above howto.

Under <Global>, put:

# Make directory read only

<Directory /home/someuser/domain.tld/html/download/*>
  <Limit READ DIRS>
    AllowAll
  </Limit>
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>

To allow resuming and/or control bandwidth (TransferRate, 23 KB/s)

# Allow users to resume upload/download

AllowRetrieveRestart on
AllowStoreRestart on
MaxInstances 36
TransferRate APPE,RETR,STOR,STOU 23
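
Added example, not part of the original posts and not Interworx or ProFTPD code: a small Python check that reads a proftpd.conf and reports whether the shared account's directory is covered by the `<Limit WRITE>` / `DenyAll` block from the last post, and whether `SQLConnectInfo` carries the database password inline as in STEP 1. The function name, finding labels, sample config and placeholder password are assumptions made for the example, and the `<Directory>` matching is a simplified prefix model rather than ProFTPD's own resolution.

```python
# Constructed sample built from the directives quoted in the thread.
# EXAMPLE-PASSWORD is a placeholder, not a real credential.
SAMPLE_CONF = """\
SQLAuthenticate users*
SQLConnectInfo iworx_ftp@127.0.0.1:2306 iworx EXAMPLE-PASSWORD
SQLAuthTypes Crypt
<Global>
  # Make directory read only
  <Directory /home/someuser/domain.tld/html/download/*>
    <Limit READ DIRS>
      AllowAll
    </Limit>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Global>
"""

def audit_proftpd(conf_text, ftp_home):
    """Return a list of finding labels (hypothetical names) for ftp_home."""
    findings = []
    directory = None        # path of the <Directory> block we are inside
    in_write_limit = False  # True while inside a <Limit ...> naming WRITE
    write_denied = False
    for raw in conf_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                      # comment line
        tokens = raw.split()
        if not tokens:
            continue
        word = tokens[0].lower()
        if word == "sqlconnectinfo" and len(tokens) >= 4:
            # connection-info, username and password are all on the line,
            # so anyone who can read the file can read the SQL password
            findings.append("sql-password-in-conf")
        elif word == "<directory" and len(tokens) >= 2:
            directory = tokens[1].rstrip(">").rstrip("/*")
        elif word == "</directory>":
            directory = None
        elif word == "<limit":
            in_write_limit = "WRITE" in [t.rstrip(">").upper() for t in tokens[1:]]
        elif word == "</limit>":
            in_write_limit = False
        elif word == "denyall" and in_write_limit and directory:
            if ftp_home == directory or ftp_home.startswith(directory + "/"):
                write_denied = True
    if not write_denied:
        findings.append("no-write-deny")
    return findings
```

Run it against the real file with `audit_proftpd(open(path).read(), homedir)`, using the same `homedir` value that was inserted into the `users` table.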