uFTP - FTP Server configuration
The uFTP server is configured with the “uftpd.cfg” configuration file, which is read either from the same directory as the server binary or from “/etc/uftpd.cfg”.
Below is a sample “uftpd.cfg” configuration file.
# FTP CONFIGURATION SAMPLE "/etc/uftpd.cfg"
########################################################
# UFTP SERVER SETTINGS
########################################################
# MAXIMUM ALLOWED CONNECTIONS ON THE SERVER
MAXIMUM_ALLOWED_FTP_CONNECTION = 30

# TCP/IP PORT SETTINGS (DEFAULT 21)
FTP_PORT = 21

# Allow only one server instance (true or false)
SINGLE_INSTANCE = true

# Run in background, daemon mode ok
DAEMON_MODE = true

# Folder where to save the logs, use the same format below, the folder must terminate with /
LOG_FOLDER = /var/log/

# Maximum number of logs to keep, if 0 log functionality is disabled
MAXIMUM_LOG_FILES = 0

# Idle timeout in seconds, clients are disconnected for inactivity after the
# specified amount of time in seconds, set to 0 to disable
IDLE_MAX_TIMEOUT = 3600

# MAX CONNECTIONS PER IP
# LIMIT THE MAXIMUM NUMBER OF CONNECTIONS FOR EACH IP ADDRESS
# 0 TO DISABLE
MAX_CONNECTION_NUMBER_PER_IP = 10

# MAX LOGIN TRIES PER IP
# THE IP ADDRESS WILL BE BLOCKED FOR 5 MINUTES AFTER WRONG LOGIN USERNAME AND PASSWORD
# 0 TO DISABLE
MAX_CONNECTION_TRY_PER_IP = 10

# USE THE SERVER IP PARAMETER IF THE FTP SERVER IS UNDER NAT
# SERVER IP SHOULD BE SET TO ROUTER IP IN THIS CASE
# IF NOT IN USE LEAVE IT COMMENTED OR BLANK
# USE , instead of . eg: 192,168,1,1
#SERVER_IP = 192,168,1,1

# TLS CERTIFICATE FILE PATH
CERTIFICATE_PATH=/etc/uFTP/cert.pem
PRIVATE_CERTIFICATE_PATH=/etc/uFTP/key.pem

# Enable system authentication based on /etc/passwd
# and /etc/shadow
ENABLE_PAM_AUTH = false

# Force usage of the TLS
# If enabled, only TLS connections will be allowed
FORCE_TLS = false

#
# Random port for passive FTP connections range
#
RANDOM_PORT_START = 10000
RANDOM_PORT_END = 50000

# USERS
# START FROM USER 0 TO XXX
USER_0 = username
PASSWORD_0 = password
HOME_0 = /
GROUP_NAME_OWNER_0 = usergroup
USER_NAME_OWNER_0 = user

USER_1 = apache
PASSWORD_1 = apachePassword
HOME_1 = /var/www/html/
GROUP_NAME_OWNER_1 = www-data
USER_NAME_OWNER_1 = www-data

USER_2 = anotherUsername
PASSWORD_2 = anotherPassowrd
HOME_2 = /

# blocked users that are not allowed to login
BLOCK_USER_0 = user1
BLOCK_USER_1 = user2
BLOCK_USER_2 = user3
Parameters explained.
Defines the maximum number of client connections the FTP server accepts; lowering it reduces server memory usage.
MAXIMUM_ALLOWED_FTP_CONNECTION = 30
If MAXIMUM_LOG_FILES is set to a value other than zero, uFTP logging is enabled and the value is the number of daily log files retained. Logs are useful for debugging software issues and possible bugs, and for investigating brute force attacks.
# Folder where to save the logs, use the same format below, the folder must terminate with /
LOG_FOLDER = /var/log/
# Maximum number of logs to keep, if 0 log functionality is disabled
MAXIMUM_LOG_FILES = 0
FTP server TCP/IP port, 21 is the standard FTP service port.
FTP_PORT = 21
If the single instance check is enabled, only one server instance can be executed.
SINGLE_INSTANCE = true
When daemon mode is enabled the uFTP server runs as a background service; disable it to run the server from the console for debugging purposes.
DAEMON_MODE = true
FTP client connections are automatically closed after no activity for more than the specified number of seconds; every FTP command resets the counter inside uFTP.
IDLE_MAX_TIMEOUT = 3600
FTP resources can be limited per IP address by setting a maximum number of connections for each IP.
MAX_CONNECTION_NUMBER_PER_IP = 2
To mitigate brute force attacks, an IP address is banned from the server for 5 minutes after the specified number of wrong login attempts.
MAX_CONNECTION_TRY_PER_IP = 3
To enforce security, set FORCE_TLS = true; clients will then have to connect over TLS/SSL.
# Force usage of the TLS
# If enabled, only TLS connections will be allowed
FORCE_TLS = true
Enables or disables the standard system authentication against /etc/passwd and /etc/shadow.
ENABLE_PAM_AUTH = true
The path of the public certificate (needed only if TLS/SSL support is enabled).
CERTIFICATE_PATH=/etc/uFTP/cert.pem
The path of the private key file (needed only if TLS/SSL support is enabled).
PRIVATE_CERTIFICATE_PATH=/etc/uFTP/key.pem
The range of random ports used for the data connection between client and server in passive (PASV) mode.
RANDOM_PORT_START = 10000
RANDOM_PORT_END = 50000
Set SERVER_IP if the server is behind NAT: when it is set, uFTP answers PASV commands with the address given in the parameter.
# USE THE SERVER IP PARAMETER IF THE FTP SERVER IS UNDER NAT
# SERVER IP SHOULD BE SET TO ROUTER IP IN THIS CASE
# IF NOT IN USE LEAVE IT COMMENTED OR BLANK
# USE , instead of . eg: 192,168,1,1
SERVER_IP = 192,168,1,1
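The following is an added illustration, not uFTP's own code: it validates a SERVER_IP value in the comma form required above and shows how that value and a data port from the RANDOM_PORT_START..RANDOM_PORT_END range end up in the standard FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, which is why the address is written with commas. The function names are this example's own.

```python
# Added example (not uFTP's implementation): SERVER_IP checks and the
# standard FTP 227 reply built from a comma-form address and a data port.
import re

# four 1-3 digit groups separated by commas, e.g. 192,168,1,1
SERVER_IP_RE = re.compile(r"^\d{1,3},\d{1,3},\d{1,3},\d{1,3}$")


def check_server_ip(value):
    """Return a list of problems with a SERVER_IP value ('' means unset)."""
    problems = []
    if value == "":
        return problems  # unset: the server answers with its own address
    if "." in value:
        problems.append("SERVER_IP must use ',' instead of '.', e.g. 192,168,1,1")
        return problems
    if not SERVER_IP_RE.match(value):
        problems.append("SERVER_IP is not four comma-separated octets")
        return problems
    if any(int(o) > 255 for o in value.split(",")):
        problems.append("SERVER_IP has an octet larger than 255")
    return problems


def pasv_reply(server_ip, port, start, end):
    """Build the 227 reply announcing a passive data connection on 'port'.

    'port' must lie within RANDOM_PORT_START..RANDOM_PORT_END, which is also
    the range a NAT device or firewall in front of uFTP has to forward.
    """
    if not 1 <= start <= end <= 65535:
        raise ValueError("RANDOM_PORT_START/END must satisfy 1 <= start <= end <= 65535")
    if not start <= port <= end:
        raise ValueError(f"port {port} is outside the configured range {start}-{end}")
    # FTP encodes the port as two decimal bytes: port = p1 * 256 + p2
    p1, p2 = divmod(port, 256)
    return f"227 Entering Passive Mode ({server_ip},{p1},{p2})"


if __name__ == "__main__":
    print(check_server_ip("192.168.1.1"))
    print(pasv_reply("192,168,1,1", 10000, 10000, 50000))
```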
FTP users are configured with the user list pattern: an index suffix is appended to each user list parameter, from “_0” up to “_(N)”, for instance USER_0, USER_1, USER_2 … USER_(N).
Mandatory user list parameters:
USER_(N) is the FTP username.
PASSWORD_(N) is the FTP password, written in plain text.
HOME_(N) is the user home path; each user can be confined to a directory.
Optional parameters:
GROUP_NAME_OWNER_(N), if set to an existing OS group, makes every new file created by the FTP client logged in with the N username and password be created with that group ownership.
USER_NAME_OWNER_(N), if set to an existing OS user, makes every new file created by the FTP client logged in with the N username and password be created with that user ownership.
If either of the two optional parameters GROUP_NAME_OWNER_(N) and USER_NAME_OWNER_(N) is not specified, the default uFTP user and group ownership is used for new files, typically root:root.
USER_0 = username
PASSWORD_0 = password
HOME_0 = /
GROUP_NAME_OWNER_0 = usergroup
USER_NAME_OWNER_0 = user

USER_1 = apache
PASSWORD_1 = apachePassword
HOME_1 = /var/www/html/
GROUP_NAME_OWNER_1 = www-data
USER_NAME_OWNER_1 = www-data

USER_2 = anotherUsername
PASSWORD_2 = anotherPassowrd
HOME_2 = /
Users whose access should be blocked can be listed in the format below; they will be rejected if they attempt to log in.
# blocked users that are not allowed to login
BLOCK_USER_0 = user1
BLOCK_USER_1 = user2
BLOCK_USER_2 = user3
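As an added example (not part of uFTP), the small linter below parses the “KEY = VALUE” layout of uftpd.cfg, collects the USER_(N) entries described above and flags the settings from this page that a defender would revisit: logging off, TLS not forced, the failed-login ban disabled, a home of / and missing mandatory or ownership keys. The sample configuration text is constructed for the example, and the checks are this example's own choices rather than anything uFTP enforces.

```python
# Added example, not uFTP's own code: a linter for the uftpd.cfg layout.
import re

SAMPLE_CFG = """\
MAXIMUM_LOG_FILES = 0
FORCE_TLS = false
MAX_CONNECTION_TRY_PER_IP = 0
USER_0 = username
PASSWORD_0 = password
HOME_0 = /
USER_2 = orphan
"""  # constructed sample, same layout as the uftpd.cfg shown above


def parse_cfg(text):
    """Parse KEY = VALUE lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def lint_cfg(cfg):
    """Return a list of findings for a parsed uftpd.cfg."""
    findings = []
    if cfg.get("MAXIMUM_LOG_FILES", "0") == "0":
        findings.append("MAXIMUM_LOG_FILES = 0: logging disabled, failed logins leave no trace")
    if cfg.get("FORCE_TLS", "false").lower() != "true":
        findings.append("FORCE_TLS is not true: plaintext logins are accepted")
    if cfg.get("MAX_CONNECTION_TRY_PER_IP", "0") == "0":
        findings.append("MAX_CONNECTION_TRY_PER_IP = 0: failed-login ban disabled")
    for key, name in cfg.items():
        m = re.fullmatch(r"USER_(\d+)", key)
        if not m:
            continue
        n = m.group(1)
        for needed in ("PASSWORD_", "HOME_"):  # mandatory per-user keys
            if needed + n not in cfg:
                findings.append(f"user {name}: mandatory {needed}{n} missing")
        if cfg.get("HOME_" + n) == "/":
            findings.append(f"user {name}: HOME_{n} = / exposes the whole filesystem")
        if "USER_NAME_OWNER_" + n not in cfg or "GROUP_NAME_OWNER_" + n not in cfg:
            findings.append(f"user {name}: no owner set, new files use uFTP's own owner (typically root:root)")
    return findings


if __name__ == "__main__":
    for finding in lint_cfg(parse_cfg(SAMPLE_CFG)):
        print("-", finding)
```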