Virtual Hosting With Proftpd And MySQL (Incl.

Quota) On
Ubuntu 9.04
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Follow me on Twitter
Last edited 10/19/2009

This document describes how to install a Proftpd server that uses virtual users from a MySQL
database instead of real system users. This is much more performant and allows to have
thousands of ftp users on a single machine. In addition to that I will show the use of quota with
this setup.

For the administration of the MySQL database you can use web based tools like phpMyAdmin
which will also be installed in this howto. phpMyAdmin is a comfortable graphical interface
which means you do not have to mess around with the command line.

This tutorial is based on Ubuntu 9.04. You should already have set up a basic Ubuntu 9.04 server
system, as described in the first eight chapters of this tutorial:
http://www.howtoforge.com/perfect-server-ubuntu-9.04-ispconfig-2

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are
treated in a lot of other documents in the web.

This document comes without warranty of any kind! I want to say that this is not the only way of
setting up such a system. There are many ways of achieving this goal but this is the way I take. I
do not issue any guarantee that this will work for you!

1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These
settings might differ for you, so you have to replace them where appropriate.

Make sure that you are logged in as root:

sudo su

1.1 Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash
Install dash as /bin/sh? <-- No

1.2 Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In
my opinion you don't need it to configure a secure system, and it usually causes more problems
than advantages (think of it after you have done a week of trouble-shooting because some service
wasn't working as expected, and then you find out that everything was ok, only AppArmor was
causing the problem). Therefore I disable it.

We can disable it like this:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils

2 Install MySQL And phpMyAdmin

This can all be installed with one single command:

aptitude install mysql-server mysql-client phpmyadmin apache2

You will be asked to provide a password for the MySQL root user - this password is valid for the
user root@localhost as well as root@server1.example.com, so we don't have to specify a
MySQL root password manually later on:

New password for the MySQL "root" user: <-- yourrootsqlpassword

Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

In addition to this, you will see the following questions:

Web server to reconfigure automatically: <-- apache2

Configure database for phpmyadmin with dbconfig-common? <-- No

3 Install Proftpd With MySQL Support

For Ubuntu there is a pre-configured proftpd-mod-mysql package available. Install it as a

standalone daemon like this:

aptitude install proftpd-mod-mysql

You will be asked the following question:

Run proftpd: <-- standalone

Then we create an ftp group (ftpgroup) and user (ftpuser) that all our virtual users will be
mapped to. Replace the group- and userid 2001 with a number that is free on your system:

groupadd -g 2001 ftpgroup

useradd -u 2001 -s /bin/false -d /bin/null -c "proftpd user" -g ftpgroup ftpuser

4 Create The MySQL Database For Proftpd

Now we create a database called ftp and a MySQL user named proftpd which the proftpd
daemon will use later on to connect to the ftp database:

mysql -u root -p

CREATE DATABASE ftp;

GRANT SELECT, INSERT, UPDATE, DELETE ON ftp.* TO 'proftpd'@'localhost'
IDENTIFIED BY 'password';
GRANT SELECT, INSERT, UPDATE, DELETE ON ftp.* TO
'proftpd'@'localhost.localdomain' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

Replace the string password with whatever password you want to use for the MySQL user
proftpd. Still on the MySQL shell, we create the database tables we need:

USE ftp;

CREATE TABLE ftpgroup (

groupname varchar(16) NOT NULL default '',
gid smallint(6) NOT NULL default '5500',
members varchar(16) NOT NULL default '',
KEY groupname (groupname)
) TYPE=MyISAM COMMENT='ProFTP group table';

CREATE TABLE ftpquotalimits (

name varchar(30) default NULL,
quota_type enum('user','group','class','all') NOT NULL default 'user',
per_session enum('false','true') NOT NULL default 'false',
limit_type enum('soft','hard') NOT NULL default 'soft',
bytes_in_avail bigint(20) unsigned NOT NULL default '0',
bytes_out_avail bigint(20) unsigned NOT NULL default '0',
bytes_xfer_avail bigint(20) unsigned NOT NULL default '0',
files_in_avail int(10) unsigned NOT NULL default '0',
files_out_avail int(10) unsigned NOT NULL default '0',
files_xfer_avail int(10) unsigned NOT NULL default '0'
) TYPE=MyISAM;

CREATE TABLE ftpquotatallies (

name varchar(30) NOT NULL default '',
quota_type enum('user','group','class','all') NOT NULL default 'user',
bytes_in_used bigint(20) unsigned NOT NULL default '0',
bytes_out_used bigint(20) unsigned NOT NULL default '0',
bytes_xfer_used bigint(20) unsigned NOT NULL default '0',
files_in_used int(10) unsigned NOT NULL default '0',
files_out_used int(10) unsigned NOT NULL default '0',
files_xfer_used int(10) unsigned NOT NULL default '0'
) TYPE=MyISAM;

CREATE TABLE ftpuser (

id int(10) unsigned NOT NULL auto_increment,
userid varchar(32) NOT NULL default '',
passwd varchar(32) NOT NULL default '',
uid smallint(6) NOT NULL default '5500',
gid smallint(6) NOT NULL default '5500',
homedir varchar(255) NOT NULL default '',
shell varchar(16) NOT NULL default '/sbin/nologin',
count int(11) NOT NULL default '0',
accessed datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (id),
UNIQUE KEY userid (userid)
) TYPE=MyISAM COMMENT='ProFTP user table';

quit;

As you may have noticed, with the quit; command we have left the MySQL shell and are back
on the Linux shell.

BTW, (I'm assuming that the hostname of your ftp server system is server1.example.com) you
can access phpMyAdmin under http://server1.example.com/phpmyadmin/ (you can use the IP
address instead of server1.example.com) in a browser and log in as proftpd. Then you can have a
look at the database. Later on you can use phpMyAdmin to manage your Proftpd server.

5 Configure Proftpd

Open /etc/proftpd/modules.conf...

vi /etc/proftpd/modules.conf
... and enable the following three modules:

[...]
# Install proftpd-mod-mysql or proftpd-mod-pgsql to use this
LoadModule mod_sql.c
[...]
# Install proftpd-mod-mysql to use this
LoadModule mod_sql_mysql.c
[...]
# Install proftpd-mod-pgsql or proftpd-mod-mysql to use this
LoadModule mod_quotatab_sql.c
[...]

Then open /etc/proftpd/proftpd.conf and comment out the following lines:

vi /etc/proftpd/proftpd.conf

[...]
#<IfModule mod_quotatab.c>
#QuotaEngine off
#</IfModule>
[...]

Further down in the file, add the following lines:

[...]
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

DefaultRoot ~

SQLBackend mysql
# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users groups

# used to connect to the database

# databasename@host database_user user_password
SQLConnectInfo ftp@localhost proftpd password

# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo ftpuser userid passwd uid gid homedir shell

# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo ftpgroup groupname gid members

# set min UID and GID - otherwise these are 999 each
SQLMinID 500

# create a user's home directory on demand if it doesn't exist

CreateHome on

# Update count every time user logs in

SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE
userid='%u'" ftpuser

# Update modified everytime user uploads or deletes a file

SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session,

limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail,
files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE
name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,

bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,
files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type =
'%{1}'"

SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used +

%{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used =
bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used
= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name
= '%{6}' AND quota_type = '%{7}'" ftpquotatallies

SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5},

%{6}, %{7}" ftpquotatallies

QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally

RootLogin off
RequireValidShell off
[...]

Make sure that you replace the string password with the real password for the MySQL user
proftpd in the line SQLConnectInfo!

Then restart Proftpd:

/etc/init.d/proftpd restart

6 Populate The Database And Test

To populate the database you can use the MySQL shell:

mysql -u root -p

USE ftp;

First we create an entry in the table ftpgroup. It contains the groupname, the groupid and the
username of the ftp group/user we created at the end of step two (replace the groupid
appropriately if you use another one than 2001):

INSERT INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES ('ftpgroup', 2001,

'ftpuser');

Now we are done with the table ftpgroup. We do not have to create further entries here.
Whenever you create a new virtual ftp user, you do this in the tables ftpquotalimits and ftpuser.
So let us create our first user exampleuser with a quota of 15MB and the password secret (we are
still in the MySQL shell):

INSERT INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`,

`bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`,
`files_xfer_avail`) VALUES ('exampleuser', 'user', 'true', 'hard', 15728640, 0, 0, 0, 0, 0);

INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`,
`accessed`, `modified`) VALUES (1, 'exampleuser', 'secret', 2001, 2001,
'/home/www.example.com', '/sbin/nologin', 0, '', '');

quit;

(Do not forget to replace the groud- and userid 2001 appropriately in the last INSERT statement
if you are using other values than in this tutorial!)

Now open your FTP client program on your work station (something like FileZilla, WS_FTP,
SmartFTP or gFTP) and try to connect. As hostname you use server1.example.com (or the IP
address of the system), the username is exampleuser, and the password is secret.

If you are able to connect - congratulations! If not, something went wrong.

Now, if you run

ls -l /home/

you should see that the directory /home/www.example.com (exampleuser's home directory) has
been automatically created, and it is owned by ftpuser and ftpgroup (the user/group we created at
the end of step two):
root@server1:~# ls -l /home/
total 12
drwxr-xr-x 2 administrator administrator 4096 2009-04-23 15:38 administrator
drwxr-xr-x 2 ftp nogroup 4096 2009-10-19 17:10 ftp
drwx------ 2 ftpuser ftpgroup 4096 2009-10-19 17:26 www.example.com
root@server1:~#

7 Database Administration

For most people it is easier if they have a graphical front-end to MySQL; therefore you can also
use phpMyAdmin (in this example under http://server1.example.com/phpmyadmin/) to
administrate the ftp database.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Whenever you create a new user, you only have to create entries in the tables ftpquotalimits and
ftpuser so I will explain the columns of these tables here:

ftpuser Table:

The important columns are these (the others are handled by MySQL or Proftpd automatically, so
do not fill these manually!):
  userid: The name of the virtual Proftpd user (e.g. exampleuser).
 passwd: The unencrypted (i.e., clear-text) password of the user.
 uid: The userid of the ftp user you created at the end of step two (e.g. 2001).
 gid: The groupid of the ftp group you created at the end of step two (e.g. 2001).
 homedir: The home directory of the virtual Proftpd user (e.g. /home/www.example.com).
If it does not exist, it will be created when the new user logs in the first time via FTP. The
virtual user will be jailed into this home directory, i.e., he cannot access other directories
outside his home directory.
 shell: It is ok if you fill in /sbin/nologin here by default.

ftpquotalimits Table:

The important columns are these (the others are handled by MySQL or Proftpd automatically, so
do not fill these manually!):

 name: The name of the virtual Proftpd user (e.g. exampleuser).

 quota_type: user or group. Normally, we use user here.
 per_session: true or false. true means the quota limits are valid only for a session. For
example, if the user has a quota of 15 MB, and he has uploaded 15 MB during the current
session, then he cannot upload anything more. But if he logs out and in again, he again
has 15 MB available. false means, that the user has 15 MB, no matter if he logs out and in
again.
 limit_type: hard or soft. A hard quota limit is a never-to-exceed limit, while a soft quota
can be temporarily exceeded. Normally you use hard here.
 bytes_in_avail: Upload limit in bytes (e.g. 15728640 for 15 MB). 0 means unlimited.
 bytes_out_avail: Download limit in bytes. 0 means unlimited.
 bytes_xfer_avail: Transfer limit in bytes. The sum of uploads and downloads a user is
allowed to do. 0 means unlimited.
 files_in_avail: Upload limit in files. 0 means unlimited.
 files_out_avail: Download limit in files. 0 means unlimited.
 files_xfer_avail: Tranfer limit in files. 0 means unlimited.

The ftpquotatallies table is used by Proftpd internally to manage quotas so you do not have to
make entries there!

8 Anonymous FTP

If you want to create an anonymous ftp account (an ftp account that everybody can login to
without a password), you can do it like this:

First we create a user and group with the name anonymous_ftp. The user has the home directory
/home/anonymous_ftp:
groupadd -g 2002 anonymous_ftp
useradd -u 2002 -s /bin/false -d /home/anonymous_ftp -m -c "Anonymous FTP User" -g
anonymous_ftp anonymous_ftp

(Replace 2002 with a group-/userid that is free on your system.)

A few files beginning with a . have been created by the last command (useradd) in the
/home/anonymous_ftp directory. We don't need them, so we delete them:

cd /home/anonymous_ftp
rm -f .bash_logout
rm -f .profile
rm -f .bashrc

Then we create the directory /home/anonymous_ftp/incoming which will allow anonymous users
to upload files:

mkdir /home/anonymous_ftp/incoming
chown anonymous_ftp:nogroup /home/anonymous_ftp/incoming

And finally, open /etc/proftpd/proftpd.conf and append the following directives to it:

vi /etc/proftpd/proftpd.conf

[...]
<Anonymous ~anonymous_ftp>
User anonymous_ftp
Group nogroup
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous anonymous_ftp
# Cosmetic changes, all files belongs to ftp user
DirFakeUser on anonymous_ftp
DirFakeGroup on anonymous_ftp

RequireValidShell off

# Limit the maximum number of anonymous logins

MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed

# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message

# Limit WRITE everywhere in the anonymous chroot

<Directory *>
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
</Directory>
 # Uncomment this if you're brave.
<Directory incoming>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
<Limit READ WRITE SITE_CHMOD>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>

</Anonymous>

Finally restart Proftpd:

/etc/init.d/proftpd restart

Now anonymous users can login, and they can download files from /home/anonymous_ftp, but
uploads are limited to /home/anonymous_ftp/incoming (and once a file is uploaded into
/home/anonymous_ftp/incoming, it cannot be read nor downloaded from there; the server admin
has to move it into /home/anonymous_ftp first to make it available to others).

(Please note: You can only have one anonymous ftp account per IP address!)