ProFTPD

ProFTPD is a cross-platform, open source, free and highly-configurable software project that has been designed from the ground up to act as a FTP (File Transfer Protocol) daemon (server) for GNU/Linux, BSD, Solaris, Microsoft Windows and Mac OS X operating systems.

Features at a glance

Key features include support for hidden files and folders, the ability to run in standalone mode as a configurable non-privileged user for increased security, support for UTMP and WTMP logging systems, logging support, support for shadow passwords, support for expired accounts, IPv6 support, no SITE EXEC command, as well as per folder ".ftpaccess" configuration.

Additionally, the program uses a single configuration file, which includes directive groups and directives, supports multiple anonymous FTP services and virtual FTP servers that are easy to configure, does not require specific system binaries or directory structure for anonymous FTP root directories, and has been designed to run either as from inetd or xinetd, or as a standalone server.

Offers a modular design

ProFTPD comes with a modular design that allows you to extended its default functionality listed above through modules written for LDAP servers, SQL databases, RADIUS support, SSL/TLS encryption, and much more.

Under the hood and availability

The entire software has been written in the C programming language. Like any other important Linux program, ProFTPD is distributed as a universal sources archive, allowing users to optimize it for their GNU/Linux platform. However, new Linux users can install it from the default software repositories of their Linux distros.

Supported operating systems and hardware platforms

Officially supported operating systems include Linux, Linux for IBM S/390, zSeries, AIX, IRIX, BSD/OS, Cygwin, Digital Unix, DG/UX, HP/UX, Mac OS X, SCO, FreeBSD, NetBSD, OpenBSD, Solaris and SunOS. Both 32-bit and 64-bit hardware platforms are supported at this time.

What is new in this release:

• Support for using Redis for caching, logging; see the doc/howto/Redis.html documentation.
• Fixed mod_sql_postgres SSL support (Issue #415).
• Support building against LibreSSL instead of OpenSSL (Issue #361).
• Better support on AIX for login restraictions (Bug #4285).
• TimeoutLogin (and other timeouts) were not working properly for SFTP connections (Bug#4299).
• Handling of the SIGILL and SIGINT signals, by the daemon process, now causes the child processes to be terminated as well (Issue #461).
• RPM .spec file naming changed to conform to Fedora guidelines.
• Fix for "AllowChrootSymlinks off" checking each component for symlinks (CVE-2017-7418).

What is new in version :

• New Configuration Directives:
• RLimitChroot When proftpd chroots a session (e.g. via DefaultRoot or ), certain attacks become possible, such as the "Roaring Beast" attack:
• http://auscert.org.au/15286 https://auscert.org.au/15526
• To help mitigate these attacks, proftpd now rejects any attempt to do a write of any kind to paths under /etc and /lib, when the session is chrooted to a path other than "/".
• If these restrictions cause problems for any sites, this guard can be disabled via the new RLimitChroot directive, e.g.:
• RLimitChroot off
• See doc/modules/mod_rlimit.html#RLimitChroot for more information.
• Changed Configuration Directives:
• SFTPOptions AllowInsecureLogin Some SFTP clients may wish to use the 'none' cipher, and/or 'none' digest, for testing purposes. For example, disabling the cipher and digest can be used for testing the raw transfer speed over SFTP.
• mod_sftp, by default, will not allow connections which attempt to use the 'none' cipher or 'none' digest, even if these are explicitly enabled via the SFTPCiphers and SFTPDigests directive, as use of these algorithms disables the security protections on the transferred data (such as username/password).
• Thus to explicitly allow usage for these insecure algorithms, use:
• SFTPOptions AllowInsecureLogin
• See doc/contrib/mod_sftp.html#SFTPOptions for details.
• SQLPasswordPBKDF2 sql:// The mod_sql_passwd module now supports retrieval of PBKDF2 parameters, such as algorithm, iteration count, and output length, on a per-user basis, via a SQLNamedQuery, in addition to staticly configured parameters.
• See doc/contrib/mod_sql_passwd.html#SQLPasswordPBKDF2 for details.

What is new in version 1.3.5 RC3:

• Fixed mod_sql "SQLAuthType Backend" MySQL issues
• HideUser/HideGroup now work as expected for virtual users
• New Modules:
• mod_snmp The mod_snmp module is intended to collect various state information and expose them via SNMP counters and gauges. Currently only SNMPv1/SNMPv2 are supported. See doc/contrib/mod_snmp.html for more information.
• New Configuration Directives:
• SQLUserPrimaryKey, SQLGroupPrimaryKey The mod_sql module now has directives for specifying primary key columns for user/group data; these can be used for storing user/group values in tables which require foreign key constraints. See doc/howto/SQL.html#SQLPrimaryKeys for a more detailed description and use cases for these directives.
• SQLPasswordPBKDF2 The mod_sql_passwd module now supports handling passwords encrypted using the PBKDF2 algorithm. See doc/contrib/mod_sql_passwd.html#SQLPasswordPBKDF2 for more information.
• Changed Configuration Directives:
• DeleteAbortedStores To preserve the principle of least surprise, the behavior of the DeleteAbortedStores directive has been changed slightly. Specifically, DeleteAbortedStores is automatically enabled now whenever "HiddenStores on" is configured.
• LogFormat, SQLLog The LogFormat and SQLLog directives now supports a %g variable, for logging the name of the primary group of the logged-in user. See doc/modules/mod_log.html#LogFormat.
• SFTPDigests The mod_sftp module now supports UMAC as an SSH digest algorithm, using the digest name as used by OpenSSH, i.e. "umac-64@openssh". Support for this digest is automatically enabled where supported. See doc/contrib/mod_sftp.html#SFTPDigests for details.
• SFTPExtensions fsync The mod_sftp module now supports the custom "fsync@openssh" SFTP extension, for handling fsync requests from SFTP clients that need to ensure that any buffered uploaded data has been flushed out to the backing store on the server. See doc/contrib/mod_sftp.html#SFTPExtensions for details.

What is new in version 1.3.4d:

• Fixed broken build when using --disable-ipv6 configure option
• Fixed mod_sql "SQLAuthType Backend" MySQL issues

What is new in version 1.3.4c:

• Bug 3795 ProFTPD needs to use -pthread linker option if linking against OpenSSL with thread support.
• Bug 3816 Installation of ftpasswd does not honor DESTDIR environment variable.
• Bug 3806 Support reverse DNS resolution for IPv6 addresses when gethostbyname2(3) is not available.
• Bug 3828 Certain sequences of FTP data transfer commands lead to NULL pointer dereferences in mod_deflate.
• Bug 3830 MFF/MFMT command segfaults due to insufficient parameter checks.
• Bug 3829 RNFR without following RNTO can lead to NULL pointer dereference.
• Bug 3719 LIST -R can loop endlessly if bad directory symlink exists.
• Bug 3831 Sporadic "451 Insufficient memory or file locked" failure when downloading.
• Bug 3837 mod_tls unable to read certificate files after SIGHUP.
• Bug 3822 Resolving %U/%u LogFormat variables inconsistent between mod_log/mod_sql in certain cases.
• Bug 3842 Incorrect handling of REALPATH requests for symlink paths in mod_sftp.
• Bug 3845 mod_sftp does not provide response codes for %s LogFormat variable for AUTH ExtendedLog.
• Bug 3851 SFTPPassPhraseProvider fails due to incorrect pointer.
• Bug 3841 Possible symlink race when applying UserOwner to newly created directory.
• Bug 3855 Restarting proftpd may cause Include files not to be parsed.
• Bug 3859 MLSD fails to show symlinks when ShowSymlinks is not configured.
• Bug 3863 mod_sftp does not handle MaxLoginAttempts properly.
• Bug 3865 BanEngine not set in "server config" results in "mod_ban not enabled" ftpdctl error.
• Bug 3866 Issuing invalid 'ftpdctl ban' request causes segfault.
• Bug 3867 ftpasswd fails with "Permission denied" when adding subsequent passwd/group entries.
• Bug 3868 Only first DH param in TLSDHParamFile is used, regardless of requested keylength.
• Bug 3870 Handling of OPTS command can lead to crash.
• Bug 3871 REALPATH SFTP request not properly handled by configuration.
• Bug 3878 QuotaExcludeFilter not honored for uploads when 'hard' limits are used.
• Bug 3884 Configure script not detecting MySQL make_scrambled_password functions.
• Bug 3887 erroneously blocks the PROT command used for FTPS.
• Bug 3819 Second and subsequent LIST of directory with many files is very slow.
• Bug 3894 ftptop doesn't work with --enable-nls.
• Bug 3895 Missing TransferLog entry under some out-of-space conditions.
• Bug 3905 Handle the Linux-specific PAM_RADIO_TYPE message properly.
• Bug 3904 scp downloads using glob pattern sometimes fails.

What is new in version 1.3.3d:

• This is a maintenance release, containing backported fixes for bugs found in the 1.3.3 release.