1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
ServerName "ProFTPD SlapOS"
ServerType standalone
MaxInstances 30
DefaultAddress {{ proftpd['ipv6'] }} {{ proftpd['ipv4']}}
SocketBindTight on
DefaultServer off
Port {{ proftpd['sftp-port'] }}
User {{ proftpd['user'] }}
Group {{ proftpd['group'] }}
ScoreboardFile {{ proftpd['scoreboard-file'] }}
PidFile {{ proftpd['pid-file'] }}
Umask 022
AllowOverwrite on
# SFTP
SFTPEngine on
SFTPHostKey {{ proftpd['ssh-host-rsa-key'] }}
SFTPHostKey {{ proftpd['ssh-host-dsa-key'] }}
SFTPHostKey {{ proftpd['ssh-host-ecdsa-key'] }}
#SFTPAuthorizedUserKeys file:{{ proftpd['ssh-authorized-keys-dir'] }}%u
# Logging
TransferLog {{ proftpd['xfer-log'] }}
SFTPLog {{ proftpd['sftp-log'] }}
BanLog {{ proftpd['ban-log'] }}
# Virtual users
RequireValidShell off
AuthUserFile {{ proftpd['auth-user-file'] }}
# Prevent partially uploaded files to be visible
HiddenStores on
DeleteAbortedStores on
AllowStoreRestart off
# Limitations of running as non-root user
WtmpLog off
# ( we cannot use DefaultRoot ~ )
# Prevent user for escaping their home
<Directory />
<Limit ALL>
DenyAll
</Limit>
</Directory>
<Directory {{ proftpd['data-dir'] }}>
<Limit ALL>
AllowAll
</Limit>
</Directory>
# Ban failed logins
MaxLoginAttempts 1
BanEngine on
BanTable {{ proftpd['ban-table'] }}
# 5 failed login attemps in 5 minutes -> ban for 20 minutes
BanOnEvent MaxLoginAttempts 5/00:05:00 00:20:00 "Too many Failed Login Attempts"
BanControlsACLs all allow user {{ proftpd['user'] }}
# This depends on a control socket
ControlsSocket {{ proftpd['control-socket'] }}
ControlsSocketOwner {{ proftpd['user'] }} {{ proftpd['group'] }}