MikeL's FreeBSD ftpd HowTo

20200304
You may want ftp event logging:
Note! You could modify /etc/syslog.conf - this is how it was done in the old days. Now in the default file, you'll notice the line:
include /etc/syslog.d
In that dir, you'll find the file ftp.conf
In this file, change:
ftp.info /var/log/xferlog
to:
ftp.* /var/log/xferlog
Then do:
service syslogd restart
service ftpd restart
Note that if you get doubled entries for events in the syslog, that probably means you have the same service called out multiple times in syslog.conf. This happened to me when I did not notice the above include, and I simply added a new ftp line to the base file.
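If you suspect the doubled-entry problem, this added check (not part of the original HowTo) lists every syslog rule that explicitly names the ftp facility across syslog.conf and the included syslog.d directory, and counts destinations that are fed by more than one rule. It assumes the layout described above (ETCDIR/syslog.conf plus ETCDIR/syslog.d/*.conf) and deliberately ignores catch-all selectors such as *.notice.

```sh
#!/bin/sh
# Added example, not from the original HowTo. Finds ftp.* / ftp.info style
# rules in ETCDIR/syslog.conf and ETCDIR/syslog.d/*.conf and reports log
# destinations written to by more than one of them (the "same service called
# out multiple times" cause of doubled xferlog entries).

# ftp_log_rules ETCDIR
# Prints one "<file>:<selector> <action>" line per rule whose selector
# starts with "ftp." (comments stripped, blank lines ignored).
ftp_log_rules() {
    etc="$1"
    for f in "$etc/syslog.conf" "$etc"/syslog.d/*.conf; do
        [ -f "$f" ] || continue   # unmatched glob or missing file
        awk -v f="$f" '
            { sub(/#.*/, "") }                         # drop comments
            $1 ~ /^ftp\./ && NF >= 2 { print f ":" $1, $2 }
        ' "$f"
    done
}

# duplicate_ftp_actions ETCDIR
# Prints the number of destinations that appear in more than one ftp rule.
# 0 means each ftp message reaches every destination exactly once.
duplicate_ftp_actions() {
    ftp_log_rules "$1" | awk '{ print $2 }' | sort | uniq -d | wc -l | tr -d ' '
}

# On a live system: duplicate_ftp_actions /etc
```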

I've been trying to get failed login attempts to ftp into the logs. This is only temporary; I don't really want to know how many tens of thousands of blind attacks are being made on my server - talk about logspam! But I do have some remote automated sites that are failing, and I want to figure out why; determining whether they're getting in at all is the first step. Unfortunately, I can't seem to get this into the logs. It's not in auth.log, xferlog, messages, or console.log. If you figure this one out, please feel free to contact me!


20200301
By default, the stock ftpd installation DOES allow anonymous ftp. Assuming you don't want this, you'll need to do the following:
Note that the default installation runs ftpd via inetd. I recommend changing it to be a standalone daemon. This allows you to use service ftpd restart when you make changes to the config.

20191216 MikeL
Finally getting back to this. This time trying pure-ftpd.
[be sure to read ahead - this was a disaster - do not do this.]

as root:
pkg install pure-ftpd
edit /etc/rc.conf, add pureftp_enable="YES"
edit /etc/group. Add new line 'ftp:*:14:'
edit /etc/master.passwd, dup the line for user 22 immediately before it, and replace the 22's with 14, and change username to 'ftp'. Change fullname from 'Secure Shell' to 'pureftp'
vipw, dirty the file (I'd suggest changing the fullname 'pureftp' to 'Pureftp'), and save.
cd /usr/local/etc
cp pure-ftpd.conf.sample pure-ftpd.conf
edit pure-ftpd.conf
changes I made were:
NoAnonymous yes
UnixAuthentication yes
TLS 1
CertFileAndKey "/root/cert/..." "/root/cert/..."
ExtCert /var/run/ftpd-certs.sock
Alrighty, we're done, let's try it...
service ftpd stop
service pure-ftpd start
Got an error here: Shared object "libdl.so.1" not found
Some Google searching suggests that I may need to do a pkg upgrade.
pkg upgrade -f
It asked if I wanted to change 'php56' to php71. I have php72, so I said no. It then asked if I wanted to change php56 to php72 - yes!
Did pkg upgrade -f again immediately after it finished; a bunch more stuff to do.
FYI: observed emacs is broken with the same libdl.so.1 missing error - this is very very bad. Sure hope the upgrade fixes it.
In the end, I ftp'ed a copy of libdl.so.1, and libdl.a from a twin server, then recreated the libdl.so.1 symbolic link.


20190216 MikeL
The builtin FreeBSD ftpd does not do "secure" ftp, specifically SSL. (Every time I use Filezilla to ftp, I get a warning about this.) So to fix this, I will try to use bsdftpd-ssl. I've installed it from the ports collection and added it to /etc/rc.conf, but when I start it, it just fails. Looking at /var/log/messages, it says it can't find /etc/ssl/certs/ftpd.pem. I added a link to my existing .csr that I'm using for sendmail and apache, but now it gives an error about "can't find start line" or something. Oh yeah, .pem format is not the same as .csr. Maybe I'll get back to this later.
18-Mar-2018

As I recall, ftpd came already installed and configured reasonably on my FreeBSD 11.1 install. I run the ftp daemon standalone, not under inetd; I think that's the way it came. You may need to do a man inetd and/or edit /etc/inetd.conf if you want to change things.

One special thing that I do have to do, though, is that I have customer accounts that should only be allowed to ftp into their own website area. I do this as follows:
Once only: edit /etc/group
Add a new line to create a new group named customer.
    customer:*:30:
I arbitrarily chose to use group number 30 - just pick any number that's not already taken. Offhand I'd suggest using a several-digit number, as there are some standard packages with numbers they want to use, e.g. web servers like to use 80. I've gotten away with 30 for years, so I'm sticking with it, even though I may be skating on thin ice.

Then, edit /etc/ftpchroot, and add:
@customer
If this file is not already present to edit, simply create it with this single line in it. Note that you can do a man ftpchroot for more info on this config file, there's lots more you can do here.

If you haven't already created it: mkdir /web
Note that this may also be made on a separate (big) disk/volume, and may simply be a symbolic link in the root dir, e.g.:
mkdir /[big disk name]/web
ln -s /[big disk name]/web /web

Whenever you add a customer account, do your normal old adduser, and use group customer. Then do the following:

cd /
mv /home/[their username] /web/[their domain name]
ln -s /web/[their domain name] /home/[their username]

(ln -s takes the target first and the link name second, as in the /web example above: the link has to be created at /home/[their username], which no longer exists after the mv, and point at /web/[their domain name]. Since ftpd chroots to the account's home directory, the session then lands in the website directory.)

Lastly, note that if you want to change an account to be limited this way, you can simply use vipw to edit this user and change their group to this one.
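The per-customer steps above, as an added script that is not part of the original HowTo: it moves the home directory under /web, leaves the symlink behind, and verifies that the @customer chroot will land in the site directory. It assumes the layout described above (/home/<user>, /web/<domain>, group customer, @customer in /etc/ftpchroot); the ROOT prefix is an addition so the steps can be rehearsed in a scratch directory.

```sh
#!/bin/sh
# Added example, not from the original HowTo. Run after 'adduser' has created
# the account in group customer. ROOT (empty by default) prefixes every path
# so the procedure can be rehearsed without touching the real system.
ROOT="${ROOT:-}"

# link_customer_home USER DOMAIN
# Moves /home/USER to /web/DOMAIN and replaces it with a symlink, so ftpd's
# chroot to the home directory resolves to the website directory.
link_customer_home() {
    user="$1"; domain="$2"
    home="$ROOT/home/$user"; site="$ROOT/web/$domain"
    [ -d "$home" ] || { echo "no home directory: $home" >&2; return 1; }
    [ -L "$home" ] && { echo "already linked: $home" >&2; return 1; }
    [ -e "$site" ] && { echo "already exists: $site" >&2; return 1; }
    mkdir -p "$ROOT/web"
    mv "$home" "$site"
    # ln -s TARGET LINKNAME: the link is created at /home/USER and points at
    # /web/DOMAIN (the mv just removed the original /home/USER).
    ln -s "$site" "$home"
    # the chroot root itself should not be world-writable
    chmod 755 "$site"
}

# verify_customer_home USER DOMAIN
# Succeeds only if /home/USER is a symlink resolving to the /web/DOMAIN
# directory, i.e. the ftp session will be confined to the account's website.
verify_customer_home() {
    home="$ROOT/home/$1"; site="$ROOT/web/$2"
    [ -L "$home" ] && [ -d "$site" ] && [ "$(readlink "$home")" = "$site" ]
}

# customer_in_ftpchroot
# Confirms the one-time '@customer' line is present in /etc/ftpchroot.
customer_in_ftpchroot() {
    grep -qx '@customer' "$ROOT/etc/ftpchroot" 2>/dev/null
}

# Typical use as root, after adduser:
#   customer_in_ftpchroot || echo "add @customer to /etc/ftpchroot first"
#   link_customer_home alice example.com && verify_customer_home alice example.com
```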


Copyright © 1995-2024 Mike Lempriere (running on host bayanus)