proftpd配置的几个要注意的地方

1. 必须要加的两行配置:

UseReverseDNS off
IdentLookups off

如果你发现你的ftp超级慢,几秒到十几秒都没有连接完毕,那加上这两行试试。

2  选择认证方式
proftpd支持很多的认证方式,如passwd, PAM, sql, ldap等。
ldap在国内貌似应用得不广,忽略。
数据库有一个很大的好处就是便于管理,便于和别的程序整合用户系统。但是它的查询非常昂贵,因为每一次登陆都要做很多次的数据库查询。用SQLNegativeCache可以好一点,但是对于一个ftpd来说,还是觉得昂贵了。
看官方的说法:
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-SQL.html
Question: How can I make mod_sql go faster?
Answer: There are a couple of things you might try. First, if using a version of mod_sql from ProFTPD-1.2.7rc1 or later, make use of the SQLNegativeCache configuration directive.

Other forms of this question are "Why does mod_sql iterate through every user in the database?", or "Why is mod_sql so slow during logins?" Here’s the reason: mod_sql is designed to handle all authentication functions that the daemon throws at it. This includes the functions that iterate through all users (setpwent(), getpwent(), endpwent()) and the functions that iterate through all groups (setgrent(), getgrent(), endgrent()).

When you see mod_sql iterating through all groups or users, it is doing so because it has been asked to do so by the daemon. Since there is no good way to keep an open query around without adding more to the various backend modules than we already have, mod_sql pre-caches all users when setpwent() is called, and pre-caches all groups when setgrent() is called. This allows the getpwent() and getgrent() calls to be simple, at the cost of more time during login.

In simple situations, these functions are never called. When you start limiting access to directories, files, or various FTP commands based on user or group, that is when the daemon needs to iterate through the users and groups to check permissions. A basic FTP server, including virtual and anonymous servers, will never make the (potentially, very) expensive user iteration calls, but may iterate through all groups.

The SQLAuthenticate directive provides a method to tune mod_sql; by default, mod_sql will handle the various *pwent() and *grent() calls. When SQLAuthenticate is told not to handle userset or groupset, mod_sql simply passes the request on to whatever authentication handlers exist in the system. Keep in mind that using SQLAuthenticate in this way means that the proftpd daemon is not using the same information to authenticate the user as it is to control the user’s actions during their session.

For those of you who have used mod_sql in the past, these lookups should probably be set to off. Versions of mod_sql prior to 3.2.0 (or thereabouts) did not handle the {set|get|end}{pw|gr}ent functions at all, so by setting these lookups to off, you lose no functionality. Those of you new to mod_sql should to consider your needs: is the cost of iterating through every user stored in the database worth the ability to limit access based on users/groups from the database? If not, you will need to re-evaluate the way you are using the database, and where you should be storing your user/group information.

PAM是一个不错的选择,但是它默认使用的是系统上真实存在的用户,管理用户(增、删、改)都涉及到系统用户的变动。

passwd应该是建虚拟用户FTP的首选。它基本文本,速度快,开销小,可以让用户虚拟化,和系统用户可以没有直接关联,因为它指定了passwd文件,并代替系统的/etc/passwd供ftpd使用。http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-AuthFiles.html

其它还有几种认证方式,在这里可以找到介绍:http://proftpd.org/docs/faq/linked/faq-ch7.html

Leave a Reply

Your email address will not be published. Required fields are marked *