FTP
To provide an FTP service, Plesk uses the ProFTPD FTP server. Plesk includes the following two packages:
- psa-proftpd, which contains the main component.
- psa-proftpd-xinetd, which contains patches and configurations to work with xinetd.
FTP Startup
ProFTPD is started by xinetd every time the server receives an FTP request. In the case of authorized access, the FTP service is started on behalf of the user whose request is to be processed. For anonymous users, the service is started with the UID of the psaftp user.
FTP Users
The FTP server allows document access for authenticated users that are listed in the /etc/passwd and /etc/shadow files. The first one defines the user name, group membership, home directory, and active access method. The second one stores password hash values. Let us look at FTP users created during the virtual hosting setup procedure. The following are some /etc/passwd lines defining FTP user parameters.
# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
psaftp:x:2524:2522:anonftp psa user:/:/bin/false
ftpuser:x:10006:10001::/var/www/vhosts/domain.tst:/bin/false
ftpuser55:x:10010:10001::/var/www/vhosts/domainXX.tst:/bin/false
The first two lines are default FTP users. The psaftp user is the one on behalf of whom the FTP service is started when the Plesk server receives an anonymous FTP request.
The last two lines define typical FTP users. The group ID 10001 refers to the psacln group that contains FTP users. The psacln group is added to the /etc/ftpchroot file. For every FTP user logged in to Plesk, a “chroot” procedure is executed, which ensures the user cannot see files owned by other users.
Plesk stores all FTP user accounts in a single database; therefore, FTP users cannot have the same names even if they are created for different virtual hosts. Besides, since the FTP service cannot be name based, only one virtual host on each IP address can provide anonymous FTP access.
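A check for the account properties described above, as an added example that is not part of the Plesk documentation: it reads passwd-format lines and reports FTP-group accounts that have a login shell or a home directory outside the virtual hosts tree, both worth reviewing. The function names, the list of non-login shells and the last two sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Plesk code): audits passwd-format lines on stdin for
# accounts whose primary group is the FTP group (psacln, GID 10001 on this
# page). The function names and the list of non-login shells are assumptions.

audit_ftp_users() {             # usage: audit_ftp_users GID VHOSTS_ROOT
    awk -F: -v gid="$1" -v root="$2" '
        $4 != gid { next }      # not a member of the FTP group
        {
            problems = ""
            if ($7 != "/bin/false" && $7 != "/sbin/nologin" &&
                $7 != "/usr/sbin/nologin")
                problems = problems " login-shell=" $7
            # The chroot confines the session to the home directory, so a
            # home of "/" or one outside the vhosts root defeats it.
            if (index($6, root "/") != 1 || length($6) == length(root) + 1)
                problems = problems " home-outside-vhosts=" $6
            if (problems != "") print $1 ":" problems
        }
    '
}

# First three lines are taken from the listing above; the last two are
# constructed to show what a finding looks like.
sample_passwd() {
    cat <<'EOF'
ftpuser:x:10006:10001::/var/www/vhosts/domain.tst:/bin/false
ftpuser55:x:10010:10001::/var/www/vhosts/domainXX.tst:/bin/false
psaftp:x:2524:2522:anonftp psa user:/:/bin/false
ftpshell:x:10011:10001::/var/www/vhosts/example.tst:/bin/bash
ftproot:x:10012:10001::/:/bin/false
EOF
}

sample_passwd | audit_ftp_users 10001 /var/www/vhosts
```

On a live server the same function can be fed with `audit_ftp_users 10001 /var/www/vhosts < /etc/passwd`, after confirming the psacln GID in /etc/group.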
FTP Configuration
The FTP server configuration parameters are stored in the /etc/proftpd.conf file. Here are some of the parameters. A sample of the proftpd.conf file is displayed below:
DefaultServer on
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
</Global>
DefaultTransferMode binary
UseFtpUsers on
TimesGMT off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# The following part of this config file was generated by PSA automatically.
# Any changes in this part will be overwritten by the next manipulation
# with the Anonymous FTP feature in the PSA control panel.
# The Include directive should point to the place where FTP Virtual Hosts
# configurations are preserved.
ScoreboardFile /var/run/proftpd/scoreboard
# Primary log file must be outside of system logrotate province
TransferLog /usr/local/psa/var/log/xferlog
#Change default group for new files and directories in vhosts dir to psacln
<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>
# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd
IdentLookups off
UseReverseDNS off
AuthGroupFile /etc/group
Include /etc/proftpd.include
Each virtual host FTP configuration is stored in the /etc/proftpd.include file. The configurations consist of two sections:
- The general section configures FTP for authorized users. It configures the following:
  - Virtual server name to IP address binding.
  - Log file path.
  - Write permission.
  - Login access allowed only to the psacln group.
  Below is a sample of the general section:
<VirtualHost 192.168.37.101>
ServerName "ftp.swtrn.com"
TransferLog /usr/local/psa/var/log/xferlog
AllowOverwrite on
<Limit LOGIN>
Order allow, deny
AllowGroup psacln
Deny from all
</Limit>
- The Anonymous section configures FTP for anonymous users. It configures:
  - An alias for the psaftp user account.
  - anon_ftp as the home directory that is inside the domain directory opened for the authorized domain user.
  - A log file for anonymous FTP access.
  - User and group for anonymous FTP access.
  - Login access and read-only rights for everyone.
  Below is a sample of this section:
UserAlias anonymous psaftp
<Anonymous /var/www/vhosts/domain.tst/anon_ftp>
TransferLog /var/www/vhosts/domain.tst/statistics/logs/xferlog
PathDenyFilter "^\.quota$"
RequireValidShell off
TransferRate RETR 0.000
User psaftp
Group psaftp
<Limit LOGIN>
AllowAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
<Directory incoming>
UserOwner ftpuser
Umask 022 002
<Limit STOR>
DenyAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
<Limit READ>
DenyAll
</Limit>
<Limit MKD XMKD>
DenyAll
</Limit>
</Directory>
</Anonymous>
For more information on the ProFTPD configuration, refer to www.proftpd.org.
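A check for the read-only property of the anonymous section, as an added example that is not part of the Plesk documentation or of ProFTPD. It marks an <Anonymous> block WRITABLE unless a <Limit WRITE> directly inside it contains DenyAll and no nested WRITE or STOR limit contains AllowAll; the function names and both sample blocks are constructed for illustration, and only these directive forms are recognised.

```shell
#!/bin/sh
# Added example (not Plesk or ProFTPD code). Reads proftpd.include-style
# text on stdin; exit status 1 means at least one block is writable.
check_anon_readonly() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || $0 == "" { next }
        tolower($1) == "<anonymous" {
            in_anon = 1; depth = 0; wl = 0; denied = 0; opened = 0
            path = $2; sub(/>$/, "", path); next
        }
        !in_anon { next }
        tolower($0) == "</anonymous>" {
            verdict = (denied && !opened) ? "READ-ONLY" : "WRITABLE"
            if (verdict == "WRITABLE") bad = 1
            print verdict " " path
            in_anon = 0; next
        }
        /^<\// { if (depth == wl) wl = 0; depth--; next }    # closing tag
        /^</ {                                               # opening tag
            depth++; line = toupper($0)
            # wl = nesting depth of the WRITE/STOR limit being read, 0 if none
            if (line ~ /^<LIMIT[ \t]/ && line ~ /[ \t](WRITE|STOR)[ \t>]/) {
                wl = depth; full = (line ~ /[ \t]WRITE[ \t>]/)
            }
            next
        }
        wl && tolower($1) == "allowall" { opened = 1 }   # writes re-enabled
        wl == 1 && full && tolower($1) == "denyall" { denied = 1 }
        END { exit bad + 0 }
    '
}

# Constructed input: a block shaped like the sample above, then one whose
# incoming directory accepts uploads.
sample_include() {
    printf '%s\n' \
        '<Anonymous /var/www/vhosts/domain.tst/anon_ftp>' \
        '<Limit WRITE>' 'DenyAll' '</Limit>' '</Anonymous>' \
        '<Anonymous /var/www/vhosts/example.tst/anon_ftp>' \
        '<Limit WRITE>' 'DenyAll' '</Limit>' \
        '<Directory incoming>' '<Limit STOR>' 'AllowAll' '</Limit>' \
        '</Directory>' '</Anonymous>'
}

sample_include | check_anon_readonly || echo "anonymous upload is possible"
```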
FTP Logs and Statistics
For each domain, the ProFTPD service writes statistics for both anonymous and authorized access to log files located in the /var/www/vhosts/<domain_name>/statistics/logs/ directory. Once a day, Plesk processes the logs with the statistics utility and separates the statistical data into two parts:
- Anonymous access information stored in the statistics/anon_ftpstat subdirectory of the virtual host directory.
- Authorized access information stored in the statistics/ftpstat/ subdirectory.
In addition, the statistics utility writes the statistical data to the psa database and calls the log rotation utility logrotate. For more information on statistics processing and log rotation, refer to the chapter Statistics and Logs.
Switching On Implicit FTPS
By default, the Plesk FTP server supports explicit FTPS only. To turn on implicit FTPS, follow these instructions:
- Run the following commands in the shell:
touch /etc/xinetd.d/ftps_psa
chmod 0644 /etc/xinetd.d/ftps_psa
- Paste the following into the /etc/xinetd.d/ftps_psa file:
service ftps
{
flags = IPv6
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
instances = UNLIMITED
server = /usr/sbin/in.proftpd
server_args = -c /etc/proftpd.conf
}
- Edit the /etc/proftpd.conf file to insert the following section after the </Global> closing tag:
<IfModule mod_tls.c>
<VirtualHost 0.0.0.0>
Port 990
TLSEngine on
TLSOptions UseImplicitSSL
</VirtualHost>
</IfModule>
DefaultTransferMode binary
UseFtpUsers on
- Run the service xinetd restart command.
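A lint for the two files edited in the steps above, as an added example that is not part of the Plesk documentation. It confirms that the port 990 virtual host enables TLS in implicit mode and reports xinetd settings worth reviewing, such as instances = UNLIMITED, which leaves the per-service process limit mentioned in the proftpd.conf comments unset; function names and message texts are assumptions.

```shell
#!/bin/sh
# Added example (not Plesk code): lint for the two files edited above.
# Function names and finding texts are assumptions of this example.

lint_xinetd_ftps() {            # xinetd service stanza on stdin
    awk -F'[ \t]*=[ \t]*' '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $1 == "disable" && $2 != "no" { print "xinetd: service disabled" }
        $1 == "instances" && $2 == "UNLIMITED" {
            print "xinetd: instances = UNLIMITED (no per-service process cap)"
        }
        $1 == "server" { server = $2 }
        END { if (server != "/usr/sbin/in.proftpd") print "xinetd: server=" server }
    '
}

lint_implicit_vhost() {         # proftpd.conf text on stdin
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        tolower($1) == "<virtualhost" { in_vh = 1; port = ""; tls = 0; imp = 0; next }
        !in_vh { next }
        tolower($1) == "port"       { port = $2 }
        tolower($1) == "tlsengine"  { tls = (tolower($2) == "on") }
        tolower($1) == "tlsoptions" { imp = ($0 ~ /[ \t]UseImplicitSSL([ \t]|$)/) }
        tolower($0) == "</virtualhost>" {
            if (port + 0 == 990) {
                found = 1
                if (!tls) print "proftpd: port 990 without TLSEngine on"
                if (!imp) print "proftpd: port 990 without UseImplicitSSL"
            }
            in_vh = 0
        }
        END { if (!found) print "proftpd: no VirtualHost on port 990" }
    '
}

# Sample input reproducing the stanza and section from the steps above.
page_xinetd() {
    printf '%s\n' 'service ftps' '{' 'flags = IPv6' 'disable = no' \
        'socket_type = stream' 'protocol = tcp' 'wait = no' 'user = root' \
        'instances = UNLIMITED' 'server = /usr/sbin/in.proftpd' \
        'server_args = -c /etc/proftpd.conf' '}'
}
page_vhost() {
    printf '%s\n' '<IfModule mod_tls.c>' '<VirtualHost 0.0.0.0>' 'Port 990' \
        'TLSEngine on' 'TLSOptions UseImplicitSSL' '</VirtualHost>' '</IfModule>'
}

page_xinetd | lint_xinetd_ftps
page_vhost | lint_implicit_vhost
```

Against the live files, run `lint_xinetd_ftps < /etc/xinetd.d/ftps_psa` and `lint_implicit_vhost < /etc/proftpd.conf`; no output from the second command means the port 990 section is complete.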