ubuntu-machine 0.5.3.2.25
- data/MIT-LICENSE +20 -0
- data/README +15 -0
- data/lib/capistrano/ext/ubuntu-machine.rb +30 -0
- data/lib/capistrano/ext/ubuntu-machine/apache.rb +118 -0
- data/lib/capistrano/ext/ubuntu-machine/aptitude.rb +99 -0
- data/lib/capistrano/ext/ubuntu-machine/extras.rb +39 -0
- data/lib/capistrano/ext/ubuntu-machine/ffmpeg.rb +43 -0
- data/lib/capistrano/ext/ubuntu-machine/gems.rb +41 -0
- data/lib/capistrano/ext/ubuntu-machine/git.rb +15 -0
- data/lib/capistrano/ext/ubuntu-machine/helpers.rb +36 -0
- data/lib/capistrano/ext/ubuntu-machine/iptables.rb +20 -0
- data/lib/capistrano/ext/ubuntu-machine/lmsensors.rb +26 -0
- data/lib/capistrano/ext/ubuntu-machine/machine.rb +50 -0
- data/lib/capistrano/ext/ubuntu-machine/mysql.rb +64 -0
- data/lib/capistrano/ext/ubuntu-machine/network.rb +42 -0
- data/lib/capistrano/ext/ubuntu-machine/ntp.rb +37 -0
- data/lib/capistrano/ext/ubuntu-machine/odbc.rb +44 -0
- data/lib/capistrano/ext/ubuntu-machine/php.rb +8 -0
- data/lib/capistrano/ext/ubuntu-machine/postfix.rb +7 -0
- data/lib/capistrano/ext/ubuntu-machine/rails3.rb +7 -0
- data/lib/capistrano/ext/ubuntu-machine/ruby.rb +86 -0
- data/lib/capistrano/ext/ubuntu-machine/ssh.rb +64 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/apache2.erb +7 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/deflate.conf.erb +3 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/freetds.conf.erb +8 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/iptables.erb +46 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/my.cnf.erb +3 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/new_db.erb +5 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/ntp.conf.erb +16 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/ntpdate.erb +13 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/odbc.ini.erb +8 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/odbcinst.ini.erb +7 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/passenger.conf.erb +2 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/passenger.load.erb +1 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/sources.jaunty.erb +55 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/sources.lucid.erb +22 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/sshd_config.erb +80 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/vhost.erb +17 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/vsftpd.conf.erb +158 -0
- data/lib/capistrano/ext/ubuntu-machine/templates/xsendfile.load.erb +1 -0
- data/lib/capistrano/ext/ubuntu-machine/tmpfs.rb +17 -0
- data/lib/capistrano/ext/ubuntu-machine/utils.rb +49 -0
- data/lib/capistrano/ext/ubuntu-machine/vsftpd.rb +63 -0
- metadata +130 -0
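--- a/data/lib/capistrano/ext/ubuntu-machine/templates/iptables.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/iptables.erb
@@ -0,0 +1,46 @@
+*filter
+
+
+# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
+
+
+# Accepts all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+# Allows all outbound traffic
+# You can modify this to only allow certain traffic
+-A OUTPUT -j ACCEPT
+
+
+# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+
+# Allows SSH connections
+#
+# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
+#
+-A INPUT -p tcp -m state --state NEW --dport <%= ssh_options[:port] %> -j ACCEPT
+
+<% if hosting_provider=="ovh-rps" %>
+# allow packets from SAN, only for ovh-rps
+-A OUTPUT -p tcp --dport 3260 -j ACCEPT
+<% end %>
+
+# Allow ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+
+# log iptables denied calls
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+
+# Reject all other inbound - default deny unless explicitly allowed policy
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+
+COMMIT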
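Review bot: The `*filter` block on line 1 declares no chain policies, so the "default deny" claimed on line 42 rests entirely on the trailing `-A INPUT -j REJECT` and `-A FORWARD -j REJECT` rules; if this template is fed to iptables-restore (iptables.rb is outside this chunk) the chains keep whatever policy was already in place, typically ACCEPT, and the moment the catch-all rule is flushed or removed the host is wide open. Put the policies right after `*filter`: `:INPUT DROP [0:0]`, `:FORWARD DROP [0:0]`, `:OUTPUT ACCEPT [0:0]`. Separately, `-i ! lo` on line 6 is the intrapositioned negation that newer iptables releases warn about or reject; `! -i lo` is accepted by both old and new versions. Note also that only 80, 443 and the ssh port are opened inbound, so every other service this gem provisions (vsftpd in this same commit) must add its own rule.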
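--- a/data/lib/capistrano/ext/ubuntu-machine/templates/new_db.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/new_db.erb
@@ -0,0 +1,5 @@
+CREATE DATABASE `<%= db_name %>` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
+CREATE USER '<%= db_username %>'@'localhost' IDENTIFIED BY '<%= db_user_password %>';
+GRANT USAGE ON * . * TO '<%= db_username %>'@'localhost' IDENTIFIED BY '<%= db_user_password %>' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+GRANT ALL PRIVILEGES ON `<%= db_name %>` . * TO '<%= db_username %>'@'localhost' WITH GRANT OPTION ;
+FLUSH PRIVILEGES ;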
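Review bot: Line 4 grants the application account `WITH GRANT OPTION`, which lets that account hand its privileges to any other MySQL user; an application user has no need for that, so drop `WITH GRANT OPTION` from line 4 and keep the grant scoped to the one database. Line 3 only restates defaults (a `MAX_*` value of 0 means unlimited) and re-sets the password that line 2 already set, so it can go, and `FLUSH PRIVILEGES` on line 5 is unnecessary after `CREATE USER`/`GRANT`, which take effect immediately. The ERB substitutions are inserted verbatim with no SQL quoting, so a `db_user_password` or `db_name` containing `'` or a backtick breaks or alters the statements; the values presumably come from the deploy configuration rather than from end users, but the helper that renders this template (helpers.rb, outside this chunk) should escape them, or the README should state the restriction.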
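--- a/data/lib/capistrano/ext/ubuntu-machine/templates/ntp.conf.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/ntp.conf.erb
@@ -0,0 +1,16 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+filegen clockstats file clockstats type day enable
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+restrict 10.13.0.0 mask 255.255.255.0 nomodify notrap
+restrict 10.14.0.0 mask 255.255.255.0 nomodify notrap
+restrict 127.0.0.1
+restrict ::1
+<% ntp_pool_servers.each_with_index do |ntp_server,index|%>
+<%= "server #{ntp_server} #{index == 0 ? 'iburst' : ''}" %>
+<% end %>
+statistics loopstats peerstats clockstats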
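Review bot: Lines 9–10 hard-code `restrict 10.13.0.0 mask 255.255.255.0 nomodify notrap` and the matching `10.14.0.0` line with a looser restriction (no `noquery`/`nopeer`) than the `default` lines 7–8, in a template that otherwise takes its inputs (`ntp_pool_servers`) from the deploy configuration; these look like one hosting provider's private ranges, so on any other host they are dead config and on that network they expose ntpd status queries and peering to the whole /24. Either drive them from a variable like the server list or delete them and let the `default` restrictions apply. Minor: the interpolation on line 14 emits a trailing space for every server after the first; `<%= "server #{ntp_server}#{index == 0 ? ' iburst' : ''}" %>` avoids it.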
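--- a/data/lib/capistrano/ext/ubuntu-machine/templates/ntpdate.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/ntpdate.erb
@@ -0,0 +1,13 @@
+# The settings in this file are used by the program ntpdate-debian, but not
+# by the upstream program ntpdate.
+
+# Set to "yes" to take the server list from /etc/ntp.conf, from package ntp,
+# so you only have to keep it in one place.
+NTPDATE_USE_NTP_CONF=yes
+
+# List of NTP servers to use (Separate multiple servers with spaces.)
+# Not used if NTPDATE_USE_NTP_CONF is yes.
+NTPSERVERS="ntp.ubuntu.com"
+
+# Additional options to pass to ntpdate
+NTPOPTIONS=""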
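--- a/data/lib/capistrano/ext/ubuntu-machine/templates/passenger.load.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/passenger.load.erb
@@ -0,0 +1 @@
+LoadModule passenger_module /opt/<%= ruby_enterprise_version %>/lib/ruby/gems/1.8/gems/passenger-<%= passenger_version %>/ext/apache2/mod_passenger.so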
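--- a/data/lib/capistrano/ext/ubuntu-machine/templates/sources.jaunty.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/sources.jaunty.erb
@@ -0,0 +1,55 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+# Copied here by ubuntu machine
+
+deb http://archive.ubuntu.com/ubuntu/ jaunty main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty main restricted
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+deb http://archive.ubuntu.com/ubuntu/ jaunty-updates main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-updates main restricted
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team, and may not be under a free licence. Please satisfy yourself as to
+## your rights to use the software. Also, please note that software in
+## universe WILL NOT receive any review or updates from the Ubuntu security
+## team.
+deb http://archive.ubuntu.com/ubuntu/ jaunty universe
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty universe
+deb http://archive.ubuntu.com/ubuntu/ jaunty-updates universe
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-updates universe
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team, and may not be under a free licence. Please satisfy yourself as to
+## your rights to use the software. Also, please note that software in
+## multiverse WILL NOT receive any review or updates from the Ubuntu
+## security team.
+deb http://archive.ubuntu.com/ubuntu/ jaunty multiverse
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty multiverse
+deb http://archive.ubuntu.com/ubuntu/ jaunty-updates multiverse
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-updates multiverse
+
+## Uncomment the following two lines to add software from the 'backports'
+## repository.
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+# deb http://cl.archive.ubuntu.com/ubuntu/ jaunty-backports main restricted universe multiverse
+# deb-src http://cl.archive.ubuntu.com/ubuntu/ jaunty-backports main restricted universe multiverse
+
+## Uncomment the following two lines to add software from Canonical's
+## 'partner' repository. This software is not part of Ubuntu, but is
+## offered by Canonical and the respective vendors as a service to Ubuntu
+## users.
+# deb http://archive.canonical.com/ubuntu jaunty partner
+# deb-src http://archive.canonical.com/ubuntu jaunty partner
+
+deb http://archive.ubuntu.com/ubuntu/ jaunty-security main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-security main restricted
+deb http://archive.ubuntu.com/ubuntu/ jaunty-security universe
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-security universe
+deb http://archive.ubuntu.com/ubuntu/ jaunty-security multiverse
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-security multiverse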
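--- a/data/lib/capistrano/ext/ubuntu-machine/templates/sources.lucid.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/sources.lucid.erb
@@ -0,0 +1,22 @@
+#############################################################
+################### OFFICIAL UBUNTU REPOS ###################
+#############################################################
+
+###### Ubuntu Main Repos
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse
+
+###### Ubuntu Update Repos
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid-security main restricted universe multiverse
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid-proposed main restricted universe multiverse
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid-security main restricted universe multiverse
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid-proposed main restricted universe multiverse
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
+
+###### Ubuntu Partner Repo
+deb http://archive.canonical.com/ubuntu lucid partner
+deb-src http://archive.canonical.com/ubuntu lucid partner
+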
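Review bot: Lines 12 and 16 enable `lucid-proposed`, the staging pocket where updates sit before they are verified, so every `apt-get upgrade` on a machine provisioned with this template can pull in untested packages; the jaunty template in this same commit leaves even backports commented out. Keep `-proposed` off by default, `# deb http://nl.archive.ubuntu.com/ubuntu/ lucid-proposed main restricted universe multiverse` and likewise its `deb-src` twin, and consider the same for `lucid-backports` on lines 13 and 17, which also receive no security review. The mirror is hard-coded to `nl.archive.ubuntu.com` while sources.jaunty.erb uses `archive.ubuntu.com`; a template variable would make the two consistent and let deployers pick a nearby mirror.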
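--- a/data/lib/capistrano/ext/ubuntu-machine/templates/sshd_config.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/sshd_config.erb
@@ -0,0 +1,80 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port <%= ssh_options[:port] %>
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes # allow it to enable OVH to connect to your server
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys2
+UsePam yes
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UseDNS no
+
+AllowUsers <%= user %>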
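Review bot: Line 26, `PermitRootLogin yes # allow it to enable OVH to connect to your server`, carries a trailing comment, which sshd_config does not support (only whole lines beginning with `#` are comments); I believe sshd of this era already rejects such a line as garbage at end of line and refuses to start, which would leave the host unreachable after the restart, so confirm against the target OpenSSH and move the comment onto its own line. The stated purpose is not met either: line 80 `AllowUsers <%= user %>` limits logins to that single account, so root is refused regardless of line 26 unless `user` is root; either list root in `AllowUsers` deliberately and pair it with `PermitRootLogin without-password` so root stays key-only, or set `PermitRootLogin no` and drop the comment. `KeyRegenerationInterval` and `ServerKeyBits` on lines 17–18 are protocol-1 settings and dead under `Protocol 2`, and `KeepAlive` on line 67 is the legacy spelling of `TCPKeepAlive`; the non-default `AuthorizedKeysFile .ssh/authorized_keys2` on line 31 must match whatever path ssh.rb (outside this chunk) installs keys to.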
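--- a/data/lib/capistrano/ext/ubuntu-machine/templates/vhost.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/vhost.erb
@@ -0,0 +1,17 @@
+<VirtualHost *:80>
+
+# Admin email, Server Name (domain name) and any aliases
+ServerAdmin <%= server_admin %>
+ServerName <%= server_name %>
+ServerAlias <%= server_alias %>
+
+# Index file and Document Root (where the public files are located)
+DirectoryIndex <%= directory_index %>
+DocumentRoot /home/<%= user %>/websites/<%= server_name %>/public
+
+# Custom log file locations
+LogLevel warn
+ErrorLog /home/<%= user %>/websites/<%= server_name %>/logs/error.log
+CustomLog /home/<%= user %>/websites/<%= server_name %>/logs/access.log combined
+
+</VirtualHost>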
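Review bot: The vhost sets `DocumentRoot` on line 10 but defines no `<Directory>` block for it, so whether Apache serves `/home/<%= user %>/websites/<%= server_name %>/public` at all, and with which `Options` and `AllowOverride`, is inherited from the global configuration (the apache2.erb template is outside this chunk); the block below states the intent explicitly, with directory listings off and `.htaccess` overrides disabled. The syntax is Apache 2.2's `Order`/`Allow`, matching the Ubuntu releases this commit targets; on 2.4 the last two directives become `Require all granted`. Separately, lines 14–15 log into `/home/<%= user %>/websites/<%= server_name %>/logs/`, and Apache fails to start if that directory does not exist when the config is loaded, so apache.rb (outside this chunk) must create it before the reload.
```erb
DocumentRoot /home/<%= user %>/websites/<%= server_name %>/public
<Directory /home/<%= user %>/websites/<%= server_name %>/public>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
# … unchanged: log directives …
```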
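--- a/data/lib/capistrano/ext/ubuntu-machine/templates/vsftpd.conf.erb
+++ b/data/lib/capistrano/ext/ubuntu-machine/templates/vsftpd.conf.erb
@@ -0,0 +1,158 @@
+# Example config file /etc/vsftpd.conf
+#
+# The default compiled in settings are fairly paranoid. This sample file
+# loosens things up a bit, to make the ftp daemon more usable.
+# Please see vsftpd.conf.5 for all compiled in defaults.
+#
+# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
+# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# capabilities.
+#
+#
+# Run standalone? vsftpd can run either from an inetd or as a standalone
+# daemon started from an initscript.
+#listen=YES
+#
+# Run standalone with IPv6?
+# Like the listen parameter, except vsftpd will listen on an IPv6 socket
+# instead of an IPv4 one. This parameter and the listen parameter are mutually
+# exclusive.
+#listen_ipv6=YES
+#
+# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+#anonymous_enable=YES
+#
+# Uncomment this to allow local users to log in.
+#local_enable=YES
+#
+# Uncomment this to enable any form of FTP write command.
+#write_enable=YES
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+#local_umask=022
+#
+# Uncomment this to allow the anonymous FTP user to upload files. This only
+# has an effect if the above global write enable is activated. Also, you will
+# obviously need to create a directory writable by the FTP user.
+#anon_upload_enable=YES
+#
+# Uncomment this if you want the anonymous FTP user to be able to create
+# new directories.
+#anon_mkdir_write_enable=YES
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+#dirmessage_enable=YES
+#
+# Activate logging of uploads/downloads.
+#xferlog_enable=YES
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+#connect_from_port_20=YES
+#
+# If you want, you can arrange for uploaded anonymous files to be owned by
+# a different user. Note! Using "root" for uploaded files is not
+# recommended!
+#chown_uploads=YES
+#chown_username=whoever
+#
+# You may override where the log file goes if you like. The default is shown
+# below.
+#xferlog_file=/var/log/vsftpd.log
+#
+# If you want, you can have your log file in standard ftpd xferlog format
+#xferlog_std_format=YES
+#
+# You may change the default value for timing out an idle session.
+#idle_session_timeout=600
+#
+# You may change the default value for timing out a data connection.
+#data_connection_timeout=120
+#
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+#nopriv_user=ftpsecure
+#
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#async_abor_enable=YES
+#
+# By default the server will pretend to allow ASCII mode but in fact ignore
+# the request. Turn on the below options to have the server actually do ASCII
+# mangling on files when in ASCII mode.
+# Beware that on some FTP servers, ASCII support allows a denial of service
+# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
+# predicted this attack and has always been safe, reporting the size of the
+# raw file.
+# ASCII mangling is a horrible feature of the protocol.
+#ascii_upload_enable=YES
+#ascii_download_enable=YES
+#
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+#
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
+# useful for combatting certain DoS attacks.
+#deny_email_enable=YES
+# (default follows)
+#banned_email_file=/etc/vsftpd.banned_emails
+#
+# You may restrict local users to their home directories. See the FAQ for
+# the possible risks in this before using chroot_local_user or
+# chroot_list_enable below.
+#chroot_local_user=YES
+#
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+#
+#
+# Debian customization
+#
+# Some of vsftpd's settings don't fit the Debian filesystem layout by
+# default. These settings are more Debian-friendly.
+#
+# This option should be the name of a directory which is empty. Also, the
+# directory should not be writable by the ftp user. This directory is used
+# as a secure chroot() jail at times vsftpd does not require filesystem
+# access.
+secure_chroot_dir=/var/run/vsftpd
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+#
+# This option specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+# This option specifies the location of the RSA key to use for SSL
+# encrypted connections.
+rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+
+# We run from init.d
+listen=YES
+# We do not want anons connecting nor uploading
+anonymous_enable=NO
+anon_upload_enable=NO
+# We want local users connecting/writing
+local_enable=YES
+write_enable=YES
+# Files are initially created as Owner/Group read/write
+file_open_mode=0660
+local_umask=0007
+# No need for active directory messages
+dirmessage_enable=NO
+xferlog_enable=YES
+connect_from_port_20=YES
+# Jail that local user!
+chroot_local_user=YES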
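Review bot: Lines 137 and 140 point at a certificate and key, but `ssl_enable` is never set, so the daemon as configured speaks plain FTP and the local system passwords it verifies through PAM (line 133) cross the network unencrypted, together with every file transferred; add `ssl_enable=YES`, `force_local_logins_ssl=YES` and `force_local_data_ssl=YES`, and replace the self-signed snakeoil pair with a real certificate. Line 158 chroots local users into home directories that lines 149–152 make writable; later vsftpd releases refuse such logins unless `allow_writeable_chroot=YES` is set, so the deploy should pin the intended behaviour for the target version rather than rely on the default. The iptables template in this same commit opens only 80, 443 and the ssh port inbound, so unless vsftpd.rb (outside this chunk) adds rules for port 21 and a fixed `pasv_min_port`/`pasv_max_port` range, clients cannot reach the service through the firewall at all.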