Ocean FTP Server
Help, configuration and tips.
Accounts and Groups
Ocean FTP Server has been designed to offer a large amount of control over accounts while avoiding unnecessary complexity. This control is made quicker, easier and safer by the use of groups (which help to manipulate multiple accounts at the same time). The relationship between an account and a group is documented in detail on the How Groups Work page. Accounts and groups have almost identical control options. Therefore, once you understand how to set up an account, all you need to learn for groups is how they affect accounts belonging to them. The following sections detail each tab option of an account dialog and demonstrate how each control can help you run a secure and flexible FTP server.
- Add - This allows you to add an account / group.
- Edit - Once created, this allows you to edit an existing account / group.
- Copy - This allows you to easily mimic the settings of an existing account / group to help save time creating additional accounts / groups with similar settings.
- Delete - This allows you to delete an account / group. You will be warned of deletions to prevent unnecessary removals.
To skip to a particular topic on this page...
General
Folders
Virtual Folders
Limits
IP Restrictions
Editing While Online
How to Create an Anonymous Account
How Groups Work
General
This is the page where basic information is set such as the user name, password, group allocation and access rights. For groups, the options differ slightly in that groups have no password.
- Enable Account/Group - If you uncheck this option, the account (or in a group all the accounts associated with the group) will become disabled. This can be used to temporarily disable an account without having to delete the account.
- User/Login/Name - For an account, this is the login name and also the account name. For a group, this is the group name.
- Password - This allows you to control the password of the account (not available in group controls).
- Part of Group - This allows you to set the account / group to be part of a group. The effect of this is documented in the How Groups Work page. It is possible for groups to be part of other groups. This opens up the possibility of nested groups and complex tree-like structures. However, the most common use is just to assign an account to a group.
- Access Rights - This allows you to control the overall access permissions the account has. These settings not only affect the root folder but also affect any virtual folders in the account. So by disabling 'File Read', all virtual folders will also disallow file reading (even if they are set to allow it). If 'File Read' was enabled here but not in a virtual folder, then that virtual folder would still disallow file reading. If a group did not enable 'File Read' then all the associated accounts and their virtual folders would not be granted file read access. By enabling 'File Read' in a group, all associated accounts do not automatically get 'File Read' access, but instead are just allowed to enable 'File Read'.
- Allow Users to Change the Password - With this enabled, any logged in user can send the 'SITE CPWD (newpassword)' command to change the account password. If this option is disabled in a group, then none of the associated accounts would be allowed to change the password. Please note that this option is also controlled via the overall general settings security option which also has to be enabled for password changing to work.
- Allow Users to Execute (Run/Open) Files - With this enabled, any logged in user can send the 'SITE EXEC (filepath) (parameters)' command to execute a file on the server. If this option is disabled in a group, then none of the associated accounts would be allowed this access right. It is recommended that any account which has this enabled should have a strong password that is known only by trusted users.
- Only Allow Login With SSL - With this enabled, only users who are connecting via SSL or TLS will be allowed access. This is useful if you want to protect important files by forcing users to log in securely.
- Always Allow Login - If you set a restriction on the number of users (in the account or group this account is part of), this will ensure that those limits are ignored. This option is not available for groups and is usually only applied to a special account (such as the account owned by you).
- Log Account Activities Separately - If required, you can set an account to log all its activities into a separate log file (for easier analysis). This log is located in the accountlogs folder and will be named after the user/login of the account (e.g. anonymous.txt).
Folders
This is the page where the root folder is set, the virtual folders are created and the start directory is set. This allows you to control which areas of the hard drive an account has access to and set individual access rights to particular folders (using virtual folders).
- Root Folder - If an account requires a root folder this is where it is set. If an account is not given a root folder then the users will only be able to access and write to the assigned virtual folders. If this option is set in a group then all associated accounts will share this same root folder.
- Virtual Folders - This is the list of virtual folders which will appear and be accessible as though they were real folders in the account's root folder. When setting the name of a virtual folder you can set it to be a sub-folder (e.g. "/uploads/special files"). This would cause a logged in user to see an "uploads" folder in the root folder and then a "special files" folder would appear in the "uploads" folder. However, in most cases a simple name like "/uploads" is used. If a group defines a virtual folder, all associated accounts will inherit the virtual folder. Should the group define a virtual folder which has the same name as a virtual folder in an associated account, the account's virtual folder is ignored and only the group's virtual folder is accessible.
- Start in Directory - When a user first logs into an account, by default they are placed in the root folder. However, if you want them to be placed in a certain sub-folder (e.g. "latest news", to ensure users have a chance to read your latest news updates) you can set the start folder.
Virtual Folders
Virtual folders are commonly used to share important sub-folders amongst many accounts. They also open the possibility of creating accounts with different access permissions in different folders and allow rather complex but often needed account structures.
- Name - This is the name and also the remote path description of the virtual folder. When setting the name of the virtual folder you can set it to be a sub-folder (e.g. "/uploads/special files"). This would cause a logged in user to see an "uploads" folder in the root folder and then a "special files" folder appear in the "uploads" folder. However, in most cases a simple name like "/uploads" is used.
- Path - This is the physical location of the virtual folder on the hard drive.
- Max Size (MB) - If a virtual folder should require a maximum limit of the amount of hard drive space it can use then you can set this value here. Once a virtual folder reaches this limit then no more files can be written into the virtual folder until some space is freed.
- Access Rights - These controls allow you to restrict the access permissions for the virtual folder. However, these access rights are still limited by the account's overall access rights (i.e. if the account's overall 'File Read' permission is disabled, then the virtual folder will not be allowed 'File Read' access regardless).
- Visible in Folder View - If you disable this option, the virtual folder will become 'invisible'. This is useful if you want a particular folder and its contents to remain secret. Although the virtual folder is not visible, it is still possible to access the virtual folder.
- Counts Towards Current Account Size - If the account has a limitation on its hard drive space use (Max Account Size on the Limits page), then the virtual folder will be taken into account when calculating the current disk space used. For shared virtual folders this is often disabled, but if a virtual folder is private to a particular account then it is often enabled.
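The Access Rights and virtual folder rules from the General, Folders and Virtual Folders sections can be checked with a small model. This is an added example, not code from Ocean FTP Server: the `Node` structure, the right names other than 'File Read', the sample paths, and the choice that the outermost group wins when nested groups define the same folder are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    """An account or a group (hypothetical model, not Ocean's storage format)."""
    name: str
    rights: set                       # boxes ticked under Access Rights
    parent: Optional["Node"] = None   # "Part of Group"; groups can nest
    vfolders: dict = field(default_factory=dict)  # name -> (path, rights)

def chain(node):
    """Yield the node, then every group above it; refuse membership loops."""
    seen = set()
    while node is not None:
        if id(node) in seen:
            raise ValueError("group membership loop at " + node.name)
        seen.add(id(node))
        yield node
        node = node.parent

def account_rights(account):
    """A right is effective only if the account and every group above enable it."""
    result = set(account.rights)
    for node in chain(account):
        result &= node.rights
    return result

def resolve_vfolder(account, name):
    """Return (physical path, effective rights), or None if no such folder."""
    owner = None
    for node in chain(account):       # a group's folder replaces the member's
        if name in node.vfolders:
            owner = node
    if owner is None:
        return None
    path, rights = owner.vfolders[name]
    return path, set(rights) & account_rights(account)

# Constructed sample data: right names other than file_read, and all paths, are made up.
STAFF = Node("staff", {"file_read", "file_write", "dir_list"},
             vfolders={"/uploads": (r"D:\shared\uploads", {"file_read", "dir_list"})})
ALICE = Node("alice", {"file_read", "file_write", "file_delete", "dir_list"},
             parent=STAFF,
             vfolders={"/uploads": (r"D:\alice\uploads", {"file_read", "file_write"}),
                       "/private": (r"D:\alice\private", {"file_read", "file_delete"})})

if __name__ == "__main__":
    print(sorted(account_rights(ALICE)))
    print(resolve_vfolder(ALICE, "/uploads"))
    print(resolve_vfolder(ALICE, "/private"))
```

In the sample, the delete right ticked on the account has no effect because the group does not enable it, and the account's own "/uploads" folder is replaced by the group's read-only one.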
Limits
If you need to restrict an account in any way then this page offers a large selection of controls. You can restrict the maximum size allocation of the account, upload / download speeds, maximum currently connected users and also apply credit rules (upload / download ratios). If a group specifies any of these limits, all associated accounts will inherit the limits. If an account defines a stronger limit (e.g. the account specifies a Max Users value of 5 and the group specifies a value of 10), then the account limit will remain unaffected.
- Max Account Size (MB) - This option allows you to restrict the account to a fixed amount of disk usage (disk quota control). Once the account contains or exceeds the amount of data specified here, no more file writing will be permitted until space is freed.
- Max Daily Upload (KB) - This option allows you to restrict the amount of data that can be uploaded to the account per day.
- Max Daily Download (KB) - This option allows you to restrict the amount of data that can be downloaded from the account per day.
- Max Upload Speed (KB/s) - This option allows you to restrict the bandwidth allowance for the uploading of files. This value is shared amongst all the users of this account and so if the limit was set to 10 KB/s, the result would be that 2 simultaneous uploads on the same account would be limited to 5 KB/s each.
- Max Download Speed (KB/s) - This option allows you to restrict the bandwidth allowance for the downloading of files. This value is shared amongst all the users of this account and so if the limit was set to 10 KB/s, the result would be that 2 simultaneous downloads on the same account would be limited to 5 KB/s each.
- Max Users - This option allows a restriction to be placed on the maximum allowed number of users logged in at the same time.
- Enable Credits - This enables or disables the credit system for this account. For more information on credits you can look at the Using Credits page. If a group enabled credits then all associated accounts would also have credits enabled.
- Credits Per Uploaded KB - This allows you to specify how many credits are given or taken on uploads. This value can be either positive or negative.
- Credits Per Downloaded KB - This allows you to specify how many credits are given or taken on downloads. This value can be either positive or negative.
- Current Credits - This allows you to adjust the current number of credits or preset the credits on a new account. This option is not available to groups because the current credit count is only relevant to a particular account.
IP Restrictions
Often it is important to ensure that a particular account is only accessible from certain computers. The IP Restrictions page offers a flexible IP security system which can be configured to let only the computers you choose access the account. There are usually two methods in which the IP Restrictions are used. The first and simplest method is to just block bad IPs which should not be allowed access (perhaps abusive users). The second and more secure method is to block all IPs and then only allow certain IPs access by adding them to the safe IP list. Note that safe IPs (if enabled) overrule any blocked IPs.
- Safe IPs - This allows you to specify which IPs are safe and should always be allowed access. It's important to note that safe IPs will always overrule any blocked IPs. If a group specifies any safe IPs then any associated account will be limited to only those safe IPs.
- Blocked IPs - This allows you to specify which IPs should be blocked. If a group specifies any blocked IPs then any associated account will inherit these additional blocked IPs.
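The precedence described above (safe IPs overrule blocked IPs, and a group's blocked IPs are added to the account's) has a side effect worth auditing: a block can be silently cancelled by a wider safe range. The following is an added example, not code from Ocean FTP Server. It assumes entries are written as single addresses or CIDR ranges, since this page does not show the product's pattern syntax, and it leaves group-level safe IPs out of the model.

```python
import ipaddress

def parse(entries):
    """Turn address or CIDR strings into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def decide(client_ip, account, group_blocked=()):
    """Return (allowed, reason) for one connection attempt."""
    ip = ipaddress.ip_address(client_ip)
    safe = parse(account.get("safe", []))
    # Blocked IPs set on the group are added to the account's own.
    blocked = parse(account.get("blocked", [])) + parse(group_blocked)
    hit = next((n for n in safe if ip in n), None)
    if hit is not None:               # safe always overrules blocked
        return True, f"safe {hit}"
    hit = next((n for n in blocked if ip in n), None)
    if hit is not None:
        return False, f"blocked {hit}"
    return True, "no rule matched"

def shadowed_blocks(account, group_blocked=()):
    """List blocked entries that can never take effect for this account
    because a safe entry covers them completely."""
    safe = parse(account.get("safe", []))
    blocked = parse(account.get("blocked", [])) + parse(group_blocked)
    return [str(b) for b in blocked
            if any(b.version == s.version and b.subnet_of(s) for s in safe)]

# Constructed sample data (documentation address ranges).
# The account uses the "block all, then allow" method; the group blocks one host.
ACCOUNT = {"safe": ["198.51.100.0/24"], "blocked": ["0.0.0.0/0"]}
GROUP_BLOCKED = ["198.51.100.77"]

if __name__ == "__main__":
    for addr in ("198.51.100.77", "192.0.2.10"):
        print(addr, decide(addr, ACCOUNT, GROUP_BLOCKED))
    print("never effective:", shadowed_blocks(ACCOUNT, GROUP_BLOCKED))
```

Here the host blocked at group level is still admitted to the account because it falls inside the account's safe range, which is exactly what `shadowed_blocks` reports.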
Editing While Online
If you are editing an account or group while the server is online, any changes you make will be effective immediately. This means a change of password or user login will disconnect any currently connected users. Also, if you decide to reduce the bandwidth allowance on downloads, for example, this will instantly take effect on all downloads for this account. This method ensures that you have true control over the FTP server and all connected users, making the FTP server a more secure environment.
How to Create an Anonymous Account
Most FTP servers (especially public servers) usually have an account created called anonymous. This allows a user to log in to an FTP server without the need for a password (usually to access some free downloads). Ocean FTP Server supports anonymous accounts by simply allowing you to create an account like any other but by calling the account 'anonymous'. All accounts that are created in Ocean FTP Server must have a password set, except for the anonymous account, where this is not required. It is still possible for you to set a password for the anonymous account (to prevent normal public access).