2010. 4. 28. 16:15

vsFTPd and FTP user account configuration


The vsFTPd ftp server was first shipped in Red Hat Linux 9. It has been adopted by SuSE and OpenBSD as well. It is currently the recommended FTP daemon for use on FTP servers.

Enable vsftpd:

  • Red Hat/Fedora Core/CentOS: VsFTPd is a stand-alone service and, in the default Fedora Core installation, is not controlled by xinetd as the wu-ftpd default installation was.
    Thus start the service: service vsftpd start (or: /etc/init.d/vsftpd start)
    Configure vsftpd to start upon system boot: chkconfig vsftpd on (run chkconfig --add vsftpd first if the service is not yet registered with chkconfig)

  • SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
    disable = yes
    to:
    disable = no
    Restart the xinetd daemon: /etc/init.d/xinetd restart
    Note: vsftpd can also be run as a stand-alone service to achieve a faster response time.

  • Ubuntu (dapper/hardy) / Debian:
    • Install: apt-get install vsftpd
    • VsFTPd is a stand alone service.
      • Start: /etc/init.d/vsftpd start
      • Stop: /etc/init.d/vsftpd stop
      • Restart: /etc/init.d/vsftpd restart
        (Use this command after making configuration file changes)

For more on starting/stopping/configuring Linux services

Configuration files:

  • vsFTPd configuration file:
    • Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
    • S.u.S.e. / Ubuntu (dapper/hardy) / Debian: /etc/vsftpd.conf
    Default for Fedora Core 3:
    anonymous_enable=YES            - Anonymous FTP. The compiled-in default is YES, so commenting this line out
                                      still allows anonymous logins; set anonymous_enable=NO to disable them.
                                      Default anonymous directory: the ftp user's home, /var/ftp (override with anon_root=)
    
    local_enable=YES                - Uncomment this to allow local users to log in with FTP.
                                      Must also set SELinux boolean: setsebool -P ftp_home_dir 1
    
    write_enable=YES                - Uncomment this to enable any form of FTP write or upload command.
    
    local_umask=022                 - Default is 077. Umask 022 is used by most other ftpd's.
    
    #anon_upload_enable=YES         - Uncomment to allow the anonymous FTP user to upload files.
                                      Requires the global write_enable=YES above, and the target
                                      directory must be writable by the anonymous (ftp) user.
    
    #anon_mkdir_write_enable=YES    - Uncomment to allow the anonymous FTP user to create new directories.
    
    dirmessage_enable=YES           - Activate directory messages: the text of .message (or the file named
                                      by message_file=) is shown to remote users when they enter that directory.
    
    xferlog_enable=YES              - Activate logging of uploads/downloads.
    
    connect_from_port_20=YES        - PORT (active mode) data connections originate from port 20 (ftp-data).
    
    #chown_uploads=YES              - Give uploaded anonymous files to a specified owner (never root).
    #chown_username=whoever
    
    #xferlog_file=/var/log/vsftpd.log - Specify the log file explicitly. With xferlog_std_format=YES the
                                      wu-ftpd style transfer log defaults to /var/log/xferlog; vsftpd's own
                                      log format (vsftpd_log_file) defaults to /var/log/vsftpd.log.
    
    xferlog_std_format=YES          - Write the transfer log in standard ftpd xferlog format.
    
    #idle_session_timeout=600       - Timeout in seconds for an idle control session.
    
    #data_connection_timeout=120    - Timeout in seconds for a stalled data connection (port 20 or a passive port).
    
    #nopriv_user=ftpsecure          - Isolated, unprivileged user the server drops to when it needs no privileges.
    
    #async_abor_enable=YES          - Enable this and the server will recognise asynchronous ABOR requests.
                                      Not recommended for security (the code is non-trivial); not enabling
                                      it may confuse older FTP clients.
    
    #ascii_upload_enable=YES        - Leave these commented out: ASCII mangling is off by default (the server
    #ascii_download_enable=YES        accepts the "ascii" command but ignores it), which is faster and avoids
                                      the "SIZE /big/file" ASCII-mode DoS that affects other ftpd's.
    
    #ftpd_banner=Welcome to YoLinux - Customize the login banner string.
    
    #deny_email_enable=YES          - Refuse the anonymous passwords (e-mail addresses) listed in
    #banned_email_file=/etc/vsftpd.banned_emails   banned_email_file. Used to combat certain DoS attacks.
                                      (Ubuntu default path. Red Hat: /etc/vsftpd/banned_emails)
    
    #chroot_list_enable=YES         - Consult chroot_list_file. With chroot_local_user=NO (the default) the
    #chroot_list_file=/etc/vsftpd.chroot_list  listed users are the ones chroot()'d to their home directory;
                                      with chroot_local_user=YES they are the ones NOT chroot()'d.
                                      (Ubuntu default path. Red Hat: /etc/vsftpd/chroot_list)
    
    ls_recurse_enable=YES           - Allow "ls -R" recursive directory listing. Default is disabled.
    
    pam_service_name=vsftpd         - PAM service name, i.e. the file /etc/pam.d/vsftpd.
    
    userlist_enable=YES             - (Ubuntu default) Consult the user list: Ubuntu /etc/vsftpd.user_list,
                                      Red Hat /etc/vsftpd/user_list. With userlist_deny=YES (the default) the
                                      listed users are denied; with userlist_deny=NO only the listed users
                                      may log in. userlist_enable=NO ignores the list entirely.
    
    listen=YES                      - Enable for standalone mode as opposed to an xinetd service.
                                      Must set SELinux boolean: setsebool -P ftpd_is_daemon 1
    
    tcp_wrappers=YES                - Honour /etc/hosts.allow and /etc/hosts.deny (if vsftpd was built with
                                      tcp_wrappers support).
    Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

    [Potential Pitfall]: vsftpd does NOT support comments on the same line as a directive. Only a line whose first character is "#" is a comment, so in:

    directive=XXX # comment

    the value seen by vsftpd is "XXX # comment", and for a boolean directive it refuses to start with "bad bool value in config file".

    vsftpd.conf man page (man 5 vsftpd.conf)

  • Specify list of local users chrooted to their home directories:
    • Red Hat: /etc/vsftpd/chroot_list
    • Ubuntu: /etc/vsftpd.chroot_list
    (Requires: chroot_list_enable=YES; the path can be overridden with chroot_list_file=)
    user1
    user2
    ...
    user-n
    With chroot_local_user=NO (the default) the listed users are the ones chroot'd. With chroot_local_user=YES the meaning inverts: every local user is chroot'd except those listed.

  • Specify list of users:
    • Red Hat: /etc/vsftpd/user_list
    • Ubuntu: /etc/vsftpd.user_list
    (Requires: userlist_enable=YES. With userlist_deny=YES, the default, this is a deny list, checked at the USER command before any password is requested.)
    Also see PAM configuration below.
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...
    If userlist_deny=NO, the file is instead the list of the only users allowed to log in.

  • PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd
    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_shells.so
    account    required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
        
    This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list; specify the user in both files, as PAM is independent of the vsftpd configuration (user_list is checked at the USER command, the PAM list only once a password has been sent). The file= path must match where ftpusers actually lives: newer Red Hat packages use /etc/vsftpd/ftpusers. pam_shells.so additionally refuses any account whose shell is not listed in /etc/shells. The pam_stack.so module is specific to Fedora Core 3 era releases; later releases use "auth include system-auth" instead.

    PAM authentication configuration file: ftpusers
    • Red Hat: /etc/vsftpd/ftpusers
    • Ubuntu: /etc/vsftpd.ftpusers
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...
    ...
    ...
    user6     - Users to deny
    user8
    ...
    ...
        

  • Logrotate configuration file: /etc/logrotate.d/vsftpd.log
    /var/log/xferlog {
        # ftpd doesn't handle SIGHUP properly
        nocompress
        missingok
    }
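
Because vsftpd rejects a trailing comment and a misspelled directive, and because anonymous_enable is YES when omitted, it pays to lint the file before restarting the service. The following is an added example, not vsftpd code and not from the original page: a small Python checker that parses vsftpd.conf (first-character "#" comments only, key=value otherwise), fills in the compiled-in defaults for the directives discussed on this page, and reports the pitfalls. Its directive table is restricted to directives that appear on this page, so treat its "unknown directive" finding as a spelling hint; the sample configuration is constructed and deliberately flawed.

```python
"""Added example: a lint for vsftpd.conf covering this page's two pitfalls
(inline comments, misspelled directives) and settings that are dangerous by
omission. Not vsftpd code. The directive tables cover only directives that
appear on this page, so an "unknown directive" finding is a spelling hint."""

# Compiled-in defaults (vsftpd.conf(5)) for the security-relevant directives.
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chroot_local_user": "NO",
    "chroot_list_enable": "NO", "chown_uploads": "NO", "chown_username": "root",
    "userlist_enable": "NO", "userlist_deny": "YES", "local_umask": "077",
    "listen": "NO",
}
KNOWN = set(DEFAULTS) | {
    "dirmessage_enable", "message_file", "xferlog_enable", "xferlog_file",
    "xferlog_std_format", "vsftpd_log_file", "connect_from_port_20",
    "idle_session_timeout", "data_connection_timeout", "accept_timeout",
    "connect_timeout", "nopriv_user", "async_abor_enable", "ascii_upload_enable",
    "ascii_download_enable", "ftpd_banner", "deny_email_enable",
    "banned_email_file", "chroot_list_file", "ls_recurse_enable",
    "pam_service_name", "userlist_file", "tcp_wrappers", "force_dot_files",
    "guest_enable", "hide_ids", "pasv_min_port", "pasv_max_port",
    "one_process_model", "max_per_ip", "anon_max_rate", "anon_root",
    "anon_world_readable_only",
}

def is_yes(value):
    return value.upper() in ("YES", "TRUE", "1")

def parse_conf(text):
    """Parse vsftpd.conf text into (settings, findings). vsftpd treats a line
    as a comment only when its first character is '#'; there is no inline
    comment syntax, so 'key=YES # note' yields the value 'YES # note'."""
    settings, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            findings.append(("error", lineno, "not a key=value line: %r" % raw))
            continue
        key, value = line.split("=", 1)
        if "#" in value:
            findings.append(("error", lineno, "%s: trailing comment becomes part "
                             "of the value; vsftpd will reject it" % key))
            value = value.split("#", 1)[0]      # analyse the intended value anyway
        if key not in KNOWN:
            findings.append(("warning", lineno,
                             "%s: unknown directive; check the spelling" % key))
        settings[key] = value.strip()
    return settings, findings

def effective(settings):
    """Settings with the compiled-in defaults filled in."""
    eff = dict(DEFAULTS)
    eff.update(settings)
    return eff

def audit(text):
    """Return [(severity, lineno, message)]; lineno 0 = whole-config finding."""
    settings, findings = parse_conf(text)
    eff = effective(settings)
    if "anonymous_enable" not in settings:
        findings.append(("warning", 0, "anonymous_enable not set: the compiled-in "
                         "default is YES, so anonymous FTP is on"))
    anon_write = any(is_yes(eff[k]) for k in ("anon_upload_enable",
                     "anon_mkdir_write_enable", "anon_other_write_enable"))
    if is_yes(eff["anonymous_enable"]) and is_yes(eff["write_enable"]) and anon_write:
        findings.append(("warning", 0, "anonymous users can write to the server"))
    if (is_yes(eff["local_enable"]) and is_yes(eff["write_enable"])
            and not is_yes(eff["chroot_local_user"])):
        findings.append(("warning", 0, "local users can write and are not chrooted: "
                         "each reaches every path its Unix account can"))
    if is_yes(eff["chown_uploads"]) and eff["chown_username"] == "root":
        findings.append(("error", 0, "chown_username=root with chown_uploads=YES: "
                         "uploads become root-owned files"))
    return findings

# Constructed sample for this example, deliberately flawed.
SAMPLE_CONF = """\
# constructed, not a real server's configuration
local_enable=YES
write_enable=YES # allow uploads
anon_upload_enabled=YES
chown_uploads=YES
chown_username=root
listen=YES
"""

def main():
    for severity, lineno, message in audit(SAMPLE_CONF):
        print("%-7s %-7s %s" % (severity, "line %d" % lineno if lineno else "config", message))

if __name__ == "__main__":
    main()
```

Point audit() at the real file (open("/etc/vsftpd/vsftpd.conf").read()) before a service vsftpd restart; every "error" is something vsftpd itself will refuse, while the "warning" lines are the settings this page tells you to think about before exposing the server.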
        

Sample vsFTPd configurations:

  • Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf
    # Access rights
    anonymous_enable=YES          - Turn on anonymous FTP
    chown_uploads=YES             - Uploaded files owned by an assigned user (inert here, since uploads are off below)
    chown_username=ftp            - Uploaded files owned by this assigned user
    local_enable=NO               - No logins by local system accounts
    write_enable=NO               - No command that changes the file system (STOR, DELE, MKD, ...) is allowed
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
    # Security
    anon_world_readable_only=YES
    connect_from_port_20=YES
    force_dot_files=NO
    guest_enable=NO
    hide_ids=YES
    pasv_min_port=50000
    pasv_max_port=60000
    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES
    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    max_per_ip=4
    anon_max_rate=50000
    
    pam_service_name=vsftpd
    userlist_enable=YES
    #enable for standalone mode
    listen=YES
    tcp_wrappers=YES
    
    Anonymous logins use the login name "anonymous" (vsftpd also accepts "ftp") and the user supplies an e-mail address as the password; any password is accepted. This is used to allow the public to download files from an ftp server. Generally, no upload is permitted.

  • Web hosting configuration: /etc/vsftpd/vsftpd.conf
    # Access rights
    anonymous_enable=NO
    local_enable=YES                              - Allow users to ftp to their home directories
    write_enable=YES                              - Allow users to STOR,  DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
    local_umask=022
    # Security
    connect_from_port_20=YES
    force_dot_files=NO
    guest_enable=NO                               - Don't remap user name
    ftpd_banner=Welcome to Super Duper Hosting    - Customize the login banner string.
    chroot_local_user=YES                         - Jail every local user in their own home directory
    chroot_list_enable=YES                        - Enable the exception list: with chroot_local_user=YES the listed users are NOT chrooted
    chroot_list_file=/etc/vsftpd.chroot_list      - Actual list of system / power users exempt from the chroot
    hide_ids=YES
    pasv_min_port=50000
    pasv_max_port=60000
    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES
    dirmessage_enable=YES                         - Message greeting held in file .message or specify with message_file=...
    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    max_per_ip=4
    #
    pam_service_name=vsftpd
    userlist_enable=YES
    #enable for standalone mode
    listen=YES
    tcp_wrappers=YES
    

    Specify the list of local users NOT chrooted (because chroot_local_user=YES above): the file named by chroot_list_file, here /etc/vsftpd.chroot_list
    (Ubuntu's stock path; Red Hat's stock path is /etc/vsftpd/chroot_list)
    (Requires: chroot_list_enable=YES)

    user1
    user2
    ...
    user-n
    The meaning inverts with chroot_local_user=NO: then the listed users are the only ones chroot'd.
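
To make the inverted semantics of these lists concrete, here is an added example (not vsftpd's code and not from the original page) that decides, for one login name, whether the web hosting configuration above admits it and whether it ends up chrooted. The settings dict mirrors the directives above; the user names alice and webadmin and the list contents are constructed for the example, and only local (PAM-authenticated) users are modelled.

```python
"""Added example: what vsftpd's user lists do to a given login name.

Not vsftpd code. The settings dict holds vsftpd.conf directives as strings;
the three lists hold the line contents of user_list, ftpusers and
chroot_list. Only local (PAM-authenticated) users are modelled; the
anonymous account is handled by vsftpd separately and is left out here."""

def is_yes(settings, key, default):
    """vsftpd boolean directive, falling back to its compiled-in default."""
    return settings.get(key, default).upper() in ("YES", "TRUE", "1")

def login_allowed(user, settings, user_list, ftpusers):
    """Return (allowed, reason) for a local user, in the order the checks
    are applied: local_enable, then user_list at the USER command, then
    PAM's pam_listfile deny list (ftpusers) once the password is sent."""
    if not is_yes(settings, "local_enable", "NO"):
        return False, "local_enable=NO: local logins are off"
    if is_yes(settings, "userlist_enable", "NO"):
        listed = user in user_list
        deny_mode = is_yes(settings, "userlist_deny", "YES")
        if deny_mode and listed:
            return False, "in user_list and userlist_deny=YES (deny list)"
        if not deny_mode and not listed:
            return False, "not in user_list and userlist_deny=NO (allow list)"
    if user in ftpusers:
        return False, "in ftpusers (PAM pam_listfile sense=deny)"
    return True, "login permitted"

def chrooted(user, settings, chroot_list):
    """chroot_list is an exception list whose meaning flips with
    chroot_local_user: with chroot_local_user=NO the listed users are the
    ones chrooted; with chroot_local_user=YES they are the ones NOT chrooted."""
    listed = is_yes(settings, "chroot_list_enable", "NO") and user in chroot_list
    if is_yes(settings, "chroot_local_user", "NO"):
        return not listed
    return listed

def describe(user, settings, user_list, ftpusers, chroot_list):
    """One-line verdict; returned rather than printed so it can be checked."""
    ok, why = login_allowed(user, settings, user_list, ftpusers)
    if not ok:
        return "%-10s denied   (%s)" % (user, why)
    jail = "chrooted to $HOME" if chrooted(user, settings, chroot_list) else "NOT chrooted"
    return "%-10s allowed  %s" % (user, jail)

# Constructed inputs: the web hosting configuration above, the page's
# default deny lists, and a one-name chroot exception list.
WEB_HOSTING = {
    "anonymous_enable": "NO",
    "local_enable": "YES",
    "write_enable": "YES",
    "chroot_local_user": "YES",
    "chroot_list_enable": "YES",
    "userlist_enable": "YES",
}
USER_LIST = ["root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt"]
FTPUSERS = USER_LIST + ["user6", "user8"]
CHROOT_LIST = ["webadmin"]          # hypothetical "power user" exempt from the chroot

def main():
    for user in ("alice", "webadmin", "root", "user6"):
        print(describe(user, WEB_HOSTING, USER_LIST, FTPUSERS, CHROOT_LIST))
    # Same chroot_list with chroot_local_user=NO: the list's meaning inverts.
    flipped = dict(WEB_HOSTING, chroot_local_user="NO")
    print("with chroot_local_user=NO:")
    for user in ("alice", "webadmin"):
        print(describe(user, flipped, USER_LIST, FTPUSERS, CHROOT_LIST))

if __name__ == "__main__":
    main()
```

Run it and compare the second group of lines with the first: the same chroot_list entry jails webadmin under chroot_local_user=NO and exempts it under chroot_local_user=YES, while alice gets the opposite treatment each time. One caveat for later versions: vsftpd 3.0.0 and newer refuse to log a chrooted user in when the chroot root (the home directory) is writable, unless allow_writeable_chroot=YES is set, so the write_enable=YES web hosting configuration above needs that directive or a non-writable home directory after an upgrade.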

[Potential Pitfall]: Misspelling a directive (or giving a boolean directive a value other than YES/NO) makes vsftpd exit at startup with a message of the form "500 OOPS: unrecognised variable in config file: <name>". When run under xinetd that message is only shown to the connecting client, so the failure is easy to miss on the server side.

File: .message

A NOTE TO USERS UPLOADING FILES:
   File names may consist of letters (a-z, A-Z), numbers (0-9),
   an under score ("_"), dash ("-") or period (".") only.
   The file name may not begin with a period or dash.

Test if vsftpd is listening: netstat -a | grep ftp (port 21 appears as "ftp" because of its /etc/services entry; netstat -tln | grep ':21 ' shows the numeric form)

[root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN

Links: