Vsftpd is a popular FTP server for Unix/Linux systems. For those unaware of the vsftpd FTP server, note that this is not just another FTP server but a mature product that has been around for over 12 years in the Unix world. While vsftpd is found as an installation option on many Linux distributions, Linux system administrators do not often find installation and configuration instructions for it, which is why we decided to cover it on Firewall.cx.
This article focuses on the installation and setup of the vsftpd service on Red Hat Enterprise Linux, Fedora and CentOS; however, it is applicable to almost all other Linux distributions. We'll also take a look at a number of useful tips, including setting quotas, restricting access to anonymous users, disabling uploads, setting up a dedicated partition for the FTP service, configuring the system's iptables firewall and much more.
VSFTPD Features
Following is a list of vsftpd's features, which confirms that this small FTP package is capable of delivering a lot more than most FTP servers out there:
- Virtual IP configurations
- Virtual users
- Standalone or inetd operation
- Powerful per-user configurability
- Bandwidth throttling
- Per-source-IP configurability
- Per-source-IP limits
- IPv6
- Encryption support through SSL integration
- and much more....!
Installing the VSFTPD Linux Server
To initiate the installation of the vsftpd package, simply open your CLI prompt and use the yum command (you need root privileges) as shown below:
# yum install vsftpd
Yum will automatically locate, download and install the latest vsftpd version.
Configure VSFTPD Server
To open the configuration file, type:
# vi /etc/vsftpd/vsftpd.conf
Turn off the standard ftpd xferlog log format and turn on the verbose vsftpd log format by making the following changes in the vsftpd.conf file:
xferlog_std_format=NO
log_ftp_protocol=YES
Note: the default vsftpd log file is /var/log/vsftpd.log.
These two directives will enable logging of all FTP transactions.
To lock down users to their home directories:
chroot_local_user=YES
You can create warning banners for all FTP users by defining the path:
banner_file=/etc/vsftpd/issue
Now you can create the /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:
“NOTICE TO USERS - Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address”.
Turn On VSFTPD Service
Turn on vsftpd on boot:
# systemctl enable vsftpd@.service
Start the service:
# systemctl start vsftpd@vsftpd.service
You can verify the service is running and listening on the correct port using the following command:
# netstat -tulpn | grep :21
Here's the expected output:
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      9734/vsftpd
Configure IPtables To Protect The FTP Server
In case iptables is configured on the system, it will be necessary to edit the iptables file and open the ports used by FTP to ensure the service's operation.
To open the file /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following line, ensuring that it appears before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Next, open the file /etc/sysconfig/iptables-config:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection-tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the file and finally restart the firewall using the following commands:
# systemctl restart iptables.service
# systemctl restart ip6tables.service
Tip: View FTP Log File
Type the following command:
# tail -f /var/log/vsftpd.log
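Beyond tailing the log, the verbose format enabled above (log_ftp_protocol=YES, xferlog_std_format=NO) is easy to summarise. The following is an added example, not code from the article: it counts failed logins per client and successful uploads per user over a few constructed sample log lines in vsftpd's format; on a real host the functions are pointed at /var/log/vsftpd.log.

```shell
#!/bin/sh
# Added example, not part of the article: summarise failed logins per client
# from vsftpd's verbose log. With log_ftp_protocol=YES and xferlog_std_format=NO
# vsftpd writes lines like the constructed samples below; on a real host point
# the functions at /var/log/vsftpd.log instead of the sample file.
SAMPLE_LOG='Mon Mar 03 10:15:01 2014 [pid 2101] CONNECT: Client "203.0.113.7"
Mon Mar 03 10:15:03 2014 [pid 2100] [bob] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 03 10:15:05 2014 [pid 2100] [bob] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 03 10:15:09 2014 [pid 2100] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 03 10:16:40 2014 [pid 2105] CONNECT: Client "198.51.100.20"
Mon Mar 03 10:16:42 2014 [pid 2104] [alice] OK LOGIN: Client "198.51.100.20"
Mon Mar 03 10:17:00 2014 [pid 2106] [alice] OK UPLOAD: Client "198.51.100.20", "/home/alice/report.pdf", 20480 bytes, 512.00Kbyte/sec
Mon Mar 03 10:18:12 2014 [pid 2110] [bob] FAIL LOGIN: Client "198.51.100.20"'

# write_sample_log FILE: store the constructed sample where the functions can read it
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# client_of_line: print the address inside Client "..." for each input line
client_of_line() {
    sed -n 's/.*Client "\([^"]*\)".*/\1/p'
}

# failed_logins_by_client LOGFILE: "COUNT IP" per client, highest count first
failed_logins_by_client() {
    grep 'FAIL LOGIN' "$1" | client_of_line | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# clients_over_threshold LOGFILE N: clients with more than N failed logins,
# i.e. candidates for a DROP rule in the iptables chain the article edits
clients_over_threshold() {
    failed_logins_by_client "$1" | awk -v n="$2" '$1 > n { print $2 }'
}

# uploads_by_user LOGFILE: "COUNT USER" for successful uploads (the [user] field)
uploads_by_user() {
    grep 'OK UPLOAD' "$1" | sed -n 's/.*] \[\([^]]*\)] OK UPLOAD.*/\1/p' | sort | uniq -c |
        awk '{ print $1, $2 }'
}

# Usage on a live host: failed_logins_by_client /var/log/vsftpd.log
```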
Tip: Restricting Access to Anonymous User Only
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
local_enable=NO
Tip: To Disable FTP Uploads
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
write_enable=NO
Tip: To Enable Disk Quota
Disk quota must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which sets the directory vsftpd will try to change into after an anonymous login:
anon_root=/ftp/ftp/pub
The FTP users are the same users as those on the hosting machine.
You could have a separate group for FTP users, to help keep their privileges down (for example 'anonftpusers'). Knowing that, your script should do:
useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob
echo bobspassword | passwd --stdin bob
echo bob >> /etc/vsftpd/user_list
Be extremely careful with your scripts, as they will have to be run as root.
However, for this to work you will have to have the following options enabled in /etc/vsftpd/vsftpd.conf:
userlist_enable=YES
userlist_deny=NO
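Because such a script runs as root, the three commands above deserve a few guards. The following is an added example, not the article's script: it validates the username before it reaches useradd, reads the password from stdin instead of the command line, and appends to user_list only once so repeated runs do not duplicate entries. It assumes the article's group name (anonftpusers) and user_list path; the password file path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not the article's own script: provision one FTP user the way
# the article describes, with the checks a root-run script should have. It
# assumes the article's group name (anonftpusers) and user_list path. The
# password is read from stdin rather than a command-line argument, so it never
# shows in "ps" output or shell history, and the user_list append happens once,
# so re-running the script does not add duplicate lines.
LC_ALL=C; export LC_ALL   # fixed locale so the [a-z] ranges below mean ASCII
FTP_GROUP=anonftpusers
USER_LIST=/etc/vsftpd/user_list

# valid_ftp_username NAME: a lowercase letter followed by up to 31 of [a-z0-9_-];
# anything else (empty, uppercase, spaces, ';', ...) is refused before useradd sees it
valid_ftp_username() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# in_user_list NAME FILE: whole-line fixed-string match, so "bob" does not match "bobby"
in_user_list() {
    grep -qxF -- "$1" "$2" 2>/dev/null
}

# add_to_user_list NAME FILE: append the name unless it is already listed
add_to_user_list() {
    in_user_list "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

# add_ftp_user NAME HOMEDIR (password on stdin): create the account with the
# article's useradd options, set its password and allow it in user_list.
# Runs as root; chpasswd stands in for the Red Hat-only "passwd --stdin".
add_ftp_user() {
    name=$1 home=$2
    valid_ftp_username "$name" || { echo "refusing invalid username" >&2; return 1; }
    getent group "$FTP_GROUP" >/dev/null || { echo "group $FTP_GROUP missing" >&2; return 1; }
    IFS= read -r password || return 1
    if ! getent passwd "$name" >/dev/null; then
        useradd -d "$home" -g "$FTP_GROUP" -s /sbin/nologin "$name" || return 1
    fi
    printf '%s:%s\n' "$name" "$password" | chpasswd || return 1
    add_to_user_list "$name" "$USER_LIST"
}

# Usage (as root), with the password in a root-only file (placeholder path):
#   add_ftp_user bob /www/htdocs/hosted/bob < /root/bob.pass
```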
Security Tip: Place the FTP Directory on its Own Partition
Separating the operating system files from the FTP users' files results in a better-secured system. Restricting the growth of certain file systems is possible using various techniques. For example, use a /ftp partition to store all FTP home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:
/dev/sda5    /ftp    ext3    defaults,nosuid,nodev,noexec,usrquota    1 2
Example File for vsftpd.conf
Following is an example vsftpd.conf. It allows the users listed in the user_list file to log in, no anonymous users, and quite tight restrictions on what users can do:
# Allow anonymous FTP?
anonymous_enable=NO
#
# Allow local users to log in?
local_enable=YES
#
# Allow any form of FTP write command.
write_enable=YES
#
# To make files uploaded by your users writable by only
# themselves, but readable by everyone; and if, through some
# misconfiguration, an anonymous user manages to upload a file,
# the file will have no read, write or execute permission. Just to be
# safe.
local_umask=0000
file_open_mode=0644
anon_umask=0777
#
# Allow the anonymous FTP user to upload files?
anon_upload_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# Activate logging of uploads/downloads?
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)?
connect_from_port_20=YES
#
# Log file in standard ftpd xferlog format?
xferlog_std_format=NO
#
# User for vsftpd to run as?
nopriv_user=vsftpd
#
# Login banner string:
ftpd_banner=NOTICE TO USERS - Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.
#
# chroot local users (only allow users to see their directory)?
chroot_local_user=YES
#
# PAM service name?
pam_service_name=vsftpd
#
# Enable user_list (see next option)?
userlist_enable=YES
#
# Should the user_list file specify users to deny (=YES) or to allow (=NO)?
userlist_deny=NO
#
# Standalone (not run through xinetd) listen mode?
listen=YES
#
# Use TCP wrappers (hosts.allow/hosts.deny) for access control?
tcp_wrappers=NO
#
# Log all ftp actions (not just transfers)?
# Initially YES for troubleshooting, later change to NO.
log_ftp_protocol=YES
#
# Show file ownership as ftp:ftp instead of real users?
hide_ids=YES
#
# Allow ftp users to change permissions of files?
chmod_enable=NO
#
# Use local time?
use_localtime=YES
#
# List of raw FTP commands which are allowed (some commands may be a security hazard).
# DELE (not DEL) is the FTP delete command.
cmds_allowed=ABOR,QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,NLST,PORT,SYST,PRET,MDTM,DELE,MKD,RMD
With this config, uploaded files are not readable or executable by anyone, so the server is acting as a 'dropbox'. Change the file_open_mode option to change that.
Lastly, it is also advised to have a look at 'man vsftpd.conf' for a full list and description of all options.
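A config like the one above tends to drift as people troubleshoot, so it pays to re-check the security-relevant keys. The following is an added example, not code from the article: it reads a vsftpd.conf the way vsftpd does (commented lines ignored, last assignment wins) and reports every key that deviates from the hardened values used in the example config. The two sample configs it writes are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the article: check a vsftpd.conf against the
# hardening values the article's example config uses. The key list comes
# from the article; both sample configs written below are constructed.
# Expected key=value pairs. A key absent from the file falls back to vsftpd's
# compiled-in default, so the audit requires each one to be set explicitly.
EXPECTED='anonymous_enable=NO
anon_upload_enable=NO
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
chmod_enable=NO
hide_ids=YES
xferlog_enable=YES
log_ftp_protocol=YES
xferlog_std_format=NO'

# conf_get FILE KEY: value of KEY as vsftpd reads it (commented lines are
# ignored, the last assignment wins); exit status 1 if the key is not set
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | grep .
}

# audit_conf FILE: one line per deviation from EXPECTED, no output if clean
audit_conf() {
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        have=$(conf_get "$1" "$key") || have='<unset>'
        [ "$have" = "$want" ] || printf '%s: want %s, have %s\n' "$key" "$want" "$have"
    done
}

# conf_is_hardened FILE: succeeds only when audit_conf reports nothing
conf_is_hardened() {
    [ -z "$(audit_conf "$1")" ]
}

# write_hardened_conf FILE: constructed config holding exactly the expected values
write_hardened_conf() {
    printf '# constructed sample\n%s\n' "$EXPECTED" > "$1"
}

# write_weak_conf FILE: constructed config with anonymous access on, the chroot
# line commented out and user_list turned into a deny list
write_weak_conf() {
    printf '# constructed sample\n%s\n' "$EXPECTED" |
        sed -e 's/^anonymous_enable=NO/anonymous_enable=YES/' \
            -e 's/^chroot_local_user=/#chroot_local_user=/' \
            -e 's/^userlist_deny=NO/userlist_deny=YES/' > "$1"
}
```

On a live host run audit_conf /etc/vsftpd/vsftpd.conf; an empty result means every listed key is set to the hardened value.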