Friday, August 31, 2012

Red Hat / CentOS VSFTPD FTP Server Configuration


Vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.
In this guide you will learn how to:
1. Set up vsftpd to provide FTP service.
2. Configure vsftpd.
3. Configure firewalls to protect the FTP server.
4. Configure vsftpd with SSL/TLS.
5. Set up vsftpd as a download-only anonymous Internet server.
6. Set up vsftpd with virtual users, and much more.

Vsftpd offers security, performance and stability over other servers. A quick list of vsftpd features:
1. Virtual IP configurations
2. Virtual users
3. Standalone or inetd / xinetd operation
4. Per-user configuration
5. Bandwidth throttling
6. Per-source-IP configurability
7. Per-source-IP limits
8. IPv6 ready
9. Encryption support through SSL integration
10. And much more.

Install Vsftpd FTP Server

Install the vsftpd package via yum command:

# yum install vsftpd

Vsftpd Defaults

1. Default ports: TCP / UDP - 21 and 20
2. Main configuration file: /etc/vsftpd/vsftpd.conf
3. Users that are not allowed to log in via FTP: /etc/vsftpd/ftpusers

Configure Vsftpd Server

Open the configuration file, type:

# vim /etc/vsftpd/vsftpd.conf

Turn off standard ftpd xferlog log format:

xferlog_std_format=NO

Turn on verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:

log_ftp_protocol=YES

The two directives above enable logging of all FTP transactions. Lock users into their home directories:

chroot_local_user=YES

Create warning banners for all FTP users:

banner_file=/etc/vsftpd/issue

Create /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

NOTICE TO USERS
Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.

Turn On Vsftpd Service

Turn on vsftpd on boot:

# chkconfig vsftpd on

Start the service:

# service vsftpd start

Verify that vsftpd is listening on port 21:

# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server

Open file /etc/sysconfig/iptables, enter:

# vim /etc/sysconfig/iptables

Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Open file /etc/sysconfig/iptables-config, enter:

# vim /etc/sysconfig/iptables-config

Ensure that the space-separated list of modules contains the FTP connection tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file. Restart firewall:

# service iptables restart

Tip: View FTP Log File


Type the following command:

# tail -f /var/log/vsftpd.log

Sample output:

Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER vivekda"
Thu May 21 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "10.1.3.108", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "10.1.3.108", "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "230 Login successful."

Tip: Restrict Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO

Tip: Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO

Security Tip: Place the FTP Directory on its Own Partition

Separating the operating system files from the FTP users' files results in a more robust and secure system, and the growth of a file system can be restricted with various techniques. For example, use a dedicated /ftp partition to store all FTP home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:

/dev/sda5  /ftp   ext3 defaults,nosuid,nodev,noexec,usrquota 1 2


Disk quotas must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which names the directory vsftpd will try to change into after an anonymous login:

anon_root=/ftp/ftp/pub

Create An FTP User Account


Now your FTP server is up and running. It is time to add users to the FTP server so that they can log in to their accounts to upload and download files. To add a user called mike and set the password, enter:

# adduser -c 'FTP USER mike' -m mike
# passwd mike

Now mike can log in to the FTP server. Make sure the following is set in vsftpd.conf:

local_enable=YES

Restart vsftpd:

# service vsftpd restart

Allow Anonymous FTP Access

Edit the vsftpd configuration file, enter:

# vi /etc/vsftpd/vsftpd.conf

Add or correct the following configuration options. Enable anonymous access:

anonymous_enable=YES

Disable local users login to ftp server:

local_enable=NO

Disable file uploads and write permission on the FTP server:

write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

Only allow anonymous users to download files that are world-readable, hide the real owner and group in directory listings, and pin the passive port range:

anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=40000
pasv_max_port=60000

Turn on logging:

xferlog_enable=YES
# Do not allow "ls -R", which can consume a lot of resources
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES

Set performance options:

# Use one process per connection to gain performance.
# This is used to support huge numbers of simultaneously connected users.
one_process_model=YES
# The timeout, in seconds, which is the maximum time a remote client may spend
# between FTP commands.  If the timeout triggers, the remote client is kicked off.
idle_session_timeout=120
# The timeout, in seconds, which is roughly the maximum time we permit data
# transfers to stall for with no progress. If the timeout triggers, the remote client
# is kicked off.
data_connection_timeout=300
# The timeout, in seconds, for a remote client to establish connection with
# a PASV style data connection.
accept_timeout=60
# The timeout, in seconds, for a remote client to respond to our PORT
# style data connection.
connect_timeout=60
# The maximum data transfer rate permitted, in bytes per second,
# for anonymous clients.
anon_max_rate=50000

Restart the ftp server:

# service vsftpd restart
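An added check (not from the original post or the vsftpd project) that audits a vsftpd.conf against the download-only anonymous profile built in this section and the logging directives from the earlier "Configure Vsftpd Server" section. Both sample configurations are constructed here; the rule that the passive port range must be pinned is a policy choice of this audit, not a vsftpd requirement.

```python
import re
from typing import Dict, List

# vsftpd.conf syntax: option=value, one per line, no spaces around '='
_LINE = re.compile(r"^([A-Za-z_]+)=(.*)$")

# Values this post sets for the anonymous, download-only server, plus the
# logging directives from the earlier "Configure Vsftpd Server" section.
EXPECTED = dict(
    anonymous_enable="YES", local_enable="NO", write_enable="NO",
    anon_upload_enable="NO", anon_mkdir_write_enable="NO",
    anon_other_write_enable="NO", anon_world_readable_only="YES",
    hide_ids="YES", ls_recurse_enable="NO", xferlog_enable="YES",
    xferlog_std_format="NO", log_ftp_protocol="YES",
)


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return option -> value. Blank lines and '#' comments are skipped;
    if an option repeats, the last occurrence wins (as in vsftpd)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            m = _LINE.match(line)
            if m:
                conf[m.group(1)] = m.group(2).strip()
    return conf


def audit_anonymous_profile(conf: Dict[str, str]) -> List[str]:
    """List every deviation from EXPECTED. An absent option is a finding
    too: the audit wants explicit values, not compiled-in defaults."""
    findings = []
    for opt, want in EXPECTED.items():
        got = conf.get(opt)
        if got is None:
            findings.append(f"{opt} not set (expected {want})")
        elif got.upper() != want:
            findings.append(f"{opt}={got} (expected {want})")
    # Policy: pin the passive range so the firewall can be scoped to it.
    try:
        lo = int(conf.get("pasv_min_port", "0"))
        hi = int(conf.get("pasv_max_port", "0"))
    except ValueError:
        lo = hi = 0
    if not 1024 <= lo <= hi <= 65535:
        findings.append("pasv_min_port/pasv_max_port range not pinned")
    return findings


# Constructed sample: a stock-looking config before hardening.
WEAK_CONF = ("anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n"
             "xferlog_enable=YES\nxferlog_std_format=YES\n")

# Constructed sample: the profile from this post, with a comment line.
HARDENED_CONF = ("# hardened anonymous download-only server\n"
                 + "".join(f"{k}={v}\n" for k, v in EXPECTED.items())
                 + "pasv_min_port=40000\npasv_max_port=60000\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_anonymous_profile(parse_vsftpd_conf(text)) or "OK")
```

Run it against the live file with `audit_anonymous_profile(parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read()))`; an empty list means every directive above is set as this post describes.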

Pluggable Authentication Module

vsftpd authenticates users through PAM; its rules live in /etc/pam.d/vsftpd:

# vim /etc/pam.d/vsftpd

The sense option of the pam_listfile line in this file takes allow or deny (the shipped configuration uses deny):

If it is set to deny, the users listed in /etc/vsftpd/ftpusers are unable to log in.
If it is set to allow, only the users listed in /etc/vsftpd/ftpusers are able to log in.

CentOS / Red Hat Configure an NTP Client And Server


How do I configure an NTP (Network Time Protocol) client or server under CentOS / RHEL / Fedora Linux to manage the system clock over a network?

The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. Under CentOS / RHEL you can use NTP or OpenNTPD server software. Both packages provide client and server software programs for time synchronization.

Install ntp

The ntp package contains utilities and daemons that synchronize your computer's time to Coordinated Universal Time (UTC) via the NTP protocol and NTP servers. It includes ntpdate (a program for retrieving the date and time from remote machines over the network) and ntpd (a daemon which continuously adjusts the system time). Install the ntp package:

# yum install ntp

How do I configure an NTP Client?

Simply open /etc/ntp.conf file, enter:

# vi /etc/ntp.conf

Make sure the following line exists:

server ntp.server.com

Where,
- ntp.server.com : the hostname or IP address of the site NTP server. If your NTP server is located at 192.168.1.5, enter server 192.168.1.5. You can also use a public NTP server from ntp.org.

You can also run ntpd using cron:

# echo '30 * * * * root /usr/sbin/ntpd -q -u ntp:ntp' > /etc/cron.d/ntpd

The above instructs crond to run ntpd at minute 30 of every hour; the -q option makes ntpd set the clock once and exit, and -u ntp:ntp runs it as the ntp user and group.

Configure an NTP Server

If you have many servers and desktop systems, configure your own NTP server. Your NTP server contacts a central NTP server, provided by your ISP or a public time server at ntp.org, to obtain accurate time data. The server then allows other machines on your network to request the time data. Our sample setup:

192.168.1.5     ==> CentOS / Fedora / RHEL NTPD server.
202.54.1.5      ==> ISP remote NTP server.
192.168.1.0/24  ==> NTP clients, including desktop systems.

First, install and enable ntpd on 192.168.1.5:

# yum install ntp

# chkconfig ntpd on

Now open /etc/ntp.conf:

# vi /etc/ntp.conf

Make sure the following line exists:

restrict default ignore

The line above denies all access to every machine, server and client alike. You then need to authorise specific peers explicitly. Set it as follows:

restrict 202.54.1.5 mask 255.255.255.255 nomodify notrap noquery
server 202.54.1.5

Replace 202.54.1.5 (and the mask, if needed) with the address of your actual ISP or ntp.org NTP server. Save and close the file.

Configure NTP Clients to Access Your NTP Server

Now you need to allow legitimate NTP clients to access the server. For example, allow the 192.168.1.0/24 network to synchronize to this server located at 192.168.1.5. Open /etc/ntp.conf and add a policy as follows:

# Hosts on local network are less restricted.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Update your firewall settings, open /etc/sysconfig/iptables.

# vi /etc/sysconfig/iptables

Add the following line, before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

Save and close the file. Finally, start ntpd:

# service ntpd start

# service iptables restart

# netstat -tulpn
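The restrict policy assembled above, evaluated the way ntpd applies it (the most specific matching entry wins, and a host matched by no entry is unrestricted), as an added example rather than code from the original post. The sample /etc/ntp.conf is the one built in this section; the client addresses used in the note below are constructed, and only IPv4 entries are handled.

```python
import ipaddress
from typing import FrozenSet, List, NamedTuple, Optional

class Restrict(NamedTuple):
    network: ipaddress.IPv4Network
    flags: FrozenSet[str]

def parse_ntp_conf(text: str) -> List[Restrict]:
    """Collect IPv4 'restrict' entries: 'default' is 0.0.0.0/0, an address
    without 'mask' is a single host; IPv6 and hostname entries are skipped."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        addr, rest = parts[1], parts[2:]
        if addr == "default":
            addr = "0.0.0.0/0"
        elif len(rest) >= 2 and rest[0] == "mask":
            addr, rest = (addr, rest[1]), rest[2:]
        try:
            net = ipaddress.IPv4Network(addr, strict=False)
        except ValueError:
            continue
        rules.append(Restrict(net, frozenset(rest)))
    return rules

def applicable_rule(rules: List[Restrict], client: str) -> Optional[Restrict]:
    """ntpd applies the most specific matching entry (longest mask)."""
    addr = ipaddress.IPv4Address(client)
    hits = [r for r in rules if addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)

def permits(rules: List[Restrict], client: str, service: str) -> bool:
    """service is 'time' (denied by noserve) or 'query' (ntpq/ntpdc, denied by
    noquery); 'ignore' denies everything, no matching entry restricts nothing."""
    deny = {"time": "noserve", "query": "noquery"}[service]
    r = applicable_rule(rules, client)
    return r is None or not (r.flags & {"ignore", deny})

def blocked_upstreams(text: str) -> List[str]:
    """'server' lines whose replies the restrict policy would drop: with
    'restrict default ignore' each upstream needs its own entry, as above."""
    rules = parse_ntp_conf(text)
    blocked = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "server":
            continue
        try:
            r = applicable_rule(rules, parts[1])
        except ValueError:
            continue  # hostname such as pool.ntp.org: not resolved here
        if r is not None and "ignore" in r.flags:
            blocked.append(parts[1])
    return blocked

# Constructed sample: the server-side /etc/ntp.conf assembled in this post.
SAMPLE_CONF = """\
restrict default ignore
restrict 202.54.1.5 mask 255.255.255.255 nomodify notrap noquery
server 202.54.1.5
# Hosts on local network are less restricted.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""
```

With `rules = parse_ntp_conf(SAMPLE_CONF)`, `permits(rules, "192.168.1.77", "time")` is True, `permits(rules, "202.54.1.5", "query")` is False, and an unlisted host such as 10.9.9.9 falls to the default entry and is refused everything; `blocked_upstreams` reports a `server` line that the `default ignore` entry would silence.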

NTP Server Configuration in the GUI on RHEL

# system-config-date

Tick "Synchronize date and time over the network".

Remove all the listed NTP servers and then add the recommended NTP server.

Open "Advanced Options" and tick "Speed up initial synchronization".

Refer to fig 1.0 for reference.

fig 1.0: NTP_GUI

# service ntpd restart
# chkconfig ntpd on

Related Topics
Stratum
# ntpdate -b ntpserver

Wednesday, August 29, 2012

CentOS / Redhat: Setup NFS v4.0 File Server (Advanced)


How do I setup NFS v4.0 distributed file system access server under CentOS / RHEL v5.x for sharing files with UNIX and Linux workstations? How to export a directory with NFSv4? How to mount a directory with NFSv4?

Network File System (NFS) is a network file system protocol originally developed by Sun Microsystems. It allows your users or client computers to access files over a network. Linux and UNIX-like operating systems (and MS-Windows) can mount a file system over the network and work with it as if it were mounted locally. This is perfect for sharing files or for centralized home directories.

NFS version 4 provides the following benefits over NFSv3 and earlier versions:
1. Performance improvements
2. Mandatory security and ACL support
3. NFSv4 works over TCP by default
4. Simpler firewall configuration
5. And much more.


Required Packages

You need to install the following packages:
- nfs-utils - provides the daemon for the kernel NFS server and related tools, which gives much higher performance than the traditional user-space Linux NFS server.
- portmap - should be installed on any machine that acts as a server for protocols using RPC.
- nfs4-acl-tools - command-line and GUI ACL utilities for the Linux NFSv4 client.

Install NFS Server

Type the following command (install nfs4-acl-tools and nfs-utils on client systems too):

# yum install nfs-utils nfs4-acl-tools portmap

Sample outputs:

Loaded plugins: downloadonly, protectbase, rhnplugin, security, verify
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nfs-utils.x86_64 1:1.0.9-44.el5 set to be updated
---> Package nfs4-acl-tools.x86_64 0:0.3.3-1.el5 set to be updated
---> Package portmap.x86_64 0:4.0-65.2.2.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================
 Package           Arch      Version              Repository               Size
==============================================================================
Installing:
 nfs-utils         x86_64    1:1.0.9-44.el5       rhel-x86_64-server-5    390 k
 nfs4-acl-tools    x86_64    0.3.3-1.el5          rhel-x86_64-server-5     44 k
 portmap           x86_64    4.0-65.2.2.1         rhel-x86_64-server-5     38 k
Transaction Summary
==============================================================================
Install       3 Package(s)
Upgrade       0 Package(s)
Total download size: 472 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): portmap-4.0-65.2.2.1.x86_64.rpm                   |  38 kB     00:00
(2/3): nfs4-acl-tools-0.3.3-1.el5.x86_64.rpm             |  44 kB     00:00
(3/3): nfs-utils-1.0.9-44.el5.x86_64.rpm                 | 390 kB     00:00
------------------------------------------------------------------------------
Total                                           1.2 MB/s | 472 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : portmap                                                  1/3
  Installing     : nfs4-acl-tools                                           2/3
  Installing     : nfs-utils                                                3/3
Installed:
  nfs-utils.x86_64 1:1.0.9-44.el5      nfs4-acl-tools.x86_64 0:0.3.3-1.el5
  portmap.x86_64 0:4.0-65.2.2.1
Complete!

Share File System

/etc/exports is the main NFS server configuration file; it controls which directories the NFS server exports (shares with clients). It uses the following format:

/directory1 server.example.com(options)
/directory2 192.168.1.0/24(options)
/directory3 192.168.1.5(options) 192.168.1.15(options) pc202.nixcraft.net.in(options)

You can share /sales file system as follows. Edit /etc/exports, enter:

# vi /etc/exports


Add configuration as follows:

/sales   192.168.1.15(rw,sync,fsid=0) 192.168.1.16(rw,sync,fsid=0)

Where,
/sales - the directory to share.
1. 192.168.1.15 and 192.168.1.16 - clients at these addresses are allowed to mount /sales with read-write permission.
2. rw - read-write option.
3. fsid=0 - export the directory as the NFSv4 root. NFSv4 has the concept of a root of the overall exported filesystem; the export point marked fsid=0 is used as this root, so /sales becomes / for clients. For example, if you have /sales/mumbai and /sales/pune subdirectories, clients see them as /mumbai and /pune. Please note that only one directory can be exported with the fsid=0 option.

Save and close the file. Turn on services:

# chkconfig nfs on
# chkconfig portmap on

Start both portmap and nfs services, enter:

# service portmap start <-- for NFSv3 support
# service nfs start

Sample outputs:

Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]

Please note that portmap service is not required for NFSv4.
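A parser and audit for /etc/exports in the format described above, as an added example that is not from the original post or nfs-utils. Besides the one-fsid=0-root rule, it flags the two client specifications that export to every host (a wildcard, or options written after a space) and no_root_squash; the sample file is constructed around this post's /sales line.

```python
import re
from typing import FrozenSet, List, NamedTuple

class Export(NamedTuple):
    path: str
    client: str            # host, IP, CIDR, '*', or '' for bare (options)
    options: FrozenSet[str]

# one client entry: optional host followed by optional (option,list)
_CLIENT = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

def parse_exports(text: str) -> List[Export]:
    """Turn /etc/exports text into one Export per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = _CLIENT.match(spec)
            if m is None:
                continue  # malformed entry (e.g. unclosed parenthesis): skipped
            opts = frozenset(o for o in (m.group(2) or "").split(",") if o)
            exports.append(Export(path, m.group(1), opts))
    return exports

def audit_exports(exports: List[Export]) -> List[str]:
    """Findings for the pitfalls this post touches on: who may mount,
    what root on the client becomes, and the single NFSv4 root."""
    findings = []
    for e in exports:
        if e.client == "":
            # '/dir (rw)' with a space before the options exports to all hosts
            findings.append(f"{e.path}: bare (options) exports to all hosts")
        elif e.client == "*":
            findings.append(f"{e.path}: wildcard '*' exports to all hosts")
        if "no_root_squash" in e.options:
            findings.append(f"{e.path} -> {e.client}: no_root_squash maps "
                            "remote root to local root")
    roots = {e.path for e in exports if e.options & {"fsid=0", "fsid=root"}}
    if len(roots) > 1:
        findings.append("more than one fsid=0 export: " + ", ".join(sorted(roots)))
    elif not roots:
        findings.append("no fsid=0 export: NFSv4 clients have no root to mount")
    return findings

# Constructed /etc/exports sample: the /sales line from this post plus
# three lines that each trip one of the checks.
SAMPLE_EXPORTS = """\
# NFSv4 root, as configured above
/sales   192.168.1.15(rw,sync,fsid=0) 192.168.1.16(rw,sync,fsid=0)
/backup  192.168.1.0/24(rw,sync,no_root_squash)
/pub     (ro,sync)
/scratch *(rw)
"""

if __name__ == "__main__":
    for finding in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(finding)
```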

Optional: NFS Server Configuration GUI Tool

Type the following command to use the GUI tool:

# system-config-nfs

Sample outputs:

Fig.01: Linux NFS Server Configuration

NFSv4 Firewall Configuration

Edit /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

Open TCP port # 2049 which is used by NFSv4. Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT

Save and close the file. Restart RHEL/CentOS firewall:

# service iptables restart

TCP Wrapper Configuration

TCP Wrappers is a host-based networking ACL system used to filter network access to services. Edit /etc/hosts.deny, enter:

# vi /etc/hosts.deny

Add the following line (useful for both NFSv4 and NFSv3):

portmap:ALL

Finally, edit /etc/hosts.allow and add your subnet:

portmap:192.168.1.0/24

Save and close the file.

NFS Client Configuration

The clients can then mount the NFSv4 export using the following command:

# mkdir /sales
# mount -t nfs4 servername:/ /sales/
# df -H
# su - username
$ cd /sales/mumbai
$ ls
$ >testfile
$ ls testfile && rm testfile
A Note about User Management

Use NIS or OpenLDAP for user management with a large number of users. If you have a small number of NFS clients, add the users to those systems with the useradd command and make sure UIDs and GIDs match. For example, if user vivek (UID=500) is a member of group vivek (GID=500) and of the sales group (GID=502) on the NFSv4 server, use the following commands to add the user on the NFSv4 client:

# grep -q '^sales' /etc/group || /usr/sbin/groupadd -g 502 sales
# /usr/sbin/useradd -s /bin/bash -d /sales -M -u 500 -g 500 -G 502 sales
# su - sales
$ pwd
$ ls && cd mumbai && >testfile && ls -l testfile && rm testfile

The above command matches client and server UIDs and GIDs. Otherwise you will get permission denied message on NFSv4 clients. As I said earlier, for a large number of NFSv4 users/clients, use centralized authentication systems such as NIS or OpenLDAP.

Mounting NFS File Systems Using /etc/fstab

Edit /etc/fstab, enter:

# vi /etc/fstab

Append the following entry:

server:/    /sales  nfs4   soft,intr,rsize=8192,wsize=8192,nosuid

Save and close the file. Make sure netfs service is turned on:

# chkconfig netfs on

How Do I See NFS Statistics?

To display the statistics kept about NFS client and server activity, enter:

# nfsstat

Sample outputs:

Server rpc stats:
calls      badcalls   badauth    badclnt    xdrcall
28131      0          0          0          0
Server nfs v3:
null         getattr      setattr      lookup       access       readlink
10        0% 12302    58% 62        0% 166       0% 2122     10% 35        0%
read         write        create       mkdir        symlink      mknod
7         0% 4039     19% 52        0% 3         0% 0         0% 0         0%
remove       rmdir        rename       link         readdir      readdirplus
47        0% 2         0% 6         0% 0         0% 1         0% 2273     10%
fsstat       fsinfo       pathconf     commit
21        0% 13        0% 0         0% 4         0%
Server nfs v4:
null         compound
8         0% 6726     99%
Server nfs v4 operations:
op0-unused   op1-unused   op2-future   access       close        commit
0         0% 0         0% 0         0% 54        0% 2019      7% 0         0%
create       delegpurge   delegreturn  getattr      getfh        link
0         0% 0         0% 1         0% 8563     30% 2094      7% 0         0%
lock         lockt        locku        lookup       lookup_root  nverify
0         0% 0         0% 0         0% 78        0% 0         0% 0         0%
open         openattr     open_conf    open_dgrd    putfh        putpubfh
2022      7% 0         0% 14        0% 0         0% 6710     24% 0         0%
putrootfh    read         readdir      readlink     remove       rename
12        0% 70        0% 16        0% 7         0% 5         0% 3         0%
renew        restorefh    savefh       secinfo      setattr      setcltid
1         0% 2022      7% 2025      7% 0         0% 4         0% 5         0%
setcltidconf verify       write        rellockowner
5         0% 0         0% 2003      7% 0         0%

How Do I Display Information About Shared Directories?

To see mount information for an NFS server (rpc portmap service is required), enter:

# showmount -e
# showmount -d
# showmount -a server.ip

A Note About NFSv4 Services

1. The NFSv4 server works without the portmap, rpc.lockd and rpc.statd daemons. The rpc.mountd daemon is still required on the server.
2. The NFSv4 client works without rpc.lockd and rpc.statd.
3. However, if you are going to mix NFSv4 and NFSv3, then make sure you start the above services on both client and server.

Recommended reading:

For more information on the NFS server, client and additional options, refer to the following man pages:

man nfs
man 5 exports
man 8 mount
man 8 umount
man 8 nfsstat
man showmount
