Vsftpd (Very Secure FTP Daemon) is an FTP
server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux
distributions. It supports IPv6, SSL, locking users to their home directories
and many other advanced features.
In this
guide you will learn:
1.
Setup vsftpd to Provide FTP Service.
2.
Configure vsftpd.
3.
Configure Firewalls to Protect the FTP Server.
4.
Configure vsftpd with SSL/TLS.
5.
Setup vsftpd as Download Only Anonymous Internet Server.
6.
Setup vsftpd With Virtual Users and Much More.
VSFTPD offer security, performance and stability over other servers. A quick list of vsftpd features:
1.
Virtual IP configurations
2.
Virtual users
3.
Run as standalone or inetd / xinetd operation
4.
Per-user configuration
5.
Bandwidth throttling
6.
Per-source-IP configurability
7.
Per-source-IP limits
8.
IPv6 ready
9.
Encryption support through SSL integration
10.
And much more.
Install
Vsftpd FTP Server
Install the vsftpd package via yum command:
# yum install vsftpd
Vsftpd Defaults
1.
Default port: TCP / UDP - 21 and 20
2.
The main configuration file: /etc/vsftpd/vsftpd.conf
3.
Users that are not allowed to login via ftp: /etc/vsftpd/ftpusers
Configure Vsftpd Server
Open the configuration file, type:
# vim /etc/vsftpd/vsftpd.conf
Turn off standard ftpd
xferlog log format:
xferlog_std_format=NO
Turn on verbose vsftpd
log format. The default vsftpd log file is /var/log/vsftpd.log:
log_ftp_protocol=YES
Above to directive es
will enable logging of all FTP transactions. Lock down users to their home
directories:
chroot_local_user=YES
Create warning banners
for all FTP users:
banner_file=/etc/vsftpd/issue
Create
/etc/vsftpd/issue file with a message compliant with the local site policy or a
legal disclaimer:
NOTICE TO USERS
Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.
Turn On Vsftpd Service
Turn
on vsftpd on boot:
# chkconfig vsftpd on
Start the service:
# service vsftpd start
# netstat -tulpn | grep :21
Configure Iptables To Protect The FTP Server
Open file /etc/sysconfig/iptables, enter:
# vim /etc/sysconfig/iptables
Add the following
lines, ensuring that they appear before the final LOG and DROP lines for the
RH-Firewall-1-INPUT:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Open file
/etc/sysconfig/iptables-config, enter:
# vim /etc/sysconfig/iptables-config
Ensure that the
space-separated list of modules contains the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the
file. Restart firewall:
# service iptables restart
Tip: View FTP Log File
Type the following
command:
# tail -f /var/log/vsftpd.log
Sample output:
Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530
Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER
vivekda"
Thu May 21 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "10.1.3.108
", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "10.1.3.108"
, "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108
", "230 Login successful."
Tip: Restrict Access to Anonymous User Only
Edit the
vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
local_enable=NO
Tip:
Disable FTP Uploads
Edit the
vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
write_enable=NO
Security
Tip: Place the FTP Directory on its Own Partition
Separation of the operating system files from FTP users
files may result into a better and secure system. Restrict the growth of
certain file systems is possible using various techniques. For e.g., use /ftp
partition to store all ftp home directories and mount ftp with nosuid, nodev
and noexec options. A sample /etc/fstab enter:
/dev/sda5 /ftp ext3 defaults,nosuid,nodev,noexec,usrquota 1 2
Disk quota must be enabled to prevent users
from filling a disk used by FTP upload services. Edit the vsftpd configuration
file. Add or correct the following configuration options to represents a
directory which vsftpd will try to change into after an anonymous login:
anon_root=/ftp/ftp/pub
Create An FTP User
Account
Now your FTP server is up and running. It is time to add
additional users to FTP server so that they can login into account to upload /
download files. To add a user called tom and set the password, enter:
# adduser -c 'FTP USER mike' -m mike
# passwd mike
Now tom can login using our ftp server. Make sure the following is set in vsftpd.conf
local_enable=YES
Restart the vftpd:
# service vsftpd restart
Allow anonymous
access ftp access
Edit the vsftpd
configuration file, enter:
# vi /etc/vsftpd/vsftpd.conf
Add or correct the
following configuration option:
Only allow anonymous access ftp access:
Only allow anonymous access ftp access:
anonymous_enable=YES
Disable local users
login to ftp server:
local_enable=NO
Disable upload files
and writing permission on the FTP server:
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
Only allow file
reading permission to the rest of the world:
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=40000
pasv_max_port=60000
Turn on log features
xferlog_enable=YES
# Do not allow the use of "ls -R" to avoid consume a lot of resources
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
Set performance
option:
# Uses one process per connection to gain performance.
# This is used to supports huge numbers of simultaneously connected users.
one_process_model=YES
# The timeout, in seconds, which is the maximum time a remote client may spend
# between FTP commands. If the timeout triggers, the remote client is kicked off.
idle_session_timeout=120
# The timeout, in seconds, which is roughly the maximum time we permit data
# transfers to stall for with no progress. If the timeout triggers,the remote client
# is kicked off.
data_connection_timeout=300
# The timeout, in seconds, for a remote client to establish connection with
# a PASV style data connection.
accept_timeout=60
# The timeout, in seconds, for a remote client to respond to our PORT
# style data connection.
connect_timeout=60
# The maximum data transfer rate permitted, in bytes per second,
# for anonymous clients.
anon_max_rate=50000
Restart the ftp
server:
# service vsftpd restart
Pluggable Authetication Module
# vim /etc/pam.d/vsftpd
sense = allow or deny (default in deny state)
If its in deny then users in vim /etc/vsftpd/ftpusers are unable to access
If its in allow the users in vim /etc/vsftpd/ftpusers are able to access
