

This is my first attempt at documentation so please don't hold anything against me if it is not clear. I like “vim” as my editor and have that installed so I will use that but feel free to use any other editor like “joe” if you feel more comfortable with it.

Why use vsftpd?

Well, you may have a different reason, but mine was that I simply wanted more control over my FTP server and I wanted to force my users to use some sort of encryption. I have the DNS-321, which is a great little device, and according to my reading these instructions should work for the DNS-323 and in fact any CH3SNAS device.

How to vsftpd

The first step is of course to install fun-plug. You can find the wiki at http://wiki.dns323.info/howto:fun_plug and that should get you going, or you can use these instructions http://www.iterasi.net/openviewer.aspx?sqrlitid=1hqeasef7eavz8rdkus60a which were the original ones I used.

Installation

Log into your device using ssh or telnet and download the package using rsync. The packages are already precompiled, so it's actually pretty simple to do.

cd /ffp/pkg/
rsync -av --delete inreto.de::dns323/fun-plug/0.5/extra-packages/All/vsftpd-2.0.7-2.tgz .

(Note the version number: at the time of my install this was the latest and greatest.)

Now you have the package, so let's install it.

funpkg -i vsftpd-2.0.7-2.tgz

You should see some notes about it having been installed correctly…

Some Prep Work

We need to set up some stuff before we continue.

To make things neat, let's create a vsftpd folder.

mkdir -p  /ffp/etc/vsftpd

Let's also make the chroot directory. Note: I am still not 100% sure what it is for, but I read that it has something to do with security and that it's a good thing to have. (vsftpd uses it as secure_chroot_dir: an empty directory, not writable by the ftp user, into which the daemon's unprivileged processes chroot whenever they do not need filesystem access.) If anyone has any better insight feel free to update this…

mkdir -p /ffp/var/empty

I also like to periodically check logs, so I keep all my logs in /ffp/var/log. Let's create that directory as well.

mkdir -p /ffp/var/log

Adding FTP Users and CHROOTING

Let's make the necessary user and chroot files.

cd /ffp/etc/vsftpd
vim vsftpd.chroot_list

The file contents should look like this, assuming you want “john” and “jane” to be chrooted:

john
jane

Of course if you don't care, just leave the file empty, but I would create it anyway.

cd /ffp/etc/vsftpd
vim vsftpd.user_list

The file contents should list all the users you want to give access to:

harry
john
jane
bob
marry

By the way, these must be real users on your box. If they don't exist you must create them.

Adding Users to your box

You can check which users exist on your box by looking at the contents of your /etc/passwd file.

By default, after installation of fun-plug, yours should look like this:

vim /etc/passwd
root:x:0:0:Linux User,,,:/mnt/HD_a2/home/root:/ffp/bin/sh
admin:x:500:500:Linux User,,,:/home/admin:/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/bin/sh
sshd:x:33:33:sshd:/:/bin/false

Now we add a user using the useradd command. Here's a brief example: -d sets the home directory, which is where your user will be chrooted, and -s sets the shell (/bin/sh is like a false shell to my understanding).

useradd bob
passwd bob  (enter your password twice)
usermod -d /mnt/HD_a2/bob bob
usermod -s /bin/sh bob

OK, now we have added our user bob, so we can see that the /etc/passwd file has changed.

vim /etc/passwd
root:x:0:0:Linux User,,,:/mnt/HD_a2/home/root:/ffp/bin/sh
admin:x:500:500:Linux User,,,:/home/admin:/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/bin/sh
sshd:x:33:33:sshd:/:/bin/false
bob:x:508:702:some random comment goes here not really important:/mnt/HD_a2/bob:/bin/sh

:!: But wait, don't go too fast! We need to save our changes, because if we reboot now the user we just added will go bye-bye.

store-passwd.sh

OK, at this point we have our users, the user_list and chroot_list files, our log directory set up, our chroot directory set up, and the package installed. The last things that need to be done are to set up the certificate file and key, configure the server and write our startup script. We are almost there, I promise.
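Before moving on, it is worth checking that the pieces set up so far agree with each other: a name in vsftpd.user_list that has no /etc/passwd entry, or a chrooted user who is not allowed to log in at all, is usually a typo that only shows up later as a mysterious login failure. The following script is an added example, not part of the original page; it takes the passwd file, the two list files and the chroot directory as parameters and runs against constructed sample files, so it can be tried off the NAS. On the box itself you would call check_ftp_users with /etc/passwd, /ffp/etc/vsftpd/vsftpd.user_list, /ffp/etc/vsftpd/vsftpd.chroot_list and /ffp/var/empty.

```shell
#!/bin/sh
# Added example (not from the original wiki page): sanity-check the files the
# steps above create, before starting vsftpd.
#   - every name in vsftpd.user_list must have an entry in the passwd file
#   - every name in vsftpd.chroot_list should also be in vsftpd.user_list
#     (a chrooted user who is not allowed to log in is probably a typo)
#   - the secure_chroot_dir must exist, be empty and not be world-writable
# All paths are parameters, so the check runs against the constructed sample
# files built in run_demo below as well as against the real ones.

# Print the names in a list file, ignoring blank lines and # comments.
list_names() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$'
}

# Succeed if user $1 has an entry in passwd file $2.
user_exists() {
    grep -q "^$1:" "$2"
}

# check_ftp_users PASSWD USER_LIST CHROOT_LIST CHROOT_DIR
# Prints one line per problem, stores the count in FTP_CHECK_PROBLEMS and
# returns 0 only when everything is consistent.
check_ftp_users() {
    passwd=$1; user_list=$2; chroot_list=$3; chroot_dir=$4
    FTP_CHECK_PROBLEMS=0
    for u in $(list_names "$user_list"); do
        if ! user_exists "$u" "$passwd"; then
            echo "user_list: '$u' is not in $passwd (create it with useradd)"
            FTP_CHECK_PROBLEMS=$((FTP_CHECK_PROBLEMS + 1))
        fi
    done
    for u in $(list_names "$chroot_list"); do
        if ! list_names "$user_list" | grep -qx "$u"; then
            echo "chroot_list: '$u' is chrooted but not in user_list"
            FTP_CHECK_PROBLEMS=$((FTP_CHECK_PROBLEMS + 1))
        fi
    done
    if [ ! -d "$chroot_dir" ]; then
        echo "secure_chroot_dir: $chroot_dir does not exist (mkdir -p it)"
        FTP_CHECK_PROBLEMS=$((FTP_CHECK_PROBLEMS + 1))
    elif [ -n "$(ls -A "$chroot_dir")" ]; then
        echo "secure_chroot_dir: $chroot_dir must be empty"
        FTP_CHECK_PROBLEMS=$((FTP_CHECK_PROBLEMS + 1))
    elif [ -n "$(find "$chroot_dir" -maxdepth 0 -perm -o+w)" ]; then
        echo "secure_chroot_dir: $chroot_dir must not be world-writable"
        FTP_CHECK_PROBLEMS=$((FTP_CHECK_PROBLEMS + 1))
    fi
    [ "$FTP_CHECK_PROBLEMS" -eq 0 ]
}

# Constructed sample files (not a real system) with two deliberate mistakes:
# "marry" is allowed in user_list but has no account, and "jane" is chrooted
# without being in user_list. Returns check_ftp_users' result.
run_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:Linux User,,,:/mnt/HD_a2/home/root:/ffp/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/bin/sh
bob:x:508:702:ftp user:/mnt/HD_a2/bob:/bin/sh
john:x:509:702:ftp user:/mnt/HD_a2/john:/bin/sh
EOF
    printf 'bob\njohn\nmarry\n' > "$tmp/vsftpd.user_list"
    printf 'john\njane\n' > "$tmp/vsftpd.chroot_list"
    mkdir -p "$tmp/empty"
    if check_ftp_users "$tmp/passwd" "$tmp/vsftpd.user_list" \
                       "$tmp/vsftpd.chroot_list" "$tmp/empty"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# On the NAS itself you would call:
#   check_ftp_users /etc/passwd /ffp/etc/vsftpd/vsftpd.user_list \
#                   /ffp/etc/vsftpd/vsftpd.chroot_list /ffp/var/empty
run_demo || echo "demo found $FTP_CHECK_PROBLEMS problem(s), as expected"
```

The world-writable test matters because vsftpd refuses to start (or later refuses logins) when secure_chroot_dir is writable by the ftp user, and an empty directory is easy to chmod by accident while cleaning up.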

To create your SSL key and crt files

:!: If you don't have openssl installed on your box, follow the section below; otherwise skip to the next section.

cd /ffp/pkg/
rsync -av --delete inreto.de::dns323/fun-plug/0.5/packages/openssl-0.9.8h-1.tgz .

(Note the version number: at the time of my install this was the latest and greatest.)

Now you have the package, so let's install it.

funpkg -i openssl-0.9.8h-1.tgz

You should see some notes about it having been installed correctly…

Continue here if you already have openssl installed

Step 1: Generate a Private Key

    openssl genrsa -des3 -out server.key 1024
 
    Generating RSA private key, 1024 bit long modulus
    .........................................................++++++
    ........++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request). Note: when I put a password in the challenge it kept failing on me, so I left it blank and it worked. I am not sure if that is a bug with openssl…

    openssl req -new -key server.key -out server.csr
 
    Country Name (2 letter code) [US]:US
    State or Province Name (full name) [Florida]:Florida
    Locality Name (eg, city) [Miami]:Miami
    Organization Name (eg, company) [My Company Ltd]:urbanlime.com
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:www.urbanlime.com
    Email Address []:noatmaildotcom
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Step 3: Remove Passphrase from Key

    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
 
    -rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
    -rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
    -rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Step 4: Generate a Self-Signed Certificate (a temporary certificate which is good for 365 days)

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    Signature ok
    subject=/C=US/ST=Florida/L=Miami/CN=www.urbanlime.com/Email=noatmaildotcom
    Getting Private key

Step 5: Installing the Private Key and Certificate

    cp server.crt /ffp/etc/vsftpd/xxx.crt
    cp server.key /ffp/etc/vsftpd/xxx.key

This completes the SSL portion; let's move on to the configuration.
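The five steps above can be collapsed into a single non-interactive openssl call, and the result should be verified before it is copied into /ffp/etc/vsftpd: if the certificate and key do not belong together, vsftpd fails the TLS handshake for every client and the log gives little hint why. The script below is an added example, not from the original page or from vsftpd. It departs from the steps above in using a 2048-bit key, writing the key without a passphrase from the start (-nodes, which makes step 3 unnecessary) and passing the subject with -subj; the subject and hostname it uses are constructed placeholders, and the file names follow step 5.

```shell
#!/bin/sh
# Added example (not from the original page): make the self-signed key and
# certificate for vsftpd in one non-interactive step, then verify the pair
# before installing it. Differences from the five manual steps: 2048-bit key,
# no passphrase from the start (-nodes, so the "remove passphrase" step goes
# away), subject given with -subj instead of typed at prompts, and a check
# that the certificate really belongs to the key.

# make_vsftpd_cert KEY_OUT CRT_OUT DAYS SUBJECT
# Writes a fresh RSA key and a certificate self-signed with it.
make_vsftpd_cert() {
    key=$1; crt=$2; days=$3; subj=$4
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -keyout "$key" -out "$crt" -subj "$subj" 2>/dev/null || return 1
    chmod 600 "$key"    # only root should be able to read the private key
}

# cert_matches_key CRT KEY: succeed if CRT's public key was derived from KEY
# (both commands print "Modulus=<hex>"; the strings must be identical).
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days CRT DAYS: succeed if CRT is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Build a pair in a scratch directory (constructed subject, not a real site)
# and run both checks, plus a negative check with an unrelated key.
run_demo() {
    tmp=$(mktemp -d)
    rc=1
    if make_vsftpd_cert "$tmp/xxx.key" "$tmp/xxx.crt" 365 \
            "/C=US/ST=Florida/L=Miami/O=Example NAS/CN=nas.example.com" &&
       cert_matches_key "$tmp/xxx.crt" "$tmp/xxx.key" &&
       cert_valid_for_days "$tmp/xxx.crt" 300 &&
       openssl genrsa -out "$tmp/other.key" 2048 2>/dev/null &&
       ! cert_matches_key "$tmp/xxx.crt" "$tmp/other.key"; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# For the real thing, run as root on the NAS and then copy as in step 5:
#   make_vsftpd_cert server.key server.crt 365 "/C=US/ST=Florida/L=Miami/CN=YOUR.HOSTNAME.HERE"
#   cert_matches_key server.crt server.key &&
#       cp server.crt /ffp/etc/vsftpd/xxx.crt && cp server.key /ffp/etc/vsftpd/xxx.key
if command -v openssl >/dev/null 2>&1; then
    run_demo && echo "key/certificate pair verified"
fi
```

cert_valid_for_days is handy in a cron job as well: run it with a small number of days against /ffp/etc/vsftpd/xxx.crt and you get warning before the 365-day certificate expires and clients start refusing the connection.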

Configuration

cd /ffp/etc
vim vsftpd.conf

The following is a tested working configuration which requires TLS authentication.

# The chroot dir (must exist and be empty, see "Some Prep Work")
secure_chroot_dir=/ffp/var/empty
# Don't allow anonymous users
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
connect_from_port_20=YES
chown_uploads=NO
xferlog_enable=YES
xferlog_std_format=YES
# Set your location for your logs if you want them
xferlog_file=/ffp/var/log/vsftpdxf.log
vsftpd_log_file=/ffp/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
nopriv_user=nobody
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Your Fancy Banner Here!
# The following will allow you to put specific users in a chroot so that they can't move back out of the chroot dir
chroot_list_enable=YES
# File to keep the chroot users
chroot_list_file=/ffp/etc/vsftpd/vsftpd.chroot_list
userlist_deny=NO
userlist_enable=YES
# File to keep all users able to access ftp
userlist_file=/ffp/etc/vsftpd/vsftpd.user_list
#background=YES
# Enable listen so vsftpd runs as a standalone daemon; we use this also so that we can write a startup script...
listen=YES
#pasv_promiscuous=YES
pasv_enable=YES
pasv_min_port=5000
pasv_max_port=5500
# You should not need this if you are not going to use it from outside your own network
pasv_address=YOUR.PUBLIC.IP.HERE
ls_recurse_enable=NO
# Finally force the SSL connection
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
# SSLv2 and SSLv3 are broken protocols; leave them off, TLS is all any current client needs
ssl_sslv2=NO
ssl_sslv3=NO
# Point to your certificate and key
rsa_cert_file=/ffp/etc/vsftpd/xxx.crt
rsa_private_key_file=/ffp/etc/vsftpd/xxx.key
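With vsftpd_log_file set as above, /ffp/var/log/vsftpd.log is where a user who "can't get in" and a stranger guessing passwords both leave their traces. The script below is an added example, not from the original page; it assumes the line layout vsftpd writes to that file (date, [pid N], [user] for login events, then "OK LOGIN" or "FAIL LOGIN: Client "<ip>""), and it runs against constructed sample lines so it can be tried without a NAS. On the box, point the functions at /ffp/var/log/vsftpd.log instead.

```shell
#!/bin/sh
# Added example (not from the original page): a quick triage of the
# vsftpd_log_file configured above. The line layout assumed here is the one
# vsftpd writes for login events, e.g.
#   Mon Jun 29 13:25:02 2009 [pid 1939] [admin] FAIL LOGIN: Client "198.51.100.7"

# login_failures LOGFILE: "<failures> <client ip>" per client, most first.
login_failures() {
    awk '
        /FAIL LOGIN: Client "/ {
            split($0, q, "\"")      # q[2] is the quoted client address
            n[q[2]]++
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# noisy_clients LOGFILE THRESHOLD: clients with at least THRESHOLD failures.
noisy_clients() {
    login_failures "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# users_tried LOGFILE CLIENT: distinct user names that failed from CLIENT.
# Several different names from one address (someone guessing accounts) is a
# different picture from one name failing repeatedly (a user with a typo).
users_tried() {
    awk -v ip="$2" '
        /FAIL LOGIN: Client "/ {
            split($0, q, "\"")
            if (q[2] == ip) {
                u = $0
                sub(/.*] \[/, "", u)          # drop everything up to the user
                sub(/] FAIL LOGIN.*/, "", u)  # and everything after it
                print u
            }
        }
    ' "$1" | sort -u
}

# write_sample_log PATH: constructed sample lines in vsftpd's format, for the
# demo below. 192.0.2.10 is a normal user with one typo; 198.51.100.7 tries
# four logins against three different accounts and never gets in.
write_sample_log() {
    cat > "$1" <<'EOF'
Mon Jun 29 13:22:10 2009 [pid 1931] CONNECT: Client "192.0.2.10"
Mon Jun 29 13:22:12 2009 [pid 1930] [bob] OK LOGIN: Client "192.0.2.10"
Mon Jun 29 13:25:01 2009 [pid 1940] CONNECT: Client "198.51.100.7"
Mon Jun 29 13:25:02 2009 [pid 1939] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Jun 29 13:25:04 2009 [pid 1939] [root] FAIL LOGIN: Client "198.51.100.7"
Mon Jun 29 13:25:06 2009 [pid 1939] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Jun 29 13:25:09 2009 [pid 1939] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Jun 29 13:30:44 2009 [pid 1952] [jane] FAIL LOGIN: Client "192.0.2.10"
Mon Jun 29 13:30:50 2009 [pid 1952] [jane] OK LOGIN: Client "192.0.2.10"
EOF
}

# Demo on the constructed log. On the NAS use /ffp/var/log/vsftpd.log instead.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "failed logins per client:"
login_failures "$demo_log"
for ip in $(noisy_clients "$demo_log" 3); do
    echo "$ip failed 3+ times, accounts tried: $(users_tried "$demo_log" "$ip" | tr '\n' ' ')"
done
rm -f "$demo_log"
```

Because the user list is closed (userlist_deny=NO), a name in the FAIL LOGIN lines that is not in vsftpd.user_list at all is a clear sign the attempt did not come from one of your own users.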

Lets start this bad boy

To start it manually, the command is broken up as follows:

vsftpd = tells it to run vsftpd
/ffp/etc/vsftpd.conf = use this config file instead of the default, which would be somewhere in /etc rather than /ffp/etc
>/dev/null 2>&1 </dev/null & = send stdout and stderr to /dev/null, take stdin from /dev/null, and throw the job in the background

vsftpd /ffp/etc/vsftpd.conf >/dev/null 2>&1 </dev/null &

Once you have seen that it is running, and you have tested it and it works, you can set up a startup script like the one that follows. It has also been tested and works great.

vim /ffp/start/vsftpd.sh
#!/ffp/bin/sh
 
# PROVIDE: vsftpd
# REQUIRE: LOGIN
 
. /ffp/etc/ffp.subr
 
name="vsftpd"
command="/ffp/sbin/vsftpd"
vsftpd_flags="/ffp/etc/vsftpd.conf >/dev/null 2>&1 </dev/null &"
required_files="/ffp/etc/vsftpd.conf"
start_cmd="vsftpd_start"
 
vsftpd_start()
{
  proc_start_bg "$command"
}

You need to change the permissions to allow it to start up

chmod a+x /ffp/start/vsftpd.sh

REBOOT AND YOU ARE DONE!!! 8-)
