Differences

This shows you the differences between the selected revision and the current version of the page.

howto:vsftpd 2009/02/04 06:48 howto:vsftpd 2017/09/06 18:38 current
Line 1: Line 1:
This is my first attempt at documentation so please don't hold anything against me if it is not clear. This is my first attempt at documentation so please don't hold anything against me if it is not clear.
-I like "vim" as my editor and have that installed so I will use that but feel free to use any other editor like "joe" if you feel more comfortable with it.+I like "vim" as my editor and have that installed so I will use that but feel free to use any other editor like "joe" if you feel more comfortable with it. Thanks to fonz for helping me out with my installation. This wouldn't be possible without him!
-====== Why USE VSFTP? ====== 
-Well you may have a different reason but mine was that I simply wanted more control over my ftp client and I wanted to force my users to use some sort of encryption. I have the DNS-321 which is a great little device and according to my reading these instructions should work for the dns-323 and well any CH3SNAS device. 
 +====== Why Use VSFTP? ======
 +Well, you may have a different reason but mine was that I simply wanted more control over my ftp client. I also wanted to force my users to use some sort of encryption. I have the DNS-321 which is a great little device and according to my reading these instructions should work for the DNS-323, DNS-343, and probably any CH3SNAS device.
-====== How to vsftpd ====== 
-First step is of course install fun-plug. + 
-You can find the wiki [[http://wiki.dns323.info/howto:fun_plug]] and that should get you going.  +====== How to Set Up VSFTPD ====== 
-or you can use these instructions [[http://www.iterasi.net/openviewer.aspx?sqrlitid=1hqeasef7eavz8rdkus60a]] which were the original ones I used.+ 
 +The first step is to install fun_plug. You can find the wiki [[http://dns323.kood.org/]] and that should get you going.  
 +Or you can use these instructions [[http://www.iterasi.net/openviewer.aspx?sqrlitid=1hqeasef7eavz8rdkus60a]] which were the original ones I used.
Line 92: Line 93:
By the way these must be real users on your box. If they dont exist you must create them. By the way these must be real users on your box. If they dont exist you must create them.
-====== Adding Users to your box ====== 
-You can check which users exist in your box by seeing the contents of your /etc/passd file+====== Adding Users to Your Box ======
-By default after installation of fun-plug yours should look like this+You can check which users exist on your box by seeing the contents of your /etc/passwd file. 
 + 
 +After installation of fun_plug, your default user list should look like this:
<code bash> <code bash>
Line 106: Line 108:
</code> </code>
-now we add a user using the useradd command heres a brief example+Now we add a user via the useradd command. Here is an example:
-d = home directory this is where your user will be chrooted -d = home directory this is where your user will be chrooted
-s = shell /bin/sh is like a false shell to my understanding -s = shell /bin/sh is like a false shell to my understanding
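Review bot: the unchanged line "-s = shell /bin/sh is like a false shell to my understanding" is wrong, and the reworded sentence above it leaves it uncorrected: /bin/sh is a real, working shell, so "usermod -s /bin/sh bob" gives bob an interactive login on the box (telnet or ssh, if either is enabled), not FTP-only access. To restrict bob to FTP, give him a non-login shell such as /bin/false (whatever exists on the device). One caveat for that change: non-PAM builds of vsftpd check the login shell against /etc/shells by default (the check_shell option), so either list the non-login shell in /etc/shells or set check_shell=NO in vsftpd.conf, otherwise bob's FTP login fails too.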
Line 113: Line 115:
useradd bob useradd bob
passwd bob  (enter your password twice) passwd bob  (enter your password twice)
-usermod - d /mnt/HD_a2/bob +usermod -d /mnt/HD_a2/bob bob 
-usermod -s /bin/sh +usermod -s /bin/sh bob
</code> </code>
-Ok now we added our user bob so we can see the /etc/passwd file has changed.+Ok now user bob is added, so we can see the /etc/passwd file has changed:
<code bash> <code bash>
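Review bot: "usermod -d /mnt/HD_a2/bob bob" and "usermod -s /bin/sh bob" now carry the missing username argument (the old lines would have errored out), but usermod -d only records the path in /etc/passwd; nothing in the hunk creates /mnt/HD_a2/bob. Add "mkdir -p /mnt/HD_a2/bob" and set its ownership before the user logs in. Since the text also makes this directory bob's chroot root, keep in mind that vsftpd 2.3.5 and later refuse to run a session whose chroot root is writable by the user: keep the root itself owned by root and not writable, with a writable subdirectory underneath, or on vsftpd 3.0 and later set allow_writeable_chroot=YES.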
Line 129: Line 131:
-:!: But wait don't go too fast!  +:!: But wait! Don't go too fast!  
-We need to save our changes because if we reboot now that user we just added will go bye-bye.+We need to save our changes because if we reboot now that new user go bye-bye. Save changes with:
<code bash> <code bash>
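Review bot: style: the rewritten sentence drops a verb ("that new user go bye-bye"); "that new user will go bye-bye", or plainer, "the user we just added will be lost". The point itself matters on this device, as the page says the added user does not survive a reboot until the save step that follows is run.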
Line 137: Line 139:
-Ok at this point we have our users, user_list and chrootlist files, our log directory set up, our chroot directory set up, and the pachkage installed. The last thing that needs to be done is to set up the certificate file and key, configure the server and write our startup script. We are almost there I promise. +Now we have our users, user_list, and chrootlist files, our log directory set up, our chroot directory set up, and the package installed. The last things that need to be done are to set up the certificate file and key, configure the server, and write our startup script. We are almost done, I promise.
- +
====== To create your ssl key and crt files ====== ====== To create your ssl key and crt files ======
Line 148: Line 148:
<code bash> <code bash>
cd /ffp/pkg/ cd /ffp/pkg/
-rsync -av --delete inreto.de::dns323/fun-plug/0.5/packages/openssl-0.9.8h-1.tgz .+rsync -av --delete inreto.de::dns323/fun-plug/0.5/packages/openssl-0.9.8k-1.tgz .
</code> </code>
(note the version number at the time of my install this was the latest and greatest) (note the version number at the time of my install this was the latest and greatest)
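Review bot: the bump only moves the pin from openssl-0.9.8h-1 to openssl-0.9.8k-1, and the 2017 revision still carries it: OpenSSL 0.9.8k dates from March 2009 and the whole 0.9.8 branch stopped receiving security fixes at the end of 2015, so a reader should list the packages directory on the rsync module and take the current openssl build rather than copy this filename (the "funpkg -i" line in the next hunk must then match). The rsync transfer also performs no signature or checksum verification of the package, so the download is trusted purely on the strength of the network path; at minimum, compare it against whatever checksum the repository publishes before installing.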
Line 156: Line 156:
<code bash> <code bash>
-funpkg -i openssl-0.9.8h-1.tgz+funpkg -i openssl-0.9.8k-1.tgz
</code> </code>
Line 224: Line 224:
This completes the SSL portion lets move on to the configuration This completes the SSL portion lets move on to the configuration
-====== configuration ======+====== Alternate Creation of SSL ====== 
 + 
 +Another way to create the SSL is to use the following command: 
 +<code bash> 
 +openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem 
 +</code> 
 + 
 + 
 + 
 +====== Configuration ======
<code bash> <code bash>
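Review bot: "openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem" takes every default, and a reader should not: with no -days the certificate expires after 30 days, and with no -newkey the key size falls back to default_bits in the openssl.cnf shipped with 0.9.8, which is 1024. Something like "openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 -out vsftpd.pem -keyout vsftpd.pem" is the minimum. Because -nodes leaves the private key unencrypted and key and certificate share one file, chmod 600 the result and move it to where rsa_cert_file points: the later config uses /ffp/etc/vsftpd/server.pem while this command writes vsftpd.pem into the current directory, so one of the two names has to change. With a combined file, rsa_private_key_file can stay unset; vsftpd then reads the key from the certificate file.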
Line 250: Line 259:
xferlog_file=/ffp/var/log/vsftpdxf.log xferlog_file=/ffp/var/log/vsftpdxf.log
vsftpd_log_file=/ffp/var/log/vsftpd.log vsftpd_log_file=/ffp/var/log/vsftpd.log
-idle_session_timeout=600                +idle_session_timeout=600 
-data_connection_timeout=120            +data_connection_timeout=120 
-nopriv_user=nobody                      +nopriv_user=nobody 
-ascii_upload_enable=YES                +ascii_upload_enable=YES 
-ascii_download_enable=YES             +ascii_download_enable=YES
ftpd_banner=Your Fancy Banner Here! ftpd_banner=Your Fancy Banner Here!
#The following will allow you to put specific users in a chroot so that they cant move back from the chroot dir #The following will allow you to put specific users in a chroot so that they cant move back from the chroot dir
-chroot_list_enable=YES                                                 +chroot_list_enable=YES
#file to keep the chroot users #file to keep the chroot users
-chroot_list_file=/ffp/etc/vsftpd/vsftpd.chroot_list                    +chroot_list_file=/ffp/etc/vsftpd/vsftpd.chroot_list 
-userlist_deny=NO                                                        +userlist_deny=NO 
-userlist_enable=YES                                                   +userlist_enable=YES
#file to keep all users able to access ftp #file to keep all users able to access ftp
-userlist_file=/ffp/etc/vsftpd/vsftpd.user_list                          +userlist_file=/ffp/etc/vsftpd/vsftpd.user_list 
-#background=YES                                                       +#background=YES
#enable the listen to allow the ftp to listen we use this also so that we can write a startup script... #enable the listen to allow the ftp to listen we use this also so that we can write a startup script...
-listen=YES                                                              +listen=YES 
-#pasv_promiscuous=YES                                                  +#pasv_promiscuous=YES 
-pasv_enable=YES                                                        +pasv_enable=YES 
-pasv_min_port=5000                                                    +pasv_min_port=5000 
-pasv_max_port=5500                   +pasv_max_port=5500
# You should not need this if you not going to use it through the web # You should not need this if you not going to use it through the web
-pasv_address=YOUR.PUBLIC.IP.HERE                      +pasv_address=YOUR.PUBLIC.IP.HERE 
-ls_recurse_enable=NO                                                                       +ls_recurse_enable=NO
#finally force the ssl connection #finally force the ssl connection
-ssl_enable=YES                                                          +ssl_enable=YES 
-allow_anon_ssl=NO                                                      +allow_anon_ssl=NO 
-force_local_data_ssl=YES                                                +force_local_data_ssl=YES 
-force_local_logins_ssl=YES                                              +force_local_logins_ssl=YES 
-ssl_tlsv1=YES                                                          +ssl_tlsv1=YES 
-ssl_sslv2=YES                                                          +ssl_sslv2=YES 
-ssl_sslv3=YES                                                          +ssl_sslv3=YES 
-#point to your certificate and key                                                                        +#point to your certificate and key 
-rsa_cert_file=/ffp/etc/vsftpd/xxx.crt                      +rsa_cert_file=/ffp/etc/vsftpd/xxx.crt 
-rsa_private_key_file=/ffp/etc/vsftpd/xxx.key +rsa_private_key_file=/ffp/etc/vsftpd/xxx.key
</code> </code>
 +
 +====== Configuration (More Secure) ======
 +
 +The following configuration is more secure although it takes a little more effort.
 +
 +Using the ''userlist'' feature of ''**vsftpd**'' has a security implication:
 +The connection is dropped right after the user has provided the username. This can be used (although with a fairly time-comsuming brute force attack) to deduce the available usernames on the system. It is better if the user (attacker) has to provide both username and password before she is rejected. This way the attacker won't know whether the username or the password was incorrect and thus it expands the search space immensely.
 +
 +The configuration below supports a scenario where a few persons need to share a ftp directory from the Internet. It does this using a master config file which is very strict (empty local_root dir, no upload, no download, guest account, etc.) and then there is a vsftpd_user_conf dir with a config file per user that relaxes the strict permissions.
 +
 +<code bash>
 +joe /ffp/etc/vsftpd.conf
 +</code>
 +
 +<code bash>
 +# vsftpd configuration file
 +#
 +# This file is for multiple users sharing the same ftp directory but such
 +# that each user has his own login and the uploaded files are stored with
 +# the userid of each user
 +#
 +# Anonymous access is turned off such that only local users can login
 +#
 +# The default access is that users are logged in with the guest account without
 +# download nor upload permissions
 +# Special priviledged users have each a configuration file in the
 +# etc/vsftpd_user_conf directory where the permissions are relaxed with the
 +# following configuration:
 +#  write_enable=YES
 +#  download_enable=YES
 +#  guest_enable=NO
 +#  local_root=/mnt/HD_a2/ftp
 +
 +
 +listen=YES
 +listen_port=10021
 +pasv_enable=YES
 +pasv_address=[YOUR EXTERNAL IP ADDRESS GOES HERE]
 +# Remember to port forward these ports if you are behind a firewall!
 +pasv_min_port=10022
 +pasv_max_port=10099
 +
 +ssl_enable=YES
 +force_local_logins_ssl=YES
 +force_local_data_ssl=YES
 +ssl_tlsv1=YES
 +ssl_sslv2=NO
 +ssl_sslv3=YES
 +rsa_cert_file=/ffp/etc/vsftpd/server.pem
 +
 +# Allow local users to login and chroot them to the specified directory
 +# Note that chroot_local_user=YES means that text_userdb_names will NOT work!
 +# The local_root directory is overriden in the per-user configuration file
 +local_enable=YES
 +chroot_local_user=YES
 +local_root=/ffp/var/empty
 +file_open_mode=0666
 +local_umask=007
 +# Show usernames instead of "ftp". This does NOT work when chroot_local_user=YES
 +text_userdb_names=YES
 +hide_ids=NO
 +
 +# By default, local users are logged in under the guest account with the specified userid
 +guest_enable=YES
 +guest_username=nobody
 +
 +# We make a directory of user configuration files such that only the allowed users
 +# will have access
 +user_config_dir=/ffp/etc/vsftpd_user_conf
 +
 +# Disallow upload and download. Can be relaxed in the per-user configuration file
 +write_enable=NO
 +download_enable=NO
 +
 +# It is recommended that you define on your system a unique user which the
 +# ftp server can use as a totally isolated and unprivileged user.
 +nopriv_user=ftp
 +secure_chroot_dir=/ffp/var/empty
 +
 +# Print directory's .message file if it exists
 +dirmessage_enable=YES
 +
 +vsftpd_log_file=/ffp/var/log/vsftpd.log
 +xferlog_enable=YES
 +xferlog_file=/ffp/var/log/xfer_vsftpd.log
 +log_ftp_protocol=YES
 +</code>
 +
 +Now make the per-user configuration files:
 +<code bash>
 +mkdir /ffp/etc/vsftpd_user_conf
 +cd /ffp/etc/vsftpd_user_conf
 +cat > default_user_config
 +write_enable=YES
 +download_enable=YES
 +guest_enable=NO
 +local_root=/mnt/HD_a2/ftp
 +^D
 +ln -s default john
 +ln -s default jane
 +</code>
 +
 +Now John and Jane share the same configuration. You can also make special files to each if you want.
 +
 +
====== Lets start this bad boy ====== ====== Lets start this bad boy ======
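Review bot: the per-user configuration block at the end of this hunk does not work as written: the file is created as default_user_config, but the links are "ln -s default john" and "ln -s default jane", so john and jane resolve to dangling symlinks and neither gets the relaxed permissions (vsftpd looks for a file in user_config_dir named exactly after the login name). Either create the file as "default" or link to default_user_config. Further points in the same hunk: (1) both configs enable SSLv3 (ssl_sslv3=YES) and the first also enables SSLv2 (ssl_sslv2=YES); both protocols are broken and should be NO, leaving ssl_tlsv1=YES (vsftpd 3.0 and later also accept ssl_tlsv1_1 and ssl_tlsv1_2), and neither config sets ssl_ciphers, whose default is DES-CBC3-SHA, so set it to a modern suite. (2) text_userdb_names=YES sits two lines under a comment saying it does not work with chroot_local_user=YES; drop the setting rather than ship the contradiction. (3) chroot_local_user=YES with a per-user local_root=/mnt/HD_a2/ftp that users upload into meets the same writable-chroot refusal as the single-user setup (vsftpd 2.3.5+): keep the root non-writable and upload into a subdirectory, or use allow_writeable_chroot=YES on 3.0+. (4) The first config keeps pasv_address=YOUR.PUBLIC.IP.HERE active although the comment above it says most readers do not need it; comment it out or fill in a numeric address, which is what vsftpd expects there. (5) The first config's userlist_deny=NO with userlist_enable=YES is exactly the reject-at-USER behaviour the "More Secure" section explains as a username disclosure; a one-line pointer next to the first config would tell readers who stop there what they are accepting.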
Line 313: Line 427:
name="vsftpd" name="vsftpd"
command="/ffp/sbin/vsftpd" command="/ffp/sbin/vsftpd"
-vsftpd_flags="/ffp/etc/vsftpd.conf >/dev/null 2>&1 </dev/null &"+vsftpd_flags="/ffp/etc/vsftpd.conf"
required_files="/ffp/etc/vsftpd.conf" required_files="/ffp/etc/vsftpd.conf"
start_cmd="vsftpd_start" start_cmd="vsftpd_start"
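Review bot: vsftpd_flags="/ffp/etc/vsftpd.conf" is the right fix: the old value packed ">/dev/null 2>&1 </dev/null &" into a variable, and unless the helper evals it, redirection and background tokens inside a variable expansion are passed to vsftpd as literal extra arguments rather than interpreted by the shell. Backgrounding belongs to proc_start_bg in the function below, which is consistent with listen=YES and background left commented out in the config (vsftpd stays in the foreground and the rc script puts it in the background).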
Line 321: Line 435:
  proc_start_bg "$command"   proc_start_bg "$command"
} }
 +
 +run_rc_command "$1"
 +
</code> </code>
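Review bot: the added run_rc_command "$1" is what makes the script act on its argument: without it the script only defined name, command, start_cmd and the vsftpd_start function and then exited, so invoking it with "start" did nothing. Since every other line of the script is unchanged, the only remaining check for a reader is that the file is executable and lives where fun_plug runs startup scripts from.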
