This is my first attempt at documentation, so please don't hold anything against me if it is not clear. I like “vim” as my editor and have that installed, so I will use that, but feel free to use any other editor like “joe” if you feel more comfortable with it. Thanks to fonz for helping me out with my installation. This wouldn't be possible without him!
Why use vsftpd?
Well, you may have a different reason, but mine was that I simply wanted more control over my ftp client and I wanted to force my users to use some sort of encryption. I have the DNS-321, which is a great little device, and according to my reading these instructions should work for the DNS-323 and any CH3SNAS device.
How to vsftpd
The first step is of course to install fun-plug. You can find the wiki at http://wiki.dns323.info/howto:fun_plug and that should get you going, or you can use these instructions http://www.iterasi.net/openviewer.aspx?sqrlitid=1hqeasef7eavz8rdkus60a which were the original ones I used.
Installation
Log into your device using ssh or telnet and download the package using rsync. The packages are already precompiled, so it's actually pretty simple to do.
cd /ffp/pkg/
rsync -av --delete inreto.de::dns323/fun-plug/0.5/extra-packages/All/vsftpd-2.0.7-2.tgz .
(Note the version number: at the time of my install this was the latest and greatest.)
Now you have the package, so let's install it.
funpkg -i vsftpd-2.0.7-2.tgz
You should see some notes about it having been installed correctly…
Some Prep Work
We need to set up some stuff before we continue.
To make things neat, let's create a vsftpd folder.
mkdir -p /ffp/etc/vsftpd
Let's also make the chroot directory. Note: I am still not 100% sure what it is for, but I read that it has something to do with security and it's a good thing to have. If anyone has any better insight feel free to update this… In vsftpd's terms this is the secure_chroot_dir: an empty directory, not writable by the ftp user, that the server chroots into whenever it needs no access to the filesystem, for example before a user has logged in.
mkdir -p /ffp/var/empty
I also like to periodically check logs, so I keep all my logs in /ffp/var/log. Let's create that directory as well.
mkdir -p /ffp/var/log
Adding FTP Users and CHROOTING
Let's make the necessary user and chroot files.
cd /ffp/etc/vsftpd
vim vsftpd.chroot_list
File contents should look like this, one user per line, assuming you want “john” & “jane” to be chrooted:
john
jane
Of course, if you don't care just leave the file empty, but I would create it anyway.
cd /ffp/etc/vsftpd
vim vsftpd.user_list
File contents should look like this, one per line, with all the users you want to give access to:
harry
john
jane
bob
marry
By the way, these must be real users on your box. If they don't exist you must create them.
Adding Users to your box
You can check which users exist on your box by looking at the contents of your /etc/passwd file.
By default, after installation of fun-plug, yours should look like this:
vim /etc/passwd
root:x:0:0:Linux User,,,:/mnt/HD_a2/home/root:/ffp/bin/sh
admin:x:500:500:Linux User,,,:/home/admin:/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/bin/sh
sshd:x:33:33:sshd:/:/bin/false
Now we add a user using the useradd command. Here's a brief example. -d = home directory: this is where your user will be chrooted. -s = shell: /bin/sh is like a false shell, to my understanding.
useradd bob
passwd bob
(enter your password twice)
usermod -d /mnt/HD_a2/bob bob
usermod -s /bin/sh bob
Ok, now we added our user bob, so we can see the /etc/passwd file has changed.
vim /etc/passwd
root:x:0:0:Linux User,,,:/mnt/HD_a2/home/root:/ffp/bin/sh
admin:x:500:500:Linux User,,,:/home/admin:/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/bin/sh
sshd:x:33:33:sshd:/:/bin/false
bob:x:508:702:some random comment goes here not really important:/mnt/HD_a2/bob:/bin/sh
But wait, don't go too fast! We need to save our changes, because if we reboot now the user we just added will go bye-bye.
store-passwd.sh
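A check worth running once the users, user_list and chroot_list are in place: this is an added example, not part of the original wiki page, and the paths are passed in as arguments (the ones on the NAS are assumed to be /etc/passwd and the two files under /ffp/etc/vsftpd). It verifies that every name in the user_list is a real account, that every chrooted name can actually log in, and that each chrooted user has a home directory to be jailed in.

```shell
#!/bin/sh
# Added example (not from the original wiki page): sanity-check the
# vsftpd.user_list and vsftpd.chroot_list files against /etc/passwd before
# the server is started. Paths are passed in so the check can run anywhere.
#
# check_user_lists PASSWD_FILE USER_LIST CHROOT_LIST
#   prints one line per problem found and returns the number of problems
check_user_lists() {
    passwd_file=$1
    user_list=$2
    chroot_list=$3
    problems=0

    # 1. Every name in user_list must be a real account; vsftpd cannot
    #    authenticate a user that the passwd database does not know.
    for u in $(cat "$user_list"); do
        if ! cut -d: -f1 "$passwd_file" | grep -qxF "$u"; then
            echo "user_list: '$u' does not exist in $passwd_file"
            problems=$((problems + 1))
        fi
    done

    # 2. With userlist_deny=NO only names in user_list may log in, so a
    #    chroot_list entry that is missing there is almost always a typo.
    # 3. A chrooted user is jailed in the home directory from passwd; a
    #    missing or "/" home makes the jail meaningless.
    for u in $(cat "$chroot_list"); do
        if ! grep -qxF "$u" "$user_list"; then
            echo "chroot_list: '$u' is not in $user_list, so it can never log in"
            problems=$((problems + 1))
            continue
        fi
        home=$(awk -F: -v u="$u" '$1 == u { print $6 }' "$passwd_file")
        if [ -z "$home" ] || [ "$home" = / ]; then
            echo "chroot_list: '$u' has home directory '${home:-<none>}', nothing to chroot into"
            problems=$((problems + 1))
        fi
    done

    return $problems
}

# Usage on the NAS (paths assumed from this page):
#   check_user_lists /etc/passwd /ffp/etc/vsftpd/vsftpd.user_list /ffp/etc/vsftpd/vsftpd.chroot_list
```

An empty chroot_list (the page says you may leave it empty) simply produces no findings; the return value is the number of problems, so the function can gate the startup script.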
Ok, at this point we have our users, the user_list and chroot_list files, our log directory set up, our chroot directory set up, and the package installed. The last thing that needs to be done is to set up the certificate file and key, configure the server and write our startup script. We are almost there, I promise.
To create your ssl key and crt files
If you don't have openssl installed on your box, follow the section below; otherwise skip to the next section.
cd /ffp/pkg/
rsync -av --delete inreto.de::dns323/fun-plug/0.5/packages/openssl-0.9.8h-1.tgz .
(Note the version number: at the time of my install this was the latest and greatest.)
Now you have the package, so let's install it.
funpkg -i openssl-0.9.8h-1.tgz
You should see some notes about it having been installed correctly…
Continue here if you already have openssl installed
Step 1: Generate a Private Key
openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Step 2: Generate a CSR (Certificate Signing Request). Note: when I put a password in the challenge it kept failing on me, so I left it blank and it worked. I am not sure if that is a bug with openssl…
openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Florida]:Florida
Locality Name (eg, city) [Miami]:Miami
Organization Name (eg, company) [My Company Ltd]:urbanlime.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.urbanlime.com
Email Address []:noatmaildotcom
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 3: Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org
Step 4: Generating a Self-Signed Certificate (Generate a temporary certificate which is good for 365 days)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=Florida/L=Miami/CN=www.urbanlime.com/Email=noatmaildotcom
Getting Private key
Step 5: Installing the Private Key and Certificate
cp server.crt /ffp/etc/vsftpd/xxx.crt
cp server.key /ffp/etc/vsftpd/xxx.key
This completes the SSL portion. Let's move on to the configuration.
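Steps 1 to 4 above can be collapsed into a single openssl invocation, and there are two things worth checking before the files are copied into /ffp/etc/vsftpd: that the certificate really belongs to the key, and that the key is not world-readable (the ls output in step 3 shows a 644 key, which any local account could copy). The script below is an added example, not part of the original page; it assumes an openssl binary on PATH (the package installed above provides one), and the 2048-bit key size and the example common name are this script's own choices rather than the page's.

```shell
#!/bin/sh
# Added example, not part of the original page: steps 1 to 4 as one command,
# followed by the checks worth running before copying the files into
# /ffp/etc/vsftpd. Assumes an openssl binary on PATH. The 2048-bit key and
# the example common name are this script's choices, not the page's.

# make_selfsigned_cert DIR DAYS COMMON_NAME
#   writes DIR/server.key (unencrypted, owner-readable only) and DIR/server.crt
make_selfsigned_cert() {
    dir=$1; days=$2; cn=$3
    # -nodes writes the key without a passphrase, which is what the page's
    # step 3 does by hand: vsftpd must read the key at boot with nobody there
    # to type a passphrase. The subshell scopes the umask so the key file is
    # created with mode 0600 instead of the 0644 shown in the page's listing.
    (
        umask 077
        openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
            -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" \
            >/dev/null 2>&1
    )
}

# key_matches_cert KEY CRT -> true when the certificate belongs to this key
# (compares the RSA modulus embedded in both files)
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# key_is_private FILE -> true when only the owner can read the key.
# ls -l is used instead of stat because stat's flags differ between
# GNU coreutils, busybox and BSD.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# cert_valid_for CRT SECONDS -> true when the certificate will still be
# valid SECONDS from now (a 365-day self-signed cert needs renewing)
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Usage on the NAS (directory and name are assumptions):
#   make_selfsigned_cert /ffp/etc/vsftpd 365 nas.example.internal
#   key_matches_cert /ffp/etc/vsftpd/server.key /ffp/etc/vsftpd/server.crt && echo "key and cert match"
#   key_is_private /ffp/etc/vsftpd/server.key || echo "key is readable by others"
```

The modulus comparison is the quickest way to catch the classic mistake of copying a regenerated key next to an old certificate; vsftpd would refuse TLS handshakes with a mismatched pair, but only at the moment a client connects.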
Configuration
cd /ffp/etc
vim vsftpd.conf
The following is a tested working configuration which requires TLS authentication.
#The chroot dir
secure_chroot_dir=/ffp/var/empty
#don't allow anonymous users
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
connect_from_port_20=YES
chown_uploads=NO
xferlog_enable=YES
xferlog_std_format=YES
#set your location for your logs if you want them
xferlog_file=/ffp/var/log/vsftpdxf.log
vsftpd_log_file=/ffp/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
nopriv_user=nobody
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Your Fancy Banner Here!
#The following will allow you to put specific users in a chroot so that they can't move back out of the chroot dir
chroot_list_enable=YES
#file to keep the chroot users
chroot_list_file=/ffp/etc/vsftpd/vsftpd.chroot_list
userlist_deny=NO
userlist_enable=YES
#file to keep all users able to access ftp
userlist_file=/ffp/etc/vsftpd/vsftpd.user_list
#background=YES
#enable listen so that vsftpd runs standalone; we use this also so that we can write a startup script...
listen=YES
#pasv_promiscuous=YES
pasv_enable=YES
pasv_min_port=5000
pasv_max_port=5500
# You should not need this if you are not going to use it through the web
pasv_address=YOUR.PUBLIC.IP.HERE
ls_recurse_enable=NO
#finally force the ssl connection
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
#point to your certificate and key
rsa_cert_file=/ffp/etc/vsftpd/xxx.crt
rsa_private_key_file=/ffp/etc/vsftpd/xxx.key
Configuration (More Secure)
The following configuration is more secure although it takes a little more effort.
Using the userlist feature of vsftpd has a security implication: the connection is dropped right after the user has provided the username. This can be used (although with a fairly time-consuming brute force attack) to deduce the available usernames on the system. It is better if the user (attacker) has to provide both username and password before she is rejected. This way the attacker won't know whether the username or the password was incorrect, and thus it expands the search space immensely.
The configuration below supports a scenario where a few persons need to share an ftp directory from the Internet. It does this using a master config file which is very strict (empty local_root dir, no upload, no download, guest account, etc.) and then a vsftpd_user_conf dir with a config file per user that relaxes the strict permissions.
joe /ffp/etc/vsftpd.conf
# vsftpd configuration file
#
# This file is for multiple users sharing the same ftp directory but such
# that each user has his own login and the uploaded files are stored with
# each user's userid
#
# Anonymous access is turned off such that only local users can login
#
# The default access is that users are logged in with the guest account without
# download nor upload permissions
# Special privileged users have each a configuration file in the
# etc/vsftpd_user_conf directory where the permissions are relaxed with the
# following configuration:
# write_enable=YES
# download_enable=YES
# guest_enable=NO
# local_root=/mnt/HD_a2/ftp

listen=YES
listen_port=10021
pasv_enable=YES
pasv_address=[YOUR EXTERNAL IP ADDRESS GOES HERE]
# Remember to port forward these ports if you are behind a firewall!
pasv_min_port=10022
pasv_max_port=10099

ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
rsa_cert_file=/ffp/etc/vsftpd/server.pem

# Allow local users to login and chroot them to the specified directory
# Note that chroot_local_user=YES means that text_userdb_names will NOT work!
# The local_root directory is overridden in the per-user configuration file
local_enable=YES
chroot_local_user=YES
local_root=/ffp/var/empty
file_open_mode=0666
local_umask=007

# Show usernames instead of "ftp". This does NOT work when chroot_local_user=YES
text_userdb_names=YES
hide_ids=NO

# By default, local users are logged in under the guest account with the specified userid
guest_enable=YES
guest_username=nobody

# We make a directory of user configuration files such that only the allowed users
# will have access
user_config_dir=/ffp/etc/vsftpd_user_conf

# Disallow upload and download. Can be relaxed in the per-user configuration file
write_enable=NO
download_enable=NO

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftp
secure_chroot_dir=/ffp/var/empty

# Print directory's .message file if it exists
dirmessage_enable=YES

vsftpd_log_file=/ffp/var/log/vsftpd.log
xferlog_enable=YES
xferlog_file=/ffp/var/log/xfer_vsftpd.log
log_ftp_protocol=YES
Now make the per-user configuration files:
mkdir /ffp/etc/vsftpd_user_conf
cd /ffp/etc/vsftpd_user_conf
cat > default_user_config
write_enable=YES
download_enable=YES
guest_enable=NO
local_root=/mnt/HD_a2/ftp
^D
ln -s default_user_config john
ln -s default_user_config jane
Now John and Jane share the same configuration (the symlinks must point at the file that was actually written, default_user_config, and each link must be named exactly like the user it applies to). You can also make a separate file for each user if you want.
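Both configurations above hinge on a handful of settings: ssl_enable with the two force_local_*_ssl directives, the ssl_sslv2/ssl_sslv3 toggles (the first config leaves both on, the stricter one turns SSLv2 off), anonymous_enable, the userlist behaviour discussed at the start of this section, and a pasv_address placeholder that is easy to forget. The script below is an added example, not part of the original page or of vsftpd: it reads a vsftpd.conf and reports each of those points, so it can be run against either config before starting the server. SSLv3 is flagged as well because it is deprecated; that is this example's recommendation, not something the page states.

```shell
#!/bin/sh
# Added example, not part of the original page: a small audit of a vsftpd.conf
# for the settings discussed above. Flags the SSLv2/SSLv3 toggles, missing TLS
# enforcement, anonymous access, the userlist enumeration behaviour the text
# describes, and a pasv_address placeholder that was never replaced.

# conf_get FILE KEY -> prints the value of KEY; the last uncommented
# occurrence wins, empty output if the key is not set at all
conf_get() {
    awk -F= -v k="$2" '/^[ \t]*#/ { next } $1 == k { v = $2 } END { print v }' "$1"
}

# audit_vsftpd_conf FILE -> prints one finding per line and returns their count
audit_vsftpd_conf() {
    f=$1
    findings=0
    note() { echo "$f: $1"; findings=$((findings + 1)); }

    [ "$(conf_get "$f" ssl_enable)" = YES ] || \
        note "ssl_enable is not YES: credentials and data travel in the clear"
    [ "$(conf_get "$f" force_local_logins_ssl)" = YES ] || \
        note "force_local_logins_ssl is not YES: a client may log in without TLS"
    [ "$(conf_get "$f" force_local_data_ssl)" = YES ] || \
        note "force_local_data_ssl is not YES: transfers may bypass TLS"
    [ "$(conf_get "$f" ssl_sslv2)" != YES ] || \
        note "ssl_sslv2=YES: SSLv2 is broken, set it to NO as the stricter config does"
    [ "$(conf_get "$f" ssl_sslv3)" != YES ] || \
        note "ssl_sslv3=YES: SSLv3 is deprecated, set it to NO and keep ssl_tlsv1=YES"
    [ "$(conf_get "$f" anonymous_enable)" != YES ] || \
        note "anonymous_enable=YES: anonymous logins are allowed"
    [ "$(conf_get "$f" userlist_enable)" != YES ] || \
        note "userlist_enable=YES: unknown names are refused before a password is asked, which reveals which usernames exist"
    case "$(conf_get "$f" pasv_address)" in
        *YOUR*|*HERE*|*\[*)
            note "pasv_address still contains the placeholder from the sample config" ;;
    esac

    return $findings
}

# Usage on the NAS:
#   audit_vsftpd_conf /ffp/etc/vsftpd.conf && echo "no findings"
```

conf_get honours vsftpd's own rules loosely (one key=value per line, # starts a comment, later lines override earlier ones), which is enough to read both configs on this page; it does not validate unknown keys, which vsftpd itself refuses at startup.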
Let's start this bad boy
To start it manually, the command is broken up as follows:
vsftpd = tells it to run vsftpd
/ffp/etc/vsftpd.conf = use this config file, not the default, which would be somewhere in /etc instead of /ffp/etc
>/dev/null 2>&1 </dev/null & = discard its output and throw the job in the background
vsftpd /ffp/etc/vsftpd.conf >/dev/null 2>&1 </dev/null &
Once you have seen that it is running and you tested it and it works you can set up a startup script like the one that follows. It has also been tested and works great.
vim /ffp/start/vsftpd.sh
#!/ffp/bin/sh

# PROVIDE: vsftpd
# REQUIRE: LOGIN

. /ffp/etc/ffp.subr

name="vsftpd"
command="/ffp/sbin/vsftpd"
vsftpd_flags="/ffp/etc/vsftpd.conf >/dev/null 2>&1 </dev/null &"
required_files="/ffp/etc/vsftpd.conf"
start_cmd="vsftpd_start"

vsftpd_start()
{
    proc_start_bg "$command"
}
You need to make the script executable so that it runs at startup.
chmod a+x /ffp/start/vsftpd.sh
REBOOT AND YOU ARE DONE!!!