This is an old revision of the document!


This is my first attempt at documentation so please don't hold anything against me if it is not clear. I like “vim” as my editor and have that installed so I will use that but feel free to use any other editor like “joe” if you feel more comfortable with it. Thanks to fonz for helping me out with my installation. This wouldn't be possible without him!

Why USE VSFTP?

Well you may have a different reason but mine was that I simply wanted more control over my ftp client and I wanted to force my users to use some sort of encryption. I have the DNS-321 which is a great little device and according to my reading these instructions should work for the dns-323 and well any CH3SNAS device.

How to vsftpd

First step is of course install fun-plug. You can find the wiki http://wiki.dns323.info/howto:fun_plug and that should get you going. or you can use these instructions http://www.iterasi.net/openviewer.aspx?sqrlitid=1hqeasef7eavz8rdkus60a which were the original ones I used.

Installation

Log into your device using ssh or telnet and download the package using rsync. The packages are already precompiled so its actually pretty simple to do.

cd /ffp/pkg/
rsync -av --delete inreto.de::dns323/fun-plug/0.5/extra-packages/All/vsftpd-2.0.7-2.tgz .

(note the version number at the time of my install this was the latest and greatest)

Now you have the package so lets install it.

funpkg -i vsftpd-2.0.7-2.tgz

You should see some notes about it having been installed correctly…

Some Prep Work

We need to set up some stuff before we continue.

To make things neet lets create a vsftd folder

mkdir -p  /ffp/etc/vsftpd

Lets also make the chroot directory. Note: I am still not 100% sure what it is for but read that it has something to do with security and it's a good thing to have. If anyone has any better insight feel free to update this…

mkdir -p /ffp/var/empty

I also like to periodically check logs so I keep all my logs in /ffp/var/log lets create that directory as well.

mkdir -p /ffp/var/log

Adding FTP Users and CHROOTING

Let's make the necessary user and chroot files

cd /ffp/etc/vsftpd
vim vsftpd.chroot_list

File contents should look like this assuming you want “john” & “jane” to be chrooted

john
jane

Of course if you dont care just leave the file empty but I would create it anyway.

cd /ffp/etc/vsftpd
vim vsftpd.user_list

File contents should look like this with all the users you want to give access to.

harry
john
jane
bob
marry

By the way these must be real users on your box. If they dont exist you must create them.

Adding Users to your box

You can check which users exist in your box by seeing the contents of your /etc/passd file

By default after installation of fun-plug yours should look like this

vim /etc/passwd
root:x:0:0:Linux User,,,:/mnt/HD_a2/home/root:/ffp/bin/sh
admin:x:500:500:Linux User,,,:/home/admin:/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/bin/sh
sshd:x:33:33:sshd:/:/bin/false

now we add a user using the useradd command heres a brief example -d = home directory this is where your user will be chrooted -s = shell /bin/sh is like a false shell to my understanding

useradd bob
passwd bob  (enter your password twice)
usermod -d /mnt/HD_a2/bob bob
usermod -s /bin/sh bob

Ok now we added our user bob so we can see the /etc/passwd file has changed.

vim /etc/passwd
root:x:0:0:Linux User,,,:/mnt/HD_a2/home/root:/ffp/bin/sh
admin:x:500:500:Linux User,,,:/home/admin:/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/bin/sh
sshd:x:33:33:sshd:/:/bin/false
bob:x:508:702:some random comment goes here not really important:/mnt/HD_a2/bob:/bin/sh

:!: But wait don't go too fast! We need to save our changes because if we reboot now that user we just added will go bye-bye.

store-passwd.sh

Ok at this point we have our users, user_list and chrootlist files, our log directory set up, our chroot directory set up, and the pachkage installed. The last thing that needs to be done is to set up the certificate file and key, configure the server and write our startup script. We are almost there I promise.

To create your ssl key and crt files

:!: if you dont have openssl installed on your box follow this section below otherwise skip to the next section

cd /ffp/pkg/
rsync -av --delete inreto.de::dns323/fun-plug/0.5/packages/openssl-0.9.8k-1.tgz .

(note the version number at the time of my install this was the latest and greatest)

Now you have the package so lets install it.

funpkg -i openssl-0.9.8h-1.tgz

You should see some notes about it having been installed correctly…

Continue here if you already have openssl installed

Step 1: Generate a Private Key

    openssl genrsa -des3 -out server.key 1024
 
    Generating RSA private key, 1024 bit long modulus
    .........................................................++++++
    ........++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request) Note: When I put a passord in the challenge it kept failing on me so left it blank and it worked. I am not sure if that is a bug with openssl…

openssl req -new -key server.key -out server.csr
 
    Country Name (2 letter code) [US]:US
    State or Province Name (full name) [Florida]:Florida
    Locality Name (eg, city) [Miami]:Miami
    Organization Name (eg, company) [My Company Ltd]:urbanlime.com
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:www.urbanlime.com
    Email Address []:noatmaildotcom
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Step 3: Remove Passphrase from Key

    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
 
    -rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
    -rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
    -rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Step 4: Generating a Self-Signed Certificate (Generate a temporary certificate which is good for 365 days)

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    Signature ok
    subject=/C=US/ST=Florida/L=Miami/CN=www.urbanlime.com/Email=noatmaildotcom
    Getting Private key

Step 5: Installing the Private Key and Certificate

  cp server.crt /ffp/etc/vsftpd/xxx.crt
  cp server.key /ffp/etc/vsftpd/xxx.key

This completes the SSL portion lets move on to the configuration

Alternate Creation of SSL

Another way to create the SSL is to use the following command:

openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem

Configuration

cd /ffp/etc
vim vsftpd.conf

The following is a tested working configuration which requires TLS authentication.

#The chroot dir
secure_chroot_dir=/ffp/var/empty
#dont allow anonymous users
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
connect_from_port_20=YES
chown_uploads=NO
xferlog_enable=YES
xferlog_std_format=YES
#set your location for your logs if you want them
xferlog_file=/ffp/var/log/vsftpdxf.log
vsftpd_log_file=/ffp/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
nopriv_user=nobody
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Your Fancy Banner Here!
#The following will allow you to put specific users in a chroot so that they cant move back from the chroot dir
chroot_list_enable=YES
#file to keep the chroot users
chroot_list_file=/ffp/etc/vsftpd/vsftpd.chroot_list
userlist_deny=NO
userlist_enable=YES
#file to keep all users able to access ftp
userlist_file=/ffp/etc/vsftpd/vsftpd.user_list
#background=YES
#enable the listen to allow the ftp to listen we use this also so that we can write a startup script...
listen=YES
#pasv_promiscuous=YES
pasv_enable=YES
pasv_min_port=5000
pasv_max_port=5500
# You should not need this if you not going to use it through the web
pasv_address=YOUR.PUBLIC.IP.HERE
ls_recurse_enable=NO
#finally force the ssl connection
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
#point to your certificate and key
rsa_cert_file=/ffp/etc/vsftpd/xxx.crt
rsa_private_key_file=/ffp/etc/vsftpd/xxx.key

Configuration (More Secure)

The following configuration is more secure although it takes a little more effort.

Using the userlist feature of vsftpd has a security implication: The connection is dropped right after the user has provided the username. This can be used (although with a fairly time-comsuming brute force attack) to deduce the available usernames on the system. It is better if the user (attacker) has to provide both username and password before she is rejected. This way the attacker won't know whether the username or the password was incorrect and thus it expands the search space immensely.

The configuration below supports a scenario where a few persons need to share a ftp directory from the Internet. It does this using a master config file which is very strict (empty local_root dir, no upload, no download, guest account, etc.) and then there is a vsftpd_user_conf dir with a config file per user that relaxes the strict permissions.

joe /ffp/etc/vsftpd.conf
# vsftpd configuration file
#
# This file is for multiple users sharing the same ftp directory but such
# that each user has his own login and the uploaded files are stored with
# each user's userid
#
# Anonymous access is turned off such that only local users can login
#
# The default access is that users are logged in with the guest account without
# download nor upload permissions
# Special priviledged users have each a configuration file in the
# etc/vsftpd_user_conf directory where the permissions are relaxed with the
# following configuration:
#   write_enable=YES
#   download_enable=YES
#   guest_enable=NO
#   local_root=/mnt/HD_a2/ftp


listen=YES
listen_port=10021
pasv_enable=YES
pasv_address=[YOUR EXTERNAL IP ADDRESS GOES HERE]
# Remember to port forward these ports if you are behind a firewall!
pasv_min_port=10022
pasv_max_port=10099

ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
rsa_cert_file=/ffp/etc/vsftpd/server.pem

# Allow local users to login and chroot them to the specified directory
# Note that chroot_local_user=YES means that text_userdb_names will NOT work!
# The local_root directory is overriden in the per-user configuration file
local_enable=YES
chroot_local_user=YES
local_root=/ffp/var/empty
file_open_mode=0666
local_umask=007
# Show usernames instead of "ftp". This does NOT work when chroot_local_user=YES
text_userdb_names=YES
hide_ids=NO

# By default, local users are logged in under the guest account with the specified userid
guest_enable=YES
guest_username=nobody

# We make a directory of user configuration files such that only the allowed users
# will have access
user_config_dir=/ffp/etc/vsftpd_user_conf

# Disallow upload and download. Can be relaxed in the per-user configuration file
write_enable=NO
download_enable=NO

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftp
secure_chroot_dir=/ffp/var/empty

# Print directory's .message file if it exists
dirmessage_enable=YES

vsftpd_log_file=/ffp/var/log/vsftpd.log
xferlog_enable=YES
xferlog_file=/ffp/var/log/xfer_vsftpd.log
log_ftp_protocol=YES

Now make the per-user configuration files:

mkdir /ffp/etc/vsftpd_user_conf
cd /ffp/etc/vsftpd_user_conf
cat > default_user_config
write_enable=YES
download_enable=YES
guest_enable=NO
local_root=/mnt/HD_a2/ftp
^D
ln -s default john
ln -s default jane

Now John and Jane share the same configuration. You can also make special files to each if you want.

Lets start this bad boy

To start it manually the command is broken up as follows

vsftpd = tells it to run vsftpd /ffp/etc/vsftpd.conf = use this config file not default which would be somewhere in /etc instead of /ffp/etc

/dev/null 2>&1 </dev/null & = throw the job in the background
vsftpd /ffp/etc/vsftpd.conf >/dev/null 2>&1 </dev/null &

Once you have seen that it is running and you tested it and it works you can set up a startup script like the one that follows. It has also been tested and works great.

vim /ffp/start/vsftpd.sh
#!/ffp/bin/sh
 
# PROVIDE: vsftpd
# REQUIRE: LOGIN
 
. /ffp/etc/ffp.subr
 
name="vsftpd"
command="/ffp/sbin/vsftpd"
vsftpd_flags="/ffp/etc/vsftpd.conf"
required_files="/ffp/etc/vsftpd.conf"
start_cmd="vsftpd_start"
 
vsftpd_start()
{
  proc_start_bg "$command"
}
 
run_rc_command "$1"

You need to change the permissions to allow it to start up

chmod a+x /ffp/start/vsftpd.sh

REBOOT AND YOU ARE DONE!!! 8-)


Navigation

Personal Tools