Howto: Easy FTP with vsftpd
I like vsftpd. It's very very simple to configure.
Now let's get to the point.
Installation
Code:
sudo apt-get install vsftpd
This installs ssl-cert, openssl and vsftpd, only with anonymous login and just for downloads from a jailed /home/ftp/.
Configuration
Make a copy of the original configuration file. It is very well commented. Keep a copy to have the original settings and comments, just in case.
Code:
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original
Now edit the file /etc/vsftpd.conf and change it's settings as follows.
Basic Setup
To disable anonymous login and to enable local users login and give them write permissions:
Code:
# No anonymous login
anonymous_enable=NO
# Let local users login
# If you connect from the internet with local users, you should enable TLS/SSL/FTPS
local_enable=YES
# Write permissions
write_enable=YES
NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords. If you do need to transfer files over FTP, consider the use of virtual users (same system users but with non system passwords) or TLS/SSL/FTPS (see below).
To chroot users
To jail/chroot users (not the vsftpd service), there are three choices. Search for "chroot_local_users" on the file and consider one of the following:
Code:
# 1. All users are jailed by default:
chroot_local_user=YES
chroot_list_enable=NO
# 2. Just some users are jailed:
chroot_local_user=NO
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.
# 3. Just some users are "free":
chroot_local_user=YES
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.
To deny (or allow) just some users to login
To deny some users to login, add the following options in the end of the file:
Code:
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users
In the file /etc/vsftpd.denied_users add the username of the users that can't login. One username per line.
To allow just some users to login:
Code:
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users
In the file /etc/vsftpd.allowed_users add the username of the users that can login.
The not allowed users will get an error that they can't login before they type their password.
TLS/SSL/FTPS
NOTE: you definitely have to use this if you connect from the Internet.
To use vsftpd with encryption (it's safer), change or add the following options (some options aren't on the original config file, so add them):
Code:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
#listen_port=990
No need to create a certificate. vstfpd uses the certificate Ubuntu creates upon it's installation, the "snake-oil" certificate (openssl package, installed by default). Please don't be afraid of it's name!
Install Filezilla (on the repositories), and use the Servertype "FTPES - FTP over explicit TLS/SSL" option to connect to the server with TLS/SSL/FTPS.
Additional Options
Here are some other available options. The values are examples:
Code:
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP:
max_per_ip=2
# Maximum number of clients:
max_clients=20
Apply new configuration settings
Don't forget that to apply new configurations, you must restart the vsftpd service.
Code:
sudo /etc/init.d/vsftpd restart
Webmin Module
For those who use webadmin, there is a module for VSFTPD here
Firewall Problems
If you find problems when connecting, set pasv_min_port and pasv_max_port in /etc/vsftpd.conf and allow outbound connections in the ports you set in your firewall.
Code:
pasv_min_port=12000
pasv_max_port=12100
Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd
Virtual users are users that do not exist on the system - they are not in /etc/passwd, do not have a home directory on the system, can not login but in vsftpd - or if they do exist, they can login in vsftpd with a non system password - security.
You can set different definitions to each virtual user, granting to each of these users different permissions. If TLS/SSL/FTPS and virtual users are enabled, the level of security of your vsftpd server is increased: encrypted passwords, with passwords that are not used on the system, and users that can't access directly to their home directory (if you want).
The following example is based and adapted on the example for virtual users in vsftpd site, on documentation and the very good examples in this forum that can be found here and here.
From the FAQ in vsftpd site:
Quote:
Note - currently there is a restriction that with guest_enable enabled, local
users also get mapped to guest_username.
This is a polite way to say that if the default vsftpd PAM file is used, the system users will be guests too. To avoid confusions change the PAM file used by vsftpd to authenticate only virtual users, make all vsftpd users as virtual users and set their passwords, home and permissions based on this example.
The workshop
This is an example for a work directory where various virtual users can save (upload) their work - in this case it will be /home/work, that must be owned by the guest_username (workers).
Create the system user (workers) and the work directory (/home/work) to be used by the virtual users in vsftpd where they will upload their work in it:
Code:
# Don't use -m (--create-home) option. This avoids creating a home
# directory based on /etc/skel (.bash* and .profile files).
sudo useradd -d /home/work workers
sudo mkdir /home/work
sudo chown workers /home/work
Create directories to save the virtual users definitions.
Code:
sudo mkdir /etc/vsftpd
sudo mkdir /etc/vsftpd/vusers
Change the PAM authentication in vsftpd.conf and create a new PAM file that uses the pam_userdb module to provide authentication for the virtual users.
If you still didn't do it, make a backup copy of your vsftpd.conf or make a backup copy of the default one (it is a very good starting point and it is very well commented, as I previously wrote).
Edit the default /etc/vsftpd.conf:
Code:
sudo nano /etc/vsftpd.conf
Change the line anonymous=YES, uncomment local_enable=YES and change pam_service_name=vsftpd:
Code:
# Disable anonymous_enable is optional.
anonymous_enable=NO
...
local_enable=YES
...
pam_service_name=ftp
Then add the TLS/SSL/FTPS definitions (from above) in the end of the file and after it also add:
Code:
# Enable (only) guests.
guest_enable=YES
# This is not needed, it's the default. Just here for clarity.
guest_username=ftp
# Where the guests (virtual) usernames are set.
user_config_dir=/etc/vsftpd/vusers
The default settings in vsftpd.conf are restricted just for anonymous user that can download from /home/ftp, are chrooted there and can't upload nor create directories. Virtual users are treated as anonymous users by vsftpd. We have disabled anonymous logins, enabled local_users (virtual users in this case, authenticated by the PAM file we will create) and enabled guests (local users - guests - will be virtual users).
The rest of the options are the default ones, so nobody can upload and because we set guest_enable=YES, if a username exists and have an empty username file, it will be treated as an anonymous user ("ftp" user). We added the TLS/SSL/FTPS so no cleartext passwords are used in the connections.
Now you will override the vsftpd.conf settings for each username individually with files in the directory /etc/vsftpd/vusers wich was set in "user_config_dir=" option. Lets continue.
Create the new file /etc/pam.d/ftp for the new authentication system:
Code:
sudo nano /etc/pam.d/ftp
And add the following content:
Code:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
Create a file with the virtual usernames and passwords that can login (one line for username, one line for password and so on for all the users) and call it "logins.txt":
Code:
mike
password1
sarah
password2
Install libdb3-util, create the login database with the file logins.txt and restrict permissions to the database:
Code:
sudo apt-get install libdb3-util
sudo db3_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db
sudo chmod 600 /etc/vsftpd/vsftpd_login.db
# This is not safe, you should delete this file.
sudo chmod 600 logins.txt
Create a file for the workers settings (mike and sarah on logins.txt):
Code:
sudo nano /etc/vsftpd/workers
Add the new definitions for this users (remember that virtual users are treated as anonymous users by default on vsftpd, default anonymous settings are set on /etc/vsftpd.conf):
Code:
write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
local_root=/home/work
chroot_local_user=YES
dirlist_enable=YES
download_enable=YES
guest_username=workers
Link this file to the workers usernames in /etc/vsftpd/vusers/, so that any change made at /etc/vsftpd/workers is applied to all workers (after you restart vsftpd).
Code:
sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/mike
sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/sarah
If this was suppose to be for web development, you would add this directory in apache, make it an available site and enable it as an enabled website.
Restart vsftpd.
System users as a virtual user with non-system password
The next example file for one user, like a system user. Add his username and a password - not the system one please, just to be a little bit safer - in logins.txt and repeat the db3_load command. Create a file named after his username inside /etc/vsftpd/vusers/:
Code:
sudo nano /etc/vsftpd/vusers/user
And save the following in it:
Code:
write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
chroot_local_user=YES
# change /home/user to the actual user home directory.
local_root=/home/user
dirlist_enable=YES
download_enable=YES
guest_username=user
As you can see, guest_username is important because it will be the user that owns the uploaded files on the directories owned by the guest_username and only files owned by this guest_username can be deleted by him (if you allow it). If you don't set a guest_username, then the "ftp" user will be the used (default in /etc/vsftpd.conf). If you create an empty file of a username present in /etc/vsftpd/vsftpd_login.db (logins.txt), this user will only have the permissions set to anonymous users in /etc/vsftpd.conf, his default home directory will be /home/ftp/ and the owner of the files he uploads (if you allow him and the directory is owned by ftp) will be "ftp".
Only usernames in both /etc/vsftpd/vsftpd_login.db (logins.txt) AND with a file in /etc/vsftpd/vusers/ can login. So, the username can't login if:
- If a file exist in /etc/vsftpd/vusers/ but the username is not in /etc/vsftpd/vsftpd_login.db (logins.txt) - you can add filenames that aren't on the database, no harm done.
- If the username is in /etc/vsftpd/vsftpd_login.db (logins.txt) but do not exist in /etc/vsftpd/vusers/ - you can disable logins, just (re)move/rename the file(s) and/or link(s).
Restart vsftpd.
EDIT1: removed SFTP reference in TLS/SSL/FTPS section
EDIT2: added virtual users configuration.
EDIT3: added allow/deny userlist.
Create SSL Certificate
Type the following command to create self-signed certificate (you can also use certificate issued by 3rd party CA):
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Sample output:
Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra
Locality Name (eg, city) [Newbury]:Pune
Organization Name (eg, company) [My Company Ltd]:nixCraft Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftp.nixcraft.net.in
Email Address []:vivek@nixcraft.net.in
Edit the vsftpd configuration file, enter:
# vi vsftpd.conf
Add or correct the following configuration option:
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem
Restart the ftp server:
# service vsftpd restart
# netstat -tulpn | grep :21
Test SSL Aware FTP Server With ftp-ssl
ftp-ssl is the FTP client with SSL or TLS encryption support. Install ftp-ssl under Debian / Ubuntu desktop, enter:
$ sudo apt-get update
$ sudo apt-get install ftp-ssl
Sample ssl aware ftp session:
$ ftp-ssl ftp.nixcraft.net.in
Sample output:
Connected to ftp.nixcraft.net.in.
220-NOTICE TO USERS
220-
220-Use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
220
Name (ftp.nixcraft.net.in:sayali): vivek
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
lftp is a file transfer program that allows sophisticated ftp, ftp-ssl, http and other connections to other hosts. Use lftp as follows (it is available under all UNIX / BSD / Linux distributions)
$ lftp -u vivek -e 'set ftp:ssl-force true' ftp.nixcraft.net.in
List of SSL Aware FTP Client
lftp UNIX / Linux client is also SSL aware client. It needs to compiled with OpenSSL (configure --with-openssl).
WinSCP FTP / SFTP / SCP client
Fireftp Cross-platform: Windows, Mac OS X, Linux FTP / SFTP / SCP client
FreeBSD /usr/ports/ftp/ftp-tls/ - Ftp client based on the OpenBSD ftp client code, implements the FTP AUTH TLS IETF draft.
This blog post is 3 of 5 in the "Redhat / CentOS VSFTPD FTP Server Tutorial" series. Keep reading the rest of the series:
转自: