Set up vsftp

What is VSFTPD?

VSFTPD is FTP server software. The first two letters in VSFTPD stand for "very secure". The software was built around the vulnerabilities of the FTP protocol. Nevertheless, you should always remember that there are better solutions for secure transfer and management of files such as SFTP(uses openssh). The FTP protocol is particularly useful for sharing non-sensitive data and is very reliable at that.

Installing VSFTPD

You can quickly install VSFTPD on your server through the command line interface with:

sudo apt-get install vsftpd

Restarting the service

After configuring the server you need to restart the service in order for changes to take effect:

sudo /etc/init.d/vsftpd restart

Configuration

Most VSFTPD's configuration takes place in /etc/vsftpd.conf. The file itself is well-documented, so this section only highlights some important changes you may want to make. For all available options and basic documentation see the man pages:

man vsftpd.conf

Files are served by default from /srv/ftp as per the Filesystem Hierarchy Standard.

Enable Uploading

The "write_enable" flag must be set to YES in order to allow changes to the filesystem, such as uploading:

write_enable=YES

Allow Local Users to Login

In order to allow users in /etc/passwd to login, the "local_enable" directive must look like this:

local_enable=YES

Anonymous Login

The following lines control whether anonymous users can login:

# Allow anonymous login

anonymous_enable=YES
# No password is required for an anonymous login (Optional)
no_anon_password=YES
# Maximum transfer rate for an anonymous client in Bytes/second (Optional)
anon_max_rate=30000
# Directory to be used for an anonymous login (Optional)
anon_root=/example/directory/

Chroot Jail

It is possible to set up a chroot environment, which prevents the user from leaving his home directory. To enable this, add/change the following lines in the configuration file:

chroot_list_enable=YES chroot_list_file=/etc/vsftpd.chroot_list

The "chroot_list_file" variable specifies the file in which the jailed users are contained to.

For a more restrictive environment, you should make the following change:

chroot_local_user=YES

NOTE: This will make local users jailed by default. In this case, the file specified by "chroot_list_file" lists users that are not in a chroot jail.

Because of a recent VSFTPD update, the server will refuse to run the service with writable root inside the chroot folder. An easy way to address this issue is to do the following:

  • Create a new directory within the user's home directory

mkdir /home/username/files
  • Change the ownership of that file to root (the user logging in via FTP cannot have write permissions on this folder)

chown root:root /home/username
  • Make all necessary changes within the "files" subdirectory

Using SSL to Secure FTP

Generate an SSL Cert

The following is just an example. You should read the OpenSSL's documentation so you can end up with a more appropriate configuration. You will be asked a lot of questions, these can be ignored, if you are not planning on having the certificate be part of an intricate chain (refer to the Documentation). This certificate will be used for encryption. If you need your certificate to be trusted with pre-existing software and other institutions, you must get one from a recognized Certificate Authority such as: Thawte, Verisign,...

cd /etc/ssl/certs openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem chmod 600 /etc/ssl/certs/vsftpd.pem

Configure VSFTPD

The following directives will allow clients to use SSL and how they will do it:

ssl_enable=YES
  # To accept anon connections when SSL is enabled on the server
allow_anon_ssl=NO
  # This option will improve performance on limited hardware
force_local_data_ssl=NO
  # To disallow normal FTP logins and only accept SSL encrypted connections
force_local_logins_ssl=YES
  # It is a good idea to enable one or multiple of these for security reasons (see documentation)
ssl_tlsv1=YES
# Choose what you prefer
ssl_sslv2=YES
# Choose what you prefer
ssl_sslv3=YES

# Include the path to your previously generated *.pem file

rsa_cert_file=/etc/ssl/certs/vsftpd.pem
# Include the path to the private key # The *.pem file contains both the key and cert if you used the command above
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem

Revisions

07/18/2014 - 22:42
alimiracle
01/29/2015 - 12:34
Trisquelian
09/22/2024 - 09:04
knife