Revision of Set up vsftp from Fri, 07/18/2014 - 22:42
What is vsftpd:
The first two letters of vsftpd stand for "very secure", and the program was built to have the strongest protection against possible FTP vulnerabilities.
Install vsftpd:
You can quickly install vsftpd on your virtual private server in the command line:
sudo apt-get install vsftpd
Configuration
Most of the settings in vsftpd are made by editing the file /etc/vsftpd.conf. The file itself is well documented, so this section only highlights some important settings you may want to change. For all available options and documentation, run man 5 vsftpd.conf (or visit the vsftpd.conf online manpage). Files are served by default from /srv/ftp.
Enabling uploading:
The write_enable option must be set to YES in /etc/vsftpd.conf in order to allow changes to the filesystem, such as uploading:
write_enable=YES
Local user login
One must set the following line in /etc/vsftpd.conf to allow users in /etc/passwd to log in:
local_enable=YES
Anonymous login
The following lines in /etc/vsftpd.conf control whether anonymous users can log in:
# Allow anonymous login
anonymous_enable=YES
# No password is required for an anonymous login
no_anon_password=YES
# Maximum transfer rate for an anonymous client in Bytes/second
anon_max_rate=30000
# Directory to be used for an anonymous login
anon_root=/example/directory/
Chroot jail:
One can set up a chroot environment which prevents users from leaving their home directory. To enable this, add the following lines to /etc/vsftpd.conf:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
The chroot_list_file variable specifies the file which contains users that are jailed.
For a more restricted environment, one can specify the line:
chroot_local_user=YES
This will make local users jailed by default. In this case, the file specified by chroot_list_file lists users that are not in a chroot jail.
Because of a recent vsftpd upgrade, vsftpd is "refusing to run with writable root inside chroot". A handy way to address this issue is to take the following steps:
1. Create a new directory within the user's home directory
mkdir /home/username/files
2. Change the ownership of the home directory to root, so that the chroot root is no longer writable by the user
chown root:root /home/username
3. Make all necessary changes within the "files" subdirectory
Using SSL to Secure FTP:
Generate an SSL certificate, for example:
# cd /etc/ssl/certs
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
# chmod 600 /etc/ssl/certs/vsftpd.pem
You will be asked a lot of questions about your company etc. As your certificate is not a trusted one, it doesn't really matter what you fill in. You will use it for encryption only. If you plan to use this where trust matters, get a certificate from a CA like Thawte, VeriSign etc.
Edit your configuration in /etc/vsftpd.conf:
# this is important
ssl_enable=YES
# choose what you like; if you accept anonymous connections
# you may want to enable this
# allow_anon_ssl=NO
# choose what you like; NO leaves the data channel unencrypted
# in exchange for performance
# force_local_data_ssl=NO
# choose what you like
force_local_logins_ssl=YES
# you should at least enable this if you enable ssl
ssl_tlsv1=YES
# SSLv2 is obsolete and insecure; keep it disabled
ssl_sslv2=NO
# SSLv3 is obsolete and insecure; keep it disabled
ssl_sslv3=NO
# give the correct path to the *.pem file you just generated
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
# the *.pem file contains both the key and the cert
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
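Checking a configuration:
The script below is an added example, not part of the original page or of vsftpd. It audits a vsftpd.conf for the options covered above (TLS protocol versions, forced encryption, key file mode, chroot, anonymous login). The function names, the finding labels and the sample configuration are made up for illustration, and the option defaults are assumed from vsftpd.conf(5).

```sh
#!/bin/sh
# Added example, not from the original page. Option defaults are assumed
# from vsftpd.conf(5); the last uncommented KEY=value line is taken to win.

# opt FILE KEY DEFAULT -> effective value of KEY
opt() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r')
    echo "${v:-$3}"
}

# on FILE KEY DEFAULT -> true when the effective boolean value is YES
on() { [ "$(opt "$1" "$2" "$3" | tr 'a-z' 'A-Z')" = YES ]; }

# vsftpd_audit FILE -> one finding per line; prints nothing if all checks pass
vsftpd_audit() {
    f=$1
    if on "$f" ssl_enable NO; then
        on "$f" ssl_sslv2 NO && echo "WEAK: ssl_sslv2=YES (SSLv2 is obsolete)"
        on "$f" ssl_sslv3 NO && echo "WEAK: ssl_sslv3=YES (SSLv3 is obsolete)"
        on "$f" force_local_logins_ssl YES ||
            echo "CLEARTEXT: force_local_logins_ssl=NO exposes passwords"
        on "$f" force_local_data_ssl YES ||
            echo "CLEARTEXT: force_local_data_ssl=NO exposes file contents"
        key=$(opt "$f" rsa_private_key_file "$(opt "$f" rsa_cert_file "")")
        if [ -f "$key" ] && [ "$(ls -lLd "$key" | cut -c5-10)" != "------" ]; then
            echo "PERMS: $key is accessible to group/other (expected mode 600)"
        fi
    elif on "$f" local_enable NO; then
        echo "CLEARTEXT: local_enable=YES without ssl_enable=YES"
    fi
    if on "$f" local_enable NO && ! on "$f" chroot_local_user NO &&
        ! on "$f" chroot_list_enable NO; then
        echo "CHROOT: local users are not jailed"
    fi
    on "$f" anonymous_enable YES && echo "ANON: anonymous login is enabled"
    return 0
}

# Constructed sample configuration with the legacy protocols switched on
sample_conf() {
    printf '%s\n' local_enable=YES chroot_local_user=YES anonymous_enable=NO \
        ssl_enable=YES force_local_logins_ssl=YES ssl_tlsv1=YES \
        ssl_sslv2=YES ssl_sslv3=YES rsa_cert_file=/nonexistent/vsftpd.pem
}

tmp=$(mktemp) && sample_conf > "$tmp" && vsftpd_audit "$tmp"
rm -f "$tmp"
```

Run against the constructed sample it reports the two WEAK findings; call vsftpd_audit /etc/vsftpd.conf as root to check a live server, since the key file mode test needs to see the file.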