Installing and configuring vsftpd FTP server on Linux
Written by Cristian Ciobanu
Friday, 18 March 2011 19:00

Introduction

FTP (File Transfer Protocol) is a well-known network protocol used to transfer files between hosts on the Internet or on local networks. The protocol is based on a client-server architecture: an FTP client connects to an FTP server and downloads or uploads files. From a networking perspective there are two main modes of FTP, active and passive. In active mode the FTP server initiates the data connection back to the client; in passive mode the data connection is initiated by the client. The vsftpd (Very Secure FTP Daemon) program is a popular FTP server, is used by major FTP sites and ships with many Linux distributions. vsftpd was designed to be fast, stable and secure.

Installing vsftpd

If the vsftpd package is not already installed, you can install it with one of the following commands, depending on your Linux distribution. On an RPM-based distribution such as Red Hat, CentOS or Fedora, use the yum command:

# yum install vsftpd

On Debian-based distributions use the apt-get command:

# apt-get install vsftpd

SUSE comes with a similar package management tool called zypper. To install vsftpd, use the following command:

# zypper install vsftpd

If you decide to install vsftpd from source you can get the latest version available here. After downloading it, extract the archive with the tar command, change into the newly created directory and compile the source files. Assuming the archive was downloaded to the /usr/local folder, run the following sequence of commands to install it:

# tar xzvf vsftpd-2.3.4.tar.gz
# cd vsftpd-2.3.4
# make
# make install

All of these installation methods require superuser privileges on the system. If you used one of the package management tools described above, the vsftpd server should be started automatically after installation and be ready to use.

Configuring vsftpd service

The server can be started in two modes: through the xinetd superserver, or in standalone mode using an "/etc/init.d" startup script. In both cases the configuration file, named vsftpd.conf, is located in the /etc or /etc/vsftpd directory, depending on your distribution. This file controls the various aspects of the FTP server. Each directive in the configuration file has the format option=value. Comments are permitted by placing a hash character "#" at the beginning of a line. If you want to run vsftpd in standalone mode, open the vsftpd.conf configuration file and make sure the "listen" directive is uncommented and set to "YES".

listen=YES

If you want to run vsftpd as an xinetd service, edit the vsftpd.conf configuration file and set the "listen" directive to "NO". Then open the /etc/xinetd.d/vsftpd file in a text editor and add the following lines:

# default: off
# description: The vsftpd FTP server serves FTP connections. It uses\
# normal, unencrypted usernames and passwords for authentication.
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
nice = 10
}

Here the vsftpd server is started as an xinetd service under the root account with a nice value of 10. After adding the lines above, save the file and restart the xinetd service with the following command:

# /etc/init.d/xinetd restart

Configuring vsftpd network options

By default vsftpd listens on port 21 for incoming connections from FTP clients. To increase security you can change the default listening port with the listen_port directive.

listen_port=2021

By default vsftpd imposes no restrictions on transfer speed, on the maximum number of connected users, or on the number of connections from the same IP. If your FTP server is under heavy load, you can limit these with the following directives:

local_max_rate=524288
max_clients=100
max_per_ip=10

In the above example the local_max_rate directive limits the transfer rate to 512 KB/second (the value is given in bytes per second). The max_clients directive allows up to 100 simultaneous connections in total, and max_per_ip limits the number of connections from a single IP to 10. The default value for all three directives is 0, which means no restriction.

vsftpd can also display a banner when a client logs in. The banner is customized with the ftpd_banner directive:

ftpd_banner=Welcome to Cioby's FTP server

vsftpd supports both connection modes, active and passive. Both are enabled by default through the following options:

pasv_enable=YES
port_enable=YES

Note: be careful when disabling passive mode, because clients connecting from behind a firewall will be unable to establish data connections.

Setting vsftpd as an anonymous FTP server

An anonymous FTP server allows anyone to log in with the username ftp or anonymous and an e-mail address as the password, in order to download or upload files. This kind of setup is useful for public FTP sites where files are made available to the general public. A default installation of vsftpd allows anonymous access to the FTP server. This is enabled by setting the anonymous_enable directive to "YES" in the vsftpd.conf configuration file.

anonymous_enable=YES

Normally all Linux distributions have a preconfigured user account called "ftp". This is a non-privileged system account without shell access, used specifically for anonymous FTP access, and it is required for anonymous FTP to work. To verify that the account exists on your server, use the following command:

# getent passwd ftp

This will output something similar to the below:

ftp:x:114:65534:FTP User:/home/ftp:/bin/false

If the account does not exist, create it manually with the useradd utility:

# useradd -c "FTP User" -d /home/ftp -r -s /bin/false ftp

In the default configuration of vsftpd as an anonymous FTP server, anonymous users have read-only access to the directory set in the "home directory" field of the /etc/passwd entry for the ftp account, in our case "/home/ftp". You can change this path with the anon_root directive in vsftpd.conf and point it to the new location.

anon_root=/var/ftp/data

If you need to enable write access for anonymous users, set anon_upload_enable to "YES" along with the write_enable directive. Anonymous users will then be able to upload files, provided they have the proper permissions in the upload directory.

anon_upload_enable=YES
write_enable=YES

There are many other options regarding anonymous users that can be tweaked. For details please consult the vsftpd.conf manpage at http://vsftpd.beasts.org/vsftpd_conf.html.

Configuring vsftpd for local users

If you manage a private FTP server, anonymous access should be disabled. Instead you can configure the FTP server to allow access to the local user accounts defined on the server. To do this, set the local_enable directive to "YES".

local_enable=YES

With this setting, users defined in the /etc/passwd file have read-only FTP access to their home directories. If you wish to grant upload rights to your users, you must also use the write_enable directive.

write_enable=YES

The write_enable option permits the commands that change the file system, such as creating, renaming and deleting files and directories. You can also control the permissions of uploaded files with the local_umask directive (the default value set in vsftpd.conf is 022, which yields mode 644: read and write for the owner, read-only for everyone else).

local_umask=022

Controlling vsftpd access

vsftpd supports several options that allow you to control which users can log into the FTP server and which folders they can access. By default all user accounts defined in the /etc/passwd file (except system accounts) can connect to the FTP server. You can limit access to a list of specific users with a few directives in the configuration file.

The userlist_enable option controls which users can access FTP by consulting the file named by the userlist_file option (usually vsftpd.user_list, located in the same directory as the configuration file). With vsftpd's default of userlist_deny=YES, the listed users are denied access; setting userlist_deny=NO turns the file into an allow list instead.

userlist_enable=YES
userlist_file=vsftpd.user_list

Local user accounts granted FTP access can change to directories above their home directory and browse the file system, subject to the permissions set there. You can disable this behaviour by restricting each user to their home directory (chroot). This kind of setup is commonly used on shared web servers. To enable it, use the chroot_local_user directive.

chroot_local_user=YES

When this directive is enabled, all local users are jailed to their home directories after logging in. Furthermore, you can use the chroot_list_enable directive along with the chroot_list_file directive to specify exactly which users are chrooted and which are not.

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

When these directives are used together, only the users listed in the vsftpd.chroot_list file are restricted to their home directories. If the chroot_local_user directive is also enabled, the meaning of the list is inverted: the local users listed in the file named by chroot_list_file are the ones that are not placed in a chroot jail upon login.
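To make the interplay of chroot_local_user and chroot_list_enable concrete, here is an added example (not code from the original article) that reads a vsftpd.conf and its chroot list and reports whether a given local user ends up jailed. The configuration files, list contents and user names below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: work out from a vsftpd.conf
# (and its chroot list) whether a given local user lands in a chroot jail.
# Encodes the four chroot_local_user / chroot_list_enable combinations
# described above. All file contents and paths below are constructed.

# conf_get FILE OPTION: value of OPTION in FILE (comments ignored, last one wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# vsftpd_user_chrooted CONF USER: exit 0 if USER is confined to its home directory
vsftpd_user_chrooted() {
    conf=$1; user=$2
    chroot_all=$(conf_get "$conf" chroot_local_user)
    list_on=$(conf_get "$conf" chroot_list_enable)
    list_file=$(conf_get "$conf" chroot_list_file)
    list_file=${list_file:-/etc/vsftpd.chroot_list}   # vsftpd's default path
    if [ "$list_on" = "YES" ] && [ -r "$list_file" ] && grep -qx "$user" "$list_file"; then
        # listed users get the opposite of the global setting:
        # exempt when chroot_local_user=YES, jailed when it is NO
        [ "$chroot_all" != "YES" ]
    else
        [ "$chroot_all" = "YES" ]
    fi
}

# Constructed demo: two configs sharing one chroot list that names "webadmin".
DEMO=$(mktemp -d)
printf 'webadmin\n' > "$DEMO/chroot_list"
# Shared-hosting style: everyone jailed except the users in the list.
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$DEMO/chroot_list" > "$DEMO/jail_all.conf"
# Opposite policy: nobody jailed except the users in the list.
printf 'chroot_local_user=NO\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$DEMO/chroot_list" > "$DEMO/jail_listed.conf"

for conf in jail_all jail_listed; do
    for user in cioby webadmin; do
        if vsftpd_user_chrooted "$DEMO/$conf.conf" "$user"; then
            echo "$conf: $user is chrooted"
        else
            echo "$conf: $user is NOT chrooted"
        fi
    done
done
```

Point the function at your real vsftpd.conf to confirm, before opening the server to users, that the jail policy matches what you intended.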

Logging FTP Connections

By default vsftpd maintains a log of all downloads and uploads, because the xferlog_enable directive is turned on.

xferlog_enable=YES

When enabled, vsftpd logs connections (in vsftpd format only) and file transfer information to the log file specified by the vsftpd_log_file directive. The default location of this file is /var/log/vsftpd.log.

vsftpd_log_file=/var/log/vsftpd.log

This log file records information such as a time stamp, the username and IP address of the client, and the files being transferred. vsftpd can also log to syslog: if the syslog_enable directive is set, the vsftpd.log file is not written and the output is sent to the system log instead.
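Because the log carries the client IP and the outcome of each login, it is a natural input for simple detection. The following added example (not from the original article) counts "FAIL LOGIN" entries per client IP over a constructed vsftpd-format log; the log lines, addresses and threshold are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: spot repeated failed logins
# per client IP in a vsftpd-format log. The log lines below are constructed
# to follow the layout of /var/log/vsftpd.log (timestamp, pid, user, event).

# failed_logins_by_ip LOGFILE LIMIT: print "ip count" for every client IP
# with at least LIMIT "FAIL LOGIN" entries, sorted by IP.
failed_logins_by_ip() {
    awk -v limit="$2" '
        /FAIL LOGIN:/ {
            # the client address is the quoted token after Client
            if (match($0, /Client "[^"]+"/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)
                fails[ip]++
            }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort
}

# Constructed sample log: one legitimate session and a burst of failures.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Fri Mar 18 19:05:10 2011 [pid 4320] CONNECT: Client "192.0.2.10"
Fri Mar 18 19:05:12 2011 [pid 4319] [cioby] FAIL LOGIN: Client "192.0.2.10"
Fri Mar 18 19:05:14 2011 [pid 4319] [guest] FAIL LOGIN: Client "192.0.2.10"
Fri Mar 18 19:05:16 2011 [pid 4319] [backup] FAIL LOGIN: Client "192.0.2.10"
Fri Mar 18 19:05:18 2011 [pid 4319] [www] FAIL LOGIN: Client "192.0.2.10"
Fri Mar 18 19:06:01 2011 [pid 4330] CONNECT: Client "198.51.100.7"
Fri Mar 18 19:06:03 2011 [pid 4329] [cioby] FAIL LOGIN: Client "198.51.100.7"
Fri Mar 18 19:06:09 2011 [pid 4329] [cioby] OK LOGIN: Client "198.51.100.7"
Fri Mar 18 19:06:30 2011 [pid 4331] [cioby] OK DOWNLOAD: Client "198.51.100.7", "/home/cioby/report.pdf", 20480 bytes, 120.50Kbyte/sec
EOF

failed_logins_by_ip "$LOG" 3   # prints: 192.0.2.10 4
```

Run it against /var/log/vsftpd.log from cron to get an early warning of password guessing, and note that a single mistyped password (as from 198.51.100.7 above) stays below the threshold.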

Enabling TLS/SSL Encryption

Beginning with version 2, vsftpd offers support for SSL and TLS encryption. Since the FTP protocol itself is insecure, using SSL/TLS gives you increased protection against password sniffing. The vsftpd package available in most Linux distributions' repositories comes with SSL/TLS support enabled. You can verify this by running the following command:

# ldd /usr/sbin/vsftpd | grep ssl

If SSL support is enabled the output of the above command is similar to this:

libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7753000)

Assuming SSL/TLS support is enabled the next step is to generate a new self-signed SSL certificate.

# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

This command asks a series of questions before generating the certificate; follow the prompts on the screen. At the end you will find a vsftpd.pem file in the /etc/vsftpd directory. It contains the private key as well as the certificate, so make sure it is readable only by root. Depending on your distribution you can change the path of the certificate file to suit your needs. Note that a 1024-bit RSA key, as in the command above, is below current recommendations; on a modern system use rsa:2048 or larger.

After this you need to edit the vsftpd.conf file and add the following lines to enable SSL/TLS encryption.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

This configuration does not allow SSL access for anonymous users, and the preferred encryption method is TLSv1, the successor of SSL. After adding these options, save the configuration file and restart the vsftpd server with the following command:

# /etc/init.d/vsftpd restart

If you set the force_local_logins_ssl directive to "YES", clients will need an FTP client that supports TLS/SSL in order to connect. If it is set to "NO", users can connect using whichever method they prefer, which means their passwords may still cross the network in clear text.
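As an added example (not code from the original article), the following script reports the SSL/TLS settings in a vsftpd.conf that still permit clear-text logins or data, or that enable the obsolete SSLv2/SSLv3 protocols, and shows the difference between the configuration above and a variant that makes TLS mandatory. The defaults assumed for absent options follow the vsftpd.conf manpage; the two configuration files are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: report the SSL/TLS settings in a
# vsftpd.conf that still let credentials or data travel in clear text, or that
# enable the obsolete SSLv2/SSLv3 protocols. Defaults assumed where an option is
# absent follow vsftpd.conf(5). The two configs below are constructed.

# conf_get FILE OPTION DEFAULT: value of OPTION, or DEFAULT when it is not set
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# vsftpd_tls_findings CONF: one line per weakness found (empty output = clean)
vsftpd_tls_findings() {
    conf=$1
    [ "$(conf_get "$conf" ssl_enable NO)" = "YES" ] \
        || echo "ssl_enable is not YES: all sessions are plaintext"
    [ "$(conf_get "$conf" ssl_sslv2 NO)" = "NO" ] \
        || echo "ssl_sslv2=YES: obsolete protocol enabled"
    [ "$(conf_get "$conf" ssl_sslv3 NO)" = "NO" ] \
        || echo "ssl_sslv3=YES: obsolete protocol enabled"
    [ "$(conf_get "$conf" force_local_logins_ssl YES)" = "YES" ] \
        || echo "force_local_logins_ssl=NO: passwords may be sent in clear text"
    [ "$(conf_get "$conf" force_local_data_ssl YES)" = "YES" ] \
        || echo "force_local_data_ssl=NO: file contents may be sent in clear text"
    return 0
}

DEMO=$(mktemp -d)
# As in the article: encryption offered, but not required, for local users.
cat > "$DEMO/optional_tls.conf" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
# Hardened variant: TLS mandatory for both logins and data transfers.
sed 's/^force_local_\(.*\)_ssl=NO/force_local_\1_ssl=YES/' \
    "$DEMO/optional_tls.conf" > "$DEMO/required_tls.conf"

echo "== optional_tls.conf"; vsftpd_tls_findings "$DEMO/optional_tls.conf"
echo "== required_tls.conf"; vsftpd_tls_findings "$DEMO/required_tls.conf"
```

The first report lists the two force_local_* findings; the hardened file produces none.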

Testing connectivity from an FTP client

Once everything is set up and the server is running, it is time to test connectivity with an FTP client. Many FTP clients are available, but for testing we will use the built-in command-line FTP client that exists on most operating systems. Launch it and connect to the FTP server with your user credentials:

# ftp cioby.net
Connected to cioby.net.
220 Welcome to cioby.net FTP server.
User (cioby.net:(none)):

Now you are prompted to enter your username.

Name (cioby.net:root): cioby

Type your password and press Enter. After this if the credentials are valid you will be logged into your home directory.

331 Please specify the password.
Password:
230 Login successful.
ftp>

To confirm this, run the ls -l command at the ftp prompt to display the files and folders in your home directory. The built-in ftp client supports many commands for downloading and uploading files, creating and deleting folders, listing folder contents, and so on.

Conclusion

The Very Secure FTP Daemon (vsftpd) is a powerful FTP server offering many features for running an FTP server in a secure manner. The configuration options presented here are just a few from a very long list. To view the full list of directives, please consult the vsftpd.conf manpage at http://vsftpd.beasts.org/vsftpd_conf.html. As a final tip, every time you add or modify an option in the configuration file, do not forget to restart the vsftpd service.


Last Updated on Tuesday, 29 March 2011 06:12
Copyright © 2011 Ciobanu Cristian - www.cioby.ro