Very Secure FTP Daemon

From ArchWiki


vsftpd is the "very secure ftp daemon." It's a nice little ftp server should you need one.

It will run either with or without xinetd. This page first describes how to use it with xinetd, then the simpler standalone setup.

First, grab the packages you'll need with pacman (use -S, or a full -Syu, rather than -Sy: refreshing the package database without upgrading leaves a partially upgraded system):

pacman -S xinetd vsftpd

The following config files will need to be changed:

/etc/xinetd.d/vsftpd (user = root is required here; vsftpd drops its own privileges once it has taken over the connection):

service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
}

/etc/vsftpd.conf is a very well documented config file, but here are the basics you'll probably want to set. Note that vsftpd's parser takes everything after the = as the value, so a comment must sit on its own line starting with #; a trailing comment after a value makes the daemon refuse to start with "500 OOPS: bad bool value in config file":

# Assuming you don't want anonymous ftp
anonymous_enable=NO
# This lets local machine users log in
local_enable=YES
# Be really careful using this with anonymous_enable=YES
write_enable=YES
# Use tcp_wrappers to control connections, then allow hosts in /etc/hosts.allow
tcp_wrappers=YES

Finally, add xinetd to the DAEMONS array in /etc/rc.conf. You don't need to add vsftpd, as xinetd starts it whenever a connection arrives.

If you get errors like

500 OOPS: cap_set_proc

when connecting to the server, add capability to the MODULES= line in /etc/rc.conf.

Without xinetd (simpler)

If you want to avoid the extra complications of xinetd, just grab the package:

pacman -S vsftpd

then edit /etc/vsftpd.conf and set listen=YES. The same options as above are useful here too; as before, comments go on their own lines, never after a value:

# Lets vsftpd act as a stand-alone server
listen=YES
# Assuming you don't want anonymous ftp
anonymous_enable=NO
# This lets local machine users log in
local_enable=YES
# Be really careful using this with anonymous_enable=YES
write_enable=YES
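Because vsftpd's parser is this strict, it is worth checking a config file before (re)starting the daemon. The script below is an added example for the two config fragments above; it is not code from the ArchWiki page or from the vsftpd project. It flags the two parser errors documented in vsftpd.conf(5) (a comment after a value, and whitespace around the =) and the anonymous+write combination the comments warn about. The sample config it runs on is constructed here to exercise those checks; everything else about it is this script's own choice.

```sh
#!/bin/sh
# Added example, not from the ArchWiki page or the vsftpd project:
# a small audit of a vsftpd.conf before (re)starting the daemon.
#
# vsftpd reads each "key=value" line literally, so a trailing "# comment"
# becomes part of the value and the daemon refuses to start
# ("500 OOPS: bad bool value in config file"). vsftpd.conf(5) also says
# it is an error to put any space between the option, the = and the value.

# get_opt FILE KEY: print the effective value of KEY (last assignment wins,
# empty output if KEY is not set). Comment lines are skipped.
get_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            if (k == key) val = substr($0, index($0, "=") + 1)
        }
        END { print val }
    ' "$1"
}

# check_vsftpd_conf FILE: print findings; return 0 when clean, 1 otherwise.
check_vsftpd_conf() {
    conf="$1"
    rc=0

    # 1. A '#' anywhere after the first non-blank character is an inline
    #    comment (or, rarely, a literal '#' inside a value such as
    #    ftpd_banner; review those by hand).
    if grep -nE '^[[:space:]]*[^#[:space:]][^#]*#' "$conf"; then
        echo "ERROR: inline comments above break vsftpd's parser; move them onto their own lines"
        rc=1
    fi

    # 2. Whitespace next to the '=' on a non-comment line.
    if awk '!/^[[:space:]]*#/ && (/[[:space:]]=/ || /=[[:space:]]/) {
                print FILENAME ":" NR ": " $0; found = 1
            }
            END { exit !found }' "$conf"; then
        echo "ERROR: whitespace around '=' above; vsftpd wants option=value with no spaces"
        rc=1
    fi

    # 3. Anonymous logins plus global write permission: only acceptable if you
    #    really mean anonymous uploads, and then only into a dedicated directory.
    anon=$(get_opt "$conf" anonymous_enable)
    write=$(get_opt "$conf" write_enable)
    if [ "$anon" = YES ] && [ "$write" = YES ]; then
        echo "WARNING: anonymous_enable=YES together with write_enable=YES"
        rc=1
    fi

    return "$rc"
}

# Demo on a constructed config (the page's first fragment with its inline
# comments) written to a temp file, so this runs anywhere without touching /etc.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
anonymous_enable=NO      # Assuming you don't want anonymous ftp
local_enable=YES
write_enable=YES
EOF
check_vsftpd_conf "$demo_conf" || echo "fix the config before starting vsftpd"
rm -f "$demo_conf"
```

Run it as `check_vsftpd_conf /etc/vsftpd.conf` from a shell that has sourced the file; a non-zero exit means something needs attention. The checks are deliberately syntactic: they will not tell you whether write_enable=YES is wise for local users, only whether the file will parse and whether you have combined the two options the page's comments warn about.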

After that, if you set tcp_wrappers=YES, append 'vsftpd: ALL' to /etc/hosts.allow (ALL admits every host; list your own networks instead where you can). You can then start the server with /etc/rc.d/vsftpd start. Add it to the DAEMONS array in /etc/rc.conf if you want it to start at boot.

PAM with "virtual users"

Advantage: virtual users have no real login account on the system, so a leaked FTP password does not hand out a shell account. Keeping the environment in a container is of course a more secure option.

A virtual users database has to be created by first making a simple text file like this:

user1
password1
user2
password2

Include as many virtual users as you wish, keeping the structure of the example (user name on one line, its password on the next; a blank or missing line shifts every later password onto the wrong user). Save it as logins.txt; the file name has no significance, but it now holds passwords in plain text, so keep it readable by root only and delete it once the database exists. The next step uses the Berkeley DB tools (db_load), which are included in Arch's core system. As root, create the actual database from logins.txt, or whatever you chose to call it:

# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

Restrict permissions on the newly created vsftpd_login.db file, since it contains the passwords:

# chmod 600 /etc/vsftpd_login.db

PAM should now be set to make use of vsftpd_login.db. To make PAM authenticate against it, create a file named ftp (vsftpd's default pam_service_name) in /etc/pam.d/ with the following contents. Note that db= takes the path without the .db suffix, and that crypt= must match how the passwords are stored in the database: the pam_userdb(8) man page documents crypt=crypt for crypt(3) hashes and crypt=none for plaintext, so check it for your version if logins fail:

auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login crypt=hash
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login crypt=hash

Now it's time to create a home for the virtual users. In this example /srv/ftp holds the data for virtual users, which also matches Arch's default directory layout. First create the general user virtual and make /srv/ftp its home (the account exists only so vsftpd can map virtual users onto it, so it can be given no login shell, e.g. with -s /bin/false):

# useradd -d /srv/ftp virtual

Make virtual the owner:

# chown virtual:virtual /srv/ftp

Caveat for newer vsftpd: since version 2.3.5 it refuses to start a chrooted session whose root directory is writable by the user (500 OOPS: vsftpd: refusing to run with writable root inside chroot()). On such versions keep /srv/ftp itself owned by root and not writable by virtual, give virtual a writable subdirectory for uploads, or set allow_writeable_chroot=YES if your build has that option.

Configure vsftpd to use the created environment by editing /etc/vsftpd.conf. These settings make vsftpd accept only virtual users, authenticated by user name and password against the database, map every one of them onto the virtual account, and chroot them into its home /srv/ftp:

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=virtual

If the xinetd method is used, start the service with /etc/rc.d/xinetd start (otherwise /etc/rc.d/vsftpd start). You should now only be able to log in with a user name and password from the database; the credentials of a real system account must be refused, since the ftp PAM service consults nothing else.
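The manual database steps above (db_load, then chmod 600) are easy to get subtly wrong: an odd number of lines or a blank line in logins.txt pairs the wrong password with a user, a failed db_load can leave a half-written file in /etc, and the plaintext logins.txt tends to be forgotten. The following script is an added example that automates that step with those checks; it is not code from the ArchWiki page or from the vsftpd project. It assumes Berkeley DB's db_load(1) is installed (the db package on Arch); the names logins.txt and /etc/vsftpd_login match the page, the function names and the sample logins file are this script's own.

```sh
#!/bin/sh
# Added example, not from the ArchWiki page or the vsftpd project: build the
# pam_userdb database for vsftpd virtual users from the alternating
# user/password text file described above, with the checks the manual steps
# skip. Assumes db_load(1) from Berkeley DB is installed.

# validate_logins FILE: 0 if FILE has an even, non-zero number of lines and no
# blank lines; 1 otherwise, with the reason on stderr. db_load pairs lines up
# blindly, so a stray blank line shifts every later password onto the wrong user.
validate_logins() {
    f="$1"
    n=$(awk 'END { print NR }' "$f")
    if [ "$n" -eq 0 ]; then
        echo "$f: empty" >&2; return 1
    fi
    if [ $((n % 2)) -ne 0 ]; then
        echo "$f: odd number of lines, a user is missing its password" >&2; return 1
    fi
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f: blank line found" >&2; return 1
    fi
    return 0
}

# list_users FILE: print the user names (every odd line), e.g. to make sure
# none of them collides with a real account in /etc/passwd.
list_users() {
    awk 'NR % 2 == 1' "$1"
}

# build_userdb LOGINS DBBASE: create DBBASE.db (pam_userdb's db= option takes
# the name without .db) with mode 0600. The database is built in a private temp
# directory so a half-written file never sits in /etc, then moved into place;
# finally LOGINS, which holds the plaintext passwords, is destroyed.
build_userdb() {
    logins="$1"; dbbase="$2"
    validate_logins "$logins" || return 1
    tmpd=$(mktemp -d) || return 1
    chmod 700 "$tmpd"
    if ! db_load -T -t hash -f "$logins" "$tmpd/login.db"; then
        rm -rf "$tmpd"; return 1
    fi
    chmod 600 "$tmpd/login.db"
    mv -f "$tmpd/login.db" "${dbbase}.db" || { rm -rf "$tmpd"; return 1; }
    rmdir "$tmpd"
    # shred(1) where available (coreutils on Arch), plain rm otherwise
    shred -u "$logins" 2>/dev/null || rm -f "$logins"
}

# Demo on a constructed logins file in a temp directory: no root needed and
# nothing is written to /etc. For real use: build_userdb logins.txt /etc/vsftpd_login
demo=$(mktemp -d)
printf 'user1\npassword1\nuser2\npassword2\n' > "$demo/logins.txt"
echo "users in the file:"; list_users "$demo/logins.txt"
if command -v db_load >/dev/null 2>&1; then
    build_userdb "$demo/logins.txt" "$demo/vsftpd_login" \
        && ls -l "$demo/vsftpd_login.db"
else
    echo "db_load not installed (install the db package); skipping the build"
fi
rm -rf "$demo"
```

Run as root with `build_userdb logins.txt /etc/vsftpd_login`; the resulting /etc/vsftpd_login.db is what the db=/etc/vsftpd_login line in /etc/pam.d/ftp refers to. The script does not change how the passwords are stored, so the crypt= setting in the PAM file still has to match what you put in logins.txt.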
