https://wiki.archlinux.org/api.php?action=feedcontributions&user=Ongky&feedformat=atomArchWiki - User contributions [en]2024-03-29T10:20:55ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Very_Secure_FTP_Daemon&diff=180833Very Secure FTP Daemon2012-01-28T03:45:11Z<p>Ongky: </p>
<hr />
<div>[[Category:Networking (English)]]<br />
{{i18n|Very Secure FTP Daemon}}<br />
<br />
'''vsftpd''' (Very Secure FTP Daemon) is a lightweight, stable and secure FTP server for UNIX-like systems.<br />
<br />
== Installation ==<br />
Vsftpd is included in the official repository. Simply install it with pacman:<br />
# pacman -S vsftpd<br />
<br />
The server can be started by using the script below:<br />
# /etc/rc.d/vsftpd start<br />
<br />
You can also add vsftpd to your daemon array in {{Filename|/etc/rc.conf}} if you want it to be started automatically at boot.<br />
<br />
See the xinetd section below for procedures to use vsftpd with xinetd.<br />
<br />
== Configuration ==<br />
Most of the settings in vsftpd are configured by editing the file {{Filename|/etc/vsftpd.conf}}. The file itself is well-documented, so this section only highlights some important options you may want to change. For all available options and their documentation, see {{Ic|man 5 vsftpd.conf}}. Files are served by default from {{Filename|/srv/ftp}}.<br />
<br />
=== Enabling uploading ===<br />
The {{Ic|write_enable}} option must be set to YES in {{Filename|/etc/vsftpd.conf}} in order to allow changes to the filesystem, such as uploading:<br />
write_enable=YES<br />
<br />
=== Local user login ===<br />
Add the following line to {{Filename|/etc/vsftpd.conf}} to allow users listed in {{Filename|/etc/passwd}} to log in:<br />
local_enable=YES<br />
<br />
=== Anonymous login ===<br />
The following lines in {{Filename|/etc/vsftpd.conf}} control whether anonymous users can log in. vsftpd only treats whole lines beginning with {{Ic|#}} as comments, so keep each comment on its own line rather than after a value:<br />
# Allow anonymous login<br />
anonymous_enable=YES<br />
# No password is required for an anonymous login<br />
no_anon_password=YES<br />
# Maximum transfer rate for an anonymous client in bytes per second<br />
anon_max_rate=30000<br />
<br />
=== Chroot jail ===<br />
One can set up a chroot environment which prevents users from leaving their home directory. To enable this, add the following lines to {{Filename|/etc/vsftpd.conf}}:<br />
chroot_list_enable=YES<br />
chroot_list_file=/etc/vsftpd.chroot_list<br />
The {{Ic|chroot_list_file}} variable specifies the file which contains users that are jailed.<br />
<br />
For a more restricted environment, one can specify the line:<br />
chroot_local_user=YES<br />
This will make local users jailed by default. In this case, the file specified by {{Ic|chroot_list_file}} lists users that are '''not''' in a chroot jail.<br />
<br />
=== Limiting user login ===<br />
It is possible to prevent users from logging into the FTP server by adding two lines to {{Filename|/etc/vsftpd.conf}}:<br />
userlist_enable=YES<br />
userlist_file=/etc/vsftpd.user_list<br />
{{Ic|userlist_file}} now specifies the file which lists users that are not able to log in.<br />
<br />
If you only want to allow certain users to log in, add the line:<br />
userlist_deny=NO<br />
The file specified by {{Ic|userlist_file}} will now contain the users that are able to log in.<br />
<br />
=== Limiting connections ===<br />
One can limit the data transfer rate, the number of clients and the number of connections per IP for local users by adding the following lines to {{Filename|/etc/vsftpd.conf}} (comments go on their own lines, since vsftpd does not accept a comment after a value):<br />
# Maximum data transfer rate in bytes per second<br />
local_max_rate=1000000<br />
# Maximum number of clients that may be connected<br />
max_clients=50<br />
# Maximum connections per IP<br />
max_per_ip=2<br />
<br />
=== Using xinetd ===<br />
If you want to use vsftpd with xinetd, add the following lines to {{Filename|/etc/xinetd.d/vsftpd}}:<br />
<pre><br />
service ftp<br />
{<br />
    socket_type     = stream<br />
    wait            = no<br />
    user            = root<br />
    server          = /usr/sbin/vsftpd<br />
    log_on_success  += HOST DURATION<br />
    log_on_failure  += HOST<br />
    disable         = no<br />
}<br />
</pre><br />
<br />
The option below should be set in {{Filename|/etc/vsftpd.conf}}:<br />
pam_service_name=ftp<br />
<br />
Finally, add xinetd to your daemons line in {{Filename|/etc/rc.conf}}. You do not need to add vsftpd, as it will be called by xinetd whenever necessary.<br />
<br />
If you get an error like this while connecting to the server:<br />
500 OOPS: cap_set_proc<br />
you need to add ''capability'' to the MODULES= line in {{Filename|/etc/rc.conf}}.<br />
<br />
After upgrading to version 2.1.0 you might get an error like this when connecting to the server from a client:<br />
500 OOPS: could not bind listening IPv4 socket<br />
In earlier versions it was enough to leave the following lines commented out:<br />
# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd<br />
# listen=YES<br />
In this version, and possibly in future releases, you must explicitly configure it '''not''' to run in standalone mode, like this:<br />
# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd<br />
listen=NO<br />
<br />
=== Using SSL to Secure FTP ===<br />
<br />
Generate a self-signed SSL certificate, for example:<br />
# cd /etc/ssl/certs<br />
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem<br />
# chmod 600 /etc/ssl/certs/vsftpd.pem<br />
You will be asked a number of questions about your organisation and so on. Since this certificate is self-signed, clients will not trust it automatically and it does not really matter what you fill in; you will be using it for encryption. If clients need to verify the server's identity, get a certificate from a CA such as Thawte or VeriSign instead.<br />
<br />
Edit your configuration file {{Filename|/etc/vsftpd.conf}}:<br />
<pre><br />
# Required: enable SSL support<br />
ssl_enable=YES<br />
<br />
# Optional: if you accept anonymous connections you may want to enable this<br />
# allow_anon_ssl=NO<br />
<br />
# Optional: encrypting data connections costs some performance<br />
# force_local_data_ssl=NO<br />
<br />
# Require SSL for local user logins<br />
force_local_logins_ssl=YES<br />
<br />
# Enable at least TLSv1 if you enable SSL<br />
ssl_tlsv1=YES<br />
# Optional<br />
ssl_sslv2=YES<br />
# Optional<br />
ssl_sslv3=YES<br />
# Path to the *.pem file generated above<br />
rsa_cert_file=/etc/ssl/certs/vsftpd.pem<br />
# The *.pem file contains both the key and the certificate<br />
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem<br />
</pre><br />
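A small audit script for the options shown in the Configuration and SSL sections above, added here as an example; it is not part of the wiki page or of vsftpd. It parses the file the way vsftpd does (only whole lines beginning with # are comments, so a comment after a value is an error) and flags the settings a defender checks first: anonymous access left at its default, SSLv2/SSLv3 enabled, and logins not forced over SSL. The anonymous-upload check relies on {{Ic|anon_upload_enable}}, a vsftpd option not shown on this page.<br />

```python
# Constructed sample configuration (not from the page). Its last line uses the
# inline "# comment" style the page showed; vsftpd only treats whole lines
# beginning with '#' as comments, so the rest of the line becomes the value.
SAMPLE_CONF = """\
ssl_enable=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
write_enable=YES
anon_upload_enable=YES
anonymous_enable=YES # Allow anonymous login
"""

TRUE_WORDS = {"yes", "true", "1"}


def parse_vsftpd_conf(text):
    """Return (settings, errors). Like vsftpd: blank and '#' lines are skipped,
    every other line must be key=value, and no whitespace is trimmed."""
    settings, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: missing value for '{line}'")
            continue
        key, value = line.split("=", 1)
        if "#" in value:
            errors.append(f"line {lineno}: comment after the value of {key}")
            continue
        settings[key] = value
    return settings, errors


def is_on(settings, key, default=False):
    # vsftpd accepts YES/TRUE/1 (any case) as true
    value = settings.get(key)
    return default if value is None else value.lower() in TRUE_WORDS


def audit(settings):
    """Return the list of weak settings found; empty means nothing flagged."""
    findings = []
    # vsftpd's compiled-in default for anonymous_enable is YES, so a missing key is as open as YES
    if is_on(settings, "anonymous_enable", default=True):
        findings.append("anonymous login enabled")
        if is_on(settings, "write_enable") and is_on(settings, "anon_upload_enable"):
            findings.append("anonymous uploads enabled")
    if not is_on(settings, "ssl_enable"):
        findings.append("ssl_enable is NO: credentials and data cross the network in cleartext")
        return findings
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if is_on(settings, proto):
            findings.append(f"{proto} enabled: obsolete protocol, set it to NO")
    if not is_on(settings, "force_local_logins_ssl"):
        findings.append("force_local_logins_ssl not YES: local passwords may be sent in cleartext")
    return findings
```

Run {{Ic|parse_vsftpd_conf}} on the contents of your real {{Filename|/etc/vsftpd.conf}} and pass the result to {{Ic|audit}}; the sample above reports the commented line as a parse error, so {{Ic|anonymous_enable}} falls back to its default and is flagged.<br />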
<br />
== Tips and tricks ==<br />
=== PAM with virtual users ===<br />
Using virtual users has the advantage of not requiring a real login account on the system. Keeping the environment in a container is of course a more secure option.<br />
<br />
A virtual user database is created by first writing a simple text file with alternating user names and passwords, like this:<br />
user1<br />
password1<br />
user2<br />
password2<br />
Include as many virtual users as you wish, following the structure of the example. Save it as logins.txt; the file name has no significance. The next step uses the Berkeley DB tools, which are part of the Arch core system. As root, create the actual database from logins.txt (or whatever you named the file):<br />
# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db<br />
It is recommended to restrict the permissions of the newly created {{Filename|vsftpd_login.db}} file:<br />
# chmod 600 /etc/vsftpd_login.db<br />
{{Warning|Be aware that storing passwords in plain text is not safe. Do not forget to remove your temporary file with {{Ic|rm logins.txt}}.}}<br />
PAM should now be set up to use vsftpd_login.db. To make PAM check user authentication against it, create a file named ftp in the {{Filename|/etc/pam.d/}} directory with the following contents:<br />
auth required pam_userdb.so db=/etc/vsftpd_login crypt=hash<br />
account required pam_userdb.so db=/etc/vsftpd_login crypt=hash<br />
{{Note|The database is given as /etc/vsftpd_login, without the .db extension, in the PAM configuration.}}<br />
Now create a home for the virtual users. In this example {{Filename|/srv/ftp}} hosts the data for virtual users, which also matches the default directory structure of Arch. First create the system user virtual with {{Filename|/srv/ftp}} as its home directory:<br />
# useradd -d /srv/ftp virtual<br />
Make virtual the owner of that directory:<br />
# chown virtual:virtual /srv/ftp<br />
Configure vsftpd to use this environment by editing {{Filename|/etc/vsftpd.conf}}. These are the settings needed to make vsftpd accept only virtual users, authenticated by user name and password, and confine them to {{Filename|/srv/ftp}}:<br />
anonymous_enable=NO<br />
local_enable=YES<br />
chroot_local_user=YES<br />
guest_enable=YES<br />
guest_username=virtual<br />
virtual_use_local_privs=YES<br />
If you use the xinetd method, start xinetd. Logins should now be accepted only with a user name and password from the database you created.<br />
<br />
==== Adding private folders for the virtual users ====<br />
First create directories for users:<br />
# mkdir /srv/ftp/user1<br />
# mkdir /srv/ftp/user2<br />
# chown virtual:virtual /srv/ftp/user?/<br />
<br />
Then, add the following lines to {{Filename|/etc/vsftpd.conf}}:<br />
local_root=/srv/ftp/$USER<br />
user_sub_token=$USER<br />
<br />
== Troubleshooting ==<br />
<br />
=== vsftpd: refusing to run with writable root inside chroot() ===<br />
As of vsftpd 2.3.5, the chroot directory that users are locked into must not be writable. This is to prevent a security vulnerability.<br />
To make the directory non-writable:<br />
# chmod a-w /home/user<br />
<br />
Workaround:<br />
Install vsftpd-ext from the AUR and set allow_writable_root=YES in the configuration file. Note that this disables the protection described above.<br />
<br />
<br />
== More resources ==<br />
* [http://vsftpd.beasts.org/ vsftpd official homepage]<br />
* [http://vsftpd.beasts.org/vsftpd_conf.html vsftpd.conf man page]</div>Ongky