https://wiki.archlinux.org/api.php?action=feedcontributions&user=Skatias&feedformat=atomArchWiki - User contributions [en]2024-03-29T06:42:54ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Talk:RTorrent/WTorrent&diff=96327Talk:RTorrent/WTorrent2010-02-12T01:33:15Z<p>Skatias: </p>
<hr />
<div>Can we get a version of the guide for lighttpd? When I find some time I might try doing it, but I don't have enough at the moment.<br />
<br />
There is no "sqlite" package [[User:Skatias|Skatias]] 20:33, 11 February 2010 (EST)</div>Skatiashttps://wiki.archlinux.org/index.php?title=Very_Secure_FTP_Daemon&diff=96277Very Secure FTP Daemon2010-02-11T20:44:34Z<p>Skatias: /* PAM with "virtual users" */</p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
{{i18n_links_start}}<br />
{{i18n_entry|English|Very Secure FTP Daemon}}<br />
{{i18n_entry|Italiano|Very secure ftp daemon (Italiano)}}<br />
{{i18n_entry|Русский|Very Secure FTP Daemon (russian)}}<br />
{{i18n_entry|简体中文|Very Secure FTP Daemon (简体中文)}}<br />
{{i18n_links_end}}<br />
'''vsftpd''' is the "very secure ftp daemon", a small FTP server.<br />
<br />
Because it will run either with or without xinetd, this article will cover both methods.<br />
<br />
==Without xinetd (simpler)==<br />
If you want to avoid the extra complications of xinetd, just grab the package:<br />
# pacman -S vsftpd<br />
then edit /etc/vsftpd.conf and set <code>listen=YES</code>. vsftpd reads every line as <code>option=value</code> and does not accept a comment after the value (it fails with <code>500 OOPS: bad bool value in config file</code>), so keep comments on their own lines. These are useful options (optional):<br />
# Lets vsftpd act as a stand-alone server<br />
listen=YES<br />
# Assuming you do not want anonymous ftp<br />
anonymous_enable=NO<br />
# This lets local machine users log in<br />
local_enable=YES<br />
# Be really careful using this with anonymous_enable=YES<br />
write_enable=YES<br />
After that, append 'vsftpd: ALL' to your /etc/hosts.allow file. You can then start the server with /etc/rc.d/vsftpd start. Add it to your DAEMONS list in /etc/rc.conf if you want it to start at bootup.<br />
<br />
==Using xinetd==<br />
First, grab the packages you will need with pacman:<br />
# pacman -S xinetd vsftpd<br />
<br />
The following configuration files will need to be changed:<br />
<br />
/etc/xinetd.d/vsftpd:<br />
<pre><br />
service ftp<br />
{<br />
socket_type = stream<br />
wait = no<br />
user = root<br />
server = /usr/sbin/vsftpd<br />
log_on_success += HOST DURATION<br />
log_on_failure += HOST<br />
disable = no<br />
}<br />
</pre><br />
<br />
/etc/vsftpd.conf is a very well documented configuration file, but here are the basics you will probably want to set (comments must be on their own lines; vsftpd does not accept a comment after a value):<br />
# Assuming you do not want anonymous ftp<br />
anonymous_enable=NO<br />
# This lets local machine users log in<br />
local_enable=YES<br />
# Be really careful using this with anonymous_enable=YES<br />
write_enable=YES<br />
# Use tcp_wrappers to control connections, then allow hosts in /etc/hosts.allow<br />
tcp_wrappers=YES<br />
pam_service_name=vsftpd<br />
<br />
/etc/hosts.allow - add following entry:<br />
<pre><br />
vsftpd: ALL<br />
</pre><br />
<br />
Finally, add xinetd to your daemons line in /etc/[[rc.conf]]. You do not need to add vsftpd, as it will be called by xinetd whenever necessary.<br />
<br />
If you get errors like<br />
500 OOPS: cap_set_proc<br />
when connecting to the server, you need to add ''capability'' to the MODULES= line in /etc/rc.conf.<br />
<br />
<br />
When upgrading to '''version 2.1.0''' you might get an error like this when connecting to the server from a client:<br />
500 OOPS: could not bind listening IPv4 socket<br />
In earlier versions it was enough to leave the following lines commented out:<br />
# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd<br />
# listen=YES<br />
In this newer version, and possibly future releases, it is necessary to explicitly configure it ''not'' to run in standalone mode, like this:<br />
# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd<br />
listen=NO<br />
<br />
==PAM with "virtual users"==<br />
Using virtual users has the advantage of not requiring a real login account on the system. Keeping the environment in a container is of course a more secure option.<br />
<br />
A virtual users database has to be created by first making a simple text file like this:<br />
user1<br />
password1<br />
user2<br />
password2<br />
<br />
Include as many virtual users as you wish, following the structure of the example. Save it as logins.txt; the file name has no significance. The next step depends on the Berkeley database system, which is included in the core system of Arch. As root, create the actual database from logins.txt (or whatever you chose to call it):<br />
# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db<br />
<br />
It is recommended to restrict permissions on the newly created vsftpd_login.db file:<br />
# chmod 600 /etc/vsftpd_login.db<br />
<br />
{{Warning|Be aware that storing passwords in plain text is not safe. Don't forget to remove your temporary file with {{codeline|rm logins.txt}}.}}<br />
<br />
PAM must now be configured to use vsftpd_login.db. To make PAM check user authentication against it, create a file named ftp in the /etc/pam.d/ directory with the following contents:<br />
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login crypt=hash<br />
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login crypt=hash<br />
<br />
Now it is time to create a home for the virtual users. In this example /srv/ftp hosts the data for virtual users, which also reflects the default directory structure of Arch. First create the generic user virtual and make /srv/ftp its home:<br />
# useradd -d /srv/ftp virtual<br />
<br />
Make virtual the owner:<br />
# chown virtual:virtual /srv/ftp<br />
<br />
Configure vsftpd to use the created environment by editing /etc/vsftpd.conf. These are the settings needed to make vsftpd admit only virtual users, authenticated by user name and password, and to confine them to the specified area /srv/ftp:<br />
anonymous_enable=NO<br />
local_enable=YES<br />
chroot_local_user=YES<br />
guest_enable=YES<br />
guest_username=virtual<br />
virtual_use_local_privs=YES<br />
<br />
If the xinetd method is used, start the service, i.e. '/etc/rc.d/xinetd start'. You should now only be able to log in with a user name and password from the database you created.<br />
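The following script is an added example, not part of the ArchWiki article: it lints a vsftpd.conf for the pitfalls covered above, namely comments placed after a value (which vsftpd rejects), anonymous FTP combined with write_enable=YES, and virtual users (guest_enable) without chroot_local_user. The sample config files it checks are constructed inline.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki article: lint a vsftpd.conf for the pitfalls it
# describes. vsftpd has no inline comments: "listen=YES # note" gives the value
# "YES # note" and the daemon fails with "500 OOPS: bad bool value in config file".

# setting FILE KEY DEFAULT: value of the last KEY= line (later lines win), else DEFAULT.
setting() {
    v=$(grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${v:-$3}"
}

# is_yes VALUE: vsftpd accepts YES/TRUE/1 for booleans, case-insensitively.
is_yes() {
    case "$1" in [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) return 0 ;; *) return 1 ;; esac
}

# lint_vsftpd_conf FILE: one finding per line on stdout; prints nothing when clean.
lint_vsftpd_conf() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;                                     # blank or comment line
            *=*'#'*) echo "inline comment, vsftpd rejects it: $line" ;;
        esac
    done < "$1"
    # anonymous_enable defaults to YES when unset; with write_enable=YES that is the
    # combination the article warns about.
    if is_yes "$(setting "$1" anonymous_enable YES)" &&
       is_yes "$(setting "$1" write_enable NO)"; then
        echo "anonymous FTP with write_enable=YES (anonymous_enable defaults to YES)"
    fi
    # Virtual users (guest_enable) rely on chroot_local_user to stay inside /srv/ftp.
    if is_yes "$(setting "$1" guest_enable NO)" &&
       ! is_yes "$(setting "$1" chroot_local_user NO)"; then
        echo "guest_enable=YES without chroot_local_user=YES"
    fi
}

# Constructed samples: the inline-comment style versus a clean file.
TMP=$(mktemp -d)
printf '%s\n' 'listen=YES # Lets vsftpd act as a stand alone server' \
    'write_enable=YES' 'guest_enable=YES' > "$TMP/bad.conf"
printf '%s\n' '# Lets vsftpd act as a stand alone server' 'listen=YES' \
    'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
    'chroot_local_user=YES' 'guest_enable=YES' > "$TMP/good.conf"
lint_vsftpd_conf "$TMP/bad.conf"    # three findings
lint_vsftpd_conf "$TMP/good.conf"   # prints nothing
```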
===To add private folders for the virtual users===<br />
First create their directories:<br />
# mkdir /srv/ftp/user1<br />
# mkdir /srv/ftp/user2<br />
# chown virtual:virtual /srv/ftp/user?/<br />
<br />
Again, in /etc/vsftpd.conf, add the following:<br />
local_root=/srv/ftp/$USER<br />
user_sub_token=$USER</div>Skatiashttps://wiki.archlinux.org/index.php?title=Very_Secure_FTP_Daemon&diff=92205Very Secure FTP Daemon2010-01-14T20:34:18Z<p>Skatias: /* PAM with "virtual users" */</p>