Difference between revisions of "Very Secure FTP Daemon"

From ArchWiki
Jump to: navigation, search
m (Installation)
m
Line 58: Line 58:
 
  userlist_deny=NO
 
  userlist_deny=NO
 
The file specified by {{Codeline|chroot_list_file}} will now contain users that are able to login.
 
The file specified by {{Codeline|chroot_list_file}} will now contain users that are able to login.
 +
 +
=== Limiting connections ===
 +
One can limit the data transfer rate, number of clients and maximum connection per IP for local users by adding the information in {{Filename|/etc/vsftpd.conf}}:
 +
local_max_rate=1000000 # Maximum data transfer rate in bytes per second
 +
max_clients=50        # Maximum number of clients that may be connected
 +
max_per_ip=2          # Maximum connections per IP
  
 
=== Using xinetd ===
 
=== Using xinetd ===

Revision as of 11:58, 1 November 2010

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

vsftpd (Very Secure FTP Daemon) is a lightweight, stable and secure FTP server for UNIX-like systems.

Installation

Vsftpd is included in the official repository. Simply install it with pacman:

# pacman -S vsftpd

Modify Template:Filename in order to allow connections to vsftpd:

# Allow all connections
vsftpd: ALL
# Restrict to a certain IP range
vsftpd: 10.0.0.0/255.255.255.0

The server can be started by using the script below:

# /etc/rc.d/vsftpd start

You can also add vsftpd to your daemon array in Template:Filename if you want it to be started automatically at boot.

See the xinetd section below for procedures to use vsftpd with xinetd.

Configuration

Most of the settings in vsftpd are done by editing the file Template:Filename. The file itself is well-documented, so this section only highlights some important changes you may want to modify. For all available options and documentation, one can man vsftpd.conf (5).

Enabling uploading

The Template:Codeline flag must be set to YES in Template:Filename in order to allow changes to the filesystem, such as uploading:

write_enable=YES

Local user logging

One must set the line to Template:Filename to allow users in Template:Filename to login:

local_enable=YES

Anonymous logging

The line in Template:Filename controls whether anonymous users can login:

anonymous_enable=YES # Allow anonymous login
no_anon_password=YES # No password is required for an anonymous login
anon_max_rate=30000  # Maximum transfer rate for an anonymous client in bytes per second

Chroot jail

One can set up a chroot environment which prevents the user from leaving its home directory. To enable this, add the following lines to Template:Filename:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

The Template:Codeline variable specifies the file which contains users that are jailed.

For a more restricted environment, one can specify the line:

chroot_local_user=YES

This will make local users jailed by default. In this case, the file specified by Template:Codeline lists users that are not in a chroot jail.

Limiting user login

It's possible to prevent users from logging into the FTP server by adding two lines to {{Filename|/etc/vsftpd.conf}:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list

Template:Codeline now specifies the file which lists users that are not able to login.

If you only want to allow certain users to login, add the line:

userlist_deny=NO

The file specified by Template:Codeline will now contain users that are able to login.

Limiting connections

One can limit the data transfer rate, number of clients and maximum connection per IP for local users by adding the information in Template:Filename:

local_max_rate=1000000 # Maximum data transfer rate in bytes per second
max_clients=50         # Maximum number of clients that may be connected
max_per_ip=2           # Maximum connections per IP

Using xinetd

If you want to use vsftpd with xinetd, add the following lines to Template:Filename:

service ftp
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/vsftpd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable                 = no
}

The options below should be set in Template:Filename:

tcp_wrappers=YES        # Use tcp_wrappers to control connections. Then allow in hosts.allow
pam_service_name=vsftpd

Then, make sure vsftpd is allowed in Template:Filename for IPs that may connect to the server:

vsftpd: ALL

Finally, add xinetd to your daemons line in Template:Filename. You do not need to add vsftpd, as it will be called by xinetd whenever necessary.

If you get errors like this while connecting to the server:

500 OOPS: cap_set_proc

You need to add capability in MODULES= line in Template:Filename.

While upgrading to version 2.1.0 you might get an error like this when connecting to the server from a client:

500 OOPS: could not bind listening IPv4 socket

In earlier versions it has been enough to leave the following lines commented:

# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
# listen=YES

In this newer version, and maybe future releases, it is necessary however to explicitly configure it to not run in a standalone mode, like this:

# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
listen=NO

Tips and tricks

PAM with virtual users

Using virtual users has the advantage of not requiring a real login account on the system. Keeping the environment in a container is of course a more secure option.

A virtual users database has to be created by first making a simple text file like this:

user1
password1
user2
password2

Include as many virtual users as you wish according to the structure in the example. Save it as logins.txt; the file name does not have any significance. Next step depends on Berkeley database system, which is included in the core system of Arch. As root create the actual database with the help of the logins.txt file, or what you chose to call it:

# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

It is recommended to restrict permissions for the now created Template:Filename file:

# chmod 600 /etc/vsftpd_login.db
Warning: Be aware that stocking passwords in plain text is not safe. Don't forget to remove your temporary file with Template:Codeline.

PAM should now be set to make use of vsftpd_login.db. To make PAM check for user authentication create a file named ftp in the Template:Filename directory with the following information:

auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login crypt=hash 
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login crypt=hash
Note: We use /etc/vsftpd_login without .db extension in PAM-config!

Now it is time to create a home for the virtual users. In the example Template:Filename is decided to host data for virtual users, which also reflects the default directory structure of Arch. First create the general user virtual and make Template:Filename its home:

# useradd -d /srv/ftp virtual

Make virtual the owner:

# chown virtual:virtual /srv/ftp

Configure vsftpd to use the created environment by editing /etc/vsftpd.conf. These are the necessary settings to make vsftpd restrict access to virtual users, by user-name and password, and restrict their access to the specified area Template:Filename:

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
virtual_use_local_privs=YES

If the xinetd method is used start the service. You should now only be allowed to login by user-name and password according to the made database.

Adding private folders for the virtual users

First create directories for users:

# mkdir /srv/ftp/user1
# mkdir /srv/ftp/user2
# chown virtual:virtual /srv/ftp/user?/

Then, add the following lines to Template:Filename:

local_root=/srv/ftp/$USER
user_sub_token=$USER

More resources