Difference between revisions of "Very Secure FTP Daemon"

From ArchWiki
Jump to: navigation, search
(Anonymous login: anon_root)
(37 intermediate revisions by 22 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]]
+
[[Category:File Transfer Protocol]]
[[Category:HOWTOs (English)]]
+
[[cs:Very Secure FTP Daemon]]
{{i18n|Very Secure FTP Daemon}}
+
[[es:Very Secure FTP Daemon]]
 +
[[it:Very Secure FTP Daemon]]
 +
[[ru:Very Secure FTP Daemon]]
 +
[[zh-CN:Very Secure FTP Daemon]]
 +
'''vsftpd''' (Very Secure FTP Daemon) is a lightweight, stable and secure FTP server for UNIX-like systems.
  
'''vsftpd''' is the "very secure ftp daemon", a small FTP server.
+
== Installation ==
 +
Simply install {{pkg|vsftpd}} from the [[Official Repositories]].
  
Because it will run either with or without xinetd, this article will cover both methods.
+
To start the server:
 +
# systemctl start vsftpd.service
  
==Without xinetd (simpler)==
+
If you want it to be started automatically at boot:
If you want to avoid the extra complications of xinetd, just grab the package:
+
  # systemctl enable vsftpd.service
  # pacman -S vsftpd
+
then edit /etc/vsftpd.conf and set <code>listen=YES</code>.  These are useful options (optional):
+
listen=YES          # Lets vsftpd act as a stand alone server
+
anonymous_enable=NO # Assuming you do not want anonymous ftp
+
local_enable=YES    # This lets local machine users log in
+
write_enable=YES    # Be really careful using this with anonymous_enable=YES
+
After that, append 'vsftpd: ALL' to your /etc/hosts.allow file. You can then start the server with /etc/rc.d/vsftpd start.  Add it to your DAEMONS list in /etc/rc.conf if you want it to start at bootup.
+
  
==Using xinetd==
+
See the xinetd section below for procedures to use vsftpd with xinetd.
First, grab the packages you will need with pacman:
+
# pacman -S xinetd vsftpd
+
  
The following configuration files will need to be changed:
+
== Configuration ==
 +
Most of the settings in vsftpd are done by editing the file {{ic|/etc/vsftpd.conf}}. The file itself is well-documented, so this section only highlights some important changes you may want to modify. For all available options and documentation, one can man vsftpd.conf (5). Files are served by default from {{ic|/srv/ftp}}.
  
/etc/xinetd.d/vsftpd:
+
=== Enabling uploading ===
 +
The {{Ic|WRITE_ENABLE}} flag must be set to YES in {{ic|/etc/vsftpd.conf}} in order to allow changes to the filesystem, such as uploading:
 +
write_enable=YES
 +
 
 +
=== Local user login ===
 +
One must set the line to {{ic|/etc/vsftpd.conf}} to allow users in {{ic|/etc/passwd}} to login:
 +
local_enable=YES
 +
 
 +
=== Anonymous login ===
 +
The line in {{ic|/etc/vsftpd.conf}} controls whether anonymous users can login:
 +
anonymous_enable=YES          # Allow anonymous login
 +
no_anon_password=YES          # No password is required for an anonymous login
 +
anon_max_rate=30000          # Maximum transfer rate for an anonymous client in Bytes/second
 +
anon_root=/example/directory/ # Directory to be used for an anonymous login
 +
 
 +
=== Chroot jail ===
 +
One can set up a chroot environment which prevents the user from leaving its home directory. To enable this, add the following lines to {{ic|/etc/vsftpd.conf}}:
 +
chroot_list_enable=YES
 +
chroot_list_file=/etc/vsftpd.chroot_list
 +
The {{Ic|chroot_list_file}} variable specifies the file which contains users that are jailed.
 +
 
 +
For a more restricted environment, one can specify the line:
 +
chroot_local_user=YES
 +
This will make local users jailed by default. In this case, the file specified by {{Ic|chroot_list_file}} lists users that are '''not''' in a chroot jail.
 +
 
 +
=== Limiting user login ===
 +
It's possible to prevent users from logging into the FTP server by adding two lines to {{ic|/etc/vsftpd.conf}}:
 +
userlist_enable=YES
 +
userlist_file=/etc/vsftpd.user_list
 +
{{Ic|userlist_file}} now specifies the file which lists users that are not able to login.
 +
 
 +
If you only want to allow certain users to login, add the line:
 +
userlist_deny=NO
 +
The file specified by {{Ic|userlist_file}} will now contain users that are able to login.
 +
 
 +
=== Limiting connections ===
 +
One can limit the data transfer rate, number of clients and connections per IP for local users by adding the information in {{ic|/etc/vsftpd.conf}}:
 +
local_max_rate=1000000 # Maximum data transfer rate in bytes per second
 +
max_clients=50        # Maximum number of clients that may be connected
 +
max_per_ip=2          # Maximum connections per IP
 +
 
 +
=== Using xinetd ===
 +
If you want to use vsftpd with xinetd, add the following lines to {{ic|/etc/xinetd.d/vsftpd}}:
 
<pre>
 
<pre>
 
service ftp
 
service ftp
Line 37: Line 77:
 
</pre>
 
</pre>
  
/etc/vsftpd.conf is a very well documented configuration file, but here are the basics you will probably want to set:
+
The option below should be set in {{ic|/etc/vsftpd.conf}}:
  anonymous_enable=NO      # Assuming you do not want anonymous ftp
+
  pam_service_name=ftp
local_enable=YES        # This lets local machine users log in
+
write_enable=YES    # Be really careful using this with anonymous_enable=YES
+
tcp_wrappers=YES    # Use tcp_wrappers to control connections. Then allow in hosts.allow
+
pam_service_name=vsftpd
+
  
/etc/hosts.allow - add following entry (for security reasons hosts.allow could be configured differently [[Beginners'_Guide#.2Fetc.2Fhosts.deny_and_.2Fetc.2Fhosts.allow | /etc/hosts.deny and /etc/hosts.allow]]):
+
Finally, add xinetd to your daemons line in {{ic|/etc/rc.conf}}. You do not need to add vsftpd, as it will be called by xinetd whenever necessary.
<pre>
+
vsftpd: ALL
+
</pre>
+
  
Finally, add xinetd to your daemons line in /etc/[[rc.conf]].  You do not need to add vsftpd, as it will be called by xinetd whenever necessary.
+
If you get errors like this while connecting to the server:
 
+
If you get errors like  
+
 
  500 OOPS: cap_set_proc
 
  500 OOPS: cap_set_proc
when connecting to the server, you need to add ''capability'' in MODULES= line in /etc/rc.conf.
+
You need to add ''capability'' in MODULES= line in {{ic|/etc/rc.conf}}.
 
+
  
When upgrading to '''version 2.1.0''' you might get an error like this when connecting to the server from a client:
+
While upgrading to version 2.1.0 you might get an error like this when connecting to the server from a client:
 
  500 OOPS: could not bind listening IPv4 socket
 
  500 OOPS: could not bind listening IPv4 socket
 
In earlier versions it has been enough to leave the following lines commented:
 
In earlier versions it has been enough to leave the following lines commented:
 
  # Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
 
  # Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
 
  # listen=YES
 
  # listen=YES
In this newer version, and maybe future releases, it is necessary however to explicitly configure it to ''not'' run in a standalone mode, like this:
+
In this newer version, and maybe future releases, it is necessary however to explicitly configure it to '''not''' run in a standalone mode, like this:
 
  # Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
 
  # Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
 
  listen=NO
 
  listen=NO
  
==PAM with "virtual users"==
+
=== Using SSL to Secure FTP  ===
 +
 
 +
Generate an SSL Cert, e.g. like that:
 +
# cd /etc/ssl/certs
 +
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
 +
# chmod 600 /etc/ssl/certs/vsftpd.pem
 +
You will be asked a lot of Questions about your Company etc., as your Certificate is not a trusted one it doesn't really matter what you fill in. You will use this for encryption! If you plan to use this in a matter of trust get one from a CA like thawte, verisign etc.
 +
 
 +
edit your configuration {{ic|/etc/vsftpd.conf}}
 +
<pre>
 +
#this is important
 +
ssl_enable=YES
 +
 
 +
#choose what you like, if you accept anon-connections
 +
# you may want to enable this
 +
# allow_anon_ssl=NO
 +
 
 +
#choose what you like,
 +
# it's a matter of performance i guess
 +
# force_local_data_ssl=NO
 +
 
 +
#choose what you like
 +
force_local_logins_ssl=YES
 +
 
 +
#you should at least enable this if you enable ssl...
 +
ssl_tlsv1=YES
 +
#choose what you like
 +
ssl_sslv2=YES
 +
#choose what you like
 +
ssl_sslv3=YES
 +
#give the correct path to your currently generated *.pem file
 +
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
 +
#the *.pem file contains both the key and cert
 +
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
 +
</pre>
 +
 
 +
=== Dynamic DNS ===
 +
Make sure you put the following two lines in {{ic|/etc/vsftpd.conf}}:
 +
pasv_addr_resolve=YES
 +
pasv_address=yourdomain.noip.info
 +
It is '''not''' necessary to use a script that updates pasv_address periodically and restarts the server, as it can be found elsewhere!
 +
{{Note|You won't be able to connect in passive mode via LAN anymore. Try the active mode on your LAN PC's FTP client.}}
 +
 
 +
== Tips and tricks ==
 +
=== PAM with virtual users ===
 
Using virtual users has the advantage of not requiring a real login account on the system. Keeping the environment in a container is of course a more secure option.
 
Using virtual users has the advantage of not requiring a real login account on the system. Keeping the environment in a container is of course a more secure option.
  
Line 73: Line 147:
 
  user2
 
  user2
 
  password2
 
  password2
 
 
Include as many virtual users as you wish according to the structure in the example. Save it as logins.txt; the file name does not have any significance. Next step depends on Berkeley database system, which is included in the core system of Arch. As root create the actual database with the help of the logins.txt file, or what you chose to call it:
 
Include as many virtual users as you wish according to the structure in the example. Save it as logins.txt; the file name does not have any significance. Next step depends on Berkeley database system, which is included in the core system of Arch. As root create the actual database with the help of the logins.txt file, or what you chose to call it:
 
  # db_load -T -t hash -f logins.txt /etc/vsftpd_login.db
 
  # db_load -T -t hash -f logins.txt /etc/vsftpd_login.db
 
+
It is recommended to restrict permissions for the now created {{ic|vsftpd_login.db}} file:
It is recommended to restrict permissions for the now created vsftpd_login.db file:
+
 
  # chmod 600 /etc/vsftpd_login.db
 
  # chmod 600 /etc/vsftpd_login.db
 
+
{{Warning|Be aware that stocking passwords in plain text is not safe. Don't forget to remove your temporary file with {{Ic|rm logins.txt}}.}}
{{Warning|Be aware that stocking passwords in plain text is not safe. Don't forget to remove your temporary file with {{codeline|rm logins.txt}}.}}
+
PAM should now be set to make use of vsftpd_login.db. To make PAM check for user authentication create a file named ftp in the {{ic|/etc/pam.d/}} directory with the following information:
 
+
  auth required pam_userdb.so db=/etc/vsftpd_login crypt=hash  
PAM should now be set to make use of vsftpd_login.db. To make PAM check for user authentication create a file named ftp in the /etc/pam.d/ directory with the following information:
+
  account required pam_userdb.so db=/etc/vsftpd_login crypt=hash
  auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login.db crypt=hash  
+
{{Note|We use /etc/vsftpd_login without .db extension in PAM-config!}}
  account required /lib/security/pam_userdb.so db=/etc/vsftpd_login.db crypt=hash
+
Now it is time to create a home for the virtual users. In the example {{ic|/srv/ftp}} is decided to host data for virtual users, which also reflects the default directory structure of Arch. First create the general user virtual and make {{ic|/srv/ftp}} its home:
 
+
Now it is time to create a home for the virtual users. In the example /srv/ftp is decided to host data for virtual users, which also reflects the default directory structure of Arch. First create the general user virtual and make /srv/ftp its home:
+
 
  # useradd -d /srv/ftp virtual
 
  # useradd -d /srv/ftp virtual
 
 
Make virtual the owner:
 
Make virtual the owner:
 
  # chown virtual:virtual /srv/ftp
 
  # chown virtual:virtual /srv/ftp
 
+
Configure vsftpd to use the created environment by editing /etc/vsftpd.conf. These are the necessary settings to make vsftpd restrict access to virtual users, by user-name and password, and restrict their access to the specified area {{ic|/srv/ftp}}:
Configure vsftpd to use the created environment by editing /etc/vsftpd.conf. These are the necessary settings to make vsftpd restrict access to virtual users, by user-name and password, and restrict their access to the specified area /srv/ftp:
+
 
  anonymous_enable=NO
 
  anonymous_enable=NO
 
  local_enable=YES
 
  local_enable=YES
Line 99: Line 167:
 
  guest_username=virtual
 
  guest_username=virtual
 
  virtual_use_local_privs=YES
 
  virtual_use_local_privs=YES
 +
If the xinetd method is used start the service. You should now only be allowed to login by user-name and password according to the made database.
  
If the xinetd method is used start the sevice, i.e. '/etc/rc.d/xinetd start'. You should now only be allowed to login by user-name and password according to the made database.
+
==== Adding private folders for the virtual users ====
===To add private folders for the virtual users===
+
First create directories for users:
First create their directories
+
 
  # mkdir /srv/ftp/user1
 
  # mkdir /srv/ftp/user1
 
  # mkdir /srv/ftp/user2
 
  # mkdir /srv/ftp/user2
 
  # chown virtual:virtual /srv/ftp/user?/
 
  # chown virtual:virtual /srv/ftp/user?/
  
Again, in your vsftpd.conf file, add the following.
+
Then, add the following lines to {{ic|/etc/vsftpd.conf}}:
 
  local_root=/srv/ftp/$USER
 
  local_root=/srv/ftp/$USER
 
  user_sub_token=$USER
 
  user_sub_token=$USER
 +
 +
== Troubleshooting ==
 +
 +
=== vsftpd: refusing to run with writable root inside chroot() ===
 +
As of vsftpd 2.3.5, the chroot directory that users are locked to must not be writable. This is in order to prevent a security vulnerabilty.
 +
To do this:
 +
# chmod a-w /home/user
 +
 +
Workaround:
 +
You can put this into your {{ic|/etc/vsftpd.conf}} to workaround this security enhancement (since vsftpd 3.0.0; from [http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/ Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()]):
 +
allow_writeable_chroot=YES
 +
or alternative:
 +
 +
Install vsftpd-ext from AUR and set in the conf file allow_writable_root=YES
 +
 +
=== FileZilla Client: GnuTLS error -8 when connecting via SSL ===
 +
vsftpd tries to display plain-text error messages in the SSL session. In order to debug this, temporarily disable encryption and you will see the correct error message.[http://ramblings.linkerror.com/?p=45]
 +
 +
== See also ==
 +
* [http://vsftpd.beasts.org/ vsftpd official homepage]
 +
* [http://vsftpd.beasts.org/vsftpd_conf.html vsftpd.conf man page]

Revision as of 05:56, 22 February 2013

vsftpd (Very Secure FTP Daemon) is a lightweight, stable and secure FTP server for UNIX-like systems.

Installation

Simply install vsftpd from the Official Repositories.

To start the server:

# systemctl start vsftpd.service

If you want it to be started automatically at boot:

# systemctl enable vsftpd.service

See the xinetd section below for procedures to use vsftpd with xinetd.

Configuration

Most of the settings in vsftpd are done by editing the file /etc/vsftpd.conf. The file itself is well-documented, so this section only highlights some important changes you may want to modify. For all available options and documentation, one can man vsftpd.conf (5). Files are served by default from /srv/ftp.

Enabling uploading

The WRITE_ENABLE flag must be set to YES in /etc/vsftpd.conf in order to allow changes to the filesystem, such as uploading:

write_enable=YES

Local user login

One must set the line to /etc/vsftpd.conf to allow users in /etc/passwd to login:

local_enable=YES

Anonymous login

The line in /etc/vsftpd.conf controls whether anonymous users can login:

anonymous_enable=YES          # Allow anonymous login
no_anon_password=YES          # No password is required for an anonymous login
anon_max_rate=30000           # Maximum transfer rate for an anonymous client in Bytes/second
anon_root=/example/directory/ # Directory to be used for an anonymous login

Chroot jail

One can set up a chroot environment which prevents the user from leaving its home directory. To enable this, add the following lines to /etc/vsftpd.conf:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

The chroot_list_file variable specifies the file which contains users that are jailed.

For a more restricted environment, one can specify the line:

chroot_local_user=YES

This will make local users jailed by default. In this case, the file specified by chroot_list_file lists users that are not in a chroot jail.

Limiting user login

It's possible to prevent users from logging into the FTP server by adding two lines to /etc/vsftpd.conf:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list

userlist_file now specifies the file which lists users that are not able to login.

If you only want to allow certain users to login, add the line:

userlist_deny=NO

The file specified by userlist_file will now contain users that are able to login.

Limiting connections

One can limit the data transfer rate, number of clients and connections per IP for local users by adding the information in /etc/vsftpd.conf:

local_max_rate=1000000 # Maximum data transfer rate in bytes per second
max_clients=50         # Maximum number of clients that may be connected
max_per_ip=2           # Maximum connections per IP

Using xinetd

If you want to use vsftpd with xinetd, add the following lines to /etc/xinetd.d/vsftpd:

service ftp
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/vsftpd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable                 = no
}

The option below should be set in /etc/vsftpd.conf:

pam_service_name=ftp

Finally, add xinetd to your daemons line in /etc/rc.conf. You do not need to add vsftpd, as it will be called by xinetd whenever necessary.

If you get errors like this while connecting to the server:

500 OOPS: cap_set_proc

You need to add capability in MODULES= line in /etc/rc.conf.

While upgrading to version 2.1.0 you might get an error like this when connecting to the server from a client:

500 OOPS: could not bind listening IPv4 socket

In earlier versions it has been enough to leave the following lines commented:

# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
# listen=YES

In this newer version, and maybe future releases, it is necessary however to explicitly configure it to not run in a standalone mode, like this:

# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
listen=NO

Using SSL to Secure FTP

Generate an SSL Cert, e.g. like that:

# cd /etc/ssl/certs
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
# chmod 600 /etc/ssl/certs/vsftpd.pem

You will be asked a lot of Questions about your Company etc., as your Certificate is not a trusted one it doesn't really matter what you fill in. You will use this for encryption! If you plan to use this in a matter of trust get one from a CA like thawte, verisign etc.

edit your configuration /etc/vsftpd.conf

#this is important
ssl_enable=YES

#choose what you like, if you accept anon-connections
# you may want to enable this
# allow_anon_ssl=NO

#choose what you like,
# it's a matter of performance i guess
# force_local_data_ssl=NO

#choose what you like
force_local_logins_ssl=YES

#you should at least enable this if you enable ssl...
ssl_tlsv1=YES
#choose what you like
ssl_sslv2=YES
#choose what you like
ssl_sslv3=YES
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem

Dynamic DNS

Make sure you put the following two lines in /etc/vsftpd.conf:

pasv_addr_resolve=YES
pasv_address=yourdomain.noip.info

It is not necessary to use a script that updates pasv_address periodically and restarts the server, as it can be found elsewhere!

Note: You won't be able to connect in passive mode via LAN anymore. Try the active mode on your LAN PC's FTP client.

Tips and tricks

PAM with virtual users

Using virtual users has the advantage of not requiring a real login account on the system. Keeping the environment in a container is of course a more secure option.

A virtual users database has to be created by first making a simple text file like this:

user1
password1
user2
password2

Include as many virtual users as you wish according to the structure in the example. Save it as logins.txt; the file name does not have any significance. Next step depends on Berkeley database system, which is included in the core system of Arch. As root create the actual database with the help of the logins.txt file, or what you chose to call it:

# db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

It is recommended to restrict permissions for the now created vsftpd_login.db file:

# chmod 600 /etc/vsftpd_login.db
Warning: Be aware that stocking passwords in plain text is not safe. Don't forget to remove your temporary file with rm logins.txt.

PAM should now be set to make use of vsftpd_login.db. To make PAM check for user authentication create a file named ftp in the /etc/pam.d/ directory with the following information:

auth required pam_userdb.so db=/etc/vsftpd_login crypt=hash 
account required pam_userdb.so db=/etc/vsftpd_login crypt=hash
Note: We use /etc/vsftpd_login without .db extension in PAM-config!

Now it is time to create a home for the virtual users. In the example /srv/ftp is decided to host data for virtual users, which also reflects the default directory structure of Arch. First create the general user virtual and make /srv/ftp its home:

# useradd -d /srv/ftp virtual

Make virtual the owner:

# chown virtual:virtual /srv/ftp

Configure vsftpd to use the created environment by editing /etc/vsftpd.conf. These are the necessary settings to make vsftpd restrict access to virtual users, by user-name and password, and restrict their access to the specified area /srv/ftp:

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
virtual_use_local_privs=YES

If the xinetd method is used start the service. You should now only be allowed to login by user-name and password according to the made database.

Adding private folders for the virtual users

First create directories for users:

# mkdir /srv/ftp/user1
# mkdir /srv/ftp/user2
# chown virtual:virtual /srv/ftp/user?/

Then, add the following lines to /etc/vsftpd.conf:

local_root=/srv/ftp/$USER
user_sub_token=$USER

Troubleshooting

vsftpd: refusing to run with writable root inside chroot()

As of vsftpd 2.3.5, the chroot directory that users are locked to must not be writable. This is in order to prevent a security vulnerabilty. To do this:

# chmod a-w /home/user

Workaround: You can put this into your /etc/vsftpd.conf to workaround this security enhancement (since vsftpd 3.0.0; from Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()):

allow_writeable_chroot=YES

or alternative:

Install vsftpd-ext from AUR and set in the conf file allow_writable_root=YES

FileZilla Client: GnuTLS error -8 when connecting via SSL

vsftpd tries to display plain-text error messages in the SSL session. In order to debug this, temporarily disable encryption and you will see the correct error message.[1]

See also