Vsftpd

From Omnia
Jump to navigation Jump to search

vsftpd

vsftpd: - Very Secure Ftp Daemon

"vsftpd is a Very Secure FTP daemon. It was written completely from scratch."

Installation

yum install vsftpd
apt-get install vsftpd

Tutorial

Howto: Easy FTP with vsftpd - Ubuntu Forums - http://ubuntuforums.org/showthread.php?t=518293

SFTP

SFTP Shell:

/usr/libexec/openssh/sftp-server

To provide SFTP access to linux accounts only (no shell access) change user's shell to:

test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server

Add to /etc/shells:

/bin/sh
/bin/bash
/sbin/nologin
/usr/libexec/openssh/sftp-server

Source: https://help.ubuntu.com/10.04/serverguide/C/ftp-server.html

Configuration Files

/etc/vsftpd/

/etc/vsftpd/vsftpd.conf

Simple banner:

ftpd_banner=My FTP

OR more complex banner...

Create warning banners for all FTP users:

banner_file=/etc/vsftpd/issue

Create /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

NOTICE TO USERS

Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.

Tutorial

Files

/etc/vsftpd/              # config folder
/etc/vsftpd/vsftpd.conf   # config file

/etc/rc.d/init.d/vsftpd   # startup file
/usr/sbin/vsftpd          # executable

/etc/vsftpd/ftpusers      # deny ftp users
/etc/vsftpd/user_list     # deny user list

/etc/vsftpd/vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=My FTP
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Changes from default:

anonymous_enable=NO
local_umask=002
ftpd_banner=My FTP
chroot_local_user=YES

/etc/pam.d/vsftpd:

#%PAM-1.0
# htpasswd access
auth    required pam_pwdfile.so pwdfile /etc/htpasswd
account required pam_permit.so

See Linux PAM and htpasswd

Original /etc/pam.d/vsftpd:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

Default

/etc/vsftpd/vsftpd.conf:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

/etc/pam.d/vsftpd:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

Service Start and Stop

service vsftpd start
service vsftpd stop
service vsftpd restart

Firewall Settings

pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12003
-A RH-Firewall-1-INPUT -p tcp --dport 11000:11010 -j ACCEPT

References:

Allow Only Specified Users

Append to bottom:

#ken#
anonymous_enable=NO
local_umask=002
ftpd_banner=My FTP
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO

and add your user to "vsftpd/user_list"

check that your user is not in "vsftpd/ftpusers"

Source: How to allow specific user to login Vsftp server - http://www.linuxquestions.org/questions/linux-networking-3/how-to-allow-specific-user-to-login-vsftp-server-446064/

SFTP Server

Server ftp.lindonlabs.com


/etc/vsftpd.conf: (compared to above vsftpd.conf)

# matching config
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
pam_service_name=vsftpd

# missing config
#local_umask=002
#xferlog_std_format=YES
#ftpd_banner=My FTP
#userlist_enable=YES
#tcp_wrappers=YES

# additional config
secure_chroot_dir=/var/run/vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
banner_file=/home/ftp2/ftp_banner
log_ftp_protocol=yes

## SSL Config
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem

The SSL config options do not appear to affect SFTP. Maybe for FTPS?

/etc/pam.d/vsftpd:

# Standard behaviour for ftpd(8).
auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own.  Do not enable
# pam_ftp.so.

# Standard blurb.
@include common-account
@include common-session

@include common-auth
auth    required        pam_shells.so

Debian:

/usr/lib/sftp-server

CentOS:

/usr/libexec/openssh/sftp-server

Enabling SFTP on CentOS locks out SSH and *FTP* access, but allows SFTP. To allow FTP also, the PAM file will need to be modified.

Firewall

Passing Through a Stateless Firewall

The classic example of a network operation that may fail with a stateless firewall is the File Transfer Protocol (FTP). [1]

Install and configure ftp server in Amazon EC2 instance | Linux Admin Zone - http://linuxadminzone.com/install-and-configure-ftp-server-in-amazon-ec2-instance/

Open a good range of addresses:

$ ec2-authorize default -p 20-21
$ ec2-authorize default -p 1024-1048
$ vi /etc/vsftpd/vsftpd.conf
#<em>---Add following lines at the end of file---</em>
	pasv_enable=YES
	pasv_min_port=1024
	pasv_max_port=1048
	pasv_address=<Public IP of your instance>

Issues

chroot - GnuTLS error -15: An unexpected TLS packet was received

Error:	GnuTLS error -15: An unexpected TLS packet was received.
Error:	Could not connect to server

chroot was enabled with a writable root. Need to override, or make non writable.

keywords