vsftpd

Differences

This shows you the differences between two versions of the page.

vsftpd [2009/06/12 04:57]
k2patel created
vsftpd [2020/08/10 02:35] (current)
Line 2: Line 2:
  
 Very secure, but hard to configure for virtual users and chroot.\\ Very secure, but hard to configure for virtual users and chroot.\\
-Here i have crack it down one day for my client.+Usually virtual user help in hosting environment.\\ 
 +But it is good to have diff. account on FTP for each person to specific location.\\ 
 + 
 +Use configuration below and use the commands specified to create new user / manage users. 
  
 <code bash | /​etc/​vsftpd/​vsftpd.conf>​ <code bash | /​etc/​vsftpd/​vsftpd.conf>​
 +# Disable Anonymous login
 +
 anonymous_enable=NO anonymous_enable=NO
 +
 +# Controls whether local logins are permitted or not. If enabled, normal user accounts in /​etc/​passwd ​
 +# (or wherever your PAM config references) may be used to log in. 
 +# This must be enable for any non-anonymous login to work, including virtual users.
 +
 local_enable=YES local_enable=YES
 +
 +# This controls whether any FTP commands which change the filesystem are allowed or not. (we override later)
 +
 write_enable=NO write_enable=NO
 +
 +# by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege. (we override later)
 +
 anon_upload_enable=NO anon_upload_enable=NO
 +
 +# When enabled, anonymous users will only be allowed to download files which are world readable
 +
 +anon_world_readable_only=NO
 +
 +# If set to YES, anonymous users will be permitted to create new directories (we override later)
 +
 anon_mkdir_write_enable=NO anon_mkdir_write_enable=NO
 +
 +# operation other than upload, creation consider as other_write e.g.. overwrite ( we override later)
 anon_other_write_enable=NO anon_other_write_enable=NO
 +
 +# define custom pam service for our purpose.
 +
 pam_service_name=ftp pam_service_name=ftp
 +
 +# chroot users !! yeah we need this
 +
 chroot_local_user=YES chroot_local_user=YES
-guest_enable=NO+ 
 +# Guest enable will separate login from passwd - so you do not need system account to exists. 
 +# need this for standalone authentication. 
 + 
 +guest_enable=YES 
 + 
 +# where you want to guest user to - generally apache user OR directory owner 
 guest_username=www guest_username=www
 +
 +# This needed as listen has to be enable for ftp to work
 +
 listen=YES listen=YES
 +
 +# Passive port range specification
 +
 pasv_min_port=30000 pasv_min_port=30000
 pasv_max_port=30999 pasv_max_port=30999
 +
 +# Location where we override all above options where we need overriding.
 +
 user_config_dir=/​etc/​vsftpd/​vsftpd_user_conf user_config_dir=/​etc/​vsftpd/​vsftpd_user_conf
 +
 +# Need this to disable some users from system
 +
 userlist_enable=YES userlist_enable=YES
 +
 +# List of the users which is disabled
 +
 userlist_file=/​etc/​vsftpd/​denied_users userlist_file=/​etc/​vsftpd/​denied_users
 +
 +# Maximum ftp client at any given moment of time
 +
 +max_clients=100
 +
 +# How many connection from single ip
 +
 +max_per_ip=10
 </​code>​ </​code>​
 +
 +Additional Log options, you would like to add to above config i have added
 +
 +<code bash>
 +xferlog_enable=YES
 +xferlog_std_format=YES
 +dual_log_enable=YES
 +log_ftp_protocol=YES
 +</​code>​
 +
 +  * create directory "/​etc/​vsftpd/​vsftpd_user_conf"​
 +  * create file "/​etc/​vsftpd/​vsftpd_user_conf/​www" ​
 +
 +NOTE : now we are overriding all disabled options for each user. (if not you will be denied for anything LOL)
 +
 +<code bash | /​etc/​vsftpd/​vsftpd_user_conf/​www>​
 +write_enable=YES
 +dirlist_enable=YES
 +download_enable=YES
 +anon_upload_enable=YES
 +anon_other_write_enable=YES
 +anon_mkdir_write_enable=YES
 +local_root=/​var/​www/​html
 +</​code>​
 +
 +  * create pam auth rule for db4 based database
  
 <code bash | /​etc/​pam.d/​ftp>​ <code bash | /​etc/​pam.d/​ftp>​
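Review bot: the per-user override block for www (write_enable=YES, anon_upload_enable=YES, anon_other_write_enable=YES, local_root=/var/www/html) makes the chroot root itself writable, because guest_username=www maps every virtual user onto the directory owner and chroot_local_user=YES pins them to that directory. vsftpd 2.3.5 and later refuses such a login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"; either keep /var/www/html root-owned and non-writable and point uploads at a writable subdirectory, or accept the weaker chroot explicitly with allow_writeable_chroot=YES (vsftpd 3.0.0 and later) and say so in the comment. Two smaller points in the same hunk: since all virtual users share the www identity, file ownership cannot tell them apart, so the dual_log_enable=YES and log_ftp_protocol=YES lines are what provides per-user attribution and should be described as required rather than "additional"; and the pasv_min_port/pasv_max_port range 30000-30999 must be opened on the host firewall (and any NAT in front of it) or passive transfers will hang after the control connection succeeds.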
Line 27: Line 115:
 account required /​lib/​security/​pam_userdb.so db=/​etc/​vsftpd/​vsftpd_login account required /​lib/​security/​pam_userdb.so db=/​etc/​vsftpd/​vsftpd_login
 </​code>​ </​code>​
 +
 +  * crate text file with username / password. users.txt
 +
 +<code bash | /​etc/​vsftpd/​users.txt>​
 +www
 +wwwpassword
 +username2
 +password2
 +</​code>​
 +
 +  * generate database based on users.txt file
 +
 +<code bash>
 +db_load -T -t hash -f logins.txt /​etc/​vsftpd/​vsftpd_login.db
 +</​code>​
 +
 +  * generate virtual user restriction for second user
 +
 +<code bash | /​etc/​vsftpd/​vsftpd_user_conf/​username2>​
 +local_root=/​var/​www/​html/​xyz.com
 +dirlist_enable=YES
 +download_enable=YES
 +write_enable=YES
 +anon_upload_enable=YES
 +anon_other_write_enable=YES
 +anon_mkdir_write_enable=YES
 +</​code>​
 +
 +  * If you see permission 600 and you have issue with that permission and not able to chmod. try following additional lines.
 +
 +<code bash | /​etc/​vsftpd/​vsftpd_user_conf/​username2>​
 +chmod_enable=YES
 +virtual_use_local_privs=YES
 +</​code>​
 +
 +NOTE : any change to user setting does not require restart - but new ftp connection needed.
 +
 +Some use full link : \\
 +[[ http://​kbase.redhat.com/​faq/​docs/​DOC-6202 | user permission fix ]]
 +
 +DONE
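Review bot: the db_load line reads -f logins.txt, but the file created in the step just above it is /etc/vsftpd/users.txt, so the command as written fails or loads a stale file; it should be db_load -T -t hash -f /etc/vsftpd/users.txt /etc/vsftpd/vsftpd_login.db. The same step leaves credentials in the clear: users.txt holds plaintext passwords, and pam_userdb compares plaintext unless its crypt=crypt option is given, so the resulting vsftpd_login.db is a plaintext credential store too. The procedure should make the .db root-owned with mode 600 and delete users.txt once the database is loaded. Also, the second username2 block sets virtual_use_local_privs=YES, which already grants virtual users local-user privileges and makes the anon_upload_enable / anon_other_write_enable / anon_mkdir_write_enable overrides redundant for that user; and the account line can reference pam_userdb.so by module name instead of /lib/security/pam_userdb.so, which is the wrong path on 64-bit hosts where PAM modules live in /lib64/security.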
vsftpd.1244782673.txt.gz · Last modified: 2020/08/10 02:29 (external edit)