Debian DokuWiki

User Tools

Site Tools

Trace: scripts script_to_parse_space_separated_file vsftpd
vsftpd

This is an old revision of the document!

VsFTPD

Very secure, but hard to configure for virtual users and chroot.
Here i have crack it down one day for my client.

| /etc/vsftpd/vsftpd.conf
# Disable Anonymous login
 
anonymous_enable=NO
 
# Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd 
# (or wherever your PAM config references) may be used to log in. 
# This must be enable for any non-anonymous login to work, including virtual users.
 
local_enable=YES
 
# This controls whether any FTP commands which change the filesystem are allowed or not. (we override later)
 
write_enable=NO
 
# by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege. (we override later)
 
anon_upload_enable=NO
 
# When enabled, anonymous users will only be allowed to download files which are world readable
 
anon_world_readable_only=NO
 
# If set to YES, anonymous users will be permitted to create new directories (we override later)
 
anon_mkdir_write_enable=NO
 
# operation other than upload, creation consider as other_write e.g.. overwrite ( we override later)
anon_other_write_enable=NO
 
# define custom pam service for our purpose.
 
pam_service_name=ftp
 
# chroot users !! yeah we need this
 
chroot_local_user=YES
 
# Guest enable will separate login from passwd - so you do not need system account to exists.
# need this for standalone authentication.
 
guest_enable=YES
 
# where you want to guest user to - generally apache user OR directory owner
 
guest_username=www
 
# This needed as listen has to be enable for ftp to work
 
listen=YES
 
# Passive port range specification
 
pasv_min_port=30000
pasv_max_port=30999
 
# Location where we override all above options where we need overriding.
 
user_config_dir=/etc/vsftpd/vsftpd_user_conf
 
# Need this to disable some users from system
 
userlist_enable=YES
 
# List of the users which is disabled
 
userlist_file=/etc/vsftpd/denied_users
 
# Maximum ftp client at any given moment of time
 
max_clients=100
 
# How many connection from single ip
 
max_per_ip=10

Additional Log options 

xferlog_enable=YES
xferlog_std_format=YES
dual_log_enable=YES
log_ftp_protocol=YES
  • create directory “/etc/vsftpd/vsftpd_user_conf”
  • create file “/etc/vsftpd/vsftpd_user_conf/www”
| /etc/vsftpd/vsftpd_user_conf/www
write_enable=YES
dirlist_enable=YES
download_enable=YES
local_root=/var/www/html
  • create pam auth rule for db4 based database
| /etc/pam.d/ftp
auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
  • crate text file with username / password. users.txt
| /etc/vsftpd/users.txt
www
wwwpassword
username2
password2
  • generate database based on users.txt file
db_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db
  • generate virtual user restriction for second user
| /etc/vsftpd/vsftpd_user_conf/username2
local_root=/var/www/html/xyz.com
dirlist_enable=YES
download_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES

DONE

vsftpd.1244796515.txt.gz · Last modified: 2020/08/10 02:29 (external edit)