VsFTPD

Very secure, but hard to configure for virtual users and chroot.
I cracked it one day for a client; here is the working setup.

| /etc/vsftpd/vsftpd.conf
# Disable anonymous login
anonymous_enable=NO

# Controls whether local logins are permitted. If enabled, normal user accounts in /etc/passwd
# (or wherever your PAM config references) may be used to log in.
# This must be enabled for any non-anonymous login to work, including virtual users.
local_enable=YES

# Controls whether any FTP commands which change the filesystem are allowed. (we override this per user later)
write_enable=NO

# By default, virtual users are treated with anonymous (i.e. maximally restricted) privilege. (we override this per user later)
anon_upload_enable=NO

# When enabled, anonymous users will only be allowed to download files which are world readable
anon_world_readable_only=NO

# If set to YES, anonymous users will be permitted to create new directories (we override this per user later)
anon_mkdir_write_enable=NO

# Write operations other than upload and directory creation (e.g. overwrite, rename, delete) count as "other write" (we override this per user later)
anon_other_write_enable=NO

# Custom PAM service name for our purpose (see /etc/pam.d/ftp below)
pam_service_name=ftp

# chroot users !! yeah we need this
chroot_local_user=YES

# guest_enable separates the FTP login from /etc/passwd, so no system account needs to exist.
# Needed for standalone (pam_userdb) authentication.
guest_enable=YES

# The system user that guest logins are mapped to - generally the apache user OR the directory owner
guest_username=www

# listen must be enabled for vsftpd to run in standalone mode
listen=YES

# Passive port range specification
pasv_min_port=30000
pasv_max_port=30999

# Directory of per-user files in which we override the options above where needed.
user_config_dir=/etc/vsftpd/vsftpd_user_conf

# Needed to deny some system users
userlist_enable=YES

# List of the users which are denied
userlist_file=/etc/vsftpd/denied_users

# Maximum number of FTP clients at any given moment
max_clients=100

# Maximum number of connections from a single IP
max_per_ip=10

Additional logging options, which I have added to the config above:

xferlog_enable=YES
xferlog_std_format=YES
dual_log_enable=YES
log_ftp_protocol=YES
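The transfer log that xferlog_enable=YES with xferlog_std_format=YES writes (default path /var/log/xferlog) is the place to see what the virtual users actually uploaded into the web root. The following is an added example and not part of the original page: two small awk helpers that summarise uploads per user and host and flag uploads of files the web server would execute rather than serve. The log lines are constructed for the example, the function names are my own, and the extension list is an assumption to adapt to your web server.

```shell
#!/bin/bash
# Added example, not from the original wiki page: reviews the transfer log that
# xferlog_enable=YES / xferlog_std_format=YES produce (the wu-ftpd layout) so
# that uploads into the web root can be checked. The sample lines below are
# constructed for this example; the function names are my own.
#
# Field positions in the standard format (awk's default whitespace splitting
# also absorbs the space-padded single-digit day of month, see the May 5 line):
#   $7 remote host   $8 bytes   $9 file   $12 direction (i=upload, o=download)
#   $14 user         $18 completion status (c=complete, i=incomplete)

SAMPLE_XFERLOG=$(mktemp)
cat > "$SAMPLE_XFERLOG" <<'EOF'
Wed May  5 09:12:00 2010 1 198.51.100.9 4096 /var/www/html/xyz.com/new.php b _ i r username2 ftp 0 * i
Thu May 20 18:47:01 2010 1 203.0.113.7 512 /var/www/html/index.html b _ i r www ftp 0 * c
Thu May 20 18:47:05 2010 2 203.0.113.7 20480 /var/www/html/upload.php b _ i r www ftp 0 * c
Thu May 20 18:48:10 2010 1 198.51.100.9 1024 /var/www/html/xyz.com/logo.png b _ o r username2 ftp 0 * c
EOF

# "user host uploads bytes", one line per user/host pair, counting every
# upload attempt (complete or not).
xferlog_upload_summary() {
    awk '$12 == "i" { n[$14 " " $7]++; b[$14 " " $7] += $8 }
         END { for (k in n) print k, n[k], b[k] }' "$1" | sort
}

# Uploads whose name the web server would execute rather than serve. Because
# local_root here is the document root, such uploads deserve a review.
# The extension list is an assumption; extend it to what your server runs.
xferlog_flag_script_uploads() {
    awk '$12 == "i" && $9 ~ /\.(php|phtml|cgi|pl)$/ {
             print $14, $7, $9, ($18 == "c" ? "complete" : "incomplete")
         }' "$1"
}

# Against the real log, replace "$SAMPLE_XFERLOG" with /var/log/xferlog.
xferlog_upload_summary "$SAMPLE_XFERLOG"
xferlog_flag_script_uploads "$SAMPLE_XFERLOG"
```

With log_ftp_protocol=YES the full command dialogue also goes to vsftpd's own log (dual_log_enable=YES keeps both), which is what you want when an upload in the summary looks wrong and you need the surrounding session.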
  • create directory “/etc/vsftpd/vsftpd_user_conf”
  • create file “/etc/vsftpd/vsftpd_user_conf/www”

NOTE: now we override, per user, every option we disabled above. (Without these overrides the user is denied everything.)

| /etc/vsftpd/vsftpd_user_conf/www
write_enable=YES
dirlist_enable=YES
download_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
local_root=/var/www/html
  • Create a PAM auth rule for the db4-based database:
| /etc/pam.d/ftp
auth    required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
  • Create a text file with username / password pairs, one per line, as users.txt:
| /etc/vsftpd/users.txt
www
wwwpassword
username2
password2
  • Generate the database from the users.txt file:
db_load -T -t hash -f /etc/vsftpd/users.txt /etc/vsftpd/vsftpd_login.db
  • Create the per-user restrictions for the second virtual user:
| /etc/vsftpd/vsftpd_user_conf/username2
local_root=/var/www/html/xyz.com
dirlist_enable=YES
download_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
  • If uploaded files end up with permission 600 and you cannot chmod them, try the following additional lines:
| /etc/vsftpd/vsftpd_user_conf/username2
chmod_enable=YES
virtual_use_local_privs=YES
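The two places this setup goes wrong in practice are the credential list (a username without a password line, or a duplicate name, silently produces a database that does not authenticate) and a virtual user who has no file under user_config_dir, or one missing an override, and therefore inherits the deny-all defaults from vsftpd.conf. The following is an added helper script, not code from the original page: it validates users.txt, builds the database the same way the db_load step above does, and audits the per-user files for the overrides this page uses. Paths are the ones on this page; the function names and the list of required overrides are this example's own assumptions.

```shell
#!/bin/bash
# Added helper (not part of the original wiki page): checks users.txt, builds
# the pam_userdb database the way the page does, and audits that every virtual
# user has the per-user override file the page describes. Paths match the page;
# the function names and the list of required overrides are this example's own
# assumptions.
set -u

# Overrides the page puts in every per-user file. A user whose file lacks one
# of them silently inherits the deny-all default from vsftpd.conf.
REQUIRED_OVERRIDES="write_enable=YES dirlist_enable=YES download_enable=YES anon_upload_enable=YES anon_other_write_enable=YES anon_mkdir_write_enable=YES"

# Print the usernames (odd lines) of a users.txt laid out as alternating
# username / password lines. Returns 1 on a blank username, a duplicate
# username, or an odd line count (a username with no password).
list_virtual_users() {
    awk '
        NR % 2 == 1 {
            if ($0 == "")   { print "line " NR ": blank username" > "/dev/stderr"; bad = 1 }
            if ($0 in seen) { print "line " NR ": duplicate user " $0 > "/dev/stderr"; bad = 1 }
            seen[$0] = 1
            print
        }
        END {
            if (NR % 2 == 1) { print "odd line count: last user has no password" > "/dev/stderr"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Build the Berkeley DB file that pam_userdb reads. The PAM line on the page
# gives db=/etc/vsftpd/vsftpd_login without ".db" because pam_userdb appends
# the extension itself, so pass the full .db path here as the page does.
# Both files hold cleartext passwords, so restrict them to root.
build_login_db() {
    local users_file="$1" db_path="$2"
    list_virtual_users "$users_file" > /dev/null || return 1
    if ! command -v db_load > /dev/null 2>&1; then
        echo "db_load not found (install the db4 utilities)" >&2
        return 2
    fi
    db_load -T -t hash -f "$users_file" "$db_path" || return 1
    chmod 600 "$users_file" "$db_path"
}

# Report, one "user problem" line each, every virtual user whose file under
# user_config_dir is missing, lacks local_root, points local_root at a
# directory that does not exist, or lacks one of the required overrides.
# Returns 1 if any problem was found.
audit_user_conf() {
    local users_file="$1" conf_dir="$2" users user conf root key rc=0
    users=$(list_virtual_users "$users_file") || return 1
    for user in $users; do
        conf="$conf_dir/$user"
        if [ ! -f "$conf" ]; then
            echo "$user no_user_conf"; rc=1; continue
        fi
        root=$(sed -n 's/^local_root=//p' "$conf")
        if [ -z "$root" ]; then
            echo "$user local_root"; rc=1
        elif [ ! -d "$root" ]; then
            echo "$user local_root_missing_dir"; rc=1
        fi
        for key in $REQUIRED_OVERRIDES; do
            grep -qx "$key" "$conf" || { echo "$user ${key%%=*}"; rc=1; }
        done
    done
    return $rc
}

# Usage on a real host (run as root):
#   build_login_db /etc/vsftpd/users.txt /etc/vsftpd/vsftpd_login.db
#   audit_user_conf /etc/vsftpd/users.txt /etc/vsftpd/vsftpd_user_conf
```

Two things worth knowing when you run this on a newer vsftpd than the one this page was written against: from vsftpd 2.3.5 the daemon refuses a login whose chroot root is writable, which is exactly what local_root becomes here with the overrides above, so on 3.0.0 and later you either add allow_writeable_chroot=YES to the per-user file or keep local_root itself non-writable and give the user writable subdirectories; and db_load may be packaged under a versioned name (for example db5.3_load) on some distributions, in which case adjust the command in build_login_db.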

NOTE: a change to a per-user config file does not require a restart, but it only takes effect for new FTP connections.

A useful link:
user permission fix

DONE

vsftpd.1274395648.txt.gz · Last modified: 2010/05/20 18:47 by k2patel