Using the Very Secure FTP Server (vsFTPd)

The Very Secure FTP Server (vsFTPd) is the only FTP server software included in the Red Hat Linux distribution. Although it hasn't been around as long as WU-FTPD, vsFTPd is becoming the FTP server of choice for sites that need to support thousands of concurrent downloads. It was also designed to secure your systems against most common attacks.

Red Hat, Inc. itself uses vsFTPd on its own FTP servers (ftp.redhat.com). Other organizations in the Linux/GNU world have also made the switch to vsFTPd, including Debian Linux (ftp.debian.org) and the GNU Project (ftp.gnu.org).

Besides security and scalability, vsFTPd was designed for simplicity. Therefore, fewer options exist for configuring vsFTPd than you find in WU-FTPD, so you are expected to rely on standard Linux file and directory permissions to provide refined access to your server. Getting started with vsFTPd, or using it to replace WU-FTPD, is fairly straightforward.

Quick-starting vsFTPd

By enabling the vsFTPd service, you can almost instantly have an FTP service running with the default values (set in the /etc/vsftpd/vsftpd.conf file). The following is a quick procedure for getting your vsFTPd server up and running.

Note

If you have been using the WU-FTP server on your computer and you are switching to vsFTPd, you need to turn off WU-FTP. To do that, change disable=no to disable=yes in the /etc/xinetd.d/wu-ftpd file. Then, once you have completed the following procedure, vsFTPd will take control of the default FTP configuration, allowing access to the /var/ftp directory and listening on the default FTP port. Because the two packages have some different default settings, however, you may want to do additional tuning to get vsFTPd to perform as you would like it to.

  1. To use the vsFTPd server, you must make sure that the vsFTPd software package is installed.

    # rpm -qa vsftpd
    
  2. Enable the vsFTPd server by typing the following line (as root user):

    # chkconfig vsftpd on
    
  3. Start the vsFTPd server as follows:

    # /etc/init.d/vsftpd start
    
  4. Try to log in to the FTP server as the anonymous user, giving any e-mail address as the password. (If you are connecting over a network, use the more secure sftp command instead.)

    $ ftp localhost
    Connected to yourhost
    220 (vsFTPd 1.2.0)
    530 Please login with USER and PASS
    Name (localhost:chris): anonymous
    331 Please specify the password.
    Password: ******
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>

If you saw messages similar to the preceding, your vsFTPd server is now up and running. Next, try to access the server from another computer on the network to be sure that it is accessible.

Note

If your FTP server is not accessible to the outside world, you may need to ensure that your network is configured properly and that your firewall allows access to port 21. Refer to Appendix C for information on getting your network services working.

The next section explains the /etc/vsftpd/vsftpd.conf configuration file.

Configuring vsFTPd

Most of the configuration of vsFTPd is done in the /etc/vsftpd/vsftpd.conf file. Although many values are not set explicitly in vsftpd.conf, you can override the defaults by setting option=value statements in this file. You can set such things as which users have access to your vsFTPd server, how logging is done, and how timeouts are set.

Go through the following section for more information about how vsFTPd is configured by default and how you can further configure your vsFTPd server.

User accounts

Users who can access your vsFTPd server are, by default, the anonymous user and any users with real-user accounts on your system. (A guest user is simply a real user account that is restricted to its own home directory.) The following lines set these user access features:

anonymous_enable=YES
local_enable=YES

The anonymous_enable line lets users log in anonymously using either the anonymous or ftp user name. Any users with local accounts (in /etc/passwd) can log into the FTP server with local_enable set to YES. An exception to this rule is that, by default, all user accounts listed in the /etc/vsftpd.user_list file are denied access.

Note

If you want to disable access by anonymous users, don't just comment out anonymous_enable. Anonymous access is on by default, so you must set anonymous_enable=NO to disable it.

Check the vsftpd.user_list file to see which users are denied access to the vsFTPd server. Note that root and other administrative logins are listed there, and so are denied access. You can add other users to this list, or change the location of the list by setting the userlist_file parameter to the file you want. For the list to be consulted at all, whether it is the default vsftpd.user_list or a new file named with userlist_file, userlist_enable must be set to YES (as it is by default). For example:

userlist_file=/etc/vsftpd.user_list_local
userlist_enable=YES

If you like, you can change the meaning of the /etc/vsftpd.user_list file so that only the users in that list are allowed to use the vsFTPd service. Set userlist_deny=NO and change the /etc/vsftpd.user_list to include only names of users to whom you want to grant access to the server. (All other users, including anonymous and ftp, will be denied access.)
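As an added example (not from the book), the following shell script works through the login rules just described: it reads a vsftpd.conf-style file and the user list it names, and reports whether a given login name would be admitted. The built-in defaults it assumes are the ones the text gives (anonymous_enable=YES, local_enable=YES, userlist_enable=YES, userlist_deny=YES, userlist_file=/etc/vsftpd.user_list); whether a local account actually exists in /etc/passwd is not checked, and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of vsFTPd or the book: evaluate vsFTPd's user-list
# and anonymous/local login settings for a given login name.

# conf_get FILE KEY DEFAULT: print the last uncommented KEY=value in FILE,
# or DEFAULT when the key is not set (vsFTPd's built-in default, assumed).
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# user_allowed CONF USER: print ALLOW/DENY with the reason; status 0 = allowed.
user_allowed() {
    conf=$1; user=$2
    anon=$(conf_get "$conf" anonymous_enable YES)
    local_ok=$(conf_get "$conf" local_enable YES)
    ul_enable=$(conf_get "$conf" userlist_enable YES)
    ul_deny=$(conf_get "$conf" userlist_deny YES)
    ul_file=$(conf_get "$conf" userlist_file /etc/vsftpd.user_list)

    # The user list is consulted first: as a deny list by default, or as the
    # only allow list when userlist_deny=NO (then anonymous/ftp must be listed too).
    if [ "$ul_enable" = YES ]; then
        listed=0
        grep -qx "$user" "$ul_file" 2>/dev/null && listed=1
        if [ "$ul_deny" = YES ] && [ "$listed" -eq 1 ]; then
            echo "DENY: $user is in deny list $ul_file"; return 1
        fi
        if [ "$ul_deny" = NO ] && [ "$listed" -eq 0 ]; then
            echo "DENY: $user is not in allow list $ul_file"; return 1
        fi
    fi

    # Anonymous names depend only on anonymous_enable; everyone else on local_enable.
    case $user in
        anonymous|ftp)
            if [ "$anon" = YES ]; then echo "ALLOW: anonymous login (chroot /var/ftp)"; return 0; fi
            echo "DENY: anonymous_enable=$anon"; return 1 ;;
    esac
    if [ "$local_ok" = YES ]; then echo "ALLOW: local account $user"; return 0; fi
    echo "DENY: local_enable=$local_ok"; return 1
}

# make_demo_conf: write a constructed vsftpd.conf and user list into a temp
# directory (the list mirrors the administrative names the default file holds)
# and print the directory path.
make_demo_conf() {
    d=$(mktemp -d) || return 1
    printf 'userlist_file=%s/vsftpd.user_list\n' "$d" > "$d/vsftpd.conf"
    printf 'root\nbin\ndaemon\n' > "$d/vsftpd.user_list"
    printf '%s\n' "$d"
}

# Demonstration on the constructed files.
demo=$(make_demo_conf)
for u in anonymous chris root; do
    user_allowed "$demo/vsftpd.conf" "$u" || :
done
rm -rf "$demo"
```

Appending anonymous_enable=NO or userlist_deny=NO to the constructed vsftpd.conf and rerunning shows how the decision changes; the last setting of a key in the file wins, which is also why commenting out anonymous_enable does not disable anonymous access.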

Setting FTP access

The vsFTPd server software provides a simple and seemingly secure approach to access permissions. Instead of using settings in the FTP service to selectively prevent downloads and uploads of particular directories (as WU-FTPD does), you can use standard Linux file and directory permissions to limit access. There are, however, the following general settings in the /etc/vsftpd/vsftpd.conf file to let users get files from and put files onto your vsFTPd server.

Downloading files

Any users with valid logins (anonymous or real users, excluding some administrative logins) can download files from the vsFTPd server, by default. The ability to download a particular file or a file from a particular directory is governed by the following basic Linux features:

  • File and directory permissions — Standard file and directory permissions apply as a means of limiting access to particular files, even in accessible file systems. So, if the root user puts a file with 600 permission (read/write to root only) in the /var/ftp directory, an anonymous user is not able to download that file.

  • Root directory — The root directory (chroot) for anonymous users is /var/ftp. The root directory for regular users is the entire computer's root directory (/), although their current directory after connecting to FTP is /home/user, where user is the user name. So an anonymous user is restricted to downloads from the /var/ftp directory structure, while a regular user potentially has access to the whole file system. Another possibility is to create guest accounts by restricting some or all users to their home directories.

You can use the chroot_local_user option to change the root directory for regular users so that they are restricted to their home directory. In general you will not want to do this, because using the same user name and password for general Linux logins doesn't place such restrictions on your users. To restrict all regular users to their home directory when using vsFTPd, add this line to the vsftpd.conf file:

chroot_local_user=YES

To enable the concept of guest users, you can choose to limit only selected users to their home directories. You do this by setting chroot_list_enable to YES, then adding a list of guest users to a file noted with the chroot_list_file option. The following example lets you add such a list (one user name per line) to the /etc/vsftpd.chroot_list file:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

One further setting in the vsftpd.conf file affects how files are downloaded. ASCII-mode downloads are off by default; to enable them, add the following:

ascii_download_enable=YES

Without making that change, all downloads are done in binary mode. Although vsFTPd will seem to allow the user to change to ascii mode, ascii mode will not work if this setting is NO.

Uploading (writing) files from local users

Two values set in the vsftpd.conf file allow the uploading of files during a vsFTPd session. These defaults allow any users with regular, local user accounts to upload files:

write_enable=YES
local_umask=022

The write_enable value must be YES if you intend to allow any users the ability to write to the FTP server. The local_umask=022 value sets the default file permission used when a local user creates a file on the server. (The 022 value causes files created to have 644 permission, allowing the user read and write permission and everyone else only read permission.)

As with downloading, uploading in ASCII mode is prohibited by default. Though ASCII downloads create a potential security hole (they can be used to drain resources from your server), ASCII uploads are apparently not as dangerous and can be useful for uploading text files. To allow ASCII uploads, add the following line:

ascii_upload_enable=YES

Uploading (writing) files from anonymous users

The ability to upload files is turned off for anonymous FTP users. If you want to turn it on, add the following line to the vsftpd.conf file:

anon_upload_enable=YES

You must also make sure that the /var/ftp directory contains one or more directories with write permissions open to anonymous users. For example, you might want to create an incoming directory and open its permissions (chmod 777 /var/ftp/incoming).

Files uploaded by anonymous users will be created with 600 permission by default (read/write for the ftp user, not accessible to any other users so that even the user who uploaded the file can't remove it). To allow 644 permission, for example, you can add the following line:

anon_umask=022

Once you allow the anonymous user to upload files, you can grant limited ability to change the files he or she uploads. By adding the following line, you can allow anonymous users to rename or delete any files owned by anonymous users (providing the files are in directories for which the users have write permission):

anon_other_write_enable=YES

If you also want to allow anonymous users to create their own directories, add the following:

anon_mkdir_write_enable=YES

By default, the ftp user is given ownership of uploaded files from anonymous users. If you want to indicate that anonymous uploads be owned by a different user (of your choice), you can use the chown_uploads and chown_username options. For example, if you have a user account named mynewuser, you can set these options as follows:

chown_uploads=YES
chown_username=mynewuser

Of course, you can create and use any user name you want. You should not, however, use the root login or any other administrative login for this purpose (for security reasons).
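As an added example (not from the book), the script below audits the upload settings covered in the last two sections: it works out the permission a newly created file gets from a umask (666 with the umask bits removed), finds the directories under the anonymous root that are actually world-writable, and prints OK/WARN findings for the anonymous-upload options, flagging chown_username=root as the weak setting the text warns against. The built-in defaults it assumes are those the text gives (write_enable=YES, local_umask=022, anon_upload_enable=NO, anon_umask=077, anon_other_write_enable=NO, chown_uploads=NO, chown_username=ftp); the FTP tree and configuration it creates for the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of vsFTPd or the book: audit vsFTPd upload settings
# against the FTP tree they apply to.

# conf_get FILE KEY DEFAULT: last uncommented KEY=value in FILE, else DEFAULT.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# mode_from_umask UMASK: permission a newly created file gets (666 with the
# umask bits removed); 022 gives 644, 077 gives 600.
mode_from_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# anon_write_dirs FTPROOT: directories under the anonymous root that are
# world-writable, i.e. the places anon_upload_enable=YES would let uploads land.
anon_write_dirs() {
    find "$1" -type d -perm -0002 | sort
}

# audit_uploads CONF FTPROOT: one finding per line, prefixed OK or WARN.
audit_uploads() {
    conf=$1; root=$2
    if [ "$(conf_get "$conf" write_enable YES)" != YES ]; then
        echo "OK: write_enable=NO, no uploads at all"; return 0
    fi
    echo "OK: local uploads create mode $(mode_from_umask "$(conf_get "$conf" local_umask 022)")"
    if [ "$(conf_get "$conf" anon_upload_enable NO)" = YES ]; then
        dirs=$(anon_write_dirs "$root")
        if [ -z "$dirs" ]; then
            echo "OK: anon_upload_enable=YES but no world-writable directory under $root"
        else
            echo "WARN: anonymous uploads land in: $(printf '%s' "$dirs" | tr '\n' ' ')"
            echo "WARN: anonymous uploads created with mode $(mode_from_umask "$(conf_get "$conf" anon_umask 077)")"
        fi
        [ "$(conf_get "$conf" anon_other_write_enable NO)" = YES ] && echo "WARN: anonymous users may rename/delete uploaded files"
        if [ "$(conf_get "$conf" chown_uploads NO)" = YES ]; then
            owner=$(conf_get "$conf" chown_username ftp)
            if [ "$owner" = root ]; then
                echo "WARN: chown_username=root gives root ownership of anonymous uploads"
            else
                echo "OK: anonymous uploads chowned to $owner"
            fi
        fi
    else
        echo "OK: anon_upload_enable=NO"
    fi
}

# make_demo_site: constructed FTP tree (pub 755, incoming 777) and a
# vsftpd.conf with anonymous uploads chowned to root; prints the temp dir.
make_demo_site() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ftp/pub" "$d/ftp/incoming"
    chmod 755 "$d/ftp" "$d/ftp/pub"
    chmod 777 "$d/ftp/incoming"
    printf 'anon_upload_enable=YES\nanon_umask=077\nchown_uploads=YES\nchown_username=root\n' > "$d/vsftpd.conf"
    printf '%s\n' "$d"
}

# Demonstration on the constructed site.
demo=$(make_demo_site)
audit_uploads "$demo/vsftpd.conf" "$demo/ftp"
rm -rf "$demo"
```

Run against a real server as `audit_uploads /etc/vsftpd/vsftpd.conf /var/ftp`; changing chown_username from root to an unprivileged account such as the mynewuser of the text turns the last WARN line into an OK.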

Adding message files

Although vsFTPd doesn't support the arrangement of README and welcome files that WU-FTPD supports, you can add .message files to any accessible directory on your vsFTPd server. Then, if you use the default dirmessage_enable option as follows, the text from the .message file will be displayed when the user enters the directory:

dirmessage_enable=YES

You will probably at least want to add a .message file to the root directory of the FTP server for anonymous users. By default, that location is /var/ftp/.message. If you want to use files other than .message files, you can set the message_file option. For example, to have text from the .mymessage file displayed when you enter a directory, you can add the following line:

message_file=.mymessage

You can also set a one-line message to appear before the login prompt. You can do this by entering the following line, replacing the text with anything you want to say:

ftpd_banner=Welcome to My FTP service.

Logging vsFTPd activities

Logging is enabled in vsFTPd by default, and the activities of your vsFTPd site are written to the /var/log/vsftpd.log file. The following options enable logging in that way:

xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log

You can turn off logging if you like (not recommended, since logging allows you to watch for potential break-ins) by changing YES to NO. Or you can change the location of the log file by changing the value of the xferlog_file option. The log file is output in standard format (that is, the same way WU-FTPD does it), based on the following option:

xferlog_std_format=YES
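As an added example (not from the book), here is a small awk-based reader for a log written with xferlog_std_format=YES. It assumes the 18 space-separated fields of the standard xferlog format (day, month, date, time, year, transfer time, remote host, bytes, path, transfer type, special action, direction, access mode, user, service, authentication method, authenticated uid, completion status) and that paths contain no spaces; the log lines it writes are constructed, not captured traffic. It summarizes transfers per user and pulls out the two things worth watching on a server with an incoming directory: anonymous uploads and transfers that did not complete.

```shell
#!/bin/sh
# Added example, not part of vsFTPd or the book: summarize a vsFTPd log in
# standard xferlog format.

# xferlog_summary FILE: one line per user with transfer count and byte totals
# (field 12 is direction, "o" outgoing/download or "i" incoming/upload).
xferlog_summary() {
    awk '
    NF >= 18 {
        user = $14; dir = $12; bytes = $8
        n[user]++
        if (dir == "o") out[user] += bytes
        else if (dir == "i") in_[user] += bytes
    }
    END {
        for (u in n)
            printf "%s transfers=%d bytes_out=%d bytes_in=%d\n", u, n[u], out[u], in_[u]
    }' "$1" | sort
}

# anon_uploads FILE: host, size, path and completion status of every anonymous
# upload (direction "i", access mode "a").
anon_uploads() {
    awk 'NF >= 18 && $12 == "i" && $13 == "a" { print $7, $8, $9, $18 }' "$1"
}

# incomplete_transfers FILE: number of transfers whose completion status is "i".
incomplete_transfers() {
    awk 'NF >= 18 && $18 == "i" { c++ } END { print c + 0 }' "$1"
}

# make_sample_log: write constructed log lines to a temp file and print its path.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Wed Oct 15 14:02:11 2003 1 10.0.0.5 4096 /pub/readme.txt b _ o a guest@example.com ftp 0 * c
Wed Oct 15 14:05:40 2003 3 10.0.0.5 120000 /incoming/upload.bin b _ i a guest@example.com ftp 0 * c
Wed Oct 15 14:09:02 2003 2 192.168.1.20 8192 /home/chris/notes.txt a _ o r chris ftp 1 chris c
Wed Oct 15 14:12:55 2003 9 10.0.0.7 2048 /incoming/partial.zip b _ i a mozilla@ ftp 0 * i
EOF
    printf '%s\n' "$f"
}

# Demonstration on the constructed log.
log=$(make_sample_log)
echo "Per-user summary:";        xferlog_summary "$log"
echo "Anonymous uploads:";       anon_uploads "$log"
echo "Incomplete transfers: $(incomplete_transfers "$log")"
rm -f "$log"
```

On a live server, point the functions at /var/log/vsftpd.log (or whatever xferlog_file names); a sudden rise in anonymous uploads or in incomplete transfers is the kind of change that makes keeping logging enabled worthwhile.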

Setting timeouts

The following timeouts are set by default in vsFTPd (these values are built in, so you don't have to make any changes to the /etc/vsftpd/vsftpd.conf file for them to take effect):

accept_timeout=60
connect_timeout=60
idle_session_timeout=600
data_connection_timeout=120

The accept_timeout=60 and connect_timeout=60 values determine how long the client has to establish a PASV or PORT style connection, respectively, before the connection times out. Both are set to 60 seconds. The idle_session_timeout=600 option causes the FTP session to be dropped if the user has been inactive for more than 10 minutes (600 seconds). The data_connection_timeout value sets the amount of time, during which no progress occurs, that the server will wait before dropping the connection (the default here is 120 seconds, or two minutes).

Navigating the vsFTPd site

In general, vsFTPd does not offer as many shortcuts for clients trying to navigate through the FTP site as does WU-FTPD. For example, most shell wildcard characters that a user might expect to use, such as question marks and brackets, are not supported.

There is, however, one very useful wildcard character you can use with the ls command, and one option you can turn on. The asterisk (*) wildcard can be used with the ls command, and multiple asterisks in the same line are supported. You can add support for the -R option of ls so that a user can recursively list the contents of the current directory and all subdirectories. To turn on this feature, which is off by default, add the following line to the vsftpd.conf file:

ls_recurse_enable=YES

Part IV: Red Hat Linux Network and Server Setup