Differences between revisions 11 and 12
Revision 11 as of 2015-09-30 07:09:10
Size: 3503
Editor: ?OlavSeyfarth
Comment: In current stable, default is "anonymous_enable=NO".
Revision 12 as of 2015-09-30 07:24:20
Size: 3526
Editor: ?OlavSeyfarth
Comment: Access is enabled for authorized local users by default.
Deletions are marked like this. Additions are marked like this.
Line 67: Line 67:
To enable authorized local users, uncomment: Access is enabled for authorized local users by default. To disable:
Line 69: Line 69:
local_enable=YES local_enable=NO

Translation(s): English - Français - Русский

(!) ?Discussion


Installing and configuring FTP server vsftpd.

Introduction

This article aims to detail the steps to set up an FTP file sharing server, using vsftpd (Very Secure FTP Daemon).

Installation

As usual, installation is very simple with apt-get or Aptitude. As root run:

aptitude install vsftpd

After installing, the server starts automatically and listens on TCP port 21 by default.

You can check it within netstat:

# netstat -npl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      22468/vsftpd    

If your host does not have a firewall, it is recommended to stop vsftpd before configuring.

/etc/init.d/vsftpd stop

Configuration

The configuration file for this server is /etc/vsftpd.conf. You can find example configuration files in /usr/share/doc/vsftpd/EXAMPLE.

The configuration file has three option types:

  • BOOLEAN OPTIONS - can be YES or NO;
  • NUMERIC OPTIONS - e.g. time in seconds, port number
  • STRING OPTIONS - path to directory or file /var/run/vsftpd/;

If certain options are not present in the configuration file, the server will be use default parameters (see man vsftpd.conf).

Anonymous access

By default, anonymous connections are not allowed.

If you enable this, only access to directory /srv/ftp/ is allowed:

anonymous_enable=YES

For enabling anonymous uploading, set:

  • anon_upload_enable - allow file uploads from anonymous users (under certain conditions).

  • anon_mkdir_write_enable - allow directory creation.

  • anon_root=/data/directory - allow to change the default directory.

For enabling changes to ownership, set:

chown_uploads=YES
chown_username=username

User access control

Access is enabled for authorized local users by default. To disable:

local_enable=NO

To enable write access:

write_enable=YES

User Management

Containment of users

User accounts can access files of the whole system which is not always desirable and can help to compromise the machine, they can be confined by changing vsftpd.conf :

chroot_local_user=YES

The root of their FTP will be their home directory.

Nevertheless, an account can be used to connect outside of ftp: ssh, getty (terminal login) are examples . It will then still have access to the rest of the system by the shell. You can configure the services given as examples to block the account or to contain it, but the main solution is to disable the shell for the user.

For that we assign the user's shell to false , a simple binary which returns an error signal :

usermod -s /bin/false

Then, you need to add false to the shells list :

echo /bin/false >> /etc/shells

See also :