
VSFTPD

Introduction

VSFTPD stands for Very Secure FTP Daemon. It is a very stable and secure FTP server that still has a good set of features, and it is also very fast. If you want a more fully featured FTP daemon, consider ProFTPD.

I never like to create shell accounts for people who only need to access hosted services. It opens up far more access than is really necessary and can be a pain to administer. VSFTPD supports fully virtual user accounts and can be backed by many different user-authentication schemes: it supports PAM authentication, so you can authenticate against anything you can get a PAM module for.

If you don't have an existing system to use for authentication, such as LDAP or another network directory such as eDirectory, you can quickly and easily create a MySQL database. Using a database makes it very simple to add or remove users or to change their passwords, and it also becomes very easy to build a simple web interface or to manage accounts using scripts.

VSFTPD supports per-user configuration through an additional configuration file for each user. These files must have the same name as the user account and support settings such as chrooting the user to a specific directory.

User Accounts Database

Here is a simple database schema you can use for holding your user account details. This will be used with the pam_mysql module to provide authentication for your users.

CREATE DATABASE `vsftpd`;

USE `vsftpd`;

CREATE TABLE `accounts` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(200) default NULL,
  `clearpw` varchar(200) default NULL,
  `name` tinytext,
  PRIMARY KEY  (`id`),
  UNIQUE KEY `username` (`username`),
  KEY `clearpw` (`clearpw`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- The daemon's PAM lookups only read the table, so the account gets SELECT only.
-- The username must match the user= value in the PAM configuration.
GRANT SELECT ON `vsftpd`.* TO 'vsftpd'@'localhost' IDENTIFIED BY '<password>';

PAM Configuration

Make sure you have pam_mysql installed and available for use on your system. Then configure PAM to use your MySQL database to authenticate VSFTPD users.

Create a file called /etc/pam.d/vsftpd and add the following configuration information:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
# crypt=0 tells pam_mysql to compare clearpw as plain text; crypt=1 would expect
# a crypt(3) hash in that column instead.
auth     required     pam_mysql.so user=vsftpd passwd=<password> host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=clearpw crypt=0 md5=0 verbose=true
account  required     pam_permit.so

Installing VSFTPD

On CentOS 5.0 installation is really simple: VSFTPD is available in the base repository, so you can install it with yum:

# yum install vsftpd

Make sure that VSFTPD will start automatically:

# chkconfig vsftpd on

and then start VSFTPD:

# service vsftpd start

VSFTPD Configuration

There are several steps needed to configure VSFTPD. We need to create some local user accounts, configure VSFTPD to use virtual user accounts and PAM for authentication, and create the files that provide configuration for each of your virtual FTP users.

Local User Accounts

Two local user accounts are needed. One lets the vsftpd process run as an unprivileged user; the other owns all filesystem access for the virtual users and gets no login shell.

# useradd -r -m -d /var/lib/vsftpd vsftpd
# useradd -r -m -d /var/ftp -s /bin/false virtualftp

Main Configuration

We are configuring the daemon to run chrooted, so we need a directory to use for the jail:

# mkdir /var/lib/vsftpd/chroot

VSFTPD lets us have per-user configuration. This is done by placing the settings in a file named after the user. We need to create a directory to store the files:

# mkdir /var/lib/vsftpd/users
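The per-user file, the matching database row and the user's directory tree can all be produced by one small script. The following is an added example, not from the original page or from the VSFTPD project. It assumes this page's layout: accounts in the MySQL table vsftpd.accounts, per-user files in /var/lib/vsftpd/users, a private tree per user under /var/ftp, and the local account virtualftp for filesystem access; all locations are variables so the functions can be exercised against a scratch directory. Because the username becomes a filename inside user_config_dir and a directory name under /var/ftp, it is validated before use. The password is inserted exactly as given: with the crypt=0 PAM line above that is the clear text, whereas pam_mysql's crypt=1 expects a crypt(3) hash in the same column, which is the better choice when the schema is yours to change.

```shell
#!/bin/sh
# add-vftp-user.sh: provision one VSFTPD virtual user (added example, not part
# of the original page). Assumes this page's layout: accounts in the MySQL
# table vsftpd.accounts, per-user files in user_config_dir, a private tree per
# user under /var/ftp, and the local account virtualftp for filesystem access.
# All locations are variables so the functions can be run against a scratch dir.
USER_CONFIG_DIR=${USER_CONFIG_DIR:-/var/lib/vsftpd/users}
FTP_ROOT=${FTP_ROOT:-/var/ftp}
GUEST_USER=${GUEST_USER:-virtualftp}
MYSQL=${MYSQL:-mysql}

# The username becomes a filename in user_config_dir and a directory name under
# FTP_ROOT, so only a short, plain token is accepted: no slashes, no leading
# dot, no "..", at most 32 characters.
valid_username() {
    case "$1" in
        ''|.*|*..*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Write the per-user file that vsftpd reads from user_config_dir. local_root
# puts the user in a private directory instead of the shared guest home, and
# write_enable is overridden per user ("rw" or "ro").
write_user_config() {
    name=$1 mode=$2
    valid_username "$name" || { echo "bad username: $name" >&2; return 1; }
    case "$mode" in
        rw) writable=YES ;;
        ro) writable=NO ;;
        *)  echo "mode must be rw or ro" >&2; return 1 ;;
    esac
    # umask 077 keeps the file readable by its owner only (root in real use).
    ( umask 077
      printf 'local_root=%s/%s\nwrite_enable=%s\nlocal_umask=022\n' \
          "$FTP_ROOT" "$name" "$writable" > "$USER_CONFIG_DIR/$name" )
}

# Create the user's tree. The chroot root (the local_root directory) stays
# owned by whoever runs this (root) and is not writable by the guest account;
# newer vsftpd releases refuse to log a user into a writable chroot root.
# Uploads go into a writable subdirectory owned by the guest account.
make_user_dirs() {
    name=$1
    valid_username "$name" || return 1
    dir=$FTP_ROOT/$name
    mkdir -p "$dir/upload"
    chmod 0755 "$dir"
    chown "$GUEST_USER" "$dir/upload"
    chmod 0750 "$dir/upload"
}

# Build the INSERT for the accounts table. Values are escaped for a MySQL
# single-quoted string (backslash and quote). With crypt=0 in the PAM line the
# stored value is compared as clear text; with crypt=1 pass a crypt(3) hash.
sql_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"; }
sql_for_user() {
    printf "INSERT INTO accounts (username, clearpw, name) VALUES ('%s', '%s', '%s');\n" \
        "$(sql_escape "$1")" "$(sql_escape "$2")" "$(sql_escape "$3")"
}

# End to end: directories, per-user file, then the database row. The mysql
# client runs with the caller's own credentials (e.g. root's ~/.my.cnf), not
# the read-only account granted to pam_mysql.
# Usage (as root): add_virtual_user alice 'secret' 'Alice Example' rw
add_virtual_user() {
    valid_username "$1" || { echo "bad username: $1" >&2; return 1; }
    make_user_dirs "$1" &&
    write_user_config "$1" "$4" &&
    sql_for_user "$1" "$2" "$3" | "$MYSQL" vsftpd
}
```

Running add_virtual_user as root on the server creates /var/ftp/alice with a writable upload subdirectory, writes /var/lib/vsftpd/users/alice, and pipes the INSERT into the vsftpd database; each function can also be called on its own.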

The main configuration file is found at /etc/vsftpd/vsftpd.conf:

# This is the user account we created so that the vsftpd process will run as an
# unprivileged user.
nopriv_user=vsftpd
secure_chroot_dir=/var/lib/vsftpd/chroot

listen=YES
tcp_wrappers=YES
connect_from_port_20=YES
pasv_min_port=50000
pasv_max_port=60000

# This should be an external ip address not the loopback interface
pasv_address=<public server ip>

max_clients=10
max_per_ip=4

idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000

anonymous_enable=NO
userlist_enable=YES
userlist_file=/etc/vsftpd/vsftpd_no_anonymous

#
# Enable virtual users
guest_enable=YES

# This is the name of the local user account we created for accessing the local 
# filesystem when logged in as a virtual user account
guest_username=virtualftp

# PAM will use a configuration file of the same name, i.e. 
# /etc/pam.d/vsftpd
pam_service_name=vsftpd

#
# Virtual users are treated as local users once guest_enable is on, so local
# logins must be enabled; chroot_local_user keeps each one inside its
# local_root.
local_enable=YES
chroot_local_user=YES
user_config_dir=/var/lib/vsftpd/users

hide_ids=NO

#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES

#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

#
# Give the virtual user the same privileges a real local user would have, so
# nothing behaves differently for a virtual account.
virtual_use_local_privs=YES

#
# Enable FTP write commands (upload, delete, rename, mkdir). A per-user file
# can set write_enable=NO for accounts that only need to download.
write_enable=YES

#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022

# Log every FTP request and response. This option only takes effect when
# xferlog_std_format is not enabled, so dual_log_enable is switched on below
# to get vsftpd's own log (/var/log/vsftpd.log) alongside the xferlog.
log_ftp_protocol=YES
setproctitle_enable=YES

#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
dual_log_enable=YES
