Configuring the Very Secure FTP Server


The vsftpd server, although not as popular as Wu-FTPd, is used by Red Hat, Inc. for its FTP server operations. (The vsftpd server home page is located at http://vsftpd.beasts.org/.) The server offers features such as simplicity, security, and speed. It has been used by a number of sites, such as ftp.debian.org, ftp.gnu.org, rpmfind.net, and ftp.gimp.org. Note that despite its name, the Very Secure FTP server does not enable use of encrypted usernames or passwords.

Its main configuration file is vsftpd.conf, which resides under the /etc/vsftpd directory. The server has a number of features and default policies, but these can be overridden by changing the installed configuration file.

By default, anonymous logins are enabled, but anonymous users are not allowed to upload files, create new directories, or delete or rename files. The configuration file installed by Fedora allows local users (that is, users with a login and shell account) to log in and then access their home directory. This configuration presents a security risk because usernames and passwords are passed without encryption over the network. The best policy is to deny your users access to the server from their user accounts; the built-in vsftpd default (as opposed to Fedora's installed file) already disables this feature.

Controlling Anonymous Access

Toggling anonymous access features for your FTP server is done by editing the vsftpd.conf file and changing related entries to YES or NO in the file. Settings to control how the server works for anonymous logins include

anonymous_enable Enabled by default; use a setting of NO, and then restart the server to turn off anonymous access.

anon_mkdir_write_enable Allows or disallows creation of new directories.

anon_other_write_enable Allows or disallows deletion or renaming of files and directories.

anon_upload_enable Controls whether anonymous users can upload files (also depends on the global write_enable setting); this is a potential security and liability hazard and should rarely be used; if enabled, consistently monitor any designated upload directory.

anon_world_readable_only Only allows anonymous users to download files with world-readable (444) permission.

After making any changes to your server configuration file, make sure to restart the server; this forces vsftpd to reread its settings.
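The settings above interact: each anonymous write action needs its own flag and the global write_enable, and the daemon's compiled-in defaults apply to anything the file leaves out. The following checker is an added example (not from the book or the vsftpd project) that parses a vsftpd.conf, merges it over those defaults, and reports the effective anonymous policy together with the hazards this section describes; the option names are vsftpd's own, the function names are this example's.

```python
# Added example, not from the book or the vsftpd project: derive the anonymous
# policy a vsftpd.conf actually yields, starting from the daemon defaults.

DEFAULTS = {  # compiled-in daemon defaults for the options discussed
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "write_enable": "NO",
    "local_enable": "NO",
}

def parse_vsftpd_conf(text):
    """Parse option=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def effective_policy(text):
    """Merge file settings over the defaults and report what anonymous users may do."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_vsftpd_conf(text))
    def on(option):
        return cfg.get(option, "NO").upper() == "YES"
    anon, write = on("anonymous_enable"), on("write_enable")
    return {
        "anonymous_login": anon,
        # each anonymous write action needs its own flag AND the global write_enable
        "anon_upload": anon and write and on("anon_upload_enable"),
        "anon_mkdir": anon and write and on("anon_mkdir_write_enable"),
        "anon_delete_rename": anon and write and on("anon_other_write_enable"),
        "anon_download_444_only": anon and on("anon_world_readable_only"),
        "cleartext_local_logins": on("local_enable"),  # password crosses the wire in clear
    }

def risk_findings(text):
    """Hazards the chapter warns about, for the given configuration text."""
    p = effective_policy(text)
    checks = [
        (p["anon_upload"], "anonymous uploads enabled; monitor the upload directory"),
        (p["anon_mkdir"] or p["anon_delete_rename"], "anonymous users may alter the directory tree"),
        (p["cleartext_local_logins"], "local_enable=YES sends user passwords unencrypted"),
    ]
    return [msg for hit, msg in checks if hit]
```

Feed it the text of /etc/vsftpd/vsftpd.conf; note that a commented-out anon_upload_enable line leaves the default of NO in force.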

Other vsftpd Server Configuration Files

You can edit vsftpd.conf to enable, disable, and configure many features and settings of the vsftpd server, such as user access, filtering of bogus passwords, and access logging. Some features might require the creation and configuration of other files, such as

/etc/vsftpd.user_list Used by the userlist_enable and/or the userlist_deny options; the file contains a list of usernames to be denied access to the server.

/etc/vsftpd.chroot_list Used by the chroot_list_enable and/or chroot_local_user options, this file contains a list of users who are either allowed or denied access to a home directory. An alternate file can be specified using the chroot_list_file option.

/etc/vsftpd.banned_emails A list of anonymous password entries used to deny access if the deny_email_enable setting is enabled. An alternate file can be specified using the banned_email option.

/var/log/vsftpd.log Data transfer information is captured to this file if logging is enabled using the xferlog_enable setting.

Default vsftpd Behaviors

The contents of a file named .message (if one exists in the current directory) are displayed when a user enters that directory. This feature is enabled in the installed configuration file but is disabled in the daemon's built-in defaults. FTP users are also not allowed to perform recursive directory listings, which helps reduce bandwidth use.

The PASV data connection method is enabled so that the server can tell clients which address and port to use for data connections. Active-mode transfers are a common problem when using FTP from behind a firewall/gateway using IP masquerading or when incoming data connections are disabled. For example, here is a connection to an FTP server (running ProFTPD), an attempt to view a directory listing, and the resulting need to use ftp's internal passive command:

 $ ftp ftp.tux.org
 Connected to gwyn.tux.org.
 220 ProFTPD 1.2.5rc1 Server (ProFTPD on ftp.tux.org) [gwyn.tux.org]
 500 AUTH not understood.
 KERBEROS_V4 rejected as an authentication type
 Name (ftp.tux.org:gbush): gbush
 331 Password required for gbush.
 Password:
 230 User gbush logged in.
 Remote system type is Unix.
 Using binary mode to transfer files.
 ftp> cd public_html
 250 CWD command successful.
 ftp> ls
 500 Illegal PORT command.
 ftp: bind: Address already in use
 ftp>
 ftp> pass
 Passive mode on.
 ftp> ls
 227 Entering Passive Mode (204,86,112,12,187,89).
 150 Opening ASCII mode data connection for file list
 -rw-r--r--   1 gbush    gbush        8470 Jan 10  2000 LinuxUnleashed.gif
 -rw-r--r--   1 gbush    gbush        4407 Oct  4  2001 RHU72ed.gif
 -rw-r--r--   1 gbush    gbush        6732 May 18  2000 SuSEUnleashed.jpg
 -rw-r--r--   1 gbush    gbush        6175 Jan 10  2000 TYSUSE.gif
 -rw-r--r--   1 gbush    gbush        3135 Jan 10  2000 TZones.gif
 ...

NOTE

Browse to http://slacksite.com/other/ftp.html for a detailed discussion regarding active and passive FTP modes and the effect of firewall blocking of service ports on FTP server and client connections.


By default, no per-user login controls are set, but you can configure them to deny access to one or more users.

The data transfer rate for anonymous client access is unlimited, but a maximum rate (in bytes per second) can be set using the anon_max_rate setting in vsftpd.conf. This can be useful for throttling bandwidth use during periods of heavy access. Another default is that remote clients are logged out after five minutes of inactivity or a stalled data transfer. The idle timeout and the data-transfer (stalled connection) timeout can be set separately.

Other settings that might be important for managing your system's resources (networking bandwidth or memory) when offering FTP access include

dirlist_enable Toggles directory listings on or off.

dirmessage_enable Toggles display of a message when a user enters a directory; a related setting is ls_recurse_enable, which can be used to disallow recursive directory listings.

download_enable Toggles downloading on or off.

max_clients Sets a limit on the maximum number of connections.

max_per_ip Sets a limit on the number of connections from the same IP address.

TIP

A number of techniques, such as adjusting TCP socket buffers based on bandwidth characteristics, have been researched in an effort to speed up FTP file transfers. Many factors can slow FTP server performance. Disk I/O, system resources such as RAM, and network speeds are just some of these factors. Directories containing large numbers of files can cause bottlenecks. Even the underlying file system can slow file transfers. Tuning your system's disk I/O, interrupt priorities, network interfaces, and use of TCP are only a few approaches for improving transfer speeds. For additional ideas and a list of links to other system tuning information, browse to http://linuxperf.nl.linux.org/.


    Red Hat Fedora 4 Unleashed
    ISBN: 0672327929
    Year: 2006
    Pages: 361