The vsftpd server, although not as popular as Wu-FTPd, is used by Red Hat, Inc. for its FTP server operations. (The vsftpd server home page is located at http://vsftpd.beasts.org/.) The server offers simplicity, security, and speed, and it is used by a number of sites, such as ftp.debian.org, ftp.gnu.org, rpmfind.net, and ftp.gimp.org. Note that despite its name, the Very Secure FTP server does not encrypt usernames or passwords.

Its main configuration file is vsftpd.conf, which resides under the /etc/vsftpd directory. The server has a number of features and default policies, but these can be overridden by changing the installed configuration file. By default, anonymous logins are enabled, but anonymous users are not allowed to upload files, create new directories, or delete or rename files. The configuration file installed by Fedora allows local users (that is, users with a login and shell account) to log in and then access their home directories. This configuration presents a security risk because usernames and passwords are passed over the network without encryption. The best policy is to deny your users access to the server from their user accounts; the vsftpd default configuration (as opposed to the file Fedora installs) disables local user logins.

Controlling Anonymous Access

Toggling anonymous access features for your FTP server is done by editing the vsftpd.conf file and changing the related entries to YES or NO. Settings that control how the server works for anonymous logins include
After making any changes to your server configuration file, make sure to restart the server; this forces vsftpd to reread its settings.

Other vsftpd Server Configuration Files

You can edit vsftpd.conf to enable, disable, and configure many features and settings of the vsftpd server, such as user access, filtering of bogus passwords, and access logging. Some features might require the creation and configuration of other files, such as
Default vsftpd Behaviors

The contents of a file named .message (if it exists in the current directory) are displayed when a user enters the directory. This feature is enabled in the configuration file installed by Fedora, but it is disabled by default in the daemon itself. FTP users are also not allowed to perform recursive directory listings, which helps reduce bandwidth use. The PASV data connection method is enabled to let external users know the IP address of the FTP server. Passive mode addresses a common problem when using FTP from behind a firewall or gateway that uses IP masquerading, or when incoming data connections are blocked. For example, here is a connection to an FTP server (running ProFTPD), an attempt to view a directory listing, and the resulting need to use ftp's internal passive command:

$ ftp ftp.tux.org
Connected to gwyn.tux.org.
220 ProFTPD 1.2.5rc1 Server (ProFTPD on ftp.tux.org) [gwyn.tux.org]
500 AUTH not understood.
KERBEROS_V4 rejected as an authentication type
Name (ftp.tux.org:gbush): gbush
331 Password required for gbush.
Password:
230 User gbush logged in.
Remote system type is Unix.
Using binary mode to transfer files.
ftp> cd public_html
250 CWD command successful.
ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use
ftp>
ftp> pass
Passive mode on.
ftp> ls
227 Entering Passive Mode (204,86,112,12,187,89).
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 gbush    gbush        8470 Jan 10  2000 LinuxUnleashed.gif
-rw-r--r--   1 gbush    gbush        4407 Oct  4  2001 RHU72ed.gif
-rw-r--r--   1 gbush    gbush        6732 May 18  2000 SuSEUnleashed.jpg
-rw-r--r--   1 gbush    gbush        6175 Jan 10  2000 TYSUSE.gif
-rw-r--r--   1 gbush    gbush        3135 Jan 10  2000 TZones.gif
...

NOTE

Browse to http://slacksite.com/other/ftp.html for a detailed discussion of active and passive FTP modes and the effect of firewall blocking of service ports on FTP server and client connections.
Other default settings are that specific user login controls are not set, but you can configure the controls to deny access to one or more users. The data transfer rate for anonymous client access is unlimited, but a maximum rate (in bytes per second) can be set using the anon_max_rate setting in vsftpd.conf. This can be useful for throttling bandwidth use during periods of heavy access. Another default is that remote clients are logged out after five minutes of idle time or of a stalled data transfer. You can set the idle timeout and the data transfer (stalled connection) timeout separately. Other settings that might be important for managing your system's resources (network bandwidth or memory) when offering FTP access include
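The access policy described in the preceding sections (anonymous logins allowed but read-only, local account logins denied, anonymous transfers throttled, timeouts tuned) can be checked mechanically before the server is restarted. The following Python script is an added example written for this section; it is not part of the book or of the vsftpd project. It parses a vsftpd.conf-style file and reports which of those policy points are violated. The option names anonymous_enable, local_enable, write_enable, anon_upload_enable, anon_mkdir_write_enable, anon_other_write_enable, anon_max_rate, idle_session_timeout, and data_connection_timeout are real vsftpd options; the compiled-in defaults filled in for options the file omits are taken from vsftpd's documentation and are an assumption of this example, as are the two sample configurations, which are constructed here and are not Fedora's shipped file.

```python
"""Audit a vsftpd.conf against the access policy described in the text.

Added example; the defaults below are assumed from vsftpd's documented
compiled-in defaults and should be re-checked against your vsftpd version.
"""

# Compiled-in defaults for the options this audit reads (assumption).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_max_rate": "0",           # bytes/second; 0 means unlimited
    "idle_session_timeout": "300",  # seconds (the five minutes in the text)
    "data_connection_timeout": "300",
}

ANON_WRITE_OPTIONS = (
    "anon_upload_enable",       # uploads
    "anon_mkdir_write_enable",  # new directories
    "anon_other_write_enable",  # delete and rename
)


def parse_vsftpd_conf(text):
    """Return {option: value} for 'option=value' lines.

    Blank lines and '#' comments are skipped; a later duplicate overrides an
    earlier one. vsftpd itself requires no spaces around '='; this parser is
    lenient and strips them so hand-edited files still audit cleanly.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def setting(conf, option):
    """Effective value of an option: the file's value or the assumed default."""
    return conf.get(option, DEFAULTS[option])


def is_yes(value):
    """vsftpd boolean options are YES/NO (case-insensitive); TRUE/1 also count."""
    return value.strip().upper() in ("YES", "TRUE", "1")


def audit_vsftpd(text):
    """Return a list of policy findings, empty when the file follows the text's advice."""
    conf = parse_vsftpd_conf(text)
    findings = []
    # Local shell accounts logging in means cleartext usernames/passwords on the wire.
    if is_yes(setting(conf, "local_enable")):
        findings.append("LOCAL_LOGIN")
    anon = is_yes(setting(conf, "anonymous_enable"))
    # Anonymous writes need write_enable plus at least one anon_*_write option.
    if anon and is_yes(setting(conf, "write_enable")) and any(
            is_yes(setting(conf, opt)) for opt in ANON_WRITE_OPTIONS):
        findings.append("ANON_WRITE")
    # Unlimited anonymous transfer rate leaves bandwidth unthrottled.
    if anon and int(setting(conf, "anon_max_rate")) == 0:
        findings.append("ANON_UNTHROTTLED")
    return findings


def effective_limits(text):
    """Return (anon_max_rate, idle_session_timeout, data_connection_timeout) as ints."""
    conf = parse_vsftpd_conf(text)
    return tuple(int(setting(conf, opt)) for opt in
                 ("anon_max_rate", "idle_session_timeout", "data_connection_timeout"))


# Constructed sample: allows local logins and anonymous uploads (risky).
RISKY_CONF = """
# constructed sample, not a shipped vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

# Constructed sample: read-only anonymous access, throttled, shorter timeouts.
HARDENED_CONF = """
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_max_rate=51200
idle_session_timeout=120
data_connection_timeout=120
"""

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(conf) or "OK", effective_limits(conf))
```

To audit the installed file, read /etc/vsftpd/vsftpd.conf into a string and pass it to audit_vsftpd; an empty result means the file matches the policy in the text, and effective_limits shows the rate and timeout values the daemon will actually use, including any defaults the file leaves unset.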
TIP

A number of techniques, such as adjusting TCP socket buffers based on bandwidth characteristics, have been researched in an effort to speed up FTP file transfers. Many factors can slow FTP server performance: disk I/O, system resources such as RAM, and network speeds are just some of them. Directories containing large numbers of files can cause bottlenecks. Even the underlying file system can slow file transfers. Tuning your system's disk I/O, interrupt priorities, network interfaces, and use of TCP are only a few approaches to improving transfer speeds. For additional ideas and a list of links to other system tuning information, browse to http://linuxperf.nl.linux.org/.