Using the Very Secure FTP Server


The Very Secure FTP Server (vsFTPd) is the only general-purpose FTP server software included in Fedora and RHEL distributions. vsFTPd is becoming the FTP server of choice for sites that need to support thousands of concurrent downloads. It was also designed to secure your systems against most common attacks.

Note 

The Trivial File Transfer Protocol server (tftp-server package), which is distributed with Fedora and RHEL systems, provides a much simpler file transfer service (TFTP is a separate protocol, not FTP, and has no authentication at all). The tftpd daemon is used primarily to provide support for diskless devices, which gather the files they need to boot and run from a TFTP server. TFTP is not intended for general, public FTP service. Because TFTP is considered a security risk to use publicly, it is generally only used on private LANs that are not accessible to public networks.

Red Hat, Inc. itself uses vsFTPd on its own FTP servers ( ftp.redhat.com ). Other organizations in the Linux/GNU world have also made the switch to vsFTPd, including Debian Linux ( ftp.debian.org ) and the GNU Project ( ftp.gnu.org ).

Besides security and scalability, vsFTPd was designed for simplicity. Therefore, fewer options exist for configuring vsFTPd than you find in WU-FTPD, an older FTP server package that is still commonly used, so you are expected to rely on standard Linux file and directory permissions to provide refined access to your server. Getting started with vsFTPd, or using it to replace WU-FTPD, is fairly straightforward.

Note 

Although vsFTPd is the only full-blown FTP server software in Fedora and RHEL, the WU-FTPD FTP server software, which was once part of Red Hat Linux, is still available on the Web. However, WU-FTPD is considered by most to be far less secure than vsFTPd and should, therefore, not be used in most cases.

Quick-Starting vsFTPd

By enabling the vsFTPd service, you can almost instantly have an FTP service running with the default values (set in the /etc/vsftpd/vsftpd.conf file). The following is a quick procedure for getting your vsFTPd server up and running. In case you didn't install vsFTPd when you originally installed Fedora, install it now by typing:

 # yum install vsftpd

  1. To use the vsFTPd server, you must make sure that the vsFTPd software package is installed:

     # rpm -q vsftpd

  2. Enable the vsFTPd server so that it starts at boot by typing the following line (as root user):

     # chkconfig vsftpd on

  3. Start the vsFTPd server as follows:

     # service vsftpd start

  4. Try to log in to the FTP server as anonymous (using any e-mail address as the password):

     $ ftp localhost
     Connected to yourhost
     220 (vsFTPd 2.0.3)
     530 Please login with USER and PASS
     Name (localhost:chris): anonymous
     331 Please specify the password.
     Password: ******
     230 Login successful.
     Remote system type is UNIX.
     Using binary mode to transfer files.
     ftp>

If you saw messages similar to the preceding, your vsFTPd server is now up and running. Next, try to access the server from another computer on the network to be sure that it is accessible.

Note 

If your FTP server is not accessible to the outside world, you may need to ensure that your network is configured properly and that your firewall allows access to port 21 for the control connection. Active-mode data transfers originate from the server's port 20, and passive-mode transfers use a high port chosen by the server, so a packet filter also needs either the FTP connection-tracking module or an explicitly opened passive port range (see "Setting Up vsFTPd Behind a Firewall" later in this chapter). The quick way is to run system-config-securitylevel and add FTP as a trusted service. Refer to Appendix B for information on getting your network services working.

The next section explains the /etc/vsftpd/vsftpd.conf configuration file.

Configuring vsFTPd

Most of the configuration of vsFTPd is done in the /etc/vsftpd/vsftpd.conf file. Although many values are not set explicitly in vsftpd.conf , you can override the defaults by setting option = value statements in this file. You can set such things as which users have access to your vsFTPd server, how logging is done, and how timeouts are set.

Read the following sections for more information about how vsFTPd is configured by default and how you can further configure your vsFTPd server.

User Accounts

Users who can access your vsFTPd server are, by default, the anonymous user and any users with real-user accounts on your system. (A guest user is simply a real user account that is restricted to its own home directory.) The following lines set these user access features:

 anonymous_enable=YES
 local_enable=YES

The anonymous_enable line lets users log in anonymously using either the anonymous or ftp user name. If you want to disable access by anonymous users, don't just comment out anonymous_enable . Anonymous access is on by default, so you must set anonymous_enable=NO to disable it.

Any users with local accounts (in /etc/passwd ) can log into the FTP server with local_enable set to YES . An exception to this rule is that, by default, all user accounts listed in the /etc/vsftpd/user_list file are denied access.

Note 

Before you start logging into an FTP server with your personal user name and password, keep in mind that FTP sends passwords in clear text, so anyone running a network sniffer between you and the server can read them. If you want an FTP-style interface to files on a server using your personal account, consider using the sftp command instead of a normal FTP client. If the server also runs an SSH server, sftp connects to it over an encrypted channel, so neither the password nor the file contents cross the network in the clear.

Check the user_list file to see which users are denied access to the vsFTPd server. Note that root and other administrative logins are in that list, so they are denied access. You can add other users to this list or change the location of the list by setting the userlist_file parameter to the file you want. For the user_list (or a list you name with userlist_file) to be consulted at all, userlist_enable must be set to YES (as it is by default). For example:

 userlist_file=/etc/vsftpd/user_list_local
 userlist_enable=YES

If you like, you can change the meaning of the /etc/vsftpd/user_list file so that only the users in that list are allowed to use the vsFTPd service. Set userlist_deny=NO and change the /etc/vsftpd/user_list to include only names of users to whom you want to grant access to the server. All other users, including anonymous and ftp, will be denied access unless you add those names to the list as well, because the check is made against the user name the client sends.

Setting FTP Access

The vsFTPd server software provides a simple and deliberately conservative approach to access permissions. Instead of using settings in the FTP service to selectively prevent downloads and uploads of particular directories (as FTP servers such as WU-FTPD do), you use standard Linux file and directory permissions to limit access. There are, however, the following general settings in the /etc/vsftpd/vsftpd.conf file that let users get files from and put files onto your vsFTPd server.

Downloading Files

Any users with valid logins (anonymous or real users, excluding some administrative logins) can download files from the vsFTPd server by default. The ability to download a particular file or a file from a particular directory is governed by the following basic Linux features:

  • File and directory permissions - Standard file and directory permissions apply as a means of limiting access to particular files, even in accessible file systems. So, if the root user puts a file with 600 permission (read/write to root only) in the /var/ftp directory, an anonymous user is not able to download that file.

  • Root directory - The root directory (chroot) for anonymous users is /var/ftp . The root directory for regular users is the entire computer's root directory ( / ), although their current directory after connecting to FTP is /home/user , where user is the user name. So an anonymous user is restricted to downloads from the /var/ftp directory structure, while a regular user potentially has access to the whole file system (subject only to file permissions). Another possibility is to create guest accounts by restricting some or all users to their home directories.

You can use the chroot_local_user option to change the root directory for regular users so that they are restricted to their home directory. To restrict all regular users to their home directory when using vsFTPd, add this line to the vsftpd.conf file:

 chroot_local_user=YES

To enable the concept of guest users, you can choose to limit only selected users to their home directories. You do this by setting chroot_list_enable to YES , and then adding a list of guest users to a file noted with the chroot_list_file option. The following example lets you add such a list (one user name per line) to the /etc/vsftpd/vsftpd.chroot_list file:

 chroot_list_enable=YES
 chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
Tip 

To restrict a user to FTP access only, set the user's shell to /sbin/nologin in the /etc/passwd file. Do this by running the system-config-users command or usermod command and changing properties for the user, as described in Chapter 11. Make sure /sbin/nologin is listed in /etc/shells (it is on Fedora by default): the vsFTPd PAM configuration uses pam_shells, which rejects logins for users whose shell is not in that file.

You can add a setting to the vsftpd.conf file to affect how files are downloaded. To enable ASCII downloads, you can enable that feature as follows:

 ascii_download_enable=YES 

Without making that change, all downloads are done in binary mode. Although vsFTPd will seem to allow the user to change to ASCII mode, ASCII mode will not actually mangle line endings while this setting is NO. ASCII support is a known source of trouble in FTP servers: on some servers, asking for the SIZE of a large file in ASCII mode forces a full read of the file and so allows a denial-of-service attack. vsFTPd's own configuration comments note that it reports the raw file size and is not affected by that particular attack, but ASCII mangling is still best left off unless you have a specific need for it.

Uploading (Writing) Files from Local Users

Two values set in the vsftpd.conf file allow the uploading of files during a vsFTPd session. The following defaults allow any users with regular, local user accounts to upload files:

 write_enable=YES
 local_umask=022

The write_enable value must be YES if you intend to allow any users the capability to write to the FTP server. The local_umask=022 value sets the default file permission used when a local user creates a file on the server. (The 022 value causes files created to have 644 permission, allowing the user read and write permission and everyone else only read permission.)

As with downloading, uploading in ASCII mode is off by default. Although ASCII downloads create a potential opening for draining resources from a server, ASCII uploads are not as dangerous and can be useful for uploading text files. To allow ASCII uploads, add the following line:

 ascii_upload_enable=YES 
Uploading (Writing) Files from Anonymous Users

The ability to upload files is turned off for anonymous FTP users. If you want to turn it on, add the following line to the vsftpd.conf file:

 anon_upload_enable=YES 

To use anonymous upload, the global write_enable must also be YES. You must also make sure that the /var/ftp directory contains one or more subdirectories with write permission open to anonymous users. For example, you might create an incoming directory and open its permissions ( chmod 777 /var/ftp/incoming ). Do not make /var/ftp itself writable: vsFTPd refuses to run with a writable anonymous root. If you want a drop box that uploaders cannot browse (so one anonymous user cannot download what another left there), use 733 rather than 777 on the incoming directory, which allows creating files but not listing them.

Files uploaded by anonymous users will be created with 600 permission by default (read/write permission for the ftp user, not accessible to any other users so that even the user who uploaded the files can't remove them). To allow 644 permission, for example, you can add the following line:

 anon_umask=022 

When you allow the anonymous user to upload files, you can grant limited ability to change the files he or she uploads. By adding the following line, you can allow anonymous users to rename or delete any files owned by anonymous users (provided that the files are in directories for which the users have write permission):

 anon_other_write_enable=YES 

If you also want to allow anonymous users to create their own directories, add the following:

 anon_mkdir_write_enable=YES 

By default, the ftp user is given ownership of uploaded files from anonymous users. If you want to indicate that anonymous uploads be owned by a different user (of your choice), you can use the chown_uploads and chown_username options. For example, if you have a user account named mynewuser , you can set these options as follows:

 chown_uploads=YES
 chown_username=mynewuser

Of course, you can create and use any user name you want. However, for security reasons you should not use the root login or any other administrative login for this purpose.
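The user-account, download and upload settings above interact, and a mistake in one of them (anonymous uploads left on, local users not chrooted, ASCII mangling enabled) is easy to miss in a long vsftpd.conf. The following shell script is an added example, not code from the book or from the vsFTPd project: it reads a vsftpd.conf, applies a fallback default for each option that is not set, and prints one FINDING line per risky combination discussed in this chapter. The option names are real vsFTPd options; the fallback defaults passed to vsftpd_get are assumed to be the compiled-in values for vsFTPd 2.0.x, so check them against the vsftpd.conf man page for your version. The two sample configurations at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book or the vsFTPd project): audit a vsftpd.conf
# for the access settings discussed in this chapter. Fallback defaults are
# assumed compiled-in values for vsFTPd 2.0.x.

# vsftpd_get CONF OPTION DEFAULT: print the effective value of OPTION.
# Lines look like "option=value"; "#" lines are comments; the last setting wins.
vsftpd_get() {
    _val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    printf '%s\n' "${_val:-$3}"
}

# vsftpd_bool VALUE: normalize YES/yes/true/1 to YES, anything else to NO.
vsftpd_bool() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# vsftpd_audit CONF: print one "FINDING:" line per risky combination.
vsftpd_audit() {
    conf=$1
    anon=$(vsftpd_bool "$(vsftpd_get "$conf" anonymous_enable YES)")
    local_en=$(vsftpd_bool "$(vsftpd_get "$conf" local_enable NO)")
    write=$(vsftpd_bool "$(vsftpd_get "$conf" write_enable NO)")
    anon_up=$(vsftpd_bool "$(vsftpd_get "$conf" anon_upload_enable NO)")
    anon_other=$(vsftpd_bool "$(vsftpd_get "$conf" anon_other_write_enable NO)")
    chroot_all=$(vsftpd_bool "$(vsftpd_get "$conf" chroot_local_user NO)")
    chroot_list=$(vsftpd_bool "$(vsftpd_get "$conf" chroot_list_enable NO)")
    ascii_dl=$(vsftpd_bool "$(vsftpd_get "$conf" ascii_download_enable NO)")
    xferlog=$(vsftpd_bool "$(vsftpd_get "$conf" xferlog_enable NO)")
    banner=$(vsftpd_get "$conf" ftpd_banner "")

    if [ "$anon" = YES ] && [ "$write" = YES ] && [ "$anon_up" = YES ]; then
        echo "FINDING: anonymous uploads are on (anonymous_enable, write_enable and anon_upload_enable all YES); only an incoming directory should be writable"
    fi
    if [ "$anon" = YES ] && [ "$anon_other" = YES ]; then
        echo "FINDING: anon_other_write_enable=YES lets anonymous users rename and delete each other's uploads"
    fi
    if [ "$local_en" = YES ] && [ "$chroot_all" = NO ] && [ "$chroot_list" = NO ]; then
        echo "FINDING: local users are not chrooted; set chroot_local_user=YES or use a chroot_list_file"
    fi
    if [ "$ascii_dl" = YES ]; then
        echo "FINDING: ascii_download_enable=YES; ASCII mangling is best left off"
    fi
    if [ "$xferlog" = NO ]; then
        echo "FINDING: xferlog_enable=NO; transfers will not be logged"
    fi
    if [ -z "$banner" ]; then
        echo "FINDING: ftpd_banner is unset, so the greeting reveals the vsFTPd version"
    fi
}

# vsftpd_finding_count CONF: print the number of findings (0 when clean).
vsftpd_finding_count() {
    vsftpd_audit "$1" | grep -c '^FINDING:' || true
}

# Constructed sample configurations for trying the audit offline.
vsftpd_sample_conf() {       # loosely mirrors the settings shown in this chapter
    cat >"$1" <<'EOF'
# constructed example vsftpd.conf (not a real site configuration)
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_other_write_enable=YES
ascii_download_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
#chroot_local_user=YES
EOF
}

vsftpd_hardened_conf() {     # the same server with the risky settings corrected
    cat >"$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
write_enable=YES
local_umask=022
ascii_download_enable=NO
xferlog_enable=YES
ftpd_banner=FTP service ready.
EOF
}

# Usage: sh vsftpd-audit.sh --demo   (or source the file and call vsftpd_audit /etc/vsftpd/vsftpd.conf)
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); vsftpd_sample_conf "$f"; vsftpd_audit "$f"; rm -f "$f"
fi
```

Run against the constructed sample, the audit reports five findings (anonymous uploads, anonymous rename/delete, local users not chrooted, ASCII downloads, no banner); against the hardened sample it reports none. Because vsftpd_get falls back to a default when an option is absent, the script flags problems that come from what the file does not say, such as chroot_local_user being left commented out, which a simple grep would miss.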

Adding Message Files

Although vsFTPd doesn't support the arrangement of README and welcome files that FTP servers such as WU-FTPD support, you can add .message files to any accessible directory on your vsFTPd server. Then, if you use the default dirmessage_enable option as follows, the text from the .message file will be displayed when the user enters the directory:

 dirmessage_enable=YES 

You will probably at least want to add a .message file to the root directory of the FTP server for anonymous users. By default, that location is /var/ftp/.message . If you want to use files other than .message files, you can set the message_file option. For example, to have text from the .mymessage file displayed when you enter a directory, you can add the following line:

 message_file=.mymessage 

You can also set a one-line message to appear before the login prompt. You can do this by entering the following line, replacing the text with anything you want to say:

 ftpd_banner=Welcome to My FTP service. 

Setting a banner is also a small security measure, because the default greeting (220 (vsFTPd 2.0.3) in the quick-start session earlier) tells every client exactly which server version is running. Replacing it with a neutral message removes that hint. Some administrators go further and advertise a different operating system or server; treat that as a minor speed bump at most, since a determined intruder can identify the software from its behavior, and never rely on it in place of keeping the server patched.

Logging vsFTPd Activities

Logging is enabled in vsFTPd by default, and the activities of your vsFTPd site are written to the /var/log/xferlog file. The following options enable logging and change the log file to /var/log/vsftpd.log :

 xferlog_enable=YES
 xferlog_file=/var/log/vsftpd.log

You can turn off logging if you like by changing YES to NO . (Note, however, that logging enables you to watch for potential break-ins, so turning it off is not recommended.) Or you can change the location of the log file by changing the value of the xferlog_file option.

If you want to be able to use tools that generate transfer statistics, you can have vsFTPd log data written in the standard xferlog format that is used by WU-FTPD and other FTP servers. To store your transfer data in xferlog format, set the following option:

 xferlog_std_format=YES 
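Once transfers are being written in the standard xferlog format, the log is worth more than statistics: it is where you notice anonymous uploads you did not expect, ASCII transfers when you thought ASCII was off, and transfers that never completed. The following shell script is an added example, not code from the book or from the vsFTPd project. It assumes the standard xferlog layout (five date fields, transfer time, remote host, size, filename, transfer type, special-action flag, direction, access mode, user name, service name, authentication method, authenticated user ID and completion status) and file names without spaces; the sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book or the vsFTPd project): summarize a log
# written with xferlog_std_format=YES. Assumes the standard 18-field xferlog
# layout and file names without spaces.

# xferlog_report LOG: print key=value counters for the whole log.
# Field map: $10 transfer type (a/b), $12 direction (i=upload, o=download),
# $13 access mode (a=anonymous, r=real user), $18 completion (c/i).
xferlog_report() {
    awk '
    NF < 18                  { malformed++; next }
    $12 == "i" && $13 == "a" { anon_up++; anon_bytes += $8 }
    $12 == "o" && $13 == "r" { local_dl++ }
    $10 == "a"               { ascii++ }
    $18 != "c"               { incomplete++ }
    END {
        printf "anonymous_uploads=%d\n", anon_up
        printf "anonymous_upload_bytes=%d\n", anon_bytes
        printf "local_user_downloads=%d\n", local_dl
        printf "ascii_transfers=%d\n", ascii
        printf "incomplete_transfers=%d\n", incomplete
        printf "malformed_lines=%d\n", malformed
    }' "$1"
}

# xferlog_stat LOG KEY: print a single counter from xferlog_report.
xferlog_stat() {
    xferlog_report "$1" | sed -n "s/^$2=//p"
}

# xferlog_anon_uploads LOG: list "host size filename" for every anonymous upload,
# the lines an administrator of an incoming directory should read every day.
xferlog_anon_uploads() {
    awk 'NF >= 18 && $12 == "i" && $13 == "a" { print $7, $8, $9 }' "$1"
}

# xferlog_sample PATH: write constructed sample lines (not a real log).
xferlog_sample() {
    cat >"$1" <<'EOF'
Thu Oct 26 10:35:42 2006 1 192.168.0.5 1024 /var/ftp/pub/README b _ o a anonymous@example.com ftp 0 * c
Thu Oct 26 10:36:10 2006 3 192.168.0.5 524288 /var/ftp/incoming/tools.tgz b _ i a anonymous@example.com ftp 0 * c
Thu Oct 26 10:37:01 2006 1 192.168.0.9 2048 /var/ftp/incoming/notes.txt a _ i a mozilla@ ftp 0 * c
Thu Oct 26 10:40:15 2006 12 10.0.0.7 8388608 /home/chris/backup.tar b _ o r chris ftp 0 * i
Thu Oct 26 10:41:03 2006 1 10.0.0.7 4096 /home/chris/todo.txt a _ i r chris ftp 0 * c
Thu Oct 26 10:42:00 2006 corrupt
EOF
}

# Usage: sh xferlog-report.sh --demo   (or call xferlog_report /var/log/xferlog)
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); xferlog_sample "$f"; xferlog_report "$f"; xferlog_anon_uploads "$f"; rm -f "$f"
fi
```

On the constructed sample the report shows two anonymous uploads totalling 526336 bytes, one download by a real user, two ASCII transfers, one incomplete transfer and one malformed line. Counting malformed lines separately matters: a truncated or hand-edited log line should show up as a parsing problem rather than silently vanish from the totals.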

Setting Timeouts

The following timeouts are set by default in vsFTPd (these values are built in, so you don't have to make any changes to the /etc/vsftpd/vsftpd.conf file for them to take effect):

 accept_timeout=60
 connect_timeout=60
 idle_session_timeout=600
 data_connection_timeout=120

The accept_timeout=60 and connect_timeout=60 values determine how long the client has to establish a PASV-style data connection or to respond to a PORT-style data connection, respectively, before the connection times out. Both default to 60 seconds. (These two lines are not included in the configuration file; add them by hand if you want to change their values.) The idle_session_timeout option causes the FTP session to be dropped if the user has been inactive for the given number of seconds, and the data_connection_timeout value sets how long the server waits, with no progress on a transfer, before dropping the data connection. The 600 and 120 values shown above are the ones the Fedora vsftpd.conf suggests for these two options, but they appear there as commented-out lines; while they stay commented out, vsFTPd uses its compiled-in default of 300 seconds for both, so uncomment them if you want the 10-minute and 2-minute values to take effect.

Navigating a vsFTPd Site

Most shell wildcard characters that a user might expect to use, such as question marks and brackets, are supported by vsFTPd. There is one particularly useful wildcard character you can use with the ls command, and one option you can turn on. The asterisk ( * ) wildcard can be used with the ls command. Multiple asterisks in the same line are supported. You can add support for the -R option of ls so that a user can recursively list the contents of the current directory and all subdirectories. To turn on this feature, which is off by default, you can add the following line to the vsftpd.conf file:

 ls_recurse_enable=YES 

Setting Up vsFTPd Behind a Firewall

If you are configuring an FTP server behind a firewall, you need to do some special configuration to allow communications to pass through that firewall to those you want to allow access to your server. The problem is that FTP data transfers do not use a fixed port: in passive mode the server picks an ephemeral port (a random, temporary port number) for each transfer, which a firewall cannot predict. vsFTPd lets you restrict the passive-mode ports it hands out to a fixed range with the pasv_min_port and pasv_max_port options, so that only that range (plus port 21 for the control connection) needs to be opened on the firewall. For a description of the issue, refer to the FTP and Your Firewall page at www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html .
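A concrete way to pin the passive range and open exactly that range, as an added example (not from the book or the vsFTPd project): the script below validates a candidate port range, then prints the vsftpd.conf lines and the matching iptables rules rather than applying them, so they can be reviewed before being run as root. pasv_enable, pasv_min_port, pasv_max_port and pasv_address are real vsFTPd options; the 30000-30100 range, the 203.0.113.10 public address and the use of the plain INPUT chain are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the book or the vsFTPd project): pin vsFTPd's
# passive-mode data ports to a fixed range and print the matching
# configuration and iptables rules. Range and addresses below are assumptions.

# vsftpd_pasv_check MIN MAX: validate a passive port range.
# Returns 0 if usable, 1 otherwise (reason on stderr).
vsftpd_pasv_check() {
    for p in "$1" "$2"; do
        case "$p" in ''|*[!0-9]*) echo "ports must be numeric" >&2; return 1 ;; esac
    done
    if [ "$1" -lt 1024 ] || [ "$2" -gt 65535 ]; then
        echo "range must lie within 1024-65535" >&2; return 1
    fi
    if [ "$1" -ge "$2" ]; then
        echo "min port must be below max port" >&2; return 1
    fi
    return 0
}

# vsftpd_pasv_conf MIN MAX [ADDRESS]: print the vsftpd.conf lines.
# ADDRESS is the public IP to advertise in PASV replies when the server
# sits behind NAT (assumed usage of pasv_address).
vsftpd_pasv_conf() {
    vsftpd_pasv_check "$1" "$2" || return 1
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
    if [ -n "${3:-}" ]; then
        printf 'pasv_address=%s\n' "$3"
    fi
    return 0
}

# vsftpd_pasv_iptables MIN MAX: print iptables rules that admit the control
# connection on port 21 and the passive data range. Printed, not applied.
vsftpd_pasv_iptables() {
    vsftpd_pasv_check "$1" "$2" || return 1
    cat <<EOF
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport $1:$2 -j ACCEPT
EOF
}

# Usage: sh vsftpd-pasv.sh --demo
if [ "${1:-}" = "--demo" ]; then
    vsftpd_pasv_conf 30000 30100 203.0.113.10 && vsftpd_pasv_iptables 30000 30100
fi
```

Keep the range small: 101 ports is plenty for a server that handles a few dozen simultaneous transfers, and every extra open port is one more thing to explain in a firewall review. The alternative to opening a range is loading the FTP connection-tracking helper (ip_conntrack_ftp on kernels of this era, nf_conntrack_ftp on later ones) and accepting RELATED connections, which lets the firewall follow the PASV replies itself; the fixed range works even where that helper is unavailable, such as on a separate firewall appliance.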

Fedora 6 and Red Hat Enterprise Linux Bible
ISBN: 047008278X
Year: 2007
Pages: 279