9.2. Users Need to Download Files
Many people depend on exchanging files for collaboration and information sharing. If you're working with just a few people, it may be sufficient for you to send the files directly to those people in an email attachment. This is not a problem as long as the associated files and number of users are relatively small. But as demand grows, you'll need a different method to distribute downloads.
One efficient method for distributing downloads in a TCP/IP network is the File Transfer Protocol (FTP). The most secure (for FTP) configuration provides anonymous-only access and is run in a chroot jail, which keeps users on your FTP server and away from any non-FTP related directories on your system. One advantage of vsFTP is that it configures a chroot jail and anonymous access by default.
There are other excellent FTP servers. Those listed earlier in this chapter may meet your needs more closely than vsFTP. However, note that Red Hat, SUSE, and the Berkeley Standard Distribution (BSDa cousin of the Linux operating system) use it to share their operating system distributions quickly and securely.
9.2.1. Configuring vsFTP
You can download the vsFTP server from an installation CD or network source on Red Hat/Fedora, SUSE, and Debian distributions. In each case, the package name is vsftpd, and there are slight variations between distributions. The vsFTP configuration file, vsftpd.conf, can be found in your /etc or /etc/vsftpd directory, depending on your distribution.
220.127.116.11. Red Hat/Fedora
Red Hat/Fedora installs the basic vsFTP configuration files in a dedicated directory, /etc/vsftpd. It configures an individual vsftpd start script in the /etc/init.d directory. However, if you want to limit this vsFTP server to anonymous access, you'll need to disable this setting:
Otherwise, users can log in to their individual home directories through that FTP server. If you've provided FTP server access to outside networks, that can be a security breach. The breach can be worse unless you disable this setting, which allows users to write over files on your FTP directory:
If you want to provide reliable downloads for your users, you don't want to allow a cracker to overwrite downloads on your FTP server with the viruses of her choice.
A few advantages of the standard Red Hat/Fedora vsFTP configuration include support for limiting logins by username, for TCP Wrapper security in /etc/hosts.allow and /etc/hosts.deny, and for PAM modules. To enable these forms of security, include the following directives:
userlist_enable=YES tcp_wrappers=YES pam_service_name=vsftpd
Red Hat/Fedora configures a default ftp user in /etc/passwd. That user has a home directory in /var/ftp and a login shell that prevents logins, /sbin/nologin. (Other distributions may use a /bin/false login shell.) To activate and make sure vsFTP starts in the appropriate runlevels, use the following commands:
/etc/init.d/vsftpd start chkconfig vsftpd on
Now you can copy the files that you want others to download to the /var/ftp directory. I've even created a Red Hat/Fedora installation server by copying the files from the installation CDs to that directory.
Log in to this server yourself. Try to log in as a regular user, and check out the result. If you've disabled the local_enable directive, vsFTP will allow only anonymous access.
Once logged in, try the pwd command. While it looks as though you're in the top-level root (/) directory, you're actually in /var/ftp; vsFTP's native chroot jail prevents users from going up to your root (/) directory, limiting any potential damage.
SUSE configures vsFTP as an xinetd Super Server. Its operation and security is governed by the xinted daemon, using settings in /etc/xinetd.d/vsftpd.
If you want your SUSE vsFTP server to run as a typical standalone daemon, associated with a script in the /etc/init.d directory, set the following variable in /etc/vsftpd.conf:
If you set this variable, remember to configure an appropriate script in /etc/init.d, as well as consistent links from individual runlevel directories such as /etc/rc.d/rc3.d.
You can also configure TCP Wrappers security support in /etc/hosts.allow and /etc/hosts.deny with the following command in the vsFTP configuration file:
In the /etc/xinetd.d/vsftpd startup file, you'll need to activate the service and designate an appropriate account. The default version of the startup file includes:
which would lead to problems if a cracker could find a way to force the vsFTP server to let him log in. To support anonymous access, you'll need a dedicated account. For this purpose, the vsFTP service adds the following entry in /etc/passwd:
In other words, to configure vsFTP on SUSE, you need to do three things: change the user directive in /etc/xinetd.d/vsftpd from root to ftp, change the disable directive from no to yes, and restart the xinetd daemon with the /etc/init.d/xinetd restart command. To minimize the risk associated with this account, you should also make sure the login shell for this account in /etc/passwd is one that prevents logins (/sbin/nologin or /bin/false), as described earlier.
As with Red Hat/Fedora, Debian configures an individual vsftpd script in the /etc/init.d directory. It includes an /etc/vsftpd.conf configuration file that's already configured for secure, anonymous-only access. However, you'll need to create an ftp user and appropriate directory before your users can log in to Debian's vsFTP server.
The following commands create a Filesystem Hierarchy Standard (FHS)-compliant vsFTP directory with permissions that prevent all but the root user from writing to that directory.
mkdir /srv/ftp chown root.root /srv/ftp chmod 755 /srv/ftp
Next, you'll need to create an appropriate user, ftp, with /srv/ftp as its home directory. A standard shell (/bin/bash) enables users who log in to your vsFTP server to navigate through its directories:
useradd -d /srv/ftp -s /bin/bash ftp
Now you can fill /srv/ftp with the files that others need to download.
Activate vsFTP to start in the appropriate runlevels with the following commands:
/etc/init.d/vsftpd start update-rc.d -f vsftpd start 20 2 3 4 5 .
Now you can copy the files that you want others to download to the /srv/ftp directory. Log in to this server yourself, and try the pwd command. While it looks like you're in the top-level root (/) directory, you're actually in /srv/ftp, courtesy of vsFTP's native chroot jail.