Configuring the FTP Server

Configuring the FTP Server

CentOS Linux comes with the Very Secure FTP daemon (vsftpd), written by Chris Evans. The executable file for vsftpd is /usr/sbin/vsftpd, and it uses a number of configuration files in the /etc and /etc/vsftpd directories.

In previous versions of CentOS Linux, the vsftpd server was set up to run under xinetd-the Internet super server. This required editing a configuration file in /etc/xinetd.d directory to enable the vsftpd server. However, starting in Rocky Linux, the vsftpd server is configured to run stand-alone and there is an initialization script (or initscript)-/etc/init.d/vsftpd-to start and stop the server. As explained earlier in this chapter, you can start the server with the command: 

service vsftpd start

You can type the following command as root to turn vsftpd on so that it starts at system startup: 

chkconfig --level 35 vsftpd on

After you start the vsftpd server, the default settings should be adequate to begin using the server. However, you should learn about the configuration files in case you need to customize them.

Learning the vsftpd Configuration Files

The vsftpd server consults a number of configuration files located in the /etc directory. These directories control many aspects of the FTP server such as whether it runs standalone, who can download files, and whether to allow anonymous FTP.

Secret

The key configuration files for vsftpd are the following:

  • /etc/vsftpd/vsftpd.conf controls how the vsftpd server works (for example, should it allow anonymous logins, should it allow file uploads, should it run standalone, and so on).

  • /etc/vsftpd.ftpusers lists the names of users who cannot access the FTP server.

  • /etc/vsftpd.user_list lists the names of users who are denied access (not even prompted for password). However, if the userlist_deny option is set to NO in /etc/vsftpd/vsftpd.conf, then these users are allowed to access the FTP server.

You can usually leave most of these configuration files with their default settings. However, just in case you need to change something to make vsftpd suit your needs, the next few sections briefly explain the configuration files.

Understanding the /etc/vsftpd/vsftpd.conf File

To learn what you can have in the /etc/vsftpd/vsftpd.conf file and how these lines affect the vsftpd server's operation, start by looking at the /etc/vsftpd/vsftpd.conf file that's installed by default in CentOS Linux. The comments in this file tell you what each option does.

Insider Insight 

By default, vsftpd allows almost nothing. Through the options in /etc/vsftpd/ vsftpd.conf you can loosen the restrictions so that users can use FTP. It's up to you to decide how loose the settings should be. Note that most of the options are set to YES. That's because most of the default settings are NO. To reverse the intent of an option, just comment out that option by placing a # at the beginning of that line.

Here are the options you can set in /etc/vsftpd/vsftpd.conf:

  • anon_mkdir_write_enable=YES enables anonymous FTP users to create new directories. This is another risky option and you may want to set this to NO, even if you allow anonymous users to upload files.

  • anon_upload_enable=YES means anonymous FTP users can upload files. This option takes effect only if write_enable is already set to YES and the directory has write permissions for everyone. Remember that allowing anonymous users to write on your system can be very risky because someone could fill up the disk or use your disk for their personal storage.

  • anonymous_enable=YES enables anonymous FTP (so users can log in with the user name anonymous and provide their email address as password). Comment out this line if you do not want anonymous FTP.

  • ascii_download_enable=YES enables file downloads in ASCII mode. Unfortun-ately, a malicious remote user can issue the SIZE command with the name of a huge file and essentially cause the FTP server to waste huge amounts of resources opening that file and determining its size. This can be used by malicious users as a denial of service attack.

  • ascii_upload_enable=YES enables file uploads in ASCII mode (for text files).

  • async_abor_enable=YES causes vsftpd to recognize ABOR (abort) requests that arrive at any time. You may need to enable it to allow older FTP clients to work with vsftpd.

  • banned_email_file=/etc/vsftpd.banned_emails specifies the file with the list of banned email addresses (used only if deny_email_enable is set to YES).

  • chown_uploads=YES causes uploaded anonymous files to be owned by a different user specified by the chown_username option. Don't enable this, unless absolutely necessary and don't make the chown_username be root.

  • chown_username=name specifies the user name that would own files uploaded by anonymous FTP users.

  • chroot_list_enable=YES causes vsftpd to confine all users except those on a list specified by the chroot_list_file to their home directories when they log in for FTP service. This prevents these users from getting to any other files besides what's in their home directories.

  • chroot_list_file=/etc/vsftpd.chroot_list is the list of users who are either confined to their home directories or not, depending on the setting of chroot_local_user.

  • connect_from_port_20=YES causes vsftpd to make sure that data transfers occur through port 20 (the FTP data port).

  • data_connection_timeout=120 is the time in seconds after which an inactive data connection is timed out.

  • deny_email_enable=YES causes vsftpd to check a list of banned email addresses and denies access to anyone who tries to log in anonymously with a banned email address as password.

  • dirmessage_enable=YES causes vsftpd to display messages when FTP users change to certain directories.

  • ftpd_banner=Welcome to my FTP service. sets the banner that vsftpd displays when a user logs in. You can change the message to anything you want.

  • idle_session_timeout=600 is the time (in seconds) after which an idle session (refers to the situation where someone connects and does not do anything) times out and vsftpd logs the user out.

  • listen=YES causes vsftpd to listen for connection requests and, consequently, run in standalone mode. Set this to NO if you want to run vsftpd under xinetd.

  • local_enable=YES causes vsftpd to grant local users access to FTP.

  • local_umask=022 means whatever files FTP writes will have a permission of 644 (read access for everyone, but write access for owner only). You can set it to any file permission mask setting you want. For example, if you want no permissions anyone but the owner, change this to 077.

  • ls_recurse_enable=YES enables FTP users to recursively traverse directories using the ls -R command.

  • nopriv_user=ftp identifies a unprivileged user that the FTP server can use.

  • pam_service_name=vsftpd is the name of the Pluggable Authentication Module (PAM) configuration file that is used when vsftpd needs to authenticate a user. By default the PAM configuration files are in /etc/pam.d directory. That means vsftpd's PAM configuration file is /etc/pam.d/vsftpd.

  • userlist_deny=YES causes vsftpd to deny access to the users listed in the /etc/vsftpd.user_list file. These users are not even prompted for a password.

  • write_enable=YES causes vsftpd to allow file uploads to the host.

  • xferlog_enable=YES turns on the logging of file downloads and uploads (always a good idea, but takes disk space).

  • xferlog_file=/var/log/vsftpd.log specifies the full pathname of the vsftpd log file. The default is /var/log/vsftpd.log.

  • xferlog_std_format=YES causes vsftpd to generate log files in a standard format used by other FTP daemons.

Understanding the /etc/vsftpd.ftpusers File

The vsftpd server uses the Pluggable Authentication Module (PAM) to authenticate users when they try to log in (just as the normal login process uses PAM to do the job). The PAM configuration file for vsftpd is /etc/pam.d/vsftpd. That PAM configuration file refers to /etc/vsftpd.ftpusers like this: 

auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed

This basically says that anyone listed in the /etc/vsftpd.ftpusers should be denied login. The default /etc/vsftpd.ftpusers file contains the following list of users: 

root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

If you want to deny FTP access to any other user names, simply add those names to the /etc/vsftpd.ftpusers file.

Understanding the /etc/vsftpd.user_list File

If the userlist_deny option is set to YES, vsftpd does not allow users listed in the /etc/vsftpd.user_list file any access to FTP services. It does not even prompt them for a password. However, if userlist_deny is set to NO, the meaning is reversed and these users are the only ones allowed access (but the PAM configuration still denies anyone on the /etc/vsftpd.ftpusers list).