FTP Server (vsftpd)
This section discusses the vsftpd server as supplied by Red Hat.

Prerequisites

Install the following package:

    vsftpd

Run chkconfig to cause vsftpd to start when the system enters multiuser mode:

    # /sbin/chkconfig vsftpd on

Start vsftpd:

    # /sbin/service vsftpd start

If you change the vsftpd.conf configuration file, you need to restart vsftpd.

Notes

The vsftpd server can run in normal mode (the xinetd daemon [page 425] calls vsftpd each time a client tries to make a connection) or it can run in stand-alone mode (vsftpd runs as a daemon and handles connections directly).

Stand-alone mode

Although by default vsftpd runs in normal mode, Red Hat sets it up to run in stand-alone mode by setting the listen parameter (page 615) to YES in the vsftpd.conf file. Under CentOS Linux, with vsftpd running in stand-alone mode, you start and stop the server using service and the vsftpd init script. You must install an xinetd control file (page 425) if you want to run vsftpd in normal mode. A sample file can be found at /usr/share/doc/vsftpd*/vsftpd.xinetd. Copy the sample file to the /etc/xinetd.d directory, rename it vsftpd, and edit the file to change the disable parameter to no. With the listen parameter in vsftpd.conf set to NO, xinetd will take care of starting vsftpd as needed.

Security

The safest policy is not to allow users to authenticate against FTP: use FTP for anonymous access only. If you do allow local users to authenticate and upload files to the server, be sure to put local users in a chroot jail (page 616). Because FTP sends usernames and passwords in cleartext, a malicious user can easily sniff (page 1056) them. With a username and password, the same user can impersonate a local user, upload a Trojan horse (page 1060), and compromise the system.

Firewall

An FTP server normally uses TCP port 21. If the FTP server system is running a firewall, you need to open this port. Using the Red Hat graphical firewall tool (page 768), select FTP from the Trusted Services frame to open this port. For more general information see Chapter 25, which details iptables.

SELinux

When SELinux is set to use a targeted policy, FTP is protected by SELinux. You can disable this protection if necessary. For more information refer to "Setting the Targeted Policy with system-config-securitylevel" on page 402.

JumpStart: Starting a vsftpd Server

By default, under CentOS Linux vsftpd allows local and anonymous users to log in on the server and does not set up a guest account. When someone logs in as an anonymous user, that person is working in the /var/ftp directory. You do not have to configure anything.

Testing the Setup

Make sure vsftpd is working by logging in from the system running the server. You can refer to the server as localhost or by using its hostname on the command line. Log in as anonymous; use any password.

    $ ftp localhost
    Connected to localhost.localdomain.
    220 (vsFTPd 2.0.4)
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (bravo:alex): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> quit
    221 Goodbye.

If you are not able to connect to the server, first make sure the server is running:

    $ /sbin/service vsftpd status
    vsftpd (pid 3091) is running...

Next check that permissions on /var/ftp, or the home directory of ftp as specified in /etc/passwd, are set to 755. If the ftp user can write to /var/ftp, connections will fail.

    # ls -ld /var/ftp
    drwxr-xr-x 4 root root 4096 Aug 27 23:54 /var/ftp

Once you are able to log in from the local system, log in from another system, either one on the LAN or another system with access to the server. On the command line, use the hostname from within the LAN or the FQDN (page 1032) from outside the LAN. The dialog should appear the same as in the previous example. If you cannot log in from a system that is not on your LAN, use ping (page 365) to test the connection and make sure the firewall is set up to allow FTP access.

See "FTP connections" on page 602 for a discussion of active and passive modes and the ports that each mode uses.

vsftpd.conf: The vsftpd Configuration File

The configuration file for vsftpd, /etc/vsftpd/vsftpd.conf, lists Boolean, numeric, and string name-value pairs of configuration parameters, called directives. Each name-value pair is joined by an equal sign with no SPACEs on either side. CentOS Linux provides a well-commented /etc/vsftpd/vsftpd.conf file that changes many of the compiled-in defaults. This section covers most of the options, noting their default values and their values as specified in the vsftpd.conf file supplied with CentOS Linux.

Set Boolean options to YES or NO and numeric options to a nonnegative integer. Octal numbers, which are useful for setting umask options, must have a leading 0 (zero). Numbers without a leading zero are treated as base 10 numbers. Following are examples from vsftpd.conf of setting each type of option:

    anonymous_enable=YES
    local_umask=022
    xferlog_file=/var/log/vsftpd.log

Descriptions of the directives are broken into the following groups:

    Stand-Alone Mode
    Logging In
    Working Directory and the chroot Jail
    Downloading and Uploading Files
    Messages
    Display
    Logs
    Connection Parameters
    Miscellaneous
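The name=value format just described, together with the settings the directive descriptions below single out as risky, as an added Python example (not code from the book or from the vsftpd project): it parses a vsftpd.conf according to these rules and reports the settings that the rest of this section recommends against. The two embedded configuration files are constructed samples, and the list of risky values is a reading of the directive descriptions that follow, not a vsftpd feature.

```python
import re

# Directive lines are name=value with no spaces around the '=' (format rules above).
_DIRECTIVE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_vsftpd_conf(text):
    """Return {name: value}: YES/NO -> bool, digits -> int (leading 0 = octal), else str."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError("bad directive line (spaces around '='?): %r" % raw)
        name, value = m.groups()
        if value.upper() in ("YES", "NO"):
            conf[name] = value.upper() == "YES"
        elif value.isdigit():
            conf[name] = int(value, 8 if value.startswith("0") else 10)
        else:
            conf[name] = value
    return conf

# (directive, risky value, why) drawn from the directive descriptions in this section.
RISKY = [
    ("local_enable", True, "local logins send passwords in cleartext; prefer anonymous-only FTP"),
    ("chroot_local_user", False, "local users are not confined to a chroot jail"),
    ("anon_other_write_enable", True, "anonymous users may delete and rename files"),
    ("pasv_promiscuous", True, "PASV skips the single-IP check on data connections"),
    ("port_promiscuous", True, "PORT data connections may go to hosts other than the client"),
    ("ls_recurse_enable", True, "ls -R on a large tree can exhaust server resources"),
    ("setproctitle_enable", True, "ps reveals what each vsftpd process is doing"),
    ("one_process_model", True, "one process per connection trades isolation for speed"),
    ("hide_ids", False, "directory listings show real owners instead of ftp"),
]

def audit(conf):
    """Return a list of findings (empty when none fired). An unset Boolean
    counts as NO, which is the compiled-in default for every directive checked."""
    findings = []
    for name, risky, why in RISKY:
        if conf.get(name, False) == risky:
            findings.append("%s=%s: %s" % (name, "YES" if risky else "NO", why))
    if conf.get("local_enable") and conf.get("write_enable") and not conf.get("chroot_local_user"):
        findings.append("write_enable=YES for unjailed local users: uploads limited only by file permissions")
    if conf.get("nopriv_user", "nobody") == "nobody":
        findings.append("nopriv_user=nobody: shared with other programs; use a dedicated user such as ftp")
    return findings

# Constructed samples: a permissive setup and its hardened, anonymous-only counterpart.
PERMISSIVE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
listen=YES
"""
HARDENED_CONF = """\
anonymous_enable=YES
local_enable=NO
chroot_local_user=YES
hide_ids=YES
nopriv_user=ftp
"""
```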
Stand-Alone Mode

Refer to "Notes" on page 607 for a discussion of normal and stand-alone modes. This section describes the parameters that affect stand-alone mode.

listen
    YES runs vsftpd in stand-alone mode; NO runs it in normal mode. Default: NO

listen_address
    In stand-alone mode, specifies the IP address of the local interface that vsftpd listens on for incoming connections. When not set, vsftpd uses the default network interface.

listen_port
    In stand-alone mode, specifies the port that vsftpd listens on for incoming connections.

max_clients
    In stand-alone mode, specifies the maximum number of clients. Zero (0) indicates unlimited clients.

max_per_ip
    In stand-alone mode, specifies the maximum number of clients from the same IP address. Zero (0) indicates unlimited clients from the same IP address.

Logging In

Three classes of users can log in on a vsftpd server: anonymous, local, and guest. The guest user is rarely used and is not covered in this chapter. Local users log in with their system username and password. Anonymous users log in with anonymous or ftp, using their email address as a password. You can control whether each of these classes of users can log in on the server and what they can do once they log in. You can also specify what a local user can do on a per-user basis; refer to user_config_dir on page 624.

Local Users

userlist_enable
    The /etc/vsftpd/user_list file (page 624), or another file specified by userlist_file, contains a list of zero or more users. YES consults this list and takes action based on userlist_deny, either granting or denying users in the list permission to log in on the server. To prevent the transmission of cleartext passwords, access is denied immediately after the user enters her username. NO does not consult the list. For a more secure system, set to NO. Default: NO

userlist_deny
    YES prevents users listed in /etc/vsftpd/user_list (page 624) from logging in on the server. NO allows only users listed in /etc/vsftpd/user_list to log in on the server. Use userlist_file to change the name of the file that this parameter consults. This parameter is checked only when userlist_enable is set to YES.

userlist_file
    The name of the file consulted when userlist_enable is set to YES. Default: /etc/vsftpd/user_list

local_enable
    YES permits local users (users listed in /etc/passwd) to log in on the server. Default: NO

Anonymous Users

anonymous_enable
    YES allows anonymous logins.

no_anon_password
    YES skips asking anonymous users for passwords.

deny_email_enable
    YES checks whether the password (email address) that an anonymous user enters is listed in /etc/vsftpd/banned_emails or another file specified by banned_email_file. If it is, the user is not allowed to log in on the system. NO does not perform this check. Using iptables (page 763) to block specific hosts is generally more productive than using this parameter.

banned_email_file
    The name of the file consulted when deny_email_enable is set to YES. Default: /etc/vsftpd/banned_emails

Working Directory and the chroot Jail

When a user logs in on a vsftpd server, standard filesystem access permissions control which directories and files the user can access and how the user can access them. Three basic parameters control a user who is logged in on a vsftpd server:

    The user ID (UID) the user runs as
    The directory the user starts in
    Whether the user is confined to a chroot jail
By default, the vsftpd server sets the user ID of a local user to that user's username and sets the user ID of an anonymous user to ftp. A local user starts in her home directory and an anonymous user starts in /var/ftp. By default, anonymous users are placed in a chroot jail for security; local users are not.

For example, when an anonymous user logs in on a vsftpd server, his home directory is /var/ftp. All that user sees, however, is that his home directory is /. The user sees the directory at /var/ftp/upload as /upload. The user cannot see, or work with, for example, the /home, /usr/local, or /tmp directories. The user is in a chroot jail. For more information refer to "Setting Up a chroot Jail" on page 428.

You can use the chroot_local_user option to put each local user in a chroot jail whose root is the user's home directory. You can use chroot_list_enable to put selected local users in chroot jails.

chroot_list_enable
    Upon login, YES checks whether a local user is listed in /etc/vsftpd/chroot_list (page 624) or another file specified by chroot_list_file. When chroot_local_user is set to NO, only the users listed in /etc/vsftpd/chroot_list are put in chroot jails in their home directories. When chroot_local_user is set to YES, the listed users are the ones not put in a chroot jail; every user not listed in /etc/vsftpd/chroot_list is put in a chroot jail.

chroot_local_user
    See chroot_list_enable. Set to NO for a more open system, but remember to add new users to the chroot_list_file as needed when you add users to the system. Set to YES for a more secure system: new users are automatically restricted unless you add them to chroot_list_file.

chroot_list_file
    The name of the file consulted when chroot_list_enable is set to YES. Default: /etc/vsftpd/chroot_list

passwd_chroot_enable
    YES enables you to change the location of the chroot jail that the chroot_list_enable and chroot_local_user settings impose on a local user. The location of the chroot jail can be moved up the directory structure by including a /./ within the home directory string for that user in /etc/passwd. This change has no effect on the standard system login, just as a cd . command has no effect on the working directory. For example, changing the home directory field in /etc/passwd (page 454) for Sam from /home/sam to /home/./sam allows Sam to cd to /home after logging in using vsftpd. Given the proper permissions, Sam can now view files and possibly collaborate with another user.

secure_chroot_dir
    The name of an empty directory that is not writable by the user ftp. The vsftpd server uses this directory as a secure chroot jail when the user does not need access to the filesystem.

local_root
    After a local user logs in on the server, this directory becomes the user's working directory. No error results if the specified directory does not exist.

Downloading and Uploading Files

By default, any user, whether local or anonymous, can download files from the vsftpd server, assuming proper filesystem access and permissions. You must change write_enable from NO (default) to YES to permit local users to upload files. The vsftpd.conf file supplied with CentOS Linux sets local_umask to 022 (the compiled-in default is 077), giving uploaded files 644 permissions (page 180).

Security

Refer to "Security" on page 613 for information on the security hole that is created when you allow local users to upload files. The following actions set up vsftpd to allow anonymous users to upload files:

    Set write_enable to YES.
    Set anon_upload_enable to YES.
    Create a directory under /var/ftp (for example, /var/ftp/upload) that the ftp user can write to. Do not make /var/ftp itself writable by ftp; if it is, connections will fail.
Download/Upload for Local Users

local_umask
    The umask (page 420) setting for local users. Default: 077

file_open_mode
    Uploaded file permissions for local users. The umask (page 420) is applied to this value. Change to 0777 to make uploaded files executable.

write_enable
    YES permits users to create and delete files and directories (assuming appropriate filesystem permissions). NO prevents users from making changes to the filesystem. Default: NO

Anonymous Users

anon_mkdir_write_enable
    YES permits an anonymous user to create new directories when write_enable=YES and the anonymous user has permission to write to the parent directory.

anon_other_write_enable
    YES grants an anonymous user write permission in addition to the permissions granted by anon_mkdir_write_enable and anon_upload_enable. For example, YES allows an anonymous user to delete and rename files, assuming permission to write to the parent directory. Not recommended for secure sites.

anon_root
    After an anonymous user logs in on the server, this directory becomes the user's working directory. No error results if the specified directory does not exist.

anon_umask
    The umask (page 420) setting for anonymous users. The default setting gives only anonymous users access to files uploaded by anonymous users; set to 022 to give everyone read access to these files.

anon_upload_enable
    YES allows anonymous users to upload files when write_enable=YES and the anonymous user has permission to write to the directory.

anon_world_readable_only
    YES limits the files that a user can download to those that are readable by the owner of the file, members of the group the file is associated with, and others. It may not be desirable to allow one anonymous user to download a file that another anonymous user uploaded; setting this parameter to YES avoids this scenario.

ascii_download_enable
    YES allows a user to download files using ASCII mode. Setting this parameter to YES can create a security risk (page 608).

ascii_upload_enable
    YES allows a user to upload files using ASCII mode (page 608).

chown_uploads
    YES causes files uploaded by anonymous users to be owned by root (or another user specified by chown_username).

chown_username
    See chown_uploads.

ftp_username
    The username of anonymous users.

nopriv_user
    The name of the user with minimal privileges, as used by vsftpd. To enhance security, because other programs use nobody, replace nobody with the name of a dedicated user such as ftp.

Messages

You can replace the standard greeting banner that vsftpd displays when a user logs in on the system (banner_file and ftpd_banner). You can also display a message each time a user enters a directory (dirmessage_enable and message_file). When you set dirmessage_enable=YES, each time a user enters a directory using cd, vsftpd displays the contents of the file in that directory named .message (or another file specified by message_file).

dirmessage_enable
    YES displays .message or another file specified by message_file as an ftp user enters a new directory by giving a cd command. Default: NO

message_file
    See dirmessage_enable.

banner_file
    The absolute pathname of the file that is displayed when a user connects to the server. Overrides ftpd_banner.

ftpd_banner
    This string overrides the standard vsftpd greeting banner displayed when a user connects to the server. Default: none; uses the standard vsftpd banner

Display

This section describes parameters that can improve security and performance by controlling how vsftpd displays information.

hide_ids
    YES lists all users and groups in directory listings as ftp. NO lists the real owners.

setproctitle_enable
    NO causes ps to display the process running vsftpd as vsftpd. YES causes ps to display what vsftpd is currently doing (uploading and so on). Set to NO to provide a more secure system.

text_userdb_names
    NO improves performance by displaying numeric UIDs and GIDs in directory listings. YES displays names.

use_localtime
    NO causes the ls, mls, and modtime FTP commands to display UTC (page 1062); YES causes these commands to display the local time.

ls_recurse_enable
    YES permits users to give ls -R commands. Setting this parameter to YES may pose a security risk because giving an ls -R command at the top of a large directory hierarchy can consume a lot of system resources.

Logs

By default, logging is turned off. However, the vsftpd.conf file distributed with CentOS Linux turns it on. This section describes parameters that control the details and locations of logs.

log_ftp_protocol
    YES logs FTP requests and responses, provided that xferlog_std_format is set to NO.

xferlog_enable
    YES maintains a transfer log in /var/log/vsftpd.log (or another file specified by xferlog_file). NO does not create a log. Default: NO

xferlog_std_format
    YES causes a transfer log (not covering connections) to be written in standard xferlog format, as used by wu-ftpd, as long as xferlog_file is explicitly set. The default vsftpd log format is more readable than xferlog format, but it cannot be processed by programs that generate statistical summaries of xferlog files. Search for xferlog on the Internet for more information. Default: NO

xferlog_file
    The name of the transfer log file; see xferlog_enable and xferlog_std_format. Default: /var/log/vsftpd.log

Connection Parameters

You can allow clients to establish passive and/or active connections (page 602). Setting timeouts and maximum transfer rates can improve server security and performance. This section describes parameters that control the types of connections that a client can establish, the length of time vsftpd will wait while establishing a connection, and the speeds of connections for different types of users.

Passive (PASV) Connections

pasv_enable
    NO prevents the use of PASV connections.

pasv_promiscuous
    NO causes PASV to perform a security check that ensures that the data and control connections originate from a single IP address. YES disables this check; it is not recommended for a secure system.

pasv_max_port
    The highest port number that vsftpd will allocate for a PASV data connection; useful in setting up a firewall.

pasv_min_port
    The lowest port number that vsftpd will allocate for a PASV data connection; useful in setting up a firewall.

pasv_address
    Specifies an IP address other than the one used by the client to contact the server. Default: none; the address is the one used by the client

Active (PORT) Connections

port_enable
    NO prevents the use of PORT connections.

port_promiscuous
    NO causes PORT to perform a security check that ensures that outgoing data connections connect only to the client. YES disables this check; it is not recommended for a secure system.

connect_from_port_20
    YES specifies port 20 (ftp-data, a privileged port) on the server for PORT connections, as required by some clients. NO allows vsftpd to run with fewer privileges (on a nonprivileged port). Default: NO

ftp_data_port
    With connect_from_port_20 set to NO, specifies the port that vsftpd uses for PORT connections.

Timeouts

accept_timeout
    The number of seconds the server waits for a client to establish a PASV data connection.

connect_timeout
    The number of seconds the server waits for a client to respond to a PORT data connection.

data_connection_timeout
    The number of seconds the server waits for a stalled data transfer to resume before disconnecting.

idle_session_timeout
    The number of seconds the server waits between FTP commands before disconnecting.

local_max_rate
    For local users, the maximum data transfer rate in bytes per second. Zero (0) indicates no limit.

anon_max_rate
    For anonymous users, the maximum data transfer rate in bytes per second. Zero (0) indicates no limit.

one_process_model
    YES establishes one process per connection, which improves performance but degrades security. NO allows multiple processes per connection. NO is recommended for a more secure system.

Miscellaneous

This section describes parameters not discussed elsewhere.

pam_service_name
    The name of the PAM service used by vsftpd. Default: ftp

tcp_wrappers
    YES causes incoming connections to use tcp_wrappers (page 427) if vsftpd was compiled with tcp_wrappers support. When tcp_wrappers sets the environment variable VSFTPD_LOAD_CONF, vsftpd loads the configuration file specified by this variable, allowing per-IP configuration. Default: NO

user_config_dir
    Specifies a directory that contains files named for local users. Each of these files, which mimic vsftpd.conf, contains parameters that override, on a per-user basis, default parameters and parameters specified in vsftpd.conf. For example, assume that user_config_dir is set to /etc/vsftpd/user_conf. If the default configuration file, /etc/vsftpd/vsftpd.conf, sets idle_session_timeout=300 and Sam's individual configuration file, /etc/vsftpd/user_conf/sam, sets idle_session_timeout=1200, all users' sessions, except for Sam's, will time out after 300 seconds of inactivity. Sam's sessions will time out after 1,200 seconds.

Files

In addition to /etc/vsftpd/vsftpd.conf, the following files control the functioning of vsftpd. The directory hierarchy that user_config_dir points to is not included in this list as it has no default name.

/etc/vsftpd/ftpusers
    Lists users, one per line, who are never allowed to log in on the FTP server, regardless of how userlist_enable (page 615) is set and regardless of the users listed in the user_list file. The default file lists root, bin, daemon, and others.

/etc/vsftpd/user_list
    Lists either the only users who can log in on the server or the users who are not allowed to log in on the server. The userlist_enable (page 615) option must be set to YES for vsftpd to examine the list of users in this file. Setting userlist_enable to YES and userlist_deny (page 615) to YES (or not setting it) prevents listed users from logging in on the server. Setting userlist_enable to YES and userlist_deny to NO permits only the listed users to log in on the server.

/etc/vsftpd/chroot_list
    Depending on the chroot_list_enable (page 617) and chroot_local_user (page 617) settings, this file lists either users who are forced into a chroot jail in their home directories or users who are not placed in a chroot jail.

/var/log/vsftpd.log
    The default transfer log file, written when xferlog_enable is set to YES; see xferlog_file.
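The login and chroot rules from the Logging In, chroot Jail and Files sections, as an added Python example (not vsftpd's own code): given the directive values and the contents of the ftpusers, user_list and chroot_list files, it decides whether a username may log in and, if so, which directory it is confined to. The functions take the directives as a dict of raw values; SAMPLE_CONF and the three list contents are constructed for the demonstration.

```python
# Directives are passed as a dict of raw vsftpd.conf values, e.g. {"userlist_enable": "YES"}.
def _is_yes(conf, name, default="NO"):
    return str(conf.get(name, default)).upper() == "YES"

def login_allowed(user, conf, ftpusers=(), user_list=()):
    """Return (allowed, reason). /etc/vsftpd/ftpusers always denies; then user_list
    applies per userlist_enable/userlist_deny; then the enable switches decide.
    The list is matched against the username the client sends."""
    if user in ftpusers:
        return False, "listed in /etc/vsftpd/ftpusers"
    if _is_yes(conf, "userlist_enable"):
        listed = user in user_list
        deny = _is_yes(conf, "userlist_deny", "YES")  # unset behaves like YES
        if deny and listed:
            return False, "userlist_deny=YES and user is in user_list (denied before a password is sent)"
        if not deny and not listed:
            return False, "userlist_deny=NO and user is not in user_list"
    if user in ("anonymous", "ftp"):
        if _is_yes(conf, "anonymous_enable"):
            return True, "anonymous login"
        return False, "anonymous_enable=NO"
    if not _is_yes(conf, "local_enable"):
        return False, "local_enable=NO"
    return True, "local login"

def chroot_for(user, home, conf, chroot_list=()):
    """Return (jail_root, start_dir) or None when the user is not jailed.
    Anonymous users are always confined to anon_root (default /var/ftp)."""
    if user in ("anonymous", "ftp"):
        return conf.get("anon_root", "/var/ftp"), "/"
    listed = _is_yes(conf, "chroot_list_enable") and user in chroot_list
    # chroot_list inverts the global chroot_local_user setting for the users it names.
    if _is_yes(conf, "chroot_local_user") == listed:
        return None
    if _is_yes(conf, "passwd_chroot_enable") and "/./" in home:
        root, rest = home.split("/./", 1)  # /home/./sam -> jail /home, start /sam
        return (root or "/"), "/" + rest
    return home, "/"

# Constructed sample policy: user_list used as a deny list, sam's jail raised to /home.
SAMPLE_CONF = {"userlist_enable": "YES", "userlist_deny": "YES", "local_enable": "YES",
               "anonymous_enable": "YES", "chroot_local_user": "NO",
               "chroot_list_enable": "YES", "passwd_chroot_enable": "YES"}
SAMPLE_FTPUSERS = {"root", "bin", "daemon"}
SAMPLE_USER_LIST = {"guest"}
SAMPLE_CHROOT_LIST = {"sam"}

if __name__ == "__main__":
    for user, home in (("root", "/root"), ("guest", "/home/guest"),
                       ("sam", "/home/./sam"), ("anonymous", "")):
        print(user, login_allowed(user, SAMPLE_CONF, SAMPLE_FTPUSERS, SAMPLE_USER_LIST),
              chroot_for(user, home, SAMPLE_CONF, SAMPLE_CHROOT_LIST))
```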