To start off, VSFTP is an FTP server and is considered to be the most secure FTP server. I am configuring this on Gentoo, so the locations of the configuration files may differ depending on your system.
Basic Setup
Installation
- On Gentoo just use 'emerge vsftpd'
- On Debian just use 'apt-get install vsftpd'
- Or get the source from here
Configuration
In Gentoo the configuration file is located at /etc/vsftpd/vsftpd.conf. Here is a simple configuration.
dirmessage_enable=YES
# banner_file=/etc/vsftpd/vsftpd.banner # edit banner first
chown_uploads=NO
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=NO
ascii_download_enable=NO
chroot_list_enable=YES
background=YES
listen=YES
ls_recurse_enable=NO
If you want to allow anonymous read-only access to your FTP server, add this to your configuration.
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
If you want to disable local users' access to your FTP server, add this to your configuration.
local_enable=NO
write_enable=NO
Virtual Users Configuration
Virtual users allow multiple users to access your FTP server without creating a local user for each of them. I will be using PAM for virtual user authentication, as opposed to the Berkeley DB approach. First you will need to add a user named virtual:
# useradd -d --FTP DIRECTORY-- virtual
Then you will need to add the following to your vsftpd.conf file:
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
That will disable anonymous access to your FTP server, disable all write access, lock users in the FTP directory, and set up the virtual user, which is required for this to work. Next you will need to install pam_pwdfile, i.e. emerge pam_pwdfile. Then add these two lines to your PAM ftp configuration; in Gentoo it is located at /etc/pam.d/ftp
auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd_ftp
account required pam_permit.so
Now, to add users, you just need to add them to the passwd_ftp file in the format username:password. This Perl script is used to generate the MD5 password hashes.
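#! /usr/bin/perl -w
use strict;
# filter "user:cleartext" lines into "user:md5_crypted"
# probably requires glibc
while (<>) {
    chomp;
    # split on the first colon only, so passwords may contain ':'
    my ($user, $pass) = split /:/, $_, 2;
    # skip blank or malformed lines instead of hashing an undefined value
    next unless defined $pass && length $user;
    # '$1$' selects MD5-crypt; the salt is 8 random characters
    my $crypt = crypt $pass, '$1$' . gensalt(8);
    print "$user:$crypt\n";
}
# build a salt of $count characters from the crypt(3) alphabet
sub gensalt {
    my $count = shift;
    my @salt = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    my $s;
    $s .= $salt[rand @salt] for (1 .. $count);
    return $s;
}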
Remember to chmod +x /etc/vsftpd/'scriptName'. To add a user and generate the MD5 password hash, run these commands:
# cd /etc/vsftpd
# touch cleartext
# chmod go= cleartext
# echo john:secret >> cleartext
# ./filter cleartext > passwd_ftp
I wrote a bash script which can be used to add users. As arguments it takes the username and then the password.
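#!/bin/bash
# Arguments: USERNAME PASSWORD
if [ "$#" -ne 2 ]; then
    echo "Incorrect number of args" >&2
    exit 1
fi
cd /etc/vsftpd || exit 1
# Keep the cleartext list unreadable to group and others.
touch cleartext
chmod go= cleartext
# Quote the arguments so spaces and shell metacharacters survive intact.
printf '%s:%s\n' "$1" "$2" >> cleartext
# Regenerate the hashed file that pam_pwdfile reads.
./filter.pl cleartext > passwd_ftp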
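The steps above make two mistakes easy to miss: a cleartext line ending up in passwd_ftp, and the file being left accessible to group or others. As an added example (not part of the original page), this POSIX shell function checks a password file of the kind pam_pwdfile reads; the name audit_pwdfile and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a pam_pwdfile password file.
# Prints one finding per line; exit status is 0 only when the file is clean.
# The body runs in a subshell, so its variables stay local to the function.
audit_pwdfile() (
    file=$1 n=0 bad=0 seen=" "
    # MD5-crypt entry: $1$ + salt (up to 8 chars) + $ + 22-char digest.
    re='^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'
    [ -r "$file" ] || { echo "cannot read $file"; exit 2; }
    # Group/other permission bits (columns 5-10 of ls -l) must all be '-'.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: accessible to group/other, run chmod go= on it"; bad=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        user=${line%%:*} hash=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$user" ]; then
            echo "line $n: not in user:hash form"; bad=1; continue
        fi
        case "$seen" in
            *" $user "*) echo "line $n: duplicate user $user"; bad=1 ;;
        esac
        seen="$seen$user "
        if ! printf '%s\n' "$hash" | grep -Eq "$re"; then
            echo "line $n: $user has no MD5-crypt hash (cleartext entry?)"; bad=1
        fi
    done < "$file"
    exit "$bad"
)

# Constructed sample data: one well-formed entry, one cleartext, one duplicate.
demo=$(mktemp)
cat > "$demo" <<'EOF'
john:$1$abcdefgh$0123456789ABCDEFGHIJKL
mary:secret
john:$1$ijklmnop$LKJIHGFEDCBA9876543210
EOF
audit_pwdfile "$demo" || echo "audit failed for $demo"
rm -f "$demo"
```

On a live system the file to check would be /etc/vsftpd/passwd_ftp, run as root after each regeneration.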


