VSFTP

CentOS 6

vsftpd 2.2.2

su - root

yum install vsftpd

cd /etc/vsftpd/

vi vsftpd.conf

anonymous_enable=NO
This is YES by default; set it to NO unless you really want anonymous logins.

local_enable=YES
This is NO by default; set it to YES when local system users should have FTP access.

xferlog_enable=YES
This is NO by default; with it on, transfers are logged to /var/log/xferlog.

Most Linux distributions ship with SELinux enabled, and the vsftpd package does not adjust the SELinux policy for you, so FTP logins fail with the following error:

500 OOPS: cannot change directory:/home/someuser

One way around it is to disable SELinux entirely (takes effect after a reboot):

vi /etc/selinux/config

SELINUX=disabled

Alternatively, keep SELinux enforcing and allow vsftpd into the users' home directories with the ftp_home_dir boolean; -P makes the change persistent across reboots:

getsebool -a | grep ftp

setsebool -P ftp_home_dir on

chkconfig --levels 345 vsftpd on

service vsftpd start

The virtual users' home folders will be under /var/ftp/. The steps below need root privileges, either by logging in as root, via 'su' or via 'sudo'.

As authentication is required, pam_userdb is a good option and is installed by default. The Berkeley DB tools it needs come from db4-utils; check with:

yum info db4-utils

and install them if necessary:

yum install db4-utils

Now cd to /etc/vsftpd and prepare the text file with the usernames and passwords.
Each username is on one line and its password on the next, as shown. It is good practice to keep this file in a separate folder.

cd /etc/vsftpd
mkdir vuser
cd vuser
vim vuser_list

sudhakar
password1
bellamkonda
password2

db_load -T -t hash -f /etc/vsftpd/vuser/vuser_list /etc/vsftpd/vuser/vuser_db.db

vi /etc/pam.d/vsftpd

auth sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db
account sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db

vi /etc/vsftpd/vsftpd.conf

vsftpd reads everything after the = sign as the value, so comments must sit on their own lines rather than after a setting:

# activate the virtual users
guest_enable=YES
# virtual users get the privileges of local users
virtual_use_local_privs=YES
# each virtual user gets its own directory, named after the user, under local_root
user_sub_token=$USER
local_root=/var/ftp/vuser/$USER
# restrict users to their FTP area / home directory only
chroot_local_user=YES

Create the virtual user folders

cd /var/ftp
mkdir vuser
mkdir vuser/sudhakar
mkdir vuser/bellamkonda
chown -R ftp:ftp /var/ftp/vuser/

For a local user, create a folder for them under /var/ftp/vuser/ as well and link it from their home directory:

cd /var/ftp/vuser/
mkdir yourlocaluser
chown ftp:ftp yourlocaluser

ln -s /var/ftp/vuser/yourlocaluser /home/yourlocaluser/ftphome

service vsftpd start
service vsftpd restart

cd /etc/vsftpd
mkdir vuser

vuserchk - checks that the files and folders these scripts need are in place
vuser.conf - the file containing the configuration parameters for these scripts
vuseradd - adds a virtual user
vuserdel - deletes a virtual user
vuserres - restores a deleted user
vuserpas - changes a virtual user's password
vusersho - displays the user's password
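The helper scripts listed above are not reproduced on this page; as an added example (not the author's scripts), the POSIX shell functions below implement the add, delete, password-change and rebuild steps against the two-line vuser_list format and the db_load command shown earlier. VUSER_DIR, the function names and the chmod 600 on the cleartext password list are this example's own choices.

```shell
#!/bin/sh
# Added example, not the original post's scripts: manage the vuser_list file
# (username on one line, password on the next) and rebuild the pam_userdb
# database. VUSER_DIR and the function names are this example's own.
VUSER_DIR="${VUSER_DIR:-/etc/vsftpd/vuser}"
LIST="$VUSER_DIR/vuser_list"
DB="$VUSER_DIR/vuser_db.db"

# List usernames: every odd line of the file is a username.
vuser_names() {
    awk 'NR % 2 == 1' "$LIST"
}

# Add a user. Rejects names that are empty, already present, or contain
# characters that could break the two-line format or the FTP login.
vuser_add() {
    case $1 in ''|*[!A-Za-z0-9._-]*) echo "invalid username" >&2; return 1;; esac
    if vuser_names | grep -qxF -- "$1"; then
        echo "user $1 already exists" >&2; return 1
    fi
    printf '%s\n%s\n' "$1" "$2" >> "$LIST"
}

# Delete a user: drop the username line and the password line that follows it.
vuser_del() {
    awk -v u="$1" 'NR % 2 == 1 { keep = ($0 != u) } keep' "$LIST" > "$LIST.tmp" \
        && mv "$LIST.tmp" "$LIST"
}

# Change a password: replace the even line after the matching username
# (awk -v interprets backslash escapes, so avoid backslashes in passwords).
vuser_pass() {
    awk -v u="$1" -v p="$2" \
        'NR % 2 == 1 { hit = ($0 == u) } NR % 2 == 0 && hit { $0 = p } 1' \
        "$LIST" > "$LIST.tmp" && mv "$LIST.tmp" "$LIST"
}

# Rebuild the Berkeley DB that pam_userdb reads (db= in /etc/pam.d/vsftpd is
# given without the .db suffix) and keep both files readable by root only,
# since the list holds cleartext passwords.
vuser_rebuild() {
    db_load -T -t hash -f "$LIST" "$DB" && chmod 600 "$LIST" "$DB"
}
```

Source the file as root, call vuser_add, vuser_del or vuser_pass, then vuser_rebuild so pam_userdb sees the change.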

vsftpd SSL

yum install vsftpd

openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
-keyout /etc/vsftpd/vsftpd.pem \
-out /etc/vsftpd/vsftpd.pem

Configure vsftpd

To configure vsftpd you edit the file /etc/vsftpd/vsftpd.conf and add the following lines:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

/etc/rc.d/init.d/vsftpd restart


CentOS Linux FTP Server

FTP Security – Chroot / Jail user (limiting user to own their home directory only)

By default a local-account FTP user can change to any directory outside /home/user, and can therefore browse any directory on the FTP server. Look at the example below: the user james browses /etc/sysconfig/networking and sees that it contains two directories, devices and profiles. If james has rights on files outside his home directory (for example through group permissions), he can simply download them.
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): james
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/home/james"
ftp> cd /etc/sysconfig/networking
250 Directory successfully changed.
ftp> pwd
257 "/etc/sysconfig/networking"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
devices
profiles
226 Directory send OK.
ftp: 19 bytes received in 0.00Seconds 19.00Kbytes/sec.
ftp> bin
200 Switching to Binary mode.
ftp> cd devices
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
ifcfg-eth0
ifcfg-eth0.bak
ifcfg-eth1
ifcfg-eth1.bak
226 Directory send OK.
ftp: 56 bytes received in 0.00Seconds 28.00Kbytes/sec.
ftp> get ifcfg-eth0
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ifcfg-eth0 (117 bytes).
226 File send OK.
ftp: 117 bytes received in 0.00Seconds 117.00Kbytes/sec.

Thus, it is always recommended to jail FTP users, restricting their access to their own /home/user directory.

Step 1: Edit /etc/vsftpd/vsftpd.conf.

Option A: chroot all local users

Adding chroot_local_user=YES jails all local users to their /home/user directory. Add the line at the end of the file:
vim /etc/vsftpd/vsftpd.conf

chroot_local_user=YES

Option B: chroot only selected users

If only selected FTP users should be restricted to their home directory, uncomment lines 94 and 96 by deleting the # sign. If chroot_local_user=YES was added previously, make sure it is removed from vsftpd.conf, because with that option set the list becomes a list of users NOT to chroot:
vim /etc/vsftpd/vsftpd.conf

91 # You may specify an explicit list of local users to chroot() to their home
92 # directory. If chroot_local_user is YES, then this list becomes a list of
93 # users to NOT chroot().
94 chroot_list_enable=YES
95 # (default follows)
96 chroot_list_file=/etc/vsftpd/chroot_list

Step 2 (if you chose option B above): create a file named chroot_list under /etc/vsftpd/.

In the following example we create chroot_list and put the user james in it:
cd /etc/vsftpd/

vim chroot_list

james

Step 3: Restart the vsftpd service
service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
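The settings covered on this page (anonymous access, transfer logging, the SSL block and the chroot option) can be checked mechanically; the POSIX shell script below is an added example, not part of the original post, that reads a vsftpd.conf and reports every value weaker than the recommended one. It assumes vsftpd's compiled-in defaults for keys that are absent, and its function names are its own; note that it flags force_local_logins_ssl=NO and force_local_data_ssl=NO from the SSL block above, since those values still let clients log in and transfer in cleartext.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a vsftpd.conf against the
# settings discussed on the page. Function names are this example's own; the
# defaults are vsftpd's compiled-in defaults for the keys checked.

# Effective value of a key: the last uncommented "key=value" line wins, else the
# compiled-in default passed as $3 (vsftpd takes the whole remainder of the line
# as the value, so an inline "# comment" would make the value invalid).
vsftpd_get() {
    v=$(sed -n "s/^$2=\(.*\)/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Compare one key (case-insensitively) with the wanted value; print a finding
# on mismatch and count it.
vsftpd_check() {
    actual=$(vsftpd_get "$conf" "$1" "$3" | tr 'a-z' 'A-Z')
    if [ "$actual" != "$2" ]; then
        echo "$1=$actual (want $2): $4"
        findings=$((findings + 1))
    fi
}

# Report every deviation from the hardened settings; returns the finding count,
# so exit status 0 means the file matches the recommendations.
vsftpd_audit() {
    conf=$1
    findings=0
    #            key                     want  default  why
    vsftpd_check anonymous_enable        NO    YES "anonymous logins allowed"
    vsftpd_check xferlog_enable          YES   NO  "no transfer log for forensics"
    vsftpd_check chroot_local_user       YES   NO  "local users can browse outside their home"
    vsftpd_check ssl_enable              YES   NO  "TLS not offered"
    vsftpd_check ssl_sslv2               NO    NO  "SSLv2 enabled"
    vsftpd_check ssl_sslv3               NO    NO  "SSLv3 enabled"
    vsftpd_check force_local_logins_ssl  YES   YES "credentials may be sent in cleartext"
    vsftpd_check force_local_data_ssl    YES   YES "file data may be sent in cleartext"
    return "$findings"
}
```

Run it as `vsftpd_audit /etc/vsftpd/vsftpd.conf` after sourcing the file; a non-zero exit status means there is something left to fix.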
