{"id":194,"date":"2012-06-11T07:49:54","date_gmt":"2012-06-11T07:49:54","guid":{"rendered":"http:\/\/rmohan.com\/?p=194"},"modified":"2012-06-11T07:51:12","modified_gmt":"2012-06-11T07:51:12","slug":"vsftp","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=194","title":{"rendered":"VSFTP"},"content":{"rendered":"

CentOS 6<\/p>\n

vsftpd 2.2.2<\/strong><\/p>\n

su – root<\/p>\n

yum install vsftpd<\/p>\n

cd \/etc\/vsftpd\/<\/p>\n

vi config<\/p>\n

anonymous_enable=NO This is set to YES by default.<\/p>\n

local_enable=YES This is set to NO by default and change when you want the local users to have ftp access.<\/p>\n

xferlog_enable=Yes This is set to NO by default. Your logs will be written to \/var\/log\/xferlog.<\/p>\n

Most Linux’s have SELinux installed by default and this gives an error when the installer does not take care of the Selinux policy’s. The error is as follows:<\/p>\n

500 OOPS: cannot change directory:\/home\/someuser<\/p>\n

vi \/etc\/selinux\/config<\/p>\n

SELINUX=disabled<\/p>\n

Setting SELinux for ftp access:<\/p>\n

getsebool -a | grep ftp<\/p>\n

setsebool -P ftp_home_dir on<\/p>\n

chkconfig –levels 345 vsftpd on<\/p>\n

service vsftpd start<\/p>\n

The virtual users home folders will be under \/var\/ftp\/. You need to have either ‘su’ permissions or ‘root’ access or ‘sudo’ access.<\/p>\n

As authentication will be required pam_userdb is a good option and is installed by default. Check with:<\/p>\n

yum info db4-utils<\/p>\n

yum install db4-utils as necessary<\/p>\n

Now cd to \/etc\/vsftpd and prepare the .txt user file with the usernames and passwords.
\nThis file will have a username in single line and the password in the next as shown. It is good practice to put these in a separate folder.<\/p>\n

cd \/etc\/vsftpd
\nmkdir vuser
\ncd vuser
\nvim vuser_list<\/p>\n

sudhakar
\npassword1
\nbellamkonda
\npassword2<\/p>\n

db_load -T -t hash \/etc\/vsftpd\/vuser\/vuser_list \/etc\/vsftpd\/vuser\/vuser_db.db<\/p>\n

vi \/etc\/pam.d\/vsftpd <\/p>\n

cd \/etc\/pam.d\/
\nvi vsftpd<\/p>\n

auth sufficient pam_userdb.so db=\/etc\/vsftpd\/vuser\/vuser_db
\naccount sufficient pam_userdb.so db=\/etc\/vsftpd\/vuser\/vuser_db<\/p>\n

vi \/etc\/vsftpd\/vsftpd.conf<\/p>\n

guest_enable=YES # activate the virtual users
\nvirtual_use_local_privs=YES # virtual users have local priveleges
\nuser_sub_token=$USER
\nlocal_root=\/var\/ftp\/vuser\/$USER # specifies a home directory for each virtual user
\nchroot_local_user=YES # Restricting the user to the FTP area and HOME dir’s only<\/p>\n

Create the Virtual User Folders<\/p>\n

cd \/var\/ftp
\nmkdir vuser
\nmkdir vuser\/sudhakar
\nmkdir vuser\/bellamkonda
\nchown -R ftp:ftp \/etc\/ftp\/vuser\/<\/p>\n

\/var\/ftp\/vuser\/<\/p>\n

mkdir yourlocaluser
\nchown ftp:ftp yourlocaluser<\/p>\n

ln -s \/var\/ftp\/vuser\/yourlocaluser \/home\/yourlocaluser\/ftphome<\/p>\n

service vsftpd start
\nservice vsftpd restart<\/p>\n

cd \/etc\/vsftpd
\nmkdir vuser<\/p>\n

vuserchk – checks the necessary files and folders necessary for these scripts
\nvuser.conf – the file containing configuration parameters for these scripts
\nvuseradd – adds a virtual user
\nvuserdel – delets a virtual user
\nvuserres – restores a deleted user
\nvuserpas – changes a virtual user password
\nvusersho – displays the user password<\/p>\n

vsftpd SSL <\/p>\n

yum install vsftpd<\/p>\n

openssl req -x509 -nodes -days 365 -newkey rsa:1024 \\
\n -keyout \/etc\/vsftpd\/vsftpd.pem \\
\n -out \/etc\/vsftpd\/vsftpd.pem<\/p>\n

Configure vsftpd<\/p>\n

To configure vsftpd you edit the file \/etc\/vsftpd\/vsftpd.conf and add the following lines:<\/p>\n

ssl_enable=YES
\n allow_anon_ssl=NO
\n force_local_data_ssl=NO
\n force_local_logins_ssl=NO
\n ssl_tlsv1=YES
\n ssl_sslv2=NO
\n ssl_sslv3=NO
\n rsa_cert_file=\/etc\/vsftpd\/vsftpd.pem<\/p>\n

\/etc\/rc.d\/init.d\/vsftpd restart<\/p>\n

FTP Security – Chroot \/ Jail user (limiting user to own their home directory only)<\/p>\n

Step1: Editing \/etc\/vsftpd\/vsftpd.conf.<\/p>\n

Option A: chroot all local user<\/p>\n

By default, if you are adding in chroot_local_user=YES .All the local users are’ chroot()’ \/jailed to their \/home\/user direcory. Go to last line adding in the line
\nvim \/etc\/vsftpd\/vsftpd.conf<\/p>\n

chroot_local_user=YES<\/p>\n

Option B: chroot only selected users<\/p>\n

If you want only selected ftp user restricted to their home directory, uncomment\/delete the # sign at line 94 and 96. If chroot_local_user=YES was previously added , make sure that chroot_local_user=YES is removed from your vsftpd.conf file.
\nvim \/etc\/vsftpd\/vsftpd.conf<\/p>\n

91 # You may specify an explicit list of local users to chroot() to their home
\n92 # directory. If chroot_local_user is YES, then this list becomes a list of
\n93 # users to NOT chroot().
\n94 chroot_list_enable=YES
\n95 # (default follows)
\n96 chroot_list_file=\/etc\/vsftpd\/chroot_list<\/p>\n

CentOS Linux FTP Server<\/p>\n

FTP Security – Chroot \/ Jail user (limiting user to own their home directory only)<\/p>\n

Local account ftp user has the rights to change to any directory outside from their \/home\/user by default. Therefore, they can browse any files in any directory in FTP servers. Let’s have a close look at the example below. The user james is browsing the \/etc\/sysconfig\/networking directory and he knows that there are two directories which is devices and profiles. If james has rights on the file outside his \/home directory(such as group rights), he can just download these files.
\n>C:\\>ftp 192.168.13.145
\nConnected to 192.168.13.145.
\n220 (vsFTPd 2.0.5)
\nUser (192.168.13.145:(none)): james
\n331 Please specify the password.
\nPassword:
\n230 Login successful.
\nftp> pwd
\n257 “\/home\/james”
\nftp> cd \/etc\/sysconfig\/networking
\n250 Directory successfully changed.
\nftp> pwd
\n257 “\/etc\/sysconfig\/networking”
\nftp> ls
\n200 PORT command successful. Consider using PASV.
\n150 Here comes the directory listing.
\ndevices
\nprofiles
\n226 Directory send OK.
\nftp: 19 bytes received in 0.00Seconds 19.00Kbytes\/sec.
\nftp> bin
\n200 Switching to Binary mode.
\nftp> cd devices
\n250 Directory successfully changed.
\nftp> ls
\n200 PORT command successful. Consider using PASV.
\n150 Here comes the directory listing.
\nifcfg-eth0
\nifcfg-eth0.bak
\nifcfg-eth1
\nifcfg-eth1.bak
\n226 Directory send OK.
\nftp: 56 bytes received in 0.00Seconds 28.00Kbytes\/sec.
\nftp> get ifcfg-eth0
\n200 PORT command successful. Consider using PASV.
\n150 Opening BINARY mode data connection for ifcfg-eth0 (117 bytes).
\n226 File send OK.
\nftp: 117 bytes received in 0.00Seconds 117.00Kbytes\/sec.<\/p>\n

Thus, its always recommended to jail\/ restrict FTP user access only to their \/home\/user direcotory.<\/p>\n

Step1: Editing \/etc\/vsftpd\/vsftpd.conf.<\/p>\n

Option A: chroot all local user<\/p>\n

By default, if you are adding in chroot_local_user=YES .All the local users are’ chroot()’ \/jailed to their \/home\/user direcory. Go to last line adding in the line
\nvim \/etc\/vsftpd\/vsftpd.conf<\/p>\n

chroot_local_user=YES<\/p>\n

Option B: chroot only selected users<\/p>\n

If you want only selected ftp user restricted to their home directory, uncomment\/delete the # sign at line 94 and 96. If chroot_local_user=YES was previously added , make sure that chroot_local_user=YES is removed from your vsftpd.conf file.
\nvim \/etc\/vsftpd\/vsftpd.conf<\/p>\n

91 # You may specify an explicit list of local users to chroot() to their home
\n92 # directory. If chroot_local_user is YES, then this list becomes a list of
\n93 # users to NOT chroot().
\n94 chroot_list_enable=YES
\n95 # (default follows)
\n96 chroot_list_file=\/etc\/vsftpd\/chroot_list<\/p>\n

Step2 (if selected option B above): create a file named chroot_list under \/etc\/vsftpd\/<\/p>\n

The following example, we are creating chroot_list and insert the user james in the list
\ncd \/etc\/vsftpd\/<\/p>\n

vim chroot_list<\/p>\n

james<\/p>\n

Step3: Restart vsFTPD services
\nservice vsftpd restart
\nShutting down vsftpd: [ OK ]
\nStarting vsftpd for vsftpd: [ OK ]<\/p>\n","protected":false},"excerpt":{"rendered":"

CentOS 6<\/p>\n

vsftpd 2.2.2<\/p>\n

su – root<\/p>\n

yum install vsftpd<\/p>\n

cd \/etc\/vsftpd\/<\/p>\n

vi config<\/p>\n

anonymous_enable=NO This is set to YES by default.<\/p>\n

local_enable=YES This is set to NO by default and change when you want the local users to have ftp access.<\/p>\n

xferlog_enable=Yes This is set to NO by default. Your logs will be written […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/194"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=194"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/194\/revisions"}],"predecessor-version":[{"id":197,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/194\/revisions\/197"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}