Vsftpd is claimed to be "Probably the most secure and fastest FTP server for UNIX-like systems." Well, that makes us want to look at it. What we need in this case is for users with accounts on our system to be able to upload and download files without any additional client utilities; however, we don't want them to see other files on the system. This article walks through configuring vsftpd to that end. If you want a more secure chrooted environment, see Building a Chrooted sftp Environment.
The first thing we’ll do is copy the sample configuration file:
root@srv-1 vsftpd # cp vsftpd.conf.sample vsftpd.conf
root@srv-1 vsftpd # pwd
/etc/vsftpd
root@srv-1 vsftpd #
So, what happens if we try to FTP in with the default config? Let's try:
[root@srv-3 root]# ftp srv-1
ftp: connect: Connection refused
ftp> exit
Probably the service isn't listening. We had some issues with xinetd, so we'll run vsftpd standalone instead. To do this, add the following lines to /etc/vsftpd/vsftpd.conf:
background=YES
listen=YES
We’ll have to start vsftpd:
root@srv-1 etc # /etc/init.d/vsftpd start
 * Starting vsftpd...                                   [ ok ]
root@srv-1 etc #
Let’s try again:
[root@srv-3 root]# ftp srv-1
Connected to srv-1 (10.50.100.1).
421 Service not available, remote server has closed connection
ftp>
OK, that is better. We might have to RTFM and configure this. 🙂 Now, we do not want anonymous access, so we need to set these lines in vsftpd.conf:
anonymous_enable=NO
local_enable=YES
Let’s try it again:
[root@srv-3 root]# ftp srv-1
Connected to srv-1 (10.50.100.1).
220 (vsFTPd 1.2.1)
Name (srv-1:root): u-1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls /
227 Entering Passive Mode (10,50,100,1,247,49)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 02 05:45 bin
drwxr-xr-x    6 0        0            1024 Jun 01 11:36 boot
drwxr-xr-x    1 0        0               0 Jan 01  1970 dev
. . .
drwxrwxrwt   24 0        0            4096 Jul 09 18:00 tmp
drwxr-xr-x   17 0        0            4096 May 30 20:42 usr
drwxr-xr-x   14 0        5            4096 Jan 16 15:45 var
226 Directory send OK.
ftp>
OK. Better, but we don't want the user to see /. We need to add a couple of lines:
chroot_list_enable=YES
chroot_local_user=YES
Let’s restart vsftpd:
root@srv-1 vsftpd # /etc/init.d/vsftpd restart
 * Stopping vsftpd...                                   [ ok ]
 * Starting vsftpd...                                   [ ok ]
root@srv-1 vsftpd #
Now:
[root@srv-3 root]# ftp srv-1
Connected to srv-1 (10.50.100.1).
220 (vsFTPd 1.2.1)
Name (srv-1:root): u-1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls /
227 Entering Passive Mode (10,50,100,1,184,245)
150 Here comes the directory listing.
-rw-r--r--    1 1000     100          5497 Jan 20 14:49 000843.html
-rw-r--r--    1 1000     100             0 Feb 10  2003 0615060500
-rw-r--r--    1 1000     100        706169 Aug 09  2003 1.pdf
. . .
drwxr-xr-x    2 1000     100          4096 Jan 30  2003 xcircuitlibs
226 Directory send OK.
ftp> pwd
257 "/"
ftp>
ftp> quit
221 Goodbye.
That is u-1's home directory, so we are set. The complete vsftpd.conf file is:
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
nopriv_user=nobody
chroot_list_enable=YES
chroot_local_user=YES
background=YES
listen=YES
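Before relying on the two chroot directives it is worth checking what they combine to. As an added Python example (not code from the article), the script below parses a vsftpd.conf and applies vsftpd's rule: chroot_local_user=YES chroots every local user, and once chroot_list_enable=YES is also set the names in chroot_list_file (default /etc/vsftpd.chroot_list) become the exceptions, so with the config above a user placed in that file would see / again. The chroot list contents are passed in as a constructed set because the file lives on the server.

```python
# Added example, not code from the article: decide whether vsftpd will chroot a
# local user given vsftpd.conf text. The names in chroot_list_file are passed in
# as a set (that file lives on the server); the {"admin"} list below is constructed.

def parse_vsftpd_conf(text):
    """Return {key: value} from vsftpd.conf; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key] = value  # vsftpd rejects whitespace around '=', so none is stripped
    return conf
def as_bool(value, default):
    """vsftpd accepts YES/NO, TRUE/FALSE and 1/0, case-insensitively."""
    return default if value is None else value.strip().upper() in ("YES", "TRUE", "1")
def user_is_chrooted(conf, user, chroot_list):
    """chroot_local_user=YES chroots every local user; with chroot_list_enable=YES
    the names in chroot_list_file are the exception: exempted when everyone is
    chrooted, chrooted when nobody else is. Both directives default to NO."""
    chroot_all = as_bool(conf.get("chroot_local_user"), False)
    if not as_bool(conf.get("chroot_list_enable"), False):
        return chroot_all
    return (user not in chroot_list) if chroot_all else (user in chroot_list)
def audit(conf, user, chroot_list):
    findings = []
    # anonymous_enable defaulted to YES in the vsftpd 1.x/2.x era (3.x flipped it to NO).
    if as_bool(conf.get("anonymous_enable"), True):
        findings.append("anonymous logins are enabled")
    if not user_is_chrooted(conf, user, chroot_list):
        findings.append(f"{user} is not chrooted and can browse /")
    return findings
# The article's final vsftpd.conf, one directive per line.
ARTICLE_CONF = """anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
nopriv_user=nobody
chroot_list_enable=YES
chroot_local_user=YES
background=YES
listen=YES
"""

if __name__ == "__main__":
    conf = parse_vsftpd_conf(ARTICLE_CONF)
    for user in ("u-1", "admin"):  # constructed: "admin" was added to the chroot list
        print(user, user_is_chrooted(conf, user, {"admin"}), audit(conf, user, {"admin"}))
```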