Linux Home Server HOWTO

Home

Chapter 14 - FTP Server

Version:

- vsftpd 2.0.4

Initial Configuration
Starting The Server
Controlling User Access
Enabling TLS/SSL Encryption

File Transfer Protocol (RFC959) has been around for many years as one of the older more reliable methods for transferring data files and is still being used extensively by many organisations today. The Very Secure FTP Daemon (vsftpd) is one of the more popular and robust FTP servers available for the Linux community. The vsftpd server has had one major design rule from its initial development, enforcing high security requirements. The server can operate in a chroot jail and now supports TLS/SSL encryption (from Version 2).

The initially installed configuration provides full download access for anonymous users. This chapter will cover some of the basic configuration parameters for the server and identify some settings to improve security for authorised access only. It will also look at enabling TLS/SSL encryption to provide a level of safety for your transfer requirements. FTP Security Extensions are discussed in RFC2228.

Initial Configuration

The original configuration file for vsftpd is perfectly suited to a secure anonymous FTP server and makes a good basis to start customising, It should be backed up to ensure any errors can be restored quickly from a known good file.

[bash]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original
[bash]# vi /etc/vsftpd/vsftpd.conf

To display a welcome banner to every new user that connects, set the banner_file parameter and place a suitable welcome message inside the designated file.

banner_file=/etc/vsftpd/welcome.banner

Using the ftpd_banner parameter allows you to quickly set a single line welcome string for when new users connect.

ftpd_banner=Welcome to my vsFTPd Server.

If the banner_file and ftpd_banner are both enabled, then the banner_file is displayed before the ftpd_banner.

If you are doing any FTP mirroring and you host files from several different organisations, you can set an individual message that will be displayed when the user lists the contents of each different directory.

dirmessage_enable=YES

The default message file for each directory is ".message", adjust this setting if you wish to use a different filename.

message_file=.message

If a banner file and directory message are enabled in the FTP server's document root (/var/ftp), then the banner will be displayed immediately followed by the directory message.

The vsftpd server can run in standalone mode or be supported by inetd/xinetd. To enable standalone mode set "listen=YES" (default).

listen=YES

To disable inetd/xinetd server, set "tcp_wrappers=NO" (default).

tcp_wrappers=NO

The umask parameters define the "chmod" value (permissions) of the files when they are uploaded to the FTPs filesystem. To calculate the permission value, start at 777, then substract the umask value. So if a anon_umask value is set at 077, then the file will have the permissions of 700 on the file system (this may prevent the file from later being downloaded depending on filesystem permissions).

anon_umask=077
local_umask=022

The default account for anonymous access, if another system account is needed it can be specified here.

nopriv_user=ftp

This directive puts the FTP server into active mode for the data connection, the default is passive mode ("YES").

pasv_enable=YES

Adjust these to enable transfer logging.

xferlog_enable=YES
xferlog_file=/var/log/xferlog

Specify the name that the Pluggable Authentication Module is to use.

pam_service_name=vsftpd

This is the 'root' directory where your FTP files should be located. It should be an empty directory, and not writeable by "ftp" user (unless you are configuring anonymous upload).

anon_root=/var/ftp

For further configuration details, type "man vsftpd.conf" at the command prompt.

Starting The Server

Now that the FTP server has been configured, the runlevels should be set and checked to ensure the server will start as required.

[bash]# chkconfig --level 345 vsftpd on
[bash]# chkconfig --list vsftpd

The vsftpd daemon can now be started. Besure the check the system log for any initialisation errors.

[bash]# /etc/init.d/vsftpd restart
[bash]# grep vsftpd /var/log/messages

Controlling User Access

In vsftpd's initial state anonymous users are are allowed full download access to all the resources available through the FTP server, and adjustments to the configuration are required to enforce a more secure environment.

Anonymous Users

The default setting for allowing anonymous users is YES. To disable anonymous access it is not enough to comment out the following parameter, it MUST be changed to NO, otherwise anonymous still has access.

anonymous_enable=YES

anonymous_enable=NO

If the FTP server is going to be accessible to the general public, then the anonymous account can be granted the rights to upload files to the server and create new directories inside the FTP root directory. Give serious consideration to these abilities before implementing them.

#anon_upload_enable=YES
#anon_mkdir_write_enable=YES

Always avoid where possible, allowing anonymous users the ability to upload files to the FTP server. This has the potential to allow users of pirate software to abuse your system for further distribution. Always check the files on a regular basis for any sign of abuse.

To restrict the upload rate of connected anonymous users, set the anon_max_rate to an appropriate value for your connection. The rate at which system account users can upload can also be restricted using the local_max_rate parameter. Rates are in bytes per second, "0" is disabled.

anon_max_rate=10485760
local_max_rate=0

You may for some reason decide to limit the amount of users that connect to your server at anytime, and how many simultaneous connections can be maintained from each IP address.

max_clients=500
max_per_ip=4

System Accounts

Normally any user that has an account on the local system can log in using their account details and access their files. As a security measure, not all system accounts should be allowed to do this. Any user account that is listed in the /etc/vsftpd.ftpuser file will not be granted log in access through the server daemon. This file is normally used for system accounts (root, bin etc..) and bad people.

Do not put anonymous in /etc/vsftpd.ftpuser file, it does nothing. Anonymous access must be disabled with "anonymous_enable=NO" parameter.

To create a selective list for system user accounts that can access the FTP server.

userlist_enable=YES
userlist_file=/etc/vsftpd/user_list

If you need to stop all system user accounts from being able to log in to the FTP, then disable the following.

local_enable=YES
write_enable=YES

System user accounts normally have the ability to browse the complete filesystem as though they were logged onto the terminal (depending on directory permissions). To block all users from this activity, they can be chroot jailed into their home directories. This means they will be locked inside their own home directories and can't view or access the rest of the filesystem.

chroot_local_user=YES

Using chroot_local_user is handy for allowing users to access their "public_html" directories on a publicly shared web server.

Users can also be selectively jailed to their home directories.

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

If "chroot_list_enable=YES", then the /etc/vsftpd.chroot_list file contains a selective list of users that are jailed to their home directories. If "chroot_local_user=YES" is also set, then the entries in the /etc/vsftpd.chroot_list are users that are not jailed; the opposite effect.

Enabling TLS/SSL Encryption

The release of vsftpd version 2 brought some major updates to the FTP package and the most notable is the inclusion of TLS/SSL encryption for securing authentication and data transfers between clients and server.

You should only enable TLS/SSL if you really need it. If you only intend to cater for anonymous users on your server, then you should not implement encryption.

To enable the TLS/SSL security controls, the vsftpd version must have been compiled with its support. To find out if your version has been compiled with SSL support, execute the following command at the prompt.

[bash]# ldd /usr/sbin/vsftpd | grep ssl

If the command displays the libssl line in its output, then your version is ready to support TLS/SSL. If libssl is not in the output then your version of vsftpd does not support encryption, you will either have to recompile the source code yourself, or convince your distribution developers to consider it for inclusion.

libssl.so.6 => /lib/libssl.so.6 (0x001bf000)

Before the server is able to do any encryption, it requires the generation of a private key and a digital certificate. During the key generation process you will be asked several questions in regards of server name, organisational name, country code.

PREFERRED METHOD..
[bash]# cd /etc/pki/tls/certs
[bash]# make vsftpd.pem

ALTERNATE METHOD..
[bash]# openssl req -x509 -nodes -days 730 -newkey rsa:1024 \
-keyout /etc/pki/tls/certs/vsftpd.pem \
-out /etc/pki/tls/certs/vsftpd.pem

Both commands above are suitable for creating your certificates. The bottom command creates an X509 SSL certificate with a life of 2 years (-days 730).

Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:QLD
Locality Name (eg, city) [Newbury]:Brisbane
Organization Name (eg, company) [My Company Ltd]:Miles Brennan
Organizational Unit Name (eg, section) []:Home Linux Server
Common Name (eg, your name or your server's hostname) []:galaxy.example.com
Email Address []:[email protected]

If you are using the server for legitimate business use and you want to provide a level of security assurance to your customers, then you should use a key that has been signed by a Certificate Authority.

The contents of the /etc/pki/tls/certs/vsftpd.pem file should be checked to ensure is has a private key and digital certificate. If any of the identifying details in the X509 change or have been entered incorrectly, you can easily regenerate new keys until the details are correct.

The vsftpd.pem file should also be secured so only root has access to the file. This does not affect the server if it is running as a non privileged account, as the keys are loaded before dropping into non privileged mode.

[bash]# cat /etc/pki/tls/certs/vsftpd.pem
[bash]# openssl x509 -in /etc/pki/tls/certs/vsftpd.pem -noout -text

[bash]# chmod 600 /etc/pki/tls/certs/vsftpd.pem

The configuration file now needs to be adjusted to include the support for TSL/SSL encryption. The following details are the recommended parameters required, details of each parameter can be obtained from the "man vsftpd.conf" file.

[bash]# vi /etc/vsftpd/vsftpd.conf

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

The service should now be restarted for the changes to take effect.

[bash]# /etc/init.d/vsftpd restart

For TLS/SSL encryption to be fully implemented, the FTP client application also needs to support secure connections.

TLS/SSL Enabled FTP Clients

The Linux based gFTP client is enabled for TLS/SSL connections, however it initially rejects self-signed server certificates. This can be fixed by disabling the "Verify SSL Peer" setting in options. When making connections, be sure to select the FTPS protocol.

The Windows based SmartFTP client is also enabled for TLS/SSL connections. The FTP server firstly needs to be configured as a "Favourite Site", then the properties need to adjusted to use the "FTP over SSL Explicit" protocol. Save the changes and connect.

Home