

The Very Secure FTP Server

The Very Secure FTP server (vsftpd) is small, fast, easy, and secure. It is designed to avoid the overhead of large FTP server applications like ProFTPD, while maintaining a very high level of security. It can also handle a very large workload, managing high traffic levels on an FTP site. It is perhaps best for sites where many anonymous and guest users will be downloading the same files. Beginning with Red Hat 9, it replaced the Washington University FTP server, WU-FTPD.

The Very Secure FTP server is inherently designed to provide as much security as possible, taking full advantage of Unix and Linux operating system features. The server is separated into privileged and unprivileged processes. The unprivileged process receives all FTP requests, interpreting them and then sending them over a socket to the privileged process, which then securely filters all requests. Even the privileged process does not run with full root capabilities, using only those that are necessary to perform its tasks. In addition, the Very Secure FTP server uses its own version of directory commands like ls, instead of the system's versions.

Running vsftpd

The Very Secure FTP server's daemon is named vsftpd. On Red Hat, it is now designed to be run as a standalone server, which can be started and stopped using the /etc/rc.d/init.d/vsftpd server script. To start, stop, and restart vsftpd, you can use the service command.

service vsftpd start

To have the server start automatically, you can turn it on with the chkconfig command and the on argument, as shown here. Use the off argument to disable the server. If you previously enabled another FTP server such as ProFTPD, be sure to disable it first.

chkconfig vsftpd on

You can also use redhat-config-services to start and stop vsftpd, or to have it started automatically.

Alternatively, you can configure vsftpd to be run by xinetd, which starts the server only when a user makes a request. The use of xinetd for servers is described in detail in Chapter 20. xinetd uses a script file called vsftpd located in the /etc/xinetd.d directory.

Initially, the server will be turned off. You can turn it on in xinetd with the chkconfig command and the on argument, as shown here. Use the off argument to disable the server.

chkconfig vsftpd on

Restart xinetd with the service command (or redhat-config-services) to restart the vsftpd server, should you make configuration changes.

service xinetd restart

Configuring vsftpd

You configure vsftpd using one configuration file, /etc/vsftpd/vsftpd.conf. Configuration options are simple and kept to a minimum, making it less flexible than ProFTPD, but much faster (see Table 21-2). The vsftpd.conf file contains a set of directives where an option is assigned a value (there are no spaces around the = sign). Options can be on and off flags assigned a YES or NO value, features that take a numeric value, or ones that are assigned a string. Red Hat installs a default vsftpd.conf file in the /etc/vsftpd directory. This file lists some of the commonly used options available with detailed explanations for each. Those not used are commented out with a preceding # character. Option names are very understandable. For example, anon_upload_enable allows anonymous users to upload files, whereas anon_mkdir_write_enable lets anonymous users create directories. The man page for vsftpd.conf lists all options, providing a detailed explanation for each.

Table 21-2: Configuration Options for vsftpd.conf

Option                      Description
listen                      Set standalone mode
listen_port                 Specify port for standalone mode
anonymous_enable            Enable anonymous user access
local_enable                Enable access by local users
no_anon_password            Specify whether anonymous users must submit a password
anon_upload_enable          Enable uploading by anonymous users
anon_mkdir_write_enable     Allow anonymous users to create directories
anon_world_readable_only    Make uploaded files read only to all users
idle_session_timeout        Time limit in seconds for idle sessions
data_connection_timeout     Time limit in seconds for failed connections
dirmessage_enable           Display directory messages
ftpd_banner                 Display FTP login message
xferlog_enable              Enable logging of transmission transactions
xferlog_file                Specify log file
deny_email_enable           Enable denying anonymous users whose e-mail addresses are specified in vsftpd.banned
userlist_enable             Deny access to users specified in the vsftpd.user_list file
userlist_file               Deny or allow users access depending on the setting of userlist_deny
userlist_deny               When set to YES, users listed in userlist_file are denied access. When set to NO, users listed in userlist_file, and only those users, are allowed access
chroot_list_enable          Restrict users to their home directories
chroot_list_file            Allow users access to home directories. Unless chroot_local_user is set to YES, this file contains the list of users not allowed access to their home directories
chroot_local_user           Allow access by all users to their home directories
pam_service_name            Specify PAM script
ls_recurse_enable           Enable recursive listing

Enabling Standalone Access

To run vsftpd as a standalone server, you set the listen option to YES. This instructs vsftpd to continually listen on its assigned port for requests. You can specify the port it listens on with the listen_port option.

listen=YES

Enabling Login Access

In the following example taken from the vsftpd.conf file, anonymous FTP is enabled by assigning the YES value to the anonymous_enable option. The local_enable option allows local users on your system to use the FTP server.

# Allow anonymous FTP?
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES

Should you want to let anonymous users log in without providing a password, you can set no_anon_password to YES.

Local User Permissions

A variety of user permissions control how local users can access files on the server. If you want to allow local users to create, rename, and delete files and directories in their accounts, you have to enable write access with the write_enable option. This way, any files they upload, they can also delete. Specifically, the write_enable option activates a range of commands for changing the file system, including creating, renaming, and deleting both files and directories.

write_enable=YES

You can further specify the permissions for uploaded files using the local_umask option. Red Hat's vsftpd.conf sets the default to 022, which gives read and write permission to the owner and read-only permission to all other users (mode 644).

local_umask=022

ASCII uploads are disabled by default because they entail certain security risks. If you are uploading large text files, you may want to enable them in special cases; use ascii_upload_enable to allow ASCII uploads.

Anonymous User Permissions

You can also allow anonymous users to upload and delete files, as well as create or remove directories. Uploading by anonymous users is enabled with the anon_upload_enable option. To let anonymous users also rename or delete their files, you set the anon_other_write_enable option. To also let them create directories, you set the anon_mkdir_write_enable option.

anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES

The anon_world_readable_only option will make uploaded files read only (downloadable), restricting write access to the user that created them. Only the user that uploaded a file could delete it.

All uploaded files are owned by the anonymous FTP user. You can have the files owned by another user instead, which can add security: the actual user owning the uploaded files is hidden from anonymous users. To enable this option, set chown_uploads to YES and specify the new user with chown_username. Never make this user an administrative user like root.

chown_uploads=YES
chown_username=myftpfiles

The upload directory itself should be given write permission for other users.

chmod 777 /var/ftp/upload

You can control the kind of access that users have to files with the anon_umask option, setting default read/write permissions for uploaded files. The default is 077, which gives read/write permission to the owner only (600). To allow all users read access, you would set the umask to 022, where the 2 turns off write permission but leaves read permission (644). The value 000 would allow both read and write for all users.
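As an added illustration (not code from the book, from Red Hat, or from vsftpd), the following shell script reads a vsftpd.conf using the directive rules given under Configuring vsftpd (one option=value per line, no spaces around the = sign, # comments) and reports the anonymous-write and umask settings discussed in this section. The sample configuration it audits is constructed here, the warning rules are the script's own choices, and treating an absent directive as NO is a simplification; the compiled-in defaults are listed in the vsftpd.conf man page.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the directive format and the anonymous-write
# settings. Added illustration: the warning rules are this script's own,
# not anything shipped with vsftpd or Red Hat.

# conf_get FILE KEY: value of the last active "KEY=value" line (comments and
# blank lines skipped); prints nothing when KEY is absent or malformed.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { eq = index($0, "=") }
        eq > 0 && substr($0, 1, eq - 1) == key { val = substr($0, eq + 1) }
        END { print val }
    ' "$1"
}

# conf_malformed FILE: directive lines vsftpd will not read as intended:
# no "=" at all, or whitespace next to the first "=".
conf_malformed() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { eq = index($0, "=") }
        eq == 0 { print NR ": no = sign: " $0; next }
        substr($0, eq - 1, 1) ~ /[[:space:]]/ || substr($0, eq + 1, 1) ~ /[[:space:]]/ {
            print NR ": whitespace around =: " $0
        }
    ' "$1"
}

# umask_to_mode UMASK: the mode a file created as 0666 gets under UMASK,
# computed digit by digit (each umask digit clears that class's r/w bits).
umask_to_mode() {
    u=$1
    case $u in ????) u=${u#?} ;; esac   # accept 0022-style values too
    a=${u%??}; c=${u#??}; b=${u%?}; b=${b#?}
    printf '%d%d%d\n' $((6 - (a & 6))) $((6 - (b & 6))) $((6 - (c & 6)))
}

# is_yes KEY: true when KEY=YES in the file named by $CONF (absent => NO, a simplification)
is_yes() { [ "$(conf_get "$CONF" "$1")" = YES ]; }

# vsftpd_audit FILE: print one WARN:/INFO: line per finding
vsftpd_audit() {
    CONF=$1
    conf_malformed "$CONF" | sed 's/^/WARN: malformed directive, line /'
    if is_yes anonymous_enable; then
        is_yes anon_upload_enable      && echo "WARN: anonymous users may upload files"
        is_yes anon_other_write_enable && echo "WARN: anonymous users may rename and delete files"
        is_yes anon_mkdir_write_enable && echo "WARN: anonymous users may create directories"
        um=$(conf_get "$CONF" anon_umask); [ -n "$um" ] || um=077   # 077 is the documented default
        mode=$(umask_to_mode "$um")
        case $mode in ??[26]) echo "WARN: anon_umask=$um leaves uploads world-writable (mode $mode)" ;; esac
    fi
    if is_yes chown_uploads; then
        owner=$(conf_get "$CONF" chown_username)
        [ -n "$owner" ] && [ "$owner" != root ] ||
            echo "WARN: chown_uploads=YES hands uploads to root (chown_username unset or root)"
    fi
    is_yes ascii_upload_enable && echo "WARN: ASCII uploads enabled"
    if is_yes local_enable && is_yes write_enable; then
        echo "INFO: local users can create, rename and delete files (local_umask=$(conf_get "$CONF" local_umask))"
    fi
    return 0
}

# Constructed sample configuration (not a Red Hat default file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample vsftpd.conf for the audit above
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=000
chown_uploads=YES
ftpd_banner=Welcome to blah FTP service.
xferlog_enable = YES
EOF

vsftpd_audit "$SAMPLE_CONF"
```

Run against the sample, the audit flags the line with spaces around the = sign (vsftpd will not match it as xferlog_enable), the two anonymous write options, the 000 umask that yields mode 666, and the missing chown_username, and notes that local users have write access with a 022 umask.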

Connection Time Limits

To more efficiently control the workload on a server, you can set time limits on idle users and failed transmissions. The idle_session_timeout option will cut off idle users after a specified time, and data_connection_timeout will cut off failed data connections. The defaults are shown here:

idle_session_timeout=600
data_connection_timeout=120

Messages

The dirmessage_enable option will allow a message held in a directory's .message file to be displayed whenever a user accesses that directory. ftpd_banner lets you set up your own FTP login message. The default is shown here.

ftpd_banner=Welcome to blah FTP service.

Logging

A set of xferlog options control logging. You can enable logging, as well as specify the format and the location of the file.

xferlog_enable=YES

Use the xferlog_file option to specify the log file you want to use. The default is shown here:

xferlog_file=/var/log/vsftpd.log

vsftpd Access Controls

Certain options control access to the FTP site. As previously noted, the anonymous_enable option allows anonymous users access, and local_enable permits local users to log in to their accounts.

Denying Access

The deny_email_enable option lets you deny access by anonymous users, and the banned_email_file option designates the file (usually vsftpd.banned) that holds the e-mail addresses of those users. The vsftpd.ftpusers file lists those users that are never allowed access. These are usually system users like root, mail, and nobody. See Table 21-3 for a list of vsftpd files.

User Access

The userlist_enable option controls access by users, denying access to those listed in the file designated by the userlist_file option (usually vsftpd.user_list). If, instead, you want to restrict access to just certain select users, you can change the meaning and usage of the vsftpd.user_list file to indicate only those users allowed access, instead of those denied access. To do this, you set the userlist_deny option to NO (its default is YES). Only users listed in the vsftpd.user_list file will then be granted access to the FTP site.

User Restrictions

The chroot_list_enable option controls access by local users, letting them access only their home directories, while restricting system access. The chroot_list_file option designates the file (usually vsftpd.chroot_list) that lists those users allowed access. You can allow access by all local users with the chroot_local_user option. If this option is set, then the file designated by chroot_list_file has an inverse meaning, listing those users not allowed access. In the following example, access by local users is limited to those listed in vsftpd.chroot_list.

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
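The two list inversions described under User Access and User Restrictions are easy to get backwards, so here is an added shell model of the decisions (illustration code, not vsftpd's own logic). The list files are constructed samples standing in for vsftpd.ftpusers, vsftpd.user_list and vsftpd.chroot_list; the ftpusers check is the one pam_listfile performs in /etc/pam.d/vsftpd, while the user_list and chroot decisions are made by vsftpd itself.

```shell
#!/bin/sh
# Model of vsftpd's three user lists, added for illustration; the list files
# below are constructed samples, not Red Hat's shipped defaults.

# in_list FILE NAME: true when NAME appears as a whole line of FILE
in_list() { grep -qxF -- "$2" "$1" 2>/dev/null; }

# ftp_login_allowed USER FTPUSERS USER_LIST USERLIST_DENY
# Returns 0 (allowed) or 1 (denied) and prints the reason:
#   FTPUSERS   names always refused (pam_listfile sense=deny)
#   USER_LIST  a deny list when userlist_deny=YES, an allow list when NO
ftp_login_allowed() {
    user=$1 ftpusers=$2 user_list=$3 deny=$4
    if in_list "$ftpusers" "$user"; then
        echo "deny: $user is in ftpusers"; return 1
    fi
    if [ "$deny" = YES ]; then
        if in_list "$user_list" "$user"; then
            echo "deny: $user is in user_list (userlist_deny=YES)"; return 1
        fi
    elif ! in_list "$user_list" "$user"; then
        echo "deny: $user is not in user_list (userlist_deny=NO)"; return 1
    fi
    echo "allow: $user"
}

# ftp_home_only USER CHROOT_LOCAL_USER CHROOT_LIST_ENABLE CHROOT_LIST
# Prints "home" when the local user is confined to the home directory and
# "system" when the whole file system is visible. With chroot_local_user=YES
# the list names the exceptions: the inverse meaning described above.
ftp_home_only() {
    user=$1 all=$2 use_list=$3 list=$4
    listed=no
    [ "$use_list" = YES ] && in_list "$list" "$user" && listed=yes
    if [ "$all" = YES ]; then
        [ $listed = yes ] && echo system || echo home
    else
        [ $listed = yes ] && echo home || echo system
    fi
}

# Constructed sample list files.
FTPUSERS=$(mktemp); USER_LIST=$(mktemp); CHROOT_LIST=$(mktemp)
trap 'rm -f "$FTPUSERS" "$USER_LIST" "$CHROOT_LIST"' EXIT
printf '%s\n' root bin daemon mail nobody > "$FTPUSERS"    # like vsftpd.ftpusers
printf '%s\n' root bob                    > "$USER_LIST"   # like vsftpd.user_list
printf '%s\n' alice                       > "$CHROOT_LIST" # like vsftpd.chroot_list

for u in root bob alice; do
    ftp_login_allowed "$u" "$FTPUSERS" "$USER_LIST" YES || true
    ftp_login_allowed "$u" "$FTPUSERS" "$USER_LIST" NO  || true
done
echo "alice, chroot_local_user=NO:  $(ftp_home_only alice NO  YES "$CHROOT_LIST")"
echo "bob,   chroot_local_user=NO:  $(ftp_home_only bob   NO  YES "$CHROOT_LIST")"
echo "alice, chroot_local_user=YES: $(ftp_home_only alice YES YES "$CHROOT_LIST")"
echo "bob,   chroot_local_user=YES: $(ftp_home_only bob   YES YES "$CHROOT_LIST")"
```

Note that root is refused under both userlist_deny settings: the ftpusers check runs regardless of user_list, which is why system accounts belong in vsftpd.ftpusers rather than only in vsftpd.user_list.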

User Authentication

The vsftpd server makes use of the PAM service to authenticate local users that are remotely accessing their accounts through FTP. In the vsftpd.conf file, the PAM script used for the server is specified with the pam_service_name option.

pam_service_name=vsftpd

In the /etc/pam.d directory, you will find a PAM file named vsftpd with entries for controlling access to the vsftpd server. PAM is currently set up to authenticate users with valid accounts, as well as deny access to users in the /etc/vsftpd.ftpusers file. The default /etc/pam.d/vsftpd file is shown here:

#%PAM-1.0
auth     required  pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth     required  pam_stack.so service=system-auth
auth     required  pam_shells.so
account  required  pam_stack.so service=system-auth
session  required  pam_stack.so service=system-auth

Command Access

Command usage is highly restricted by vsftpd. Most options for the ls command that lists files are not allowed. Only the asterisk file-matching operation is supported (see Chapter 8). To enable recursive listing of files in subdirectories, you have to enable the use of the -R option by setting the ls_recurse_enable option to YES. Some clients, such as ncftp (see Chapter 14), will assume that the recursive option is enabled.

Table 21-3: Files for vsftpd

File                        Description
vsftpd.ftpusers             Users always denied access
vsftpd.user_list            Specified users denied access (allowed access if userlist_deny is NO)
vsftpd.chroot_list          Local users allowed access (denied access if chroot_local_user is on)
/etc/vsftpd/vsftpd.conf     vsftpd configuration file
/etc/pam.d/vsftpd           PAM vsftpd script
/etc/rc.d/init.d/vsftpd     Service vsftpd server script, standalone (Red Hat default)
/etc/xinetd.d/vsftpd        Xinetd vsftpd server script

vsftpd Virtual Hosts

Though the capability is not inherently built in to vsftpd, you can configure and set up the vsftpd server to support virtual hosts. Virtual hosting is where a single FTP server operates as if it has two or more IP addresses. Several IP addresses can then be used to access the same server. The server will then use a separate FTP user directory and files for each host. With vsftpd, this involves manually creating separate FTP users and directories for each virtual host, along with separate vsftpd configuration files for each virtual host in the /etc/vsftpd directory. On Red Hat, vsftpd is configured to run as a standalone service. Its /etc/rc.d/init.d/vsftpd start-up script will automatically search for and read any configuration files listed in the /etc/vsftpd directory.

If, on the other hand, you wish to run vsftpd as an xinetd service, you would have to create a separate xinetd service script for each host in the /etc/xinetd.d directory. In effect, you have several vsftpd services running in parallel, one for each virtual host. The following example uses two IP addresses for an FTP server.

  • First, create an FTP user for each host, along with a directory for each host. (You could use the one already set up for one of the users.) For example, for the first virtual host you could use FTP-host1. Be sure to set root ownership and the appropriate permissions.

    useradd -d /var/ftp-host1 FTP-host1
    chown root.root /var/ftp-host1
    chmod a+rx /var/ftp-host1
    umask 022
    mkdir /var/ftp-host1/pub
  • Set up two corresponding vsftpd service scripts in the /etc/xinetd.d directory. On Red Hat, the vsftpd directory in /usr/share/doc has an xinetd example script, vsftpd.xinetd. Within each, enter a bind attribute to specify the IP address the server will respond to.

    bind = 192.168.0.34
  • Within the same scripts, enter a server_args entry specifying the name of the configuration file to use.

    server_args = vsftpd-host1.conf
  • Within the /etc/vsftpd directory, create separate configuration files for each virtual host. Within each, specify the FTP user you created for that host, using the ftp_username entry (as in vsftpd.conf, with no spaces around the = sign).

    ftp_username=FTP-host1
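The steps above, carried through for two hosts as an added shell script (illustration code, not Red Hat's vsftpd.xinetd example or any part of vsftpd). It writes the files into a staging directory so it can be run and reviewed as an ordinary user, and emits the useradd/chown/chmod commands as a separate root script instead of executing them. Choices and assumptions of this example, not of the book: the xinetd id attribute is set so that the two services named ftp stay distinct, server_args carries the full path of the configuration file, each configuration sets listen=NO because xinetd rather than vsftpd accepts the connection, anonymous-only read access and a per-host log file are configured, and the second address 192.168.0.35 is constructed.

```shell
#!/bin/sh
# Generate per-virtual-host xinetd and vsftpd files for the xinetd variant.
# Added illustration; paths and settings are this script's own choices.

# make_vhost STAGE NAME IP writes
#   STAGE/etc/xinetd.d/vsftpd-NAME      xinetd service bound to IP
#   STAGE/etc/vsftpd/vsftpd-NAME.conf   vsftpd config using user FTP-NAME
#   STAGE/setup-NAME.sh                 root commands that create the FTP user
make_vhost() {
    stage=$1 name=$2 ip=$3
    user="FTP-$name" home="/var/ftp-$name"
    mkdir -p "$stage/etc/xinetd.d" "$stage/etc/vsftpd"

    cat > "$stage/etc/xinetd.d/vsftpd-$name" <<EOF
# xinetd service for virtual host $name; "id" tells the two ftp services apart
service ftp
{
        id              = vsftpd-$name
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        server_args     = /etc/vsftpd/vsftpd-$name.conf
        bind            = $ip
        disable         = no
}
EOF

    cat > "$stage/etc/vsftpd/vsftpd-$name.conf" <<EOF
# vsftpd configuration for virtual host $name (no spaces around "=")
listen=NO
anonymous_enable=YES
local_enable=NO
write_enable=NO
ftp_username=$user
ftpd_banner=Welcome to $name.
xferlog_enable=YES
xferlog_file=/var/log/vsftpd-$name.log
EOF

    cat > "$stage/setup-$name.sh" <<EOF
#!/bin/sh
# run as root: create the FTP user and a root-owned, world-readable home
useradd -d $home $user
chown root:root $home
chmod a+rx $home
umask 022
mkdir $home/pub
EOF
    chmod +x "$stage/setup-$name.sh"
}

# vhost_setting STAGE NAME KEY: read a directive back from the generated conf
vhost_setting() {
    sed -n "s/^$3=//p" "$1/etc/vsftpd/vsftpd-$2.conf"
}

# xinetd_bind STAGE NAME: the address the generated xinetd service binds to
xinetd_bind() {
    sed -n 's/^[[:space:]]*bind[[:space:]]*=[[:space:]]*//p' "$1/etc/xinetd.d/vsftpd-$2"
}

STAGE=$(mktemp -d)
trap 'rm -rf "$STAGE"' EXIT
make_vhost "$STAGE" host1 192.168.0.34
make_vhost "$STAGE" host2 192.168.0.35   # second address is constructed
find "$STAGE" -type f | sort
```

For the standalone variant described at the start of this section, each configuration file would instead carry listen=YES and the host's address in listen_address, and no xinetd files would be needed.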

vsftpd Virtual Users

Virtual users can be implemented by making use of PAM to authenticate authorized users. In effect, you are allowing access to certain users, while not having to actually set up accounts for them on the FTP server system. First create a PAM login database file to use along with a PAM file in the /etc/pam.d directory that will access the database. Then create a virtual FTP user along with corresponding directories that the virtual users will access (see the vsftpd documentation at vsftpd.beasts.org for more detailed information). Then in the vsftpd.conf file, you can disable anonymous FTP:

anonymous_enable=NO
local_enable=YES

and then enable guest access:

guest_enable=YES
guest_username=virtual
