The Very Secure FTP server (vsftpd) is small, fast, easy, and secure. It is designed to avoid the overhead of large FTP server applications like ProFTPD, while maintaining a very high level of security. It can also handle a very large workload, managing high traffic levels on an FTP site. It is perhaps best for sites where many anonymous and guest users will be downloading the same files. Beginning with Red Hat 9, it replaced the Washington University FTP server, WU-FTPD.
The Very Secure FTP server is inherently designed to provide as much security as possible, taking full advantage of Unix and Linux operating system features. The server is separated into privileged and unprivileged processes. The unprivileged process receives all FTP requests, interpreting them and then sending them over a socket to the privileged process, which then securely filters all requests. Even the privileged process does not run with full root capabilities, using only those that are necessary to perform its tasks. In addition, the Very Secure FTP server uses its own version of directory commands like ls, instead of the system's versions.
The Very Secure FTP server's daemon is named vsftpd. On Red Hat, it is now designed to be run as a standalone server, which can be started and stopped using the /etc/rc.d/init.d/vsftpd server script. To start, stop, and restart vsftpd, you can use the service command.
service vsftpd start
To have the server start automatically, you can turn it on with the chkconfig command and the on argument, as shown here. Use the off argument to disable the server. If you previously enabled another FTP server such as ProFTPD, be sure to disable it first.
chkconfig vsftpd on
You can also use redhat-config-services to start and stop vsftpd, or to have it started automatically.
Alternatively, you can run vsftpd under xinetd, which starts the server only when a user makes a request. The use of xinetd for servers is described in detail in Chapter 20. xinetd uses a service script file called vsftpd, located in the /etc/xinetd.d directory.
Initially, the server will be turned off. You can turn it on in xinetd with the chkconfig command and the on argument, as shown here. Use the off argument to disable the server.
chkconfig vsftpd on
Should you make configuration changes, restart xinetd with the service command (or redhat-config-services) to restart the vsftpd server.
service xinetd restart
You configure vsftpd using one configuration file, /etc/vsftpd/vsftpd.conf. Configuration options are simple and kept to a minimum, making it less flexible than ProFTPD, but much faster (see Table 21-2). The vsftpd.conf file contains a set of directives where an option is assigned a value (there are no spaces around the = sign). Options can be on and off flags assigned a YES or NO value, features that take a numeric value, or ones that are assigned a string. Red Hat installs a default vsftpd.conf file in the /etc/vsftpd directory. This file lists some of the commonly used options available with detailed explanations for each. Those not used are commented out with a preceding # character. Option names are very understandable. For example, anon_upload_enable allows anonymous users to upload files, whereas anon_mkdir_write_enable lets anonymous users create directories. The man page for vsftpd.conf lists all options, providing a detailed explanation for each.
Table 21-2: vsftpd configuration options

| Option | Description |
|---|---|
| listen | Set standalone mode |
| listen_port | Specify port for standalone mode |
| anonymous_enable | Enable anonymous user access |
| local_enable | Enable access by local users |
| no_anon_password | Specify whether anonymous users must submit a password |
| anon_upload_enable | Enable uploading by anonymous users |
| anon_mkdir_write_enable | Allow anonymous users to create directories |
| anon_world_readable_only | Make uploaded files read only to all users |
| idle_session_timeout | Time limit in seconds for idle sessions |
| data_connection_timeout | Time limit in seconds for failed data connections |
| dirmessage_enable | Display directory messages |
| ftpd_banner | Display FTP login message |
| xferlog_enable | Enable logging of transmission transactions |
| xferlog_file | Specify log file |
| deny_email_enable | Enable denying anonymous users whose e-mail addresses are specified in vsftpd.banned |
| userlist_enable | Deny access to users specified in the vsftpd.user_list file |
| userlist_file | Deny or allow users access depending on the setting of userlist_deny |
| userlist_deny | When set to YES, users listed in userlist_file are denied access. When set to NO, users listed in userlist_file, and only those users, are allowed access |
| chroot_list_enable | Restrict users to their home directories |
| chroot_list_file | Lists the users allowed access to their home directories. If chroot_local_user is set to YES, this file instead lists the users not allowed access to their home directories |
| chroot_local_user | Allow access by all users to their home directories |
| pam_service_name | Specify PAM script |
| ls_recurse_enable | Enable recursive listing |
To run vsftpd as a standalone server, you set the listen option to YES. This instructs vsftpd to continually listen on its assigned port for requests. You can specify the port it listens on with the listen_port option.
listen=YES
In the following example taken from the vsftpd.conf file, anonymous FTP is enabled by assigning the YES value to the anonymous_enable option. The local_enable option allows local users on your system to use the FTP server.
# Allow anonymous FTP?
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
Should you want to let anonymous users log in without providing a password, you can set no_anon_password to YES.
A variety of user permissions control how local users can access files on the server. If you want to allow local users to create, rename, and delete files and directories in their accounts, you have to enable write access with the write_enable option; any files they upload, they can then also delete. Strictly speaking, the write_enable option activates the whole range of commands that change the file system, including creating, renaming, and deleting both files and directories.
write_enable=YES
You can further specify the permissions for uploaded files using the local_umask option. Red Hat's vsftpd.conf sets a default of 022, which gives read and write permission to the owner and read-only permission to all other users (mode 644).
local_umask=022
ASCII uploads entail certain security risks and are turned off by default, but if you are uploading large text files, you may want to enable them in special cases. Use the ascii_upload_enable option to allow ASCII uploads.
You can also allow anonymous users to upload and delete files, as well as create or remove directories. Uploading by anonymous users is enabled with the anon_upload_enable option. To let anonymous users also rename or delete their files, you set the anon_other_write_enable option. To also let them create directories, you set the anon_mkdir_write_enable option.
anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES
The anon_world_readable_only option will make uploaded files read only (downloadable), restricting write access to the user that created them. Only the user that uploaded a file could delete it.
All uploaded files are owned by the anonymous FTP user. You can have the files owned by another user instead, which can add security: the actual user owning the uploaded files is hidden from anonymous users. To enable this option, set chown_uploads to YES and specify the new user with chown_username. Never make this user an administrative user like root.
chown_uploads=YES
chown_username=myftpfiles
The upload directory itself must be writable by other users.
chmod 777 /var/ftp/upload
You can control the kind of access that users have to anonymously uploaded files with the anon_umask option, which sets the default read/write permissions for those files. The default is 077, which gives read/write permission to the owner only (mode 600). To allow all users read access, you would set the umask to 022, where the 2 turns off write permission but leaves read permission (mode 644). The value 000 would allow both read and write for all users (mode 666).
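The option syntax (option=value, no spaces around the = sign) and the umask arithmetic above are easy to get wrong by hand. The following script is an added example, not code from this chapter or from the vsftpd project: it parses vsftpd.conf-style text, rejects malformed lines, computes the mode an uploaded file receives from local_umask or anon_umask, and flags the risky combinations discussed above (anonymous upload with rename and delete, a permissive anon_umask, chown_username set to root, ASCII uploads). The option names are real vsftpd.conf directives; the two sample configurations are constructed for the demo, and the severity labels are the script's own convention.

```python
"""Parse vsftpd.conf-style text and flag risky upload settings.
Added example, not code from the chapter or the vsftpd project: option
names are real vsftpd.conf directives, the sample configurations are
constructed for the demo, and the severity labels are this script's own."""
import re

# vsftpd.conf syntax: option=value, one per line, no spaces around "=",
# "#" starts a comment.  Lines that break the rule are reported as errors.
_LINE = re.compile(r"^([A-Za-z_]+)=(.*)$")
BOOL_OPTIONS = {"listen", "anonymous_enable", "local_enable", "write_enable",
                "no_anon_password", "anon_upload_enable", "chown_uploads",
                "anon_other_write_enable", "anon_mkdir_write_enable",
                "ascii_upload_enable", "userlist_enable", "userlist_deny",
                "chroot_list_enable", "chroot_local_user", "xferlog_enable"}
NUMERIC_OPTIONS = {"listen_port", "idle_session_timeout", "data_connection_timeout"}
UMASK_OPTIONS = {"local_umask", "anon_umask"}


def parse_conf(text):
    """Return (options, errors); option values are kept as strings."""
    options, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            errors.append(f"line {lineno}: expected option=value with no "
                          f"spaces around '=': {line!r}")
            continue
        name, value = m.groups()
        if name in BOOL_OPTIONS and value not in ("YES", "NO"):
            errors.append(f"line {lineno}: {name} must be YES or NO")
        elif name in NUMERIC_OPTIONS and not value.isdigit():
            errors.append(f"line {lineno}: {name} must be numeric")
        elif name in UMASK_OPTIONS and not re.fullmatch(r"0?[0-7]{3}", value):
            errors.append(f"line {lineno}: {name} must be an octal umask")
        options[name] = value
    return options, errors


def upload_mode(umask):
    """Mode a newly uploaded file gets: 0666 with the umask bits cleared
    (022 -> 644, 077 -> 600, 000 -> 666), as the text describes."""
    return 0o666 & ~int(umask, 8)


def audit(options):
    """Return (severity, message) findings for the settings the text covers."""
    def on(name):
        return options.get(name, "NO") == "YES"

    findings = []
    if on("anonymous_enable") and on("anon_upload_enable"):
        if not on("write_enable"):
            findings.append(("info", "anon_upload_enable has no effect "
                                     "without write_enable=YES"))
        else:
            findings.append(("medium", "anonymous users may upload files"))
            if on("anon_other_write_enable"):
                findings.append(("high", "anonymous users may rename and "
                                         "delete files"))
            # 077 is vsftpd's default anon_umask, as the text notes
            mode = upload_mode(options.get("anon_umask", "077"))
            if mode & 0o022:
                findings.append(("high", "anon_umask leaves uploads group- "
                                         f"or world-writable (mode {mode:o})"))
    if on("chown_uploads") and options.get("chown_username") == "root":
        findings.append(("high", "chown_username must never be root"))
    if on("ascii_upload_enable"):
        findings.append(("medium", "ASCII uploads enabled (off by default)"))
    if "local_umask" in options and upload_mode(options["local_umask"]) & 0o022:
        findings.append(("medium", "local_umask leaves local uploads "
                                   "group- or world-writable"))
    return findings


# Constructed samples: a permissive configuration and a tightened one.
WEAK_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_umask=000
chown_uploads=YES
chown_username=root
ascii_upload_enable = YES
"""
HARDENED_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=NO
anon_umask=077
chown_uploads=YES
chown_username=myftpfiles
local_umask=022
"""
```

Call parse_conf on the text of a configuration file and pass the resulting options to audit. In the weak sample, the line ascii_upload_enable = YES is reported as a syntax error rather than accepted as an option, mirroring the no-spaces rule the text gives for vsftpd.conf, so a misspelt or mis-spaced option never silently becomes a default.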
To more efficiently control the workload on a server, you can set time limits on idle users and failed transmissions. The idle_session_timeout option will cut off idle users after a specified time, and data_connection_timeout will cut off failed data connections. The defaults are shown here:
idle_session_timeout=600
data_connection_timeout=120
The dirmessage_enable option will allow a message held in a directory's .message file to be displayed whenever a user accesses that directory. ftpd_banner lets you set up your own FTP login message. The default is shown here.
ftpd_banner=Welcome to blah FTP service.
A set of xferlog options control logging. You can enable logging, as well as specify the format and the location of the file.
xferlog_enable=YES
Use the xferlog_file option to specify the log file you want to use. The default is shown here:
xferlog_file=/var/log/vsftpd.log
Certain options control access to the FTP site. As previously noted, the anonymous_enable option allows anonymous users access, and local_enable permits local users to log in to their accounts.
The deny_email_enable option lets you deny access by anonymous users, and the banned_email_file option designates the file (usually vsftpd.banned) that holds the e-mail addresses of those users. The vsftpd.ftpusers file lists those users that are never allowed access. These are usually system users like root, mail, and nobody. See Table 21-3 for a list of vsftpd files.
The userlist_enable option controls access by users, denying access to those listed in the file designated by the userlist_file option (usually vsftpd.user_list). If, instead, you want to restrict access to just certain select users, you can invert the meaning of the vsftpd.user_list file so that it lists only those users allowed access, rather than those denied. To do this, set the userlist_deny option to NO (its default is YES). Only users listed in the vsftpd.user_list file will then be granted access to the FTP site.
The chroot_list_enable option controls access by local users, letting them access only their home directories while restricting access to the rest of the system. The chroot_list_file option designates the file (usually vsftpd.chroot_list) that lists those users allowed access. You can allow access by all local users with the chroot_local_user option. If this option is set, the file designated by chroot_list_file has an inverse meaning, listing those users not allowed access. In the following example, access by local users is limited to those listed in /etc/vsftpd.chroot_list.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
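Because userlist_deny and chroot_local_user each flip the meaning of a list file, it is worth checking the combined effect before deploying. The following model is an added example, not code from this chapter or from vsftpd: it implements the rules the text gives for vsftpd.ftpusers (the always-deny list applied through PAM's pam_listfile line with sense=deny), vsftpd.user_list with userlist_deny, and vsftpd.chroot_list with chroot_local_user, and reports whether a named user may log in and whether they are confined to their home directory. The function names are the example's own, and the user lists and configurations are constructed for the demo.

```python
"""Model of how vsftpd's user-list, chroot-list and ftpusers settings
decide who may log in and who is confined to their home directory.
Added example, not code from the chapter or the vsftpd project; the
function names are this example's own and the lists are constructed."""

# The three files the text describes, as constructed sets of user names.
FTPUSERS = {"root", "bin", "daemon", "mail", "nobody"}   # /etc/vsftpd.ftpusers
USER_LIST = {"alice", "bob"}                             # vsftpd.user_list
CHROOT_LIST = {"alice"}                                  # vsftpd.chroot_list


def _yes(opts, name, default="NO"):
    return opts.get(name, default) == "YES"


def login_allowed(user, opts, ftpusers=FTPUSERS, user_list=USER_LIST):
    """Return (allowed, reason). ftpusers is applied first: the PAM stack's
    pam_listfile line with sense=deny rejects anyone listed there."""
    if user in ftpusers:
        return False, "listed in vsftpd.ftpusers (always denied)"
    if _yes(opts, "userlist_enable"):
        deny_mode = _yes(opts, "userlist_deny", default="YES")  # YES is the default
        listed = user in user_list
        if deny_mode and listed:
            return False, "listed in vsftpd.user_list and userlist_deny=YES"
        if not deny_mode and not listed:
            return False, "not in vsftpd.user_list and userlist_deny=NO"
    return True, "permitted"


def is_chrooted(user, opts, chroot_list=CHROOT_LIST):
    """Whether a local user is confined to their home directory.  With
    chroot_local_user=YES the list names the exceptions; otherwise it
    names the users who are confined."""
    listed = _yes(opts, "chroot_list_enable") and user in chroot_list
    if _yes(opts, "chroot_local_user"):
        return not listed
    return listed


# Two constructed configurations: a deny-list setup (the defaults) and an
# allow-list setup that confines everyone except the listed users.
DENY_LIST_CONF = {"userlist_enable": "YES", "userlist_deny": "YES",
                  "chroot_list_enable": "YES", "chroot_local_user": "NO"}
ALLOW_LIST_CONF = {"userlist_enable": "YES", "userlist_deny": "NO",
                   "chroot_list_enable": "YES", "chroot_local_user": "YES"}


def describe(user, opts):
    """One-line summary of the decision for a user under a configuration."""
    allowed, why = login_allowed(user, opts)
    if not allowed:
        return f"{user}: denied ({why})"
    where = "chrooted" if is_chrooted(user, opts) else "full filesystem"
    return f"{user}: allowed, {where}"


if __name__ == "__main__":
    for name, conf in (("deny-list", DENY_LIST_CONF), ("allow-list", ALLOW_LIST_CONF)):
        print(f"== {name} ==")
        for user in ("root", "alice", "bob", "carol"):
            print(describe(user, conf))
```

Running the script prints the decision for each sample user under both configurations; note that alice, who is confined under the deny-list setup, is the one user not confined under the allow-list setup, because the same chroot list has changed meaning. The shipped PAM line uses onerr=succeed, which makes pam_listfile pass rather than fail if vsftpd.ftpusers cannot be read; the model treats a missing file as an empty set, which has the same effect.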
The vsftpd server makes use of the PAM service to authenticate local users that are remotely accessing their accounts through FTP. In the vsftpd.conf file, the PAM script used for the server is specified with the pam_service_name option.
pam_service_name=vsftpd
In the /etc/pam.d directory, you will find a PAM file named vsftpd with entries for controlling access to the vsftpd server. PAM is set up to authenticate users with valid accounts and to deny access to users listed in the /etc/vsftpd.ftpusers file. The default /etc/pam.d/vsftpd file is shown here:
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Command usage is highly restricted by vsftpd. Most options for the ls command that lists files are not allowed. Only the asterisk file-matching operation is supported (see Chapter 8). To enable recursive listing of files in subdirectories, you have to enable the use of the -R option by setting the ls_recurse_enable option to YES. Some clients, such as ncftp (see Chapter 14), will assume that the recursive option is enabled.
Table 21-3: vsftpd files

| File | Description |
|---|---|
| vsftpd.ftpusers | Users always denied access |
| vsftpd.user_list | Specified users denied access (allowed access if userlist_deny is NO) |
| vsftpd.chroot_list | Local users allowed access (denied access if chroot_local_user is on) |
| /etc/vsftpd/vsftpd.conf | vsftpd configuration file |
| /etc/pam.d/vsftpd | PAM vsftpd script |
| /etc/rc.d/init.d/vsftpd | Service vsftpd server script, standalone (Red Hat default) |
| /etc/xinetd.d/vsftpd | Xinetd vsftpd server script |
Though the capability is not inherently built in to vsftpd, you can configure the vsftpd server to support virtual hosts. Virtual hosting is where a single FTP server operates as if it has two or more IP addresses; each IP address can be used to access the same server, and the server uses a separate FTP user directory and files for each host. With vsftpd, this involves manually creating separate FTP users and directories for each virtual host, along with a separate vsftpd configuration file for each virtual host in the /etc/vsftpd directory. On Red Hat, vsftpd is configured to run as a standalone service, and its /etc/rc.d/init.d/vsftpd start-up script will automatically search for and read any configuration files in the /etc/vsftpd directory.
If, on the other hand, you wish to run vsftpd as an xinetd service, you would have to create a separate xinetd service script for each host in the /etc/xinetd.d directory. In effect, you have several vsftpd services running in parallel, one for each virtual host. The following example uses two IP addresses for an FTP server.
First, create an FTP user for each host. Create directories for each host. (You could use the one already set up for one of the users.) For example, for the first virtual host you could use FTP-host1. Be sure to set root ownership and the appropriate permissions.
useradd -d /var/ftp-host1 FTP-host1
chown root.root /var/ftp-host1
chmod a+rx /var/ftp-host1
umask 022
mkdir /var/ftp-host1/pub
Set up two corresponding vsftpd service scripts in the /etc/xinetd.d directory. On Red Hat, the vsftpd directory in /usr/share/doc has an example xinetd script, vsftpd.xinetd. Within each, enter a bind attribute to specify the IP address the server will respond to.
bind = 192.168.0.34
Within the same scripts, enter a server_args entry specifying the name of the configuration file to use.
server_args = vsftpd-host1.conf
Within the /etc/vsftpd directory, create separate configuration files for each virtual host. Within each, specify the FTP user you created for that host with the ftp_username entry (as with any vsftpd.conf option, no spaces around the = sign).
ftp_username=FTP-host1
Virtual users can be implemented by making use of PAM to authenticate authorized users. In effect, you are allowing access to certain users, while not having to actually set up accounts for them on the FTP server system. First create a PAM login database file to use along with a PAM file in the /etc/pam.d directory that will access the database. Then create a virtual FTP user along with corresponding directories that the virtual users will access (see the vsftpd documentation at vsftpd.beasts.org for more detailed information). Then in the vsftpd.conf file, you can disable anonymous FTP:
anonymous_enable=NO
local_enable=YES
and then enable guest access:
guest_enable=YES
guest_username=virtual