Use VSFTP for a secure FTP server
Published: 22 Jan 2003 10:37 GMT
File Transfer Protocol (FTP) servers can be useful for providing files to customers and for exchanging files with partners and business associates. However, FTP can be the bane of the admins who must keep these services secure and operational: a poorly secured FTP service is a common route to a successful attack on a server. That's where VSFTP comes in.
VSFTP is a secure, stable, and fast FTP server. It can greatly decrease the chances of an attacker gaining access to a server via FTP exploits. Want evidence? The Red Hat, OpenBSD, and SuSE FTP sites all have one thing in common: They all run on VSFTP. Even SANS recommends VSFTP as the preferred FTP daemon because of its tight security.
VSFTP basics
VSFTP is an FTP server daemon that runs on Linux/UNIX operating systems. Its primary features are security, performance, and stability. VSFTP also includes a number of attractive extras, including a small system footprint, support for virtual users, the choice of running standalone or from the inetd daemon, and bandwidth throttling for more control over the site.
As of this writing, the current version is 1.1.3, although version 1.2 is a release candidate and may very well be available by the time this article is published. Version 1.1.3 is a 117-KB archived download.
For this demonstration, I am using VSFTP 1.1.3 on a Red Hat 8.0 server with version 2.4.18-14 of the kernel.
Installation
Installing VSFTP is much like installing any other application under Linux. To expand the downloaded archive, switch to the directory in which you saved it and type:
gunzip -dc vsftpd-1.1.3.tar.gz | tar xvf -
This will create a directory named vsftpd-1.1.3 and put all of the files into it. Switch to that directory by typing cd vsftpd-1.1.3 at the prompt.
In this example, I am using a standard configuration, which begins by typing make at the command prompt. If you want to change the build configuration, edit the builddefs.h file in the distribution before compiling with the make command. If the compilation process is successful, a binary file named vsftpd will be placed into this directory. In my testing, the compilation went quickly and was free of errors.
Adding users
VSFTP uses the Linux/UNIX "nobody" user as a part of the default configuration. On most Linux/UNIX operating systems, this user exists by default, but if it doesn't exist on your system(s), you'll need to add it. On my system, I get the following results when I try to add it (which indicates that the user already exists):
[root@rh8lab vsftpd-1.1.3]# /usr/sbin/useradd nobody
useradd: user nobody exists
In addition, you need to create an FTP user if you want to support anonymous FTP. If you plan to always authenticate the incoming user, you don't have to do this. However, to preserve the security of VSFTP, the anonymous user's home directory must not be owned by the FTP user, and the FTP user must not have write permission on it. You can use the commands in Table A to accomplish this.
| Command | What it does |
| --- | --- |
| mkdir /var/ftp/ | Creates a directory named /var/ftp. |
| /usr/sbin/useradd -d /var/ftp ftp | Creates a user named "ftp" with the home directory /var/ftp. On many systems, this user will already exist. |
| chown root.root /var/ftp | Changes ownership of the /var/ftp directory to the root user. |
| chmod og-w /var/ftp | Removes the write permission from group and others. |
Table A: Creating the FTP user and setting appropriate permissions
Next, make sure that the directory /usr/share/empty exists. If not, create it with the mkdir command. Finally, you need to install the executable file, help pages, and so forth, that were previously created during the build process. To do this, change to the directory in which you built vsftpd and type make install. This installs everything you need to begin using VSFTPD except a configuration file. You can copy a sample configuration file to the /etc directory by typing cp vsftpd.conf /etc.
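The whole procedure from unpacking the archive to copying the sample configuration, collected into one script. This is an added example, not code from the article or from the vsftpd project. It assumes vsftpd-1.1.3.tar.gz is in the current directory and that the install steps run as root; the "ftp" and "nobody" user names, /var/ftp and /usr/share/empty are the ones the article uses. Beyond the article's steps it adds check_dir_locked, a small verification that a directory is owned by root and not writable by group or others, which is the property the article requires of the anonymous root and which vsftpd also expects of its secure chroot directory /usr/share/empty.

```shell
#!/bin/sh
# Added example, not code from the article or the vsftpd project.
# Assumes: vsftpd-1.1.3.tar.gz in the current directory, run as root.

VSFTPD_VERSION="1.1.3"
ANON_ROOT="/var/ftp"
SECURE_CHROOT_DIR="/usr/share/empty"

# check_dir_locked DIR OWNER
# Returns 0 when DIR is a directory owned by OWNER with no write permission
# for group or others; otherwise prints the reason and returns 1. It parses
# `ls -ld` rather than `stat`, whose flags differ between GNU and BSD systems.
check_dir_locked() {
    dir="$1"
    want_owner="$2"
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    set -- $(ls -ld "$dir")     # $1 = mode string (e.g. drwxr-xr-x), $3 = owner
    mode="$1"
    owner="$3"
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner"
        return 1
    fi
    group_w=$(printf '%s' "$mode" | cut -c6)   # 6th char: group write bit
    other_w=$(printf '%s' "$mode" | cut -c9)   # 9th char: other write bit
    if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
        echo "$dir: writable by group or others ($mode)"
        return 1
    fi
    return 0
}

# ensure_user NAME [useradd options]: the article's useradd step, made
# idempotent so re-running the script does not stop on "user ... exists".
ensure_user() {
    name="$1"
    shift
    id "$name" >/dev/null 2>&1 || /usr/sbin/useradd "$@" "$name"
}

# prepare_anon_root: the commands from Table A, then verify the result.
prepare_anon_root() {
    mkdir -p "$ANON_ROOT"
    ensure_user ftp -d "$ANON_ROOT"
    chown root:root "$ANON_ROOT"      # same as the article's "chown root.root"
    chmod og-w "$ANON_ROOT"
    check_dir_locked "$ANON_ROOT" root
}

# install_vsftpd: unpack, build, create users and directories, install.
install_vsftpd() {
    gunzip -dc "vsftpd-$VSFTPD_VERSION.tar.gz" | tar xvf - || return 1
    cd "vsftpd-$VSFTPD_VERSION" || return 1
    make || return 1                  # edit builddefs.h first to change options
    ensure_user nobody
    prepare_anon_root || return 1
    mkdir -p "$SECURE_CHROOT_DIR"
    check_dir_locked "$SECURE_CHROOT_DIR" root || return 1
    make install || return 1
    # Keep an existing config; otherwise copy the sample from the source tree.
    [ -f /etc/vsftpd.conf ] || cp vsftpd.conf /etc
}

# Run the full procedure only when invoked as: sh ./install-vsftpd.sh install
if [ "${1:-}" = "install" ]; then
    install_vsftpd
fi
```

Running the script with the argument install performs every step in order and stops at the first failure, so a build error or a /var/ftp that is still writable is reported before make install runs; without the argument it only defines the functions, which lets you call check_dir_locked on any directory to audit an existing installation.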