Use VSFTP for a secure FTP server
Published: 22 Jan 2003 10:37 GMT
Standalone
If you want to run VSFTP in standalone mode, all you need to do is add a single line to the end of the /etc/vsftpd.conf file that reads "listen=YES" and then execute /usr/local/sbin/vsftpd &. The & runs the program in the background and returns you to a command prompt. Assuming you get no error messages, you can now connect to the FTP server as an anonymous user and get directory listings, transfer files, etc.
Using xinetd
Since I'm doing my testing and demonstration on a Red Hat 8 system (which uses xinetd), I will be focusing on the xinetd installation process.
inetd
If you are running an inetd machine, you can use the installation instructions included with VSFTP for details on how to set up your server. Everything should work if you add the line "ftp stream tcp nowait root /usr/local/sbin/vsftpd" to /etc/inetd.d and then restart the inetd daemon, either via a reboot or with kill -SIGHUP {pid of inetd}. Be sure that this is the only "ftp" line in the file.
If you are running on an xinetd machine, a configuration file resides in /etc/xinetd.d named vsftpd. If you can't find this file at that location, you can copy it from the vsftpd.conf example that comes with the VSFTP distribution. When editing this file, you'll see a number of parameters underneath "service ftp" that dictate how the VSFTP server will function. Table B lists these parameters, their defaults, and what they mean.
| Parameter | Default | Meaning |
|---|---|---|
| socket_type | stream | The socket type used for this protocol. FTP uses a TCP stream. |
| wait | no | Whether xinetd waits for the server process to finish before accepting further connections on the socket. "no" means it keeps accepting. |
| user | root | The user under which the service is launched. Note that VSFTP drops privileges as soon as possible after starting. |
| server | /usr/local/sbin/vsftpd | The location of the server program associated with this configuration file. If you have vsftpd in a different location, change this value. |
| nice | 10 | Modifies the default scheduling priority for the process. 10 is the default, with the range being -20 (highest priority) to 19 (lowest). |
| disable | no | The service is not disabled. In other words, it is started when xinetd starts up. |
| per_source | No default | The number of concurrent connections allowed from the same IP address. Useful for limiting the number of connections from a single site. |
| instances | No default | The maximum number of concurrent FTP connections to the server. Useful for limiting server load. |
| no_access | No default | A list of IP addresses that are not allowed to access this service. |
I will use the default configuration file and restart xinetd on my Red Hat server by typing /etc/rc.d/init.d/xinetd restart at the command prompt. Note that if you previously configured VSFTP in standalone mode, you need to remove the line "listen=YES" from /etc/vsftpd.conf. If you don't, xinetd will restart, but the vsftpd service will not work. I made that mistake the first time I configured VSFTP.
Once this is done, you should be able to connect to the VSFTP server as an anonymous user and get directory listings, download files, etc.
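The following script is an added example, not code from the article or from the vsftpd project. It writes an xinetd service stanza for vsftpd using the Table B parameters, with the three optional limits (per_source, instances, no_access) filled in with constructed sample values, and it checks for the leftover "listen=YES" line that makes vsftpd fail under xinetd. File paths are passed as arguments so you can try it against scratch copies before touching /etc/xinetd.d/vsftpd and /etc/vsftpd.conf.

```shell
#!/bin/sh
# Added example: generate an xinetd stanza for vsftpd and check that
# vsftpd.conf is not still configured for standalone mode.
# Not part of the original article; paths are supplied by the caller.

# write_xinetd_vsftpd OUTFILE [SERVER]
# The per_source, instances and no_access values are constructed sample
# limits (192.0.2.0/24 is a documentation-only range), not xinetd defaults.
write_xinetd_vsftpd() {
    out="$1"
    server="${2:-/usr/local/sbin/vsftpd}"
    cat > "$out" <<EOF
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = $server
    nice            = 10
    disable         = no
    per_source      = 5
    instances       = 50
    no_access       = 192.0.2.0/24
}
EOF
}

# xinetd_param FILE NAME -> prints the value of NAME from the stanza
xinetd_param() {
    awk -v k="$2" '$1 == k && $2 == "=" { print $3 }' "$1"
}

# vsftpd_listen_enabled CONF -> 0 if an active listen=YES line is present.
# vsftpd would then try to bind port 21 itself and fail when started by xinetd.
vsftpd_listen_enabled() {
    grep -Eq '^[[:space:]]*listen[[:space:]]*=[[:space:]]*YES' "$1"
}

# xinetd_mode_ok XINETD_FILE CONF -> 0 only when the stanza is enabled and
# vsftpd.conf does not also claim standalone mode
xinetd_mode_ok() {
    [ "$(xinetd_param "$1" disable)" = "no" ] && ! vsftpd_listen_enabled "$2"
}

# Demonstration against a scratch directory:  sh this_script.sh demo
demo() {
    d=$(mktemp -d)
    write_xinetd_vsftpd "$d/vsftpd"
    printf 'anonymous_enable=YES\nlisten=YES\n' > "$d/vsftpd.conf"   # constructed sample
    if xinetd_mode_ok "$d/vsftpd" "$d/vsftpd.conf"; then
        echo "xinetd mode consistent"
    else
        echo "remove listen=YES from $d/vsftpd.conf before using xinetd"
    fi
    cat "$d/vsftpd"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The check mirrors the author's mistake above: xinetd_mode_ok only succeeds when the stanza has disable = no and vsftpd.conf carries no active listen=YES line (a commented-out "#listen=YES" is ignored).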
Enabling controlled access
Setting up an FTP server to distribute software to anyone who connects can be useful in many cases, but you may want to control access to the FTP resources. For example, suppose you want to set up a site just for your customers.
You can do this with VSFTP by making use of PAM. My Red Hat server uses PAM for authentication, as do most Red Hat machines. To determine whether your distribution uses PAM, look for a file named pam.conf or for a directory named pam.d. Since my Red Hat server uses the pam.d directory for its PAM information, I will be demonstrating that installation method only.
VSFTP comes with a sample PAM configuration located in the Red Hat subdirectory of the distribution. This file needs to be renamed and copied to the pam.d directory, which you can do with the command:
cp vsftpd.pam /etc/pam.d/ftp
Next, you need to change the VSFTP configuration to allow local user logins. To do this, edit the file /etc/vsftpd.conf and uncomment the line "local_enable=YES".
Now, when you attempt to connect to the server as a Linux/UNIX user, you will be placed in that user's home directory. Listing A shows the results of my demonstration. As you can see, a directory listing was provided after I logged into the VSFTP server.
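The script below is an added example, not the article's or the vsftpd project's code. It performs the two edits this section describes, installing the sample PAM file as pam.d/ftp and uncommenting "local_enable=YES" in vsftpd.conf, in an idempotent way (the same key-setting helper also covers the "listen=YES" line from the standalone section). The file paths are arguments so it can be run against scratch copies; the live paths in the article are /etc/pam.d/ftp and /etc/vsftpd.conf.

```shell
#!/bin/sh
# Added example: enable local-user logins for vsftpd idempotently.
# Not part of the original article; all paths are supplied by the caller.

# vsftpd_conf_enable CONF KEY VALUE
# Uncomments an existing "#KEY=VALUE" line, rewrites an existing KEY= line,
# or appends the setting if absent. Writes via a temp file and renames it so
# a partially written config is never left in place.
vsftpd_conf_enable() {
    conf="$1" key="$2" val="$3"
    tmp="$conf.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]*=" "$conf"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]]*=.*|$key=$val|" "$conf" > "$tmp"
    else
        cp "$conf" "$tmp" && printf '%s=%s\n' "$key" "$val" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# install_ftp_pam SRC PAMDIR
# The article's "cp vsftpd.pam /etc/pam.d/ftp", with a check that SRC exists.
install_ftp_pam() {
    [ -f "$1" ] || { echo "missing PAM sample: $1" >&2; return 1; }
    cp "$1" "$2/ftp"
}

# local_logins_ready CONF PAMDIR -> 0 when both pieces are in place
local_logins_ready() {
    [ -f "$2/ftp" ] && grep -Eq '^[[:space:]]*local_enable[[:space:]]*=[[:space:]]*YES' "$1"
}

# Demonstration against a scratch directory:  sh this_script.sh demo
demo() {
    d=$(mktemp -d)
    printf 'anonymous_enable=YES\n#local_enable=YES\n' > "$d/vsftpd.conf"  # constructed sample
    printf 'auth required pam_unix.so\n' > "$d/vsftpd.pam"                 # stand-in for the shipped file
    mkdir "$d/pam.d"
    install_ftp_pam "$d/vsftpd.pam" "$d/pam.d"
    vsftpd_conf_enable "$d/vsftpd.conf" local_enable YES
    local_logins_ready "$d/vsftpd.conf" "$d/pam.d" && echo "local logins enabled under $d"
    cat "$d/vsftpd.conf"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Running vsftpd_conf_enable a second time leaves the file unchanged, and local_logins_ready gives a quick pass/fail before restarting xinetd.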
Summary
VSFTP powers many of the largest sites in the open source world, including the security-conscious OpenBSD project and Red Hat Linux. With its small footprint, ability to handle large loads, security, and flexibility, it makes an ideal FTP server for any organisation that wants file transfer capability but not the major security headaches that typically come with it.