Setting up vsftpd on Linux

From Public wiki of Kevin P. Inscoe
Revision as of 15:55, 29 March 2018 by Kinscoe

vsftpd

vsftpd is generally considered the most secure and fastest FTP server for UNIX-like systems. vsftpd supports chroot mode and allows you to control who can access (and not access) the ftp server.

vsftpd lives at https://security.appspot.com/vsftpd.html

The docs are included with the software install and also online at https://security.appspot.com/vsftpd.html#docs

The installed docs on Redhat-like systems are usually stored in /usr/share/doc/vsftpd-n.n.n.

Install

$ sudo yum install vsftpd

vsftpd Files

vsftpd files on Redhat-like systems are generally stored as part of the RPM. To determine this for your system:

$ sudo rpm -qa | grep vsftpd
vsftpd-3.0.2-10.el7.x86_64
$ sudo rpm -ql vsftpd-3.0.2-10.el7.x86_64
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/vsftpd
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd_conf_migrate.sh
/usr/lib/systemd/system-generators/vsftpd-generator
/usr/lib/systemd/system/vsftpd.service
/usr/lib/systemd/system/vsftpd.target
/usr/lib/systemd/system/vsftpd@.service
/usr/sbin/vsftpd
/usr/share/doc/vsftpd-3.0.2
/usr/share/doc/vsftpd-3.0.2/AUDIT
/usr/share/doc/vsftpd-3.0.2/BENCHMARKS
/usr/share/doc/vsftpd-3.0.2/BUGS
/usr/share/doc/vsftpd-3.0.2/COPYING
/usr/share/doc/vsftpd-3.0.2/Changelog
/usr/share/doc/vsftpd-3.0.2/EXAMPLE
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/README.configuration
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/vsftpd.conf
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE/vsftpd.xinetd
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE_NOINETD
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE_NOINETD/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE_NOINETD/README.configuration
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/PER_IP_CONFIG
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/PER_IP_CONFIG/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/PER_IP_CONFIG/README.configuration
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/PER_IP_CONFIG/hosts.allow
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_HOSTS
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_HOSTS/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/README
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/README.configuration
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/logins.txt
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/vsftpd.conf
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS_2
/usr/share/doc/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS_2/README
/usr/share/doc/vsftpd-3.0.2/FAQ
/usr/share/doc/vsftpd-3.0.2/INSTALL
/usr/share/doc/vsftpd-3.0.2/LICENSE
/usr/share/doc/vsftpd-3.0.2/README
/usr/share/doc/vsftpd-3.0.2/README.security
/usr/share/doc/vsftpd-3.0.2/REWARD
/usr/share/doc/vsftpd-3.0.2/SECURITY
/usr/share/doc/vsftpd-3.0.2/SECURITY/DESIGN
/usr/share/doc/vsftpd-3.0.2/SECURITY/IMPLEMENTATION
/usr/share/doc/vsftpd-3.0.2/SECURITY/OVERVIEW
/usr/share/doc/vsftpd-3.0.2/SECURITY/TRUST
/usr/share/doc/vsftpd-3.0.2/SIZE
/usr/share/doc/vsftpd-3.0.2/SPEED
/usr/share/doc/vsftpd-3.0.2/TODO
/usr/share/doc/vsftpd-3.0.2/TUNING
/usr/share/doc/vsftpd-3.0.2/vsftpd.xinetd
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/var/ftp
/var/ftp/pub


Configure

Edit the configuration to allow passive FTP.

On RHEL 6 and 7 the file is located at /etc/vsftpd/vsftpd.conf

Recommended settings:

In a cloud environment such as AWS, be sure to comment out "pasv_address", since the instance IP address may change over time.

pasv_enable=YES
pasv_min_port=40000
pasv_max_port=41000
port_enable=YES
#pasv_address=<IP Address>
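
A check of the passive-mode settings above before restarting the service, as an added example that is not part of the original page. The function name audit_pasv and the sample file are hypothetical; the sample config is constructed.

```shell
#!/bin/sh
# audit_pasv CONF (hypothetical helper): check the passive-mode settings above.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_pasv() {
    awk '
    function bad(msg) { print msg; n++ }
    /^#/ || /^[ \t]*$/ { next }              # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) { bad("line " NR ": not in option=value form"); next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        # vsftpd.conf(5): no space is allowed between option, = and value
        if (key ~ /[ \t]/ || val ~ /^[ \t]/) {
            bad("line " NR ": whitespace around = is a config error"); next
        }
        conf[key] = val
    }
    END {
        if (toupper(conf["pasv_enable"]) == "NO")
            bad("pasv_enable=NO: passive mode is disabled")
        lo = conf["pasv_min_port"]; hi = conf["pasv_max_port"]
        if (lo == "" || hi == "")
            bad("pasv_min_port/pasv_max_port not both set: any port may be used")
        else if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/)
            bad("passive port range is not numeric: " lo "-" hi)
        else if (lo + 0 > hi + 0 || hi + 0 > 65535)
            bad("passive port range " lo "-" hi " is invalid")
        if ("pasv_address" in conf)
            bad("pasv_address=" conf["pasv_address"] " is pinned; stale if the IP changes")
        exit (n > 0)
    }' "$1"
}

# Constructed sample config (not from a real host) with three problems.
sample=$(mktemp)
cat > "$sample" <<'EOF'
pasv_enable = YES
pasv_min_port=41000
pasv_max_port=40000
pasv_address=203.0.113.10
EOF
audit_pasv "$sample" || echo "fix the findings above before restarting vsftpd"
rm -f "$sample"
```

The same port range has to be allowed inbound by the host firewall or cloud security group, which this check cannot see.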

Logging

vsftpd produces two kinds of log files: transfers (xferlog) and FTP operations (log_ftp_protocol).

By default vsftpd uses

xferlog_std_format=YES

for logging. This shows all files moving through the FTP server, but if you want to view all the activity, including FTP connections and commands, you need to add

log_ftp_protocol=YES

The problem is that you have to choose one or the other. This verbose logging records everything, which you may want when troubleshooting issues.

Edit vsftpd.conf

Recommended settings:

syslog_enable=NO
vsftpd_log_file=/var/log/vsftpd.log
dual_log_enable=YES
log_ftp_protocol=YES
xferlog_std_format=NO
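
With these settings the login results land in /var/log/vsftpd.log. The following added example (not part of the original page) summarises repeated failed logins per client from that log. The function name failed_logins is hypothetical, and the log lines are constructed in vsftpd's own log layout.

```shell
#!/bin/sh
# failed_logins LOG [MIN] (hypothetical helper): list clients with at least MIN
# failed logins (default 3) and whether a successful login followed from that IP.
failed_logins() {
    awk -v min="${2:-3}" '
    # vsftpd-format line: <date> [pid N] [user] FAIL LOGIN: Client "ip"
    /\] (FAIL|OK) LOGIN: Client "/ && match($0, /Client "[^"]+"/) {
        ip = substr($0, RSTART + 8, RLENGTH - 9)
        if ($0 ~ /\] FAIL LOGIN: /) fails[ip]++
        else if (ip in fails) ok_after[ip] = 1   # success after earlier failures
    }
    END {
        for (ip in fails)
            if (fails[ip] >= min)
                printf "%s fails=%d ok_after_fail=%s\n", ip, fails[ip],
                       ((ip in ok_after) ? "yes" : "no")
    }' "$1" | sort
}

# Constructed sample log (documentation addresses, not real traffic).
log=$(mktemp)
cat > "$log" <<'EOF'
Thu Mar 29 15:40:01 2018 [pid 2101] CONNECT: Client "198.51.100.7"
Thu Mar 29 15:40:02 2018 [pid 2100] [alice] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 29 15:40:04 2018 [pid 2100] [alice] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 29 15:40:07 2018 [pid 2100] [admin] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 29 15:40:11 2018 [pid 2100] [alice] OK LOGIN: Client "198.51.100.7"
Thu Mar 29 15:41:30 2018 [pid 2207] [bob] FAIL LOGIN: Client "192.0.2.44"
Thu Mar 29 15:41:39 2018 [pid 2207] [bob] OK LOGIN: Client "192.0.2.44"
EOF
failed_logins "$log" 3
rm -f "$log"
```

A client reported with ok_after_fail=yes had a successful login after its failures and is the first entry to review.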

Operations

To enable vsftpd to always start at boot:

$ sudo chkconfig vsftpd on

To turn on vsftpd now:

$ sudo service vsftpd start