1. Install using yum
yum -y install vsftpd db4-utils
2. Configure
vi /etc/vsftpd/vsftpd.conf
We need to adjust some basic parameters in this file to increase security and establish our connection options.
The first thing we will do is disable anonymous users. While this option may make sense for a large, public facing file dump (like public software repositories), for a personal FTP server, this is almost never a good idea.
anonymous_enable=NO
Since we are disabling anonymous users, we need to provide a way for our system to authenticate our users. We will allow local users, meaning that vsftpd will use our Linux system users and authentication to determine who can sign in.
To enable this, make sure that this option is set:
local_enable=YES
We will also allow them write access, so that they can upload material and modify content:
write_enable=YES
We also want to confine our users to their respective home directories. The option for that is:
chroot_local_user=YES
This is enough for a basic (non-SSL) FTP configuration. We will add the SSL functionality later.
Save and close the file.
This file contains many directives that help strengthen the security of the FTP server. The following important directives are already present in the file (shown with the value as shipped in vsftpd.conf, followed by what the directive does):

anonymous_enable=YES
    Controls whether anonymous logins are permitted. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.

local_enable=YES
    Controls whether local logins are permitted. If enabled, normal user accounts in /etc/passwd (or wherever your PAM config references) may be used to log in. This must be enabled for any non-anonymous login to work, including virtual users.

write_enable=YES
    Controls whether any FTP commands which change the file system are allowed. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.

local_umask=022
    The umask applied to files created by local users.

anon_upload_enable=YES (commented out in the shipped file; uncomment it to use it)
    If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the desired upload locations. This setting is also required for virtual users to upload; by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege.

anon_mkdir_write_enable=YES (commented out in the shipped file; uncomment it to use it)
    If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.

listen=YES
    If enabled, vsftpd will run in standalone mode. This means that vsftpd must not be run from an inetd of some kind. Instead, the vsftpd executable is run once directly; vsftpd itself will then take care of listening for and handling incoming connections.
The following are some other options you can add to the file for more security (directive with its accepted values, followed by a description):

userlist_enable=YES/NO
    If enabled, vsftpd will load a list of usernames from the file named by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.

chroot_local_user=YES/NO
    If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: this option has security implications, especially if the users have upload permission or shell access. Only enable it if you know what you are doing. Note that these security implications are not vsftpd specific; they apply to all FTP daemons which offer to put local users in chroot() jails.

local_max_rate (in kb; e.g. local_max_rate=1000)
    The maximum data transfer rate permitted, in bytes per second, for local authenticated users. Default: 0 (unlimited).

anon_max_rate (in kb; e.g. anon_max_rate=1000)
    The maximum data transfer rate permitted, in bytes per second, for anonymous clients. Default: 0 (unlimited).

no_anon_password=YES/NO
    When enabled, this prevents vsftpd from asking for an anonymous password; the anonymous user will log straight
Create an FTP User
——————————————————————————–
We have selected to use local users and to confine them to their home directories with a chroot environment.
Create a new user with this command:
sudo adduser ftpuser
Assign a password to the new user by typing:
sudo passwd ftpuser
The version of vsftpd in CentOS 6.4 is older, so this portion of the setup is easier than with some newer versions.
Configure SSL with vsftpd
——————————————————————————–
The first step towards getting vsftpd to operate with SSL is to create our SSL certificate. We will actually be using TLS, the successor protocol to SSL, which is more secure.
We will create a subdirectory within the SSL directory to store our files:
sudo mkdir /etc/ssl/private
To create the certificate and the key in a single file, we can use this command:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Fill out the questions that it asks. The most important being the “Common Name” of your server, which will be the IP address or domain name that you will use to connect.
Add the SSL Details to the vsftpd Configuration File
——————————————————————————–
Now, we need to alter our configuration to point to the new keys and configure the secure connection.
Open the vsftpd configuration file as root again:
sudo nano /etc/vsftpd/vsftpd.conf
Scroll to the bottom of the file. We will add our SSL/TLS information here.
We need to specify the location of our certificate and key files. We actually combined both pieces of information into a single file, so we will point both options to the same file:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
Next, we need to enable the use of these files and disable anonymous users. We should also force the use of SSL for both data transfer and login routines. This makes the security mandatory:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
Next, we will restrict the type of connection to TLS, which is more secure than SSL. We will do this by explicitly allowing TLS and denying the use of SSL:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
We’ll add a few more configuration options before finishing:
require_ssl_reuse=NO
ssl_ciphers=HIGH
Save and close the file.
We need to restart vsftpd to enable our changes:
sudo /etc/init.d/vsftpd restart
We will also configure it to start automatically with every reboot:
sudo chkconfig vsftpd on
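To confirm that the directives from the basic configuration and the SSL section really are in effect in /etc/vsftpd/vsftpd.conf (and were not overridden further down the file), here is an added audit script; it is not part of the original guide. It assumes vsftpd's plain key=value syntax, treats a missing directive as a finding, and the sample config it runs against is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: audit /etc/vsftpd/vsftpd.conf
# against the settings chosen in the basic and SSL sections above.

# get_directive FILE KEY -> prints KEY's effective value. vsftpd applies the
# file top-down, so the last uncommented assignment wins; '#' comment lines
# never match because the pattern is anchored at the key name.
get_directive() {
    sed -n "s/^$2=\(.*\)/\1/p" "$1" | tail -n 1
}

# audit_vsftpd FILE -> one FAIL line per mismatch; returns 0 only if every
# expected directive is explicitly set to the hardened value. A missing
# directive is a finding too: vsftpd would use its compiled-in default.
audit_vsftpd() {
    rc=0
    for pair in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
                force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(get_directive "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: anonymous login is still on, and ssl_sslv3 was set
# to NO and then re-enabled later in the file (the later line wins).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# comment lines are ignored
anonymous_enable=YES
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_sslv3=YES
EOF
audit_vsftpd "${1:-$SAMPLE}" && echo "vsftpd.conf matches the guide" || echo "vsftpd.conf needs attention"
```

Run it as `sh audit.sh /etc/vsftpd/vsftpd.conf` on the real server; with no argument it runs against the constructed sample and reports the two planted problems.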
** If login does not work after everything has been configured, especially when the user was created with useradd and the user's shell was set to /sbin/nologin, the login fails.
The reason is that the shell in /etc/passwd is checked during the user check.
To prevent this, use the option
check_shell=NO
(Be sure to use /sbin/nologin; with other shells the login does not work.)
1. On the router, forward only two ports, TCP 20 and 21, to the server.
2. Open vsftpd.conf in an editor and add the passive-mode settings below:
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50005
These options make passive mode use ports 50000 to 50005. If the server does not have many concurrent FTP users, a range of this size is sufficient. Passive ports are said to be best placed somewhere in the 50000 to 60000 range.
3. In the iptables firewall, open the port range configured above for passive mode.
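As an added example (not from the original notes), this script reads the passive range set in step 2 from vsftpd.conf, sanity-checks it, and prints the iptables rules for step 3, so the range the firewall opens cannot drift from the one vsftpd uses. The iptables commands are printed rather than applied, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: derive the iptables rules for
# step 3 from the passive range configured in step 2.

# get_directive FILE KEY -> last uncommented value of KEY (vsftpd applies the
# file top-down, so the last assignment is the effective one).
get_directive() {
    sed -n "s/^$2=\(.*\)/\1/p" "$1" | tail -n 1
}

# pasv_range FILE -> prints "MIN:MAX" in iptables --dport syntax, or fails
# with a reason when the range is missing, non-numeric, inverted, or outside
# the unprivileged port space.
pasv_range() {
    min=$(get_directive "$1" pasv_min_port)
    max=$(get_directive "$1" pasv_max_port)
    case "$min:$max" in
        :*|*:|*[!0-9:]*) echo "pasv_min_port/pasv_max_port missing or not numeric" >&2; return 1 ;;
    esac
    if [ "$min" -gt "$max" ] || [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ]; then
        echo "passive range $min-$max is inverted or outside 1024-65535" >&2
        return 1
    fi
    echo "$min:$max"
}

# pasv_rules FILE -> prints (does not apply) the INPUT rules for the control
# port and the passive data range. Active-mode data connections originate
# from the server's port 20, so they are handled by the OUTPUT chain and the
# usual ESTABLISHED,RELATED rule, not by an INPUT --dport rule.
pasv_rules() {
    range=$(pasv_range "$1") || return 1
    echo "iptables -A INPUT -p tcp --dport 21 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $range -j ACCEPT"
}

# Constructed sample matching the settings added in step 2.
SAMPLE=$(mktemp)
printf 'pasv_enable=YES\npasv_min_port=50000\npasv_max_port=50005\n' > "$SAMPLE"

pasv_rules "${1:-$SAMPLE}"
```

Pipe the output into `sh` only after reviewing it; an alternative that avoids opening a static range is the nf_conntrack_ftp helper, which tracks the PASV reply and opens the negotiated port per connection.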