Vsftpd

vsftpd
vsftpd - Very Secure FTP Daemon
 * "vsftpd is a Very Secure FTP daemon. It was written completely from scratch."

Installation
yum install vsftpd

apt-get install vsftpd

Tutorial
Howto: Easy FTP with vsftpd - Ubuntu Forums - http://ubuntuforums.org/showthread.php?t=518293

SFTP
SFTP shell: /usr/libexec/openssh/sftp-server

To provide SFTP access to Linux accounts only (no interactive shell), set the user's login shell to the sftp-server binary. The /etc/passwd entry then looks like:

test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server

Add the binary to /etc/shells, otherwise chsh refuses to set it and pam_shells (present in the vsftpd PAM stack below) rejects FTP logins for that account:

/bin/sh
/bin/bash
/sbin/nologin
/usr/libexec/openssh/sftp-server

On OpenSSH 4.9 and later the same restriction is better expressed in sshd_config with a Match block and ForceCommand internal-sftp (optionally with ChrootDirectory), which does not depend on the login shell at all.

Source: https://help.ubuntu.com/10.04/serverguide/C/ftp-server.html
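The pam_shells dependency above is easy to get wrong on a box with several sftp-only accounts, so here is an added check script (not from the page or from the vsftpd/OpenSSH projects). It lists every account whose shell is the sftp-server binary and reports whether /etc/shells would let it through; the file paths and the function names (check_sftp_shells, ensure_shell_listed) are this example's own, and the demo at the bottom runs only on constructed copies of passwd and shells, never on the system files.

```bash
#!/bin/bash
# Added example, not code from the original page: check that accounts whose
# login shell is the OpenSSH sftp-server binary are accepted by pam_shells,
# which only passes shells listed in /etc/shells. The file paths are
# parameters so the check can run against copies; the stand-alone demo at
# the bottom builds constructed sample files and never touches the system.

SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}

# shell_listed SHELL SHELLS_FILE -> 0 if SHELL appears as a whole line
shell_listed() {
    grep -qxF -- "$1" "$2"
}

# ensure_shell_listed SHELL SHELLS_FILE -> append SHELL once (idempotent)
ensure_shell_listed() {
    shell_listed "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

# sftp_only_users PASSWD_FILE -> login names whose 7th field is SFTP_SERVER
sftp_only_users() {
    awk -F: -v shell="$SFTP_SERVER" '$7 == shell { print $1 }' "$1"
}

# check_sftp_shells PASSWD_FILE SHELLS_FILE
#   One line per sftp-only account: OK or DENIED (pam_shells would refuse).
#   Return value is the number of accounts that would be denied.
check_sftp_shells() {
    local passwd=$1 shells=$2 denied=0 u
    for u in $(sftp_only_users "$passwd"); do
        if shell_listed "$SFTP_SERVER" "$shells"; then
            echo "OK      $u: $SFTP_SERVER is listed in $shells"
        else
            echo "DENIED  $u: pam_shells rejects $SFTP_SERVER (not in $shells)"
            denied=$((denied + 1))
        fi
    done
    return "$denied"
}

# Stand-alone demo on constructed files (the passwd line mirrors the page's
# "test" account; the shells file deliberately lacks sftp-server at first).
demo() {
    local tmp; tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\ntest:x:501:50::/ftp:%s\n' \
        "$SFTP_SERVER" > "$tmp/passwd"
    printf '/bin/sh\n/bin/bash\n/sbin/nologin\n' > "$tmp/shells"
    check_sftp_shells "$tmp/passwd" "$tmp/shells" || echo "-> $? account(s) locked out; fixing $tmp/shells"
    ensure_shell_listed "$SFTP_SERVER" "$tmp/shells"
    check_sftp_shells "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo
```

To audit a real host, call check_sftp_shells /etc/passwd /etc/shells; the non-zero return value is the number of accounts that pam_shells would lock out.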

Configuration Files
/etc/vsftpd/

/etc/vsftpd/vsftpd.conf

banner
Simple banner: ftpd_banner=My FTP

OR a more complex banner read from a file:

Create warning banners for all FTP users: banner_file=/etc/vsftpd/issue

Create /etc/vsftpd/issue with a message compliant with the local site policy or a legal disclaimer, for example:

NOTICE TO USERS
Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.

Either option also replaces the default greeting, which advertises the vsftpd version string to anyone who connects.

Tutorial

 * Red Hat / CentOS VSFTPD FTP Server Configuration - http://www.cyberciti.biz/tips/rhel-fedora-centos-vsftpd-installation.html
 * Linux Create An FTP User Account - http://www.cyberciti.biz/tips/linux-creating-ftp-account-with-vsftpds.html
 * CentOS / Red Hat Linux Install VSFTPD FTP Server - http://www.cyberciti.biz/faq/rhel-centos-linux-install-ftp-server/

Files
/etc/vsftpd/             # config folder
/etc/vsftpd/vsftpd.conf  # config file
/etc/rc.d/init.d/vsftpd  # startup file
/usr/sbin/vsftpd         # executable
/etc/vsftpd/ftpusers     # users denied by PAM (pam_listfile in /etc/pam.d/vsftpd); ships with root and the system accounts
/etc/vsftpd/user_list    # users checked by vsftpd itself when userlist_enable=YES: a deny list by default (userlist_deny=YES), an allow list with userlist_deny=NO

/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=My FTP
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Changes from default:
 * anonymous_enable=NO
 * local_umask=002
 * ftpd_banner=My FTP
 * chroot_local_user=YES

Note that local_umask=002 leaves uploaded files group-writable; 022 (or the compiled-in 077) is the safer choice unless the group is deliberately shared.

/etc/pam.d/vsftpd:

#%PAM-1.0
# htpasswd access
auth    required pam_pwdfile.so pwdfile /etc/htpasswd
account required pam_permit.so

See Linux PAM and htpasswd.

With this stack vsftpd authenticates against the htpasswd file only. The pam_listfile line is gone, so /etc/vsftpd/ftpusers is no longer consulted (user_list still is, because vsftpd checks it itself), and pam_permit skips every account check such as expiry or a locked account. Each name in /etc/htpasswd must still exist as a local account, since vsftpd looks it up for the UID and home directory after PAM succeeds, unless guest_enable=YES maps all logins onto guest_username.

Original /etc/pam.d/vsftpd:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

Default
/etc/vsftpd/vsftpd.conf as shipped:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot.
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

/etc/pam.d/vsftpd: the distribution default, listed in full above under "Original /etc/pam.d/vsftpd".
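The shipped file's comments warn that a directive you comment out falls back to vsftpd's compiled-in default, which for anonymous_enable is YES. The following added audit script (not from the page or the vsftpd project) makes that visible: it computes the effective value of the security-relevant directives from a vsftpd.conf, applying the compiled-in defaults from vsftpd.conf(5) for anything absent or commented, and lists what a hardening pass should still change. Function names (conf_get, audit_vsftpd_conf) and the choice of which settings to flag are this example's own; the tests run it on constructed copies of the default and hardened configs shown on this page.

```bash
#!/bin/bash
# Added example, not from the original page: report the *effective* value of
# the security-relevant vsftpd.conf directives. A directive that is absent or
# commented out takes vsftpd's compiled-in default from vsftpd.conf(5), which
# is how the shipped example file ends up with anonymous access enabled.
# Pass the path of the file to audit; the tests build constructed files.

# conf_get FILE KEY DEFAULT
#   Effective value of KEY: the last active "KEY=value" line wins, as in
#   vsftpd's own parser (which allows no whitespace around '=').
#   Booleans are normalised to YES/NO (vsftpd accepts yes/true/1, no/false/0).
conf_get() {
    local v
    v=$(awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }          # comment line
        $1 == k          { v = $2 }        # later assignment overrides
        END              { print v }' "$1")
    [ -n "$v" ] || v=$3
    case "$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *)          echo "$v" ;;
    esac
}

# audit_vsftpd_conf FILE -> one finding per line; returns the finding count
audit_vsftpd_conf() {
    local f=$1 n=0
    local anon write anon_up chroot ssl force_login force_data um
    anon=$(conf_get "$f" anonymous_enable YES)       # compiled-in default: YES
    write=$(conf_get "$f" write_enable NO)
    anon_up=$(conf_get "$f" anon_upload_enable NO)
    chroot=$(conf_get "$f" chroot_local_user NO)
    ssl=$(conf_get "$f" ssl_enable NO)
    force_login=$(conf_get "$f" force_local_logins_ssl YES)
    force_data=$(conf_get "$f" force_local_data_ssl YES)
    um=$(conf_get "$f" local_umask 077)

    if [ "$anon" = YES ]; then
        echo "anonymous_enable is effectively YES (the compiled-in default); set anonymous_enable=NO"
        n=$((n + 1))
        if [ "$write" = YES ] && [ "$anon_up" = YES ]; then
            echo "anonymous upload is enabled (write_enable + anon_upload_enable)"
            n=$((n + 1))
        fi
    fi
    if [ "$chroot" = NO ]; then
        echo "chroot_local_user=NO: local users can browse the whole filesystem"
        n=$((n + 1))
    fi
    if [ "$ssl" = NO ]; then
        echo "ssl_enable=NO: passwords and data cross the network in cleartext"
        n=$((n + 1))
    elif [ "$force_login" = NO ] || [ "$force_data" = NO ]; then
        echo "TLS is optional (force_local_logins_ssl/force_local_data_ssl=NO): clients may fall back to cleartext"
        n=$((n + 1))
    fi
    # the umask must clear the group and other write bits (octal 022)
    if [ $(( 0$um & 022 )) -ne $(( 022 )) ]; then
        echo "local_umask=$um leaves new files group- or world-writable"
        n=$((n + 1))
    fi
    return "$n"
}

# Stand-alone run: audit the system file if there is one
if [ -r /etc/vsftpd/vsftpd.conf ]; then
    audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
    echo "$? finding(s)"
fi
```

Run against the shipped file above it reports three findings (anonymous login, no chroot, no TLS); against the hardened config two remain (no TLS, and the group-writable umask 002).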

Service Start and Stop
service vsftpd start
service vsftpd stop
service vsftpd restart

Firewall Settings
Pin the passive-mode data ports in /etc/vsftpd/vsftpd.conf so the firewall can be told exactly which ports to open:

pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12003

Then open the same range in iptables (in addition to 21 for the control connection and 20 for active-mode data); the rule below uses the RHEL-style chain. The range in the rule must match pasv_min_port/pasv_max_port exactly, otherwise directory listings and transfers hang after the PASV reply. Each concurrent passive data connection takes one port from the range, so four ports allow at most four simultaneous transfers; size the range accordingly.

-A RH-Firewall-1-INPUT -p tcp --dport 12000:12003 -j ACCEPT

References:
 * http://blog.joshua.net/2006/07/ftps-and-vsftpd-part-2-firewalls.html
 * http://forums.fedoraforum.org/showthread.php?t=97374

Allow Only Specified Users
Append to the bottom of /etc/vsftpd/vsftpd.conf:

# ken
anonymous_enable=NO
local_umask=002
ftpd_banner=My FTP
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO

With userlist_deny=NO, /etc/vsftpd/user_list becomes an allow list: add your user there. Anyone not listed is refused at the USER command, before a password is ever sent.

Check that the user is not in /etc/vsftpd/ftpusers, which PAM (pam_listfile) still denies after the password check, regardless of user_list.

Source: How to allow specific user to login Vsftp server - http://www.linuxquestions.org/questions/linux-networking-3/how-to-allow-specific-user-to-login-vsftp-server-446064/
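Because user_list flips meaning with userlist_deny and ftpusers is enforced separately by PAM, it is easy to end up with a user who is "allowed" in one file and still refused. The following added script (not from the page or the vsftpd project) walks the two checks in the order vsftpd applies them and prints why a login would be accepted or refused. The function names (vsftpd_login_allowed, conf_value, in_list) are this example's own, and the demo runs on constructed copies of vsftpd.conf, user_list and ftpusers that mirror the setup above.

```bash
#!/bin/bash
# Added example, not from the original page: decide whether a given user would
# get past vsftpd's user_list check and the PAM ftpusers deny list, following
# the semantics of userlist_enable/userlist_deny described above. All files
# are parameters; the demo and tests use constructed copies.

# conf_value FILE KEY DEFAULT -> last active assignment of KEY, upper-cased
conf_value() {
    local v
    v=$(awk -F= -v k="$2" '/^[[:space:]]*#/ {next} $1==k {v=$2} END {print v}' "$1")
    printf '%s\n' "${v:-$3}" | tr '[:lower:]' '[:upper:]'
}

# in_list NAME FILE -> 0 if NAME is a line of FILE (missing file = empty list)
in_list() {
    [ -r "$2" ] && grep -qxF -- "$1" "$2"
}

# vsftpd_login_allowed USER CONF USER_LIST FTPUSERS
#   Prints ALLOW/DENY with the reason; returns 0 for allow, 1 for deny.
vsftpd_login_allowed() {
    local user=$1 conf=$2 ulist=$3 ftpusers=$4
    # 1. vsftpd's own check, answered at the USER command before any password
    if [ "$(conf_value "$conf" userlist_enable NO)" = YES ]; then
        if [ "$(conf_value "$conf" userlist_deny YES)" = YES ]; then
            if in_list "$user" "$ulist"; then
                echo "DENY  $user: listed in $ulist (userlist_deny=YES: deny list, refused before password)"
                return 1
            fi
        elif ! in_list "$user" "$ulist"; then
            echo "DENY  $user: not in $ulist (userlist_deny=NO turns it into an allow list, refused before password)"
            return 1
        fi
    fi
    # 2. PAM: pam_listfile item=user sense=deny file=ftpusers, after the password
    if in_list "$user" "$ftpusers"; then
        echo "DENY  $user: listed in $ftpusers (pam_listfile, after the password is checked)"
        return 1
    fi
    echo "ALLOW $user"
}

# Stand-alone demo on constructed files mirroring the page's "allow only
# specified users" setup (userlist_deny=NO with ken in user_list).
demo() {
    local tmp u; tmp=$(mktemp -d)
    printf 'anonymous_enable=NO\nuserlist_enable=YES\nuserlist_deny=NO\n' > "$tmp/vsftpd.conf"
    printf 'ken\nbob\n' > "$tmp/user_list"
    printf 'root\nbob\n' > "$tmp/ftpusers"    # bob passes user_list but PAM still denies him
    for u in ken bob alice root; do
        vsftpd_login_allowed "$u" "$tmp/vsftpd.conf" "$tmp/user_list" "$tmp/ftpusers" || true
    done
    rm -rf "$tmp"
}

demo
```

On a real host call it with /etc/vsftpd/vsftpd.conf, /etc/vsftpd/user_list and /etc/vsftpd/ftpusers; if the PAM file has been replaced by the htpasswd stack shown earlier, pass an empty file for ftpusers, since that stack no longer consults it.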

SFTP Server
Server ftp.lindonlabs.com

/etc/vsftpd.conf (compared to the vsftpd.conf above):

# matching config
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
pam_service_name=vsftpd

# missing config
local_umask=002
xferlog_std_format=YES
ftpd_banner=My FTP
userlist_enable=YES
tcp_wrappers=YES

# additional config
secure_chroot_dir=/var/run/vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
banner_file=/home/ftp2/ftp_banner
log_ftp_protocol=yes

# SSL config
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem

The ssl_* options configure FTPS (FTP over TLS) in vsftpd. They have no effect on SFTP, which is an SSH subsystem handled by sshd and sftp-server without vsftpd being involved. Two things to tidy in the FTPS settings: rsa_cert_file and rsa_private_key_file appear twice (the later /etc/vsftpd/vsftpd.pem lines take effect, and the snakeoil pair is a self-signed placeholder that clients will not trust), and force_local_logins_ssl=NO / force_local_data_ssl=NO leave TLS optional, so a client that does not negotiate it sends the password and the files in cleartext; set both to YES to require it.

/etc/pam.d/vsftpd (Debian):

# Standard behaviour for ftpd(8).
auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own.  Do not enable
# pam_ftp.so.

# Standard blurb.
@include common-account
@include common-session

@include common-auth
auth    required        pam_shells.so

Debian: /usr/lib/sftp-server

CentOS: /usr/libexec/openssh/sftp-server

Setting an account's shell to sftp-server on CentOS locks out interactive SSH (as intended) and also FTP through vsftpd, because pam_shells in /etc/pam.d/vsftpd rejects any shell not listed in /etc/shells, while SFTP keeps working. To allow FTP as well, add the sftp-server path to /etc/shells (see the SFTP section above) or remove the pam_shells line from the PAM file.

Firewall
Passing Through a Stateless Firewall
 * The classic example of a network operation that may fail with a stateless firewall is the File Transfer Protocol (FTP).

Install and configure ftp server in Amazon EC2 instance | Linux Admin Zone - http://linuxadminzone.com/install-and-configure-ftp-server-in-amazon-ec2-instance/

Open the control ports and a passive data range in the security group (a range beyond 20-21 is needed because passive mode uses a fresh port per data connection):

$ ec2-authorize default -p 20-21
$ ec2-authorize default -p 1024-1048

Add the following lines at the end of /etc/vsftpd/vsftpd.conf, pinning vsftpd to the same range and telling clients the instance's public (Elastic) IP in the PASV reply, since the instance itself only sees its private address behind NAT:

$ vi /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=
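Both firewall passages above (the iptables chain under "Firewall Settings" and the EC2 security group here) hinge on the opened range matching pasv_min_port/pasv_max_port. As an added example (not from the page or the vsftpd project), the script below derives the rule from vsftpd.conf itself, in iptables and ec2-authorize form, and checks an existing rule file against the configured range; the function names (pasv_range, pasv_iptables_rule, pasv_ec2_rule, firewall_covers_pasv) are this example's own, and the demo uses constructed copies of the config and rule lines shown on this page.

```bash
#!/bin/bash
# Added example, not from the original page: derive the firewall rule for
# vsftpd's passive data ports from vsftpd.conf itself, and check an existing
# rule set against it. Covers both the iptables case (RH-Firewall-1-INPUT
# chain) and the EC2 security-group case, where the same range must be opened.
# All inputs are files or arguments; the demo builds constructed copies.

# conf_value FILE KEY DEFAULT -> last active assignment of KEY
conf_value() {
    local v
    v=$(awk -F= -v k="$2" '/^[[:space:]]*#/ {next} $1==k {v=$2} END {print v}' "$1")
    printf '%s\n' "${v:-$3}"
}

# pasv_range CONF -> "MIN MAX" on stdout; fails if the range is unusable.
#   pasv_min_port/pasv_max_port default to 0 ("let the kernel pick"), which
#   no firewall rule can match.
pasv_range() {
    local min max
    min=$(conf_value "$1" pasv_min_port 0)
    max=$(conf_value "$1" pasv_max_port 0)
    if [ "$(conf_value "$1" pasv_enable YES | tr '[:lower:]' '[:upper:]')" = NO ]; then
        echo "pasv_enable=NO: no passive range to open" >&2; return 1
    fi
    if [ "$min" -eq 0 ] || [ "$max" -eq 0 ]; then
        echo "pasv_min_port/pasv_max_port unset: passive ports are unbounded" >&2; return 1
    fi
    if [ "$min" -gt "$max" ]; then
        echo "pasv_min_port ($min) > pasv_max_port ($max)" >&2; return 1
    fi
    echo "$min $max"
}

# pasv_iptables_rule CONF [CHAIN] -> iptables rule for the range
pasv_iptables_rule() {
    local r chain=${2:-RH-Firewall-1-INPUT}
    r=$(pasv_range "$1") || return 1
    set -- $r
    printf -- '-A %s -m state --state NEW -p tcp --dport %s:%s -j ACCEPT\n' "$chain" "$1" "$2"
}

# pasv_ec2_rule CONF [GROUP] -> ec2-authorize command for the range
pasv_ec2_rule() {
    local r group=${2:-default}
    r=$(pasv_range "$1") || return 1
    set -- $r
    printf 'ec2-authorize %s -p %s-%s\n' "$group" "$1" "$2"
}

# firewall_covers_pasv CONF RULES_FILE -> 0 if some "--dport a:b" in
#   RULES_FILE covers the whole pasv range, 1 otherwise (transfers hang after
#   the PASV reply whenever vsftpd picks a port outside the opened range)
firewall_covers_pasv() {
    local r
    r=$(pasv_range "$1") || return 1
    set -- $r "$2"
    awk -v min="$1" -v max="$2" '
        match($0, /--dport [0-9]+:[0-9]+/) {
            split(substr($0, RSTART + 8, RLENGTH - 8), p, ":")
            if (p[1] + 0 <= min + 0 && p[2] + 0 >= max + 0) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$3"
}

# Stand-alone demo: the page's pasv range against a stale firewall line
demo() {
    local tmp; tmp=$(mktemp -d)
    printf 'pasv_enable=YES\npasv_min_port=12000\npasv_max_port=12003\n' > "$tmp/vsftpd.conf"
    printf -- '-A RH-Firewall-1-INPUT -p tcp --dport 11000:11010 -j ACCEPT\n' > "$tmp/iptables"
    if firewall_covers_pasv "$tmp/vsftpd.conf" "$tmp/iptables"; then
        echo "firewall covers the passive range"
    else
        echo "MISMATCH: firewall does not cover the passive range; needed rules:"
        pasv_iptables_rule "$tmp/vsftpd.conf"
        pasv_ec2_rule "$tmp/vsftpd.conf"
    fi
    rm -rf "$tmp"
}

demo
```

On a live host, feed firewall_covers_pasv the output of iptables-save; on EC2 the generated ec2-authorize line is what to run, and pasv_address still has to be set by hand to the instance's public IP.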

chroot - GnuTLS error -15: An unexpected TLS packet was received
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server

This is what FileZilla shows when the server drops the session straight after login. vsftpd's own error, visible with a plain ftp client, is "500 OOPS: vsftpd: refusing to run with writable root inside chroot()": since vsftpd 2.3.5 a chrooted user's root directory must not be writable. Either remove the write bits from the home directory (chmod a-w) and give the user a writable subdirectory for uploads, or, on vsftpd 3.0.0 and later, override the check with allow_writeable_chroot=YES in vsftpd.conf.
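The non-writable-root layout is easy to get wrong (a chmod a-w on the home directory, then the upload directory created afterwards fails). As an added example, not from the page or the vsftpd project, the script below applies the layout to a directory and checks it with the same criterion vsftpd uses: no write bit on the chroot root. The function names (chroot_root_writable, harden_chroot_home) are this example's own; it changes only permission bits, so ownership (chown to the FTP user) is left to the caller, and the demo runs on a scratch directory.

```bash
#!/bin/bash
# Added example, not from the original page: lay out a chrooted vsftpd home
# the way vsftpd 2.3.5+ requires (root of the chroot not writable, uploads in
# a writable subdirectory) and check a directory against that rule. Only the
# permission bits are touched; ownership is left to the caller, so it runs as
# any user on a scratch directory (as the demo does).

# chroot_root_writable DIR -> 0 if any write bit (u/g/o) is set on DIR.
#   vsftpd refuses to chroot into such a directory unless
#   allow_writeable_chroot=YES (vsftpd 3.0.0+). Uses GNU stat.
chroot_root_writable() {
    local mode
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & 0222 )) -ne 0 ]
}

# harden_chroot_home HOME [SUBDIR] -> make HOME non-writable and create a
#   writable SUBDIR (default "upload") inside it for the user's files.
harden_chroot_home() {
    local home=$1 sub=${2:-upload}
    mkdir -p "$home/$sub"          # create first: after chmod a-w we could not
    chmod u+rwx "$home/$sub"       # the user keeps full access to the subdir
    chmod a-w "$home"              # chroot root: read and search only
    if chroot_root_writable "$home"; then
        echo "ERROR: $home is still writable (mode $(stat -c %a "$home"))" >&2
        return 1
    fi
    echo "$home: mode $(stat -c %a "$home"), uploads go to $home/$sub"
}

# Stand-alone demo on a scratch directory
demo() {
    local tmp; tmp=$(mktemp -d)        # mktemp gives 700: a writable root vsftpd would refuse
    if chroot_root_writable "$tmp"; then echo "$tmp: writable root, vsftpd would refuse it"; fi
    harden_chroot_home "$tmp" files
    chmod u+w "$tmp" && rm -rf "$tmp"  # restore the write bit so cleanup can unlink
}

demo
```

For a real account run harden_chroot_home /home/user files as root and then chown the files subdirectory to the user; the home directory itself can stay owned by root, which is the simplest way to keep it non-writable.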