Sunday, 24 June 2012

vsftp Installation And Setup


I have finally got vsftpd working for external connections after two days of getting almost every error under the sun on both passive and active FTP connections. As a side note before I go into configuration details: if you'd like some information about the difference between passive and active FTP, you can find it here.
Installing vsftpd is rather simple and can be done with zypper using the command:
zypper in vsftpd
vsftpd should now be installed and you can do some configuration. The default config file is stored in /etc/vsftpd.conf, so go ahead and open it with your favourite text editor; personally I use vi. You will need root privileges to do this. Here is a sample version of the one I'm using. I'll give a run-down of the options and what/why each is there.

# ################
# General Settings
# ################
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
ftpd_banner=Welcome James' FTP Server.
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# If enabled, all user and group information in
# directory listings will be displayed as "ftp".
#hide_ids=YES
#
# #######################
# Local FTP user Settings
# #######################
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#local_max_rate=7200
#
# ##########################
# Anonymous FTP user Settings
# ##########################
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#anon_max_rate=7200
#
# Anonymous users will only be allowed to download files which are
# world readable.
anon_world_readable_only=YES
#
# Default umask for anonymous users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#anon_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymous FTP users to perform other write operations
# like deletion and renaming.
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# ############
# Log Settings
# ############
#
# Log to the syslog daemon instead of using a logfile.
syslog_enable=YES
#
# Uncomment this to log all FTP requests and responses.
log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
#vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# Enable this to have both logfiles: standard xferlog and vsftpd's own style log.
#dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#setproctitle_enable=YES
#
# #################
# Transfer Settings
# #################
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
#connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# Set to NO if you want to disallow the PASV method of obtaining a data
# connection.
pasv_enable=YES
#
# PAM setting. Do NOT change this unless you know what you do!
pam_service_name=vsftpd
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
#
# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=NO
#
# Limit passive ports to this range to assist firewalling
pasv_min_port=8000
pasv_max_port=8050
listen_port=6600
pasv_address=example.dyndns-server.com
pasv_addr_resolve=YES

The first option I have enabled is local_enable=YES; this allows you to access the FTP server from the local network. This is optional, but it is a good option for testing whether problems lie with the server or with the router/network, and obviously good if you want to use it within the local network :P
The next two options concern chrooting users into their home directory, so they cannot access anything outside their own home directory. I then give them access to other folders by virtually mounting them, but I'll cover that later.

chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list 

The last option there defines a file you will need to create that lets you list the users who aren't chrooted. This isn't a necessary option, but I use it to have my own account not chrooted. This does pose a security risk though, so if your account doesn't need to access anything other than its home directory then remove the two options chroot_list_enable=YES and chroot_list_file=/etc/vsftpd.chroot_list.
The next option I have is anonymous_enable=NO. This disables anonymous access for security. If you really want anonymous access then simply set this option to YES.
The next option, #connect_from_port_20=YES, I have commented out by adding a # to the start of the line. This is because I'm using a custom port number rather than the default FTP port.
Next is to enable passive mode, as a lot of clients require this: pasv_enable=YES. If you're going to be the only one using the server and know you're using a client that supports active mode, you can disable this option if you wish.
This next option makes vsftpd run in standalone mode rather than being run via xinetd. This is needed to allow easy configuration of ports etc.: listen=YES.
The following two options are only required if you're going to be running a firewall, as they help with port forwarding in the firewall.

pasv_min_port=8000
pasv_max_port=8050

You will then need to forward that port range in your firewall. The range can be anything you want really, but to ensure proper functionality it needs to be at least 50 ports in size. This is because TCP cannot reuse a port immediately after it has been used, so if you make many connections in quick succession, such as when transferring lots of small files, you could run into problems.
Next we define the custom connection port we want to use to connect to the server. I have picked 6600, but this can be anything you want as long as it doesn't conflict with another application's port: listen_port=6600. Now be sure to forward this port in your router.
Lastly we add some options for passive mode transfers, so the server returns the right contact details (IP address) to the user. Here you can define an IP address and leave out the second option, but if you have a dynamic IP this would mean the IP is hard-coded and would need to be changed each time your IP changes. Instead I recommend simply getting a free hostname from dyndns.com (or whatever service you prefer) and entering that. However, if you do use a hostname, you will need the second option to tell vsftpd that you're using a hostname rather than an IP there.

pasv_address=example.dyndns-server.com
pasv_addr_resolve=YES
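As an added example (not part of the original post), here is a small POSIX sh audit that reads a vsftpd.conf the way the settings above are described: anonymous logins off, local users chrooted, any accounts exempted via the chroot list reported, SSL state, and a passive range of at least 50 ports. It assumes only sed, tail, tr and mktemp; the sample config and the username "james" are constructed for the demonstration.

```shell
#!/bin/sh
# Effective value of KEY in a vsftpd.conf: commented lines are skipped and the last
# assignment wins. Surrounding whitespace is stripped, because a stray trailing blank
# (which vsftpd itself rejects with "bad bool value in config file") must not hide a value.
vsftpd_opt() {  # usage: vsftpd_opt CONF KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Number of passive data ports reserved by pasv_min_port/pasv_max_port (0 if unset).
pasv_range_size() {  # usage: pasv_range_size CONF
    lo=$(vsftpd_opt "$1" pasv_min_port); hi=$(vsftpd_opt "$1" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] && echo $((hi - lo + 1)) || echo 0
}

# One WARN line per setting that departs from the hardening described above, then a count.
audit_vsftpd_conf() {  # usage: audit_vsftpd_conf CONF
    conf=$1; n=0
    warn() { echo "WARN: $*"; n=$((n + 1)); }
    [ "$(vsftpd_opt "$conf" anonymous_enable)" = NO ] || warn "anonymous logins not disabled (vsftpd allows them by default)"
    [ "$(vsftpd_opt "$conf" chroot_local_user)" = YES ] || warn "local users are not chrooted into their home"
    if [ "$(vsftpd_opt "$conf" chroot_list_enable)" = YES ]; then
        list=$(vsftpd_opt "$conf" chroot_list_file); list=${list:-/etc/vsftpd.chroot_list}
        [ -r "$list" ] && while read -r u; do
            [ -n "$u" ] && warn "user '$u' is exempt from chroot via $list"
        done < "$list"
    fi
    [ "$(vsftpd_opt "$conf" ssl_enable)" = YES ] || warn "ssl_enable=NO: passwords and files cross the network in cleartext"
    [ "$(pasv_range_size "$conf")" -ge 50 ] || warn "passive port range is narrower than the recommended 50 ports"
    echo "$n finding(s)"
}

# Constructed sample (a cut-down vsftpd.conf plus a chroot list naming one exempt account),
# written to a temp directory so the audit runs offline; point it at /etc/vsftpd.conf for real.
make_sample() {
    d=$(mktemp -d)
    echo james > "$d/chroot_list"          # constructed username
    printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'chroot_local_user=YES' \
        'chroot_list_enable=YES' "chroot_list_file=$d/chroot_list" '#ssl_enable=YES' \
        'ssl_enable=NO' 'pasv_enable=YES' 'pasv_min_port=8000' 'pasv_max_port=8050' \
        'pasv_addr_resolve=YES ' > "$d/vsftpd.conf"   # note the trailing blank
    echo "$d/vsftpd.conf"
}

audit_vsftpd_conf "$(make_sample)"
```

On the constructed sample this reports two findings: the chroot-exempt account and ssl_enable=NO.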

You can now save your config file and start vsftpd with the command

service vsftpd start

You will then probably want to add it to run at system startup which can be done with

chkconfig --add vsftpd

The last thing to cover is adding virtual directories so users can access areas of the system while still being chrooted into their home directory. To do this we simply use the mount command with a special option, --bind. So, for example, say you have a folder /media/external that you want to share with a user. First create a directory in the user's home folder called external (or whatever you want really), and then mount /media/external virtually at that location with this command.

mount --bind /media/external /home/USER/external

The contents of /media/external will now be accessible from the user's home under the external folder, but navigating one level up from it will simply take them back to their home and not to /media.
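An added helper (not from the original post) for the bind-mount step above: it creates the mount point, bind-mounts the source read-only so the share cannot be written to through FTP, and records an /etc/fstab entry so the mount survives a reboot, which a bare mount --bind does not. It assumes util-linux mount and findmnt; with DRY_RUN=1 it only prints the commands, and the paths /media/external and /home/james are constructed examples.

```shell
#!/bin/sh
# fstab entry that recreates the bind mount at boot. "ro" keeps the shared tree read-only
# through FTP; recent util-linux honours it on a bind, older releases need the remount below.
fstab_bind_line() {  # usage: fstab_bind_line SRC DST
    printf '%s %s none bind,ro 0 0\n' "$1" "$2"
}

# Run a command, or only print it when DRY_RUN=1, so the steps can be reviewed without root.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Expose SRC inside HOME_DIR as NAME (default: basename of SRC), read-only and persistent.
bind_share() {  # usage: bind_share SRC HOME_DIR [NAME]
    src=$1; dst="$2/${3:-$(basename "$1")}"
    run mkdir -p "$dst"
    run mount --bind "$src" "$dst"
    # a plain --bind ignores -o ro on older kernels; the remount is what makes it read-only
    run mount -o remount,bind,ro "$dst"
    if ! grep -qF " $dst " /etc/fstab 2>/dev/null; then
        line=$(fstab_bind_line "$src" "$dst")
        run sh -c "echo '$line' >> /etc/fstab"
    fi
    run findmnt --target "$dst"   # confirm the mount point and its ro option
}

# Constructed paths from the post (USER replaced by a hypothetical "james"), printed not executed.
DRY_RUN=1 bind_share /media/external /home/james external
```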
