Saturday, March 22, 2014

Red Hat / CentOS VSFTPD FTP Server Configuration

Vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.

In this guide you will learn how to:

1. Set up vsftpd to provide FTP service.
2. Configure vsftpd.
3. Configure firewalls to protect the FTP server.
4. Configure vsftpd with SSL/TLS.
5. Set up vsftpd as a download-only anonymous Internet server.
6. Set up vsftpd with virtual users, and more.

VSFTPD offers security, performance and stability over other servers. A quick list of vsftpd features:

1. Virtual users.
2. Run as standalone or inetd / xinetd operation.
3. Virtual IP configurations.
4. Per-user configuration.
5. Bandwidth throttling.
6. Per-source-IP configurability.
7. Per-source-IP limits.
8. IPv6 ready.
9. Encryption support through SSL integration.

And much more.

Install Vsftpd FTP Server

Install the vsftpd package via yum command:

# yum install vsftpd

Vsftpd Defaults

1. Default ports: TCP / UDP - 21 and 20 (21 is the control channel, 20 the active-mode data channel)
2. The main configuration file: /etc/vsftpd/vsftpd.conf
3. Users that are not allowed to login via FTP: /etc/vsftpd/ftpusers

Configure Vsftpd Server

Open the configuration file, type:

# vi /etc/vsftpd/vsftpd.conf

Turn off standard ftpd xferlog log format:

xferlog_std_format=NO

Turn on verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:

log_ftp_protocol=YES

The two directives above enable logging of all FTP transactions. To lock users down to their home directories, edit/append the directive as follows:

chroot_local_user=YES

Create warning banners for all FTP users:

banner_file=/etc/vsftpd/issue

Create the /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

NOTICE TO USERS
Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.

Turn On Vsftpd Service

Turn on vsftpd on boot:

# chkconfig vsftpd on

Start the service:

# service vsftpd start
# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server

Open the file /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Open the file /etc/sysconfig/iptables-config, enter:

# vi /etc/sysconfig/iptables-config

Ensure that the space-separated list of modules contains the FTP connection tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file. Restart the firewall:

# service iptables restart

Tip: View FTP Log File

Type the following command:

# tail -f /var/log/vsftpd.log

Sample output:

Sat Apr 22 11:40:31 2009 [pid 42298] FTP response: Client "192.168.1.100", "530 Please login with USER and PASS."
Sat Apr 22 11:40:36 2009 [pid 42298] FTP command: Client "192.168.1.100", "USER vivekda"
Sat Apr 22 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "192.168.1.100", "331 Please specify the password."
Sat Apr 22 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "192.168.1.100", "PASS "
Sat Apr 22 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "192.168.1.100"
Sat Apr 22 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "192.168.1.100", "230 Login successful."
Sat Apr 22 11:40:38 2009 [pid 42299] [vivek] FTP command: Client "192.168.1.100", "SYST"
Sat Apr 22 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "192.168.1.100", "215 UNIX Type: L8"
Sat Apr 22 11:40:39 2009 [pid 42299] [vivek] FTP command: Client "192.168.1.100", "PORT 10,1,3,108,162,253"
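To turn the verbose log into something a defender can act on, here is an added Python example (not from the article) that parses lines in the format shown above and counts successful and failed logins per client IP, flagging clients that reach a failure threshold. It assumes vsftpd records failed logins as `FAIL LOGIN: Client "..."` in the same layout as the `OK LOGIN` line; the sample lines and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Regex for the vsftpd verbose log format shown above (log_ftp_protocol=YES).
# The "[user]" field is absent until a USER command has been seen.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>OK LOGIN|FAIL LOGIN|FTP command|FTP response): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<detail>[^"]*)")?'
)

def parse_line(line):
    """Return a dict of the parsed fields, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def login_summary(lines, fail_threshold=3):
    """Count OK/FAIL logins per client IP and flag clients whose failure
    count reaches fail_threshold (a constructed value for this example)."""
    ok = Counter()
    fail = Counter()
    users = defaultdict(set)   # user names tried by each failing client
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "OK LOGIN":
            ok[rec["client"]] += 1
        elif rec["event"] == "FAIL LOGIN":
            fail[rec["client"]] += 1
            users[rec["client"]].add(rec["user"] or "")
    flagged = sorted(ip for ip, n in fail.items() if n >= fail_threshold)
    return {"ok": dict(ok), "fail": dict(fail), "flagged": flagged,
            "users_tried": {ip: sorted(u) for ip, u in users.items()}}

# Constructed sample lines in the article's log format (not a real log).
SAMPLE_LOG = """\
Sat Apr 22 11:40:36 2009 [pid 42298] FTP command: Client "192.168.1.100", "USER vivek"
Sat Apr 22 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "192.168.1.100"
Sat Apr 22 11:41:02 2009 [pid 42310] [admin] FAIL LOGIN: Client "10.1.3.108"
Sat Apr 22 11:41:05 2009 [pid 42311] [root] FAIL LOGIN: Client "10.1.3.108"
Sat Apr 22 11:41:09 2009 [pid 42312] [ftp] FAIL LOGIN: Client "10.1.3.108"
Sat Apr 22 11:41:30 2009 [pid 42313] [vivek] FAIL LOGIN: Client "192.168.1.100"
Sat Apr 22 11:41:31 2009 [pid 42313] [vivek] FTP response: Client "192.168.1.100", "530 Login incorrect."
""".splitlines()

if __name__ == "__main__":
    print(login_summary(SAMPLE_LOG))
```

Pointing the script at a real file is a matter of passing `open("/var/log/vsftpd.log")` as `lines`; the flagged list is what you would feed into an alert or a fail2ban-style block.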

Tip: Restrict Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO

Tip: Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO

Security Tip: Place the FTP Directory on its Own Partition

Separating the operating system files from FTP users' files results in a more robust and secure system. Restricting the growth of certain file systems is possible using various techniques. For example, use a /ftp partition to store all FTP home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:

/dev/sda5 /ftp ext3 defaults,nosuid,nodev,noexec,usrquota 1 2

Disk quotas must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which sets the directory vsftpd will try to change into after an anonymous login:

anon_root=/ftp/ftp/pub