Now let’s get to the point.
sudo apt-get install vsftpd
This installs ssl-cert, openssl and vsftpd, only with anonymous login and just for downloads from a jailed /home/ftp/.
Make a copy of the original configuration file. It is very well commented. Keep a copy to have the original settings and comments, just in case.
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original
Now edit the file /etc/vsftpd.conf and change it’s settings as follows.
To disable anonymous login and to enable local users login and give them write permissions:
# No anonymous login anonymous_enable=NO # Let local users login # If you connect from the internet with local users, you should enable TLS/SSL/FTPS local_enable=YES # Write permissions write_enable=YES
NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords. If you do need to transfer files over FTP, consider the use of virtual users (same system users but with non system passwords) or TLS/SSL/FTPS (see below).
To chroot users
To jail/chroot users (not the vsftpd service), there are three choices. Search for “chroot_local_users” on the file and consider one of the following:
# 1. All users are jailed by default: chroot_local_user=YES chroot_list_enable=NO # 2. Just some users are jailed: chroot_local_user=NO chroot_list_enable=YES # Create the file /etc/vsftpd.chroot_list with a list of the jailed users. # 3. Just some users are "free": chroot_local_user=YES chroot_list_enable=YES # Create the file /etc/vsftpd.chroot_list with a list of the "free" users.
To deny (or allow) just some users to login
To deny some users to login, add the following options in the end of the file:
In the file /etc/vsftpd.denied_users add the username of the users that can’t login. One username per line.
To allow just some users to login:Code:
userlist_deny=NO userlist_enable=YES userlist_file=/etc/vsftpd.allowed_users
In the file /etc/vsftpd.allowed_users add the username of the users that can login.
The not allowed users will get an error that they can’t login before they type their password.
NOTE: you definitely have to use this if you connect from the Internet.
To use vsftpd with encryption (it’s safer), change or add the following options (some options aren’t on the original config file, so add them):
ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=YES ssl_sslv3=YES # Filezilla uses port 21 if you don't set any port # in Servertype "FTPES - FTP over explicit TLS/SSL" # Port 990 is the default used for FTPS protocol. # Uncomment it if you want/have to use port 990. #listen_port=990
No need to create a certificate. vstfpd uses the certificate Ubuntu creates upon it’s installation, the “snake-oil” certificate (openssl package, installed by default). Please don’t be afraid of it’s name!
Install Filezilla (on the repositories), and use the Servertype “FTPES – FTP over explicit TLS/SSL” option to connect to the server with TLS/SSL/FTPS.
Here are some other available options. The values are examples:
# Show hidden files and the "." and ".." folders. # Useful to not write over hidden files: force_dot_files=YES # Hide the info about the owner (user and group) of the files. hide_ids=YES # Connection limit for each IP: max_per_ip=2 # Maximum number of clients: max_clients=20
Apply new configuration settings
Don’t forget that to apply new configurations, you must restart the vsftpd service.
sudo /etc/init.d/vsftpd restart
For those who use webadmin, there is a module for VSFTPD here http://www.webmin.com/third.html.
If you find problems when connecting, set pasv_min_port and pasv_max_port in /etc/vsftpd.conf and allow outbound connections in the ports you set in your firewall.
Virtual users with TLS/SSL/FTPS and a common upload directory – Complicated vsftpd
Virtual users are users that do not exist on the system – they are not in /etc/passwd, do not have a home directory on the system, can not login but in vsftpd – or if they do exist, they can login in vsftpd with a non system password – security.
You can set different definitions to each virtual user, granting to each of these users different permissions. If TLS/SSL/FTPS and virtual users are enabled, the level of security of your vsftpd server is increased: encrypted passwords, with passwords that are not used on the system, and users that can’t access directly to their home directory (if you want).
From the FAQ in vsftpd site:
Note – currently there is a restriction that with guest_enable enabled, local
users also get mapped to guest_username.This is a polite way to say that if the default vsftpd PAM file is used, the system users will be guests too. To avoid confusions change the PAM file used by vsftpd to authenticate only virtual users, make all vsftpd users as virtual users and set their passwords, home and permissions based on this example.
This is an example for a work directory where various virtual users can save (upload) their work – in this case it will be /home/work, that must be owned by the guest_username (workers).
Create the system user (workers) and the work directory (/home/work) to be used by the virtual users in vsftpd where they will upload their work in it:
# Don't use -m (--create-home) option. This avoids creating a home # directory based on /etc/skel (.bash* and .profile files). sudo useradd -d /home/work workers sudo mkdir /home/work sudo chown workers /home/work
Create directories to save the virtual users definitions.
sudo mkdir /etc/vsftpd sudo mkdir /etc/vsftpd/vusers
Change the PAM authentication in vsftpd.conf and create a new PAM file that uses the pam_userdb module to provide authentication for the virtual users.
If you still didn’t do it, make a backup copy of your vsftpd.conf or make a backup copy of the default one (it is a very good starting point and it is very well commented, as I previously wrote).
Edit the default /etc/vsftpd.conf:
sudo nano /etc/vsftpd.conf
Change the line anonymous=YES, uncomment local_enable=YES and change pam_service_name=vsftpd:
# Disable anonymous_enable is optional. anonymous_enable=NO ... local_enable=YES ... pam_service_name=ftp
Then add the TLS/SSL/FTPS definitions (from above) in the end of the file and after it also add:
# Enable (only) guests. guest_enable=YES # This is not needed, it's the default. Just here for clarity. guest_username=ftp # Where the guests (virtual) usernames are set. user_config_dir=/etc/vsftpd/vusers
The default settings in vsftpd.conf are restricted just for anonymous user that can download from /home/ftp, are chrooted there and can’t upload nor create directories. Virtual users are treated as anonymous users by vsftpd. We have disabled anonymous logins, enabled local_users (virtual users in this case, authenticated by the PAM file we will create) and enabled guests (local users – guests – will be virtual users).
The rest of the options are the default ones, so nobody can upload and because we set guest_enable=YES, if a username exists and have an empty username file, it will be treated as an anonymous user (“ftp” user). We added the TLS/SSL/FTPS so no cleartext passwords are used in the connections.
Now you will override the vsftpd.conf settings for each username individually with files in the directory /etc/vsftpd/vusers wich was set in “user_config_dir=” option. Lets continue.
Create the new file /etc/pam.d/ftp for the new authentication system:
sudo nano /etc/pam.d/ftp
And add the following content:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
Create a file with the virtual usernames and passwords that can login (one line for username, one line for password and so on for all the users) and call it “logins.txt”:
mike password1 sarah password2
Install libdb3-util, create the login database with the file logins.txt and restrict permissions to the database:
sudo apt-get install libdb3-util sudo db3_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db sudo chmod 600 /etc/vsftpd/vsftpd_login.db # This is not safe, you should delete this file. sudo chmod 600 logins.txt
Create a file for the workers settings (mike and sarah on logins.txt):
sudo nano /etc/vsftpd/workers
Add the new definitions for this users (remember that virtual users are treated as anonymous users by default on vsftpd, default anonymous settings are set on /etc/vsftpd.conf):
write_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES anon_upload_enable=YES local_root=/home/work chroot_local_user=YES dirlist_enable=YES download_enable=YES guest_username=workers
Link this file to the workers usernames in /etc/vsftpd/vusers/, so that any change made at /etc/vsftpd/workers is applied to all workers (after you restart vsftpd).
sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/mike sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/sarah
If this was suppose to be for web development, you would add this directory in apache, make it an available site and enable it as an enabled website.
System users as a virtual user with non-system password
The next example file for one user, like a system user. Add his username and a password – not the system one please, just to be a little bit safer – in logins.txt and repeat the db3_load command. Create a file named after his username inside /etc/vsftpd/vusers/:
sudo nano /etc/vsftpd/vusers/user
And save the following in it:
write_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES anon_upload_enable=YES chroot_local_user=YES # change /home/user to the actual user home directory. local_root=/home/user dirlist_enable=YES download_enable=YES guest_username=user
As you can see, guest_username is important because it will be the user that owns the uploaded files on the directories owned by the guest_username and only files owned by this guest_username can be deleted by him (if you allow it). If you don’t set a guest_username, then the “ftp” user will be the used (default in /etc/vsftpd.conf). If you create an empty file of a username present in /etc/vsftpd/vsftpd_login.db (logins.txt), this user will only have the permissions set to anonymous users in /etc/vsftpd.conf, his default home directory will be /home/ftp/ and the owner of the files he uploads (if you allow him and the directory is owned by ftp) will be “ftp”.
Only usernames in both /etc/vsftpd/vsftpd_login.db (logins.txt) AND with a file in /etc/vsftpd/vusers/ can login. So, the username can’t login if:
– If a file exist in /etc/vsftpd/vusers/ but the username is not in /etc/vsftpd/vsftpd_login.db (logins.txt) – you can add filenames that aren’t on the database, no harm done.
– If the username is in /etc/vsftpd/vsftpd_login.db (logins.txt) but do not exist in /etc/vsftpd/vusers/ – you can disable logins, just (re)move/rename the file(s) and/or link(s).Restart vsftpd.
LINK: Ubuntu Forums