Setup of VSFTPD – another approach

sandajian — Tue, 15 Apr 2008 15:35:51 +0000

In my last article, I described how to setup VSFTPD virtual users. In this article, I will describe another approach to setup VSFTPD, it needs real users on the system.

1. Installation of VSFTPD

For Red Hat, CentOS and Fedora, you may install VSFTPD by the command

# yum install vsftpd

For Debian and Ubuntu,

# apt-get install vsftpd

2. Virtual users and authentication

We may create a real user account for each webmaster. We will only give them FTP access to our server.

First, use `useradd’ command to create user accounts. Something to be specified are:

group: we may specify the group of users to the group HTTP server runs as. In most cases, it is `apache’ for Apache HTTP Server, it is `lighttpd’ for lighttpd.
home directory: we should also specify users’ home directories to their virtual hosts’ DocumentRoot. We should also make these directories writable by HTTP server.
login shell: in order to disallow normal login for these FTP users, we should specify their login shell to `/sbin/nologin’.

For example:

# useradd -g apache -d /var/www/vhosts/mike -s /sbin/nologin mike # chmod g+w /var/www/vhosts/mike # passwd mike Changing password for user mike. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully.

3. Configuration of VSFTPD

Create a configuration file /etc/vsftpd/vsftpd-virtual.conf,

# disables anonymous FTP anonymous_enable=NO # enables non-anonymous FTP local_enable=YES # enables uploads and new directories write_enable=YES # authentication of virtual uses pam_service_name=login # the virtual user is restricted to the virtual FTP area chroot_local_user=YES # runs vsftpd in standalone mode listen=YES # listens on this port for incoming FTP connections listen_port=60021 # the minimum port to allocate for PASV style data connections pasv_min_port=62222 # the maximum port to allocate for PASV style data connections pasv_max_port=63333 # controls whether PORT style data connections use port 20 (ftp-data) connect_from_port_20=YES # the umask for file creation local_umask=022

4. Start VSFTPD and test
Now we can start VSFTPD by the command:

# /usr/sbin/vsftpd /etc/vsftpd/vsftpd-virtual.conf

and test the FTP access of a virtual user:

# lftp -u mike -p 60021 192.168.1.101

The virtual user should have full access to his directory.

Setup of VSFTPD virtual users

sandajian — Sat, 05 Apr 2008 08:12:53 +0000

If you are hosting several web sites, for security reason, you may want the webmasters to access their own files only. One of the good way is to give them FTP access by setup of VSFTPD virtual users and directories. This article describes how you can do that easily.
(See also: Setup of VSFTPD virtual users – another approach)

1. Installation of VSFTPD

For Red Hat, CentOS and Fedora, you may install VSFTPD by the command

# yum install vsftpd

For Debian and Ubuntu,

# apt-get install vsftpd

2. Virtual users and authentication

We are going to use pam_userdb to authenticate the virtual users. This needs a username / password file in `db’ format – a common database format. We need `db_load’ program. For CentOS, Fedora, you may install the package `db4-utils’:

# yum install db4-utils

For Ubuntu,

# apt-get install db4.2-util

To create a `db’ format file, first create a plain text file `virtual-users.txt’ with the usernames and passwords on alternating lines:

mary 123456 jack 654321

Then execute the following command to create the actual database:

# db_load -T -t hash -f virtual-users.txt /etc/vsftpd/virtual-users.db

Now, create a PAM file /etc/pam.d/vsftpd-virtual which uses your database:

auth required pam_userdb.so db=/etc/vsftpd/virtual-users account required pam_userdb.so db=/etc/vsftpd/virtual-users

3. Configuration of VSFTPD

Create a configuration file /etc/vsftpd/vsftpd-virtual.conf,

# disables anonymous FTP anonymous_enable=NO # enables non-anonymous FTP local_enable=YES # activates virtual users guest_enable=YES # virtual users to use local privs, not anon privs virtual_use_local_privs=YES # enables uploads and new directories write_enable=YES # the PAM file used by authentication of virtual uses pam_service_name=vsftpd-virtual # in conjunction with 'local_root', # specifies a home directory for each virtual user user_sub_token=$USER local_root=/var/www/virtual/$USER # the virtual user is restricted to the virtual FTP area chroot_local_user=YES # hides the FTP server user IDs and just display "ftp" in directory listings hide_ids=YES # runs vsftpd in standalone mode listen=YES # listens on this port for incoming FTP connections listen_port=60021 # the minimum port to allocate for PASV style data connections pasv_min_port=62222 # the maximum port to allocate for PASV style data connections pasv_max_port=63333 # controls whether PORT style data connections use port 20 (ftp-data) connect_from_port_20=YES # the umask for file creation local_umask=022

4. Creation of home directories

Create each user’s home directory in /var/www/virtual, and change the owner of the directory to the user `ftp’:

# mkdir /var/www/virtual/mary # chown ftp:ftp /var/www/virtual/mary

5. Startup of VSFTPD and test
Now we can start VSFTPD by the command:

# /usr/sbin/vsftpd /etc/vsftpd/vsftpd-virtual.conf

and test the FTP access of a virtual user:

# lftp -u mary -p 60021 192.168.1.101

The virtual user should have full access to his directory.

Linux for Fun » vsftpd

Setup of VSFTPD – another approach

Setup of VSFTPD virtual users