Configuring FTP server VSFTPD
Configure VSFTPD Virtual Users
The document describes how to fine-tune vsftpd and the system to significantly expand the capabilities of vsftpd:- Read-only users.
- Record-Only Users.
- Create an anonymous ftp server, if necessary, only special users with permissions can see the downloaded files.
- Limit FTP speeds for [not] anonymous \ any_ individual users.
- Restrict any necessary users to work only in the subdirectories assigned to them, and users working with all such directories.
- And so on, everything that can be configured in vsftpd, but for each individual virtual user!
Creating a unix-shell user for a new configuration instance.
We will create several vsftpd configurations independent of each other, for each such instance one real unix-shell user and our own set of vsftpd configs will be used. In the example, the username is f_ftp.
# umask 0077; # mkdir -m 0701 /home/ftp_users # useradd -m -d /home/ftp_users/f_ftp f_ftp # chmod 705 /home/ftp_users/f_ftp # mkdir -m 0775 /home/ftp_users/f_ftp/incoming # chown ftp:f_ftp /home/ftp_users/f_ftp/incoming # edquota f_ftp <= assign a common quota for this ftp and all its virtual users.
If you do not plan to give anonymous access, you can not create the incoming directory.
If you want the downloaded files to the incoming directory to be accessible to all anonymous users (anonymous, ftp in the examples below) for downloading only by a "direct link", that is, for those who know the file name, but the list of files in this directory was not displayed, in order to remove the possibility of listing the directory, invoke:# chmod 0375 /home/ftp_users/f_ftp/incoming;
Setting vsftpd's instance. Configure xinetd
Using xinetd we will be able to run several independent vsftpd, each of which will be with its own configuration. Each vsftpd is hung on its own IP. When accessing this IP, xinetd will call the corresponding vsftpd with a specific configuration file:# mkdir -m 700 /etc/xinetd.d/vsftpd_virtual # cat > /etc/xinetd.d/vsftpd_virtual/f_ftp << EOF service ftp { socket_type = stream protocol = tcp user = root wait = no rlimit_as = 16M server = /usr/sbin/vsftpd bind = 192.168.0.33 server_args = /etc/vsftpd/f_ftp/vsftpd.conf disable = no } EOF
192.168.0.33 -- The unique IP stuck behind this instance. Change it.
# echo "includedir /etc/xinetd.d/vsftpd_virtual" >> /etc/xinetd.conf
Setting vsftpd's instance. Vsftpd.conf main configuration file
# mkdir -p -m 0700 /etc/vsftpd/f_ftp # touch /etc/vsftpd/f_ftp/vsftpd.conf; chmod 600 /etc/vsftpd/f_ftp/vsftpd.conf # cat > /etc/vsftpd/f_ftp/vsftpd.conf << EOF anonymous_enable=YES ftp_username=ftp anon_root=/home/ftp_users/f_ftp #chown_username=f_ftp (see bugs section) #chown_uploads=YES (see bugs section) anon_upload_enable=YES anon_mkdir_write_enable=NO anon_other_write_enable=NO anon_world_readable_only=YES anon_umask=022 anon_max_rate=80960 local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES xferlog_enable=YES log_ftp_protocol=YES port_enable=YES connect_from_port_20=YES pasv_enable=YES pasv_min_port=49152 pasv_max_port=65535 idle_session_timeout=65 data_connection_timeout=60 accept_timeout=10 connect_timeout=10 max_clients=5 #max_per_ip=2 #<--- 421 There are too many connections from your internet address. max_per_ip=10 nopriv_user=vsftpd async_abor_enable=NO ascii_upload_enable=NO ascii_download_enable=NO ftpd_banner=Welcome to Super Client instance FTP server. ls_recurse_enable=YES hide_ids=YES use_localtime=YES userlist_deny=NO userlist_enable=YES userlist_file=/etc/vsftpd/f_ftp/allowed_list pam_service_name=vsftpd.f_ftp guest_enable=YES guest_username=f_ftp user_config_dir=/etc/vsftpd/f_ftp/users #500 OOPS: vsftpd: refusing to run with writable root inside chroot() allow_writeable_chroot=YES EOFMain settings:
- ftpd_banner -- FTP banner.
- pam_service_name=vsftpd.f_ftp -- see below for setting up PAM.
- guest_username=f_ftp -- The name of the user into which virtual users registered in virtual_users map (see below on Pre-Configuring PAM).
- userlist_file=/etc/vsftpd/f_ftp/allowed_list -- See below about the file allowed_list
- user_config_dir=/etc/vsftpd/f_ftp/users -- See below about 'users' directory
PAM setup
Directive pam_service_name=vsftpd.f_ftp points to a file:# cat > /etc/pam.d/vsftpd.f_ftp << EOF auth required pam_nologin.so auth required pam_userdb.so db=/etc/vsftpd/f_ftp/virtual_users account required pam_userdb.so db=/etc/vsftpd/f_ftp/virtual_users EOF
PAM further configuration . 'virtual_users' file
By this file VSFTPD authorize "users" through PAM, here __only__ virtual users should be indicated:# cat > /etc/vsftpd/f_ftp/virtual_users << EOF vuser1 vpass1 vuser2 vpass2 EOF
Check this file, there should not be empty lines at the beginning and end of the file, there should be no spaces at the end of lines, etc.Then, to generate the .db file (PAM actually use that .db file, not original):
# db_load -T -t hash -f /etc/vsftpd/f_ftp/virtual_users /etc/vsftpd/f_ftp/virtual_users.db
Do not forget to run this command after entering a new virtual user or changing the password to an existing one.Configure VSFTPD. 'allowed_list' file.
Config Directive: userlist_file=/etc/vsftpd/f_ftp/allowed_list
allowed_list -- list of allowed users, __including__ virtual.
There is no need to make this .db file.
# touch /etc/vsftpd/f_ftp/allowed_list; chmod 600 /etc/vsftpd/f_ftp/allowed_list # cat >> /etc/vsftpd/f_ftp/allowed_list << EOF f_ftp vuser1 vuser2 anonymous ftp EOF
Just exclude a user from this list to deny him access.
Exclude usernames anonymous and ftp if you do not plan to give anonymous access.
The users anonymous and ftp are the standard anonymous (guest) usernames of the FTP protocol.
Configure VSFTPD. Directory with configuration files 'users'
Config Directive: user_config_dir=/etc/vsftpd/f_ftp/usersThe vsftpd.conf configuration files directory for each virtual user individually.
When creating a new virtual user, configure his specific parameters.
# mkdir -m 700 /etc/vsftpd/f_ftp/users/Create an anonymous, read-only user with the name vuser1:
# cat > /etc/vsftpd/f_ftp/users/vuser1 << EOF anon_upload_enable=NO anon_mkdir_write_enable=NO anon_other_write_enable=NO EOFCreate a private user, with the ability to write, with the name vuser2:
# cat > /etc/vsftpd/f_ftp/users/vuser2 << anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES anon_max_rate=0 #local_root=/home/ftp_users/f_ftp/subdir EOF
Directive anon_max_rate=0 Completely removes (equating to zero) a more general speed limit (see above "the main vsftpd.conf configuration file").
Uncomment #local_root=, to limit the user to the ability to work with only one specific [sub] directory.
Using 'f_ftp' Account
Unix-shell user f_ftp cannot log in to the FTP server. You should only set a password for him if you plan to work with account data through, say, SSH (SCP). To set a unix-shell password for a user:# passwd f_ftp
If you want f_ftp to have access to the FTP server with this name, just make another virtual FTP user f_ftp by writing it to allowed_list:
# echo "f_ftp" >>/etc/vsftpd/f_ftp/allowed_listAnd set him a password:
# cat >> /etc/vsftpd/f_ftp/virtual_users << EOF f_ftp f_ftp_user_pass EOF # db_load -T -t hash -f /etc/vsftpd/f_ftp/virtual_users /etc/vsftpd/f_ftp/virtual_users.db
Please note that the password in the virtual_users file for the virtual user f_ftp will be the password by which f_ftp will go to the FTP server, the password of the unix-shell account does not play any role here.
Bugs / Features
When using options:chown_username=f_ftp chown_uploads=YESA file uploaded to incoming using anonymous changes its rights not taking into account anon_umask, but rigidly with 600 rights.
FIXME - requires fixing.
Option anon_max_rate limits all connections of all users, and not just connections with logins anonymous and / or ftp.
Option local_max_rate in this case does not play any role.
Having registered this or that directive in a configuration file of a specific user from "Directories with configuration files 'users'",
we will replace the settings (defaults) declared in "main configuration file 'vsftpd.conf'".
In the examples above, we thus remove the TCP limit for the speed of upload / download of files to a specific user vuser2 by setting the anon_max_rate option to zero, if not - option will play a role for this user anon_max_rate=80960 main configuration file.