Friday, 6 September 2013

CentOS 6/RHEL: install and configure a VSFTPD server

The Very Secure FTP Daemon (vsftpd) is a widely used FTP server that supports a wide range of features and lets you upload and distribute large files across a local network and the internet.


It is the usual choice for the security conscious, and here we look at why vsftpd is the first choice for administrators running a CentOS server.

You should be using a static IP address and have one or more system user accounts that will log in over FTP.


It is tested here using the CentOS Live CD as my usual minimal Fluxbox version is still out of action.




If you are running a firewall, open the required ports rather than disabling it: TCP port 21 for the control connection, plus the passive-mode data ports. On CentOS 6 that means either loading the nf_conntrack_ftp connection-tracking helper so that related data connections are accepted, or fixing the passive range with pasv_min_port and pasv_max_port in vsftpd.conf and opening that range. If you are running SELinux, keep it enforcing; the chroot setup below only needs the ftp_home_dir boolean switched on with setsebool -P, which is covered together with the 500 error at the end of this post.

First install the server package, plus the command-line ftp client so that the service can be tested locally

# yum -y install vsftpd ftp

Open the main configuration file in your favourite text editor

# vi /etc/vsftpd/vsftpd.conf

First disable anonymous users, by scrolling down and finding the following line

anonymous_enable=YES

Change it to read

anonymous_enable=NO

Now find the following line

xferlog_std_format=YES

This selects the wu-ftpd-compatible transfer log (/var/log/xferlog), which records file transfers only. Change it to NO so that vsftpd writes its own log format instead, which also records every connection and every successful and failed login together with the client address, and is therefore the log you want when looking for brute-force attempts. The native log goes to /var/log/vsftpd.log by default (vsftpd_log_file); set dual_log_enable=YES if you need both formats.

xferlog_std_format=NO
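As an added example, not code from the original post: with xferlog_std_format=NO the native log records failed logins, and these POSIX shell functions pull the failed-login count per client address out of it, the kind of check worth running by hand or from cron on any FTP server reachable from the internet. The write_sample_log function writes a constructed sample of lines in vsftpd's native format (not taken from a real server); on the real host point the functions at /var/log/vsftpd.log instead.

```shell
#!/bin/sh
# Added example: summarize logins from vsftpd's native log format
# (what you get with xferlog_std_format=NO; default path /var/log/vsftpd.log).
# The log lines in write_sample_log are constructed for this example.

# failed_logins_by_client LOGFILE
#   prints "count client" per client IP, highest count first
failed_logins_by_client() {
    grep 'FAIL LOGIN:' "$1" \
      | sed -n 's/.*Client "\([^"]*\)".*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# clients_over_threshold LOGFILE N
#   prints client IPs with more than N failed logins (crude brute-force indicator)
clients_over_threshold() {
    failed_logins_by_client "$1" | awk -v n="$2" '$1 > n {print $2}'
}

# successful_logins LOGFILE
#   prints "user client" for every OK LOGIN line
successful_logins() {
    sed -n 's/.*\[\([^]]*\)\] OK LOGIN: Client "\([^"]*\)".*/\1 \2/p' "$1"
}

# write_sample_log FILE -- constructed sample in vsftpd's own log format
write_sample_log() {
    cat > "$1" <<'EOF'
Fri Sep  6 10:12:01 2013 [pid 2301] CONNECT: Client "192.0.2.10"
Fri Sep  6 10:12:03 2013 [pid 2300] [alice] OK LOGIN: Client "192.0.2.10"
Fri Sep  6 10:12:40 2013 [pid 2310] CONNECT: Client "198.51.100.7"
Fri Sep  6 10:12:41 2013 [pid 2309] [root] FAIL LOGIN: Client "198.51.100.7"
Fri Sep  6 10:12:43 2013 [pid 2309] [admin] FAIL LOGIN: Client "198.51.100.7"
Fri Sep  6 10:12:45 2013 [pid 2309] [alice] FAIL LOGIN: Client "198.51.100.7"
Fri Sep  6 10:12:47 2013 [pid 2309] [bob] FAIL LOGIN: Client "198.51.100.7"
Fri Sep  6 10:13:02 2013 [pid 2320] [bob] FAIL LOGIN: Client "192.0.2.10"
Fri Sep  6 10:13:09 2013 [pid 2320] [bob] OK LOGIN: Client "192.0.2.10"
Fri Sep  6 10:13:30 2013 [pid 2321] [bob] OK UPLOAD: Client "192.0.2.10", "/home/bob/report.txt", 4096 bytes, 120.00Kbyte/sec
EOF
}

# Run with "demo" as the first argument to see the functions on the sample log.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "Failed logins per client:"; failed_logins_by_client "$tmp"
    echo "Clients with more than 3 failures:"; clients_over_threshold "$tmp" 3
    echo "Successful logins:"; successful_logins "$tmp"
    rm -f "$tmp"
fi
```

The threshold is deliberately crude: a single address hammering several account names in a few seconds, as in the sample, is the pattern to alert on, and the same grep works against the live file.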

Now scroll down to locate the following

#ascii_upload_enable=YES
#ascii_download_enable=YES

By default vsftpd accepts a client's request for ASCII mode but ignores it. Uncommenting these lines makes the server actually convert line endings, which is useful when exchanging single-byte text files between Windows and Unix hosts; binary files must still be transferred in binary mode or they will be corrupted. The stock configuration file notes that some FTP servers can be made to do heavy work by a SIZE request on a large file in ASCII mode; vsftpd reports the raw file size and is not affected. Uncomment the lines as follows

ascii_upload_enable=YES
ascii_download_enable=YES

Now scroll down to find the following chroot settings

#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list

Uncomment these lines to enable the chroot jail. With chroot_local_user=YES every local user is confined to their home directory after login. Note how the second setting interacts with the first: when chroot_local_user is YES, chroot_list_enable=YES turns the file named by chroot_list_file into a list of users who are exempt from the jail; only when chroot_local_user is NO does that file list the users to be jailed.

chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list

Finally, scroll down to the bottom of the file and add the following line so that directory listings (and the times returned by the MDTM command) use the server's local time zone instead of GMT

use_localtime=YES

Save and exit the configuration file and then create the chroot list file. vsftpd refuses logins (500 OOPS: could not open chroot() list file) when chroot_list_enable=YES and the file does not exist, so create it even if you leave it empty.

# vi /etc/vsftpd/chroot_list

With chroot_local_user=YES set above, every user name you add here, one per line, is exempted from the jail and can browse the whole filesystem over FTP. List only accounts that genuinely need that, and leave the file empty to keep everyone confined to their home directory.

username1
username2
username3
username4

Save and exit the chroot_list file, and enable VSFTPD at boot.

# chkconfig vsftpd on

Finally type the following command to start the FTP service

# service vsftpd start

At this point vsftpd is functional and can be tested with any FTP client. Log in using a valid system username and password, connecting to your server's name, domain, or IP address. Bear in mind that plain FTP sends the username, password and data in cleartext, so keep the service off untrusted networks unless you also configure TLS (ssl_enable), which is outside the scope of this post.

Check the status of your FTP service by typing

# service vsftpd status
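As an added example, not code from the original post: a small POSIX shell script that makes the same edits to vsftpd.conf non-interactively and then reports the resulting chroot policy, the part of this setup most often got wrong. It assumes GNU sed and the CentOS 6 paths /etc/vsftpd/vsftpd.conf and /etc/vsftpd/chroot_list (override with CONF= and CHROOT_LIST=); write_sample_conf writes a constructed, stock-like configuration fragment so the script can be tried on a copy before touching the real file.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the walkthrough's
# vsftpd.conf changes non-interactively and reports the chroot policy.
# Assumes GNU sed (CentOS 6) and the CentOS paths below; override with
# CONF= and CHROOT_LIST= to work on a copy.

# set_directive FILE KEY VALUE
#   Replace an existing KEY=... line, commented out or not, with KEY=VALUE;
#   append it if the key is not present. Mirrors the manual vi edits.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}${key}=" "$file"; then
        sed -i "s|^#\{0,1\}${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY -> value of the active (uncommented) KEY, or empty
get_directive() {
    sed -n "s/^${2}=//p" "$1" | tail -n 1
}

# harden_conf FILE CHROOT_LIST -- the settings changed in the walkthrough
harden_conf() {
    set_directive "$1" anonymous_enable NO
    set_directive "$1" xferlog_std_format NO      # native log: logins + transfers
    set_directive "$1" chroot_local_user YES
    set_directive "$1" chroot_list_enable YES
    set_directive "$1" chroot_list_file "$2"
    set_directive "$1" use_localtime YES
    # vsftpd refuses logins if the list file is missing; empty means nobody is exempt
    [ -f "$2" ] || : > "$2"
}

# chroot_policy FILE -> one line saying which local users end up jailed
chroot_policy() {
    conf=$1
    all=$(get_directive "$conf" chroot_local_user)
    list_on=$(get_directive "$conf" chroot_list_enable)
    list=$(get_directive "$conf" chroot_list_file)
    [ -n "$list" ] || list=/etc/vsftpd/chroot_list   # vsftpd's default
    case "$all:$list_on" in
        YES:YES) echo "all local users jailed EXCEPT those in $list" ;;
        YES:*)   echo "all local users jailed" ;;
        *:YES)   echo "ONLY users listed in $list are jailed" ;;
        *)       echo "no local user is jailed" ;;
    esac
}

# write_sample_conf FILE -- constructed stock-like fragment for trying this on a copy
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
EOF
}

# Run with "apply" as the first argument (as root) to edit the live configuration.
if [ "${1:-}" = "apply" ]; then
    conf=${CONF:-/etc/vsftpd/vsftpd.conf}
    harden_conf "$conf" "${CHROOT_LIST:-/etc/vsftpd/chroot_list}"
    chroot_policy "$conf"
fi
```

After an apply run, restart the service with service vsftpd restart as in the steps above; chroot_policy is also a handy one-liner to run against any existing vsftpd.conf before assuming users are jailed.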

So vsftpd is not a difficult package to install and configure, but you can expand on the above with a few extra tasks.

After installing and configuring a basic FTP service you may wonder how to direct users to a specific folder after login rather than their home directory.

First ensure the directory exists and that the FTP user can at least read it, or create it with

# mkdir /home/centoslive/ftpdir

Open up the config file again

# vi /etc/vsftpd/vsftpd.conf

Scroll down to the bottom of the file and add a local_root line, substituting the path with one suited to your own needs. vsftpd changes into this directory after a local login and silently ignores failure, so a wrong path leaves users in their home directory with nothing in the log to say why.

local_root=/home/centoslive/ftpdir

If each user should land in a directory of their own, vsftpd can substitute the login name: set user_sub_token=$USER and use $USER in the local_root path.

Save and exit the configuration file and restart the server.

# service vsftpd restart
 
Changing the default time-out

When dealing with a large number of users you may want to change the default time-out values so that idle sessions and stalled data connections are dropped sooner and their server processes freed. To do this, again open the main configuration file in your favorite text editor

# vi /etc/vsftpd/vsftpd.conf

Now scroll down and find the following

# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120

Uncomment the idle_session and data_connection lines and substitute the numeric values (in seconds) as required. The values shown below are the defaults, so lower them to drop idle sessions sooner

# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120

Remember to restart the server 

# service vsftpd restart

Banning a user from the FTP service

By enabling a chroot jail you restrict a user's access to their home folder, but if you want to ban a specific user from the FTP service as a whole, add the user's name to /etc/vsftpd/ftpusers. On CentOS 6 this file is a deny list consulted by PAM (see /etc/pam.d/vsftpd) and already contains root and the system accounts; leave those entries in place. The stock configuration also enables /etc/vsftpd/user_list (userlist_enable=YES), which works as a second deny list.

Log in as root and type the following command

# echo username >> /etc/vsftpd/ftpusers

Remember to replace username with a value more appropriate

If you ever need to re-enable the user, simply reverse the previous process by removing the user concerned from /etc/vsftpd/ftpusers.

Customizing the banner

The default banner will suit most purposes but sometimes you may want to customize it. Remember that the banner is sent to every client before authentication, so do not put the software version, internal hostnames or anything else an attacker could use into it.

To do this, open the main configuration file in your favorite text editor.

# vi /etc/vsftpd/vsftpd.conf

Now scroll down and find the following line

#ftpd_banner=Welcome to blah FTP service

Uncomment this line and alter the message as required. For example, you could use

ftpd_banner=Welcome to the new FTP server

Having done this, close any active connection and restart the VSFTPD service by typing

# service vsftpd restart

On the next successful login your users should see the following message

Welcome to the new FTP server

If you encounter a 500 error on login (typically 500 OOPS: cannot change directory) with SELinux enforcing, do not disable SELinux. Allow vsftpd into users' home directories by switching on the ftp_home_dir boolean with setsebool -P ftp_home_dir on; the -P flag makes the change persist across reboots, and getsebool ftp_home_dir shows the current value.
