Configure vsftpd SSL/TLS and Jail for Any User Writing as www-data to Web Server
vsftpd (very secure FTP daemon) is an FTP server for Unix-like systems, including Linux. It is licensed under the GNU General Public License and supports IPv6 and SSL.
vsftpd supports explicit (since 2.0.0) and implicit (since 2.1.0) FTPS.
vsftpd is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions.
Debian/Ubuntu:
# apt-get install vsftpd
CentOS/RHEL/Fedora:
# yum -y install vsftpd
Arch Linux:
# pacman -S vsftpd
FreeBSD:
# pkg install vsftpd
On FreeBSD, add the vsftpd enable line to /etc/rc.conf so the daemon is enabled and started at boot:
# vim /etc/rc.conf
Then start it:
$ sudo /usr/local/etc/rc.d/vsftpd start
Some settings in the FreeBSD vsftpd.conf are a little different; I'll write a separate article specifically for FreeBSD vsftpd.
Gentoo:
# emerge vsftpd
Add vsftpd to the default runlevel and start it:
# rc-update add vsftpd default
# /etc/init.d/vsftpd start
On systemd-based systems:
# systemctl enable vsftpd
# systemctl start vsftpd
Add a user who will log in to the vsftpd server:
# adduser ftpuser
# passwd ftpuser
Create a folder for the user we just created in the root of your web server:
# mkdir /var/www/html/ftpuser
Give the user ownership of the directory (chown, not chmod, takes a user:group argument):
# chown -R ftpuser:ftpuser /var/www/html/ftpuser
Open the vsftpd configuration file and add the following lines:
# vim /etc/vsftpd.conf
Save the file; in vi or vim press : then x.
Change Default vsftpd Port
If you like, you can change the vsftpd default port to a non-standard one, for example to listen on 1234:
# vim /etc/vsftpd.conf
Set this to NO:
Custom vsftpd Logs
# vim /etc/vsftpd.conf
Default log: enable it and change it to a custom location/name.
Make sure syslog logging is disabled with syslog_enable=NO.
This will show all files moving through the web server, but if you want to see all activity, including connections and commands, you also need to add:
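Once the log is going to its own file, it is worth having something that reads it. The script below is an added example of mine (not from this post or the vsftpd project): it works on vsftpd's default log line format, picks out clients with repeated failed logins and lists uploads of files the web server would execute, which matters in this setup because uploads land in the web root owned by www-data. The log lines in sample_vsftpd_log are constructed for the example; the threshold of 3 failures and the extension list are assumptions you can change.

```shell
#!/bin/sh
# Added example: read a vsftpd.log (default vsftpd format, not xferlog_std_format)
# and pull out the two things worth alerting on for a www-data upload jail.

# Constructed sample log lines for the example (not real traffic).
sample_vsftpd_log() {
cat <<'EOF'
Mon Mar  7 10:00:01 2016 [pid 1201] CONNECT: Client "203.0.113.5"
Mon Mar  7 10:00:02 2016 [pid 1200] [ftpuser] OK LOGIN: Client "203.0.113.5"
Mon Mar  7 10:00:05 2016 [pid 1202] [ftpuser] OK UPLOAD: Client "203.0.113.5", "/var/www/html/ftpuser/index.html", 512 bytes, 10.00Kbyte/sec
Mon Mar  7 10:00:09 2016 [pid 1202] [ftpuser] OK UPLOAD: Client "203.0.113.5", "/var/www/html/ftpuser/upload.php", 2048 bytes, 20.00Kbyte/sec
Mon Mar  7 10:01:00 2016 [pid 1210] [ftpuser] FAIL LOGIN: Client "198.51.100.9"
Mon Mar  7 10:01:01 2016 [pid 1211] [ftpuser] FAIL LOGIN: Client "198.51.100.9"
Mon Mar  7 10:01:02 2016 [pid 1212] [admin] FAIL LOGIN: Client "198.51.100.9"
Mon Mar  7 10:01:03 2016 [pid 1213] [ftpuser] FAIL LOGIN: Client "198.51.100.9"
Mon Mar  7 10:02:00 2016 [pid 1220] [ftpuser] FAIL LOGIN: Client "192.0.2.77"
EOF
}

# Clients with at least $2 (default 3, an assumed threshold) failed logins
# in log file $1. Prints "count ip" per client.
failed_login_clients() {
    awk -v min="${2:-3}" '
        /FAIL LOGIN: Client "/ {
            ip = $0; sub(/.*Client "/, "", ip); sub(/".*/, "", ip)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1"
}

# Successful uploads whose file name the web server would execute
# (PHP/CGI; assumed extension list). Prints "ip path" per upload.
executable_uploads() {
    awk '
        /OK UPLOAD: Client "/ {
            ip = $0;   sub(/.*Client "/, "", ip);            sub(/".*/, "", ip)
            path = $0; sub(/.*Client "[^"]*", "/, "", path); sub(/".*/, "", path)
            if (path ~ /\.(php|phtml|php[0-9]|cgi|pl)$/) print ip, path
        }' "$1"
}

# Stand-alone run against the constructed sample.
log=$(mktemp)
sample_vsftpd_log > "$log"
echo "clients with repeated failed logins:"; failed_login_clients "$log"
echo "uploads of server-side scripts:";     executable_uploads "$log"
rm -f "$log"
```

Point both functions at /var/log/vsftpd.log (or whatever xferlog_file you set) from cron; the failed-login output is what you would feed into a firewall block list, and the upload output is what you would review by hand.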
After changing the port you need to restart the service:
# service vsftpd restart
# netstat -nuptl | grep ftp
tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 4136/vsftpd
Options defined below:
listen - vsftpd itself will take care of listening and handling incoming connections. Default setting is NO.
anonymous_enable - Allow anonymous FTP? (Beware: allowed by default if you comment this out.) Set this to NO.
local_enable - Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd (or wherever your PAM config references) may be used to log in.
virtual_use_local_privs - If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).
write_enable - This controls whether any FTP commands which change the filesystem are allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.
connect_from_port_20 - This controls whether PORT style data connections use port 20 (ftp-data) on the server machine.
secure_chroot_dir - This option should be the name of a directory which is empty. Also, the directory should not be writable by the ftp user. This directory is used as a secure chroot() jail at times vsftpd does not require filesystem access.
pam_service_name - The name of the PAM (pluggable authentication modules) service vsftpd uses to authenticate logins. A virtual user is a user login which does not exist as a real login on the system in the /etc/passwd and /etc/shadow files.
guest_enable - If enabled, all non-anonymous logins are classed as "guest" logins. A guest login is remapped to the user specified in the guest_username setting.
ftp_username - This is the name of the user we use for handling anonymous FTP. The home directory of this user is the root of the anonymous FTP area. Default is ftp.
chmod_enable - When enabled, allows use of the SITE CHMOD command. NOTE! This only applies to local users. Anonymous users never get to use SITE CHMOD.
chown_uploads - If enabled, all anonymously uploaded files will have the ownership changed to the user specified in the setting chown_username. This is useful from an administrative, and perhaps security, standpoint.
chown_username - This is the name of the user who is given ownership of anonymously uploaded files. This option is only relevant if another option, chown_uploads, is set.
guest_username - See the boolean setting guest_enable for a description of what constitutes a guest login. This setting is the real username which guest users are mapped to.
force_dot_files - If activated, files and directories starting with . will be shown in directory listings even if the "a" flag was not used by the client. This override excludes the "." and ".." entries.
pasv_enable - Set to NO if you want to disallow the PASV method of obtaining a data connection.
pasv_promiscuous - Set to YES if you want to disable the PASV security check that ensures the data connection originates from the same IP address as the control connection. Only enable if you know what you are doing! The only legitimate use for this is in some form of secure tunnelling scheme, or perhaps to facilitate FXP support.
pasv_min_port - The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
pasv_max_port - The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
syslog_enable - If enabled, then any log output which would have gone to /var/log/vsftpd.log goes to the system log instead. Logging is done under the FTPD facility.
max_clients - If vsftpd is in standalone mode, this is the maximum number of clients which may be connected. Any additional clients connecting will get an error message.
max_per_ip - If vsftpd is in standalone mode, this is the maximum number of clients which may be connected from the same source internet address. A client will get an error message if they go over this limit.
port_promiscuous - Set to YES if you want to disable the PORT security check that ensures that outgoing data connections can only connect to the client. Only enable if you know what you are doing!
port_enable - Set to NO if you want to disallow the PORT method of obtaining a data connection.
listen_port - If vsftpd is in standalone mode, this is the port it will listen on for incoming FTP connections.
ftp_data_port - The port from which PORT style connections originate (as long as the poorly named connect_from_port_20 is enabled).
user_sub_token - This option is useful in conjunction with virtual users. It is used to automatically generate a home directory for each virtual user, based on a template. For example, if the home directory of the real user specified via guest_username is /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user fred logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/fred. This option also takes effect if local_root contains user_sub_token.
hide_ids - If enabled, all user and group information in directory listings will be displayed as "ftp".
user_config_dir - This powerful option allows the override of any config option specified in the manual page, on a per-user basis. Usage is simple, and is best illustrated with an example. If you set user_config_dir to /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd will apply the settings in the file /etc/vsftpd_user_conf/chris for the duration of the session. The format of this file is as detailed in this manual page. PLEASE NOTE that not all settings are effective on a per-user basis; for example, many settings are only read prior to the user's session being started. Examples of settings which will not affect any behaviour on a per-user basis include listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc.
chroot_local_user - If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.
allow_writeable_chroot - Set to YES to allow a chroot() jail whose root directory is writable by the user; vsftpd otherwise refuses such logins, since a writable chroot root is what the chroot_local_user warning above is about.
seccomp_sandbox - seccomp is a Linux kernel facility that sandboxes the vsftpd process by restricting the system calls it may make. Setting this to NO resolves some errors, at the cost of that sandbox.
SSL options defined below:
ssl_enable - Enables SSL support.
rsa_cert_file - Specify the location of your web server certificate, e.g. /etc/ssl/bundle.crt.
rsa_private_key_file - Specify the location of the matching private key from the web server, e.g. /etc/ssl/linuxsecrets.key.
allow_anon_ssl - Set to NO to disallow anonymous SSL logins.
force_local_data_ssl - Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.
force_local_logins_ssl - Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send the password.
ssl_tlsv1 - Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. TLS v1 connections are preferred.
ssl_sslv2 - Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. TLS v1 connections are preferred.
ssl_sslv3 - Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. TLS v1 connections are preferred.
require_ssl_reuse - If set to YES, all SSL data connections are required to exhibit SSL session reuse (which proves that they know the same master secret as the control channel). Although this is a secure default, it may break many FTP clients, so you may want to disable it.
ssl_ciphers - This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL connections. See the ciphers man page for further details. Note that restricting ciphers can be a useful security precaution, as it prevents malicious remote parties forcing a cipher which they have found problems with.
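To tie the options above together, here is an added example of mine (not the configuration from this post, and not the vsftpd project's own sample file): a shell script that emits a complete vsftpd.conf for the www-data jail setup and then audits any vsftpd.conf for the weak settings the option list warns about, treating a missing key as its vsftpd default (so a commented-out anonymous_enable is reported, because the default is YES). It uses the certificate and key paths from this post; the www-data remap via guest_username, the /var/www/html/$USER jail layout, the passive port range, the secure_chroot_dir path and the client limits are assumptions for the example.

```shell
#!/bin/sh
# Added example: hardened vsftpd.conf generator plus a config audit.
# Assumed values: guest_username=www-data, local_root=/var/www/html/$USER,
# pasv range 40000-40100, secure_chroot_dir=/var/run/vsftpd/empty.

hardened_vsftpd_conf() {
cat <<'EOF'
listen=YES
listen_port=21
anonymous_enable=NO
local_enable=YES
write_enable=YES
# every local login is remapped to www-data, so uploads are owned by the web server
guest_enable=YES
guest_username=www-data
virtual_use_local_privs=YES
# jail each user under the web root: /var/www/html/<username>
chroot_local_user=YES
allow_writeable_chroot=YES
user_sub_token=$USER
local_root=/var/www/html/$USER
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
connect_from_port_20=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
pasv_promiscuous=NO
port_promiscuous=NO
hide_ids=YES
max_clients=10
max_per_ip=3
seccomp_sandbox=NO
# logging to a local file rather than syslog
syslog_enable=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
# TLS: encryption required for passwords and data, SSLv2/SSLv3 off
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/bundle.crt
rsa_private_key_file=/etc/ssl/linuxsecrets.key
EOF
}

# Audit vsftpd.conf $1. Prints one FINDING line per weak setting and
# returns 0 when clean, 1 otherwise. Table columns: key, wanted value,
# vsftpd default used when the key is absent, reason.
audit_vsftpd_conf() {
    conf="$1"
    findings=0
    while read -r key want dflt why; do
        got=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1)
        [ -z "$got" ] && got="$dflt"
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key=$got (want $want): $why"
            findings=$((findings + 1))
        fi
    done <<'EOF'
anonymous_enable NO YES anonymous logins are allowed by default when the line is missing
ssl_enable YES NO passwords and data travel in clear text
force_local_logins_ssl YES YES the password may be sent without TLS
force_local_data_ssl YES YES file contents may be transferred without TLS
ssl_sslv2 NO NO SSLv2 is broken and must stay off
ssl_sslv3 NO NO SSLv3 is broken and must stay off
allow_anon_ssl NO NO anonymous SSL logins should stay off
pasv_promiscuous NO NO PASV data connections would be accepted from any address
port_promiscuous NO NO PORT data connections could be directed at third parties
EOF
    [ "$findings" -eq 0 ]
}

# Stand-alone run: write the hardened config to a temp file and audit it.
tmp=$(mktemp)
hardened_vsftpd_conf > "$tmp"
audit_vsftpd_conf "$tmp" && echo "hardened config: no findings"
rm -f "$tmp"
```

Run audit_vsftpd_conf against /etc/vsftpd.conf after every edit; because it falls back to the vsftpd default for absent keys, it catches the "commented out anonymous_enable" mistake the option list warns about, which a grep for anonymous_enable=YES would miss.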
Start the vsftpd service:
# service vsftpd start
Verify you have the correct port or custom port assigned and working.
# netstat -nuptl | grep ftp
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 4136/vsftpd