Very Secure FTP Daemon. "Probably the most secure and fastest FTP server for UNIX-like systems."
vsftpd configuration file - /etc/vsftpd/vsftpd.conf
# Local user access
local_enable=YES # Local users can log in; their shell must be listed in /etc/shells
# ('nologin' shells are refused). Anonymous access is controlled separately.
write_enable=YES # Allow any form of FTP write; local users can upload and create dirs
# Anonymous user actions
anonymous_enable=YES # Allow anonymous users
write_enable=YES # Needs to be set to YES for any anonymous upload
anon_upload_enable=YES # Can upload files; target directories must be writable by the 'ftp' user
anon_mkdir_writable=YES # Can create directories; parent directories must be writable by the 'ftp' user
anon_world_readable_only=YES # Can only download world-readable files
# File ownership
chown_uploads=YES # Ownership of anonymously uploaded files is changed
chown_username=<whoever> # User that uploaded files are chowned to
chroot_local_users=YES # Chroot local users as well
chroot_list_enable=YES # With chroot_local_users=YES the chroot_list becomes a list
# of users NOT to chroot
guest_enable=YES # Non-anonymous logins are mapped to the guest account supplied next
guest_username=<user> # Default is 'ftp'
# User access
userlist_enable=YES # Consult userlist_file (default /etc/vsftpd/user_list) before
# asking for a password
userlist_deny=YES # Users listed in userlist_file are DENIED access;
# set to NO to allow ONLY the listed users
# pasv_enable= # Should the server use the "passive FTP" style, in
# which clients initiate the data connections (helps with
# firewalls on clients).
# tcp_wrappers= # If enabled, incoming connections are fed through
# tcp_wrappers access control (/etc/hosts.allow, /etc/hosts.deny).
ssl_enable=YES # Enables SSL/TLS
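The settings above interact: `write_enable` applies to anonymous and local users alike, `chroot_list` flips from an include list to an exemption list depending on `chroot_local_users`, and `userlist_deny` decides whether `user_list` is a denylist or an allowlist. The following is an added example, not part of vsftpd or of this page, that parses a vsftpd.conf and flags the risky combinations; the sample configuration is constructed, and the defaults used for unset keys are those documented in vsftpd.conf(5).

```python
"""Audit a vsftpd.conf for risky setting combinations (added example; not vsftpd's code)."""
from typing import Dict, List, Tuple

# Constructed sample, not a real server's configuration.
SAMPLE_CONF = """\
# Local user access
local_enable=YES
write_enable=YES
# Anonymous user actions
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_writable=YES
chroot_local_users=YES
chroot_list_enable=NO
# User access
userlist_enable=YES
userlist_deny=YES
ssl_enable=NO
"""

# Defaults as documented in vsftpd.conf(5); used when a key is absent from the file.
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_writable": "NO",
    "anon_world_readable_only": "YES", "chroot_local_users": "NO",
    "chroot_list_enable": "NO", "userlist_enable": "NO", "userlist_deny": "YES",
    "ssl_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse option=value lines. Blank lines and lines starting with '#' are ignored;
    vsftpd rejects any other line without '=', so this parser does the same."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        conf[key.strip()] = value.strip()   # a later duplicate key overrides an earlier one
    return conf


def enabled(conf: Dict[str, str], key: str) -> bool:
    """YES/NO option with the vsftpd default applied when the key is unset."""
    return conf.get(key, DEFAULTS[key]).upper() == "YES"


def audit(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding-id, explanation) pairs for risky combinations, in a fixed order."""
    findings: List[Tuple[str, str]] = []
    anon = enabled(conf, "anonymous_enable")
    if anon and enabled(conf, "write_enable") and (
            enabled(conf, "anon_upload_enable") or enabled(conf, "anon_mkdir_writable")):
        findings.append(("anon-write", "anonymous users can upload or create directories; "
                                       "confine them to a dedicated incoming directory"))
    if anon and not enabled(conf, "anon_world_readable_only"):
        findings.append(("anon-read-all", "anonymous users may download files that are "
                                          "not world-readable"))
    if enabled(conf, "local_enable") and not enabled(conf, "chroot_local_users"):
        findings.append(("no-chroot", "local users are not chrooted and can browse the "
                                      "whole filesystem"))
    if enabled(conf, "chroot_local_users") and enabled(conf, "chroot_list_enable"):
        findings.append(("chroot-exemptions", "chroot_list is an exemption list: every "
                                              "user in it escapes the chroot"))
    if enabled(conf, "local_enable") and not enabled(conf, "ssl_enable"):
        findings.append(("cleartext-auth", "local passwords cross the network in "
                                           "cleartext; set ssl_enable=YES"))
    if enabled(conf, "userlist_enable") and enabled(conf, "userlist_deny"):
        findings.append(("userlist-is-denylist", "userlist_file is a denylist; for an "
                                                 "allowlist set userlist_deny=NO"))
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: finding ids for a configuration given as text."""
    return [fid for fid, _ in audit(parse_vsftpd_conf(text))]


if __name__ == "__main__":
    for fid, msg in audit(parse_vsftpd_conf(SAMPLE_CONF)):
        print(f"{fid}: {msg}")
```

Run against the constructed sample it reports `anon-write`, `cleartext-auth` and `userlist-is-denylist`; the same file with `anonymous_enable=NO`, `ssl_enable=YES` and `userlist_deny=NO` produces no findings.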
- Anonymous users do not need a password.
- Two special login names facilitate this, "anonymous" and "ftp"; both refer to the same system account 'ftp'.
Create the user, home directory and directory tree, then set permissions and ownership
# adduser ftp (Create the user and /home/ftp)
# chown root.root /home/ftp (Make it owned by root)
# chmod 555 /home/ftp (Set it unwritable by anyone, allow access to subdirs)
# cd /home/ftp
# mkdir bin etc lib pub (Create the needed sub directories)
# chmod 511 bin etc lib (Set them unwritable and unlistable by anyone)
# chmod 555 pub (Set it unwritable by anyone, allow access to subdirs)
# mkdir pub/incoming (Upload directory)
Copy the required libraries and commands into the soon-to-be-chrooted environment
# cd /home/ftp
# cp /bin/ls /home/ftp/bin/
# chmod 111 /home/ftp/bin/ls (Make executable only)
# ldd /bin/ls (Determine which libraries/modules 'ls' needs)
librt.so.1 => /lib/librt.so.1 (0x4001e000)
libc.so.6 => /lib/libc.so.6 (0x40030000)
libpthread.so.0 => /lib/libpthread.so.0 (0x40153000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# cp /lib/librt.so.1 /home/ftp/lib/
# cp /lib/libc.so.6 /home/ftp/lib/
# cp /lib/libpthread.so.0 /home/ftp/lib/
# cp /lib/ld-linux.so.2 /home/ftp/lib/
# chmod 555 /home/ftp/lib/* (Make readable and executable)
# chown root.root /home/ftp/lib/* (Make them all owned by root)
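The copy step above is easy to get wrong by hand: a library that `ldd` reports as `not found` leaves a binary that cannot start inside the chroot, the vDSO line that modern `ldd` prints has no file on disk, and the permissions have to be applied consistently. The following is an added example, not code from this page or from vsftpd, that parses `ldd` output, reports unresolved libraries, and installs a binary plus its libraries into a chroot root with the modes the page prescribes (0111 for the binary, 0555 for libraries, 0511 for `bin`/`lib`, 0555 for the root). The `ldd` text is constructed from the page's listing; `run_demo()` exercises the installer on stand-in files in a temporary directory, so it runs without touching `/home/ftp`, and chowns to root only when actually running as root.

```python
"""Build the minimal chroot tree for the 'ftp' user from ldd output (added example)."""
import os
import shutil
import tempfile
from typing import Dict, List

# Constructed ldd output in the shape of the page's listing, plus the vDSO line
# that modern ldd prints (it has no file on disk and must be skipped).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd4b1f1000)
\tlibrt.so.1 => /lib/librt.so.1 (0x4001e000)
\tlibc.so.6 => /lib/libc.so.6 (0x40030000)
\tlibpthread.so.0 => /lib/libpthread.so.0 (0x40153000)
\t/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""


def parse_ldd(output: str) -> List[str]:
    """Return the on-disk library paths named in `ldd` output.
    'name => /path (addr)' and '/path (addr)' lines yield /path; 'name (addr)' lines
    (vDSO) are skipped; 'name => not found' lines are left to missing_libraries()."""
    paths: List[str] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or "not found" in line:
            continue
        target = line.split("=>", 1)[1] if "=>" in line else line
        target = target.strip().split(" (", 1)[0].strip()
        if target.startswith("/"):
            paths.append(target)
    return paths


def missing_libraries(output: str) -> List[str]:
    """Libraries ldd could not resolve; copying such a binary gives a broken chroot."""
    return [line.strip().split("=>", 1)[0].strip()
            for line in output.splitlines() if "=> not found" in line]


def install_into_chroot(root: str, binary_src: str, lib_srcs: List[str]) -> Dict[str, int]:
    """Copy the binary to <root>/bin (mode 0111) and its libraries to <root>/lib (0555),
    then lock the directories down as in the page's chmod commands. Files are chowned
    to root only when running as root (os.chown fails otherwise). Returns path -> mode."""
    bin_dir, lib_dir = os.path.join(root, "bin"), os.path.join(root, "lib")
    os.makedirs(bin_dir, exist_ok=True)
    os.makedirs(lib_dir, exist_ok=True)
    modes: Dict[str, int] = {}
    plan = [(binary_src, os.path.join(bin_dir, os.path.basename(binary_src)), 0o111)]
    plan += [(lib, os.path.join(lib_dir, os.path.basename(lib)), 0o555) for lib in lib_srcs]
    for src, dest, mode in plan:
        shutil.copy2(src, dest)
        os.chmod(dest, mode)
        if os.geteuid() == 0:
            os.chown(dest, 0, 0)
        modes[dest] = mode
    for directory, mode in ((bin_dir, 0o511), (lib_dir, 0o511), (root, 0o555)):
        os.chmod(directory, mode)
        modes[directory] = mode
    return modes


def run_demo() -> Dict[str, int]:
    """Exercise install_into_chroot() on constructed stand-in files in a temp dir and
    return the modes actually observed on disk, keyed by path relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        # Stand-ins for /bin/ls and its libraries; on a real host use `ldd /bin/ls`.
        fake_bin = os.path.join(src, "ls")
        fake_libs = [os.path.join(src, os.path.basename(p)) for p in parse_ldd(SAMPLE_LDD)]
        for path in [fake_bin] + fake_libs:
            with open(path, "w") as fh:
                fh.write("stand-in\n")
        root = os.path.join(tmp, "home", "ftp")
        os.makedirs(root)
        installed = install_into_chroot(root, fake_bin, fake_libs)
        observed = {os.path.relpath(p, root): os.stat(p).st_mode & 0o777 for p in installed}
        # Re-open the tree so TemporaryDirectory can remove it (it is unwritable now).
        for directory in (root, os.path.join(root, "bin"), os.path.join(root, "lib")):
            os.chmod(directory, 0o755)
        return observed


if __name__ == "__main__":
    for path, mode in sorted(run_demo().items()):
        print(f"{mode:04o} {path}")
```

On a real host the same functions are driven by `subprocess.run(["ldd", "/bin/ls"], capture_output=True, text=True).stdout`, and anything returned by `missing_libraries()` should stop the install rather than be ignored.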
Secure ftp server.
- UIDs and GIDs (not names) are displayed on login.
- If anonymous FTP users see UID and GID numbers instead of names, it is because the libnss_files.so library has not been installed in the chroot.
Three kinds of FTP logins
- Anonymous: logs in with the username 'anonymous' and usually an email address as the password
- Real: logs in with a real username and password; the level of access is based on the user's privileges
- Guest: logs in with a real username and password, but the user is chrooted to their home directory
Guest users are constrained to their home directory. As a result they do not have access to some necessary commands, e.g. '/bin/ls'. You therefore need to set up a local minimalist environment providing the necessary tools, as you would for a chroot environment.
wu-ftpd guest user configuration - /etc/wu-ftpd/ftpaccess
A sample configuration for 'guest' user - /etc/wu-ftpd/ftpaccess
# wu-ftp configuration file
deny-uid %-99 %65534- # Don't allow system accounts to log in over ftp
deny-gid %-99 %65534-
class all real,guest * # Deny anonymous ftp logins
#class all real,guest,anonymous * # Allow anonymous ftp logins
banner /etc/wu-ftpd/welcome.msg # Welcome message for all ftp users
# Welcome message and readme for anonymous users # <type> <filename> <when to display>
message /welcome.msg login # /welcome.msg = /home/ftp/welcome.msg inside the chroot
readme README* login
# Directory specific messages and readme
message .message cwd=* # .message = /$PWD/.message
readme README* cwd=*
compress yes all # Allow on-the-fly compression for all users
tar yes all # Allow on-the-fly tar for all users
chmod no guest,anonymous # Guest and anonymous cannot change file permissions (SITE CHMOD)
delete no anonymous # Anonymous cannot delete files
overwrite no anonymous # Anonymous cannot overwrite files
rename no anonymous # Anonymous cannot rename files
delete yes guest # Guest can delete files
overwrite yes guest # Guest can overwrite files
rename yes guest # Guest can rename files
umask no guest # Guest cannot change the umask (SITE UMASK)
log transfers anonymous,real inbound,outbound # Log uploads and downloads by anonymous and real users
passwd-check rfc822 warn # Anonymous password must look like an RFC 822 address; only warn if it does not
# Control what can be uploaded. File names may consist
# of letters (a-z, A-Z), numbers (0-9), an underscore
# ("_"), dash ("-") or period (".") only.
# The file name may not begin with a period or dash.
# Message displayed (/etc/pathmsg) if file name is
# invalid: "You have tried to upload a file with an inappropriate name"
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
limit all 2 # Limit class 'all' to 2 simultaneous users
# Control what can be downloaded
noretrieve passwd .htaccess core # Do not let users download files with these names
limit-time * 20 # Limit every session to 20 minutes
byte-limit in 5000 # Limit inbound (upload) data to 5000 bytes per session
guestuser * # Treat every system user as a "guest" by default;
# guest users are chrooted
realgroup remote-supp # Assign real-user privileges to members of
# group "remote-supp"
realuser mark # Assign real-user privileges to the user "mark"
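Three of the directives above encode their rules in a compact syntax whose semantics are easy to misread: `path-filter` takes one regex the name must match followed by regexes it must not match, `noretrieve` blocks a basename anywhere when given a relative name, and `deny-uid`/`deny-gid` take `%`-prefixed numeric ranges with an open end. The following is an added example, not wu-ftpd's code and not from this page, that evaluates these rules exactly as written in the sample ftpaccess; the test names are constructed.

```python
"""Evaluate wu-ftpd ftpaccess upload, download and account controls (added example)."""
import os
import re
from typing import List, Optional, Tuple

# Values copied from the sample ftpaccess above.
PATH_FILTER_ALLOWED = r"^[-A-Za-z0-9_\.]*$"
PATH_FILTER_DISALLOWED = [r"^\.", r"^-"]
NORETRIEVE = ["passwd", ".htaccess", "core"]
DENY_UID = ["%-99", "%65534-"]


def upload_name_allowed(name: str, allowed: str = PATH_FILTER_ALLOWED,
                        disallowed: List[str] = PATH_FILTER_DISALLOWED) -> bool:
    """path-filter: the name must match the allowed regex and none of the disallowed ones.
    Because '/' is outside the allowed class, traversal attempts fail the first test."""
    if not re.search(allowed, name):
        return False
    return not any(re.search(pat, name) for pat in disallowed)


def retrieval_allowed(path: str, noretrieve: List[str] = NORETRIEVE) -> bool:
    """noretrieve: a relative entry blocks every file with that basename, wherever it is;
    an absolute entry blocks that path and anything beneath it."""
    base = os.path.basename(path)
    for entry in noretrieve:
        if entry.startswith("/"):
            if path == entry or path.startswith(entry.rstrip("/") + "/"):
                return False
        elif base == entry:
            return False
    return True


def parse_id_range(spec: str) -> Tuple[Optional[int], Optional[int]]:
    """'%-99' -> (None, 99); '%65534-' -> (65534, None); '%100-200' -> (100, 200);
    '%0' -> (0, 0). None means the range is open on that side."""
    if not spec.startswith("%"):
        raise ValueError(f"numeric id range must start with '%': {spec!r}")
    body = spec[1:]
    if "-" in body:
        lo, hi = body.split("-", 1)
        return (int(lo) if lo else None, int(hi) if hi else None)
    return (int(body), int(body))


def id_denied(ident: int, specs: List[str] = DENY_UID) -> bool:
    """deny-uid / deny-gid: true when the numeric id falls inside any listed range."""
    for spec in specs:
        lo, hi = parse_id_range(spec)
        if (lo is None or ident >= lo) and (hi is None or ident <= hi):
            return True
    return False


if __name__ == "__main__":
    for candidate in ["report_2024-v1.txt", ".htaccess", "-rf", "two words.txt"]:
        print(f"upload {candidate!r}: {upload_name_allowed(candidate)}")
    for uid in (0, 99, 100, 1000, 65534, 70000):
        print(f"uid {uid}: {'denied' if id_denied(uid) else 'allowed'}")
```

With the sample rules, system accounts below 100 and `nobody`-style accounts at 65534 and above are refused, uploads named with a leading dot or dash are rejected before they land in `pub/incoming`, and a `core` file dropped anywhere in the tree cannot be fetched.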
wu-ftpd access control
wu-ftpd does not care whether the file /etc/nologin exists. The two files that control access are:
- /etc/wu-ftpd/ftpaccess - Controls user access
- /etc/ftpusers - Lists users that may NOT log in via FTP
Restrict specific users to their home directories - /etc/wu-ftpd/ftpaccess
guestgroup <groupname> [<groupname> ...]
guestuser <username> [<username> ...]
Prevent host ftp connections - /etc/wu-ftpd/ftpaccess
# Format: deny <addrglob> <message_file>
# Deny access to all users from the exodous.net domain and display
# the message contained in the /home/ftp/.message_deny file.
deny *.exodous.net /home/ftp/.message_deny
- deny - Always deny access to hosts that match a given address.
- <addrglob> - A regex field containing a list of addresses, either numeric or DNS names.
  - Can also be a filename; it must be an absolute pathname, i.e. starting with '/'.
- To deny hosts whose IP address has no domain name mapping, use the !nameserved keyword in place of <addrglob>.
Prevent specific users or groups from using ftp - /etc/ftpusers
- Add deny-uid and/or deny-gid lines to /etc/wu-ftpd/ftpaccess, OR
- Add the username to /etc/ftpusers
wu-ftpd anonymous ftp user
Done during the install process - sets
user = ftp
homedir = /home/ftp
ftp user home directory structure
/home/ftp/etc
    group    (copy of /etc/group with any password replaced by '*')
    passwd   (copy of /etc/passwd with any password replaced by '*')
    pathmsg  (message displayed when an upload file name fails the path-filter)
'/home/ftp/etc' contains copies of '/etc/group' and '/etc/passwd' with any password replaced with a '*'. This presents the 'ftp' user with user and group names instead of UIDs and GIDs.
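Copying `/etc/passwd` and `/etc/group` verbatim into a chroot that anonymous users can read would expose every password hash on the system, which is why the page insists on replacing the password field with `*`. The following is an added example, not part of this page or of wu-ftpd, that produces the sanitised copies; the sample lines are constructed. As an extension beyond the page, the optional `keep_uids`/`keep_gids` filters drop every entry except the ids that need name resolution inside the chroot, so the copies reveal as little of the account list as possible.

```python
"""Produce the password-stripped /home/ftp/etc/passwd and group copies (added example)."""
from typing import Optional, Set

# Constructed sample lines; not a real system's files.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:*:14:50:FTP User:/home/ftp:/sbin/nologin
mark:$6$saltsalt$hashhashhash:1001:1001:Mark:/home/mark:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
ftp:x:50:
remote-supp:!:1010:mark
"""


def _strip_passwords(text: str, field_count: int, keep_ids: Optional[Set[int]]) -> str:
    """Replace field 2 (the password/hash field) with '*' in every record and,
    when keep_ids is given, keep only records whose numeric id (field 3) is listed."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != field_count:
            raise ValueError(f"unexpected field count in line: {raw!r}")
        if keep_ids is not None and int(fields[2]) not in keep_ids:
            continue
        fields[1] = "*"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def sanitize_passwd(text: str, keep_uids: Optional[Set[int]] = None) -> str:
    """passwd records have 7 colon-separated fields: name:pw:uid:gid:gecos:home:shell."""
    return _strip_passwords(text, 7, keep_uids)


def sanitize_group(text: str, keep_gids: Optional[Set[int]] = None) -> str:
    """group records have 4 colon-separated fields: name:pw:gid:members."""
    return _strip_passwords(text, 4, keep_gids)


def leaks_hash(text: str) -> bool:
    """Quick check before installing a copy: any record whose password field is not
    '*' or 'x' still carries something that should not reach the chroot."""
    return any(line.split(":")[1] not in ("*", "x")
               for line in text.splitlines() if line.strip() and not line.startswith("#"))


if __name__ == "__main__":
    print(sanitize_passwd(SAMPLE_PASSWD), end="")
    print(sanitize_group(SAMPLE_GROUP, keep_gids={0, 50}), end="")
```

In practice the output is written to `/home/ftp/etc/passwd` and `/home/ftp/etc/group` (owned by root, mode 0444 is sufficient for name lookups), and `leaks_hash()` should be false for both before they are installed.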
If users are allowed to upload data into an incoming directory, do not allow the creation of sub-directories in that directory.