Re: Howto: Easy FTP with vsftpd
I am now testing vsftpd. I have done this by either running it as a service or from the command line:
I can connect to the host, but am unable to log in using my virtual user. I have included my configuration files below:
/etc/vsftpd
Code:
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default. These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd.virtual
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# This option specifies the location of the RSA key file to use for SSL
# encrypted connections.
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#
# Mods from: http://ubuntuforums.org/showthread.php?p=3138955
#
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
# listen_port=990
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP:
max_per_ip=2
# Maximum number of clients:
max_clients=2
#
# Enable (only) guests.
guest_enable=YES
# This is not needed, it's the default. Just here for clarity.
guest_username=ftp
# Where the guests (virtual) usernames are set.
user_config_dir=/etc/vsftpd/vusers
pasv_min_port=12000
pasv_max_port=12100
#check_shell=NO
Now for the vsftpd.pem file that I created using:
Code:
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Apparently, under maverick there is no snakeoil.pem file just a key file:
Code:
#sudo ls -l /etc/ssl/private/
total 4
-rw-r----- 1 root ssl-cert 887 2009-12-16 10:21 ssl-cert-snakeoil.key
/etc/pam.d/vsftpd.virtual (it didn't work named ftp either)
Code:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
# session required /lib/security/pam_loginuid.so
/etc/vsftpd/workers:
Code:
write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
local_root=/home/work/$USER
chroot_local_user=YES
dirlist_enable=YES
download_enable=YES
guest_username=workers
/etc/vsftpd/vusers/BossHog
Code:
write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
chroot_local_user=YES
# change /home/user to the actual user home directory.
local_root=/home/work/BossHog
dirlist_enable=YES
download_enable=YES
guest_username=user
Code:
ls -lR /etc/vsftpd
/etc/vsftpd:
total 24
-rw------- 1 root root 12288 2011-10-12 21:53 vsftpd_login.db
-rw-r--r-- 1 root root 2319 2011-10-12 23:07 vsftpd.pem
drwxr-xr-x 2 root root 4096 2011-10-13 13:34 vusers
-rw-r--r-- 1 root root 208 2011-10-13 12:29 workers
/etc/vsftpd/vusers:
total 4
-rw-r--r-- 1 root root 262 2011-10-13 01:00 BossHog
lrwxrwxrwx 1 root root 19 2011-10-12 21:06 Brian -> /etc/vsftpd/workers
Code:
ls -l /etc/pam.d/vsftpd*
-rw-r--r-- 1 root root 321 2011-10-12 23:52 /etc/pam.d/vsftpd
-rw-r--r-- 1 root root 143 2011-10-13 13:56 /etc/pam.d/vsftpd.virtual
Currently, I get this ssl error message when try to connect:
ssl_getc: SSL_read failed -1 = 0
421 service not available, removte server has closed connection
login failed
Re: Howto: Easy FTP with vsftpd
I am now testing vsftpd. I have done this by either running it as a service or from the command line:
I can connect to the host, but am unable to log in using my virtual user. I have included my configuration files below:
/etc/vsftpd
Code:
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default. These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd.virtual
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# This option specifies the location of the RSA key file to use for SSL
# encrypted connections.
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#
# Mods from: http://ubuntuforums.org/showthread.php?p=3138955
#
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
# listen_port=990
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP:
max_per_ip=2
# Maximum number of clients:
max_clients=2
#
# Enable (only) guests.
guest_enable=YES
# This is not needed, it's the default. Just here for clarity.
guest_username=ftp
# Where the guests (virtual) usernames are set.
user_config_dir=/etc/vsftpd/vusers
pasv_min_port=12000
pasv_max_port=12100
#check_shell=NO
Now for the vsftpd.pem file that I created using:
Code:
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Apparently, under maverick there is no snakeoil.pem file just a key file:
Code:
#sudo ls -l /etc/ssl/private/
total 4
-rw-r----- 1 root ssl-cert 887 2009-12-16 10:21 ssl-cert-snakeoil.key
/etc/pam.d/vsftpd.virtual (it didn't work named ftp either)
Code:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
# session required /lib/security/pam_loginuid.so
/etc/vsftpd/workers:
Code:
write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
local_root=/home/work/$USER
chroot_local_user=YES
dirlist_enable=YES
download_enable=YES
guest_username=workers
I removed $USER. Now I login with user Brian! yeah. and mkdir now time to work on other bugaboos
/etc/vsftpd/vusers/BossHog
Code:
write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
chroot_local_user=YES
# change /home/user to the actual user home directory.
local_root=/home/work/BossHog
dirlist_enable=YES
download_enable=YES
guest_username=user
oops above needs corrected.
Code:
ls -lR /etc/vsftpd
/etc/vsftpd:
total 24
-rw------- 1 root root 12288 2011-10-12 21:53 vsftpd_login.db
-rw-r--r-- 1 root root 2319 2011-10-12 23:07 vsftpd.pem
drwxr-xr-x 2 root root 4096 2011-10-13 13:34 vusers
-rw-r--r-- 1 root root 208 2011-10-13 12:29 workers
/etc/vsftpd/vusers:
total 4
-rw-r--r-- 1 root root 262 2011-10-13 01:00 BossHog
lrwxrwxrwx 1 root root 19 2011-10-12 21:06 Brian -> /etc/vsftpd/workers
Code:
ls -l /etc/pam.d/vsftpd*
-rw-r--r-- 1 root root 321 2011-10-12 23:52 /etc/pam.d/vsftpd
-rw-r--r-- 1 root root 143 2011-10-13 13:56 /etc/pam.d/vsftpd.virtual
Currently, I get this ssl error message when try to connect:
ssl_getc: SSL_read failed -1 = 0
421 service not available, removte server has closed connection
login failed
Re: Howto: Easy FTP with vsftpd
Hi, i can help you with virtual users by posting my whole steps of configuring...
I had same problems, and most of all are because of outdated and in most cases not complete quides. I also had problem with snakeoil and ssl, so i didnt do that because i had little time and i had to finish it because that was part of my specialization work for school.
I can't remebmer where i was stucked with snakeoil and ssl, but if u succeed with that part pls let me how u do that.
Re: Howto: Easy FTP with vsftpd
alfamuzjak,
I currently have a semi working setup. However, I can connect from my dyndns domain name, but get error messages regarding a bad (local) ip address being passed back or a failed to get certificate message especially in passive mode. So I'm curious as to how you got your setup to work from the internet? What should I change in the vsftpd.conf file? I'll include the latest below:
Code:
# Current config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default)
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
virtual_use_local_privs=YES
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to Tz FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#chroot_list_enable=NO
##
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default. These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd.virtual
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# This option specifies the location of the RSA key file to use for SSL
# encrypted connections.
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#
# Mods from: http://ubuntuforums.org/showthread.php?p=3138955
#
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
# listen_port=990
listen_port=10021
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP:
max_per_ip=2
# Maximum number of clients:
max_clients=10
#
# Enable (only) guests.
guest_enable=YES
# This is not needed, it's the default. Just here for clarity.
guest_username=ftp
# Where the guests (virtual) usernames are set.
user_config_dir=/etc/vsftpd/vusers
pasv_min_port=12000
pasv_max_port=12100
#check_shell=NO
debug_ssl=YES
log_ftp_protocol=YES
Regards
Re: Howto: Easy FTP with vsftpd
alfamuzjak,
I got it working now. I added:
Code:
pasv_promiscuous=YES
to the vsftpd.conf file. Connected my virtual user and
Code:
ftp> binary
ftp> passive
and was able to do what I needed to do. Whew! :D
Thanks again for your replies.
Regards
Quote:
Originally Posted by
alfamuzjak
Hi, i can help you with virtual users by posting my whole steps of configuring...
I had same problems, and most of all are because of outdated and in most cases not complete quides. I also had problem with snakeoil and ssl, so i didnt do that because i had little time and i had to finish it because that was part of my specialization work for school.
I can't remebmer where i was stucked with snakeoil and ssl, but if u succeed with that part pls let me how u do that.
Re: Howto: Easy FTP with vsftpd
I've tried everything to set up my own vsftpd server as well, but i can't get SSL to work. Which is imperative, because some users will prbably be logging in over the internet.
When i try to connect to my server i get an ECONNREFUSED error. Disabling SSL entirely in my config file resolves the problem, so it's definitely SSL related.
I'm using the latest (windows) Filezilla to connect to my server (locally) and my ports are all forwarded.
Here is my .conf file: (note that SSL is currently disabled)
Code:
listen=YES
#listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
#local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
vsftpd_log_file=/var/log/vsftpd.log
log_ftp_protocol=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ftpd_banner=GOOD LORD IT'S A CHEESEBURGER! A DOUBLE!
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=YES
#force_local_logins_ssl=YES
#ssl_tlsv1=YES
#ssl_sslv2=YES
#ssl_sslv3=YES
#rsa_cert_file=/etc/ssl/private/ssl-cert-snakeoil.key
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
#listen_port=990
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP:
max_per_ip=4
# Maximum number of clients:
max_clients=10
#ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
pasv_min_port=15000
pasv_max_port=15000
Can anyone help me with this? I've tried looking up my log files, but they all appear to be either empty, are just not reporting something useful. Can anyone help? Thanks in advance!
Re: Howto: Easy FTP with vsftpd
I have set up basic vsftpd servers with ubuntu plenty in the past however I can not get it running on my system after i upgraded from 11.04 to 11.10 my log shows successful logins on the day before I upgraded then the next day nothing I can't get in. I have removed vsftpd and conf and reinstalled it but I still can't login. i get a 530 error. any Idea I am not using ssl. what could have changed in the upgrade that would cause this?
Re: Howto: Easy FTP with vsftpd
I apologize for being off-topic but it makes me smile that the title for this thread is "Easy FTP with vsftpd" & we have 10 pages of responses so far :-k
P.S. I'm not knocking anyone. I do love the Ubuntu community. :P
Re: Howto: Easy FTP with vsftpd
Is this possible: vsftpd+virtual users+ssl?
This works for me: vsftpd+virtual users
This wprks for me: vsftpd+ssl+normal users
I can't seem to combine them...
So has anybody got vsftpd+virtual users+ssl running?
FYI about gnutls error -12
I have setup ubuntu server (11.10) which differs in regards to installing vsftpd as compared to 10.4. I copied all the settings from my 10.4 to 11.10 but was having connection issue when I use Filezilla.
If you are getting this error
Quote:
GnuTLS error -12: A TLS fatal alert has been received. Could not connect to server
Add this line to your vsftpd.conf file. restart. It should connect.
Quote:
ssl_ciphers=AES128-SHA or ssl_ciphers=HIGH