
Thread: Howto: Easy FTP with vsftpd

  1. #1

    Howto: Easy FTP with vsftpd

    I like vsftpd. It's very very simple to configure.

    Now let's get to the point.

    Installation
    Code:
    sudo apt-get install vsftpd
    This installs ssl-cert, openssl and vsftpd, only with anonymous login and just for downloads from a jailed /home/ftp/.

    Configuration

    Make a copy of the original configuration file. It is very well commented. Keep a copy to have the original settings and comments, just in case.
    Code:
    sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original
    Now edit the file /etc/vsftpd.conf and change its settings as follows.

    Basic Setup

    To disable anonymous login and to enable local users login and give them write permissions:
    Code:
    # No anonymous login
    anonymous_enable=NO
    # Let local users login
    # If you connect from the internet with local users, you should enable TLS/SSL/FTPS
    local_enable=YES
    
    # Write permissions
    write_enable=YES
    NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords. If you do need to transfer files over FTP, consider the use of virtual users (same system users but with non system passwords) or TLS/SSL/FTPS (see below).

    To chroot users

    To jail/chroot users (not the vsftpd service), there are three choices. Search for "chroot_local_user" in the file and consider one of the following:
    Code:
    # 1. All users are jailed by default:
    chroot_local_user=YES
    chroot_list_enable=NO
    
    # 2. Just some users are jailed:
    chroot_local_user=NO
    chroot_list_enable=YES
    # Create the file /etc/vsftpd.chroot_list with a list of the jailed users.
    
    # 3. Just some users are "free":
    chroot_local_user=YES
    chroot_list_enable=YES
    # Create the file /etc/vsftpd.chroot_list with a list of the "free" users.

    To deny (or allow) just some users to login

    To deny some users to login, add the following options at the end of the file:
    Code:
    # userlist_deny is only examined when userlist_enable=YES
    userlist_enable=YES
    userlist_deny=YES
    userlist_file=/etc/vsftpd.denied_users
    In the file /etc/vsftpd.denied_users add the username of the users that can't login. One username per line.

    To allow just some users to login:
    Code:
    userlist_deny=NO
    userlist_enable=YES
    userlist_file=/etc/vsftpd.allowed_users
    In the file /etc/vsftpd.allowed_users add the username of the users that can login.

    Users who are not allowed will get an error that they can't log in before they type their password.

    TLS/SSL/FTPS

    NOTE: you definitely have to use this if you connect from the Internet.

    To use vsftpd with encryption (it's safer), change or add the following options (some options aren't on the original config file, so add them):
    Code:
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    # SSLv2 and SSLv3 are obsolete and insecure; keep them disabled.
    ssl_sslv2=NO
    ssl_sslv3=NO
    # Filezilla uses port 21 if you don't set any port
    # in Servertype "FTPES - FTP over explicit TLS/SSL"
    # Port 990 is the default used for FTPS protocol.
    # Uncomment it if you want/have to use port 990.
    #listen_port=990
    No need to create a certificate. vsftpd uses the certificate Ubuntu creates upon its installation, the "snake-oil" certificate (openssl package, installed by default). Please don't be afraid of its name!

    Install Filezilla (on the repositories), and use the Servertype "FTPES - FTP over explicit TLS/SSL" option to connect to the server with TLS/SSL/FTPS.

    Additional Options

    Here are some other available options. The values are examples:
    Code:
    # Show hidden files and the "." and ".." folders.
    # Useful to not write over hidden files:
    force_dot_files=YES
    
    # Hide the info about the owner (user and group) of the files.
    hide_ids=YES
    
    # Connection limit for each IP:
    max_per_ip=2
    
    # Maximum number of clients:
    max_clients=20

    Apply new configuration settings

    Don't forget that to apply new configurations, you must restart the vsftpd service.
    Code:
    sudo /etc/init.d/vsftpd restart

    Webmin Module

    For those who use Webmin, there is a module for VSFTPD here http://www.webmin.com/third.html.

    Firewall Problems

    If you find problems when connecting, set pasv_min_port and pasv_max_port in /etc/vsftpd.conf and allow outbound connections in the ports you set in your firewall.
    Code:
    pasv_min_port=12000
    pasv_max_port=12100

    Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd

    Virtual users are users that do not exist on the system - they are not in /etc/passwd, do not have a home directory on the system, can not login but in vsftpd - or if they do exist, they can login in vsftpd with a non system password - security.

    You can set different definitions to each virtual user, granting to each of these users different permissions. If TLS/SSL/FTPS and virtual users are enabled, the level of security of your vsftpd server is increased: encrypted passwords, with passwords that are not used on the system, and users that can't access directly to their home directory (if you want).

    The following example is based and adapted on the example for virtual users in vsftpd site, on documentation and the very good examples in this forum that can be found here and here.

    From the FAQ in vsftpd site:
    Note - currently there is a restriction that with guest_enable enabled, local
    users also get mapped to guest_username.
    This is a polite way to say that if the default vsftpd PAM file is used, the system users will be guests too. To avoid confusions change the PAM file used by vsftpd to authenticate only virtual users, make all vsftpd users as virtual users and set their passwords, home and permissions based on this example.

    The workshop

    This is an example for a work directory where various virtual users can save (upload) their work - in this case it will be /home/work, that must be owned by the guest_username (workers).

    Create the system user (workers) and the work directory (/home/work) to be used by the virtual users in vsftpd where they will upload their work in it:
    Code:
    # Don't use -m (--create-home) option. This avoids creating a home
    # directory based on /etc/skel (.bash* and .profile files).
    sudo useradd -d /home/work workers
    sudo mkdir /home/work
    sudo chown workers /home/work
    Create directories to save the virtual users definitions.
    Code:
    sudo mkdir /etc/vsftpd
    sudo mkdir /etc/vsftpd/vusers
    Change the PAM authentication in vsftpd.conf and create a new PAM file that uses the pam_userdb module to provide authentication for the virtual users.

    If you still didn't do it, make a backup copy of your vsftpd.conf or make a backup copy of the default one (it is a very good starting point and it is very well commented, as I previously wrote).

    Edit the default /etc/vsftpd.conf:
    Code:
    sudo nano /etc/vsftpd.conf
    Change the line anonymous_enable=YES, uncomment local_enable=YES and change pam_service_name=vsftpd:
    Code:
    # Disable anonymous_enable is optional.
    anonymous_enable=NO
    ...
    local_enable=YES
    ...
    pam_service_name=ftp
    Then add the TLS/SSL/FTPS definitions (from above) in the end of the file and after it also add:
    Code:
    # Enable (only) guests.
    guest_enable=YES
    # This is not needed, it's the default. Just here for clarity.
    guest_username=ftp
    # Where the guests (virtual) usernames are set.
    user_config_dir=/etc/vsftpd/vusers
    The default settings in vsftpd.conf are restricted just for anonymous user that can download from /home/ftp, are chrooted there and can't upload nor create directories. Virtual users are treated as anonymous users by vsftpd. We have disabled anonymous logins, enabled local_users (virtual users in this case, authenticated by the PAM file we will create) and enabled guests (local users - guests - will be virtual users).

    The rest of the options are the default ones, so nobody can upload and because we set guest_enable=YES, if a username exists and have an empty username file, it will be treated as an anonymous user ("ftp" user). We added the TLS/SSL/FTPS so no cleartext passwords are used in the connections.

    Now you will override the vsftpd.conf settings for each username individually with files in the directory /etc/vsftpd/vusers which was set in "user_config_dir=" option. Let's continue.

    Create the new file /etc/pam.d/ftp for the new authentication system:
    Code:
    sudo nano /etc/pam.d/ftp
    And add the following content:
    Code:
    auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
    account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
    Create a file with the virtual usernames and passwords that can login (one line for username, one line for password and so on for all the users) and call it "logins.txt":
    Code:
    mike
    password1
    sarah
    password2
    Install libdb3-util, create the login database with the file logins.txt and restrict permissions to the database:
    Code:
    sudo apt-get install libdb3-util
    sudo db3_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db
    sudo chmod 600 /etc/vsftpd/vsftpd_login.db
    # This is not safe, you should delete this file.
    sudo chmod 600 logins.txt
    Create a file for the workers settings (mike and sarah on logins.txt):
    Code:
    sudo nano /etc/vsftpd/workers
    Add the new definitions for these users (remember that virtual users are treated as anonymous users by default on vsftpd, default anonymous settings are set on /etc/vsftpd.conf):
    Code:
    write_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    anon_upload_enable=YES
    local_root=/home/work
    chroot_local_user=YES
    dirlist_enable=YES
    download_enable=YES
    guest_username=workers
    Link this file to the workers usernames in /etc/vsftpd/vusers/, so that any change made at /etc/vsftpd/workers is applied to all workers (after you restart vsftpd).
    Code:
    sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/mike
    sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/sarah
    If this was supposed to be for web development, you would add this directory in apache, make it an available site and enable it as an enabled website.

    Restart vsftpd.

    System users as a virtual user with non-system password

    The next example file is for one user, like a system user. Add his username and a password - not the system one please, just to be a little bit safer - in logins.txt and repeat the db3_load command. Create a file named after his username inside /etc/vsftpd/vusers/:
    Code:
    sudo nano /etc/vsftpd/vusers/user
    And save the following in it:
    Code:
    write_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    anon_upload_enable=YES
    chroot_local_user=YES
    # change /home/user to the actual user home directory.
    local_root=/home/user
    dirlist_enable=YES
    download_enable=YES
    guest_username=user
    As you can see, guest_username is important because it will be the user that owns the uploaded files on the directories owned by the guest_username and only files owned by this guest_username can be deleted by him (if you allow it). If you don't set a guest_username, then the "ftp" user will be used (default in /etc/vsftpd.conf). If you create an empty file of a username present in /etc/vsftpd/vsftpd_login.db (logins.txt), this user will only have the permissions set to anonymous users in /etc/vsftpd.conf, his default home directory will be /home/ftp/ and the owner of the files he uploads (if you allow him and the directory is owned by ftp) will be "ftp".

    Only usernames in both /etc/vsftpd/vsftpd_login.db (logins.txt) AND with a file in /etc/vsftpd/vusers/ can login. So, the username can't login if:
    - If a file exists in /etc/vsftpd/vusers/ but the username is not in /etc/vsftpd/vsftpd_login.db (logins.txt) - you can add filenames that aren't in the database, no harm done.
    - If the username is in /etc/vsftpd/vsftpd_login.db (logins.txt) but does not exist in /etc/vsftpd/vusers/ - you can disable logins, just (re)move/rename the file(s) and/or link(s).
    Restart vsftpd.

    EDIT1: removed SFTP reference in TLS/SSL/FTPS section
    EDIT2: added virtual users configuration.
    EDIT3: added allow/deny userlist.
    Last edited by ruibernardo; November 14th, 2007 at 06:26 PM. Reason: added allow/deny userlist
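
Added example, not part of the original post or of vsftpd itself: a small Python check that reads a vsftpd.conf and reports the settings that undo the protections the howto relies on (cleartext local logins, obsolete SSL protocol versions, a user list that is never read). The sample configuration is constructed, and the defaults table reflects vsftpd's documented built-in defaults.

```python
# Added example, not from the thread. DEFAULTS holds vsftpd's built-in defaults.
DEFAULTS = {
    "local_enable": "NO", "ssl_enable": "NO", "userlist_enable": "NO",
    "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
}

def parse_conf(text):
    """Parse KEY=VALUE lines; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit(text):
    """Return a list of findings for the vsftpd.conf text given."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key, DEFAULTS[key]).upper() in ("YES", "TRUE", "1")
    findings = []
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if on(proto):
            findings.append(f"{proto} enabled: obsolete protocol version")
    if on("local_enable"):
        if not on("ssl_enable"):
            findings.append("ssl_enable off: local passwords sent in cleartext")
        else:
            for key in ("force_local_logins_ssl", "force_local_data_ssl"):
                if not on(key):
                    findings.append(f"{key} off: unencrypted sessions accepted")
    # userlist_deny and userlist_file are only read when userlist_enable=YES.
    if ("userlist_deny" in conf or "userlist_file" in conf) and not on("userlist_enable"):
        findings.append("userlist_enable off: the user list is ignored")
    return findings

# Constructed sample input (not a file from the thread).
SAMPLE = """\
local_enable=YES
ssl_enable=YES
ssl_sslv3=YES
force_local_data_ssl=NO
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the live file with `audit(open("/etc/vsftpd.conf").read())` before restarting the service; an empty list means none of these three problems is present.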

  2. #2

    Re: Howto: Easy FTP with vsftpd

    Here is the link of the outdated vsftpd tutorial just for the record :
    http://ubuntuforums.org/showthread.php?t=91887

    Thanks for this up to date guide

  3. #3

    Re: Howto: Easy FTP with vsftpd

    Oh awesome. I spent about two hours yesterday trying to get FTP working on my new vonbox/ubuntu server, with no luck. I'll have to give this a shot tonight and post the results. Thanks!

  4. #4

    Re: Howto: Easy FTP with vsftpd

    I've used vsftpd for 2 years and never had a problem.

  5. #5

    Re: Howto: Easy FTP with vsftpd

    I enjoy vsftpd but I've been having one hell of a time getting it to work with accounts through NIS. Can someone please add to these wonderfully straightforward directions; setting up vsftpd with NIS? I understand it's more about PAM talking to NIS in general but vsftpd is the only app that requires this (for me) as sshd works just fine for me, right out of the box. This is a total bummer. My NIS Master is FreeBSD 6, if that makes any difference.
    Last edited by motionsiren; August 7th, 2007 at 09:03 PM. Reason: gramarrr
    When the going gets weird, the weird turn pro. - Hunter S. Thompson

  6. #6

    Re: Howto: Easy FTP with vsftpd

    Thank you all for finding this howto useful.

    I made it some months ago (in Portuguese) just to make the installation of an FTP server for common use in Ubuntu as painless as it can be.

    Motionsiren, I've never used PAM and NIS. On vsftpd FAQ it says:

    "If you are not using PAM, then vsftpd will do its own check for a valid user shell in /etc/shells. You may need to disable this if you use an invalid shell to disable logins other than FTP logins. Put check_shell=NO in your /etc/vsftpd.conf."

    Don't know if this helps you in any way.

    I'll be glad to add your findings to the howto.

    The howto is very simple (it was its objective) and it could be improved with some more functions.

    Cheers.

  7. #7

    Re: Howto: Easy FTP with vsftpd

    My vsftpd is running but I can't figure out how I can share specific folders...

    I'd like to share these folders:

    /media/hda1/HL
    /media/sda1/#MP3

    How can I do this?

    Thanks!

  8. #8

    Re: Howto: Easy FTP with vsftpd

    Is this even possible with vsftpd?

  9. #9

    Re: Howto: Easy FTP with vsftpd

    Quote: Originally posted by ungluun
    I'd like to share these folders:

    /media/hda1/HL
    /media/sda1/#MP3

    How can I do this?

    Hi ungluun,

    I suppose you want a "mp3" user for this. If so, the simplest way to do it is to create a user with its home folder in /media/sda1/MP3:

    Code:
    sudo groupadd mp3
    sudo useradd -c "FTP mp3" -d /media/sda1/MP3 -g mp3 mp3
    Set his password:

    Code:
    sudo passwd mp3
    And restart vsftpd:

    Code:
    sudo /etc/init.d/vsftpd restart
    If you have all users chrooted, it will work with no more changes.

    Hope this works for you.

  10. #10

    Re: Howto: Easy FTP with vsftpd

    Hi,

    That solution works only for one folder..

    Windows has many ftp servers. In almost all of them you can simply add folders you'd like to share. How is this done in vsftpd?



    I'd like to create virtual paths to those folders. So that every user on my ftp can access those directories.
    I think I could do this by mounting the dirs (with fstab) under my ftp folder, but that's a weird solution, no?
