MRKAVANA (mrkavana@gmail.com) - www.facebook.com/kavanathai

Jul 18, 2011

How to configure an FTP server using vsftpd on Red Hat RHEL 5 or CentOS Linux

In this document we discuss installing and configuring an FTP server using the vsftpd software. We cover the main variables in the configuration file and some security parameters. We configure it on a Red Hat RHEL 5 system, but the same steps apply to other distributions as well.

Server Details:
IP 192.168.0.21
OS Red Hat Enterprise Linux Server release 5.4 (Tikanga)
[root@vm1 ftp]# uname -a
Linux vm1.lap.work 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux

Installation:
#yum install vsftpd

Starting the service:
#service vsftpd start

Ports:
FTP uses two ports, 20 and 21.
Port 21 carries the control connection (commands and replies).
Port 20 is the server-side port for active-mode data transfers. In passive mode, which the client sessions below use (see the "227 Entering Passive Mode" replies), the server instead opens a high random port for each data connection, which is why only 21/tcp shows up in the port scan below.

Verifying the ports:

Using nmap:
[root@vm1 upload_normal_users]# nmap 192.168.0.21

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-25 15:17 IST
Interesting ports on vm1.lap.work (192.168.0.21):
Not shown: 1676 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
786/tcp open concert

Nmap finished: 1 IP address (1 host up) scanned in 0.249 seconds
[root@vm1 upload_normal_users]#

Using netstat:
[root@vm1 upload_normal_users]# netstat -paultn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2684/portmap
tcp 0 0 0.0.0.0:786 0.0.0.0:* LISTEN 2724/rpc.statd
tcp 0 0 0.0.0.0:16851 0.0.0.0:* LISTEN 3126/modclusterd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 10697/vsftpd
tcp 0 0 192.168.0.21:21 192.168.0.19:56609 ESTABLISHED 10709/vsftpd
tcp 0 0 :::22 :::* LISTEN 2967/sshd
<----Output Truncated----->


Creating chkconfig entry:
#chkconfig vsftpd --level 35 on

Main configuration file:
/etc/vsftpd/vsftpd.conf

Anonymous User:
The anonymous user can log in to the FTP server by default. It can only download files. The anonymous user does not have a password; anything can be given as the password.
The main configuration file contains a line like the one shown below:
anonymous_enable=YES

Important ftp commands:
get -> download a file from the server
put -> upload a file to the server
ls -> list the files in the server directory
!ls -> list the files in the local client directory
cd -> change directory on the server
lcd -> change directory locally


Downloading files as the anonymous user:

Logging in to the FTP server as the anonymous user.
[root@server ~]# ftp 192.168.0.21
Connected to 192.168.0.21.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.21:root): anonymous
331 Please specify the password.
Password: #I just hit the Enter key. You can give whatever you want.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

#Now we are logged in. We are in the /var/ftp directory of the FTP server.
To list the files in the /var/ftp directory of the FTP server:

ftp> ls
227 Entering Passive Mode (192,168,0,21,176,64)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 46 Jun 25 07:30 anonymous_download.txt
drwxr-xr-x 2 0 0 4096 May 13 2009 pub
drwxrwx--- 2 0 50 4096 Jun 25 07:47 test_upload
226 Directory send OK.
ftp>


To download the file anonymous_download.txt to local directory:
ftp> get anonymous_download.txt #get is the command to download the files
local: anonymous_download.txt remote: anonymous_download.txt
227 Entering Passive Mode (192,168,0,21,56,26)
150 Opening BINARY mode data connection for anonymous_download.txt (46 bytes).
226 File send OK.
46 bytes received in 0.00026 seconds (1.7e+02 Kbytes/s)
ftp> !ls #!ls lists the files in the local directory.
abc.txt anonymous_download.txt Desktop install.log.syslog
anaconda-ks.cfg anonymous_upload.txt install.log
ftp>

Enabling uploads by the anonymous user:
First we have to create a directory under /var/ftp for users to upload files into.

[root@vm1 ftp]# mkdir test_upload
[root@vm1 ftp]# chown root:ftp test_upload/ #Setting the group to ftp
[root@vm1 ftp]# chmod 775 test_upload/ #Giving write permission to the owner (root) and the ftp group.
[root@vm1 ftp]# ll -d test_upload/
drwxrwxr-x 2 root ftp 4096 Jun 25 13:34 test_upload

Now open the configuration file and add:
[root@vm1 ftp]# vi /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES

Reload the service.
[root@vm1 ftp]# service vsftpd reload
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@vm1 ftp]#

Now upload the file:
ftp> ls
227 Entering Passive Mode (192,168,0,21,118,47)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 46 Jun 25 07:30 anonymous_download.txt
drwxr-xr-x 2 0 0 4096 May 13 2009 pub
drwxrwx--- 2 0 50 4096 Jun 25 07:47 test_upload
226 Directory send OK.

ftp> cd test_upload #Changing to the upload directory on the server.
250 Directory successfully changed.
ftp> !ls #Listing the files in the local client directory.
abc.txt anonymous_download.txt Desktop install.log.syslog
anaconda-ks.cfg anonymous_upload.txt install.log
ftp> put anonymous_upload.txt #Uploading anonymous_upload.txt file.
local: anonymous_upload.txt remote: anonymous_upload.txt
227 Entering Passive Mode (192,168,0,21,88,24)
150 Ok to send data.
226 File receive OK.
40 bytes sent in 0.00015 seconds (2.6e+02 Kbytes/s)

ftp> ls
227 Entering Passive Mode (192,168,0,21,57,169)
150 Here comes the directory listing.
-rw------- 1 14 50 40 Jun 25 08:04 anonymous_upload.txt
226 Directory send OK.
ftp>

You can see that files uploaded by the anonymous user get permission 700/600 (700 for directories, 600 for files). This is because the default anon_umask is 077. You can change this by adding the following entry to the main configuration file:

anon_umask=022

ftp> ls
227 Entering Passive Mode (192,168,0,21,162,227)
150 Here comes the directory listing.
-rw------- 1 14 50 40 Jun 25 08:04 anonymous_upload.txt
226 Directory send OK.

ftp> put anonymous_upload_changed_umask.txt #Uploading after the umask change
local: anonymous_upload_changed_umask.txt remote: anonymous_upload_changed_umask.txt
227 Entering Passive Mode (192,168,0,21,118,24)
150 Ok to send data.
226 File receive OK.
40 bytes sent in 0.00017 seconds (2.3e+02 Kbytes/s)

ftp> ls #Listing
227 Entering Passive Mode (192,168,0,21,64,219)
150 Here comes the directory listing.
-rw------- 1 14 50 40 Jun 25 08:04 anonymous_upload.txt #Old file
-rw-r--r-- 1 14 50 40 Jun 25 08:22 anonymous_upload_changed_umask.txt
#See: the newly uploaded file got 644 permission (666-022=644)
226 Directory send OK.
ftp>

Giving the anonymous user permission to create directories:

In the main configuration file, give the following entry:

anon_mkdir_write_enable=YES

Reload the service.
Now:

ftp> cd test_upload
250 Directory successfully changed.
ftp> mkdir shinto #Creating a directory as the anonymous user.
257 "/test_upload/shinto" created

ftp> ls #Listing
227 Entering Passive Mode (192,168,0,21,125,248)
150 Here comes the directory listing.
-rw------- 1 14 50 40 Jun 25 08:04 anonymous_upload.txt
-rw-r--r-- 1 14 50 40 Jun 25 08:22 anonymous_upload_changed_umask.txt
-rw-r--r-- 1 14 50 40 Jun 25 08:32 anonymous_upload_changed_umask2.txt
drwxr-xr-x 2 14 50 4096 Jun 25 08:47 shinto
226 Directory send OK.
ftp>

Normally the files and directories created by the anonymous user are owned by the ftp user.

[root@vm1 test_upload]# ll #Listing the upload directory on the FTP server.
total 16
-rw-r--r-- 1 ftp ftp 40 Jun 25 14:02 anonymous_upload_changed_umask2.txt
-rw-r--r-- 1 ftp ftp 40 Jun 25 13:52 anonymous_upload_changed_umask.txt
-rw------- 1 ftp ftp 40 Jun 25 13:34 anonymous_upload.txt
drwxr-xr-x 2 ftp ftp 4096 Jun 25 14:19 shinto

If you want to change this, for example so that the owner becomes root, add the following to the main configuration file. This is not recommended, though.
In the main configuration file:
chown_uploads=YES
chown_username=root

Reload the service.

ftp> put anonymous_upload_with_changed_owner.txt
local: anonymous_upload_with_changed_owner.txt remote: anonymous_upload_with_changed_owner.txt
227 Entering Passive Mode (192,168,0,21,86,59)
150 Ok to send data.
226 File receive OK.
ftp> ls #Listing
227 Entering Passive Mode (192,168,0,21,200,196)
150 Here comes the directory listing.
-rw------- 1 14 50 40 Jun 25 08:04 anonymous_upload.txt
-rw-r--r-- 1 14 50 40 Jun 25 08:22 anonymous_upload_changed_umask.txt
-rw-r--r-- 1 14 50 40 Jun 25 08:32 anonymous_upload_changed_umask2.txt
-rw------- 1 0 50 0 Jun 25 09:04 anonymous_upload_with_changed_owner.txt
#See: the uid changed to 0, i.e. root
drwxr-xr-x 2 14 50 4096 Jun 25 08:49 shinto
226 Directory send OK.
[root@vm1 test_upload]# ll #Listing from the server
total 16
-rw-r--r-- 1 ftp ftp 40 Jun 25 14:02 anonymous_upload_changed_umask2.txt
-rw-r--r-- 1 ftp ftp 40 Jun 25 13:52 anonymous_upload_changed_umask.txt
-rw------- 1 ftp ftp 40 Jun 25 13:34 anonymous_upload.txt
-rw------- 1 root ftp 0 Jun 25 14:34 anonymous_upload_with_changed_owner.txt
#See: the owner changed to root
drwxr-xr-x 2 ftp ftp 4096 Jun 25 14:19 shinto

For normal (local) users:

Enabling normal users:
In the main configuration file add the following entry:
local_enable=YES

Then normal users will be able to log in. By default they have both download and upload permission.

Creating an upload directory for normal users:

[root@vm1 ftp]# mkdir upload_normal_users
[root@vm1 ftp]# chown root:ftp upload_normal_users/
[root@vm1 ftp]# chmod 775 upload_normal_users/
[root@vm1 ftp]# ll -d upload_normal_users/
drwxrwxr-x 2 root ftp 4096 Jun 25 14:05 upload_normal_users/

When a normal user logs in, they land in their home directory by default.
[root@server ~]# ftp 192.168.0.21
Connected to 192.168.0.21.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.21:root): randeep #Username is randeep
331 Please specify the password.
Password: #Give randeep's password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/randeep"
ftp>

Checking the download permission for the normal user:
ftp> pwd #Position on the FTP server
257 "/home/randeep"
ftp> !pwd #Position on the local machine
/root
ftp> ls

227 Entering Passive Mode (192,168,0,21,43,139)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Jun 25 09:17 randeep.txt
226 Directory send OK.

ftp> get randeep.txt #Downloading
local: randeep.txt remote: randeep.txt
227 Entering Passive Mode (192,168,0,21,201,49)
150 Opening BINARY mode data connection for randeep.txt (0 bytes).
226 File send OK.


ftp> !ls #Listing the local directory.
abc.txt anonymous_upload_changed_umask.txt install.log
anaconda-ks.cfg anonymous_upload.txt install.log.syslog
anonymous_download.txt anonymous_upload_with_changed_owner.txt randeep.txt # See: the normal user can download
anonymous_upload_changed_umask2.txt Desktop

Now checking the upload permission for normal users:
ftp> pwd
257 "/home/randeep" #randeep's home directory on the FTP server
ftp> ls
227 Entering Passive Mode (192,168,0,21,251,60)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Jun 25 09:17 randeep.txt
226 Directory send OK.
ftp> !ls #Listing files in local directory
anaconda-ks.cfg Desktop install.log install.log.syslog uploaded_by_randeep.txt

ftp> put uploaded_by_randeep.txt #Uploading a file to his home directory.
local: uploaded_by_randeep.txt remote: uploaded_by_randeep.txt
227 Entering Passive Mode (192,168,0,21,205,66)
150 Ok to send data.
226 File receive OK.

ftp> ls #Now Listing
227 Entering Passive Mode (192,168,0,21,253,182)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Jun 25 09:17 randeep.txt
-rw-r--r-- 1 500 500 0 Jun 25 09:26 uploaded_by_randeep.txt
#Normal users can upload by default.
226 Directory send OK.

Upload permission for normal users to a directory other than their home directory:
Normal users can also upload to the upload directory under /var/ftp.
ftp> cd /var/ftp
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,21,253,150)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 46 Jun 25 07:30 anonymous_download.txt
drwxr-xr-x 2 0 0 4096 May 13 2009 pub
drwxrwxr-x 3 0 50 4096 Jun 25 09:04 test_upload
drwxrwxr-x 2 0 50 4096 Jun 25 08:35 upload_normal_users
226 Directory send OK.

ftp> cd upload_normal_users
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,21,85,49)
150 Here comes the directory listing.
226 Directory send OK.

ftp> put uploaded_by_randeep.txt
local: uploaded_by_randeep.txt remote: uploaded_by_randeep.txt
227 Entering Passive Mode (192,168,0,21,215,158)
150 Ok to send data.
226 File receive OK.
ftp> ls #Listing
227 Entering Passive Mode (192,168,0,21,96,56)
150 Here comes the directory listing.
-rw-r--r-- 1 500 500 0 Jun 25 09:28 uploaded_by_randeep.txt
#See: the owner is randeep (uid 500)
226 Directory send OK.

If you want to change the permissions of files and directories uploaded by normal users, the corresponding entry in the main config file is:

local_umask=022

Adjust it as needed.
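The umask arithmetic above (anon_umask=077 giving 600, anon_umask=022 giving 644, and the same for local_umask), together with the anonymous-write and chown_uploads=YES/chown_username=root settings the post calls not recommended, can be checked from a config file. The script below is an added example, not code from the post or from the vsftpd project: it reads the keys discussed above from a vsftpd.conf, falls back to the defaults documented in man 5 vsftpd.conf when a key is absent or commented out, computes the mode an uploaded file gets, and flags the risky combinations. The sample config at the bottom is constructed from the entries added in this post.

```shell
#!/bin/sh
# Added example, not code from the original post or from the vsftpd project.
# Reads security-relevant keys from a vsftpd.conf, applies the defaults from
# man 5 vsftpd.conf for absent or commented-out keys, turns each umask into
# the mode a new upload gets, and flags the risky combinations.

# vsftpd_get FILE KEY DEFAULT: value of the last active "KEY=VALUE" line.
# A commented line such as "#local_umask=022" does not match and is ignored.
vsftpd_get() {
    _v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# octal_to_dec 022 -> 18, done digit by digit so no shell octal parsing is needed.
octal_to_dec() {
    _n=0
    for _d in $(printf '%s' "$1" | sed 's/./& /g'); do _n=$((_n * 8 + _d)); done
    printf '%s\n' "$_n"
}

# mode_from_umask UMASK: a new file is created with 0666 & ~UMASK, so the
# default 077 gives 600 and 022 gives 644 (the "666-022=644" in the listing).
mode_from_umask() {
    printf '%03o\n' "$((438 & ~$(octal_to_dec "$1")))"   # 438 is 0666
}

# mode_to_symbolic 644 -> rw-r--r--, the form the ftp 'ls' output shows.
mode_to_symbolic() {
    _s=
    for _d in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $_d in
            0) _s="${_s}---" ;; 1) _s="${_s}--x" ;; 2) _s="${_s}-w-" ;; 3) _s="${_s}-wx" ;;
            4) _s="${_s}r--" ;; 5) _s="${_s}r-x" ;; 6) _s="${_s}rw-" ;; 7) _s="${_s}rwx" ;;
        esac
    done
    printf '%s\n' "$_s"
}

# audit_vsftpd_conf FILE: one line per derived setting plus a "RISK:" line
# for each risky combination; the number of RISK lines is the finding count.
audit_vsftpd_conf() {
    _anon=$(vsftpd_get "$1" anonymous_enable YES)
    _anon_up=$(vsftpd_get "$1" anon_upload_enable NO)
    _anon_mkdir=$(vsftpd_get "$1" anon_mkdir_write_enable NO)
    _chown=$(vsftpd_get "$1" chown_uploads NO)
    _chown_user=$(vsftpd_get "$1" chown_username root)
    _anon_mode=$(mode_from_umask "$(vsftpd_get "$1" anon_umask 077)")
    _local_mode=$(mode_from_umask "$(vsftpd_get "$1" local_umask 077)")
    echo "anonymous uploads get mode $_anon_mode ($(mode_to_symbolic "$_anon_mode"))"
    echo "local user uploads get mode $_local_mode ($(mode_to_symbolic "$_local_mode"))"
    if [ "$_anon" = YES ] && { [ "$_anon_up" = YES ] || [ "$_anon_mkdir" = YES ]; }; then
        echo "RISK: anonymous users can write to the server (anon_upload_enable/anon_mkdir_write_enable)"
    fi
    if [ "$_chown" = YES ] && [ "$_chown_user" = root ]; then
        echo "RISK: anonymous uploads are chowned to root (the post calls this not recommended)"
    fi
    # 18 is octal 022, the group and other write bits; a umask that leaves
    # them set makes every anonymous upload writable by other users.
    if [ "$_anon" = YES ] && [ "$(( $(octal_to_dec "$_anon_mode") & 18 ))" -ne 0 ]; then
        echo "RISK: anon_umask leaves anonymous uploads group/world-writable"
    fi
}

# write_sample_conf PATH: constructed vsftpd.conf built from the entries the
# post adds; local_umask is deliberately left commented out.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=022
chown_uploads=YES
chown_username=root
local_enable=YES
#local_umask=022
xferlog_enable=YES
xferlog_std_format=YES
EOF
}

# Usage: audit the constructed sample, then remove it.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
audit_vsftpd_conf "$demo_conf"
rm -f "$demo_conf"
```

Run it against /etc/vsftpd/vsftpd.conf instead of the sample to audit a real server; the RISK lines are exactly the settings the post enables for the demonstration and then advises against for production use.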

Showing a banner/message when entering a directory:
Suppose you want to show a message when a user enters a directory. You can do it as shown below.

Give the following entry in the main configuration file. By default it is already set as below:
dirmessage_enable=YES

Restart the service if needed.

Go to the directory in which you want the message shown; the message lives there in a file named ".message".

[root@vm1 upload_normal_users]# pwd
/var/ftp/upload_normal_users

Create a file named ".message" and write some content in that.
[root@vm1 upload_normal_users]# cat .message
This is the common upload directory for the normal users.
[root@vm1 upload_normal_users]#

Reload the service.
Now, when we enter that directory through ftp, we get the message.

Now checking:

ftp> cd upload_normal_users #Changing to the directory.
250-This is the common upload directory for the normal users.
#See: we got the message here.
250 Directory successfully changed.
ftp>

The default log file of vsftpd is /var/log/xferlog.

The corresponding entries in the config file are:

xferlog_enable=YES
#xferlog_file=/var/log/xferlog
xferlog_std_format=YES
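With xferlog_std_format=YES vsftpd writes the wu-ftpd style transfer log, which is the format most log tooling understands. The script below is an added example, not code from the post or the vsftpd project: a small detection pass over such a log that pulls out anonymous uploads, the events worth watching once anon_upload_enable=YES is set. Each line has 18 space-separated fields: date (5 fields), transfer time, remote host, file size, filename, transfer type (a/b), special-action flag, direction (o download, i upload, d delete), access mode (a anonymous, r real user), user, service, authentication method, authenticated uid, completion status (c complete, i incomplete). The sample lines are constructed to match the sessions in this post; they assume filenames without spaces and that vsftpd logs "?" in the user field for an anonymous login with an empty password.

```shell
#!/bin/sh
# Added example, not code from the original post: detection logic over
# /var/log/xferlog in xferlog_std_format (wu-ftpd style, 18 fields).
# awk's default field splitting also copes with the extra space wu-ftpd
# format puts before single-digit days ("Jun  5").

# write_sample_xferlog PATH: constructed log lines matching the post's sessions.
write_sample_xferlog() {
    cat > "$1" <<'EOF'
Fri Jun 25 07:31:10 2010 1 192.168.0.19 46 /anonymous_download.txt b _ o a ? ftp 0 * c
Fri Jun 25 08:04:02 2010 1 192.168.0.19 40 /test_upload/anonymous_upload.txt b _ i a ? ftp 0 * c
Fri Jun 25 09:26:40 2010 1 192.168.0.19 0 /home/randeep/uploaded_by_randeep.txt b _ i r randeep ftp 0 * c
Fri Jun 25 09:40:11 2010 3 192.168.0.23 1048576 /test_upload/big.bin b _ i a ? ftp 0 * i
EOF
}

# xferlog_anon_uploads FILE: every anonymous upload (direction i, access mode a)
# as "host size filename status". Field positions: $7 host, $8 size,
# $9 filename, $12 direction, $13 access mode, $14 user, $18 status.
xferlog_anon_uploads() {
    awk '$12 == "i" && $13 == "a" {
        printf "%s %s %s %s\n", $7, $8, $9, ($18 == "c" ? "complete" : "incomplete")
    }' "$1"
}

# xferlog_anon_upload_bytes FILE: bytes successfully uploaded anonymously.
xferlog_anon_upload_bytes() {
    awk '$12 == "i" && $13 == "a" && $18 == "c" { s += $8 } END { print s + 0 }' "$1"
}

# xferlog_uploads_by_user FILE: "user count" for uploads by real (local) users.
xferlog_uploads_by_user() {
    awk '$12 == "i" && $13 == "r" { n[$14]++ } END { for (u in n) print u, n[u] }' "$1"
}

# Usage: run the three reports over the constructed sample.
demo_log=$(mktemp)
write_sample_xferlog "$demo_log"
echo "anonymous uploads:"; xferlog_anon_uploads "$demo_log"
echo "anonymous bytes stored: $(xferlog_anon_upload_bytes "$demo_log")"
echo "uploads by local users:"; xferlog_uploads_by_user "$demo_log"
rm -f "$demo_log"
```

Point the functions at /var/log/xferlog to run them on a real server; an unexpected host or a large incomplete anonymous upload in the first report is the kind of thing to follow up on.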

You can change the timeout settings for sessions with the following entries in the main config file (they are commented out in the shipped file; uncomment them to set a value):

#idle_session_timeout=600
#data_connection_timeout=120

For giving a login banner:
ftpd_banner=Welcome to FTP Server Spartansit.com Pvt Ltd

Reload the service.

Now testing:
[root@server ~]# ftp 192.168.0.21
Connected to 192.168.0.21.
220 Welcome to FTP Server Spartansit.com Pvt Ltd #We got the login banner message.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.21:root):


Normally, by default, normal users land in their home directories when logging in. To change it, give the following entries in the configuration file:

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

Now only the users listed in /etc/vsftpd/chroot_list will see their home directory path when logging in. Others will land in "/".

[root@vm1 ~]# cat /etc/vsftpd/chroot_list
nibul
suresh

So users nibul and suresh should be chrooted to their home directories, and user randeep should not be, as he is not listed in /etc/vsftpd/chroot_list:

[root@nessus ~]# ftp 192.168.0.21
Connected to 192.168.0.21.
220 Welcome to FTP Server Spartansit.com Pvt Ltd
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.21:root): nibul
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/nibul"
ftp>

[root@nessus ~]# ftp 192.168.0.21
Connected to 192.168.0.21.
220 Welcome to FTP Server Spartansit.com Pvt Ltd
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.21:root): randeep
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp>
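The two sessions above match the semantics documented in man 5 vsftpd.conf: when chroot_local_user=YES, chroot_list is the list of local users who are NOT placed in the chroot jail, so nibul (listed) still sees the real path /home/nibul, while randeep (not listed) is jailed and sees "/". When chroot_local_user=NO the same list means the opposite: only the listed users are jailed. The script below is an added example, not code from the post or the vsftpd project; it encodes that decision and reproduces the pwd output for the three users, assuming each user's home directory is /home/USER. One caveat for newer installations: vsftpd 2.3.5 and later refuse to jail a user whose chroot root directory is writable (the login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), and later releases add allow_writeable_chroot=YES to override that; the 2.0.5 server in this post predates both.

```shell
#!/bin/sh
# Added example, not code from the original post: the chroot decision as
# documented in man 5 vsftpd.conf, applied to the three users in the post.

# user_in_list USER FILE: true when USER is a whole line of FILE.
user_in_list() { grep -qx "$1" "$2" 2>/dev/null; }

# is_chrooted USER CHROOT_LOCAL_USER CHROOT_LIST_ENABLE LISTFILE -> YES or NO
is_chrooted() {
    _listed=NO
    if [ "$3" = YES ] && user_in_list "$1" "$4"; then _listed=YES; fi
    if [ "$2" = YES ]; then
        # chroot_local_user=YES: everyone is jailed except the listed users
        if [ "$_listed" = YES ]; then echo NO; else echo YES; fi
    else
        # chroot_local_user=NO: only the listed users are jailed
        echo "$_listed"
    fi
}

# pwd_after_login USER CHROOT_LOCAL_USER CHROOT_LIST_ENABLE LISTFILE:
# what 'ftp> pwd' prints right after login. A jailed user sees "/";
# an unjailed one sees the real home path (assumed to be /home/USER here).
pwd_after_login() {
    if [ "$(is_chrooted "$@")" = YES ]; then echo /; else echo "/home/$1"; fi
}

# write_sample_chroot_list PATH: the chroot_list contents shown in the post.
write_sample_chroot_list() { printf 'nibul\nsuresh\n' > "$1"; }

# Usage: evaluate the post's setting (chroot_local_user=YES, chroot_list_enable=YES).
demo_list=$(mktemp)
write_sample_chroot_list "$demo_list"
for u in nibul suresh randeep; do
    printf '%-8s jailed=%-3s pwd=%s\n' "$u" \
        "$(is_chrooted "$u" YES YES "$demo_list")" \
        "$(pwd_after_login "$u" YES YES "$demo_list")"
done
rm -f "$demo_list"
```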

Preventing a user from logging in:

You can prevent a user from logging into FTP Server in two ways.

  1. Listing in /etc/vsftpd/ftpusers
  2. Listing in /etc/vsftpd/user_list

By listing in /etc/vsftpd/ftpusers:

Here you just have to add the username of the user you want to block to this file.
An example is shown below.

[root@vm1 ~]# cat /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
root
bin
***Output Truncated***
operator
games
nobody
shinto
[root@vm1 ~]#


Trying to log in as shinto:

[root@nessus ~]# ftp 192.168.0.21
Connected to 192.168.0.21.
220 Welcome to FTP Server Spartansit.com Pvt Ltd
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.21:root): shinto
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>

By listing in /etc/vsftpd/user_list:

[root@vm1 ~]# cat /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
***Output Truncated***
games
inobody
remil
[root@vm1 ~]#

Trying to log in as remil:

[root@nessus ~]# ftp 192.168.0.21
Connected to 192.168.0.21.
220 Welcome to FTP Server Spartansit.com Pvt Ltd
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.0.21:root): remil
530 Permission denied.
Login failed.
ftp>
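The two transcripts differ in a way that matters when reading logs: remil was refused with "530 Permission denied" before any password prompt, because vsftpd checks /etc/vsftpd/user_list itself (userlist_deny=YES is the default, as the file's own comment says), whereas shinto was asked for a password and only then got "530 Login incorrect", because /etc/vsftpd/ftpusers is enforced by PAM after authentication. Since plain FTP carries passwords in clear text, keeping root and the other system accounts in both lists, as the shipped files do, is what keeps those credentials off the wire. The script below is an added example, not code from the post or the vsftpd project; it folds both lists into one decision function, using list contents constructed from the truncated output above.

```shell
#!/bin/sh
# Added example, not code from the original post: the two deny lists as one
# decision function, returning the reply a client would see.

# user_in_list USER FILE: true when USER is a whole line of FILE (comment lines never match).
user_in_list() { grep -qx "$1" "$2" 2>/dev/null; }

# ftp_login_check USER USERLIST_ENABLE USERLIST_DENY USER_LIST FTPUSERS
# userlist_deny=YES (vsftpd's default) makes user_list a deny list checked
# before the password prompt; NO turns it into the list of the only users allowed.
# ftpusers is applied afterwards, standing in for the PAM pam_listfile check.
ftp_login_check() {
    if [ "$2" = YES ]; then
        if [ "$3" = YES ] && user_in_list "$1" "$4"; then
            echo "530 Permission denied (user_list, no password prompt)"; return 0
        fi
        if [ "$3" = NO ] && ! user_in_list "$1" "$4"; then
            echo "530 Permission denied (not in user_list allow list)"; return 0
        fi
    fi
    if user_in_list "$1" "$5"; then
        echo "530 Login incorrect (ftpusers via PAM, after password)"; return 0
    fi
    echo "230 Login successful"
}

# write_sample_lists USER_LIST_PATH FTPUSERS_PATH: constructed from the post's
# truncated listings (system accounts first, then the users the post blocks).
write_sample_lists() {
    printf '# vsftpd userlist\nroot\nbin\ngames\nnobody\nremil\n' > "$1"
    printf '# Users that are not allowed to login via ftp\nroot\nbin\noperator\ngames\nnobody\nshinto\n' > "$2"
}

# Usage: evaluate the post's users with the default userlist_deny=YES.
demo_ul=$(mktemp); demo_fu=$(mktemp)
write_sample_lists "$demo_ul" "$demo_fu"
for u in remil shinto randeep root; do
    printf '%-8s -> %s\n' "$u" "$(ftp_login_check "$u" YES YES "$demo_ul" "$demo_fu")"
done
rm -f "$demo_ul" "$demo_fu"
```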

There are many other options in vsftpd.conf; check the man page for more.

[root@vm1 ~]# man 5 vsftpd.conf

That's it. Have fun!

