
installation via the FreeBSD package repository


Step 1: installing vsftpd

The easiest way to install the vsftpd package is to retrieve it from the source...

pkg_add -r vsftpd

If for some reason you cannot remotely retrieve packages, you can download and install the packages directly...

wget http://www.vsftpdrocks.org/downloads/vsftpd-1.2.1_3.tgz

pkg_add vsftpd-1.2.1_3.tgz


Step 2: Startup and test in "standalone" mode

First, let's tell vsftpd to run in "standalone" mode.

vi /usr/local/etc/vsftpd.conf

Add the following line, or if the line is already present make sure it reads as follows:

listen=YES

Now let's start up vsftpd...

/usr/local/libexec/vsftpd &

Now try to ftp to your server. A successful ftp session should look like this:

[root@somehost]ftp 1.2.3.4 (Don't be an idiot. Use your server's IP address here.)
Connected to localhost.localdomain.
220 (vsFTPd 1.2.1)
Name (localhost:admin): bobsmith
(obviously, you will want to use a valid user on your server for the login name)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls

150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 25372 Jan 17 18:50 somefile.tar.gz
drwx------ 2 1001 1001 512 Jan 16 19:16 index.htm
226 Directory send OK.
ftp> quit
221 Goodbye.
[root@somehost]

If you got a response similar to the one above, you're all set! If you would rather run your ftp server out of either inetd or xinetd, then you will want to continue with the next test. I recommend running vsftpd out of either inetd or xinetd.


Step 3: Configuration for inetd/xinetd operation:

To configure vsftpd for inetd or xinetd operation, do the following:

First, let's edit the /etc/vsftpd.conf file and tell it not to run in "standalone" mode:

vi /etc/vsftpd.conf

Make sure the following line exists and is set to "NO":

listen=NO

If you are running inetd, do the following:

vi /etc/inetd.conf

If there are any existing and active ftp service lines, comment them out or delete them and then add the following line:

ftp stream tcp nowait root /usr/local/libexec/vsftpd vsftpd

Save and exit.

Now restart inetd:

killall inetd

/usr/sbin/inetd -wW

If you are running xinetd, do the following:

Add this following entry to /etc/xinetd.conf. If there is already an "ftp" service block, replace it with this one:

service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/local/libexec/vsftpd
nice = 10
}

Save and exit.

Now stop and restart xinetd...

/usr/local/etc/rc.d/xinetd.sh stop

/usr/local/etc/rc.d/xinetd.sh start

or

killall -HUP xinetd

Now let's test the inetd/xinetd ftp server:

[root@somehost]ftp 1.2.3.4 (Again, use your server's IP address here.)
Connected to localhost.localdomain.
220 (vsFTPd 1.2.1)
Name (localhost:admin): bobsmith
(obviously, you will want to use a valid user on your server for the login name)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 25372 Jan 17 18:50 somefile.tar.gz
drwx------ 2 1001 1001 512 Jan 16 19:16 index.htm
226 Directory send OK.
ftp> quit
221 Goodbye.
[root@somehost]

If you got a response similar to the one above, you're all set! Congratulations, your FTP server is alive! In the next steps, we will tweak the configuration of the vsftpd server for the best performance.


Step 4: The vsftpd master configuration file

The master vsftpd configuration should be located at /etc/vsftpd.conf. This file is going to determine how your vsftpd FTP server operates. You will find that the vsftpd.conf file contains loads of configuration options. I'm not going to cover every single option, but the most important ones are listed here:

anonymous_enable=NO/YES

Turns on or off anonymous FTP access. If you turn it on, the anonymous server config info outlined in step 3 of this install will apply. If you are unsure about what an anonymous FTP server is, it's best to set this option to "NO".

local_enable=NO/YES

This option activates or deactivates the ability of local system users to FTP to your server. Typical FTP servers will have this option set to "YES". The only time I can think of a "NO" situation would be for a strictly anonymous FTP server where you have no need for system user FTP sessions.

write_enable=NO/YES

Activates or deactivates FTP write ability. In most cases, you will want this set to "YES".

local_umask=022 (or whatever you want it to be)

The default vsftpd umask is 077. Here you can establish a custom umask if you so desire.

xferlog_enable=YES

This option activates logging of uploads & downloads.

ftpd_banner=Welcome to blah FTP service

Not a critical option in any way, but it does allow you to have friendly, customized ftp greetings for your users.

chroot_list_enable=NO/YES
chroot_list_file=/usr/local/etc/vsftpd.chroot_list

This rather important and useful option enables the "chroot" abilities of vsftpd. With "chroot_list_enable" set to "YES", vsftpd then looks for a "chroot_list_file" whose location is specified on the next line. Any user listed in that file is then automatically "chrooted" to their home directory. This prohibits the user from going anywhere outside of his/her FTP home directory. Very useful in shared FTP environments or just as a general layer of security and privacy.

userlist_enable=NO/YES
userlist_deny=NO/YES

The "userlist_enable" option instructs vsftpd to either consult or not consult either of 2 files: vsftpd.ftpusers and vsftpd.user_list. If this option is set to "YES", the 2 files serve as lists of users that are allowed to FTP to the server. However, when coupled with the "userlist_deny=YES" option, the 2 files serve as lists of users who are NOT allowed to FTP to the server. This option is very useful in completely denying FTP access to critical system users such as "root" or "apache" or "www". A very nice layer of security for your FTP server.

Step 5: The vsftpd.ftpusers, vsftpd.user_list configuration files

These 2 files tie directly into the "userlist_enable" and "userlist_deny" options in the /usr/local/etc/vsftpd.conf config file. When the "userlist_enable" option is set to "YES", these 2 files serve as lists of users that are allowed to FTP to the server. However, when coupled with the "userlist_deny=YES" option, the 2 files serve as lists of users who are NOT allowed to FTP to the server. When the "userlist_deny" option is used, the nature of the denial of FTP service that a prohibited user receives differs depending on which of the 2 files they are listed in.

If a user is listed in the "vsftpd.user_list" file and the "userlist_deny" option is activated, users will not even get prompted for a password when they attempt to ftp to the server. They get rejected from the start.

If a user is listed in the "vsftpd.ftpusers" file and the "userlist_deny" option is activated, users will get prompted for a password but will never be able to log in.

Personally, I like to use the "vsftpd.user_list" configuration to establish a list of users (root, apache, www, nobody etc.) who will never even get prompted for a password should an ftp connection be initiated on their behalf.

Step 6: The vsftpd.chroot_list configuration file

The "vsftpd.chroot_list" file, when used with an activated "chroot_list_enable" option, establishes a list of FTP users who will be "chrooted" to the home FTP directory. These users will not be able to change directories past their own home directory. This is a nice feature in shared FTP environments where privacy is needed.
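The options covered in steps 4 through 6 lend themselves to a quick check before you restart the server. The script below is an added example, not code from this page or from the vsftpd project: it reads the effective value of each option from a vsftpd.conf-style file, reports the settings that weaken the server relative to what the steps above recommend, and lists which of the accounts suggested in step 5 (root, apache, www, nobody) are missing from a vsftpd.user_list file. The sample config files and user list it writes under a temporary directory are constructed for the demo, not taken from a real server. The fallback values it assumes when an option is absent (anonymous_enable=YES, local_enable=NO, xferlog_enable=NO, chroot_list_enable=NO, userlist_enable=NO, local_umask=077) are vsftpd's documented defaults, and the umask test only accepts an octal value with a leading 0 because vsftpd reads a value without it as a base 10 integer.

```shell
#!/bin/sh
# Added example (not from vsftpdrocks.org or the vsftpd project): audit the
# vsftpd.conf options discussed in steps 4-6 against constructed sample files.

# Effective value of KEY ($1) in a vsftpd.conf-style file ($2), or DEFAULT ($3)
# when the key is absent. vsftpd expects exactly "key=value" per line with no
# spaces around "=", ignores lines that begin with "#", and when a key repeats
# the last line wins, which "tail -n 1" reproduces.
vsftpd_get() {
    val=$(grep -v '^#' "$2" | grep "^$1=" | tail -n 1 | cut -d= -f2-)
    echo "${val:-$3}"
}

# One "WARN: ..." line per setting that weakens the server relative to the
# tutorial's recommendations; prints nothing for a clean file. Always exits 0.
vsftpd_audit() {
    conf=$1
    [ "$(vsftpd_get anonymous_enable "$conf" YES)" = "YES" ] &&
        echo "WARN: anonymous_enable=YES (anonymous logins are allowed; the compiled-in default)"
    [ "$(vsftpd_get local_enable "$conf" NO)" = "YES" ] &&
        [ "$(vsftpd_get chroot_list_enable "$conf" NO)" != "YES" ] &&
        echo "WARN: chroot_list_enable is not YES (local users can browse outside their home)"
    [ "$(vsftpd_get chroot_list_enable "$conf" NO)" = "YES" ] &&
        [ -z "$(vsftpd_get chroot_list_file "$conf" "")" ] &&
        echo "WARN: chroot_list_enable=YES but chroot_list_file is unset"
    [ "$(vsftpd_get xferlog_enable "$conf" NO)" != "YES" ] &&
        echo "WARN: xferlog_enable is not YES (uploads and downloads are not logged)"
    [ "$(vsftpd_get userlist_enable "$conf" NO)" != "YES" ] &&
        echo "WARN: userlist_enable is not YES (root/apache/www can attempt FTP logins)"
    umask_val=$(vsftpd_get local_umask "$conf" 077)
    case "$umask_val" in
        0[2-7][2-7]) ;;   # octal, and group/other write bits are masked
        *) echo "WARN: local_umask=$umask_val does not mask group/other write (expect e.g. 022 or 077)" ;;
    esac
    return 0
}

# Number of findings for a config file; always exits 0 so it composes with set -e.
vsftpd_warning_count() {
    vsftpd_audit "$1" | grep -c '^WARN:' || true
}

# Accounts from the tutorial's suggested deny list that are absent from a
# vsftpd.user_list file ($1), one per line.
userlist_missing() {
    for u in root apache www nobody; do
        grep -qx "$u" "$1" || echo "$u"
    done
}

# Constructed sample files for the demo (not a real server's configuration).
demo_dir=$(mktemp -d)
cat > "$demo_dir/vsftpd.conf" <<'EOF'
# constructed sample: a permissive configuration
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=002
xferlog_enable=NO
chroot_list_enable=NO
userlist_enable=NO
ftpd_banner=Welcome to blah FTP service
EOF
cat > "$demo_dir/vsftpd.conf.hardened" <<'EOF'
# constructed sample: the settings the tutorial recommends
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
chroot_list_enable=YES
chroot_list_file=/usr/local/etc/vsftpd.chroot_list
userlist_enable=YES
userlist_deny=YES
EOF
printf 'root\napache\nnobody\n' > "$demo_dir/vsftpd.user_list"

echo "== permissive config =="
vsftpd_audit "$demo_dir/vsftpd.conf"
echo "== hardened config (expect no output) =="
vsftpd_audit "$demo_dir/vsftpd.conf.hardened"
echo "== accounts missing from vsftpd.user_list =="
userlist_missing "$demo_dir/vsftpd.user_list"
rm -rf "$demo_dir"
```

Run it as "sh audit.sh"; to check a live server, call vsftpd_audit and userlist_missing on the real /usr/local/etc/vsftpd.conf and vsftpd.user_list instead of the samples. The permissive sample yields five warnings and the hardened one none; a commented-out "#anonymous_enable=NO" still counts as anonymous access enabled, because vsftpd's default for that option is YES.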

Anytime you make config file changes, make sure you restart vsftpd!

That's it. There are a host of other config options that you can add if you so desire, but by and large at this point you should have a secure and functional FTP server.


Site last modified: October 16, 2004 19:54:40
The Rocks Project