vsftpd setup and configuration

vsftpd is an FTP server for Linux; in its default configuration it allows anonymous downloads.

To install vsftpd, use yum (or rpm):

    # yum -y install vsftpd

To configure vsftpd, edit /etc/vsftpd/vsftpd.conf.

To disable anonymous access, set:
    anonymous_enable=NO

To enable anonymous uploads, set:
    anon_upload_enable=YES
(vsftpd.conf does not accept a comment after a value, so keep notes on their own lines; if SELinux is enabled, also see "Check SELinux" below.)
Also create an upload directory with 730 permissions, for example /var/ftp/inbound/, with ftp as the group owner:
    cd /var/ftp
    mkdir inbound
    chown root:ftp inbound
    chmod 730 inbound
    chcon -t public_content_rw_t inbound   # only required if SELinux is enabled

There are two user access files for vsftpd, /etc/vsftpd/ftpusers and /etc/vsftpd/user_list:

  • all users in the ftpusers file are denied FTP access
  • if userlist_enable=YES is set in vsftpd.conf, then the user_list file is also evaluated:
      • if userlist_deny=YES, all users in the file are denied
      • if userlist_deny=NO, only users in the file are allowed, provided they are not also in the ftpusers file
  • a user must pass the requirements of both files before FTP access is granted
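The two-file decision above is easy to get backwards when switching userlist_deny. The following script is an added example, not part of the original page: it reproduces the rules as stated here so a user can be checked before trying a login. The file paths and the two vsftpd.conf values are passed in as parameters, and the ftpusers/user_list contents it writes are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce the two-file access
# decision described above so a user can be checked before trying a login.
# File paths and the two vsftpd.conf values are passed in; the sample
# ftpusers/user_list written below are constructed for the demo.

# Usage: vsftpd_user_allowed USER FTPUSERS USER_LIST USERLIST_ENABLE USERLIST_DENY
# Prints "allow" or "deny" following the rules on this page.
vsftpd_user_allowed() {
    user=$1; ftpusers=$2; user_list=$3; userlist_enable=$4; userlist_deny=$5
    # Rule 1: anyone listed in ftpusers is denied, whatever user_list says
    if grep -qx "$user" "$ftpusers"; then
        echo deny; return 0
    fi
    # Rule 2: user_list is consulted only when userlist_enable=YES
    if [ "$userlist_enable" = YES ]; then
        if [ "$userlist_deny" = YES ]; then
            # deny-list mode: listed users are refused
            if grep -qx "$user" "$user_list"; then echo deny; return 0; fi
        else
            # allow-list mode: only listed users get in
            if ! grep -qx "$user" "$user_list"; then echo deny; return 0; fi
        fi
    fi
    echo allow
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
# root appears in both files: ftpusers wins and root is denied in every mode
printf 'root\nbin\ndaemon\n' > "$demo/ftpusers"
printf 'alice\nroot\n' > "$demo/user_list"

# Print the verdict for a few users under a given userlist_deny setting
vsftpd_access_report() {
    deny_mode=$1
    for u in root alice bob; do
        printf '%-6s userlist_enable=YES userlist_deny=%-3s -> %s\n' "$u" "$deny_mode" \
            "$(vsftpd_user_allowed "$u" "$demo/ftpusers" "$demo/user_list" YES "$deny_mode")"
    done
}

vsftpd_access_report YES   # root deny, alice deny, bob allow
vsftpd_access_report NO    # root deny, alice allow, bob deny
```

Point it at the real files with `vsftpd_user_allowed alice /etc/vsftpd/ftpusers /etc/vsftpd/user_list YES NO` after reading userlist_enable and userlist_deny out of vsftpd.conf; the allow-list form (userlist_deny=NO) is the one to use when only a handful of local accounts should ever log in.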

Example vsftpd.conf for anonymous uploads (write_enable=YES is required as well; without it anon_upload_enable has no effect):
    anonymous_enable=YES
    write_enable=YES
    anon_upload_enable=YES
    chown_uploads=YES
    chown_username=daemon
    anon_umask=077
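Because anonymous uploads depend on three switches at once, a quick audit of the effective settings saves a round of failed test uploads. The script below is an added example, not the page's or the vsftpd project's code: it reads option values from a vsftpd.conf, applies the documented defaults from vsftpd.conf(5) (anonymous_enable=YES, write_enable=NO, anon_upload_enable=NO, anon_umask=077), and checks the upload directory's mode. The two sample config files and the temporary directory it creates are constructed for the demo, and the last-occurrence-wins handling of repeated options is this script's assumption.

```shell
#!/bin/sh
# Added example, not from the original page: audit a vsftpd.conf for the
# anonymous-upload settings above. Option defaults follow vsftpd.conf(5):
# anonymous_enable=YES, write_enable=NO, anon_upload_enable=NO, anon_umask=077.
# The sample config files written below are constructed for the demo.

# Print the effective value of option $2 in config $1, falling back to $3.
# vsftpd.conf honours only whole-line '#' comments, so a trailing comment is
# deliberately NOT stripped here: "anon_upload_enable=YES # note" would reach
# vsftpd as the literal value "YES # note". If the option is repeated, the
# last occurrence is taken (an assumption of this script, not vsftpd's rule).
vsftpd_opt() {
    v=$(grep "^$2=" "$1" | tail -n 1 | sed "s/^$2=//")
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# Anonymous uploads only work when all three switches are on; report the
# effective state and the umask that uploaded files will get.
vsftpd_anon_upload_state() {
    conf=$1
    anon=$(vsftpd_opt "$conf" anonymous_enable YES)
    write=$(vsftpd_opt "$conf" write_enable NO)
    upload=$(vsftpd_opt "$conf" anon_upload_enable NO)
    umask_val=$(vsftpd_opt "$conf" anon_umask 077)
    if [ "$anon" = YES ] && [ "$write" = YES ] && [ "$upload" = YES ]; then
        echo "anonymous-uploads:on umask:$umask_val"
    else
        echo "anonymous-uploads:off"
    fi
}

# Return 0 when the upload directory has exactly mode 730 (owner rwx, group wx,
# others nothing); prints the actual mode either way. stat -c is GNU syntax.
vsftpd_inbound_mode_ok() {
    mode=$(stat -c %a "$1")
    echo "mode:$mode"
    [ "$mode" = 730 ]
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Config 1: the upload options but without write_enable -> uploads stay off
cat > "$demo/noupload.conf" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=077
EOF

# Config 2: same plus write_enable=YES -> uploads work, files get umask 077
cat > "$demo/upload.conf" <<'EOF'
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=077
EOF

mkdir "$demo/inbound" && chmod 730 "$demo/inbound"

vsftpd_anon_upload_state "$demo/noupload.conf"   # anonymous-uploads:off
vsftpd_anon_upload_state "$demo/upload.conf"     # anonymous-uploads:on umask:077
vsftpd_inbound_mode_ok "$demo/inbound"           # mode:730
```

On a live host run `vsftpd_anon_upload_state /etc/vsftpd/vsftpd.conf` and `vsftpd_inbound_mode_ok /var/ftp/inbound`; the mode check only covers permission bits, so confirm the ftp group ownership and the SELinux type separately with `ls -ldZ`.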

To allow connections from a network, add a line like the following to /etc/hosts.allow (vsftpd consults tcp_wrappers only when tcp_wrappers=YES is set in vsftpd.conf and the binary was built with tcp_wrappers support):

    vsftpd:  10.1.4.

vsftpd is SELinux aware: when SELinux is on, authenticated (local) users are not permitted to access their home directories by default.

See the vsftpd.conf man page for an exhaustive list of options.

For iptables to track FTP data connections, enable ip_conntrack_ftp and/or ip_nat_ftp via IPTABLES_MODULES in /etc/sysconfig/iptables-config.

Also add, just after the ESTABLISHED,RELATED entry:
    -A FIREWALL-INPUT -s 10.1.4.0/24 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
making sure to have a line for each subnet that should have access, and substituting 10.1.4.0/24 with your own network.

Check SELinux
    getsebool -a | grep ftp
To permit anonymous uploads with SELinux:
    setsebool -P allow_ftpd_anon_write on

Configure PAM in /etc/pam.d/vsftpd if needed.

    service vsftpd start   # starts the service
    chkconfig vsftpd on    # starts the service at boot and stops it at shutdown

Check the transfer logs in /var/log/xferlog.
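With anonymous uploads enabled, the transfer log is where abuse of the inbound directory shows up first. The script below is an added example, not from the original page: it parses xferlog(5)-format lines, lists every anonymous upload with its completion status, and counts uploads per remote host. The field layout is taken from xferlog(5); the log lines it writes are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original page: pull anonymous uploads out of
# /var/log/xferlog. Field layout follows xferlog(5): five date/time tokens,
# transfer time, remote host, size, file name, transfer type, special-action
# flag, direction (o=download, i=upload), access mode (a=anonymous, g=guest,
# r=real), user, service, auth method, auth user id, completion (c/i).
# The log lines below are constructed sample data, not real traffic.

# Print "host size filename status" for every anonymous upload in log $1.
# The file name may contain spaces, so the nine fixed fields after it are
# addressed from the end of the line rather than by absolute position.
xferlog_anon_uploads() {
    awk '
    NF >= 18 {
        direction = $(NF-6); mode = $(NF-5); status = $NF
        if (direction == "i" && mode == "a") {
            name = $9
            for (i = 10; i <= NF-9; i++) name = name " " $i
            printf "%s %s %s %s\n", $7, $8, name, status
        }
    }' "$1"
}

# Count anonymous uploads per remote host (a single address filling the
# inbound directory stands out here); output sorted by host.
xferlog_upload_count_by_host() {
    xferlog_anon_uploads "$1" | awk '{ count[$1]++ } END { for (h in count) print h, count[h] }' | sort
}

demo_log=$(mktemp)
trap 'rm -f "$demo_log"' EXIT
cat > "$demo_log" <<'EOF'
Thu Sep 12 14:26:06 2013 1 10.1.4.22 1024 /inbound/report.txt b _ i a anon@example.com ftp 0 * c
Thu Sep 12 14:27:10 2013 3 10.1.4.22 204800 /inbound/my data.bin b _ i a ftp ftp 0 * c
Thu Sep 12 14:30:00 2013 1 10.1.4.9 512 /pub/README a _ o a ftp ftp 0 * c
Thu Sep 12 14:31:45 2013 8 10.1.4.9 4096000 /inbound/bigfile.iso b _ i a ftp ftp 0 * i
Thu Sep 12 14:35:02 2013 2 10.1.4.50 2048 /home/alice/notes.txt b _ i r alice ftp 1 alice c
EOF

xferlog_anon_uploads "$demo_log"         # three lines; the .iso one ends in "i" (incomplete)
xferlog_upload_count_by_host "$demo_log" # 10.1.4.22 2 / 10.1.4.9 1
```

Run `xferlog_anon_uploads /var/log/xferlog` on the real log; the download (`o`) and the real-user (`r`) lines are skipped on purpose, and an `i` completion status on an upload marks a transfer that was cut off.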
