Warm Diwali wishes friends!
I was wondering what to do on this festive day, already spoiled by incessant rain, and decided to document something useful. So here is one: VSFTPD! Passive or active, too much confusion? Here is how to set up both on a CentOS 6.x system (it should work on RHEL and Fedora based systems as well).
A. Installation is a breeze using YUM; do it like so:
# yum install vsftpd -y
B. Some custom configuration
Make the following changes in the "/etc/vsftpd/vsftpd.conf" file:
1. No anonymous login:
anonymous_enable=NO
2. I needed full logging, including client connection details (vsftpd's own log format rather than the standard xferlog one):
xferlog_std_format=NO
3. Add this:
log_ftp_protocol=YES
4. The following restricts FTP users to their own home directories. Not a good
thing to let them peep into others' :-)
chroot_local_user=YES
6. I wanted only specific users to have FTP access, so I listed them in
"/etc/vsftpd/user_list", commenting out the default entries:
userlist_deny=NO
(with userlist_deny=NO the file /etc/vsftpd/user_list becomes an allow list, so
include only those users who need FTP service)
7. Active OR Passive?
A. Specific to Active FTP:
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
pasv_enable=NO
B. Specific to Passive FTP (open the passive port range, 50000-50999 below, in the
firewall):
##For passive ftp mode
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50999
port_enable=YES
pasv_addr_resolve=YES
pasv_address=xxx.xxx.xxx.xxx
(replace xxx.xxx.xxx.xxx with the public IP of your FTP server; it may be needed
here because this OpenStack instance sits behind NAT)
8. SELinux!
(Modify the SELinux boolean if you encounter an error like "500 OOPS: cannot
change directory:/home/...")
A. Grab the current values:
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> on
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
B. Change the home directory specific boolean:
# setsebool -P ftp_home_dir on
(see the setsebool man page for options; -P makes the change persist across reboots)
C. Test the FTP server
Create an FTP user (a regular system user) and set the login shell to /sbin/nologin (to
deny SSH access). Test your FTP server using a command line FTP
client or a GUI client such as FileZilla (or any other client of your choice).
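As an added example (not part of the original post), here is a small POSIX shell helper that applies steps 1 to 7 above to vsftpd.conf idempotently, so a re-run never leaves a duplicate key, and sanity-checks the result before you restart the daemon. The function names are this example's own, and 203.0.113.10 is a placeholder for the server's public IP.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's settings to
# vsftpd.conf idempotently (re-running never duplicates a key) and sanity-check
# the result before restarting vsftpd. Function names are this example's own.
# vsftpd_set FILE KEY VALUE: rewrite an existing KEY= line (a commented
# "#KEY=" one too) or append it, so each key ends up exactly once.
vsftpd_set() {
    if grep -q "^#*$2=" "$1"; then
        sed -i "s|^#*$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}
# vsftpd_get FILE KEY: value of the last uncommented KEY= line, if any.
vsftpd_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }
# Settings common to both modes (steps 1-6 above).
vsftpd_common() {
    for kv in anonymous_enable=NO xferlog_std_format=NO log_ftp_protocol=YES \
              chroot_local_user=YES pam_service_name=vsftpd userlist_enable=YES \
              userlist_deny=NO tcp_wrappers=YES; do
        vsftpd_set "$1" "${kv%%=*}" "${kv#*=}"
    done
}
# vsftpd_mode FILE active|passive [PUBLIC_IP]: the mode-specific block (step 7).
vsftpd_mode() {
    case "$2" in
    active) vsftpd_set "$1" pasv_enable NO ;;
    passive)
        [ -n "$3" ] || { echo "passive mode needs the public IP" >&2; return 1; }
        for kv in pasv_enable=YES port_enable=YES pasv_min_port=50000 \
                  pasv_max_port=50999 pasv_addr_resolve=YES "pasv_address=$3"; do
            vsftpd_set "$1" "${kv%%=*}" "${kv#*=}"
        done ;;
    *) echo "mode must be active or passive" >&2; return 1 ;;
    esac
}
# vsftpd_check FILE: fail on duplicate keys, anonymous login left on, an
# inverted passive range, or a passive block with no public address.
vsftpd_check() {
    sed -n 's/=.*//p' "$1" | grep -v '^#' | sort | uniq -d | grep -q . && return 1
    [ "$(vsftpd_get "$1" anonymous_enable)" = NO ] || return 1
    [ "$(vsftpd_get "$1" pasv_enable)" = YES ] || return 0
    lo=$(vsftpd_get "$1" pasv_min_port); hi=$(vsftpd_get "$1" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -le "$hi" ] || return 1
    [ -n "$(vsftpd_get "$1" pasv_address)" ]
}
# Usage on the server (203.0.113.10 is a placeholder public IP):
#   vsftpd_common /etc/vsftpd/vsftpd.conf; vsftpd_mode /etc/vsftpd/vsftpd.conf passive 203.0.113.10
#   vsftpd_check /etc/vsftpd/vsftpd.conf && service vsftpd restart
```

Run the check again after any hand edit; it refuses a config where the same key appears twice, which is the usual cause of a setting silently not taking effect.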