Configuring vsftpd in Ubuntu : Example #1

August 2, 2010

vsftpd is a Linux package for building an FTP server. In this article I give a simple example of configuring vsftpd on Ubuntu. The FTP server built here authenticates against real Linux system usernames and does not use encryption.

Please follow the steps below.

  1. Network diagram.
       [eth1]                            [eth0]
         ||                                ||
     [Internet]--------[vsftpd]--------[Intranet]
                          ||
                    [tcp_wrappers]
  2. Installing vsftpd for the first time.

    ~# apt-get install vsftpd

  3. Make sure the configuration file “/etc/vsftpd.conf” contains at least the following lines.

    listen=YES
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    idle_session_timeout=600
    data_connection_timeout=120
    ftpd_banner=BLAH-FTP
    chroot_local_user=YES
    secure_chroot_dir=/var/run/vsftpd
    pam_service_name=vsftpd
    local_root=/home
    hide_ids=YES
    syslog_enable=YES
    max_clients=20
    max_per_ip=5
    pasv_min_port=5000
    pasv_max_port=5999
    tcp_wrappers=YES
    # Optional
    # deny_file={*.iso,*.lnk,*.3gp,*.3gpp}
    # cmds_allowed=PASV,RETR,QUIT

  4. Add the following rules to iptables.

    ~# iptables -A INPUT -j ACCEPT -p tcp --dport 20:21 -m state --state NEW,RELATED,ESTABLISHED
    ~# iptables -A OUTPUT -j ACCEPT -p tcp

  5. Prevent users from logging in to the Linux shell.

    ~# echo "/usr/sbin/nologin" >> /etc/shells

    Adding a user, or changing the shell of an existing user, can be done as follows.

    ~# useradd -g ftp -s /usr/sbin/nologin -m johnson
    -OR-
    ~# chsh -s /usr/sbin/nologin johndoe

  6. Prevent certain users from using the FTP server.

    ~# echo "sysadmin" >> /etc/ftpusers

  7. Here is a simple way to secure your FTP server using “tcp_wrappers”.

    7.1. Make sure the file “/etc/hosts.deny” contains only the following.

    ALL: ALL

    7.2. Create the file “/etc/hosts.sandbox” to hold the IP or network addresses that will be blocked.

    ~# echo "224." >> /etc/hosts.sandbox
    ~# echo "240." >> /etc/hosts.sandbox
    ~# echo "248." >> /etc/hosts.sandbox

    7.3. Add the following line to the file “/etc/hosts.allow”.

    vsftpd: ALL EXCEPT /etc/hosts.sandbox

  8. To test whether “tcp_wrappers” is working, add the IP address of a workstation to the file “/etc/hosts.sandbox”.

    If you use the shell command “tcpdchk -v” to check the “tcp_wrappers” configuration, the error message “no such process name in /etc/inetd.conf” appears.

    Add the following line to the file “/etc/inetd.conf”.

    ~# echo "ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd" >> /etc/inetd.conf

    This is not mandatory; without that line, “tcp_wrappers” keeps working fine.

    Information about the file “/etc/inetd.conf”, which Ubuntu removed, can be read here.

  9. Finish.
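As an added example, not part of the original post: a small POSIX shell simulation of the access decision tcp_wrappers makes with the hosts.allow / hosts.deny / hosts.sandbox layout from step 7, so the effect of adding a workstation address (step 8) can be checked before touching the real files. The temporary file paths and the addresses are constructed stand-ins, and only the pattern forms used above are handled.

```shell
#!/bin/sh
# Constructed simulation (not libwrap's or vsftpd's own code) of the tcp_wrappers
# decision for steps 7.1-7.3. Only the pattern forms the page uses are handled:
# ALL, a trailing-dot prefix such as "224.", one address, or a /path/file of them.
match_one() {                       # match_one IP PATTERN -> 0 when PATTERN covers IP
  case "$2" in
    ALL) return 0 ;;
    /*)  while IFS= read -r p; do   # file: any line that matches
           [ -n "$p" ] && match_one "$1" "$p" && return 0
         done < "$2"; return 1 ;;
    *.)  case "$1" in "$2"*) return 0 ;; esac; return 1 ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

list_matches() {                    # list_matches IP TOKENS... ("ALL EXCEPT /file")
  ip=$1; shift; hit=1
  while [ $# -gt 0 ]; do
    if [ "$1" = EXCEPT ]; then      # anything after EXCEPT overrides a match
      shift; while [ $# -gt 0 ]; do match_one "$ip" "$1" && return 1; shift; done
      break
    fi
    match_one "$ip" "$1" && hit=0; shift
  done
  return $hit
}

rules_match() {                     # rules_match DAEMON IP FILE -> 0 when a line applies
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    for d in ${line%%:*}; do        # daemon list before the colon
      [ "$d" = ALL ] || [ "$d" = "$1" ] || continue
      list_matches "$2" ${line#*:} && return 0
    done
  done < "$3"; return 1
}

wrappers_decision() {               # DAEMON IP ALLOWFILE DENYFILE -> allow|deny
  if rules_match "$1" "$2" "$3"; then echo allow      # hosts.allow wins first
  elif rules_match "$1" "$2" "$4"; then echo deny     # then hosts.deny
  else echo allow; fi                                 # no match at all: allowed
}
# Constructed stand-ins for /etc/hosts.sandbox, hosts.allow and hosts.deny;
# 192.168.1.77 plays the workstation added for the test in step 8.
SANDBOX=$(mktemp); ALLOW=$(mktemp); DENY=$(mktemp)
printf '224.\n240.\n248.\n192.168.1.77\n' > "$SANDBOX"
printf 'vsftpd: ALL EXCEPT %s\n' "$SANDBOX" > "$ALLOW"
printf 'ALL: ALL\n' > "$DENY"
for c in 10.0.0.5 224.0.0.1 192.168.1.77; do          # allow, deny, deny
  printf 'vsftpd from %s: %s\n' "$c" "$(wrappers_decision vsftpd "$c" "$ALLOW" "$DENY")"
done
```

Because hosts.deny holds “ALL: ALL”, any daemon without its own hosts.allow line (sshd, for instance) is refused by the same logic, which is worth keeping in mind before adding other wrapped services to this host.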

Again, this is a simple example; you can customize it to your own taste.