Saturday, September 1, 2012

VSFTP ---- Configuration on SUSE

FTP relies on a pair of TCP ports to get the job done. It operates in two connection channels as I'll explain:

FTP Control Channel, TCP Port 21: All commands you send and the ftp server's responses to those commands will go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) will go over the data connection.
FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.
Although vsftpd runs on any Linux distribution, the installation steps differ from one distribution to the next. Here we will discuss how to install and configure it on SUSE. On SUSE, I simply opened YaST, chose the "Add software" option, and selected the vsftpd package to install.
Security
I wanted to create a separate user for FTP administration access, so I did. This user will have full access to its own home directory, which will be the shared FTP root directory. Log in as root, and execute the following commands in the console:
# create the FTP root dir
mkdir /srv/ftp
# create a FTP user group
groupadd ftp-users
# make the new FTP root dir accessible for ftp-users
chmod 750 /srv/ftp
chown root:ftp-users /srv/ftp
# add new ftpadmin user to group and set its home dir to the FTP root
useradd -g ftp-users -d /srv/ftp ftpadmin
# set password of new ftpadmin user
passwd ftpadmin
# give read/write access to the FTP root dir
chmod 770 /srv/ftp
Configuration
This is the most important step. It consists of creating a few configuration files. The most important file is vsftpd.conf, which you should create in the /etc directory. Below is my listing of this file, included with comments:
#disallow anonymous ftp access
anonymous_enable=NO

# allow local users to log in
local_enable=YES

# allow FTP write commands
write_enable=YES

# umask for local users, (022 is used by most other ftpd's)
local_umask=022

# make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

# disable chmod, default is YES
chmod_enable=NO

# login banner string
ftpd_banner=Welcome to the s3maphor3 FTP service

# enable/specify list of local users to chroot() to their home directory.
# if chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

# authentication service
pam_service_name=vsftpd

# disable user list
userlist_enable=NO

# enable for standalone mode
listen=YES
We have specified to "chroot" users. This means that authenticated FTP users will be confined to the home directory specified in their user account. Since we have set this up for the ftpadmin account, this is what we want. The list of users to chroot is maintained in a file called vsftpd.chroot_list in the /etc directory. Mine looks like this:
ftpadmin
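Before starting the daemon, it is worth checking that the configuration actually expresses the restrictions described above. The following audit script is an added example (not part of the original post): it reads a vsftpd.conf, flags a missing anonymous_enable=NO, a chroot setup without a usable chroot list, and reports the writable-chroot caveat that vsftpd 2.3.5 and later enforce; the sample configuration it writes is constructed to mirror the one above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf before starting the daemon.
# vsftpd_setting FILE KEY: print KEY's value (last uncommented "KEY=value" wins, empty if unset).
vsftpd_setting() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}
# audit_vsftpd_conf FILE: print one finding per line; return 0 if no FAIL, 1 otherwise.
audit_vsftpd_conf() {
    conf=$1; rc=0; confined=no
    # vsftpd's built-in default is anonymous_enable=YES, so NO must be set explicitly.
    if [ "$(vsftpd_setting "$conf" anonymous_enable)" != "NO" ]; then
        echo "FAIL anonymous_enable is not NO"; rc=1
    fi
    list_file=$(vsftpd_setting "$conf" chroot_list_file)
    list_file=${list_file:-/etc/vsftpd.chroot_list}   # vsftpd's default path for the list
    if [ "$(vsftpd_setting "$conf" chroot_local_user)" = "YES" ]; then
        confined=yes                                   # every local user is chrooted
    elif [ "$(vsftpd_setting "$conf" chroot_list_enable)" = "YES" ]; then
        # without chroot_local_user=YES, the list names the users that ARE chrooted
        if [ -r "$list_file" ] && [ -s "$list_file" ]; then
            confined=yes
        else
            echo "FAIL chroot_list_enable=YES but $list_file is missing or empty"; rc=1
        fi
    else
        echo "FAIL local users are not chrooted to their home directory"; rc=1
    fi
    # Caveat the post predates: vsftpd 2.3.5+ refuses a login whose chroot root is writable.
    if [ "$confined" = yes ] && [ "$(vsftpd_setting "$conf" write_enable)" = "YES" ]; then
        echo "INFO write_enable=YES in a chroot: keep the chroot root itself non-writable (or set allow_writeable_chroot=YES on vsftpd 3.x)"
    fi
    return $rc
}
# write_sample_conf DIR: constructed sample mirroring the post's vsftpd.conf; prints its path.
write_sample_conf() {
    echo ftpadmin > "$1/vsftpd.chroot_list"
    cat > "$1/vsftpd.conf" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=$1/vsftpd.chroot_list
listen=YES
EOF
    echo "$1/vsftpd.conf"
}
sample=$(write_sample_conf "$(mktemp -d)")
audit_vsftpd_conf "$sample" && echo "OK: $sample passes"
```

Run it against /etc/vsftpd.conf instead of the constructed sample to check a real host; a non-zero exit means at least one FAIL line was printed.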
Finally, a third file is needed to complete the configuration. We want the FTP server to start when the system is started, and to be stopped when the system is shut down. To realize this, we need to create a script file named vsftpd in the /etc/init.d directory:
#!/bin/sh
# minimal init script for vsftpd running in standalone mode (listen=YES)
case "$1" in
start)
    echo "Starting vsftpd ..."
    /usr/sbin/vsftpd &
    ;;
stop)
    echo "Stopping vsftpd ..."
    killall vsftpd
    ;;
*)
    echo "Usage: $(basename "$0") {start|stop}" >&2
    exit 64
    ;;
esac
exit 0
This completes the configuration of vsftpd. Let's test it.
Local test
Before trying to access the FTP server from a remote machine, it is wise to do a local test, to see whether your configuration is working without the complication of a firewall. First make sure the vsftpd service is started. It should run automatically after a reboot, but you can also start it manually. Since I run vsftpd in standalone mode (outside of the xinetd network service), the command to start it is:
/usr/sbin/vsftpd &
The command to stop it is:
killall vsftpd
Now that the service is started, let's do a local test. Here's my successful FTP session, based on the configuration above:
linux:~ # ftp localhost
Trying 127.0.0.1...
Connected to localhost.
220 Welcome to the palpankaj FTP service
Name (localhost:root): ftpadmin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Firewall settings
Many Linux distributions by default have their firewall enabled. This is a good thing. I found out that Suse does not allow FTP traffic from a remote machine. The way to configure it to allow FTP traffic may differ per distribution. I have used the Yast control panel, security section, firewall, advanced dialog and added port 21 (FTP control) and port 20 (FTP data) to the TCP ports.
Remote test
The last step in the process is testing remote FTP access. For this purpose I have simply used a command prompt as FTP client on my Windows machine. Here's my successful remote FTP session output:
C:\>ftp 192.168.8.27
Connected to 192.168.8.27.
220 Welcome to the s3maphor3 FTP service
User (192.168.8.27:(none)): ftpadmin
331 Please specify the password.
Password:
230 Login successful.
Here 192.168.8.27 is the IP address of your FTP server. You can check the address in Linux using the ifconfig command (look for inet addr in the output).
Note that this document comes without warranty of any kind, but every effort has been made to provide the information as accurately as possible. I welcome emails from any readers with comments, suggestions, and corrections at webmaster_at admin@linuxhowto.in

Copyright © 2012 LINUXHOWTO.IN


3 comments:

1. This explanation helped with setting up vsftpd in SUSE where the default authentication for some reason was ftp instead of vsftpd. Without this change only anonymous could log in.