Configuring VSFTPd Server


I read the gentoo-wiki on installing and running vsftpd and whenever I ftp localhost and login, I can't get a directory listing of my ftp! (/var/ftp)

 

tux ftp # ftp localhost

Connected to localhost.

220 (vsFTPd 2.0.3)

Name (localhost:stenro): ftp

530 Please login with USER and PASS.

SSL not available

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

200 PORT command successful. Consider using PASV.

150 Here comes the directory listing.

226 Transfer done (but failed to open directory)

 

 

Why can't I get a directory? I have my distro files in there and a screeny :( Any help would be appreciated, thank you.

Link to post
Share on other sites

This is probably a permissions issue...

 

$ ls -ld /var{,/ftp,/ftp/*}
drwxr-xr-x  16 root root	 4096 Jan 14 01:41 /var
dr-xr-xr--   3 ftp  ftp	  4096 Nov 17 19:49 /var/ftp
dr-xrwxr--   4 ftp  portage 98304 Feb 20 00:22 /var/ftp/distfiles

 

So, you will need:

/var - 755

/var/ftp - 554

 

This is an oddity just for me because I host the gentoo distfiles locally (i.e. one area stores all the distfiles)

/var/ftp/distfiles - 574

So portage needs rwx on the dir..

 

 

Hopefully the permissions alterations will do it ^_^

Link to post
Share on other sites

I got

 

ls -ld /var{,/ftp,/ftp/*}														     
drwxr-xr-x  13 root root  	4096 Feb 21 01:40 /var
dr-xr-xr--   3 ftp  ftp       4096 Feb 21 04:07 /var/ftp
drwxrwxr-x   4 root portage  16384 Feb 26 23:27 /var/ftp/distfiles
-rw-r--r--   1 root root	143458 Feb 21 04:07 /var/ftp/gentoo-fluxbox-idesk-screenshot.jpg
lrwxrwxrwx   1 root root		17 Feb 21 01:41 /var/ftp/packages -> /var/ftp/packages

 

is this chmod 755 /var

chmod 554 /var/ftp

?

Link to post
Share on other sites

ls -ld /var{,/ftp,/ftp/*}														 
drwxr-xr-x  13 root root	  4096 Feb 21 01:40 /var
dr-xr-xr--   3 ftp  ftp	   4096 Feb 21 04:07 /var/ftp
drwxrwxr-x   4 root portage  16384 Feb 26 23:27 /var/ftp/distfiles
-rw-r--r--   1 root root	143458 Feb 21 04:07 /var/ftp/gentoo-fluxbox-idesk-screenshot.jpg
lrwxrwxrwx   1 root root		17 Feb 21 01:41 /var/ftp/packages -> /var/ftp/packages

 

The permissions are fine.. however look at the ownership!

 

This should fix you up.. (notice the rm.. you have a cyclic link there :P)

chown ftp:portage /var/ftp/distfiles
chown ftp:ftp /var/ftp/*.jpg
rm /var/ftp/packages

 

^_^

Link to post
Share on other sites

/etc/init.d/vsftpd/vsftpd start

*Calculating service dependencies .... [ok ]

*Starting vsftpd.....

500 OOPS: bad bool value in config file for: ssl_enable [!!]

 

I'm following the howto on the Gentoo wiki for using SSL to secure FTP but no luck...

FTP-less

 

Also, when I ftp localhost I get ftp: connect: Connection refused

 

lame :(

Link to post
Share on other sites
find the config and paste the line that has the ssl_enable

 

Okay. Here's what I have in /etc/vsftpd/vsftpd.conf

 

dirmessage_enable=YES
# banner_file=/etc/vsftpd/vsftpd.banner # edit banner first
chown_uploads=NO
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=NO
ascii_download_enable=NO
chroot_list_enable=YES
background=YES
listen=YES
ls_recurse_enable=NO
anonymous_enable=YES
local_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
download_enable=YES
cmds_allowed=YES
ssl_enable=YES						  #this is important
allow_anon_ssl=YES					 #choose what you like, if you accept anon-connections
guest_enable=YES					  # you may want to enable this
force_local_data_ssl=NO			   #choose what you like,
force_local_logins_ssl=YES			  #choose what you like

ssl_tlsv1=YES						   #you should at least enable this if you enable ssl...
ssl_sslv2=YES						   #choose what you like
ssl_sslv3=YES						   #choose what you like
rsa_cert_file=/etc/ssl/certs/vsftpd.pem #give the correct path to
									#your currently generated *.pem file

pam_service_name=vsftpd
guest_enable=YES
pam_service_name=vsftpd

Link to post
Share on other sites

Easy enough, you cannot comment after options with vsftpd.conf :)

 

dirmessage_enable=YES
# edit banner first
# banner_file=/etc/vsftpd/vsftpd.banner
chown_uploads=NO
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=NO
ascii_download_enable=NO
chroot_list_enable=YES
background=YES
listen=YES
ls_recurse_enable=NO
anonymous_enable=YES
local_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
download_enable=YES
cmds_allowed=YES

#this is important
ssl_enable=YES
#choose what you like, if you accept anon-connections
allow_anon_ssl=YES
# you may want to enable this
guest_enable=YES
#choose what you like
force_local_data_ssl=NO
#choose what you like
force_local_logins_ssl=YES

#you should at least enable this if you enable ssl...
ssl_tlsv1=YES
#choose what you like
ssl_sslv2=YES
#choose what you like
ssl_sslv3=YES
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

pam_service_name=vsftpd
guest_enable=YES
pam_service_name=vsftpd

 

Should do it

Link to post
Share on other sites
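
Added example, not part of any post above: a small linter for the failure discussed in the last two posts. vsftpd takes everything after "=" as the value, so a trailing comment turns YES into a bad bool. The option list is limited to booleans seen in the posted config; the duplicate and SSLv2/SSLv3 checks are additions, and the sample input is constructed.

```python
# Added example: lint a vsftpd.conf for the mistakes discussed in this thread.
# BOOL_OPTIONS is limited to boolean options that appear in the posted config.
BOOL_OPTIONS = {
    "anonymous_enable", "local_enable", "listen", "background", "guest_enable",
    "ssl_enable", "allow_anon_ssl", "force_local_data_ssl",
    "force_local_logins_ssl", "ssl_tlsv1", "ssl_sslv2", "ssl_sslv3",
}
TRUE_VALUES = {"YES", "TRUE", "1"}
FALSE_VALUES = {"NO", "FALSE", "0"}
LEGACY_PROTOCOLS = {"ssl_sslv2", "ssl_sslv3"}  # SSLv2/SSLv3 are deprecated


def lint_vsftpd_conf(text):
    """Return a list of (line_number, finding, option) tuples."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue                      # blank line or full-line comment
        if "=" not in line:
            findings.append((lineno, "not-an-option", line.strip()))
            continue
        raw_key, raw_value = line.split("=", 1)
        key = raw_key.strip()
        value = raw_value.split("#", 1)[0].strip()   # what the admin meant
        if "#" in raw_value:
            # vsftpd takes everything after "=" as the value, comment included
            findings.append((lineno, "inline-comment", key))
        elif raw_key != key or raw_value != value:
            findings.append((lineno, "stray-whitespace", key))
        if key in BOOL_OPTIONS and value.upper() not in TRUE_VALUES | FALSE_VALUES:
            findings.append((lineno, "bad-bool", key))
        if key in LEGACY_PROTOCOLS and value.upper() in TRUE_VALUES:
            findings.append((lineno, "legacy-protocol", key))
        if key in seen:
            findings.append((lineno, "duplicate", key))
        seen.add(key)
    return findings


# Constructed sample: a few lines in the style of the config posted above.
SAMPLE_CONF = (
    "listen=YES\n"
    "ssl_enable=YES\t\t#this is important\n"
    "ssl_tlsv1=YES\n"
    "ssl_sslv2=YES\n"
    "guest_enable=YES\n"
    "pam_service_name=vsftpd\n"
    "guest_enable=YES\n"
)

if __name__ == "__main__":
    for lineno, finding, option in lint_vsftpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {finding}: {option}")
```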

After a bit of discussion...

 

/etc/init.d/vsftpd stop
/etc/init.d/vsftpd zap
/etc/init.d/vsftpd start

 

did this clear it?

Link to post
Share on other sites

If it's working then it's probably that you have the ftp files in the wrong place? The default directory under Gentoo is /home/ftp .. so that's where you should place your files? Either that or link the more correct FHS dir /var/ftp back to it.. like this:

 

rmdir /home/ftp
mkdir /var/ftp
chown ftp:ftp /var/ftp
ln -s /var/ftp /home/

Thanks to Gentoo-Wiki

Link to post
Share on other sites
  • 3 weeks later...

hi guys,

 

I've formatted my Windows 2003 server and now have installed Fedora Core release 4 on it instead (on the first hdd)

 

I've also formatted the remaining three hdds using the ext3 filesystem and they are all blank with the intention of filling them up again to store files as an ftp server.

 

I've installed vsftpd and I can ftp in no problems locally. What I'd like to know is how can I make the ftp login more secure than standard ftp? On my Windows box I had implicit SSL as the login method, but I don't think I have such an option on vsftpd.

 

Any ideas?

 

Also if I log in as a local user I can browse /home/user and even /home and /

 

It lists the files in there and lets me change dir. Why? And how can I force the user(s) to specific dirs only?

 

thanks in advance

 

cheers

anyweb

Link to post
Share on other sites

Hi,

 

Anyweb, the first option you can set in vsftpd is chroot_local_user

 

chroot_local_user

If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.

 

Default: NO

Here are some security options for vsftpd:

 

force_local_logins_ssl

Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send the password.

 

Default: YES

 

ssl_enable

If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure connections via SSL. This applies to the control connection (including login) and also data connections. You

Link to post
Share on other sites

thanks !

 

The chroot works perfectly, however when I enable the SSL stuff I get connection refused on the ftp server.

 

I'm ftp'ing via command line from another Linux box if that helps.

 

cheers

 

anyweb

Link to post
Share on other sites

FTP over SSL is not needed really for personal home use.. use sftp instead. If you need a secure large scale FTP .. then ftps is useful.

 

sftp user@host

 

It comes with the basic SSH install on all systems. Anyone who can login with ssh .. can sftp too. You might be interested in scp too ^_^

Link to post
Share on other sites
  • 1 month later...
FTP over SSL is not supported very well in Linux at all. Clients are almost non-existent

 

gFTP supports FTP SSL.

 

anyweb, if you do the following you can enable SSL in vsftpd:

 

1) Make sure you have an SSL certificate e.g. server.key and server.crt

 

2) Enable SSL in the vsftpd.conf file by adding the following:

 

ssl_enable=YES

 

3) Concatenate the server key and server cert into one file:

 

cat server.key server.crt > /etc/vsftpd/vsftpd.pem

 

Once that's done add to the vsftpd.conf file the following:

 

rsa_cert_file=/etc/vsftpd/vsftpd.pem

 

4) Restart vsftpd and bam you have SSL support :D

Link to post
Share on other sites
  • 1 year later...

Hi, I'm getting into Linux and I'm kind of a guy that sometimes needs to use FTP services since I share a lot of personal music files that I want my friends across the globe to download. In a Windows environment this wasn't an issue, really, it was quite easy obtaining an easy-to-understand (yet powerful!) FTP server software that enabled me to create accounts, assigning different parts of my computer and read/write rights to individual users with no headache whatsoever. But in Linux everything is so different.

 

Somewhere I read that VSFTPD is a good way of setting an FTP server up. I've read man-pages, some webpages too, and I pretty much have an idea what to do. However, I don't like the approach and administration of this thing. Please correct me if I'm wrong but from what I've understood, the only way of adding FTP-users that would connect to my computer through an FTP-client software is to create real OS-based user accounts on my computer. For instance: useradd -d /home/FTP-downloader -g ftp username . But I don't like this. I guess it's good in one sense but not for my personal needs.

 

I need a more simple (yet quite secure) FTP-server software that simply enables me to create user accounts for the application itself (not the whole system) and gives me the possibility to assign any folder/drive on the system I want to the user in particular. It would be good if this app could run as a daemon from system boot so I don't need to log on to the computer. Is there any program like that in Linux or do I really need to create real user accounts on the system? Kind of annoying seeing the names of FTP client users on the user logon screen every time you start Fedora, don't you think?

 

Thanks in advance!

M.

Link to post
Share on other sites

You still want to use vsftpd but you want to setup something called "virtual users". This is basically a user that is only for the ftp and not for the system (i.e. exactly what you want!).

 

Check out these two pages as example:

ftp://vsftpd.beasts.org/users/cevans/unta.../VIRTUAL_USERS/

 

And:

http://gentoo-wiki.com/HOWTO_vsftpd#Virtual_Users

 

I can suggest the first method: pam_userdb as being the best.

 

I use vsftpd with virtual users :)

Link to post
Share on other sites
  • 2 weeks later...
  • 3 weeks later...

I set this up today, and had a few issues (Fedora 7).

 

Firstly, the db_load it refers to here

 

db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

 

doesn't exist in a vanilla install of F7.

 

To get access to this, you'll need to install the db4-utils package

 

yum install db4-utils

 

Next, when I followed this bit >

 

cp vsftpd.pam /etc/pam.d/ftp

 

(Note - if you set pam_service_name to e.g. vsftpd instead, you'll need to copy to /etc/pam.d/vsftpd).

 

it didn't work at all (virtual users).

 

The reason why is I had to rename the file vsftpd.pam to just vsftpd. Even if that's what it says above, it wasn't clear to me, so no doubt some other noob will also have that issue.

 

Once I finally got connected I wanted to read/write using my virtual user, but that wasn't possible until I changed

 

write_enable=NO

anon_upload_enable=NO

anon_mkdir_write_enable=NO

anon_other_write_enable=NO

anon_world_readable_only=NO

 

to

 

write_enable=YES

anon_upload_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

anon_world_readable_only=NO

 

cheers

anyweb

Link to post
Share on other sites
  • 4 months later...

Currently have vsftpd running, got an ftp account for web administration (uploading files etc. to our sites). No need for virtuals there since we're hosting our own and develop them for ourselves as well...

 

Ok so then they tell me they need an account to just upload crap, PDFs, presentations, videos and the like... Took me some time (I'm not the one that set up this stuff in the first place and I've only really used a unix system in school and then all I did was java code and compiling that stuff... )

Anyway I got it running, having the ftp account for web stuff not being chrooted and prompted to /vars/www/html on login and having the new "presentations" account being chrooted in its home directory for the people to upload their stuff...

 

Now the next thing they wanted was like usr fullrights got access to "pressrelease dir" and usr readrights got access to "pressrelease dir" (guessing you can see the difference between them based on the names ; ). First I thought fine I'll try this virtual user thing then. Created new user fullrights, changed vsftpd.conf with

guest_enable=YES

guest_username=fullrights

 

created a password file, added a few lines to the /etc/pam.d/vsftpd file...

 

restart ftp and nothing worked... XD

 

Ok, so basically changing back to the same settings as before but adding the

guest_enable=YES

to vsftpd.conf somehow messed up my chroot_list. It wanted all users chrooted in their home dir so the ftp login for webadministration got messed up and locked in a "void" directory, the presentation account worked fine.

 

Now did the chroot mess up because I couldn't get the other parts working or is it something else?

 

Currently I solved the issue just creating 2 new users with the same homedir and changing the permissions cleverly ;D

 

Will once I find the time start creating multiple .conf files depending on username.

So I had a question about that as well... Can every conf file have their own virtual users as well? Like, binding virtual_x to usr x and virtual_y to usr y? :S

 

Might not be easy to understand what I mean but I'm in a hurry atm so no time to fix that now, but if anyone can answer anything of this it's all good to me... =)

 

Cheers and have a nice weekend everyone.

Link to post
Share on other sites
  • 1 year later...

Hi,

I'm a newbie to Linux; I'm using RHEL 5 x64

 

I have managed to configure vsftpd and I'm able to connect from my ftp client, but I am getting the below error.

 

Status: Connecting to *.*.*.*:21...

Status: Connection established, waiting for welcome message...

Response: 220 ContiWeb Welcomes you

Command: USER user1

Response: 331 Please specify the password.

Command: PASS ************

Response: 230 Login successful.

Command: SYST

Response: 215 UNIX Type: L8

Command: FEAT

Response: 211-Features:

Response: EPRT

Response: EPSV

Response: MDTM

Response: PASV

Response: REST STREAM

Response: SIZE

Response: TVFS

Response: 211 End

Status: Connected

Status: Retrieving directory listing...

Command: PWD

Response: 257 "/home/ftp-docs"

Command: TYPE I

Response: 200 Switching to Binary mode.

Command: PASV

Response: 227 Entering Passive Mode (*,*,*,*,56,4)

Command: LIST

Error: Connection timed out

Error: Failed to retrieve directory listing

 

 

Somebody please help!!!

Link to post
Share on other sites

What are the permissions set on /home/ftp-docs?

 

For example, if you do:

 

ls -l /home

 

what output do you get?

Link to post
Share on other sites

Have you any firewall rules set up? FTP on the default ports requires both port 20 and 21 open (TCP) plus additional ports open for PASV

 

cheers

anyweb

Link to post
Share on other sites
Command: PASV

Response: 227 Entering Passive Mode (*,*,*,*,56,4)

Command: LIST

Error: Connection timed out

Error: Failed to retrieve directory listing

Try configuring your client to use PORT mode, not PASV.

 

PASV requires the client to specify a port to the FTP server, and this port then needs to be open on the server itself (read: firewall rules).

 

Using PORT means that both 20 and 21 are used - ensure these are open.

 

For more information, check the vsftp logs (/var/log/vsftpd or /var/log/xfer) to see what they say.

Link to post
Share on other sites
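
Added example, not part of any post above: in passive mode the server announces the data port in its 227 reply as the last two numbers (port = p1*256 + p2), and vsftpd's pasv_min_port / pasv_max_port options pin that port to a range a firewall can allow. The script decodes the reply quoted in this thread and checks it against a firewall allow-list; the allow-lists, the two configs and the second reply are constructed for the example.

```python
import re

PASV_RE = re.compile(r"227 .*\(([^)]*)\)")


def pasv_port(reply):
    """Return the TCP data port announced in a 227 passive-mode reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    fields = m.group(1).split(",")
    if len(fields) != 6:
        raise ValueError("expected h1,h2,h3,h4,p1,p2")
    p1, p2 = int(fields[4]), int(fields[5])   # host octets may be masked
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        raise ValueError("port bytes out of range")
    return p1 * 256 + p2


def passive_range(conf_text):
    """Return (min, max) if vsftpd.conf pins the passive ports, else None."""
    opts = {}
    for line in conf_text.splitlines():
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    lo = int(opts.get("pasv_min_port", "0"))   # 0 means "any port"
    hi = int(opts.get("pasv_max_port", "0"))
    return (lo, hi) if lo and hi else None


def diagnose(reply, conf_text, fw_open):
    """Classify why a LIST after PASV would or would not get through."""
    port = pasv_port(reply)
    if any(lo <= port <= hi for lo, hi in fw_open):
        return "open"        # firewall admits the announced data port
    if passive_range(conf_text) is None:
        return "unpinned"    # server may pick any port; pin a range first
    return "blocked"         # range is pinned but the firewall lacks it


# Reply as quoted in the thread (host octets were masked by the poster).
PAGE_REPLY = "Response: 227 Entering Passive Mode (*,*,*,*,56,4)"
# Constructed inputs: a config without a pinned range, one with, and
# inbound TCP ranges a firewall is assumed to allow.
CONF_DEFAULT = "listen=YES\npasv_enable=YES\n"
CONF_PINNED = "listen=YES\npasv_min_port=50000\npasv_max_port=50100\n"
FW_CONTROL_ONLY = [(20, 21)]
FW_WITH_PASV = [(20, 21), (50000, 50100)]

if __name__ == "__main__":
    print(pasv_port(PAGE_REPLY), diagnose(PAGE_REPLY, CONF_DEFAULT, FW_CONTROL_ONLY))
```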
  • 9 months later...

I've got a CentOS 5.2 box and I need to allow FTPS access to a user with Implicit SSL over port 990.

 

I need to do this because we have a client who is already uploading files onto a windows server using this method and they want to use the same method to upload to my Linux/Apache server.

 

I've discovered that CentOS doesn't have a version of VSFTP new enough to do this correctly, so I downloaded, patched and installed version 2.1 from a Fedora source. It seemed to work correctly, but I still can't seem to get the implicit SSL to work correctly. I've tried putting "Implicit_SSL=YES" but I get this error:

 

Starting vsftpd for vsftpd: 500 OOPS: unrecognised variable in config file: Implicit_SSL

 

There just don't seem to be any good resources online for this....maybe it won't work how I think it will. Any ideas? Thanks.

Link to post
Share on other sites
  • 2 weeks later...

There are other settings that need to be added. Firstly, have you created a certificate? The path to this one needs to be specified, for example:

ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

I don't use VSFTPD much, but have configured FTPS and SFTP successfully using Pure-ftpd (I found it much easier to use).

Link to post
Share on other sites