
Use VSFTP for a secure, reliable FTP server

Get a basic review of how to install VSFTP, add users, and use the tool in stand-alone mode or inetd/xinetd mode.


File Transfer Protocol (FTP) servers can be useful for providing files to customers and for exchanging files with partners and business associates. However, FTP can become the bane of existence for the admins who must keep these services secure and operational. Poorly secured FTP services can often result in a successful attack on a server. That's where VSFTP comes in.

VSFTP is a secure, stable, and fast FTP server. It can greatly decrease the chances of an attacker gaining access to a server via FTP exploits. Want evidence? The Red Hat, OpenBSD, and SuSE FTP sites all have one thing in common: They all run on VSFTP. Even SANS recommends VSFTP as the preferred FTP daemon because of its tight security.

VSFTP basics
VSFTP is an FTP server daemon that runs on Linux/UNIX operating systems. Its primary features are security, performance, and stability. VSFTP includes a number of additional attractive features, including: a small system footprint, the ability to handle virtual users, the choice of operating in a standalone configuration or via the inetd daemon, and bandwidth throttling for more site control.

As of this writing, the current version is 1.13, although version 1.2 is a release candidate and may very well be available by the time this article is published. Version 1.13 is a 117-KB archived download.

For this demonstration, I am using VSFTP 1.13 on a Red Hat 8.0 server with version 2.4.18-14 of the kernel.

Installation
Installing VSFTP is much like installing any other application under Linux. To expand the downloaded archive, switch to the directory in which you saved it and type:
gunzip -dc vsftpd-1.1.3.tar.gz | tar xvf -

This will create a directory named vsftpd-1.1.3 and put all of the files into it. Switch to that directory by typing cd vsftpd-1.1.3 at the prompt.

In this example, I am using a standard configuration, which begins by typing make at the command prompt. If you want to make changes to the configuration, you can edit the builddefs.h file in the distribution before compiling with the make command. If the compilation process is successful, a binary file named vsftpd will be placed into this directory. In my testing, the compilation went quickly and was free of errors.

Adding users
VSFTP uses the Linux/UNIX "nobody" user as a part of the default configuration. On most Linux/UNIX operating systems, this user exists by default, but if it doesn’t exist on your system(s), you'll need to add it. On my system, I get the following results when I try to add it (which indicates that the user already exists):
[root@rh8lab vsftpd-1.1.3]# /usr/sbin/useradd nobody
useradd: user nobody exists

In addition, you need to create an FTP user if you want to support anonymous FTP. If you plan to always authenticate the incoming user, you don't have to do this. However, to preserve the security of VSFTP, the anonymous user’s home directory must not be owned by the FTP user, and the user should not have any permissions for it. You can use the commands in Table A to accomplish this.

Table A
Command                              Description
mkdir /var/ftp/                      Creates a directory named /var/ftp.
/usr/sbin/useradd -d /var/ftp ftp    Creates a user named "ftp" with the home directory /var/ftp. On many systems, this user will already exist.
chown root.root /var/ftp             Changes ownership of the /var/ftp directory to the root user.
chmod og-w /var/ftp                  Removes the write permission from others and groups.
Creating the FTP user and setting appropriate permissions

Next, make sure that the directory /usr/share/empty exists. If not, create it with the mkdir command. Finally, you need to install the executable file, help pages, and so forth, that were previously created during the build process. To do this, change to the directory in which you built vsftpd and type make install. This installs everything you need to begin using VSFTPD except a configuration file. You can copy a sample configuration file to the /etc directory by typing cp vsftpd.conf /etc.
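
The ownership and permission requirements from Table A can be verified before the server goes live. The following shell check is an added example, not part of the original article or the VSFTP distribution; the function name check_anon_root is hypothetical, and the demo runs against a constructed temporary directory standing in for /var/ftp.

```shell
#!/bin/sh
# Added example: audit the anonymous FTP root set up in Table A.
# check_anon_root DIR [FTP_USER] prints findings; returns 0 only if clean.
check_anon_root() {
    dir=$1
    ftp_user=${2:-ftp}
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist or is not a directory"
        return 2
    fi
    # ls -ld prints e.g. "drwxr-xr-x 2 root root ...": field 1 is the
    # mode string, field 3 the owner.
    mode=$(ls -ld "$dir" | awk '{print $1}')
    owner=$(ls -ld "$dir" | awk '{print $3}')
    rc=0
    # The anonymous root must not be owned by the FTP user itself.
    if [ "$owner" = "$ftp_user" ]; then
        echo "FAIL: $dir is owned by $ftp_user (fix: chown root.root $dir)"
        rc=1
    fi
    # Characters 6 and 9 of the mode string are group and other write.
    if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] ||
       [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then
        echo "FAIL: $dir is group- or world-writable (fix: chmod og-w $dir)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir owner=$owner mode=$mode"
    return "$rc"
}

# Demo on a constructed directory (a stand-in for /var/ftp).
demo=$(mktemp -d)
chmod 777 "$demo"; check_anon_root "$demo" ftp || :   # flagged: writable
chmod 755 "$demo"; check_anon_root "$demo" ftp || :   # clean unless owned by ftp
rm -rf "$demo"
```

On a real server, run it as check_anon_root /var/ftp ftp after completing the steps in Table A.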

Xinetd or stand-alone mode
VSFTP can be run in two modes: stand-alone mode and inetd/xinetd mode. Running the product through the inetd (or xinetd) daemon can give you more control over how it works and is the recommended method. Another thing to keep in mind is that as configured, VSFTP will accept only anonymous connections, assuming that you created the FTP user previously. If you want to allow local users to authenticate, you will also need to configure Pluggable Authentication Modules (PAM), which I will demonstrate shortly.

Standalone
If you want to run VSFTP in standalone mode, all you need to do is add a single line to the end of the /etc/vsftpd.conf file that reads "listen=YES" and then execute /usr/local/sbin/vsftpd &. The & tells the program to continue to run but bring you back to a command prompt. Assuming you get no error messages, you can now connect to the FTP server as an anonymous user and get directory listings, transfer files, etc.

Using xinetd
Since I’m doing my testing and demonstration on a Red Hat 8 system (which uses xinetd), I will be focusing on the xinetd installation process.

inetd
If you are running an inetd machine, you can use the installation instructions included with VSFTP for details on how to set up your server. Everything should work if you add the line ftp stream tcp nowait root /usr/local/sbin/vsftpd to /etc/inetd.d and then restart the inetd daemon either via a reboot or kill -SIGHUP {pid of inetd}. Be sure that this is the only "ftp" line in the file.

If you are running on an xinetd machine, a configuration file named vsftpd resides in /etc/xinetd.d. If you can’t find this file at that location, you can copy it from the vsftpd.conf example that comes with the VSFTP distribution. When editing this file, you'll see a number of parameters underneath "service ftp" that dictate how the VSFTP server will function. Table B lists these parameters, their defaults, and what they mean.

Table B
Parameter     Default                   Description
socket_type   stream                    This is the type of TCP socket to use for this protocol. FTP is a TCP stream.
wait          no                        This is associated with the ability for the socket to accept messages.
user          root                      What user should be used to launch this service? Note that VSFTP reduces privileges as soon as possible after starting.
server        /usr/local/sbin/vsftpd    This is the location of the server program associated with this configuration file. If you have vsftpd in a different location, you should change this value.
nice          10                        This option modifies the default scheduling priority for the process. 10 is the default with the range being -20 (highest) to 19 (lowest).
disable       no                        The service is not disabled. In other words, it should be started when xinetd starts up.
per_source    No default                This specifies the number of concurrent connections allowed from the same IP address. It's useful for limiting the number of connections from a single site.
instances     No default                This limits the maximum number of concurrent FTP connections to the server. It's useful for limiting server load.
no_access     No default                This is a list of IP addresses that are not allowed to access this service.

I will use the default configuration file and restart xinetd on my Red Hat server by typing /etc/rc.d/init.d/xinetd restart at the command prompt. Note that if you previously configured VSFTP in standalone mode, you need to remove the line "listen=YES" from /etc/vsftpd.conf. If you don’t, xinetd will restart, but the vsftpd service will not work. I made that mistake the first time I configured VSFTP.

Once this is done, you should be able to connect to the VSFTP server as an anonymous user and get directory listings, download files, etc.
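
The leftover "listen=YES" mistake described above, and the unset connection limits from Table B, can be caught before xinetd is restarted. The following shell check is an added example, not part of the original article or the VSFTP distribution; the function names are hypothetical, and the demo files, including the per_source value, are constructed samples.

```shell
#!/bin/sh
# Added example: pre-flight check before restarting xinetd.
# xinetd_attr FILE NAME prints the value from a "NAME = value" line (the
# spacing used in files under /etc/xinetd.d); comment lines never match.
xinetd_attr() {
    awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }' "$1"
}

# check_vsftpd_xinetd VSFTPD_CONF XINETD_SERVICE_FILE
# Prints findings; returns 1 if the service cannot work under xinetd.
check_vsftpd_xinetd() {
    conf=$1
    svc=$2
    rc=0
    # listen=YES is the stand-alone setting; it must go when xinetd is used.
    if grep -q '^listen=YES' "$conf"; then
        echo "FAIL: listen=YES in $conf; remove it when running under xinetd"
        rc=1
    fi
    if [ "$(xinetd_attr "$svc" disable)" = "yes" ]; then
        echo "FAIL: disable = yes in $svc; xinetd will not start the service"
        rc=1
    fi
    # Table B lists no default for these two limits, so flag them if unset.
    for attr in per_source instances; do
        if [ -z "$(xinetd_attr "$svc" "$attr")" ]; then
            echo "WARN: $attr is not set in $svc (Table B lists no default)"
        fi
    done
    return "$rc"
}

# Demo on constructed files (stand-ins for /etc/vsftpd.conf and
# /etc/xinetd.d/vsftpd).
demo=$(mktemp -d)
printf 'anonymous_enable=YES\nlisten=YES\n' > "$demo/vsftpd.conf"
cat > "$demo/vsftpd" <<'EOF'
service ftp
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/local/sbin/vsftpd
    nice        = 10
    disable     = no
    per_source  = 5
}
EOF
check_vsftpd_xinetd "$demo/vsftpd.conf" "$demo/vsftpd" || :
rm -rf "$demo"
```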

Enabling controlled access
Setting up an FTP server to distribute software to anyone who connects can be useful in many cases, but you may want to control access to the FTP resources. For example, suppose you want to set up a site just for your customers.

You can do this with VSFTP by making use of PAM. My Red Hat server uses PAM for authentication, as do most Red Hat machines. To determine whether your distribution uses PAM, look for a file named pam.conf or for a directory named pam.d. Since my Red Hat server uses the pam.d directory for its PAM information, I will be demonstrating that installation method only.

VSFTP comes with a sample PAM configuration located in the Red Hat subdirectory of the distribution. This file needs to be renamed and copied to the pam.d directory, which you can do with the command:
cp vsftpd.pam /etc/pam.d/ftp

Next, you need to change the VSFTP configuration to allow local user logins. To do this, edit the file /etc/vsftpd.conf and uncomment the line "local_enable=YES".

Now, when you attempt to connect to the server as a Linux/UNIX user, you will be placed in that user’s home directory. Listing A shows the results of my demonstration. As you can see, a directory listing was provided after I logged into the VSFTP server.

Summary
VSFTP powers many of the largest sites in the open source world, including the security-conscious OpenBSD project and Red Hat Linux. With its small footprint, ability to handle large loads, security, and flexibility, it makes an ideal FTP server for any organization that wants file transfer capability but not the major security headaches that typically come with it.

