vsftp setup

[RussOSU]

I have read through every post I could find on vsftp over the last 2 days. I have my ftp server up and running for anonymous users. So I know the ports are open and working. I am running this ftp for a couple people who are working with me on some webpage development. So they will really never be any big transfers occuring. These are very trusted friends so I do not worry about them having access to the complete system. I wouldd like to have their home dir being the /var/www/ though. I went to the vsftpd/beasts/org site and tried to follow their info in setting up virtual users however after following it (I thought correctly and exactly 2 times) I keep getting a vsftpd dead subsys locked. I am a newbie to linux and haven't really used anything except the M$ interfaces since my 286. Could someone help explain the steps I need to follow and a little info on how to complete the steps. I am about ready to kick this server but I dont' have any shoes on right now.

Russ

 

[thedaver]

file /etc/ftpusers contains users that you DO NOT want to login to vsftpd

file /etc/vsftpd.conf on my system reads
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
connect_from_port_20=NO
one_process_model=NO
nopriv_user=ftp
ftpd_banner=FTP server ready
chroot_local_user=yes

create a group 'ftp' so that /etc/group contains
ftp:x:24:

create a user 'ftp' so that /etc/passwd contains
ftp:x:24:24:FTP Server:/home/ftp:/bin/false

create local users as ftp account users so that /etc/passwd contains something LIKE:
billybob:x:511:511::/var/

http://www:/bin/false

SECURITY REMINDER: It's not that you can't trust your friends, it's whether you can trust your friends' friends, their enemies, passing strangers, or wire-sniffers. Those people may not be so scrupulous. Remember, FTP passwords are sent IN THE CLEAR on an untrusted network (the Internet). end soapbox.



Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.

http://www.surfinbox.com/business/

 

[sleipnir214]

thedaver:
Amen.

RussDogg:

I have my ftp server up and running for anonymous users

You're not allowing anonymous writing to your FTP server are you?

You do not want anonymous write to your system. There are lots of snot-noses out there that have nothing better to do than to portscan for open FTP servers and try to get into them. The last thing you want is for some some mother's darling in Finland to be using your server to share "wAr3z" with his buddies.

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[RussOSU]

sleipnir214 no I don't have anonymous write up. I am not going to allow for anonymous users however I needed to check and make sure it was running so I just left it at default files.

thedaver who do I create the group users and local users you are talking?

Russ

 

[thedaver]

as 'root' user you use the "groupadd" and "useradd" commands. I presumed that you have no local users. If you have local users with home directories other than /var/

http://www then

you'll have to turn off the chroot_user option(s) so that the user can traverse your server from their home dir to /var/www, etc.

Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.

http://www.surfinbox.com/business/

 

[sabbathunter]

hope all this helps

here is an excellent link for ftp set up.

http://www.linuxhomenetworking.com/linux-hn/ftp-server.htm#_Toc32304968

and here is a copy of my vsftp config file. if you use redhat 9.0 it will work directly. other versions linux might need tweaking of it.

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are very paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
#
# Allow anonymous FTP?
anonymous_enable=no
#
anon_upload_enable=yes
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES

# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=YES
#chown_username=anonymous
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)

#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
chroot_local_user=yes
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
#userlist_enable=YES
#enable for standalone mode
listen=YES