vsftpd is one of the Linux packages for running an FTP server. In this article I give a simple example of configuring vsftpd on Ubuntu. The FTP server built here authenticates users with their real Linux system accounts and does not use encryption, so logins and transfers travel in plain text.
Please follow the steps below.
- Schematic overview.

           [eth1]          [eth0]
             ||               ||
[Internet]--------[vsftpd]--------[Intranet]
                     ||
               [tcp_wrappers]
- Installing vsftpd for the first time.
~# apt-get install vsftpd
- Make sure the configuration file /etc/vsftpd.conf contains at least the following lines.
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=BLAH-FTP
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
local_root=/home
hide_ids=YES
syslog_enable=YES
max_clients=20
max_per_ip=5
pasv_min_port=5000
pasv_max_port=5999
tcp_wrappers=YES
# Optional
# deny_file={*.iso,*.lnk,*.3gp,*.3gpp}
# cmds_allowed=PASV,RETR,QUIT
- Add the following rules to iptables.
~# iptables -A INPUT -j ACCEPT -p tcp --dport 20:21 -m state --state NEW,RELATED,ESTABLISHED
~# iptables -A OUTPUT -j ACCEPT -p tcp
- Prevent FTP users from logging in to a Linux shell. Their shell is set to /usr/sbin/nologin, and vsftpd's PAM configuration on Ubuntu only accepts shells listed in /etc/shells, so register it there first.
~# echo "/usr/sbin/nologin" >> /etc/shells
Add a new user, or change the shell of an existing user, as follows.
~# useradd -g ftp -s /usr/sbin/nologin -m johnson
-OR-
~# chsh -s /usr/sbin/nologin johndoe
- Prevent certain users from using the FTP server.
~# echo "sysadmin" >> /etc/ftpusers
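The following script is an added example, not part of the article or of the vsftpd project. It reads a vsftpd.conf like the one above, reports any of the article's security-relevant settings that are missing or changed, and prints the iptables INPUT rules the file implies. That includes the passive-mode range from pasv_min_port to pasv_max_port (5000 to 5999 above), which the 20:21 rule in the article does not open on its own. The two sample configurations are constructed for the demonstration, and the vsftpd_* function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or the vsftpd project): audit a
# vsftpd.conf against the settings used in the article and derive the
# iptables INPUT rules that configuration implies.  Needs only sed, awk
# and a POSIX shell.

# Print the value of one key.  Full-line comments and blank lines are
# dropped; when a key appears more than once the last assignment wins.
vsftpd_get() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$2" |
        awk -v k="$1" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                       END { print v }'
}

# Settings the article relies on for a local-user-only server.  Mismatches
# go to stderr; the count is printed on stdout so callers can test it.
vsftpd_check() {
    bad=0
    for want in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                hide_ids=YES tcp_wrappers=YES xferlog_enable=YES; do
        key=${want%%=*}
        got=$(vsftpd_get "$key" "$1")
        if [ "$got" != "${want#*=}" ]; then
            echo "MISMATCH: $key=${got:-<unset>} (expected ${want#*=})" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# iptables INPUT rules implied by the configuration: the control port, the
# active-mode data port when connect_from_port_20=YES, and the passive
# range pasv_min_port:pasv_max_port, which a "--dport 20:21" rule alone
# does not open.
vsftpd_fw_rules() {
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
    if [ "$(vsftpd_get connect_from_port_20 "$1")" = YES ]; then
        # replies to data connections the server itself opens from port 20
        echo "iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT"
    fi
    lo=$(vsftpd_get pasv_min_port "$1")
    hi=$(vsftpd_get pasv_max_port "$1")
    if [ -n "$lo" ] && [ -n "$hi" ]; then
        echo "iptables -A INPUT -p tcp --dport $lo:$hi -m state --state NEW,ESTABLISHED -j ACCEPT"
    fi
}

# Constructed sample configurations for the demonstration (temporary files).
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
# constructed sample: follows the article
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
chroot_local_user=YES
hide_ids=YES
tcp_wrappers=YES
pasv_min_port=5000
pasv_max_port=5999
ftpd_banner=BLAH-FTP
EOF
cat > "$BAD_CONF" <<'EOF'
# constructed sample: anonymous access left on, chroot missing, no PASV range
anonymous_enable=YES
local_enable=YES
xferlog_enable=YES
hide_ids=YES
tcp_wrappers=YES
connect_from_port_20=NO
EOF

echo "== article-style configuration =="
echo "mismatches: $(vsftpd_check "$GOOD_CONF")"
vsftpd_fw_rules "$GOOD_CONF"
echo "== weakened configuration =="
echo "mismatches: $(vsftpd_check "$BAD_CONF")"
```

Run it as a normal shell script; point vsftpd_check and vsftpd_fw_rules at /etc/vsftpd.conf to audit a real file. The INPUT rules it prints are a starting point to compare against the article's two rules, not a replacement for your full firewall policy.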
- Here are simple steps to secure your FTP server using tcp_wrappers.
7.1. Make sure the file “/etc/hosts.deny” contains only the following.
ALL: ALL
7.2. Create the file /etc/hosts.sandbox to hold the IP or network addresses that will be blocked.
~# echo "224." >> /etc/hosts.sandbox
~# echo "240." >> /etc/hosts.sandbox
~# echo "248." >> /etc/hosts.sandbox
7.3. Add the following line to the file /etc/hosts.allow.
vsftpd: ALL EXCEPT /etc/hosts.sandbox
- To test whether tcp_wrappers is working, add the IP address of a workstation to the file /etc/hosts.sandbox and confirm that FTP connections from it are refused.
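To make the hosts.allow and hosts.deny evaluation concrete, here is an added example (not from the article or from tcp_wrappers itself) that models the decision for one client address using the rule forms above: ALL, the dotted-prefix patterns in hosts.sandbox, EXCEPT, and a file name in place of a pattern list. It also repeats the test from this step by adding a workstation address to the sandbox file. The rule files are constructed copies in a temporary directory and the tw_* functions are the example's own; hostname, netmask and netgroup patterns are not modelled.

```shell
#!/bin/sh
# Added example (not from the article or tcp_wrappers): a small model of how
# tcp_wrappers evaluates hosts.allow and hosts.deny for one client address.
# Covers "ALL", dotted-prefix patterns such as "224.", exact addresses,
# "A EXCEPT B", and a file name used as a client list.

# Match one pattern against a dotted client address.
tw_match() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # "224." matches 224.x.x.x
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Match a client list: comma/space separated patterns; a token starting with
# "/" names a file of patterns; "A EXCEPT B" matches when A does and B does not.
tw_list_match() {
    case $1 in
        *" EXCEPT "*)
            set -- "${1%% EXCEPT *}" "${1#* EXCEPT }" "$2"
            if tw_list_match "$1" "$3" && ! tw_list_match "$2" "$3"; then return 0; fi
            return 1 ;;
    esac
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case $tok in
            /*) for p in $(sed '/^#/d' "$tok" 2>/dev/null); do
                    tw_match "$p" "$2" && return 0
                done ;;
            *)  tw_match "$tok" "$2" && return 0 ;;
        esac
    done
    return 1
}

# Does any "daemon_list : client_list" line in a rule file match this
# daemon name and address?
tw_file_match() {
    [ -f "$3" ] || return 1
    while IFS=: read -r daemons clients; do
        case $daemons in \#*|'') continue ;; esac
        clients=$(printf '%s' "$clients" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$1" ]; then
                tw_list_match "$clients" "$2" && return 0
            fi
        done
    done < "$3"
    return 1
}

# tcp_wrappers order of evaluation: a hosts.allow match grants access, then
# a hosts.deny match refuses it, and no match anywhere grants access.
tw_decide() {
    tw_file_match "$1" "$2" "$3" && { echo allow; return 0; }
    tw_file_match "$1" "$2" "$4" && { echo deny; return 0; }
    echo allow
}

# Constructed rule files mirroring the article, in a temporary directory.
TW_DIR=$(mktemp -d)
trap 'rm -rf "$TW_DIR"' EXIT
printf 'ALL: ALL\n' > "$TW_DIR/hosts.deny"
printf '224.\n240.\n248.\n' > "$TW_DIR/hosts.sandbox"
printf 'vsftpd: ALL EXCEPT %s/hosts.sandbox\n' "$TW_DIR" > "$TW_DIR/hosts.allow"

for a in 192.168.1.10 224.0.0.1; do
    printf 'vsftpd from %-12s -> %s\n' "$a" \
        "$(tw_decide vsftpd "$a" "$TW_DIR/hosts.allow" "$TW_DIR/hosts.deny")"
done
# "ALL: ALL" in hosts.deny also refuses every other wrapped service that
# hosts.allow does not name.
printf 'sshd   from %-12s -> %s\n' 192.168.1.10 \
    "$(tw_decide sshd 192.168.1.10 "$TW_DIR/hosts.allow" "$TW_DIR/hosts.deny")"
```

Two things the run makes visible: an address matching a sandbox prefix falls through hosts.allow and is caught by the ALL: ALL line in hosts.deny, and that same line refuses any other tcp_wrappers-aware service you have not listed in hosts.allow, so keep that in mind when the machine runs more than vsftpd.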
If you check the tcp_wrappers configuration with the shell command tcpdchk -v, the error message “no such process name in /etc/inetd.conf” appears.
Add the following line to the file /etc/inetd.conf.
~# echo "ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd" >> /etc/inetd.conf
This is not essential: without this line tcp_wrappers keeps working fine.
Information about the file /etc/inetd.conf, which Ubuntu removed, can be read here.
- Finish.
Again, this is only a simple example; customize it to your own taste.