Debian ftp

Installing and configuring FTP server vsftpd

This article shows in detail the steps to set up an FTP server using vsftpd (Very Secure FTP Daemon). FTP stands for File Transfer Protocol, a network protocol that was once widely used for moving files between a client and a server.

vsftpd is an FTP (File Transfer Protocol) server for UNIX systems, including Linux. It is probably the most secure, and it is also lightweight, extremely fast and stable.

Introduction

Despite being small for purposes of speed and security, vsftpd (Very Secure FTP Daemon) can handle many more complicated FTP setups. It supports the following features:

  • IPv6
  • Per-source-IP configurability
  • Per-source-IP limits
  • Virtual IP configurations
  • Virtual users
  • Standalone or inetd operation
  • Powerful per-user configurability
  • Bandwidth throttling
  • Encryption support through SSL integration
  • and more.

Installation

The installation is very simple with apt-get or aptitude. The commands in this tutorial require root privileges:

aptitude install vsftpd
apt-get install vsftpd

After installing, the server starts automatically and listens on TCP port 21 by default.

You can check this with netstat:

# netstat -npl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      22468/vsftpd

If your host does not have a firewall, it is recommended to stop vsftpd before configuring.

/etc/init.d/vsftpd stop

You can then open the configuration file using vim:

vim /etc/vsftpd.conf

Configuration

The configuration file for this server is /etc/vsftpd.conf. You can find example configuration files in /usr/share/doc/vsftpd/example1.

If certain options are not present in the configuration file, the server will use the default parameters (see man vsftpd.conf).

The configuration file has three option types:

  • NUMERIC OPTIONS – e.g. a time in seconds or a port number
  • BOOLEAN OPTIONS – can be YES or NO
  • STRING OPTIONS – e.g. the path to a directory or file, such as /var/run/vsftpd/

Anonymous access

By default, anonymous connections are not allowed.

If you enable them, anonymous users can access only the directory /srv/ftp/:

anonymous_enable=YES

To enable anonymous uploading, set:

  • anon_upload_enable – allows file uploads from anonymous users (under certain conditions).

  • anon_mkdir_write_enable – allows directory creation.

  • anon_root=/data/directory – changes the default directory.

To change the ownership of anonymously uploaded files to a given user, set:

chown_uploads=YES
chown_username=username

User access control

Access is enabled for authorized local users by default. To disable:

local_enable=NO

To enable write access:

write_enable=YES

Save the file and close your text editor. Then, start vsftpd as a daemon:

service vsftpd start

At this point, you can log in to your FTP server from your local computer.

Extras

If you want to prevent all local users from leaving their home directory, you need to uncomment this line from /etc/vsftpd.conf:

chroot_local_user=YES

As of vsftpd 2.3.5, the chroot directory must not be writable. You can change the permissions of this folder with the following command:

chmod a-w /home/user

Remember to restart the vsftpd daemon after editing vsftpd.conf.

service vsftpd restart
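
The script below is an added example, not part of the original article or of vsftpd. It reads a vsftpd.conf and reports risky effective values for the options covered above, falling back to the defaults documented in man vsftpd.conf when a line is missing; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky effective values of the vsftpd.conf options
# covered above. Defaults are the compiled-in ones from man vsftpd.conf.

# effective FILE OPTION DEFAULT -> value in force (last occurrence wins)
effective() {
    awk -v opt="$2" -v val="$3" '
        /^#/ { next }                       # comment lines start with "#"
        index($0, opt "=") == 1 {           # option=value, no spaces around "="
            val = substr($0, length(opt) + 2)
            sub(/[ \t\r]+$/, "", val)       # drop trailing blanks and CR
        }
        END { print val }' "$1"
}

# is_on FILE OPTION DEFAULT: treat YES/TRUE/1 in any case as enabled, so a
# variant spelling is not missed.
is_on() {
    case $(effective "$@" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

warn() { echo "WARN: $*"; findings=1; }

# audit_vsftpd_conf FILE: one WARN line per finding; status 1 if any, 2 on error
audit_vsftpd_conf() {
    conf=$1; findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if is_on "$conf" anonymous_enable YES; then
        warn "anonymous login is on (compiled-in default if the line is absent)"
        if is_on "$conf" write_enable NO; then
            if is_on "$conf" anon_upload_enable NO; then warn "anonymous users can upload files"; fi
            if is_on "$conf" anon_mkdir_write_enable NO; then warn "anonymous users can create directories"; fi
        fi
    fi
    if is_on "$conf" local_enable NO && ! is_on "$conf" chroot_local_user NO; then
        warn "chroot_local_user is off: local users can leave their home directory"
    fi
    return "$findings"
}

# Constructed sample: anonymous_enable is commented out, chroot_local_user is missing.
sample=$(mktemp)
printf '%s\n' '#anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
    'anon_upload_enable=YES' > "$sample"
audit_vsftpd_conf "$sample" || echo "review the findings before starting vsftpd"
rm -f "$sample"
```

Commenting out anonymous_enable does not disable anonymous login, because the compiled-in default then applies; set anonymous_enable=NO explicitly.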

User Management

Containment of users

User accounts can access the files of the whole system, which is not always desirable and can help to compromise the machine. They can be confined by setting the following in vsftpd.conf:

chroot_local_user=YES

The root of their FTP will be their home directory.

Nevertheless, an account can also be used to connect outside of FTP: ssh and getty (terminal login) are examples. It will then still have access to the rest of the system through the shell. You can configure these services to block or contain the account, but the main solution is to disable the shell for the user.

For that, we set the user's shell to false, a simple binary that returns an error status:

# replace "username" with the login name of the FTP account
usermod -s /bin/false username

Then, you need to add false to the list of shells:

echo /bin/false >> /etc/shells

Sources:

  • http://vsftpd.beasts.org/ – official site

  • http://vsftpd.beasts.org/vsftpd_conf.html – config file for vsftpd

  • https://www.digitalocean.com