Generally, it’s very easy to set up an FTP server! Let’s make one now that supports basic features and secure (TLS) transfers, without anonymous access. First, let’s install vsftpd (from the standard CentOS repos):

yum install vsftpd

And now, let’s see what’s in the config file:

vi /etc/vsftpd/vsftpd.conf

Around line #12, it should be set:

anonymous_enable=NO

around line #39 and on:

xferlog_enable=YES
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
nopriv_user=ftpsecure
ascii_upload_enable=NO
ascii_download_enable=NO

With the lines above, we told vsftpd that we want a transfer log written in the standard xferlog format, set the data and idle session timeouts, told it that vsftpd should run under an unprivileged user named ftpsecure (don’t forget to create this one – useradd -r ftpsecure), and disabled ASCII uploads and downloads, which among other troubles make the server’s response time significantly slower.

And now, do you want to let your FTP users out of their root/home directories, so they can walk around the server’s system folders and make a mess there? I guess not. Then we need to chroot them!
This means that they won’t be able to leave their given root/home directory.

Around line #95:

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list

Let’s be clear here. In the setup above, you are going to use Unix users as FTP users, with PAM authentication – meaning that the FTP users and passwords will be the same as the login credentials of the users you created on your Linux box, and that they will be chrooted to their $HOME directory (usually /home/username if you create users with default parameters – please mind that they do have to have a home directory, unlike the ftpsecure user we created for the vsftpd daemon).
If there is any user that you do not want to chroot (lock in their home dir), you will have to list them in the /etc/vsftpd/chroot_list file (just write the username there), and make it readable for the vsftpd user (ftpsecure in this case). Otherwise just leave the file empty.
Also, since you’re using Unix users for logging in, you might want a list of users that do not have permission to log in (like root, apache, etc.). You can put that list in the /etc/vsftpd/user_list file – also, don’t forget to make it readable for ftpsecure, by altering permissions or ownership. These users will be denied login before they are even asked for a password.
Finally (but not chronologically), we told the server to listen on IPv4, not on IPv6. Apparently at the moment these two options exclude each other in vsftpd, so you can’t switch both on.

Now the server should be set up for basic functionality, so let’s see if it works! Save the config file we modified, quit vi (or whichever text editor you were using), start the service, and make sure it starts on bootup:

service vsftpd start
chkconfig vsftpd on

Now you can log in to the FTP server with a client using some existing Linux user, or create a new one:

useradd <username>
passwd <username>

Its home directory will be /home/<username>, as I said before.

If the server starts up without an error and you still can’t connect to the FTP server, please check your firewall. Ports 20 and 21 should be open for an active FTP connection.
In the common case (without NAT), on a CentOS box it would look like this:

iptables -I INPUT -p tcp -m multiport --dports 20,21 -j ACCEPT

and if you wish to save the rule:

service iptables save

Making secure (TLS) connections possible

Since we have the basic setup done and hopefully working 🙂 we might want to make secure (FTPS) connections possible, in case we need to use our FTP service from some public (Wi-Fi) place and want to be sure that the communication is encrypted and (quite) hard to track/record.
Let’s edit the vsftpd.conf file again and add a few lines at the end; if the lines are already there, just modify them:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

With these settings, we told the server that we want to enable SSL/TLS secure connections, that we want to use TLSv1, where to look for the certificate (if you already have one, enter its full path in the rsa_cert_file line, otherwise read on!), and that we do not want to force a secure connection – otherwise you’ll be stuck with secure connections only, and some of your gadgets might not support that, or will have a problem with self-signed certificates. These issues are still common, but feel free to play around and try.

Now, the other news is that secure connections must come to the server as passive (PASV). You can find loads of articles where active vs. passive FTP connections are explained, so I’ll leave the digging to you. The point here is that PASV connections, besides ports 20 and 21, by default use a wide range of ports for data transfer – to be exact, from 1023 up to 65535.
We might not want this, since we might have planned to use some of the ports in the high range for other services in the future. Let’s see what we can do. Paste the following lines below the TLS settings in the vsftpd.conf file:

pasv_min_port=30000
pasv_max_port=35000
pasv_enable=YES
pasv_address=<the ip address of your server>

So, we enabled passive FTP mode and told the server that it has a range of 5000 ports, starting from port 30000 (you can use any range that suits you, starting anywhere, with a minimum of 2 ports; just mind that you must open that range in the firewall, if you have one).
And finally, enter the (public) IP address of your FTP server in the pasv_address line. In my case, yes, I tried with the URL address but it didn’t work, only with the IP address.

Now, if you already have a certificate created, you’re done configuring; otherwise here’s some quick first aid on how to create one:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

(note: the above should be entered as one single line)

This will generate a certificate with a 2048-bit RSA key (which is quite secure) right where we want it. Now we have everything set up and are ready to restart: service vsftpd restart and if there are no errors, you’re ready to go.
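
A pre-restart check of the finished config, as an added example (not part of the original post and not shipped with vsftpd): it reports the effective value of the settings discussed above, flags keys that appear twice, and prints the firewall rule for the passive range. The helper names and the sample file are made up for the illustration; absent keys fall back to vsftpd’s built-in defaults.

```shell
#!/bin/sh
# Added example: pre-restart audit of a vsftpd.conf built along this tutorial.
# conf_get, audit_vsftpd and pasv_fw_rule are hypothetical helper names.

# Effective value of KEY: the last "KEY=value" line wins; DEFAULT (vsftpd's
# built-in default) is printed when the key is absent.
conf_get() {  # conf_get FILE KEY DEFAULT
    awk -v k="$2" -v d="$3" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); hit = 1 }
        END { print (hit ? v : d) }' "$1"
}

# One finding per line on stdout; returns 1 if there is any finding.
audit_vsftpd() {  # audit_vsftpd FILE
    f=$1
    findings=$(
        [ "$(conf_get "$f" anonymous_enable YES)" = NO ] || echo "anonymous logins enabled"
        [ "$(conf_get "$f" ssl_enable NO)" = YES ] || echo "ssl_enable is off: no TLS offered"
        for p in ssl_sslv2 ssl_sslv3; do
            [ "$(conf_get "$f" "$p" NO)" = NO ] || echo "$p enabled: obsolete protocol"
        done
        [ "$(conf_get "$f" force_local_logins_ssl YES)" = YES ] ||
            echo "force_local_logins_ssl=NO: passwords may cross the wire in cleartext"
        [ "$(conf_get "$f" force_local_data_ssl YES)" = YES ] ||
            echo "force_local_data_ssl=NO: file data may cross the wire in cleartext"
        [ "$(conf_get "$f" pasv_max_port 0)" -gt 0 ] || echo "no passive port range set"
        # A key that appears twice is usually a typo for a neighbouring key.
        grep -v '^#' "$f" | grep '=' | cut -d= -f1 | sort | uniq -d |
            sed 's/^/duplicate key: /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# iptables rule opening exactly the configured passive data-port range.
pasv_fw_rule() {  # pasv_fw_rule FILE
    echo "iptables -I INPUT -p tcp --dport $(conf_get "$1" pasv_min_port 0):$(conf_get "$1" pasv_max_port 0) -j ACCEPT"
}

# Constructed sample carrying the values used in this tutorial.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO ssl_enable=YES force_local_data_ssl=NO \
    force_local_logins_ssl=NO ssl_sslv2=NO ssl_sslv3=NO \
    pasv_min_port=30000 pasv_max_port=35000 > "$sample"
audit_vsftpd "$sample" || true   # two findings: logins and data not forced to TLS
pasv_fw_rule "$sample"
```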

Just a reminder

Since we do not force secure connections in this scenario, your FTP connections won’t be automatically safe and encrypted. It’s you who has to tell your FTP client to use SSL instead of plain connections (also don’t forget to enable PASV mode too; as I said, FTP(S) insists on it). Then it will whine about the self-signed certificate, and when you accept it, you’re definitely done with all the work.

Enjoy your secure FTP server!

For any other aid, the vsftpd.conf file is heavily and quite reasonably commented. Use it, or leave me a comment! 🙂
