wiki.ipfire.org

The community-maintained documentation platform of IPFire


Very Secure FTP Server

Stop! The Very Secure FTP Server (vsftpd) addon package was discontinued as of Core Update 117.

vsftpd is an FTP server for UNIX and Linux, licensed under the GPL. It is secure, extremely fast and very stable. Configuration takes place in the vsftpd config file /etc/vsftpd.conf, which you can edit comfortably with “nano” or “vi”.

Installation

As a first step, install vsftpd via Pakfire, or do it from the console with:

pakfire install -y vsftpd

Step by step instruction for setting up an FTP user

To keep it simple, let's take the following example scenario:

an FTP user named “ftpuser”

whose home directory is placed in “/var/ftp/ftpuser”.

First create the directories with:

mkdir /var/ftp/
mkdir /var/ftp/ftpuser 

By default, local user logins are allowed. To create the local user, enter the following line in the console:

useradd ftpuser -d /var/ftp/ftpuser -s /bin/false

FTP users can be named arbitrarily, but make sure not to use the name of a system user such as “root” or “samba” (or anything similar!).

The “-s /bin/false” disables the possibility for ftpuser to log in over SSH; this should not be possible for any FTP user.

Set the user's password with:

passwd ftpuser

Now lock the user into his home directory; to do so, enter the following command in the console:

chown -R ftpuser /var/ftp/ftpuser

One small step is still necessary to give the new user access: edit the file /etc/vsftpd.user_list and append the user name at the end of the file. You can do this with the Midnight Commander, which is also available via Pakfire, or simply type

echo ftpuser >> /etc/vsftpd.user_list

in the console.

Finally, start vsftpd with:

/etc/init.d/vsftpd start

SSL

Following these instructions (at this time only available in German, but an English translation should follow on that site), SSL encryption is activated in the steps below.

First, a self-signed SSL certificate must be created (the -x509 option makes it self-signed, valid for 365 days):

openssl req -new -x509 -days 365 -keyout vsftp.key -out vsftp.crt

Next, the passphrase must be removed from the key so that vsftpd can start without prompting for a password:

openssl rsa -in vsftp.key -out vsftp_clear.key

Then the certificate and the key are concatenated into one file, which is stored for vsftpd in /etc:

cat vsftp.crt vsftp_clear.key > /etc/vsftpd.pem

Now edit the configuration file /etc/vsftpd.conf and insert the following lines:

vsftpd.conf
  ssl_enable=YES
  force_local_data_ssl=YES
  force_local_logins_ssl=YES
  rsa_cert_file=/etc/vsftpd.pem

If you also want to allow some client connections without SSL, set “force_local_data_ssl” and “force_local_logins_ssl” to NO. Then save the file and restart vsftpd with

/etc/init.d/vsftpd restart

so that the changes take effect.

Important! If the FTP server should be reachable from outside with SSL, the passive ports must be set correctly in addition to the port on which vsftpd listens (default: 21). With an encrypted control channel the firewall can no longer read the PASV replies and open passive ports on demand, so the range has to be fixed and opened explicitly. This is done with the following procedure:

Insert the following into /etc/vsftpd.conf:

vsftpd.conf
  pasv_min_port=2000
  pasv_max_port=2020
  listen_port=21

In this example the FTP server listens on the standard port 21 and a range of 20 passive ports is available, which should be quite sufficient for 5 users. Open only the number of ports you really need.

Now open the destination port 21 and the passive destination ports 2000:2020 in the web interface under Firewall → External Access.

Don't forget to restart vsftpd with

/etc/init.d/vsftpd restart

so that the changes take effect.

Issues with FileZilla 3.5.2 and 3.5.3

FileZilla 3.5.2 and 3.5.3 have a bug when connecting to SSL-secured FTP servers set up as described above. The error message is as follows:

Status:	Initializing TLS...
Error:	GnuTLS error -12: A TLS fatal alert has been received.
Error:	Could not connect to server

This error can be worked around by adding the following line to /etc/vsftpd.conf:

ssl_ciphers=HIGH

More information can be found in the FileZilla bug tracker: http://trac.filezilla-project.org/ticket/7873

Some helpful information

If you have created a Samba user via the web interface, you can use this user for vsftpd as well. You only need to give him a password, which should be the same as in the Samba user configuration, and don't forget to add him to /etc/vsftpd.user_list.

If you have problems behind a router or with passive transfers, take a look here.

Example config

# Default config for vsftpd on ipfire

## Run in daemon mode
background=YES
listen=YES
#
## User to run daemon as
nopriv_user=vsftpd
#
## Ftp ports
pasv_min_port=2000
pasv_max_port=2020
connect_from_port_20=YES
listen_port=21
#
## SSL
ssl_enable=YES
# Set both to NO if SSL should not be forced
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd.pem
require_ssl_reuse=NO
#
## Timeout
idle_session_timeout=600
data_connection_timeout=120
#
## Information messages
ftpd_banner=Welcome on ftp.ipfire.org
dirmessage_enable=YES
#
## Allow local user access?
local_enable=YES
write_enable=YES
local_umask=022
# Chown
#chown_uploads=YES
#chown_username=whoever
# Chroot
chroot_local_user=YES
#chroot_list_enable=YES
secure_chroot_dir=/var/ftp/empty
#
## Anonymous login?
#anonymous_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#
## Logging
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
#
## Preferences
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ls_recurse_enable=YES
#
## Userlist
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
#
## Max. failed logins
max_login_fails=3
#
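As an added example (not from the IPFire wiki and not part of vsftpd), here is a POSIX shell audit that reads a vsftpd.conf like the one above and reports on the settings the SSL and passive-port sections depend on; the temporary file names and the weakened sample config are constructed for the demonstration.

```shell
# Added example, not from the IPFire wiki: audit a vsftpd.conf for the settings
# this page relies on (forced SSL, chroot, user allow-list, passive port range).
# conf_get FILE KEY: value of KEY; the last uncommented occurrence wins, as in vsftpd.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}
# check_vsftpd_conf FILE: print one line per finding; the return value is the count.
check_vsftpd_conf() {
    f=$1 n=0
    fail() { echo "  [!] $1"; n=$((n+1)); }
    [ "$(conf_get "$f" ssl_enable)" = YES ] || fail "ssl_enable is not YES: logins and data travel in clear text"
    for k in force_local_data_ssl force_local_logins_ssl; do
        [ "$(conf_get "$f" $k)" = YES ] || fail "$k is not YES: clients may fall back to plain FTP"
    done
    [ -n "$(conf_get "$f" rsa_cert_file)" ] || fail "rsa_cert_file is not set: no certificate to offer"
    [ "$(conf_get "$f" chroot_local_user)" = YES ] || fail "chroot_local_user is not YES: users can leave their home directory"
    [ "$(conf_get "$f" anonymous_enable)" != YES ] || fail "anonymous_enable=YES: anonymous logins are allowed"
    { [ "$(conf_get "$f" userlist_enable)" = YES ] && [ "$(conf_get "$f" userlist_deny)" = NO ]; } ||
        fail "user list is not an allow-list (needs userlist_enable=YES and userlist_deny=NO)"
    pmin=$(conf_get "$f" pasv_min_port) pmax=$(conf_get "$f" pasv_max_port)
    if [ -z "$pmin" ] || [ -z "$pmax" ] || [ "$pmin" -gt "$pmax" ]; then
        fail "passive port range missing or inverted: no External Access rule can be derived"
    else
        echo "  firewall: open TCP $(conf_get "$f" listen_port) and passive TCP $pmin:$pmax under External Access"
    fi
    return $n
}
# Constructed samples: the page's example config reduced to the audited keys, and a
# weakened copy with SSL optional, anonymous logins enabled and an inverted range.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
listen_port=21
pasv_min_port=2000
pasv_max_port=2020
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd.pem
chroot_local_user=YES
#anonymous_enable=YES
userlist_deny=NO
userlist_enable=YES
EOF
sed -e 's/^\(force_local_[a-z_]*\)=YES/\1=NO/' -e 's/^#anonymous_enable/anonymous_enable/' \
    -e 's/^pasv_max_port=.*/pasv_max_port=1990/' "$tmp/good.conf" > "$tmp/weak.conf"
echo "== good.conf"; check_vsftpd_conf "$tmp/good.conf" || echo "  findings: $?"
echo "== weak.conf"; check_vsftpd_conf "$tmp/weak.conf" || echo "  findings: $?"
```

Run it against the real /etc/vsftpd.conf after editing to confirm that the forced-SSL lines and the passive range actually took effect before opening the ports under External Access.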
addons/vsftpd/start.txt · Last modified: 2018/10/07 03:01 by Jon