This guide will go through installing and configuring vsFTPd on CentOS. The guide will also cover chrooting users.
Quick Links:
Installing vsFTPd
Configuring vsftpd.conf
Configuring vsftpd chroot
Firewall rules
Adding a new user
Modifying a user
Creating an FTP group
Upload Permissions
Installing
yum install vsftpd
chkconfig vsftpd on
Configuring /etc/vsftpd/vsftpd.conf
You should edit your /etc/vsftpd/vsftpd.conf file so that it looks similar to the following:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# the below lines may need to be manually added
pasv_min_port=60000
pasv_max_port=65000
A few points on these settings. anonymous_enable=NO turns off anonymous logins, so only local system accounts can log in. userlist_enable=YES makes vsftpd consult /etc/vsftpd/user_list; with the default userlist_deny=YES that file is a deny list, and the stock CentOS copy already lists root and the other system accounts, so leave it in place. If your stock vsftpd.conf also contains listen_ipv6=YES, set it to NO, because vsftpd refuses to start with both listen=YES and listen_ipv6=YES. The passive port range is pinned so that it can be opened on the firewall below. Note that this is plain FTP: usernames, passwords and file contents cross the network unencrypted unless you also enable TLS (ssl_enable=YES), which this guide does not cover.
If you would like to chroot the users you can add the following lines to the bottom of /etc/vsftpd/vsftpd.conf:
#for chrooting users add the following lines:
chroot_local_user=YES
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
chroot_local_user=YES confines every local user to their home directory after login; with chroot_local_user=NO nobody is chrooted. The meaning of the list file depends on that setting. With chroot_local_user=YES and chroot_list_enable=YES, the users you put in vsftpd.chroot_list are the ones that will NOT be chrooted, since everyone is by default. With chroot_local_user=NO and chroot_list_enable=YES, the users in the list are the only ones that WILL be chrooted. The file takes one username per line.
You will then need to create the list file even if you leave it empty:
/etc/vsftpd/vsftpd.chroot_list
If chroot_list_enable=YES and vsftpd cannot read the list file, every login fails with "500 OOPS: could not open chroot() list file".
Caveat: vsftpd 2.3.5 and later (the 3.0.x shipped with CentOS 7) refuse to log a chrooted user in if their chroot directory is writable by them ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Either remove write permission from the home directory itself and have users write inside a subdirectory, or add allow_writeable_chroot=YES, which re-enables the less safe behaviour.
Once you have done this you should start vsftpd with service vsftpd start
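Because the list file flips meaning depending on chroot_local_user, it is easy to end up chrooting the wrong set of users. The following script is an added example for this guide (not part of the original page or of vsftpd); it reads a vsftpd.conf and reports what vsftpd will do for one user, following the rules in vsftpd.conf(5). It assumes boolean values are compared case-insensitively, and it falls back to the list path this guide configures when chroot_list_file is not set.

```shell
#!/bin/sh
# Decide whether vsftpd will chroot a given local user under a given
# vsftpd.conf. Added example for this guide, not vsftpd's own code; it
# encodes the chroot_local_user / chroot_list_enable rules from vsftpd.conf(5).

# conf_get CONF KEY DEFAULT: value of KEY in CONF (last occurrence wins, as
# vsftpd applies options in file order), or DEFAULT when the key is absent.
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# is_yes VALUE: vsftpd boolean options are YES/NO; TRUE and 1 are also
# accepted, compared case-insensitively (assumption for this example).
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# vsftpd_chroot_decision CONF USER -> prints chrooted | not-chrooted | login-fails
vsftpd_chroot_decision() {
    conf=$1; user=$2
    chroot_all=$(conf_get "$conf" chroot_local_user NO)
    list_on=$(conf_get "$conf" chroot_list_enable NO)
    # fallback path is the one this guide configures; vsftpd's compiled-in
    # default may differ, which is why the guide sets chroot_list_file explicitly
    list_file=$(conf_get "$conf" chroot_list_file /etc/vsftpd/vsftpd.chroot_list)

    in_list=0
    if is_yes "$list_on"; then
        # With the list enabled, vsftpd refuses every login if it cannot read
        # the file ("500 OOPS: could not open chroot() list file"), which is
        # why the file must exist even when empty.
        [ -r "$list_file" ] || { echo login-fails; return 0; }
        # one username per line, matched exactly
        if grep -qxF -- "$user" "$list_file"; then in_list=1; fi
    fi

    if is_yes "$chroot_all"; then
        # everyone is chrooted; the list names the exceptions
        if [ "$in_list" -eq 1 ]; then echo not-chrooted; else echo chrooted; fi
    else
        # nobody is chrooted; the list names the only users who are
        if [ "$in_list" -eq 1 ]; then echo chrooted; else echo not-chrooted; fi
    fi
}

# usage: sh chroot_check.sh /etc/vsftpd/vsftpd.conf username
if [ $# -eq 2 ]; then
    vsftpd_chroot_decision "$1" "$2"
fi
```

Run it against the real config for each FTP account before opening the firewall; a "login-fails" result means the list file is missing or unreadable by vsftpd.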
Firewall Rules:
iptables -I INPUT -p tcp --dport 21 -m comment --comment "FTP" -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports 60000:65000 -m comment --comment "FTP passive mode ports" -j ACCEPT
/etc/init.d/iptables save
The passive range must be the same as pasv_min_port/pasv_max_port in vsftpd.conf, and -I inserts the rules at the top of the INPUT chain, ahead of the final REJECT rule in the stock CentOS ruleset. You should then edit /etc/sysconfig/iptables-config and make sure the following line looks like:
IPTABLES_MODULES="nf_conntrack_ftp"
This loads the FTP connection-tracking helper when the firewall starts. The helper watches the control connection on port 21 and marks the data connections it negotiates as RELATED, so the stock ESTABLISHED,RELATED rule accepts them; the explicit passive-port rule above still covers the case where the helper is not loaded.
Adding a new user
useradd -m -s /sbin/nologin username
This creates a user without the ability to SSH into the server, which is more secure if the account is only used for FTP. They can still log in to vsFTPd over FTP, but not over SFTP, which runs on top of SSH. Check that /sbin/nologin is listed in /etc/shells (it is on a stock CentOS install): the PAM configuration vsftpd uses on CentOS, /etc/pam.d/vsftpd, includes pam_shells.so, which rejects any login whose shell is not in that file.
useradd --home /home/directory/ username
This adds a user with a specific home directory, which is useful for chrooting a user to a specific directory.
Adding a new user straight into a group: useradd -G groupname username
Alternatively, the following command adds a new user straight into a group you have created, with a home directory such as /var/www/testftp/ and NO shell login (usable only as an FTP user):
useradd -G groupname --home /var/www/testftp/ -m -s /sbin/nologin newusername
Don't forget to set the password for the user with:
passwd username
You will then be prompted to enter the new password for the user.
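Most "530 Login incorrect" reports after following these steps come from the shell not being in /etc/shells or the account already existing. The following pre-flight check is an added example for this guide (not part of the original page); it takes the shells and passwd file paths as parameters only so it can be exercised against copies, and it assumes the username rules of shadow-utils useradd (lower-case start, then lower-case letters, digits, underscore or hyphen).

```shell
#!/bin/sh
# Pre-flight checks before creating an FTP-only account with
# useradd -m -s /sbin/nologin. Added example for this guide, not part of it.
# The two file arguments default to the real /etc/shells and /etc/passwd and
# are parameters only so the function can be exercised against test copies.

# ftp_user_preflight USER SHELL HOME [SHELLS_FILE] [PASSWD_FILE]
# Prints one problem per line and returns 1 if any were found, 0 otherwise.
ftp_user_preflight() {
    user=$1; shell=$2; home=$3
    shells=${4:-/etc/shells}; passwd=${5:-/etc/passwd}
    problems=0

    # useradd (shadow-utils) only accepts names matching [a-z_][a-z0-9_-]*[$]?
    if ! printf '%s' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*\$?$'; then
        echo "username '$user' is not acceptable to useradd"
        return 1
    fi

    # vsftpd's PAM stack on CentOS (/etc/pam.d/vsftpd) includes pam_shells.so,
    # so a shell missing from /etc/shells means "530 Login incorrect" even
    # with the right password.
    if ! grep -qxF -- "$shell" "$shells"; then
        echo "shell $shell is not listed in $shells (pam_shells will reject the login)"
        problems=1
    fi

    # an existing account makes useradd fail
    if grep -q -- "^$user:" "$passwd"; then
        echo "user $user already exists in $passwd"
        problems=1
    fi

    # a home directory under another user's home is a common chroot mistake
    case $home in
        /home/*/*) echo "home $home is nested inside another user's home directory"; problems=1 ;;
    esac

    return "$problems"
}

# usage: sh preflight.sh newuser /sbin/nologin /var/www/testftp \
#        && useradd -m -s /sbin/nologin -d /var/www/testftp newuser
if [ $# -ge 3 ]; then
    ftp_user_preflight "$@"
fi
```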
Modifying an existing user
If the user already exists you can change their home directory with:
usermod -d /directory/to/chroot/ username
Note that usermod -d on its own only updates the /etc/passwd entry; it does not create the new directory or move the old contents.
Disable shell login for a user that already exists with:
usermod -s /sbin/nologin username
Creating an FTP group (useful for multiple FTP users with the same home directory)
groupadd groupname
Once you have created the group and added users to it, you can change the group ownership of a directory to the FTP group. Together with group write permission on the directory, this allows multiple FTP users to edit files in it. You can change ownership using the chown command similar to:
chown -R user:ftpgroup /path/to/directory
Ownership on its own is not enough: the group also needs the write bit on the directory and on the existing files, and new uploads only come out group-writable if local_umask is 002 rather than 022 (see Upload permissions below).
You can view the users in a group by running the following command:
grep groupname /etc/group
You should then see an output similar to:
FTPgroup:x:503:luketest1,luketest2
You can also view the groups a user is in with the command
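The chown step above only changes who owns the tree; for several group members to edit each other's files the directory needs the group write bit, and the setgid bit on directories so that files created by any member are group-owned as well. The following is an added example for this guide (not part of the original page) that applies and verifies that layout; it assumes the caller is allowed to chgrp the tree (root, or a member of the group) and uses only POSIX chgrp, find, chmod and ls.

```shell
#!/bin/sh
# Prepare a directory shared by several FTP users in one group. Added example
# for this guide, not part of it. Ownership alone (chown -R user:ftpgroup) does
# not let other group members write: the group write bit is needed, and the
# setgid bit makes files created by any member belong to the group too.
# Requires permission to chgrp the tree (root, or a member of GROUP).

# setup_shared_dir DIR GROUP
setup_shared_dir() {
    dir=$1; grp=$2
    [ -d "$dir" ] || mkdir -p -- "$dir"
    chgrp -R -- "$grp" "$dir"
    # directories: rwxrwsr-x (2775); the 2 is setgid, so new files inherit GROUP
    find "$dir" -type d -exec chmod 2775 {} +
    # files: rw-rw-r-- (664), the same mode local_umask=002 gives new uploads
    find "$dir" -type f -exec chmod 664 {} +
}

# verify_shared_dir DIR GROUP: 0 if DIR is owned by GROUP (name or numeric gid),
# group-writable and setgid; 1 otherwise.
verify_shared_dir() {
    dir=$1; grp=$2
    [ -d "$dir" ] || return 1
    [ -g "$dir" ] || return 1
    name=$(ls -ld -- "$dir" | awk '{print $4}')
    gid=$(ls -ldn -- "$dir" | awk '{print $4}')
    [ "$name" = "$grp" ] || [ "$gid" = "$grp" ] || return 1
    # character 6 of the ls mode string is the group write bit
    [ "$(ls -ld -- "$dir" | cut -c6)" = w ] || return 1
}

# usage: sh shared_dir.sh /var/www/testftp ftpgroup
if [ $# -eq 2 ]; then
    setup_shared_dir "$1" "$2" && verify_shared_dir "$1" "$2" \
        && echo "ok: $1 is shared by group $2"
fi
```

Run verify_shared_dir again after the first few uploads: if a new file shows up owned by the uploader's primary group instead of the FTP group, the setgid bit was lost (for example by a later chmod -R 755), and if it is 644 rather than 664, local_umask is still 022.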
Upload permissions
By default with the configuration above (local_umask=022), a file uploaded through vsFTPd gets permissions 644. You can change this in /etc/vsftpd/vsftpd.conf by changing the umask settings: local_umask applies to local users (vsftpd's own default, if the line is absent, is 077, which gives 600) and anon_umask to anonymous uploads.
With the configured umask of 022, uploaded files get 644 and directories created over FTP get 755.
If you change it to 002, files uploaded by a vsFTPd user will have 664 permissions (and new directories 775), so every member of the file's group can modify them. Only relax the umask where the directory's group is the intended FTP group.
The resulting mode is calculated by taking each umask digit away from the base permissions: 666 for files (vsFTPd never gives uploads the execute bit) and 777 for directories. Each umask digit leaves the following permissions:
- 0 : read, write and execute
- 1 : read and write
- 2 : read and execute
- 3 : read only
- 4 : write and execute
- 5 : write only
- 6 : execute only
- 7 : no permissions
For files, ignore the execute bit in this table.
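To avoid doing the subtraction by hand, the following added example (written for this guide; it is not vsftpd's code) computes the mode uploads will end up with for any umask, distinguishing files (base 666) from directories (base 777), and reports the effective modes for the local_umask found in a vsftpd.conf, falling back to vsftpd's own default of 077 when the line is absent.

```shell
#!/bin/sh
# Work out the permissions vsftpd uploads end up with for a given umask.
# Added example for this guide, not vsftpd code. vsftpd creates uploaded
# files with mode 0666 (file_open_mode) and new directories with 0777, then
# the kernel clears every bit set in the umask; that is what is computed here.

# umask_to_mode UMASK file|dir -> resulting three-digit mode
umask_to_mode() {
    um=$1
    case $2 in
        file) base=666 ;;
        dir)  base=777 ;;
        *)    return 1 ;;
    esac
    # normalise 0022 / 22 / 022 to three octal digits
    um=$(printf '%s' "$um" | sed 's/^0*//')
    um=${um:-0}
    case $um in
        *[!0-7]*|????*) return 1 ;;   # only octal digits, at most three
    esac
    um=$(printf '%03d' "$um")
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        b=$(printf '%s' "$base" | cut -c "$i")
        u=$(printf '%s' "$um" | cut -c "$i")
        # each umask digit removes bits; (7 - u) is what it leaves behind
        out="$out$(( b & (7 - u) ))"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# vsftpd_upload_modes CONF: report what uploads get under the local_umask set
# in CONF; vsftpd's own default is 077 when the line is absent.
vsftpd_upload_modes() {
    um=$(sed -n 's/^[[:space:]]*local_umask=\(.*\)$/\1/p' "$1" | tail -n 1)
    um=${um:-077}
    printf 'files=%s dirs=%s\n' "$(umask_to_mode "$um" file)" "$(umask_to_mode "$um" dir)"
}

# usage: sh upload_modes.sh /etc/vsftpd/vsftpd.conf
if [ $# -eq 1 ]; then
    vsftpd_upload_modes "$1"
fi
```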