vsftp

Ubuntu endorses vsftpd as its default FTP server, and it is gaining ground elsewhere too, including at Red Hat. Time to switch to it.

The best approach for small scale is to use:
  • local user accounts for password management (but no login shell), combined with:
  • chroot'd home directories so they can only access the files you want them to.

Install and configure the server

sudo apt-get install vsftpd
sudo nano /etc/vsftpd.conf

 (search the config file for each setting before adding it; only append a line if the setting is not already there, commented out or otherwise) 

Set the server to accept only TLS-secured logins, and raise the default cipher strength while you're at it. Anonymous access is off by default.

ssl_enable=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
ssl_ciphers=HIGH

Limit the passive port range so that it works with your router (assuming you are port-forwarding this range to your server):

pasv_min_port=4500
pasv_max_port=4600
pasv_addr_resolve=YES
pasv_address=my.server.org

Allow only local users with passwords, confine each of them to their chroot directory, and let them upload wherever the file permissions permit.

write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

Add your own account to the chroot exception list (with chroot_local_user=YES, users named in this file are the ones that are not chrooted):

echo "userName" | sudo tee -a /etc/vsftpd.chroot_list

Lastly, generate a certificate if you don't already have one by issuing this command. (note: this puts the private key and the public certificate in one file, which is why rsa_cert_file above is the only path needed)

openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 9999
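As an added example (not part of the original page), here is a small shell helper that applies the settings above to a vsftpd.conf file idempotently, replacing an existing or commented-out line instead of appending a duplicate, and reads back the effective value of a key. It works on whatever path you pass it, so it can be tried on a copy before touching /etc/vsftpd.conf.

```shell
#!/bin/bash
# Added helper, not part of the original page. Assumes GNU sed (sed -i -E)
# and a KEY=VALUE config layout with no spaces, which is what vsftpd expects.

# vsftpd_set CONF KEY VALUE: replace an existing KEY= line (live or
# commented out) with KEY=VALUE; append the line only if KEY is absent.
vsftpd_set() {
  local conf=$1 key=$2 value=$3
  if grep -Eq "^[#[:space:]]*${key}=" "$conf"; then
    sed -i -E "s|^[#[:space:]]*${key}=.*|${key}=${value}|" "$conf"
  else
    printf '%s=%s\n' "$key" "$value" >> "$conf"
  fi
}

# vsftpd_get CONF KEY: print the effective value, i.e. the last uncommented
# KEY= line (later lines override earlier ones); prints nothing if unset.
vsftpd_get() {
  local conf=$1 key=$2
  grep -E "^${key}=" "$conf" | tail -n 1 | cut -d= -f2-
}

# apply_page_settings CONF: the TLS, passive-port and chroot settings
# from the sections above, in one place.
apply_page_settings() {
  local conf=$1
  vsftpd_set "$conf" ssl_enable YES
  vsftpd_set "$conf" force_local_logins_ssl YES
  vsftpd_set "$conf" rsa_cert_file /etc/ssl/private/vsftpd.pem
  vsftpd_set "$conf" ssl_ciphers HIGH
  vsftpd_set "$conf" pasv_min_port 4500
  vsftpd_set "$conf" pasv_max_port 4600
  vsftpd_set "$conf" pasv_addr_resolve YES
  vsftpd_set "$conf" pasv_address my.server.org
  vsftpd_set "$conf" write_enable YES
  vsftpd_set "$conf" chroot_local_user YES
  vsftpd_set "$conf" chroot_list_enable YES
  vsftpd_set "$conf" chroot_list_file /etc/vsftpd.chroot_list
}

# check_tls_only CONF: succeeds only if plaintext local logins are refused,
# i.e. both ssl_enable and force_local_logins_ssl are YES (vsftpd booleans
# are case-insensitive, so the values are upper-cased before comparing).
check_tls_only() {
  local conf=$1 ssl force
  ssl=$(vsftpd_get "$conf" ssl_enable | tr '[:lower:]' '[:upper:]')
  force=$(vsftpd_get "$conf" force_local_logins_ssl | tr '[:lower:]' '[:upper:]')
  [ "$ssl" = YES ] && [ "$force" = YES ]
}
```

Run `apply_page_settings /path/to/copy.conf` and then `check_tls_only /path/to/copy.conf` to confirm the result before copying it into place and restarting vsftpd.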

Add Users

In order for users to have FTP access but no shell, you must tell your system that such a shell is acceptable by listing it in /etc/shells. (on most systems this check is done by PAM)

echo /usr/sbin/nologin | sudo tee -a /etc/shells

Now you can add users and set their home directory to the root of your FTP area:

sudo useradd -s /usr/sbin/nologin -d /mnt/crypt-part/ftp-downloads someUser
