apt-get -y install vsftpd or
yum -y install vsftpd
/etc/vsftpd/chroot_list
Depends configuration , this is the file user jailed.
/etc/vsftpd/vsftpd.conf
Configuration VSFTPD.
file /etc/vsftpd/chroot_list doesn´t exist,
touch /etc/vsftpd/chroot_list
service vsftpd start
service vsftpd restart
service vsftpd stop
Add to Sistem Linux StartUp
chkconfig vsftpd on
Modify ur firewall.
.
iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 20 -j ACCEPT
iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 21 -j ACCEPT
iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 30300:30309 -j ACCEPT
if down´t work or have some problems change “-A” for “-I” , some times RHES puts added rules
service iptables save
Or add to file /etc/sysconfig/iptables:
-A INPUT -m state –state NEW -m tcp -p tcp –dport 20 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 21 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 30300:30309 -j ACCEPT
and then restat Service iptables:
service iptables restart
HowTo Vsftpd
setsebool -P ftpd_use_passive_mode 1
this is up to u.. Permit anonimous users to write with ftp connections:
setsebool -P allow_ftpd_anon_write 1
Create Start Dir for local account users ftp_home_dir:
setsebool -P ftp_home_dir 1
make SELinux permit local users acces all FS:
setsebool -P allow_ftpd_full_access 1
Permit vsftpd use Remote CIFS FS.
setsebool -P allow_ftpd_use_cifs 1
setsebool -P allow_ftpd_use_nfs 1
anonymous_enable.
YES or NO is up to you.
anonymous_enable=YES
local_enable.
Permit local users YES or NO .
local_enable=YES
write_enable.
write_enable=YES
anon_upload_enable AND anon_mkdir_write_enable
anon_upload_enable enable anonimous users upload contents to server with ftp usually is NO
anon_upload_enable=NO
anon_mkdir_write_enable enable anonimous user to create dir, as usual NO.
anon_mkdir_write_enable=NO
Notes.
to enable anonimous users upload files to FTP Server leave with YES both Options /etc/vsftpd/vsftpd.conf and then create
/var/ftp/incoming, that belongs to ftp user and group and SELinux public_content_rw_t.
mkdir /var/ftp/incoming
chown ftp:ftp /var/ftp/incoming
chcon -R -t public_content_rw_t /var/ftp/incoming
Is better if /var/ftp/incoming is assigned to separated partition or quota applied to disk to avoid and abuse (attack) that could
fill Server FS.
ftpd_banner.
ftpd_banner=Test & Not Official Corp. Server FTP .
Jail Users: chroot_local_user & chroot_list_file.
chroot_local_user enables chroot(
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
Every user will access personal DIR and contents.
creates file /etc/vsftpd/chroot_list if not, wont works and no access vsftpd.
Notes.
funtion chroot(
required to makes some changes:
chmod 755 /home/ninja2ls
chown root:root /home/ninja2ls
mkdir /home/ninja2ls/uploads
chown ninja2ls:nnjtools /home/ninja2ls/uploads
usermod -s /sbin/nologin ninja2ls
since versión 3.0 vsftpd, unable defaults mode to access with chroot(
pasv_min_port & pasv_max_port.
both not exist by default /etc/vsftpd/vsftpd.conf. add lines at End Of File .
Eneables to establish passive connectionswith a range for ports between 1024 and 65535 , same that have to be speciefied
on the firewall. Next use 30300 and 30309 passive connections-
pasv_min_port=30300
pasv_max_port=30309
Max Rate.
there is not option for MAx rate on /etc/vsftpd/vsftpd.conf. Se
to limits transfer rates per second on anonimous users ofr that ftp public servers.
for 500 Kb per second
anon_max_rate=524288
local_max_rate.
there is no option for local Max Rate /etc/vsftpd/vsftpd.conf. make same for last max rate.
for limits to 1Mb rates
local_max_rate=1048576
max_clients.
either is not on /etc/vsftpd/vsftpd.conf.
limits access to 20 simultaneous clients.
max_clients=20
max_per_ip.
max_per_ip=10
Rafal Zdziech 