Tuesday, September 15, 2009

CUSTOMIZING THE FTP SERVER

The default out-of-the-box behavior of vsftpd is probably not what you want for your
production FTP server. So in this section we will walk through the process of
customizing some of the FTP server’s options to suit certain scenarios.
Setting Up an Anonymous-Only FTP Server
First we’ll set up our FTP server so that it does not allow access to users that have regular
user accounts on the system. This type of FTP server is useful for large sites that have
files that they want to make available to the general public via FTP. In such a scenario, it
is, of course, impractical to create an account for every single user when users can
potentially number into the thousands.
Fortunately for us, vsftpd is ready to serve as an anonymous FTP server out of the
box. But we’ll examine the configuration options in the vsftpd.conf file that ensure this
and also disable the options that are not required.
With any text editor of your choice, open up the /etc/vsftpd/vsftpd.conf file for
editing. Look through the file and make sure that, at a minimum, the directives listed next
are present (if the directives are present but commented out, you might need to remove
the comment symbol [#] or change the value of the option).
listen=YES
xferlog_enable=YES
anonymous_enable=YES
local_enable=NO
write_enable=NO
You will find that the options in the preceding listing are sufficient to enable your
anonymous-only FTP server, and so you may choose to overwrite the existing
/etc/vsftpd/vsftpd.conf file and enter just the options shown. This will help keep the
configuration file simple and uncluttered.
Anonymous logins are mapped to the ftp system account, so verify that the account
exists. Type
[root@serverA ~]# getent passwd ftp
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
  If you don’t get output similar to this, you can quickly create the FTP system account with the
useradd command. To create a suitable ftp user, type
[root@serverA ~]# useradd -c "FTP User" -d /var/ftp -r -s /sbin/nologin ftp
If you had to make any modifications to the /etc/vsftpd/vsftpd.conf file, you need to
restart the vsftpd service. Type
[root@fedora-serverA ~]# service vsftpd restart
If the service command is not available on your Linux distribution, you may be
able to control the service by directly executing its run control script. For example, you
may be able to restart vsftpd by issuing the command
[root@serverA ~]# /etc/init.d/vsftpd restart
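A stock vsftpd.conf is long, and a commented-out copy of a directive often sits next to the active one, so it is easy to believe a setting is in force when it is not. The following POSIX shell script is an added example, not from the original text: it reads the effective value of each directive (comment lines ignored, the last active assignment counts) and reports every directive that differs from the anonymous-only profile listed above. The function names and the ANON_ONLY_DIRECTIVES variable are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original text: audit a vsftpd.conf against the
# anonymous-only directive list. Lines starting with '#' are comments; a
# directive is "option=value" with no spaces around '='. Function names and
# the ANON_ONLY_DIRECTIVES list are this example's own.

# vsftpd_get CONF KEY
#   Prints the effective value of KEY: the last uncommented "KEY=value" line
#   in CONF. Prints nothing when KEY is unset or only present as a comment.
vsftpd_get() {
    grep -v '^#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# vsftpd_check CONF KEY=VALUE ...
#   Compares each expected pair with the effective value in CONF. Returns the
#   number of mismatches (0 means the profile is fully applied) and names
#   each mismatch on stderr.
vsftpd_check() {
    conf=$1; shift
    mismatches=0
    for pair in "$@"; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(vsftpd_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $key is '${have:-unset}', expected '$want'" >&2
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# The minimum anonymous-only profile from the text: anonymous logins on,
# local account logins off, no uploads.
ANON_ONLY_DIRECTIVES="listen=YES xferlog_enable=YES anonymous_enable=YES local_enable=NO write_enable=NO"

# check_anon_only CONF -> 0 when CONF applies the profile, else the mismatch count.
check_anon_only() {
    # Word-splitting on the unquoted variable is intentional here.
    vsftpd_check "$1" $ANON_ONLY_DIRECTIVES
}

# Stand-alone use: check_anon_only /etc/vsftpd/vsftpd.conf
```

Run check_anon_only /etc/vsftpd/vsftpd.conf after editing and again after each restart; a non-zero exit means at least one of the five directives is unset or carries a different value, and the stderr lines name which.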
Setting Up an FTP Server with Virtual Users
Virtual users are users that do not actually exist; i.e., these users do not have any
privileges or functions on the system besides those for which they were created. This type
of FTP setup serves as a midway point between enabling users with local system accounts
access to the FTP server and enabling only anonymous users. If there is no way to
guarantee the security of the network connection from the user end (FTP client) to the
server end (FTP server), it would be foolhardy to allow users with local system accounts to
log into the FTP server. This is because the FTP transaction between both ends usually
occurs in plain text, so a local account password would be exposed on the wire. Of course,
this is only relevant if the server contains any data of value to its owners!
The use of virtual users will allow a site to serve content that should be accessible
to untrusted users, but still make the FTP service accessible to the general public. In the
event that the credentials of the virtual user(s) ever become compromised, one can at
least rest assured that only minimal damage can occur.
In this section we are going to create two sample virtual users named “ftp-user1”
and “ftp-user2.” These users will not exist in any form in the system’s user database (the
/etc/passwd file). These steps detail the process:
  1. First we’ll create a plain-text file that will contain the username and password
combinations of the virtual users. Each username with its associated password
will be on alternating lines in the file. For example, for the user ftp-user1, the
password will be “user1,” and for the user ftp-user2, the password will be
“user2.” We’ll name the file plain_vsftpd.txt. Use any text editor of your choice
to create the file. Here we use vi:
[root@serverA ~]# vi plain_vsftpd.txt
  2. Enter this text into the file:
ftp-user1
user1
ftp-user2
user2
  3. Save the changes to the file, and exit the text editor.
  4. Convert the plain-text file that was created in Step 2 into a Berkeley DB format
(db) that can be used with the pam_userdb.so library. The output will be saved
in a file called hash_vsftpd.db stored under the /etc directory. Type
[root@serverA ~]# db_load -T -t hash -f plain_vsftpd.txt /etc/hash_vsftpd.db
5. Restrict access to the virtual users database file by giving it more restrictive
 permissions. This will ensure that it cannot be read by any casual user on the
system. Type
[root@serverA ~]# chmod 600 /etc/hash_vsftpd.db
6. Next we need to create a PAM file that the FTP service will use as the new
virtual users database file. We’ll name the file virtual-ftp and save it under the
/etc/pam.d/ directory. Use any text editor to create the file.
[root@serverA ~]# vi /etc/pam.d/virtual-ftp
  7. Enter this text into the file:
auth required /lib/security/pam_userdb.so db=/etc/hash_vsftpd
account required /lib/security/pam_userdb.so db=/etc/hash_vsftpd
These entries tell the PAM system to authenticate users against the new database
stored in the hash_vsftpd.db file. Note that the db= argument names the file without
its .db suffix; pam_userdb appends the suffix itself.
  8. Save the changes into a file named virtual-ftp under the /etc/pam.d/ directory.
  9. Let’s create a home environment for our virtual FTP users. We’ll cheat and use
the existing directory structure of the FTP server to create a subfolder that will
store the files that we want the virtual users to be able to access. Type
[root@serverA ~]# mkdir -p /var/ftp/private
10. Now we’ll create our custom vsftpd.conf file that will enable the entire setup.
With any text editor of your choice, open the /etc/vsftpd/vsftpd.conf file for
editing. Look through the file and make sure that, at a minimum, the directives
listed next are present (if the directives are present but commented out, you may
need to remove the comment sign or change the value of the option). Comments
have been added to explain the less-obvious directives.
listen=YES
#We do NOT want to allow users to log in anonymously
anonymous_enable=NO
xferlog_enable=YES
#This is for the PAM service that we created that was named virtual-ftp
pam_service_name=virtual-ftp
#Enable the use of the /etc/vsftpd.user_list file
userlist_enable=YES
#Do NOT deny access to users specified in the /etc/vsftpd.user_list file
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
tcp_wrappers=YES
local_enable=YES
#This activates virtual users.
guest_enable=YES
#Map all the virtual users to the real user called "ftp"
guest_username=ftp
#Make all virtual users' root ftp directory on the server /var/ftp/private/
local_root=/var/ftp/private/
11. We’ll need to create (or edit) the /etc/vsftpd.user_list file that was referenced in
the configuration in Step 10. To create the entry for the first virtual user, type
[root@serverA ~]# echo ftp-user1 > /etc/vsftpd.user_list
 12. To create the entry for the second virtual user, type
[root@serverA ~]# echo ftp-user2 >> /etc/vsftpd.user_list
 13. We are ready to fire up or restart the FTP server now. Type
[root@serverA ~]# service vsftpd restart
14. We will next verify that the FTP server is behaving the way we want it to by
connecting to it as one of the virtual FTP users. Connect to the server as ftp-user1
(remember that the FTP password for that user is “user1”).
[root@serverA vsftpd]# ftp localhost
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.0.8)
Name (localhost:root): ftp-user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
227 Entering Passive Mode (127,0,0,1,94,124).
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/"
ftp> cd /boot
550 Failed to change directory.
ftp> bye
221 Goodbye.
15. We’ll also test to make sure that anonymous users cannot log into the server.
[root@serverA vsftpd]# ftp localhost
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.0.8)
Name (localhost:root): ftp
530 Permission denied.
Login failed.
 16. We’ll finally verify that local users (e.g., the user Ying Yang) cannot log into the
server.
[root@serverA vsftpd]# ftp localhost
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.0.8)
Name (localhost:root): yyang
530 Permission denied.
Login failed.
Everything looks fine.
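Steps 1 through 12 above are a sequence of hand edits, and the alternating username/password layout of the plain-text file is easy to get wrong (an odd line count or a stray blank line quietly produces a database whose entries are shifted). The following POSIX shell script is an added example, not from the original text: it validates the plain-text file, derives /etc/vsftpd.user_list and the /etc/pam.d/virtual-ftp stack from it so the two can never disagree about which usernames exist, and builds the hashed database with db_load where that tool is installed. The function names and the path parameters are this example’s own; pam_userdb.so is referenced by module name rather than by the /lib/security path used above, which lets PAM find it in its default module directory.

```shell
#!/bin/sh
# Added example, not from the original text: build the virtual-user files
# from the alternating username/password list of Steps 1-3, after checking
# the list for the mistakes that silently produce a broken database.
# Function names and the path parameters are this example's own.

# vsftpd_validate_plain FILE
#   Returns 0 when FILE is an even number of non-blank lines with no
#   duplicate usernames (odd lines); otherwise prints the reason, returns 1.
vsftpd_validate_plain() {
    plain=$1
    lines=$(awk 'END { print NR }' "$plain")   # also counts a last line lacking a newline
    if [ "$lines" -eq 0 ] || [ $((lines % 2)) -ne 0 ]; then
        echo "$plain: need an even number of lines (user, password, user, password, ...)" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*$' "$plain"; then
        echo "$plain: blank line found; it would become an empty name or password" >&2
        return 1
    fi
    dups=$(awk 'NR % 2 == 1' "$plain" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$plain: duplicate username(s): $dups" >&2
        return 1
    fi
    return 0
}

# vsftpd_users_from_plain FILE
#   Prints the usernames (odd lines) one per line: the content that
#   /etc/vsftpd.user_list needs when userlist_deny=NO.
vsftpd_users_from_plain() {
    awk 'NR % 2 == 1' "$1"
}

# vsftpd_build_virtual_users PLAIN DBBASE USERLIST PAMFILE
#   DBBASE is the database path without the .db suffix, which is the form
#   pam_userdb's db= option expects (it appends .db itself).
vsftpd_build_virtual_users() {
    plain=$1; dbbase=$2; userlist=$3; pamfile=$4
    vsftpd_validate_plain "$plain" || return 1

    # Steps 11-12: the allow-list of virtual usernames, root-readable only.
    vsftpd_users_from_plain "$plain" > "$userlist"
    chmod 600 "$userlist"

    # Step 7: PAM stack for pam_service_name=virtual-ftp. The module is named
    # without a directory so PAM finds it in its default module path.
    cat > "$pamfile" <<EOF
auth    required pam_userdb.so db=$dbbase
account required pam_userdb.so db=$dbbase
EOF

    # Steps 4-5: the hashed database, readable by root only.
    if command -v db_load >/dev/null 2>&1; then
        if ! db_load -T -t hash -f "$plain" "$dbbase.db"; then
            echo "db_load failed for $dbbase.db" >&2
            return 1
        fi
        chmod 600 "$dbbase.db"
    else
        echo "db_load not installed; $dbbase.db not built" >&2
    fi
    return 0
}

# Stand-alone use (as root):
# vsftpd_build_virtual_users plain_vsftpd.txt /etc/hash_vsftpd /etc/vsftpd.user_list /etc/pam.d/virtual-ftp
```

The plain-text input holds the passwords in the clear; once the .db file has been built and tested with the ftp client as in Step 14, delete it rather than leave it in root’s home directory, and rebuild from a fresh copy whenever a virtual user is added or removed.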
