Paranoid Penguin - Secure Anonymous FTP with vsftpd

To keep your FTP site secure, stick to anonymous access only and run an FTP dæmon with minimal complexity.

Can you believe that in nearly four years of Paranoid Penguin columns, I've never talked about how to configure FTP services? This month I fix that, using my new favorite FTP server, Chris Evans' excellent vsftpd (Very Secure FTP Dæmon). Because my space here is limited and the best use of FTP is anonymous FTP, we focus on anonymous FTP. The FTP protocol's use of clear-text authentication makes it a terrible choice for anything but anonymous file transfer. But anonymous FTP is still plenty useful.

vsftpd is increasingly popular and is included with recent versions of Debian, SuSE, Fedora, Red Hat and other Linux distributions. This inclusion probably is because vsftpd provides a unique combination of security and convenience. It is easy to get up and running in a hurry, without having to make ugly security-vs.-expedience trade-offs.

Chris Evans created vsftpd with security as a central design goal, and its track record so far is impressive. As of this writing, in the nearly four years it has been available, vsftpd has had zero significant security vulnerabilities. Regardless of whether that's still true by the time you read this article, it speaks to vsftpd's excellent design philosophy, which borrows from OpenBSD's “secure by default, extra features disabled by default, minimal complexity overall” motto.

How minimalist is vsftpd? Its entire source tree is just over 1MB in size, fully uncompressed. The vsftpd executable itself is 80K.

Getting and Installing vsftpd

As I mentioned, vsftpd now is a standard package on many Linux distributions. The usual advantages of binary packages apply: convenience, easy patching and minimal impact on other system software. In Debian, SuSE, Fedora and Red Hat, the package you need is, predictably, named vsftpd. It has no particularly exotic dependencies. Most users probably will be perfectly happy with their distribution's stock vsftpd package.

If your distribution of choice doesn't provide a binary package for vsftpd, or if you need a later version than the one your distribution provides, compile vsftpd from its source code tarball, which is available at vsftpd.beasts.org. The build process is decidedly old school. If you aren't already, become root. Then, unpack the tarball and change your working directory to its root, like this:

# tar -xzf vsftpd-1.2.1.tar.gz; cd vsftpd-1.2.1

Next, enter the command make without arguments. If it succeeds, there should be a vsftpd executable in the current directory. Make sure the user nobody exists; if it doesn't, create it. vsftpd runs as this account.

Create the directory /usr/share/empty if it doesn't exist already. It should be owned by root and be neither group- nor world-writable—it will be used as the default vsftpd chroot jail.

Create a home directory for the anonymous FTP user. SuSE conventionally uses /srv/ftp, and other distributions use /var/ftp, but it can be whatever you like. Again, this directory should be owned by root and should not be writable by anyone else.

Create an anonymous FTP user account, such as ftp, and make sure its home directory is set to the one you created in the previous step. Your system already may have such an account. The anonymous ftp user should not be able to write in its home directory, and it should never own any files or directories.

Now you're ready to copy vsftpd and the vsftpd(8) and vsftpd.conf(5) man pages into more useful locations, so enter the command make install. Manually copy the sample vsftpd.conf file into /etc.

If you want to run vsftpd as a standalone dæmon, create a startup script for vsftpd in /etc/init.d. Otherwise, configure either inetd or xinetd to start it up as needed (see the Standalone Dæmon vs. inetd/xinetd section).

If you're running vsftpd as a standalone dæmon, enable the startup script with chkconfig if you use an RPM-based Linux distribution or with update-rc.d if you run Debian GNU/Linux. Alternatively, if you install vsftpd from an RPM or deb package, all these steps are executed automatically, with the probable exception of the last one. Did I mention that binary packages are much more convenient? Some distributions require manual intervention to enable newly installed packages. For example, on my SuSE 9.0 system, although the SuSE vsftpd RPM automatically installed /etc/init.d/vsftpd, I had to issue the commands chkconfig --add vsftpd and chkconfig --level 35 vsftpd on to enable the script.
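As an added check that is not from the article or the vsftpd project, the following script verifies the directory conditions the steps above call for: the anonymous root is owned by root, has neither the group nor the world write bit set, and contains nothing owned by the anonymous account. It assumes GNU stat(1) and find(1) and takes the anonymous root and the account name as arguments.

```sh
#!/bin/sh
# Added audit helper (not part of vsftpd) for an anonymous FTP root.
# Usage: audit_anon_root DIR [FTPUSER]   (FTPUSER defaults to "ftp")
# Prints one line per finding and returns the number of findings (0 = clean).
audit_anon_root() {
    dir=$1
    ftpuser=${2:-ftp}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "FINDING: $dir is not a directory"
        return 1
    fi

    # The root must be owned by uid 0, never by the anonymous account.
    if [ "$(stat -c %u "$dir")" != 0 ]; then
        echo "FINDING: $dir is not owned by root"
        findings=$((findings + 1))
    fi

    # Group- and world-write bits (octal 022) must both be clear; vsftpd
    # refuses to start with a writable anonymous root.
    mode=$(stat -c %a "$dir")
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "FINDING: $dir is group- or world-writable (mode $mode)"
        findings=$((findings + 1))
    fi

    # The anonymous account should not own any file or directory inside.
    if id "$ftpuser" >/dev/null 2>&1; then
        owned=$(find "$dir" -user "$ftpuser" | wc -l)
        if [ "$owned" -gt 0 ]; then
            echo "FINDING: $owned path(s) under $dir owned by $ftpuser"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Example call for a SuSE-style layout: audit_anon_root /srv/ftp ftp
```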

vsftpd's Documentation

Before I begin a discussion of vsftpd that focuses narrowly on running it as a standalone dæmon serving up only anonymous FTP, I should point out some valuable, much more complete, sources of vsftpd documentation. First, vsftpd comes with an EXAMPLE/ directory containing sample configurations for a variety of FTP scenarios, including running standalone, running with xinetd, serving anonymous users only and serving local users. If you installed vsftpd from source code, EXAMPLE is a subdirectory of your vsftpd source code tarball. If you installed vsftpd from a binary package, it's probably been copied to your system somewhere under /usr/share/doc. It is /usr/share/doc/packages/vsftpd/EXAMPLE on SuSE systems.

As I mentioned in the previous section, vsftpd has man pages, vsftpd(8) and vsftpd.conf(5). Finally, the default (sample) vsftpd.conf file itself is well commented. It doesn't contain all vsftpd options, but it does illustrate the most commonly used ones. I've successfully gotten vsftpd to work several times with only minimal tweaking to the sample vsftpd.conf file.

______________________

Comments


Setting up ftp site

Posted by Anonymous

Hi,

I would like to set up a site where people can just click the installer that they want to download, and the prompt asking to open or save the file will appear automatically (no need for any username or email address). The installers are located on a Linux server. I have already installed vsftpd; the problem is I don't know how to configure my FTP for this setup.

chown based on user

Posted by Dustin

Is it possible to have uploaded files have ownership set to the name of the user that uploaded them? For example, if user 'user1' uploads a file, the owner should be 'user1' instead of 'ftp' (the default). Additionally, if 'user2' logs in (and is placed in a different root directory - which I have working fine), the owner of files should be 'user2'. Is this easily possible (and within one vsftpd.conf)? Thank you.

vsftpd

Posted by ehsan

Hi,
I want anonymous users to be able to visit the /myftp folder and download some files.

Then I want users like u1, u2, u3 to be able to log in to FTP
and upload and change files in /myftp sub folders.

u1 should have access to /myftp/folder1
u2 should have access to /myftp/folder1 and /myftp/folder2
u3 should have access to all folders in /myftp/
Anonymous should not have access to /myftp/folder3!

Is it possible?

HELP PLZ!

Problems when starting vsftpd daemon on redhat 4

Posted by T. Hoang

1. Very good and detailed article about secure FTP.
2. Problems:
When I tried to start "vsftpd &" on Red Hat 4, I got the following error:
"./vsftpd: error while loading shared libraries: libssl.so.6: cannot open shared object file: No such file or directory"

On my server, I only have "/lib/libssl.so.4". Please help.

Thanks,
T. Hoang

How

Posted by Anonymous

Thanks Mick,
It is a very nice article. I think it will help many in configuring
vsftpd in the correct way.
My query is regarding how to configure the server so that my server
supports privileged ports. I have enabled the option

connect_from_port_20=YES

but still I am getting the error:

"Your ftp bounce server doesn't allow privileged ports, skipping them."

Please clarify what options I have to enable so that my server
supports privileged ports...

With thanks in advance.....

vsftpd: does not run standalone, must be started from inetd

Posted by Anonymous

Please help me rectify this problem.

quota per virtual user

Posted by Anonymous

Is there a way to set quotas for virtual users?

disk quotas for anonymous ftp users

Posted by Anonymous

Yes you can, but with a separate package, not related to vsftpd but to Linux. Check Red Hat for info. It is similar for all Linux versions.
It is not difficult, but a bit laborious for the first setup. After that it's transparent.

IP Based access permission using vsftpd

Posted by UDIT

Hi, I have set up a vsftpd server on my Fedora Core 3 machine. Now I want to restrict the IPs that access my server. How could I set permissions and access rights based on the IPs of the systems?

setup iptables to control

Posted by Anonymous

Set up iptables to control who can access a particular IP and the FTP port. The rest can be done through the config file, since every virtual FTP server has its own config file.

IP Based access permission using vsftpd

Posted by sam chester

I have the same problem. How can we set permissions and access rights based on the IP of systems? Help please.

anon_umask, I think!

Posted by pcoleman

I have everything working fine except when anonymous writes a file it always gets the permissions 600. No matter what I do to the anon_umask it stays the same. Does anyone have any idea how to change this and make it upload a file with different permissions?

Thanks.

Pat.

anon_umask, I think!

Posted by Anonymous

I have the same problem. Did you ever get an answer to this?

exactly same problem, still

Posted by Anonymous

Exactly the same problem, still no answer.

Name Based Vhost ?

Posted by Rakotomandimby Mihamina

How about name based virtual host please? Is it possible?

500 OOPS: Could not bind listening IPv4 socket

Posted by Anonymous

I am using Fedora Core 3 and installed VSFTPD, but when I try to check my FTP server I always get "500 OOPS: Could not bind listening IPv4 socket". I have followed the steps to set up VSFTPD but I still get this error. What could be my problem?

Check your vsftpd.conf file.

Posted by Dan

Check your vsftpd.conf file. If the command "listen=YES" is not commented out, then comment it out. For some reason, the example file seems to enable it by default. When enabled, it can only run in the "stand-alone" mode, not from xinetd.

Re:500 OOPS: Could not bind listening IPv4 socket

Posted by Anonymous

Hi,
I just stopped the inetd service, and then started the individual VSFTPD service, and it worked fine for me.

Regds,
Deepak

Re:500 OOPS: Could not bind listening IPv4 socket

Posted by Deepak Naik

Sorry, the xinetd service I stopped, not the inetd service

Might be the firewall!

Posted by Laurin

I had the same problem. Don't know why, but the ipconfig firewall closed ports 20 & 21 to the inner system. (SUSE 9.2 prof) Guard from inner system (or whatever it is called in English) is NOT activated.

Solution: Do NOT open ports 20 & 21 in the expert firewall settings. That does not work.
You have to type "ftp" there, and make your vsftpd listen to your inner system only (if you want it to), using listen_at=(IP) in standalone mode.

Happy computing — Laurin.

hi Modify the /etc/vsftpd/vs

Posted by Anonymous

Hi,
Modify /etc/vsftpd/vsftpd.conf
Rem the line #Listen=YES
Restart xinetd
# service xinetd restart

Works for me on Fedora Core 3.

OOPS error

Posted by Mika

Worked with OpenSuSE 10.1 as well.

Thanks a lot!

This worked for me as well.

Posted by Dlogan

This worked for me as well. CentOS 4.0.

500 OOPS: vsftpd: refusing to run with writable anonymous root

Posted by Markus Merz

500 OOPS: vsftpd: refusing to run with writable anonymous root

This very common error appears when the FTP root directory is writable.

I found the simple solution in an Oracle manual

To avoid this error:
500 OOPS: vsftpd: refusing to run with writable anonymous root

# chmod u-w /srv/ftp
# mkdir /srv/ftp/pub
# chown ftp:ftp /srv/ftp/pub

The first line makes sure the root directory is not writable.
The second line creates a directory.
The third line changes the owner to the user and group ftp.

The ftp root directory MUST NOT be owned by ftp for security reasons (it should be root:root).

I just had to find out about this solution yesterday 15.2.05 - so I hope it helps somebody else.

Best regards,

Markus

Thank you for the tip

Posted by MarbolanGos

It is an old tip you gave, but it saved me. I had been trying to find the solution for a month when someone pointed me to this topic.

Thanks !

anonymous user still cannot upload files

Posted by peter

Dear Markus,
I followed your steps as
# chmod u-w /srv/ftp
# mkdir /srv/ftp/pub
# chown ftp:ftp /srv/ftp/pub

I just changed srv to var. It does not work for me. I cannot figure out
what "chown ftp:ftp /srv/ftp/pub" means.

I believe my vsftpd.conf is OK.
Thanks.
peter

chown changes owner to usr

Posted by Anonymous

chown changes the owner to user ftp, group ftp for the file /srv/ftp/pub. Anyway, man chown would have answered your question straight away.

Exactly why is this in an

Posted by Strykar

Exactly why is this in an Oracle handbook?
You saved me many hours of grief Markus, thanks a ton.

500 OOPS: vsftpd: refusing to run with writable anonymous root

Posted by Stan Omoregie

Thanks Markus for the tip. It saved my day...

Anonymous FTP Write permissions with vsftpd

Posted by KC

500 OOPS: vsftpd: refusing to run with writable anonymous root.

My FTP root was not readable, so vsftpd would start, but I couldn't get it to allow anonymous uploads, no matter what I did. I looked for hours for the answer! Why is it not spelled out a little more clearly in the docs?? Why do you have to look at an Oracle Manual to find an obvious VSFTPD config issue??

Markus, you have HUGE props in my book for putting that info down... too bad it took a few hours of Google, change config, get frustrated, repeat before I came across this post.

I think I'll drop by vsftpdrocks.org and relay this info. Thanks again.

More anonymous FTP uploading problems

Posted by Stu Hill

Gah! I am also trying to get anonymous to be able to write. I have got this working on one Fedora 8 box, but on another Fedora 8 box I cannot get it to allow me to write. The clues on the non-working machine are:

yum list|grep vsftpd
vsftpd.i386 2.0.5-19.fc8 installed
system-config-vsftpd.noarch 0.5.1-1.fc8 updates-newkey
vsftpd.i386 2.0.5-21.fc8 updates-newkey

vsftpd.conf contains (copied from the working machine) ::
listen=YES
local_enable=NO
anonymous_enable=YES
write_enable=YES
anon_root=/var/ftp
anon_max_rate=2048000
xferlog_enable=YES
ftp_username=ftp
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
ftpd_banner=(woohooo2!!)
log_ftp_protocol=YES
no_anon_password=YES

ls -l /var
drwxr-xr-x 3 root root 4096 2009-09-26 21:12 ftp

ls -l /var/ftp
drwxr-xr-x 2 ftp ftp 4096 2009-09-26 21:12 pub

grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

FTP allows me to log in and cd into pub, but then I am unable to create a directory!!!

What else can I check for, as, like I said, it is working on one machine but not another...

Anonymous FTP Write permissions with vsftpd

Posted by Nico

Hello,

And what if you want to have the FTP root filesystem writable by the anonymous user in order to have file uploads processed by automation from another system that connects as anonymous?

If someone knows...

Thanks

anonymous ftp

Posted by Anonymous

Set in vsftpd.conf
anon_root=/srv/ftp/pub

giving pub write access.

that just takes you back to

Posted by fluxdude

That just takes you back to the beginning of having a root that is writable by anonymous...

Make the root some dir, then create a pub dir inside that and chown that pub directory to the ftp user.

Anonymous must then ftp in, cd to pub and then upload.
