Paranoid Penguin - Secure Anonymous FTP with vsftpd

To keep your FTP site secure, stick to anonymous access only and run an FTP dæmon with minimal complexity.
Virtual Servers

If you want to have multiple virtual FTP servers residing on the same physical host, one with multiple IP addresses, vsftpd can do this easily. All you need to do is run multiple instances of the vsftpd dæmon, each with its own vsftpd.conf file specifying on which IP address to listen and which directory to use as its anonymous root.

For example, suppose I've got two IP addresses assigned to my machine, 1.2.3.4 and 1.2.3.5, registered in DNS to the names knusper and rover, respectively. In that case, I could have two configuration files for vsftpd, say, /etc/vsftpd.knusper and /etc/vsftpd.rover. Listings 2 and 3 show these files.

Notice my possibly foolish use of the local_enable parameter in Listing 3. It's dangerous to set this to YES, because FTP logon credentials are sent in clear text. You never want to expose real system credentials to eavesdropping, especially if your server is Internet-connected. The real reason I show it here is to illustrate that because each virtual server uses its own configuration file, you can specify completely different behaviors for each. One virtual server may have a public uploads directory that anonymous users write to, whereas another may be a strictly read-only FTP site. Conversely, you need to take care that settings you consider to be important in preserving overall system security are set consistently between different virtual servers running on the same machine.

Besides creating different configuration files for each virtual FTP server you want vsftpd to serve up, you also need to alter your startup script accordingly. The startup script on my sample server, represented by Listings 2 and 3, would need something equivalent to these two lines:

vsftpd /etc/vsftpd.knusper
vsftpd /etc/vsftpd.rover

If you run Red Hat or Fedora, this already has been taken care of for you. The /etc/init.d/vsftpd script included with those distributions' vsftpd RPM packages automatically parses the directory /etc/vsftpd for as many configuration files as you care to put there, so long as the filename of each ends with .conf. This strikes me as an excellent bit of foresight on the part of the Red Hat team.

That's all you need to know about setting up a simple and secure anonymous FTP server with vsftpd. As I mentioned, I've only covered a subset of what vsftpd is capable of doing. Despite its minimalist design philosophy, this is a powerful FTP server indeed. Fortunately, it's also well documented, so it's really no cop-out for me to refer you to the vsftpd.conf(5) man page and the EXAMPLE/ directory for information on the many other uses of vsftpd.

Mick Bauer, CISSP, is Linux Journal's security editor and an IS security consultant in Minneapolis, Minnesota. He's the author of Building Secure Servers With Linux (O'Reilly & Associates, 2002).

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Setting up ftp site

Anonymous's picture

Hi,

I would like to setup a site where people can just click the installer that they want to download the automatically the prompt asking to open or save the file will appear.(no need for any username or email address) The installers are located in a linux server. I have already installed vsftpd the problem is I don't know how to configure my ftp to this setup.

chown based on user

Dustin's picture

Is it possible to have uploaded files have ownership set to the name of the user that uploaded them? For example, if user 'user1' uploads a file, the owner should be 'user1' instead of 'ftp' (the default). Additionally, if 'user2' logs in (and is placed in a different root directory - which I have working fine), the owner of files should be 'user2'. Is this easily possible (and within one vsftpd.conf)? Thank you.

vsftpd

ehsan's picture

hi
i want to anynom users can visit /myftp folder and download some files.

then i want to users lik u1,u2,u3 can login to ftp
and can upload,change files in /myftp sub folders.

u1 should have access to /myftp/folder1
u2 should have access to /myftp/folder1 and /myftp/folder2
u3 should have access to /myftp/ all folders
anonym should not access to /myftp/folder3 !

is it possible?

HEPL PLZ!

Problems when starting vsftpd daemon on redhat 4

T. Hoang's picture

1. Very good and detailed article about secure ftp
2. Problems:
When I tried to start "vsftpd &" on Redhat 4, I got the following error:
"./vsftpd: error while loading shared libraries: libssl.so.6: cannot open shared object file: No such file or directory"

On my server, I only have "/lib/libssl.so.4". Please help.

Thanks,
T. Hoang

How

Anonymous's picture

Thanks Mick ,
It is a very nice article. I think it will help many in configuring
vsftpd in the correct way.
My query is regarding how to configure the server so that my server
support privileged ports. I have enabled the option

connect_from_port_20=YES

but still I am getting the error.

"" Your ftp bounce server doesn't allow privileged ports, skipping
them.""

Please clarify me what options I have to enable so that my server
supports privileged port...

With thanks in advance.....

vsftpd: does not run standalone, must be started from inetd

Anonymous's picture

please help me rectify this problem

quota per viretual user

Anonymous's picture

Is there a way to set quota for virtual user?

disk quotas for anmonymous ftp users

Anonymous's picture

Yes you can, but with a separate package not related to vsftpd but to Linux. Check Red Hat for info. It is similar for all Linux versions.
It is not difficult but a bit laborious for the first setup. After that it's transparent.

IP Based access permission using vsftpd

UDIT's picture

hi i have established a vsftp server on my fedora core 3 m/c. now i want to have restriction on the ips that access my server. How could i set permission and access rights based on the ips of the systems.

setup iptables to control

Anonymous's picture

setup iptables to control who can access particular ip and ftp port. The rest can be done through config file, since every virtual ftp server has its own config file.

IP Based access permission using vsftpd

sam chester's picture

I've the same problem. How can we set permission and access rights based on the ip of systems?? Help plz.

anon_umask, I think!

pcoleman's picture

I have everything working fine except when anonymous writes a file it always gets the permissions 600. No matter what I do to the anon_umask it stays the same. Does anyone have any idea how to change this and make it upload a file with different permissions?

Thanks.

Pat.

anon_umask, I think!

Anonymous's picture

I have the same problem. Did you ever get an answer to this?

exactly same problem, still

Anonymous's picture

exactly same problem, still no answer

Name Based Vhost ?

Rakotomandimby Mihamina's picture

How about name based virtual host please? Is it possible?

500 OOPS: Could not bind listening IPv4 socket

Anonymous's picture

i am using Fedora Core 3 and installed VSFTPD, but when i try to check my FTP server i always get 500 OOPS: Could not bind listening IPv4 socket. I have followed the steps to setup VSFTPD but still i got this error, What could be my problem?

Check your vsftpd.conf file.

Dan's picture

Check your vsftpd.conf file. If the command "listen=YES" is not commented out, then comment it out. For some reason, the example file seems to enable it by default. When enabled, it can only run in the "stand-alone" mode, not from xinetd.

Re:500 OOPS: Could not bind listening IPv4 socket

Anonymous's picture

Hi,
I just stopped the inetd service, and the started the indivdual VSFTPD service, and it worked fine for me

Regds,
Deepak

Re:500 OOPS: Could not bind listening IPv4 socket

Deepak Naik's picture

Sorry, the xinetd service I stopped, not the inetd service

Might be the firewall!

Laurin's picture

I had the same problem. Dont know why, the ipconfig-firewall closed port 20 & 21 to the inner systen. (SUSE 9.2 prof) Guard from inner system (or how it is called like in English) is NOT activated.

Solution: Do NOT open the ports 20 & 21 in the experts-firewall-settings. Does not work.
You have to type there "ftp" - and make your vsftpd listen to your inner system only (if you want it to), using listen_at=(IP) in standalone-mode.

Happy computing — Laurin.

hi Modify the /etc/vsftpd/vs

Anonymous's picture

hi
Modify the /etc/vsftpd/vsftpd.conf
Rem the line #Listen=YES
Restart xinetd
#services xinetd restart

works for me on fedora core 3

OOPS error

Mika's picture

worked with OpenSuSE 10.1 aswell.

Thanks a lot!

This worked for me as well.

Dlogan's picture

This worked for me as well. Centos 4.0.

500 OOPS: vsftpd: refusing to run with writable anonymous root

Markus Merz's picture

500 OOPS: vsftpd: refusing to run with writable anonymous root

This very common error appears when the FTP root directory is writable.

I found the simple solution in an Oracle manual

To avoid this error:
500 OOPS: vsftpd: refusing to run with writable anonymous root

# chmod u-w /srv/ftp
# mkdir /srv/ftp/pub
# chown ftp:ftp /srv/ftp/pub

The first line takes care of the root directory being not writable.
The second line creates a directory.
The third line changes the owner to the user and group ftp.

The ftp root directory MUST NOT be owned by ftp for security reasons (it should be root:root).

I just had to find out about this solution yesterday 15.2.05 - so I hope it helps somebody else.

best regards

Markus

Thank you for the tip

MarbolanGos's picture

It is an old tip you gave but it saved me, I was trying to find the solution sincze a month when someone pointed me that topic.

Thanks !

anonymous user still cannot upload files

peter's picture

Dear markus,
I followed your steps as
# chmod u-w /srv/ftp
# mkdir /srv/ftp/pub
# chown ftp:ftp /srv/ftp/pub

Just changed srv to var. It does not work for me. I cannot figure out
what "chown ftp:ftp /srv/ftp/pub" means.

I believe my vsftpd.conf is ok.
Thanks.
peter

chown changes owner to usr

Anonymous's picture

chown changes owner to usr ftp, group frp for the file /srv/ftp/pub. Anyway, man chown would have answered your question straight.

Exactly why is this in an

Strykar's picture

Exactly why is this in an Oracle handbook.
You saved me many hours of grief Markus, thanks a ton.

500 OOPS: vsftpd: refusing to run with writable anonymous root

Stan Omoregie's picture

Thanks Markus for the tip. It saved my day...

Anonymous FTP Write permissions with vsftpd

KC's picture

500 OOPS: vsftpd: refusing to run with writable anonymous root.

My FTP root was not readable, so vsftpd would start, but I couldn't get it to allow anonymous uploads, no matter what I did. I looked for hours for the answer! Why is it not spelled out a little more clearly in the docs?? Why do you have to look at an Oracle Manual to find an obvious VSFTPD config issue??

Markus, you have HUGE props in my book for putting that info down...too bad it took a few hours of goolge, change config, get frustrated, repeat before I came across this post.

I think I'll drop by vsftpdrocks.org and relay this info. Thanks again.

More anonymous FTP uploading problems

Stu Hill's picture

Gah! I am also trying to get anonymous to be able to write. I have got this working on one fedora8 box, but on another fedora8 I cannot get it to allow me to write, the clues on the non-working machine are :

yum list|grep vsftpd
vsftpd.i386 2.0.5-19.fc8 installed
system-config-vsftpd.noarch 0.5.1-1.fc8 updates-newkey
vsftpd.i386 2.0.5-21.fc8 updates-newkey

vsftpd.conf contains (copied from the working machine) ::
listen=YES
local_enable=NO
anonymous_enable=YES
write_enable=YES
anon_root=/var/ftp
anon_max_rate=2048000
xferlog_enable=YES
ftp_username=ftp
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
ftpd_banner=(woohooo2!!)
log_ftp_protocol=YES
no_anon_password=YES

ls -l /var
drwxr-xr-x 3 root root 4096 2009-09-26 21:12 ftp

ls -l /var/ftp
drwxr-xr-x 2 ftp ftp 4096 2009-09-26 21:12 pub

grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

FTP allows me to login and cd into pub but then i am unable to create a directory !!!

What else can i check for, as like i said it is working on one machine but not another...

Anonymous FTP Write permissions with vsftpd

Nico's picture

Hello,

And what if you want to have the FTP root filesystem writable by the anonymous user in order to have file uploads processed by automation from another system that connects as anonymous ?

If someone knows...

Thanks

anonymous ftp

Anonymous's picture

set in vsftp.conf
anon_root=/srv/ftp/pub

giving the pub write access

that just takes you back to

fluxdude's picture

that just takes you back to the beginning of having a root that is writeable by anonymous...

make the root some dir and then create a pub dir inside that and chown that pub directory to the ftp user.

Anonymous must then ftp, cd to pub and then upload.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix