Tuesday, April 15, 2008

Setup of VSFTPD - another approach

If you are hosting several web sites, for security reasons you may want each webmaster to be able to access only their own files. One good way is to give them FTP access by setting up VSFTPD virtual users and directories.

In my last article, I described how to set up VSFTPD virtual users. In this article, I describe another approach to setting up VSFTPD, one that uses real user accounts on the system.

1. Installation of VSFTPD

For Red Hat, CentOS and Fedora, you may install VSFTPD with the command
# yum install vsftpd
For Debian and Ubuntu,
# apt-get install vsftpd
2. Virtual users and authentication

We create a real user account for each webmaster, but give them FTP access to our server only.

First, use the `useradd' command to create the user accounts. The settings to specify are:
  • group: set the user's group to the group the HTTP server runs as. In most cases this is `apache' for Apache HTTP Server and `lighttpd' for lighttpd.

  • home directory: set each user's home directory to the DocumentRoot of their virtual host. These directories must also be writable by the HTTP server.

  • login shell: to disallow normal logins for these FTP users, set their login shell to `/sbin/nologin'.
For example:
# useradd -g apache -d /var/www/vhosts/mike -s /sbin/nologin mike
# chmod g+w /var/www/vhosts/mike
# passwd mike
Changing password for user mike.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
3. Configuration of VSFTPD

Create a configuration file /etc/vsftpd/vsftpd-virtual.conf,
# disables anonymous FTP
anonymous_enable=NO
# enables non-anonymous FTP
local_enable=YES
# enables uploads and new directories
write_enable=YES
# authentication of virtual users
pam_service_name=login
# the virtual user is restricted to the virtual FTP area
chroot_local_user=YES
# runs vsftpd in standalone mode
listen=YES
# listens on this port for incoming FTP connections
listen_port=60021
# the minimum port to allocate for PASV style data connections
pasv_min_port=62222
# the maximum port to allocate for PASV style data connections
pasv_max_port=63333
# controls whether PORT style data connections use port 20 (ftp-data)
connect_from_port_20=YES
# the umask for file creation
local_umask=022
4. Start VSFTPD and test
Now we can start VSFTPD with the command:
# /usr/sbin/vsftpd /etc/vsftpd/vsftpd-virtual.conf
and test FTP access as a virtual user:
# lftp -u mike -p 60021 192.168.1.101
The virtual user should have full access to his own directory.
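Before creating accounts and starting the daemon, it helps to review the commands that will be run and to check the configuration for the settings this setup depends on. The script below is an added example, not part of the original post: it builds (but does not execute) the useradd line from step 2 for a given webmaster, audits a vsftpd configuration for the restrictive settings from step 3 (anonymous FTP off, local logins on, chroot enforced, a sane PASV port range), and verifies that an FTP-only account really has `/sbin/nologin' as its shell and that this shell is listed in /etc/shells, since vsftpd's check_shell option (default YES) refuses logins for users whose shell is not in that file. All file contents are constructed samples written to a temporary directory; the /var/www/vhosts paths and the `apache' group are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run and audit helpers for
# the VSFTPD system-user setup. All file contents below are constructed
# samples; paths and the group name are assumptions taken from the post.

WORK=$(mktemp -d)

# Constructed copy of the post's vsftpd-virtual.conf.
cat > "$WORK/vsftpd-virtual.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
pam_service_name=login
chroot_local_user=YES
listen=YES
listen_port=60021
pasv_min_port=62222
pasv_max_port=63333
connect_from_port_20=YES
local_umask=022
EOF

# Constructed /etc/passwd and /etc/shells excerpts: mike follows the post,
# alice was created with an interactive shell by mistake.
cat > "$WORK/passwd" <<'EOF'
mike:x:1001:48::/var/www/vhosts/mike:/sbin/nologin
alice:x:1002:48::/var/www/vhosts/alice:/bin/bash
EOF
printf '/bin/sh\n/bin/bash\n/sbin/nologin\n' > "$WORK/shells"

# Print the value of KEY in a vsftpd.conf (comments ignored, last definition wins).
vsftpd_get() {
    key=$1; conf=$2
    sed -n "s/^[[:space:]]*$key=//p" "$conf" | tail -n 1
}

# Build the useradd line the post uses: web-server group, DocumentRoot as
# home directory, no interactive shell. Printed, not executed, for review.
useradd_cmd() {
    name=$1; docroot=$2; group=${3:-apache}
    printf 'useradd -g %s -d %s -s /sbin/nologin %s\n' "$group" "$docroot" "$name"
}

# Audit the settings that keep the FTP area restricted. Returns 0 when every
# check passes and prints one line per failure otherwise.
vsftpd_audit() {
    conf=$1; fail=0
    for want in anonymous_enable=NO local_enable=YES chroot_local_user=YES listen=YES; do
        key=${want%=*}; val=${want#*=}
        if [ "$(vsftpd_get "$key" "$conf")" != "$val" ]; then
            echo "FAIL: $key should be $val"; fail=1
        fi
    done
    lo=$(vsftpd_get pasv_min_port "$conf"); hi=$(vsftpd_get pasv_max_port "$conf")
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "FAIL: pasv_min_port/pasv_max_port do not form a valid range"; fail=1
    fi
    return $fail
}

# Check that an FTP-only account uses /sbin/nologin and that the shell is
# listed in /etc/shells, which vsftpd's check_shell (default YES) requires.
check_ftp_account() {
    passwd=$1; shells=$2; name=$3
    shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$passwd")
    [ "$shell" = "/sbin/nologin" ] || { echo "FAIL: $name shell is '$shell'"; return 1; }
    grep -qx "$shell" "$shells" || { echo "FAIL: $shell missing from $shells"; return 1; }
    return 0
}

# Constructed weakened copy: anonymous FTP re-enabled, PASV range inverted.
sed -e 's/^anonymous_enable=NO/anonymous_enable=YES/' \
    -e 's/^pasv_min_port=.*/pasv_min_port=64000/' \
    "$WORK/vsftpd-virtual.conf" > "$WORK/weak.conf"

useradd_cmd mike /var/www/vhosts/mike
vsftpd_audit "$WORK/vsftpd-virtual.conf" && echo "vsftpd-virtual.conf: OK"
vsftpd_audit "$WORK/weak.conf" || echo "weak.conf: rejected"
check_ftp_account "$WORK/passwd" "$WORK/shells" mike && echo "mike: OK"
check_ftp_account "$WORK/passwd" "$WORK/shells" alice || echo "alice: rejected"
```

Run it as an ordinary user; nothing is changed on the system, and the `useradd' line it prints is the one to run as root once it looks right. One caveat the audit cannot cover because it depends on the installed version: vsftpd 3.0 and later refuse a chrooted login whose root directory is writable by the user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set, so the chmod g+w from step 2 needs that extra setting on those versions.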

4 comments:

  1. I know, I'm nitpicking ... but these are not virtual users, but system users with restricted access.

    While real virtual users are only known by the ftp server, these users are known by the linux system.

    Often enough this solution is secure enough and somewhat more feasible.
    But if you want to add security, use *real* virtual users.

    It's a small difference - but a difference.


  2. Excellent article; the example above is very good. But as an alternative solution I want to draw your attention to the possibility of using cloud server dataroom services for such purposes.
