Build a Secure FTP Dropbox with vsftpd - Page 2

By  Enterprise Networking Planet Staff | Nov 10, 2004

Continued From Page 1

Creating An Upload Directory

Suppose you want your customers to FTP large files to you instead of gumming up your mail server with gigantic attachments. You probably don't want these files to be publicly accessible, and you really don't want to hassle with setting up special directories for every customer. No problem, there is a simple way to manage this.

First, create a special upload directory. Mode 2733 allows write access only, and its setgid bit (the leading 2) sets group ownership on all uploaded files to "nogroup." So users can upload files, but they cannot download files, or even see a directory listing:

# mkdir -m 2733 /home/ftp/upload

Then uncomment these lines in /etc/vsftpd.conf:

write_enable=YES
anon_upload_enable=YES

Restart vsftpd with /etc/init.d/vsftpd restart, then try it for yourself: you can put a file, but not get a file. Now all kinds of strange people can upload files to you, but only you can retrieve and read them. And even though you enabled write access, no one can FTP files to your root directory, because the download directory permissions are read-only. So you now have a download-only directory, and an upload-only directory. For the sake of tidiness and sensible organization, it's good to also create a downloads subdirectory, rather than using the root directory.
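
To confirm the setup above took effect, here is an added example (not part of the original article) that audits the two vsftpd.conf directives and the upload directory's mode bits. It assumes GNU stat; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the upload-only dropbox.
# Assumes GNU stat ("stat -c %a"); the paths are whatever the caller passes.

# conf_enabled FILE KEY
# Succeeds only if KEY=YES appears uncommented. The vsftpd.conf man page
# forbids spaces around "=", so an exact line match is enough.
conf_enabled() {
    grep -q "^$2=YES\$" "$1"
}

# mode_findings OCTAL_MODE
# Prints one line for each way the mode departs from 2733; prints
# nothing when the directory is write-only with the setgid bit set.
mode_findings() {
    m=$((0$1))    # leading 0 makes the shell read the digits as octal
    [ $((m & 02000)) -ne 0 ] || echo "setgid bit is not set"
    [ $((m & 00044)) -eq 0 ] || echo "group or other has read (r): listings possible"
    [ $((m & 00002)) -ne 0 ] || echo "other lacks write (w)"
    [ $((m & 00001)) -ne 0 ] || echo "other lacks search (x)"
}

# audit_dropbox CONF DIR
# Prints every finding; no output means the setup matches the article.
audit_dropbox() {
    for key in write_enable anon_upload_enable; do
        conf_enabled "$1" "$key" || echo "$key=YES is missing or still commented out"
    done
    mode_findings "$(stat -c %a "$2")"
}

# Run as: sh audit.sh /etc/vsftpd.conf /home/ftp/upload
if [ "$#" -eq 2 ]; then
    audit_dropbox "$1" "$2"
fi
```

No output means both directives are active and the directory is still mode 2733; rerun it after package upgrades or permission changes.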

Refinements

Usually a site like this is low-risk -- it's not likely that l33t hax0rs or other Internet vermin will find it and do mischief, because you're not advertising it to the world. But vsftpd comes with some simple access controls which can come in handy. The secure_email_list_enable=YES directive lets you set up a list of email passwords. The login is still "anonymous," but allowed users must enter their email address for the password. The default password file is /etc/vsftpd.email_passwords. List one password per line with no whitespace.

Conversely, use the deny_email_enable=YES directive to deny access to certain email passwords. The default banned password file is /etc/vsftpd.banned_emails.

dirmessage_enable=YES looks for a .message file in each directory. This lets you greet users with a custom message, which is useful for giving instructions, warnings, lessons in philosophy, your latest spam haiku, whatever you like.

The ftpd_banner=[text] directive lets you write a custom banner, which is displayed at login. The default banner is the boring "(vsFTPd 2.0.1)." To get really fancy and display elaborate ASCII art, create a file containing all of your creativity and call it using the banner_file=[filename] directive.

Next week we'll take a detailed look at Linux and Windows FTP clients, and how to configure them for convenience and security.

Resources

Check out the vsftpd home page for downloads and documentation.
