Build a Secure FTP Dropbox with vsftpd
Best of ENP: Secure FTP, Part 1: Providing secure services for your users is a tough balancing act between best practice and ease of use. With vsftpd, you can set up a hardened ftp server quickly and easily. And come back next week for tips on handling the client side.
FTP servers are wonderful things. They are quick to set up and endlessly useful. It's a quick and easy way for users to share files. Businesses that depend on large file transfers, such as printers and design houses, should use FTP. You can set up an upload directory for customers in the hopes of training them to transfer huge files via FTP, instead of attached to email. And believe it or not, this is usually successful. The key to getting reluctant users to use FTP is to help them set up their FTP clients so that they can transfer files with just a few mouse clicks. (Y'all be sure to come back next week for a detailed look at FTP clients.)
The tricky part about running an FTP server is keeping it secure. FTP is an insecure protocol -- all traffic is sent in cleartext. So don't use it for sensitive documents.
Of greater concern to hardworking sysadmins is the possibility of an attacker exploiting FTP server weaknesses to gain control of the entire system. For example WU-FTPD, one of the most popular FTP servers, has a long history of being compromised. And WU-FTPD is not alone -- all FTP servers have experienced security troubles at one time or another.
Source tarball, RPM, apt-get, Yum, whatever -- you know the drill. Even if you install it from a package, be sure to visit the online source tree to read example configurations and all the READMEs. Then start it up to test that it installed correctly:
# /etc/init.d/vsftpd start
And test that it's running:
# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
Confirm that /etc/vsftpd.conf has these two settings:
And that's it. Your anonymous server is ready for use.
Log In To Your Anonymous FTP Server
By default, vsftpd installs as an anonymous FTP server. Go ahead and log in:
$ ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.1)
Name (localhost:carla): anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
You must use "anonymous" as the login name, but anything will work for the password; just hit the return key or type random gibberish. The usual convention is to use an email address. If you run the ls command, you'll see there are no files yet, because you must put them there. The default ftp directory is /home/ftp. Go ahead, put some files in there, then run ls to see them.
Just for fun, copy some files into your nice new vsftpd server by grabbing some random files and plunking them down in /home/ftp. Then log in, display a directory listing, and download a file:
229 Entering Extended Passive Mode (27401|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 65534 23256 Nov 10 03:16 sthelens8.jpg
-rw-r--r-- 1 0 65534 10821 Nov 10 03:16 lord-hints
-rw-r--r-- 1 0 65534 26777 Nov 10 03:16 sthelens9.jpg
226 Directory send OK.
ftp> get lord-hints
local: lord-hints remote: lord-hints
229 Entering Extended Passive Mode (6219|)
150 Opening BINARY mode data connection for lord-hints (10821 bytes).
100% |****************| 10821 843.43 KB/s 00:00 ETA
226 File send OK.
10821 bytes received in 00:00 (824.41 KB/s)
See? As easy as falling asleep. Now try uploading a file:
ftp> put testfile.txt
local: testfile.txt remote: testfile.txt
229 Entering Extended Passive Mode (55468|)
550 Permission denied.
You can't do it, because vsftpd is looking out for you. It will allow uploads only if you configure it to do so.
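As an added example (not code from the article or from the vsftpd project), the script below parses a vsftpd.conf and checks it against the write-only dropbox rules: anonymous uploads on, but no directory creation, deletion or renaming, restrictive permissions on new files, and uploads handed off to another account. The option names are the standard vsftpd.conf ones; both sample configurations are constructed, and the "dropbox" user name is a placeholder.

```python
# Added example: audit a vsftpd.conf for write-only anonymous-dropbox settings.
# Option names are standard vsftpd.conf options; both sample configs below are
# constructed, and "dropbox" is a placeholder for an unprivileged local account.
LOOSE_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_umask=022
"""
HARDENED_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_umask=077
chown_uploads=YES
chown_username=dropbox
"""

def parse_vsftpd_conf(text: str) -> dict:
    """vsftpd syntax: one option=value per line, '#' comments, no spaces around '='."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def is_yes(conf: dict, key: str, default: str = "NO") -> bool:
    return conf.get(key, default).upper() == "YES"

def audit_dropbox(conf: dict) -> list:
    """Return findings (empty = dropbox rules hold); defaults mirror vsftpd's own."""
    findings = []
    if not (is_yes(conf, "write_enable") and is_yes(conf, "anon_upload_enable")):
        findings.append("uploads off: need write_enable=YES and anon_upload_enable=YES")
    if is_yes(conf, "anon_mkdir_write_enable") or is_yes(conf, "anon_other_write_enable"):
        findings.append("anon_mkdir/other_write_enable=YES: anonymous users can alter the tree")
    if conf.get("anon_umask", "077") != "077":
        findings.append("anon_umask not 077: uploads are group/world readable")
    if not is_yes(conf, "chown_uploads"):
        findings.append("chown_uploads=NO: uploads stay owned by the ftp account")
    elif conf.get("chown_username", "root") == "root":
        findings.append("chown_username is root: use a dedicated unprivileged account")
    return findings
```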