Build a Secure FTP Dropbox with vsftpd

By Enterprise Networking Planet Staff | Nov 10, 2004 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3434071/Build-a-Secure-FTP-Dropbox-with-vsftpd.htm

FTP (define) servers are wonderful things. They are quick to set up and endlessly useful. It's a quick and easy way for users to share files. Businesses that depend on large file transfers, such as printers and design houses, should use FTP. You can set up an upload directory for customers in the hopes of training them to transfer huge files via FTP, instead of attached to email. And believe it or not, this is usually successful. The key to getting reluctant users to use FTP is to help them set up their FTP clients so that they can transfer files with just a few mouse clicks. (Y'all be sure to come next week for a detailed look at FTP clients.)

The tricky part about running an FTP server is keeping it secure. FTP is an insecure protocol -- all traffic is sent in cleartext. So don't use it for sensitive documents.

Of greater concern to hardworking sysadmins is the possibility of an attacker exploiting FTP server weaknesses to gain control of the entire system. For example WU-FTPD, one of the most popular FTP servers, has a long history of being compromised. And WU-FTPD is not alone -- all FTP servers have experienced security troubles at one time or another.

vsftpd

Enter vsftpd, "very secure ftpd," which was built from the ground up to be secure. vsftpd bills itself as "Probably the most secure and fastest FTP server for UNIX-like systems." It's certainly the most confident. vsftpd boasts a stellar list of users: Red Hat, SuSE, Debian, Gnome, Kernel.org, and many other F/OSS (free/open source) luminaries run their public FTP repositories with vsftpd.

Installation

Source tarball, RPM, apt-get, Yum, whatever -- you know the drill. Even if you install it from a package, be sure to visit the online source tree to read example configurations and all the READMEs. Then start it up to test that it installed correctly:

# /etc/init.d/vsftpd start

And test that it's running:

# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN

Confirm that /etc/vsftpd.conf has these two settings:

anonymous_enable=YES
listen=YES

And that's it. Your anonymous server is ready for use.

Log In To Your Anonymous FTP Server

By default, vsftpd installs as an anonymous FTP server. Go ahead and log in:

$ ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.1)
Name (localhost:carla): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

You must use "anonymous" as the login name, but anything will work for the password- just hit the return key or type random gibberish. The usual convention is to use an email address. If you run the ls command, you'll see there are no files yet. Because you must put them there. The default ftp directory is /home/ftp. Go ahead, put some files in there, then run ls to see them.

Test Drive

Just for fun, copy some files into your nice new vsftpd server by grabbing some random files and plunking them down in /home/ftp. Then log in, display a directory listing, and download a file:

ftp> ls
229 Entering Extended Passive Mode (27401|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 65534 23256 Nov 10 03:16 sthelens8.jpg
-rw-r--r-- 1 0 65534 10821 Nov 10 03:16 lord-hints
-rw-r--r-- 1 0 65534 26777 Nov 10 03:16 sthelens9.jpg
226 Directory send OK.
ftp> get lord-hints
local: lord-hints remote: lord-hints
229 Entering Extended Passive Mode (6219|)
150 Opening BINARY mode data connection for lord-hints (10821 bytes).
100% |****************| 10821 843.43 KB/s 00:00 ETA
226 File send OK.
10821 bytes received in 00:00 (824.41 KB/s)
ftp>

See? As easy as falling asleep. Now try uploading a file:

ftp> put testfile.txt
local: testfile.txt remote: testfile.txt
229 Entering Extended Passive Mode (55468|)
550 Permission denied.
ftp>

You can't do it, because vsftpd is looking out for you. It will allow uploads only if you configure it do so.

Continued on page 2: Creating An Upload Directory

Continued From Page 1

Creating An Upload Directory

Suppose you want your customers to FTP large files to you instead of gumming up your mail server with gigantic attachments. You probably don't want these files to be publicly accessible, and you really don't want to hassle with setting up special directories for every customer. No problem, there is a simple way to manage this.

First create a special upload directory. Mode 2733 allows write access only, and sets group ownership on all uploaded files to "nogroup." So users can upload files, but they cannot download files, or even see a directory listing:

# mkdir -m 2733 /home/ftp/upload

Then uncomment these lines in /etc/vsftpd.conf:

write_enable=YES
anon_upload_enable=YES

Restart vsftpd with /etc/init.d/vsftpd restart, then try it for yourself- you can put a file, but not get a file. Now all kinds of strange people can upload files to you, but only you can retrieve and read them. And even though you enabled write access, no one can FTP files to your root directory, because the download directory permissions are read-only. So you now have a download-only directory, and an upload-only directory. For the sake of tidiness and sensible organization, it's good to also create a downloads subdirectory, rather than using the root directory.

Refinements

Usually a site like this is low-risk -- it's not likely that l33t hax0rs or other Internet vermin will find it and do mischief, because you're not advertising it to the world. But vsftpd comes with some simple access controls which can come in handy. The secure_email_list_enable=YES directive lets you set up a list of email passwords. The login is still "anonymous," but allowed users must enter their email address for the password. The default password file is /etc/vsftpd.email_passwords. List one password per line with no whitespaces.

Conversely, use the deny_email_enable=YES directive to deny access to certain email passwords. The default banned password file is /etc/vsftpd.banned_emails.

dirmessage_enable=YES looks for a .message file in each directory. This lets you greet users with a custom message, which is useful for giving instructions, warnings, lessons in philosophy, your latest spam haiku, whatever you like.

The ftpd_banner=[text] directive lets you write a custom banner, which is displayed at login. The default banner is the boring "(vsFTPd 2.0.1)." To get really fancy and display elaborate ASCII art, create a file containing all of your creativity and call it using the banner_file=[filename] directive.

Next week we'll take a detailed look at Linux and Windows FTP clients, and how to configure them for convenience and security.

Resources

Check out the vsftpd home page for downloads and documentation.