Build a Secure FTP Dropbox with vsftpd - Page 2

Best of ENP: Secure FTP, Part 1: Providing secure services for your users is a tough balancing act between best practice and ease of use. With vsftpd, you can set up a hardened ftp server quickly and easily. And come back next week for tips on handling the client side.

Print Article

Continued From Page 1

Creating An Upload Directory

Suppose you want your customers to FTP large files to you instead of gumming up your mail server with gigantic attachments. You probably don't want these files to be publicly accessible, and you really don't want to hassle with setting up special directories for every customer. No problem, there is a simple way to manage this.

First create a special upload directory. Mode 2733 allows write access only, and sets group ownership on all uploaded files to "nogroup." So users can upload files, but they cannot download files, or even see a directory listing:

# mkdir -m 2733 /home/ftp/upload

Then uncomment these lines in /etc/vsftpd.conf:


Restart vsftpd with /etc/init.d/vsftpd restart, then try it for yourself- you can put a file, but not geta file. Now all kinds of strange people can upload files to you, but only you can retrieve and read them. And even though you enabled write access, no one can FTP files to your root directory, because the download directory permissions are read-only. So you now have a download-only directory, and an upload-only directory. For the sake of tidiness and sensible organization, it's good to also create a downloads subdirectory, rather than using the root directory.


Usually a site like this is low-risk -- it's not likely that l33t hax0rs or other Internet vermin will find it and do mischief, because you're not advertising it to the world. But vsftpd comes with some simple access controls which can come in handy. The secure_email_list_enable=YES directive lets you set up a list of email passwords. The login is still "anonymous," but allowed users must enter their email address for the password. The default password file is /etc/vsftpd.email_passwords. List one password per line with no whitespaces.

Conversely, use the deny_email_enable=YES directive to deny access to certain email passwords. The default banned password file is /etc/vsftpd.banned_emails.

dirmessage_enable=YES looks for a .messagefile in each directory. This lets you greet users with a custom message, which is useful for giving instructions, warnings, lessons in philosophy, your latest spam haiku, whatever you like.

The ftpd_banner=[text] directive lets you write a custom banner, which is displayed at login. The default banner is the boring "(vsFTPd 2.0.1)." To get really fancy and display elaborate ASCII art, create a file containing all of your creativity and call it using the banner_file=[filename]directive.

Next week we'll take a detailed look at Linux and Windows FTP clients, and how to configure them for convenience and security.


Check out the vsftpd home page for downloads and documentation.

This article was originally published on Nov 10, 2004
Get the Latest Scoop with Networking Update Newsletter