Project Introduction
At present there are three main FTP servers: wu-ftpd, vsftpd and ProFTPd. Of these, vsftpd has high security and better performance. (The settings below have not been tuned in detail; they may contain mistakes, which can be corrected at any time.)
Websites that primarily use it:
* ftp.suse.com
* ftp.debian.org
* ftp.openbsd.org
* ftp.freebsd.org
* ftp.gnu.org
* ftp.gnome.org
* ftp.kde.org
* ftp.kernel.org
* rpmfind.net
* ftp.linux.org.uk
* ftp.gimp.org
* ftp-stud.fht-esslingen.de
* gd.tuwien.ac.at
* ftp.sunet.se
* ftp.ximian.com
* ftp.engardelinux.org
* ftp.sunsite.org.uk
* ftp.isc.org
If these famous sites use it, I can be confident.
Main Configuration
Basic metrics
To let local users use FTP while each user sees only his or her own directory, you only need to edit the vsftpd.conf file. The configuration file must be described in English.

    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd.chroot_list

Users not listed in vsftpd.chroot_list are restricted to their home directories. In vsftpd the list has this meaning only when chroot_local_user=YES is also set; with the default chroot_local_user=NO, it is the users named in the list who are restricted.
Master
With virtual users, these users exist in the system as one user name, and you can set a different home directory for each.
1) Create a guest user

    groupadd virtual
    useradd -d /home/ftpsite -m virtual

Check the /etc/passwd file to make sure that the virtual user's shell is /bin/false, so that ssh, telnet and local login are prohibited.
2) Generate the virtual users

    apt-get install libdb3-util

Note that db3_load must be used to generate the hash file, instead of the default db4.2_load.
login.txt holds one user name per line, each followed by its password on the next line:

    cat login.txt
    usera
    123
    userb
    456
    db3_load -T -t hash -f login.txt /etc/vsftpd.login.db
    chmod 600 /etc/vsftpd.login.db

After chmod 600 the database can only be read by root.

    zless /usr/share/doc/vsftpd/EXAMPLE/VIRTUAL_USERS/README.gz
The content is as follows:
NOTE: Many systems have multiple versions of "db" installed, so you may need to use e.g. db3_load for correct operation. This is known to affect some Debian systems. The core issue is that pam_userdb expects its login database to be a specific db version (often db3, whereas db4 may be installed on your system).
3) Generate the /etc/pam.d/vsftpd.vu file with the following content:

    auth required /lib/security/pam_userdb.so db=/etc/vsftpd.login
    account required /lib/security/pam_userdb.so db=/etc/vsftpd.login
Note that there is no db suffix.
4) Modify the vsftpd.conf file with the following content. vsftpd does not allow spaces around "=" and only treats whole lines starting with "#" as comments, so each comment is on its own line:

    listen=YES
    # you can specify the listening port here, or use the default
    #listen_port=10021
    connect_from_port_20=YES
    ftpd_banner=Welcome to virtual FTP service.
    # do not allow anonymous login
    anonymous_enable=NO
    # allow local users to log on
    local_enable=YES
    write_enable=NO
    # set the virtual user permissions to the lowest level here;
    # the permissions each user needs are then set separately
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
    chroot_local_user=YES
    # allow virtual users to log on
    guest_enable=YES
    guest_username=virtual
    pasv_min_port=30000
    pasv_max_port=30999
    # the PAM service file created in step 3
    pam_service_name=vsftpd.vu
    # directory holding the per-user configuration files
    user_config_dir=/etc/vsftpd_user_conf
    # set the log file
    xferlog_enable=YES
    xferlog_file=/var/log/vsftpd.log
5) User permission configuration
Each virtual user's permissions go in a file named after that user in the user_config_dir directory (/etc/vsftpd_user_conf above). It is best to chmod 600 all of these files so that only root can read and write them.

    # allow browsing
    anon_world_readable_only=NO
    # allow writing
    write_enable=YES
    # allow uploads
    anon_upload_enable=YES
    # allow creating directories
    anon_mkdir_write_enable=YES
    # allow changing and deleting
    anon_other_write_enable=YES
    # directory to change root into
    local_root=/tmp
These can be combined.
Settings required for uploading, downloading, and deleting:

    anon_world_readable_only=NO
    write_enable=YES
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    local_root=/usr/www/kjcroot/yangliudi
Files can be uploaded but not deleted:

    anon_world_readable_only=NO
    write_enable=YES
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=NO
    local_root=/usr/www/kjcroot/yangliudi
Download only:

    anon_world_readable_only=YES
    write_enable=NO
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
    local_root=/usr/www/kjcroot/yangliudi
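vsftpd only accepts option=value lines with no spaces around "=" and treats only whole lines starting with "#" as comments, so a stray space or trailing comment in step 4 or in a per-user file breaks the setting. The following check is an added example, not part of the original article or of vsftpd: it parses such a file, reports lines in the wrong form, compares the result with the step 4 baseline, and lists what a per-user file grants. The function names and sample inputs are constructed for illustration, and an unset baseline option is treated as a gap by assumption.

```python
import re

# Least-privilege baseline from step 4 of the page: option -> expected value.
BASELINE = {
    "anonymous_enable": "NO", "write_enable": "NO", "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO",
    "chroot_local_user": "YES", "guest_enable": "YES",
}
TRUE, FALSE = {"YES", "TRUE", "1"}, {"NO", "FALSE", "0"}  # boolean spellings vsftpd accepts

def parse(text):
    """Parse vsftpd.conf-style text into (settings, errors)."""
    settings, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or whole-line comment
        m = re.fullmatch(r"([a-z0-9_]+)=(\S.*)", line)
        if not m:  # leading space, space around "=", or no "=" at all
            errors.append(f"line {n}: not in option=value form")
            continue
        key, val = m.groups()
        if key in BASELINE and val.upper() not in TRUE | FALSE:
            errors.append(f"line {n}: {key} is not a boolean (trailing comment?)")
            continue
        settings[key] = val
    return settings, errors

def as_bool(val):
    return "YES" if val.upper() in TRUE else "NO"

def baseline_gaps(settings):
    """Baseline options that are unset or differ from the step 4 value."""
    return sorted(k for k, want in BASELINE.items()
                  if k not in settings or as_bool(settings[k]) != want)

def user_grants(user_settings):
    """Baseline options a per-user file flips, i.e. what that user gains."""
    return sorted(k for k, v in user_settings.items()
                  if k in BASELINE and as_bool(v) != BASELINE[k])

# Constructed sample input: one good line, then two lines in a rejected form.
BROKEN = "anonymous_enable=NO\nwrite_enable = NO\nguest_enable=YES // virtual users\n"
# Constructed per-user file matching the "upload but not delete" combination.
UPLOAD_ONLY = ("anon_world_readable_only=NO\nwrite_enable=YES\nanon_upload_enable=YES\n"
               "anon_mkdir_write_enable=YES\nanon_other_write_enable=NO\n")

if __name__ == "__main__":
    print(parse(BROKEN)[1])
    print(baseline_gaps(parse(BROKEN)[0]))
    print(user_grants(parse(UPLOAD_ONLY)[0]))
```

Run `parse` and `baseline_gaps` over vsftpd.conf, and `user_grants` over each file in /etc/vsftpd_user_conf, to see which virtual users hold write or delete rights.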
6) /etc/init.d/vsftpd start