Ubuntu under VSFTPD Virtual User Configuration

Source: Internet
Author: User

All of the following steps were performed on Ubuntu Server 14.04 x64.

Business requirements:

Create an FTP account User1 that can only log in to the /www directory and cannot change to the parent directory. For security reasons, files uploaded by this account must receive permission 644, that is, readable and writable but not executable.

I. Installing vsftpd

sudo apt-get -y install vsftpd

To list the files installed by the vsftpd package:

dpkg -L vsftpd | tac

II. vsftpd configuration

1. Create the system user, as follows:

sudo useradd -m -s /bin/bash ftpuser

Note: the ftpuser account created here cannot log in to the system because no password has been set for it. We do not need ftpuser to log in to the system at all, which is relatively safe.

After the user is created, create the corresponding directory and change its owner to that user, as follows:

sudo mkdir /www

sudo chown -R ftpuser:ftpuser /www/

With the user-related configuration done, we now create the user/password file login.txt used to log in to vsftpd. The file holds alternating lines, a user name on one line and its password on the next, as follows:

sudo mkdir /etc/vsftpd/

sudo vim /etc/vsftpd/login.txt

User1
Password1

After login.txt is ready, we convert it into a Berkeley DB hash file with db_load. This changes only the format, not the secrecy: the passwords remain readable in clear text inside login.db, so keep that file readable by root only. db_load is provided by the db-util package, so install it first, as follows:

sudo apt-get -y install db-util

Once db-util is installed, convert login.txt with db_load, as follows:

sudo db_load -T -t hash -f /etc/vsftpd/login.txt /etc/vsftpd/login.db

After login.db has been generated, we configure PAM authentication for vsftpd.

2. PAM authentication configuration

For vsftpd PAM authentication I did not use the /etc/pam.d/vsftpd file that was generated when vsftpd was installed.

Create the authentication file as follows:

sudo vim /etc/pam.d/vsftpd.virtual

auth required pam_userdb.so db=/etc/vsftpd/login
account required pam_userdb.so db=/etc/vsftpd/login

Note that db= takes the database path without the .db suffix; pam_userdb appends it itself.

The contents of vsftpd.virtual can also be adjusted to the OS version. I am using Ubuntu x64, so the module can also be given with its full path:

auth required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login
account required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd/login

3. vsftpd permissions configuration

According to the business requirements, /etc/vsftpd.conf is configured as follows (only the active lines are shown):

grep -vE "^#|^$" /etc/vsftpd.conf

listen=yes
listen_ipv6=no
anonymous_enable=no
local_enable=yes
write_enable=yes
local_umask=022
dirmessage_enable=yes
use_localtime=yes
xferlog_enable=yes
connect_from_port_20=yes
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=yes
chroot_local_user=yes
chroot_list_enable=no
allow_writeable_chroot=yes
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=no
guest_enable=yes
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
pasv_enable=yes
pasv_min_port=30000
pasv_max_port=31000

Merged into the default vsftpd.conf shipped by the package, the relevant part of the file looks like this (the commented lines are left as the package installed them):

#listen=yes
listen_ipv6=no
#anonymous_enable=no
#local_enable=yes
write_enable=yes
local_umask=022
#dirmessage_enable=yes
#use_localtime=yes
#xferlog_enable=yes
#connect_from_port_20=yes
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=yes
chroot_local_user=yes
chroot_list_enable=no
allow_writeable_chroot=yes
#secure_chroot_dir=/var/run/vsftpd/empty
#pam_service_name=vsftpd
#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=no
guest_enable=yes
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
pasv_enable=yes
pasv_min_port=30000
pasv_max_port=31000

Several points in the above configuration file deserve attention.

local_enable=yes
write_enable=yes
local_umask=022

These enable write access for the system user. In particular, write_enable=yes must be set, otherwise vsftpd virtual users will not be able to log in to vsftpd.

Why is that? Because the virtual user depends on the system user.

chroot_local_user=yes
chroot_list_enable=no
allow_writeable_chroot=yes

These three items confine vsftpd users to their login directory so they cannot switch to the parent directory.

guest_enable=yes
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu

These three items enable vsftpd virtual users and set the directory that holds the per-user configuration files.

pasv_enable=yes
pasv_min_port=30000
pasv_max_port=31000

These three items enable vsftpd passive mode and its port range.

4. Virtual user configuration

After the vsftpd configuration file has been modified, we now configure the permissions of the virtual user. As follows:

sudo mkdir /etc/vsftpd/vu

sudo vim /etc/vsftpd/vu/user1

guest_username=ftpuser
local_root=/www/
virtual_use_local_privs=yes
anon_umask=133

The file name under user_config_dir must match the login name exactly as the client sends it, since pam_userdb compares user names case-sensitively by default.

Among these parameters, guest_username=ftpuser sets the system user that the FTP account maps to, namely ftpuser.

local_root=/www/ is the directory the account lands in when it logs in to FTP.

virtual_use_local_privs=yes gives virtual users the same permissions as local users.

anon_umask is the default mask applied to uploaded files. The resulting permission is 777 minus anon_umask (strictly, the umask bits are cleared from the default mode, which for a regular file is 666). Here we set 133, so an uploaded file ends up as 644: readable and writable by the owning user, readable by others, and not executable.
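As an added example (not code from the original page), the script below parses the two vsftpd configuration files built above, resolves the repeated pam_service_name line the way vsftpd does (the last value wins), works out which umask actually applies to a virtual user's uploads, and lists the findings a reviewer would raise against the main file. The sample configs are constructed from the settings on this page; the umask rule follows the vsftpd.conf documentation, which gives virtual users anonymous privileges unless virtual_use_local_privs=YES.

```python
# Constructed sample of the two files this page builds; the repeated pam_service_name line is deliberate.
VSFTPD_CONF = """\
anonymous_enable=NO
local_umask=022
chroot_local_user=YES
allow_writeable_chroot=YES
pam_service_name=vsftpd
ssl_enable=NO
guest_enable=YES
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd/vu
"""
USER1_CONF = "guest_username=ftpuser\nlocal_root=/www/\nvirtual_use_local_privs=YES\nanon_umask=133\n"

def parse_conf(text):
    """key=value lines, '#' and blank lines skipped; returns (settings, repeated keys)."""
    conf, repeated = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = (s.strip() for s in line.partition("="))
            if key in conf:
                repeated.append(key)
            conf[key] = value            # later occurrence wins, as in vsftpd
    return conf, repeated

def on(conf, key):
    return conf.get(key, "NO").upper() == "YES"

def effective_modes(main, user):
    """(umask key applied, uploaded-file mode, created-directory mode) for a virtual
    user: anonymous privileges (anon_umask) unless virtual_use_local_privs=YES (local_umask)."""
    eff = {**main, **user}               # the per-user file overrides the main file
    key = "local_umask" if on(eff, "virtual_use_local_privs") else "anon_umask"
    umask = int(eff.get(key, "077"), 8)  # 077 is vsftpd's default for both
    return key, 0o666 & ~umask, 0o777 & ~umask

def audit(main, repeated):
    """Findings a reviewer would raise against the main configuration file."""
    findings = [f"{k} set more than once; vsftpd keeps the last value" for k in repeated]
    if on(main, "anonymous_enable"):
        findings.append("anonymous_enable=YES: anonymous logins permitted")
    if not on(main, "chroot_local_user"):
        findings.append("chroot_local_user=NO: users are not confined to local_root")
    if on(main, "allow_writeable_chroot"):
        findings.append("allow_writeable_chroot=YES: the chroot root itself is writable")
    if not on(main, "ssl_enable"):
        findings.append("ssl_enable=NO: credentials and data are sent in clear text")
    return findings
```

With the page's settings (virtual_use_local_privs=YES, local_umask=022) uploaded files get 644 and new directories 755; with virtual_use_local_privs=NO the anon_umask of 133 still gives 644 for files, but new directories would also be 644 and therefore not traversable.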

After all the above configuration is complete, restart vsftpd as follows:

sudo service vsftpd restart

III. iptables configuration

In a production environment we normally enable the firewall for safety. On Ubuntu we can use iptables for this.

The iptables configuration is as follows:

sudo iptables-save > /home/ilanni/iptables.rule

sudo iptables-restore < /home/ilanni/iptables.rule

sudo iptables -nL

To load the saved rules before the interface comes up and save them again when it goes down, add these two lines to the interface stanza:

sudo vim /etc/network/interfaces

pre-up iptables-restore < /home/ilanni/iptables.rule
post-down iptables-save > /home/ilanni/iptables.rule
