Security Configuration of vsftpd in Linux

Source: Internet
Author: User
Originally published on the Linux channel of IT Lab China (Linux system administration, desktop applications, kernel research, embedded systems and open source).

Project Introduction

At present there are three main FTP servers: wu-ftpd, ProFTPD and vsftpd. Of these, vsftpd has the strongest security record and good performance. (Not examined in detail; corrections may be made at any time if this is wrong.)

Well-known sites that use it include:

* ftp.redhat.com
* ftp.suse.com
* ftp.debian.org
* ftp.openbsd.org
* ftp.freebsd.org
* ftp.gnu.org
* ftp.gnome.org
* ftp.kde.org
* ftp.kernel.org
* rpmfind.net
* ftp.linux.org.uk
* ftp.gimp.org
* ftp-stud.fht-esslingen.de
* gd.tuwien.ac.at
* ftp.sunet.se
* ftp.ximian.com
* ftp.engardelinux.org
* ftp.sunsite.org.uk
* ftp.isc.org

If these well-known sites use it, I can be confident in it too.

Main Configuration

Basic configuration

To let local users use FTP while each user sees only their own directory, only vsftpd.conf needs to be edited; the file itself is commented in English.

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

With chroot_local_user=YES every local user is confined to their home directory, and /etc/vsftpd.chroot_list lists the exceptions: users named there are not chrooted. (Without chroot_local_user=YES the meaning of the list inverts and only the listed users are chrooted.) vsftpd 2.3.5 and later refuse a session whose chroot directory is writable by the user ("refusing to run with writable root inside chroot()"), so keep the home directory itself owned by root and not writable, and give the user a writable subdirectory below it.

Advanced configuration: virtual users

With virtual users, the FTP accounts do not exist as system accounts: they are all mapped onto a single system user name, but each can still be given its own home directory and its own set of permissions.

1) Create the guest (system) user

groupadd virtual
useradd -d /home/ftpsite -m -g virtual -s /bin/false virtual

Check /etc/passwd to confirm that the virtual user's shell is /bin/false, so that ssh, telnet and local console login are impossible for this account. Virtual FTP logins use only the PAM service set up in step 3, so this shell does not prevent FTP access.

2) Generate the virtual user database

apt-get install libdb3-util

Note that db3_load must be used to generate the hash file, not the default db4.2 db_load (see the note from the vsftpd README below). On current distributions the db_load from the db-util package matches the library pam_userdb is linked against, and no version-specific tool is needed.

cat login.txt
usera
123
userb
456

db3_load -T -t hash -f login.txt /etc/vsftpd.login.db
chmod 600 /etc/vsftpd.login.db

login.txt alternates user name and password lines. The passwords are stored in clear text both in login.txt and in the resulting database, so chmod 600 both files so that only root can read them, and delete login.txt once the database has been built.

zless /usr/share/doc/vsftpd/EXAMPLE/VIRTUAL_USERS/README.gz

NOTE: Your system may have multiple versions of "db" installed, so you may need to use e.g. db3_load for correct operation. This is known to affect some Debian systems. The core issue is that pam_userdb expects its login database to be a specific db version (often db3, whereas db4 may be installed on your system).

3) Create /etc/pam.d/vsftpd.vu with the following content:

auth required /lib/security/pam_userdb.so db=/etc/vsftpd.login
account required /lib/security/pam_userdb.so db=/etc/vsftpd.login

Note that db= is given without the .db suffix; pam_userdb appends it itself. On distributions where the PAM modules do not live in /lib/security, write just pam_userdb.so and PAM searches its default module directory.

4) Edit vsftpd.conf with the following content:

listen=YES
# a non-default listening port can be set here; the default (21) is used otherwise
#listen_port=10021
connect_from_port_20=YES
ftpd_banner=Welcome to virtual FTP service.
# no anonymous login
anonymous_enable=NO
# local (and therefore virtual) users may log in
local_enable=YES
# give virtual users the lowest permissions globally; the per-user files in step 5 grant more
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
# allow virtual users to log in; every such login is mapped to guest_username
guest_enable=YES
guest_username=virtual
pasv_min_port=30000
pasv_max_port=30999
# the PAM service file from step 3 (/etc/pam.d/vsftpd.vu)
pam_service_name=vsftpd.vu
# directory of per-user configuration files, see step 5
user_config_dir=/etc/vsftpd_user_conf
# transfer log
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log

vsftpd does not accept a comment after a value on the same line; a comment must be a line of its own starting with #. With guest_enable=YES every virtual login is treated like an anonymous login for permission purposes, which is why the anon_* options (not the local_* ones) are what restrict virtual users. The passive port range 30000-30999 must also be opened on any firewall in front of the server.

5) Per-user permission configuration

Each virtual user gets a file named after the user in user_config_dir (/etc/vsftpd_user_conf/usera for usera). vsftpd reads it after the main configuration, so it can relax the restrictive global defaults for that user only. Use chmod 600 so that all of these files are readable and writable by root only.

# allow downloading files that are not world-readable, such as the user's own uploads
# (uploads are created with anon_umask, 077 by default)
anon_world_readable_only=NO
# master switch for any command that changes the filesystem
write_enable=YES
# upload
anon_upload_enable=YES
# create directories
anon_mkdir_write_enable=YES
# rename and delete
anon_other_write_enable=YES
# directory the user is placed in (and chrooted to) after login
local_root=/tmp

These can be combined.

Upload, download and delete (full read/write):

anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_root=/usr/www/kjcroot/yangliudi

Upload and download, but no delete or rename:

anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=NO
local_root=/usr/www/kjcroot/yangliudi

Download only:

anon_world_readable_only=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_root=/usr/www/kjcroot/yangliudi

6) Start the service:

/etc/init.d/vsftpd start

(On systemd-based distributions: systemctl restart vsftpd.) Then log in with one of the virtual accounts, confirm in /var/log/vsftpd.log that the login was accepted, and check that the user cannot change directory above local_root.
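As an added example (not the article's own code, and not part of vsftpd), the following POSIX shell script stages everything from steps 2 to 5 into a scratch directory and lints it before anything is copied to /etc: it writes the restrictive main vsftpd.conf, one per-user file for each of the three permission profiles in step 5, and the login.txt that db_load turns into the pam_userdb database. The function names, the staging directory and the accounts usera/userb/userc with their passwords are assumptions made for the example; only the option names and the login.txt format come from the article and the vsftpd documentation.

```shell
#!/bin/sh
# Added example (not from the original article): stage the files that steps 2-5
# produce into a scratch directory and lint them before copying them to /etc.
# The function names are hypothetical helpers; the user names and passwords
# below are constructed sample data.

# make_login_txt USER:PASSWORD ... -> the alternating name/password lines that
# "db_load -T -t hash -f" expects. The resulting .db holds clear-text passwords.
make_login_txt() {
    for pair in "$@"; do
        printf '%s\n%s\n' "${pair%%:*}" "${pair#*:}"
    done
}

# write_main_conf DIR GUEST_USER -> DIR/vsftpd.conf with the restrictive global
# defaults from step 4. Comments must be whole lines: vsftpd has no trailing
# comments, so "write_enable=NO # x" is rejected as a bad boolean.
write_main_conf() {
    cat > "$1/vsftpd.conf" <<EOF
listen=YES
connect_from_port_20=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=$2
pasv_min_port=30000
pasv_max_port=30999
pam_service_name=vsftpd.vu
user_config_dir=$1/vsftpd_user_conf
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
EOF
}

# write_user_conf DIR USER PROFILE ROOT -> DIR/vsftpd_user_conf/USER
# PROFILE: rw (upload, mkdir, rename/delete), upload (upload and mkdir, no
# delete), ro (download only): the three combinations from step 5.
write_user_conf() {
    case "$3" in
        rw)     ro_only=NO;  w=YES; up=YES; mk=YES; other=YES ;;
        upload) ro_only=NO;  w=YES; up=YES; mk=YES; other=NO ;;
        ro)     ro_only=YES; w=NO;  up=NO;  mk=NO;  other=NO ;;
        *) echo "unknown profile: $3" >&2; return 1 ;;
    esac
    mkdir -p "$1/vsftpd_user_conf"
    printf '%s\n' "anon_world_readable_only=$ro_only" "write_enable=$w" \
        "anon_upload_enable=$up" "anon_mkdir_write_enable=$mk" \
        "anon_other_write_enable=$other" "local_root=$4" > "$1/vsftpd_user_conf/$2"
    chmod 600 "$1/vsftpd_user_conf/$2"   # root-only, as the article advises
}

# conf_get FILE KEY -> value of KEY (last occurrence wins), empty if unset
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_conf MAIN_CONF USER_CONF -> 0 if the pair matches the intent of the
# setup above, 1 (with the reason on stderr) otherwise.
check_conf() {
    for f in "$1" "$2"; do
        if grep -q '=.*[[:space:]]#' "$f"; then
            echo "$f: comment after a value on the same line" >&2; return 1
        fi
    done
    [ "$(conf_get "$1" anonymous_enable)" = NO ]   || { echo "anonymous login enabled" >&2; return 1; }
    [ "$(conf_get "$1" guest_enable)" = YES ]      || { echo "guest_enable=YES missing" >&2; return 1; }
    [ -n "$(conf_get "$1" guest_username)" ]       || { echo "guest_username missing" >&2; return 1; }
    [ "$(conf_get "$1" chroot_local_user)" = YES ] || { echo "virtual users not chrooted" >&2; return 1; }
    # anon_* grants do nothing unless write_enable=YES is set in the same file
    if [ "$(conf_get "$2" write_enable)" != YES ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            [ "$(conf_get "$2" "$k")" != YES ] || { echo "$2: $k=YES without write_enable=YES" >&2; return 1; }
        done
    fi
    case "$(conf_get "$2" local_root)" in
        /*) return 0 ;;
        *)  echo "$2: local_root must be an absolute path" >&2; return 1 ;;
    esac
}

# Stand-alone run ("sh script.sh stage"): stage into a temp dir and lint it.
if [ "${1:-}" = stage ]; then
    STAGE=$(mktemp -d)
    write_main_conf "$STAGE" virtual
    write_user_conf "$STAGE" usera rw     /home/ftpsite/usera
    write_user_conf "$STAGE" userb upload /home/ftpsite/userb
    write_user_conf "$STAGE" userc ro     /home/ftpsite/userc
    make_login_txt usera:123 userb:456 userc:789 > "$STAGE/login.txt"
    chmod 600 "$STAGE/login.txt"
    for u in usera userb userc; do
        check_conf "$STAGE/vsftpd.conf" "$STAGE/vsftpd_user_conf/$u" && echo "$u: ok"
    done
    echo "staged in $STAGE; build the database with: db_load -T -t hash -f $STAGE/login.txt vsftpd.login.db"
fi
```

Saved as, say, stage-vsftpd.sh and run with `sh stage-vsftpd.sh stage`, it prints the staging directory and one "ok" per profile. The lint catches the two mistakes that most often bite this setup: a comment placed after a value on the same line, which vsftpd rejects as a bad value at startup, and an anon_*_enable=YES in a per-user file whose write_enable is still NO, which grants nothing because write_enable is the master switch for every filesystem-changing command.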
