|
|
This document is available in: English ChineseGB Deutsch Italiano Nederlands Turkce Polish |
by Mario M. Knopf <netzmeister/at/neo5k/dot/org> About the author: Mario enjoys to keep busy with Linux, networks and other topics concerning security related issues. In his spare time he takes care of two webpages: neo5k.org and linuxwallpapers.de. Translated to English by: Jürgen Pohl <sept.sapins/at/verizon.net> Content: |
vsftpd - An Introduction to the Very Secure FTP DaemonAbstract:
This article gives a basic introduction to the "Very Secure FTP
Daemon". I am beginning with a general description of FTP and
vsftpd. After that we will have a look at the installation,
configuration and start options of the vsftp daemon. We are
closing with a short functions test.
|
The FTP is using is the connection controlling TCP (Transmission Control Protocol) as transmission protocol which assures the arrival of the data at the recipient. Therefore there is no need for FTP to be concerned about paket loss or error checking during the data transfer. Simply expressed TCP makes sure that each data paket is arriving only once - without errors and in the correct sequence.
Data transmission differentiates between three different types of transfer whereas the completion of the stream mode is marked by an end-of-file (EOF) and in the two other transfer modii with an end-of-record (EOR) marker.
In addition there are two different transfer modes:
The ASCII-mode is being used for the transfer of text files, the binary mode is being used to transfer programs and similar data. The user does not need to select the transfer mode specifically since by now all FTP clients switch to the recognized type of file to be transfered.
Since the user recognicion and the password of the authentification are not encrypted it is very important to point out this potential security risk. This is the reason for some thoughts about the security of the FTP. In October 1997 RFC 2228[2] was finally published, which defined security specific addendums to the File Transfer Protocol.
The name vsftpd stands for "very secure FTP daemon", which is one of the primary concerns of developer Chris Evans. From the very beginning of the development and the design of the FTP server high security was one of the concerns.
One example is the fact that vsftpd is operated in chroot mode, which means a program (in this case vsftpd) is assigned a new root directory (l), it can no longer access programs or files outside of that directory - it is so to speak 'locked up'. Should a FTP-server be compromised the potential attacker will be isolated from the rest of the system and extensive damage will be prevented. More information on chroot can be found in the the artikel under [3]. Article[4] is recommended for those interested in the specific security mechanism of vsftpd
With the many features - of which the requirements for the security of the FTP-service should be the highest priority - vsftpd elevates itself significantly above the other FTP-servers. WU-FTPD[5] may be mentioned here as a negative example due to a variety of numerous security gaps in the past couple of years.
After getting the source unpack the tarball, go to the directory created and execute make. Here is a demonstration of the necessary commands:
neo5k@phobos> tar xzvf
vsftpd-x.x.x.tar.gz
neo5k@phobos> cd vsftpd-x.x.x
neo5k@phobos> make
neo5k@phobos> mkdir /var/ftp
neo5k@phobos> useradd -d /var/ftp ftp
neo5k@phobos> chown root.root /var/ftp
neo5k@phobos> chmod og-w /var/ftp
neo5k@phobos> make install
The manpages and the program should now be copied to the correct location in the data system. In case of unexpected complications manual copying of the files should do the job.neo5k@phobos> cp vsftpd /usr/sbin/vsftpd
neo5k@phobos> cp vsftpd.conf.5 /usr/share/man/man5
neo5k@phobos> cp vsftpd.8 /usr/share/man/man8
neo5k@phobos> cp vsftpd.conf /etc
# Comment line
# Anonymus FTP-access permitted?
YES/NO
anonymous_enable=NO
# Permit anonymus upload? YES/NO
anon_upload_enable=NO
# Permission for anonymus users to make new directories?
YES/NO
anon_mkdir_write_enable=NO
# Permission for anonymus users to do other write operations
- like renaming or deleting? YES/NO
anon_other_write_enable=NO
# Log on by local users permitted? YES/NO
local_enable=YES
# Shall local users be locked into their home directory?
YES/NO
chroot_local_user=YES
# Highest permitted data transfer rate in bytes per second
for local logged on users. Default = 0 (unlimited)
local_max_rate=7200
# General write permission? YES/NO
write_enable=YES
# Enable messages when changing directories? YES/NO
dirmessage_enable=YES
# Welcome banner at users logon.
ftpd_banner="Welcome to neo5k's FTP service."
# Activate logging? YES/NO
xferlog_enable=YES
# Logging of all FTP activities? YES/NO
# Careful! This can generate large quantities of
data.
log_ftp_protocol=NO
# Confirm connections are established on port 20 (ftp data)
only. YES/NO
connect_from_port_20=YES
# Timeout during idle sessions
idle_session_timeout=600
# Data connection timeout
data_connection_timeout=120
# Access through Pluggable Authentication Modules
(PAM)
pam_service_name=vsftpd
# Standalone operation? YES/NO - depending on operation mode
(inetd, xinetd, Standalone)
# The author's FTP service is being startet with xinetd,
therefore the value here is NO.
listen=NO
neo5k@phobos> vi /etc/inetd.conf
# ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd ftp stream tcp nowait root /usr/sbin/tcpd vsftpd
# vsftp daemon. service ftp { disable = no socket_type = stream wait = no user = root server = /usr/sbin/vsftpd per_source = 5 instances = 200 no_access = 192.168.1.3 banner_fail = /etc/vsftpd.busy_banner log_on_success += PID HOST DURATION log_on_failure += HOST nice = 10 }
# Shall the vsftp daemon run in standalone
operation? YES/NO
listen=YES
neo5k@phobos> /usr/sbin/vsftpd &
If the search path has been entered correctly this entry will do the startneo5k@phobos> vsftpd &
With the next entry we can check if the search path was entered correctly:neo5k@phobos> echo $PATH
/usr/sbin:/bin:/usr/bin:/sbin:/usr/X11R6/bin
neo5k@phobos> ftp phobos Connected to phobos 220 "Welcome to neo5k's FTP service." Name (phobos:neo5k): testuser 331 Please specify the password. Password: 230 Login successful Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -l 229 Entering Extended Passive Mode 150 Here comes the directory listing drwxr-xr-x 11 500 100 400 May 07 16:22 docs drwxr-xr-x 9 500 100 464 Feb 01 23:05 hlds drwxr-xr-x 39 500 100 4168 May 10 09:15 projects 226 Directory send OK. ftp>
Of course, this introduction offers only a small glimpse into the environment offered by vsftpd, since the FTP server is offering numerous possibilities of configuration. Those of you who would like to research vsftpd more in depth should visit the project page[6] and review the extensive documentation.
|
Webpages maintained by the LinuxFocus Editor team
© Mario M. Knopf, FDL LinuxFocus.org |
Translation information:
|
2004-06-15, generated by lfparser version 2.46