{ "created": "2015-12-20T19:56:41Z", "hierarchy": [ { "name": "ROOT", "type": "folder", "uri": "/ROOT" }, { "name": "VsFTPd Notes", "type": "article", "uri": "VsFTPd_Notes" } ], "html": "
VsFTPd Notes – Nikhil's Personal Wiki

VsFTPd Notes
============

[TOC]

Pre-Install notes
-----------------

The "Very Secure FTP Daemon" is a highly configurable package in many
aspects. These include virtual users, SSL transfers, chrooting, and so
on. This guide sets up VSFTP with the following features:

* A modified FTP root at `/tempftpdir`
* A sample virtual user called `tempuser`
* The user will be chrooted to `/tempftpdir/tempuser`
* All transactions will take place over implicit SSL
* The daemon will run as a standalone service (i.e. will not
  involve xinetd)

Download and install VSFTPD and associated packages
---------------------------------------------------

```bash
yum install vsftpd db4-utils db4
```

The last two packages are for the Berkeley DB which PAM uses to look up
virtual users and their passwords.

### Basic configuration

The config file is found at `/etc/vsftpd/vsftpd.conf`. Here are the
pertinent directives which have changed from the original file (which
I'm assuming you will back up before trying this stuff.)

```ini
anonymous_enable=NO
dirmessage_enable=NO
xferlog_file=/var/log/vsftpd.xferlog.tempftpdir.log
ftpd_banner=Welcome to the CLCG FTP droppoint. Please note that all activity is logged.

# Comment this directive out (we will be using another for virtual users)
#pam_service_name=vsftpd
```

Managing virtual users
----------------------

### Create the database

You will need to create a text file which has the usernames and
passwords on alternating lines (username, then its password, one per
line). E.g.

```
user1
password1
user2
password2
```

In this case, I'm going to create a user called **tempuser** with the
password **tempuserpass**. So I create a file called "userlist.txt" with
the following contents:

```
tempuser
tempuserpass
```

Now I can create the database for PAM using this:

```bash
db_load -T -t hash -f userlist.txt vsftpd-virtual-user.db
```

The PAM configuration below expects this database at
`/etc/vsftpd/vsftpd-virtual-user.db`, so run the command from inside
`/etc/vsftpd` (or move the file there afterwards). Both `userlist.txt`
and the `.db` file hold the passwords in plain text, so make them
readable by root only (`chmod 600`).

### Configure the home directory

Since the FTP root is `/tempftpdir`, you will need to add a home directory
that `tempuser` can be chrooted to.

```bash
mkdir /tempftpdir/tempuser
chown -R ftp:ftp /tempftpdir
```

It should be obvious why `ftp:ftp` owns this directory; `tempuser` is
a *virtual* user and so does not have any entry in `/etc/passwd`! Virtual
users are mapped onto the local account named by `guest_username`, which
is `ftp` unless you set it to something else.

### Tell PAM about the database

Head over to `/etc/pam.d/` and create a file
called `vsftpd.withvirtualusers`. The filename
can be anything you want. You will need to remember it later!

Add the following to the new file (note that `pam_userdb` appends the
`.db` suffix to the `db=` path itself, so it is left off here):

```
#%PAM-1.0
auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
session    required     pam_loginuid.so
```

### Configuring VSFTPD to have virtual users

Append the following to the configuration file:

```ini
# Allow virtual users
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER

# Change the FTP root
local_root=/tempftpdir/$USER
chroot_local_user=YES
hide_ids=YES

# Use the new file we just created; this is why it was commented earlier!
pam_service_name=vsftpd.withvirtualusers

# Define passive ports
pasv_min_port=12000
pasv_max_port=12003
```

At this point, you should be ready to start the service. However, you
need to poke a hole in your firewall to allow FTP connections.

Configuring IPTABLES to allow FTP
---------------------------------

```
# Allow VSFTPD and associated passive connections
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 12000:12003 -j ACCEPT
```

Restart the iptables service (do it properly and use `iptables-save`
and `iptables-restore`).

Start the service
-----------------

```bash
service vsftpd start
```

Check if it's listening on port 21 by trying this...

```bash
netstat -tulpn | grep :21
```

... and seeing something like this:

```
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      29790/vsftpd
```

Try it out by logging in as `tempuser` with `tempuserpass`. All should go well :)

Securing VSFTPD with SSL
------------------------

Assuming things have been amazing thus far, you can now SSL-enable the
service for logins and transfers.

### Generate an RSA certificate

```bash
cd /etc/vsftpd
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
```

(A 1024-bit RSA key was common when this was written but is no longer
considered strong enough; on a current system use `rsa:2048` or larger.)

Here's the standard output of this command:

```
Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Iowa
Locality Name (eg, city) [Newbury]:Iowa City
Organization Name (eg, company)  [My Company Ltd]:Coordinated Laboratory for Computational Genomics
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ftp.example.com
Email Address []:clcg.it@gmail.com
```

### SSL-enable VSFTPD

Open up `/etc/vsftpd/vsftpd.conf` and append the following:

```ini
# Enable SSL
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
```

Your certificate must be in PEM format and include *both* the certificate
and the private key. Since the file carries the private key, keep it
readable by root only. Here's an example of what it would look like:

```
-----BEGIN CERTIFICATE-----
MIIEHTCCA4agAwIBAgIBFjANBgkqhkiG9w0BAQUFADCB1zELMAkGA1UEBhMCVVMx
DTALBgNVBAgTBElvd2ExEjAQBgNVBAcTCUlvd2EgQ2l0eTEfMB0GA1UEChMWVGhl
IFVuaXZlcnNpdHkgb2YgSW93YTE+MDwGA1UECxM1VGhlIENvb3JkaW5hdGVkIExh
Ym9yYXRvcnkgZm9yIENvbXB1dGF0aW9uYWwgR2Vub21pY3MxHjAcBgNVBAMTFXN1
cHBvcnQuZW5nLnVpb3dhLmVkdTEkMCIGCSqGSIb3DQEJARYVc3VwcG9ydEBlbmcu
dWlvd2EuZWR1MB4XDTEyMDQyNzE4MDgwMFoXDTIyMDQyNTE4MDgwMFowgb8xCzAJ
BgNVBAYTAlVTMQ0wCwYDVQQIEwRJb3dhMR8wHQYDVQQKExZUaGUgVW5pdmVyc2l0
eSBvZiBJb3dhMT4wPAYDVQQLEzVUaGUgQ29vcmRpbmF0ZWQgTGFib3JhdG9yeSBm
b3IgQ29tcHV0YXRpb25hbCBHZW5vbWljczEaMBgGA1UEAxMRcWluLmVuZy51aW93
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCYdLYqvSJ4XYiJwl2Bcmc7A/bs
7RbmeEqmdCBEF/ORZ1Qz3PZkAgDiaSNCdNU8/Z1RMzK8yxQpNTlUO0rTTxmEpCkl
TLMfvGL5+ef8dry9+dT9VZZTncW9GizQpAlKd9Bix3I7XHN/1MdjWs4zmvjgxARX
qYGKCLrwBX8VueimV2h1ac50ngAxMHMjQGF6LvdqkGJcwOfg/ArWU5dlu1U9DkAI
1QvhTqu0+GfvPKbdVp3VdxPJwbCxBFRbiao7QgrnHBSwnhExR6engcPMMcto3b+R
N+1CJ5RyMmpPVRF9dx+ey3WsZkZBmpCpMMUM8UqMrGyRE36OVnloOPRC3WkCAwEA
AaOBijCBhzAJBgNVHRMEAjAAMDoGCWCGSAGG+EIBDQQtFitDTENHIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZSAoT3BlblNTTCB2MC45LjYpMB0GA1UdDgQWBBTKWGxGUSgn
VW1NrP/04akS1qXtBDAfBgNVHSMEGDAWgBSMMdfJB8d71bkJ62WSA8T2X2GrBTAN
BgkqhkiG9w0BAQUFAAOBgQAhJpwbcbUS7pLYEahppPin5+6DDtPNqTjVvpHHjpL0
ZMYEw1E8STzc96FlWO1r/NrHrB1R3qqn5Ptynk7hEH0IrIJjWhv36GCDEvTxpQri
Kir4Qt3i5hFWiSJnB5/BrRcqnHFYKhcwZvF72Da3B1oxQPI9J0eaAxHLiYfUVfys
IA==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA0Jh0tiq9InhdiInCXYFyZzsD9uztFuZ4SqZ0IEQX85FnVDPc
9mQCAOJpI0J01Tz9nVEzMrzLFCk1OVQ7StNPGYSkKSVMsx+8Yvn55/x2vL351P1V
llOdxb0aLNCkCUp30GLHcjtcc3/Ux2NazjOa+ODEBFepgYoIuvAFfxW56KZXaHVp
znSeADEwcyNAYXou92qQYlzA5+D8CtZTl2W7VT0OQAjVC+FOq7T4Z+88pt1WndV3
E8nBsLEEVFuJqjtCCuccFLCeETFHp6eBw8wxy2jdv5E37UInlHIyak9VEX13H57L
daxmRkGakKkwxQzxSoysbJETfo5WeWg49ELdaQIDAQABAoIBAQCPiakeRXCajKsI
LouB3naD1JdYzhYjoPn7nGjiXxkAMPkidwHAxnaedy4T5kIRDgQSwfJyInm36NdI
GM8oIRoYHC7+ZT1PMTJoBU3TNeXa4PtOdfj0FZvGmuatGfEWt5iU27QUxgZLMBaS
++8Joqb6k5M3pfbuA0wtf083EN/mz20pIC2q/EEWd7Za8PPb7+t8iWMnLECg5Ulp
urSj37X9p7M5b3Spf3FksL5YKG/tzvHa7+9hRFScpldt+dKDtN5SKxanlObD10Dv
RRFqzVwBAoGBAO1YJRnTfYFqCl+Bt311Vtm8TDqYRBNlfaZjX+dG20zEX8LjLbXl
YumrdD62uii+KhJVzLyIwh++cKB5MCR2PZZwPX+WAJ5vGk7pfHEi+/5dPttM5k0q
gtirDlwaGJjTa4lVQTP/x0uxGMT03b8+q9qzDcdisx+7EMtS3EZuNWvpAoGBAOD9
042RpbyTNXfa38Bl2Or2wuuB5Z2T9Zu9+WlnqdwrXNx9ocRl2XyYJVwfL7DY9nSr
9VJF/aWe5Bmc9/um6/IGry0auw7M4vGBSRNIFFx5411DIheVdsuZPZT+Hop6woUk
Xr91AtJhpOci4uErmgq9HM8OA3NAWShRLDIDFnWBAoGBAMhGOcBKMrxyQ2CF79SA
oBHJDzXeaItJd7ZgYnug0co8ZmXoFxlG/6kXkVaeEAXzOUMRfVqVt+DbbOQsftA1
qhB4k5xGci0+qR9vbB93mtXvzut0P11cAt9bsBlNt/W1aSeQdh2vtncLcFA6I6eN
9avsrTLS+T1MN4aqW89ejduJAoGBAKrTLa+cOQkvf/YrYZ1z9rmXd7FWI997uoxw
NhE4mvhGmC/010EFz5ZQ8nS6XPxaDu3Qree0qnv4Ytmrm4EfYJ+XQaPuWr5HA7w3
3CLepE7+YImr8hOT8OluxRn9w3SC9nQehC27itPvPUQc8cPi1gd3RItU6Xu1DLyW
vQaP35qBAoGAbfJUtnAk/FuFFQ3bUmOyqC44lURYXqpDBWlTCiA6cXoZ5ciudcW3
vhIGg1EPda+fliy1LolV1AjG73+vnDgykggu8H1fOKEv7MfvsaLwGUovsz5MeXN+
xTI8WOKyrAg8ON1DI3uWVhb07HBUGcWS1vUxESXqa9K4+bAbRYFT/9U=
-----END RSA PRIVATE KEY-----
```

### Restart the service

```bash
service vsftpd condrestart
```

You can now use an FTP client which supports implicit SSL (Transmit and
Fugu for OS X, FileZilla, etc) and try out the connection. Note that with
the directives above vsftpd still greets the client in plain text on port 21
and negotiates TLS afterwards (the `AUTH TLS` upgrade), which most clients
label "explicit" FTPS; a session that is encrypted from the first byte
requires `implicit_ssl=YES` and is normally served on port 990. The ordinary
`ftp` won't work and will give you the
following error:

```
Connected to ftp.example.com.
220 Welcome to the FTP droppoint. Please note that all activity is logged.
Name (ftp.example.com:tech): tempuser
530 Non-anonymous sessions must use encryption.
```

If you're a command-line freak like I am, you can always use
`ftp-ssl`.

Other notes
-----------

* The passive ports *must* be defined! Not doing so will result in a
  very long delay between initiating a connection and viewing a
  directory listing.
* VSFTPD can be configured for anonymous logins whereby a user can
  download a file but not upload anything (like the CentOS mirrors.)
* Add `listen_address=127.0.0.1` to listen on a given address.

Resources
---------

### Script to add users to database

```bash
#!/bin/bash

# Add a virtual FTP user to VsFTPd's Berkeley DB
# by Nikhil Anand,  Mon Feb 22 09:30:45 CST 2010

# Paths to config path and custom FTP directory
VSFTPDPATH="/etc/vsftpd"
DROPPOINT="/data/ftp"
USERLIST="$VSFTPDPATH/userlist.txt"
USERDB="$VSFTPDPATH/vsftpd-virtual-user.db"

# Usage information
if [ $# -ne 2 ]; then
  echo -e "USAGE: $(basename "$0") <username> <password>\n"
  echo -e "       Using this without the parameters will refresh the DB used by the VsFTP daemon"
  db_load -T -t hash -f "$USERLIST" "$USERDB"
  echo -e "       Database refreshed."
  echo -e "       Edit $USERLIST to make any changes to virtual users."
  echo -e "       Run this script again when you're done."
  exit
fi

# Define username and password
USERNAME="$1"
PASSWORD="$2"

# Add username and password to the flat text file (username on one line,
# password on the next, which is what db_load -T reads)
echo "$USERNAME" >> "$USERLIST"
echo "$PASSWORD" >> "$USERLIST"
echo -e "Added $USERNAME to $USERLIST"

# Refresh the Berkeley DB to reflect these additions
db_load -T -t hash -f "$USERLIST" "$USERDB"
# Both files hold plaintext passwords; keep them private to root
chmod 600 "$USERLIST" "$USERDB"
echo -e "Reloaded database \"vsftpd-virtual-user.db\""

# Create a home directory inside the FTP directory
mkdir -p "$DROPPOINT/$USERNAME"
chown -R ftp:ftp "$DROPPOINT/$USERNAME"
echo -e "Created and changed permissions for $DROPPOINT/$USERNAME"
```

### Relevant web URIs

* [Good explanation of Active and Passive mode FTP](http://slacksite.com/other/ftp.html)
* [VSFTPD documentation](http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s2-ftp-servers-vsftpd.html)
", "id": "027caa4d-6ae2-5b31-98af-e829ebb3bb66", "modified": "2023-05-03T20:33:13Z", "revisions": [ { "authorEmail": "mail@nikhil.io", "authorName": "Nikhil Anand", "date": "2023-05-03T20:33:13Z", "id": "13fd9aa2c17070823012a12dd946d050e3ed6bf3", "shortId": "13fd9aa2", "subject": "Initial commit\n" }, { "authorEmail": "mail@nikhil.io", "authorName": "Nikhil Anand", "date": "2015-12-28T17:19:15Z", "id": "559adc3731d81f3885a2ab467505f5117a0f480e", "shortId": "559adc37", "subject": "Merge branch 'master' of github.com:afreeorange/wiki.nikhil.io.articles\n" }, { "authorEmail": "mail@nikhil.io", "authorName": "Nikhil Anand", "date": "2015-12-27T07:27:56Z", "id": "5a5b1a32f41081d062ab86f8869a961bcad79668", "shortId": "5a5b1a32", "subject": "Fix Markdown conversion\n\nSaw half a season of The Office\n" }
So I create a file called \"userlist.txt\" with\nthe following contents:\n\n tempuser \n tempuserpass\n\nNow I can create the database for the PAM using this:\n\n db_load -T -t hash -f userlist.txt vsftpd-virtual-user.db\n\n### Configure the home directory\n\nSince the FTP root is `/tempftpdir`, you will need to add a home directory \nthat `tempuser` can be chrooted to.\n\n mkdir /tempftpdir/tempuser \n chown -R ftp:ftp /tempftpdir\n\nIt should be obvious why `ftp:ftp` owns this directory; `tempuser` is \na *virtual* user and so does not have any entry in `/etc/passwd`!\n\n### Tell PAM about the database\n\nHead over to `/etc/pam.d/` and create a file\ncalled `vsftpd.withvirtualusers` The filename\ncan be anything you want. You will need to remember it later!\n\nAdd the following to the new file:\n\n #%PAM-1.0 \n auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user \n account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user \n session    required     pam_loginuid.so\n\n### Configuring VSFTPD to have virtual users\n\nAppend the following to the configuration file:\n\n```bash\n# Allow virtual users \nvirtual_use_local_privs=YES \nguest_enable=YES \nuser_sub_token=$USER \n \n# Change the FTP root  \nlocal_root=/tempftpdir/$USER \nchroot_local_user=YES \nhide_ids=YES \n \n# Use the new file we just created; this is why it was commented earlier! \npam_service_name=vsftpd.withvirtualusers \n \n# Define passive ports \npasv_min_port=12000 \npasv_max_port=12003\n```\n\nAt this point, you should be ready to start the service. 
However, you\nneed to poke a hole in your firewall to allow FTP connections\n\nConfiguring IPTABLES to allow FTP\n---------------------------------\n\n # Allow VSFTPD and associated passive connections \n -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 21 -j ACCEPT \n -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 12000:12003 -j ACCEPT\n\nRestart the iptables service (do it properly and use `iptables-save` \nand `iptables-restore`)\n\nStart the service\n-----------------\n\n service vsftpd start\n\nCheck if it's listening to port 21 by trying this...\n\n netstat -tulpn | grep :21\n\n... and seeing something like this:\n\n tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      29790/vsftpd\n\nTry it out by logging in as `tempuser` with `tempuserpass`. All should go well :)\n\nSecuring VSFTPD with SSL\n------------------------\n\nAssuming things have been amazing thus far, you can now SSL enable the\nservice for logins and transfers.\n\n### Generate an RSA certificate\n\n cd /etc/vsftpd \n openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem\n\nHere's the standard output of this command:\n\n```\nGenerating a 1024 bit RSA private key\n.......++++++ \n........................................++++++ \nwriting new private key to '/etc/vsftpd/vsftpd.pem' \n----- \nYou are about to be asked to enter information that will be incorporated \ninto your certificate request. \nWhat you are about to enter is what is called a Distinguished Name or a DN. \nThere are quite a few fields but you can leave some blank \nFor some fields there will be a default value, \nIf you enter '.', the field will be left blank. 
\n----- \nCountry Name (2 letter code) [GB]:US \nState or Province Name (full name) [Berkshire]:Iowa \nLocality Name (eg, city) [Newbury]:Iowa City \nOrganization Name (eg, company)  [My Company Ltd]:Coordinated Laboratory for Computational Genomics \nOrganizational Unit Name (eg, section) []: \nCommon Name (eg, your name or your server's hostname) []:ftp.example.com \nEmail Address []:clcg.it@gmail.com \n```\n\n### SSL-enable VSFTPD\n\nOpen up `/etc/vsftpd/vsftpd.conf` and append the following:\n\n # Enable SSL \n ssl_enable=YES \n force_local_data_ssl=YES \n force_local_logins_ssl=YES \n ssl_tlsv1=YES \n ssl_sslv2=NO \n ssl_sslv3=NO \n rsa_cert_file=/etc/vsftpd/vsftpd.pem\n\nYour certificate must be in PEM format and include *both* the public and\nprivate keys. Here's an example of what it would look like:\n\n### Restart the service\n\nservice vsftpd condrestart\n\nYou can now use an FTP client which supports implicit SSL (Transmit and\nFugu for OS X, FileZilla, etc) and try out the connection. The ordinary\n`ftp` won't work and will give you the\nfollowing error:\n\n Connected to ftp.example.com. \n 220 Welcome to the FTP droppoint. Please note that all activity is logged. \n Name (ftp.example.com:tech): tempuser \n 530 Non-anonymous sessions must use encryption.\n\nIf you're a command-line freak like I am, you can always use\n`ftp-ssl`\n\nOther notes\n-----------\n\n* The passive ports *must* be defined! Not doing so will result in a\n very long delay between initiating a connection and viewing a\n directory listing.\n* VSFTPD can be configured for anonymous logins whereby a user can\n download a file but not upload anything (like the CentOS mirrors.)\n* Add `listen_address=127.0.0.1` to listen on a given address.\n\nResources\n---------\n\n### Script to add users to database\n\n```bash\n#!/bin/bash\n\n# Add a virtual FTP user to VsFTPd's Berkeley DB\n# by Nikhil Anand, Mon Feb 22 09:30:45 CST 2010\n\n# Paths to config path and custom FTP directory\nVSFTPDPATH=\"/etc/vsftpd\"\nDROPPOINT=\"/data/ftp\"\n\n# Usage information\nif [ $# -ne 2 ]; then\n echo -e \"USAGE: `basename $0` \\n\"\n echo -e \" Using this without the parameters will refresh the DB used by the VsFTP daemon\"\n db_load -T -t hash -f $VSFTPDPATH/userlist.txt $VSFTPDPATH/vsftpd-virtual-user.db\n echo -e \" Database refreshed.\"\n echo -e \" Edit $VSFTPDPATH/userlist.txt to make any changes to virtual users.\"\n echo -e \" Run this script again when you're done.\"\n exit\nfi\n\n# Define username and password \nUSERNAME=\"$1\"\nPASSWORD=\"$2\"\n\n# Add username and password to flat text file\necho $USERNAME >> $VSFTPDPATH/userlist.txt\necho \"$PASSWORD\" >> $VSFTPDPATH/userlist.txt\necho -e \"Added ( $USERNAME : 
$PASSWORD ) to $VSFTPDPATH/userlist.txt\"\n\n# Refresh the Berkeley DB to reflect these additions\ndb_load -T -t hash -f $VSFTPDPATH/userlist.txt $VSFTPDPATH/vsftpd-virtual-user.db\necho -e \"Reloaded database \\\"vsftpd-virtual-user.db\\\"\"\n\n# Create a home directory inside the FTP directory\nmkdir $DROPPOINT/$USERNAME\nchown -R ftp:ftp $DROPPOINT/$USERNAME\necho -e \"Created and changed permissions for $DROPPOINT/$USERNAME\"\n```\n\n### Relevant web URIs\n\n* [Good explanation of Active and Passive mode FTP](http://slacksite.com/other/ftp.html)\n* [VSFTPD documentation](http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s2-ftp-servers-vsftpd.html)\n" }, { "authorEmail": "mail@nikhil.io", "authorName": "Nikhil Anand", "date": "2015-12-21T02:30:47Z", "id": "3f2c54b1d767218fcb4855fbac306b015afaf551", "shortId": "3f2c54b1", "subject": "Incremental\n", "content": "Pre-Install notes\n-----------------\n\nThe \"Very Secure FTP Daemon\" is highly configurable package in many\naspects. These include virtual users, SSL transfers, chrooting, and so\non. This guide sets up VSFTP with the following features:\n\n- A modified FTP root at `/tempftpdir`\n- A sample virtual user called `tempuser`\n- The user will be chrooted to\n `/tempftpdir/tempuser`\n- All transactions will take place over implicit SSL\n- The daemon will run as a standalone service (i.e. 
will not\n involve xinetd)\n\nDownload and install VSFTPD and associated packages\n---------------------------------------------------\n\n` yum install vsftpd db4-utils db4`\n\nThe last two packages are for the Berkeley DB which PAM uses to look up\nvirtual users and their passwords.\n\n### Basic configuration\n\nThe config file is found at\n`/etc/vsftpd/vsftpd.conf` Here are the\npertinent directives which have changed from the original file (which\nI'm assuming you will back up before trying this stuff.)\n\n`  anonymous_enable=NO` \n`  dirmessage_enable=NO` \n`  xferlog_file=/var/log/vsftpd.xferlog.tempftpdir.log` \n`  ftpd_banner=Welcome to the CLCG FTP droppoint. Please note that all activity is logged.` \n`  ` \n`  # Comment this directive (we will be using another for virtual users)` \n`  pam_service_name=vsftpd`\n\nManaging virtual users\n----------------------\n\n### Create the database\n\nYou will need to create a text file which has the usernames and\npasswords on newlines. E.g.\n\n`  user1` \n`  password1` \n`  user2` \n`  password2`\n\nIn this case, I'm going to create a user called **tempuser** with the\npassword **tempuserpass**. So I create a file called \"userlist.txt\" with\nthe following contents:\n\n`  tempuser` \n`  tempuserpass`\n\nNow I can create the database for the PAM using this:\n\n` db_load -T -t hash -f userlist.txt vsftpd-virtual-user.db`\n\n### Configure the home directory\n\nSince the FTP root is `/tempftpdir`, you will\nneed to add a home directory that `tempuser`\ncan be chrooted to.\n\n` mkdir /tempftpdir/tempuser` \n` chown -R `[`ftp:ftp`](ftp:ftp)` /tempftpdir`\n\nIt should be obvious why `ftp:ftp` owns this\ndirectory; `tempuser` is a *virtual* user and\nso does not have any entry in `/etc/passwd`!\n\n### Tell PAM about the database\n\nHead over to `/etc/pam.d/` and create a file\ncalled `vsftpd.withvirtualusers` The filename\ncan be anything you want. 
You will need to remember it later!\n\nAdd the following to the new file:\n\n`  #%PAM-1.0` \n`  auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user` \n`  account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user` \n`  session    required     pam_loginuid.so`\n\n### Configuring VSFTPD to have virtual users\n\nAppend the following to the configuration file:\n\n`  # Allow virtual users` \n`  virtual_use_local_privs=YES` \n`  guest_enable=YES` \n`  user_sub_token=$USER` \n`  ` \n`  # Change the FTP root ` \n`  local_root=/tempftpdir/$USER` \n`  chroot_local_user=YES` \n`  hide_ids=YES` \n`  ` \n`  # Use the new file we just created; this is why it was commented earlier!` \n`  pam_service_name=vsftpd.withvirtualusers` \n`  ` \n`  # Define passive ports` \n`  pasv_min_port=12000` \n`  pasv_max_port=12003` \n`  `\n\nAt this point, you should be ready to start the service. However, you\nneed to poke a hole in your firewall to allow FTP connections\n\nConfiguring IPTABLES to allow FTP\n---------------------------------\n\n`  # Allow VSFTPD and associated passive connections` \n`  -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 21 -j ACCEPT` \n`  -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 12000:12003 -j ACCEPT`\n\nRestart the iptables service (do it properly and use\n`iptables-save` and\n`iptables-restore`)\n\nStart the service\n-----------------\n\n` service vsftpd start`\n\nCheck if it's listening to port 21 by trying this...\n\n` netstat -tulpn | grep :21`\n\n... and seeing something like this:\n\n` tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      29790/vsftpd`\n\nTry it out by logging in as `tempuser` with\n`tempuserpass`. 
All should go well :)\n\nSecuring VSFTPD with SSL\n------------------------\n\nAssuming things have been amazing thus far, you can now SSL enable the\nservice for logins and transfers.\n\n### Generate an RSA certificate\n\n`  cd /etc/vsftpd` \n`  openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem`\n\nHere's the standard output of this command:\n\n`  Generating a 1024 bit RSA private key` \n`  .......++++++` \n`  ........................................++++++` \n`  writing new private key to '/etc/vsftpd/vsftpd.pem'` \n`  -----` \n`  You are about to be asked to enter information that will be incorporated` \n`  into your certificate request.` \n`  What you are about to enter is what is called a Distinguished Name or a DN.` \n`  There are quite a few fields but you can leave some blank` \n`  For some fields there will be a default value,` \n`  If you enter '.', the field will be left blank.` \n`  -----` \n`  Country Name (2 letter code) [GB]:US` \n`  State or Province Name (full name) [Berkshire]:Iowa` \n`  Locality Name (eg, city) [Newbury]:Iowa City` \n`  Organization Name (eg, company) [My Company Ltd]:Coordinated Laboratory for Computational Genomics` \n`  Organizational Unit Name (eg, section) []:` \n`  Common Name (eg, your name or your server's hostname) []:ftp.example.com` \n`  Email Address []:clcg.it@gmail.com` \n`  `\n\n### SSL-enable VSFTPD\n\nOpen up `/etc/vsftpd/vsftpd.conf` and append\nthe following:\n\n` # Enable SSL` \n` ssl_enable=YES` \n` force_local_data_ssl=YES` \n` force_local_logins_ssl=YES` \n` ssl_tlsv1=YES` \n` ssl_sslv2=NO` \n` ssl_sslv3=NO` \n` rsa_cert_file=/etc/vsftpd/vsftpd.pem`\n\nYour certificate must be in PEM format and include *both* the public and\nprivate keys. 
Here's an example of what it would look like:\n\n### Restart the service\n\n`service vsftpd condrestart`\n\nYou can now use an FTP client which supports implicit SSL (Transmit and\nFugu for OS X, FileZilla, etc) and try out the connection. The ordinary\n`ftp` won't work and will give you the\nfollowing error:\n\n` Connected to ftp.example.com.` \n` 220 Welcome to the FTP droppoint. 
Please note that all activity is logged.` \n` Name (ftp.example.com:tech): tempuser` \n` 530 Non-anonymous sessions must use encryption.`\n\nIf you're a command-line freak like I am, you can always use\n`ftp-ssl`\n\nOther notes\n-----------\n\n- The passive ports *must* be defined! Not doing so will result in a\n very long delay between initiating a connection and viewing a\n directory listing.\n- VSFTPD can be configured for anonymous logins whereby a user can\n download a file but not upload anything (like the CentOS mirrors.)\n- Add `listen_address=127.0.0.1` to listen on a given address.\n\nResources\n---------\n\n### Script to add users to database\n\n #!/bin/bash\n\n # Add a virtual FTP user to VsFTPd's Berkeley DB\n # by Nikhil Anand, Mon Feb 22 09:30:45 CST 2010\n\n # Paths to config path and custom FTP directory\n VSFTPDPATH=\"/etc/vsftpd\"\n DROPPOINT=\"/data/ftp\"\n\n # Usage information\n if [ $# -ne 2 ]; then\n echo -e \"USAGE: `basename $0` \\n\"\n echo -e \" Using this without the parameters will refresh the DB used by the VsFTP daemon\"\n db_load -T -t hash -f $VSFTPDPATH/userlist.txt $VSFTPDPATH/vsftpd-virtual-user.db\n echo -e \" Database refreshed.\"\n echo -e \" Edit $VSFTPDPATH/userlist.txt to make any changes to virtual users.\"\n echo -e \" Run this script again when you're done.\"\n exit\n fi\n\n # Define username and password \n USERNAME=\"$1\"\n PASSWORD=\"$2\"\n\n # Add username and password to flat text file\n echo $USERNAME >> $VSFTPDPATH/userlist.txt\n echo \"$PASSWORD\" >> $VSFTPDPATH/userlist.txt\n echo -e \"Added ( $USERNAME : $PASSWORD ) to $VSFTPDPATH/userlist.txt\"\n\n # Refresh the Berkeley DB to reflect these additions\n db_load -T -t hash -f $VSFTPDPATH/userlist.txt $VSFTPDPATH/vsftpd-virtual-user.db\n echo -e \"Reloaded database \\\"vsftpd-virtual-user.db\\\"\"\n\n # Create a home directory inside the FTP directory\n mkdir $DROPPOINT/$USERNAME\n chown -R ftp:ftp $DROPPOINT/$USERNAME\n echo -e \"Created and changed permissions 
for $DROPPOINT/$USERNAME\"\n\n### Relevant web URIs\n\n- [Good explanation of Active and Passive mode\n FTP](http://slacksite.com/other/ftp.html)\n- [VSFTPD\n documentation](http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s2-ftp-servers-vsftpd.html)\n" }, { "authorEmail": "mail@nikhil.io", "authorName": "Nikhil Anand", "date": "2015-12-20T19:56:41Z", "id": "b1c7a8996eb6703aa9b5e5f9bbc4fecb87aa5947", "shortId": "b1c7a899", "subject": "VsFTPd Notes : First Draft", "content": "Pre-Install notes\n-----------------\n\nThe \"Very Secure FTP Daemon\" is highly configurable package in many\naspects. These include virtual users, SSL transfers, chrooting, and so\non. This guide sets up VSFTP with the following features:\n\n- A modified FTP root at `/tempftpdir`\n- A sample virtual user called `tempuser`\n- The user will be chrooted to\n `/tempftpdir/tempuser`\n- All transactions will take place over implicit SSL\n- The daemon will run as a standalone service (i.e. will not\n involve xinetd)\n\nDownload and install VSFTPD and associated packages\n---------------------------------------------------\n\n` yum install vsftpd db4-utils db4`\n\nThe last two packages are for the Berkeley DB which PAM uses to look up\nvirtual users and their passwords.\n\n### Basic configuration\n\nThe config file is found at\n`/etc/vsftpd/vsftpd.conf` Here are the\npertinent directives which have changed from the original file (which\nI'm assuming you will back up before trying this stuff.)\n\n`  anonymous_enable=NO` \n`  dirmessage_enable=NO` \n`  xferlog_file=/var/log/vsftpd.xferlog.tempftpdir.log` \n`  ftpd_banner=Welcome to the CLCG FTP droppoint. 
Please note that all activity is logged.` \n`  ` \n`  # Comment this directive (we will be using another for virtual users)` \n`  pam_service_name=vsftpd`\n\nManaging virtual users\n----------------------\n\n### Create the database\n\nYou will need to create a text file which has the usernames and\npasswords on newlines. E.g.\n\n`  user1` \n`  password1` \n`  user2` \n`  password2`\n\nIn this case, I'm going to create a user called **tempuser** with the\npassword **tempuserpass**. So I create a file called \"userlist.txt\" with\nthe following contents:\n\n`  tempuser` \n`  tempuserpass`\n\nNow I can create the database for the PAM using this:\n\n` db_load -T -t hash -f userlist.txt vsftpd-virtual-user.db`\n\n### Configure the home directory\n\nSince the FTP root is `/tempftpdir`, you will\nneed to add a home directory that `tempuser`\ncan be chrooted to.\n\n` mkdir /tempftpdir/tempuser` \n` chown -R `[`ftp:ftp`](ftp:ftp)` /tempftpdir`\n\nIt should be obvious why `ftp:ftp` owns this\ndirectory; `tempuser` is a *virtual* user and\nso does not have any entry in `/etc/passwd`!\n\n### Tell PAM about the database\n\nHead over to `/etc/pam.d/` and create a file\ncalled `vsftpd.withvirtualusers` The filename\ncan be anything you want. 
You will need to remember it later!\n\nAdd the following to the new file:\n\n`  #%PAM-1.0` \n`  auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user` \n`  account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user` \n`  session    required     pam_loginuid.so`\n\n### Configuring VSFTPD to have virtual users\n\nAppend the following to the configuration file:\n\n`  # Allow virtual users` \n`  virtual_use_local_privs=YES` \n`  guest_enable=YES` \n`  user_sub_token=$USER` \n`  ` \n`  # Change the FTP root ` \n`  local_root=/tempftpdir/$USER` \n`  chroot_local_user=YES` \n`  hide_ids=YES` \n`  ` \n`  # Use the new file we just created; this is why it was commented earlier!` \n`  pam_service_name=vsftpd.withvirtualusers` \n`  ` \n`  # Define passive ports` \n`  pasv_min_port=12000` \n`  pasv_max_port=12003` \n`  `\n\nAt this point, you should be ready to start the service. However, you\nneed to poke a hole in your firewall to allow FTP connections\n\nConfiguring IPTABLES to allow FTP\n---------------------------------\n\n`  # Allow VSFTPD and associated passive connections` \n`  -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 21 -j ACCEPT` \n`  -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 12000:12003 -j ACCEPT`\n\nRestart the iptables service (do it properly and use\n`iptables-save` and\n`iptables-restore`)\n\nStart the service\n-----------------\n\n` service vsftpd start`\n\nCheck if it's listening to port 21 by trying this...\n\n` netstat -tulpn | grep :21`\n\n... and seeing something like this:\n\n` tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      29790/vsftpd`\n\nTry it out by logging in as `tempuser` with\n`tempuserpass`. 
All should go well :)\n\nSecuring VSFTPD with SSL\n------------------------\n\nAssuming things have been amazing thus far, you can now SSL enable the\nservice for logins and transfers.\n\n### Generate an RSA certificate\n\n`  cd /etc/vsftpd` \n`  openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem`\n\nHere's the standard output of this command:\n\n`  Generating a 1024 bit RSA private key` \n`  .......++++++` \n`  ........................................++++++` \n`  writing new private key to '/etc/vsftpd/vsftpd.pem'` \n`  -----` \n`  You are about to be asked to enter information that will be incorporated` \n`  into your certificate request.` \n`  What you are about to enter is what is called a Distinguished Name or a DN.` \n`  There are quite a few fields but you can leave some blank` \n`  For some fields there will be a default value,` \n`  If you enter '.', the field will be left blank.` \n`  -----` \n`  Country Name (2 letter code) [GB]:US` \n`  State or Province Name (full name) [Berkshire]:Iowa` \n`  Locality Name (eg, city) [Newbury]:Iowa City` \n`  Organization Name (eg, company) [My Company Ltd]:Coordinated Laboratory for Computational Genomics` \n`  Organizational Unit Name (eg, section) []:` \n`  Common Name (eg, your name or your server's hostname) []:ftp.example.com` \n`  Email Address []:clcg.it@gmail.com` \n`  `\n\n### SSL-enable VSFTPD\n\nOpen up `/etc/vsftpd/vsftpd.conf` and append\nthe following:\n\n` # Enable SSL` \n` ssl_enable=YES` \n` force_local_data_ssl=YES` \n` force_local_logins_ssl=YES` \n` ssl_tlsv1=YES` \n` ssl_sslv2=NO` \n` ssl_sslv3=NO` \n` rsa_cert_file=/etc/vsftpd/vsftpd.pem`\n\nYour certificate must be in PEM format and include *both* the public and\nprivate keys. 
Here's an example of what it would look like:\n\n`   -----BEGIN CERTIFICATE-----` \n`   [certificate body omitted]` \n`   -----END CERTIFICATE-----` \n`   -----BEGIN RSA PRIVATE KEY-----` \n`   [private key omitted]` \n`   -----END RSA PRIVATE KEY-----`\n\n### Restart the service\n\n`service vsftpd condrestart`\n\nYou can now use an FTP client which supports implicit SSL (Transmit and\nFugu for OS X, FileZilla, etc) and try out the connection. The ordinary\n`ftp` won't work and will give you the\nfollowing error:\n\n` Connected to ftp.example.com.` \n` 220 Welcome to the FTP droppoint. 
Please note that all activity is logged.` \n` Name (ftp.example.com:tech): tempuser` \n` 530 Non-anonymous sessions must use encryption.`\n\nIf you're a command-line freak like I am, you can always use\n`ftp-ssl`\n\nOther notes\n-----------\n\n- The passive ports *must* be defined! Not doing so will result in a\n very long delay between initiating a connection and viewing a\n directory listing.\n- VSFTPD can be configured for anonymous logins whereby a user can\n download a file but not upload anything (like the CentOS mirrors.)\n- Add `listen_address=127.0.0.1` to listen on a given address.\n\nResources\n---------\n\n### Script to add users to database\n\n #!/bin/bash\n\n # Add a virtual FTP user to VsFTPd's Berkeley DB\n # by Nikhil Anand, Mon Feb 22 09:30:45 CST 2010\n\n # Paths to config path and custom FTP directory\n VSFTPDPATH=\"/etc/vsftpd\"\n DROPPOINT=\"/data/ftp\"\n\n # Usage information\n if [ $# -ne 2 ]; then\n echo -e \"USAGE: `basename $0` \\n\"\n echo -e \" Using this without the parameters will refresh the DB used by the VsFTP daemon\"\n db_load -T -t hash -f $VSFTPDPATH/userlist.txt $VSFTPDPATH/vsftpd-virtual-user.db\n echo -e \" Database refreshed.\"\n echo -e \" Edit $VSFTPDPATH/userlist.txt to make any changes to virtual users.\"\n echo -e \" Run this script again when you're done.\"\n exit\n fi\n\n # Define username and password \n USERNAME=\"$1\"\n PASSWORD=\"$2\"\n\n # Add username and password to flat text file\n echo $USERNAME >> $VSFTPDPATH/userlist.txt\n echo \"$PASSWORD\" >> $VSFTPDPATH/userlist.txt\n echo -e \"Added ( $USERNAME : $PASSWORD ) to $VSFTPDPATH/userlist.txt\"\n\n # Refresh the Berkeley DB to reflect these additions\n db_load -T -t hash -f $VSFTPDPATH/userlist.txt $VSFTPDPATH/vsftpd-virtual-user.db\n echo -e \"Reloaded database \\\"vsftpd-virtual-user.db\\\"\"\n\n # Create a home directory inside the FTP directory\n mkdir $DROPPOINT/$USERNAME\n chown -R ftp:ftp $DROPPOINT/$USERNAME\n echo -e \"Created and changed permissions 
for $DROPPOINT/$USERNAME\"\n\n### Relevant web URIs\n\n- [Good explanation of Active and Passive mode\n FTP](http://slacksite.com/other/ftp.html)\n- [VSFTPD\n documentation](http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s2-ftp-servers-vsftpd.html)\n\n[Category:Nikhil's Notes](Category:Nikhil's_Notes \"wikilink\")\n[Category:Installation Logs](Category:Installation_Logs \"wikilink\")\n[Category:From a past sysadmin\nlife](Category:From_a_past_sysadmin_life \"wikilink\")\n" } ], "sizeInBytes": 11972, "source": "[TOC]\n\nPre-Install notes\n-----------------\n\nThe \"Very Secure FTP Daemon\" is highly configurable package in many\naspects. These include virtual users, SSL transfers, chrooting, and so\non. This guide sets up VSFTP with the following features:\n\n* A modified FTP root at `/tempftpdir`\n* A sample virtual user called `tempuser`\n* The user will be chrooted to `/tempftpdir/tempuser`\n* All transactions will take place over implicit SSL\n* The daemon will run as a standalone service (i.e. will not\n involve xinetd)\n\nDownload and install VSFTPD and associated packages\n---------------------------------------------------\n\n yum install vsftpd db4-utils db4\n\nThe last two packages are for the Berkeley DB which PAM uses to look up\nvirtual users and their passwords.\n\n### Basic configuration\n\nThe config file is found at `/etc/vsftpd/vsftpd.conf` Here are the\npertinent directives which have changed from the original file (which\nI'm assuming you will back up before trying this stuff.)\n\n anonymous_enable=NO \n dirmessage_enable=NO \n xferlog_file=/var/log/vsftpd.xferlog.tempftpdir.log \n ftpd_banner=Welcome to the CLCG FTP droppoint. Please note that all activity is logged. 
\n \n # Comment this directive (we will be using another for virtual users) \n pam_service_name=vsftpd\n\nManaging virtual users\n----------------------\n\n### Create the database\n\nYou will need to create a text file which has the usernames and\npasswords on newlines. E.g.\n\n user1 \n password1 \n user2 \n password2\n\nIn this case, I'm going to create a user called **tempuser** with the\npassword **tempuserpass**. So I create a file called \"userlist.txt\" with\nthe following contents:\n\n tempuser \n tempuserpass\n\nNow I can create the database for the PAM using this:\n\n db_load -T -t hash -f userlist.txt vsftpd-virtual-user.db\n\n### Configure the home directory\n\nSince the FTP root is `/tempftpdir`, you will need to add a home directory \nthat `tempuser` can be chrooted to.\n\n mkdir /tempftpdir/tempuser \n chown -R ftp:ftp /tempftpdir\n\nIt should be obvious why `ftp:ftp` owns this directory; `tempuser` is \na *virtual* user and so does not have any entry in `/etc/passwd`!\n\n### Tell PAM about the database\n\nHead over to `/etc/pam.d/` and create a file\ncalled `vsftpd.withvirtualusers` The filename\ncan be anything you want. You will need to remember it later!\n\nAdd the following to the new file:\n\n #%PAM-1.0 \n auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user \n account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user \n session    required     pam_loginuid.so\n\n### Configuring VSFTPD to have virtual users\n\nAppend the following to the configuration file:\n\n```bash\n# Allow virtual users \nvirtual_use_local_privs=YES \nguest_enable=YES \nuser_sub_token=$USER \n \n# Change the FTP root  \nlocal_root=/tempftpdir/$USER \nchroot_local_user=YES \nhide_ids=YES \n \n# Use the new file we just created; this is why it was commented earlier! 
\npam_service_name=vsftpd.withvirtualusers \n \n# Define passive ports \npasv_min_port=12000 \npasv_max_port=12003\n```\n\nAt this point, you should be ready to start the service. However, you\nneed to poke a hole in your firewall to allow FTP connections\n\nConfiguring IPTABLES to allow FTP\n---------------------------------\n\n # Allow VSFTPD and associated passive connections \n -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 21 -j ACCEPT \n -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 12000:12003 -j ACCEPT\n\nRestart the iptables service (do it properly and use `iptables-save` \nand `iptables-restore`)\n\nStart the service\n-----------------\n\n service vsftpd start\n\nCheck if it's listening to port 21 by trying this...\n\n netstat -tulpn | grep :21\n\n... and seeing something like this:\n\n tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      29790/vsftpd\n\nTry it out by logging in as `tempuser` with `tempuserpass`. All should go well :)\n\nSecuring VSFTPD with SSL\n------------------------\n\nAssuming things have been amazing thus far, you can now SSL enable the\nservice for logins and transfers.\n\n### Generate an RSA certificate\n\n cd /etc/vsftpd \n openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem\n\nHere's the standard output of this command:\n\n```\nGenerating a 1024 bit RSA private key\n.......++++++ \n........................................++++++ \nwriting new private key to '/etc/vsftpd/vsftpd.pem' \n----- \nYou are about to be asked to enter information that will be incorporated \ninto your certificate request. \nWhat you are about to enter is what is called a Distinguished Name or a DN. \nThere are quite a few fields but you can leave some blank \nFor some fields there will be a default value, \nIf you enter '.', the field will be left blank. 
\n----- \nCountry Name (2 letter code) [GB]:US \nState or Province Name (full name) [Berkshire]:Iowa \nLocality Name (eg, city) [Newbury]:Iowa City \nOrganization Name (eg, company)  [My Company Ltd]:Coordinated Laboratory for Computational Genomics \nOrganizational Unit Name (eg, section) []: \nCommon Name (eg, your name or your server's hostname) []:ftp.example.com \nEmail Address []:clcg.it@gmail.com \n```\n\n### SSL-enable VSFTPD\n\nOpen up `/etc/vsftpd/vsftpd.conf` and append the following:\n\n # Enable SSL \n ssl_enable=YES \n force_local_data_ssl=YES \n force_local_logins_ssl=YES \n ssl_tlsv1=YES \n ssl_sslv2=NO \n ssl_sslv3=NO \n rsa_cert_file=/etc/vsftpd/vsftpd.pem\n\nYour certificate must be in PEM format and include *both* the public and\nprivate keys. Here's an example of what it would look like:\n\n -----BEGIN CERTIFICATE----- \n [certificate body omitted] \n -----END CERTIFICATE----- \n -----BEGIN RSA PRIVATE KEY----- \n [private key omitted] \n -----END RSA PRIVATE KEY-----\n\n### Restart the service\n\n service vsftpd condrestart\n\nYou can now use an FTP client which supports implicit SSL (Transmit and\nFugu for OS X, FileZilla, etc) and try out the connection. The ordinary\n`ftp` won't work and will give you the\nfollowing error:\n\n Connected to ftp.example.com. \n 220 Welcome to the FTP droppoint. Please note that all activity is logged. \n Name (ftp.example.com:tech): tempuser \n 530 Non-anonymous sessions must use encryption.\n\nIf you're a command-line freak like I am, you can always use\n`ftp-ssl`\n\nOther notes\n-----------\n\n* The passive ports *must* be defined! Not doing so will result in a\n very long delay between initiating a connection and viewing a\n directory listing.\n* VSFTPD can be configured for anonymous logins whereby a user can\n download a file but not upload anything (like the CentOS mirrors.)\n* Add `listen_address=127.0.0.1` to listen on a given address.\n\nResources\n---------\n\n### Script to add users to database\n\n```bash\n#!/bin/bash\n\n# Add a virtual FTP user to VsFTPd's Berkeley DB\n# by Nikhil Anand, Mon Feb 22 09:30:45 CST 2010\n\n# Paths to config path and custom FTP directory\nVSFTPDPATH=\"/etc/vsftpd\"\nDROPPOINT=\"/data/ftp\"\n\n# Usage information\nif [ $# -ne 2 ]; then\n echo -e \"USAGE: `basename $0` \\n\"\n echo -e \" Using this without the parameters will refresh the DB used by the VsFTP daemon\"\n db_load -T -t hash -f $VSFTPDPATH/userlist.txt $VSFTPDPATH/vsftpd-virtual-user.db\n echo -e \" Database refreshed.\"\n echo -e \" Edit $VSFTPDPATH/userlist.txt to make any changes to virtual users.\"\n echo -e \" Run this script again when you're done.\"\n exit\nfi\n\n# Define username and password \nUSERNAME=\"$1\"\nPASSWORD=\"$2\"\n\n# Add username and password to flat text file\necho $USERNAME >> $VSFTPDPATH/userlist.txt\necho \"$PASSWORD\" >> $VSFTPDPATH/userlist.txt\necho -e \"Added ( $USERNAME : 
$PASSWORD ) to $VSFTPDPATH/userlist.txt\"\n\n# Refresh the Berkeley DB to reflect these additions\ndb_load -T -t hash -f $VSFTPDPATH/userlist.txt $VSFTPDPATH/vsftpd-virtual-user.db\necho -e \"Reloaded database \\\"vsftpd-virtual-user.db\\\"\"\n\n# Create a home directory inside the FTP directory\nmkdir $DROPPOINT/$USERNAME\nchown -R ftp:ftp $DROPPOINT/$USERNAME\necho -e \"Created and changed permissions for $DROPPOINT/$USERNAME\"\n```\n\n### Relevant web URIs\n\n* [Good explanation of Active and Passive mode FTP](http://slacksite.com/other/ftp.html)\n* [VSFTPD documentation](http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s2-ftp-servers-vsftpd.html)\n", "title": "VsFTPd Notes", "untracked": false, "uri": "/VsFTPd_Notes", "relativePath": "VsFTPd Notes.md" }