Sunday, August 06, 2006

Server Building, Part 4 (vsftpd configuration)

Here is some information on configuring vsftpd 2.0.3 on Ubuntu 5.10 (Breezy Badger):

The settings for this program are in /etc/vsftpd.conf. There is a short manpage for vsftpd ("man vsftpd" is the command), but the manpage for the file ("man vsftpd.conf") gives a more exhaustive description of the options that vsftpd offers. Options are set in option=value form in the config file (example: "anonymous_enable=YES"). Most settings are not enabled if they are not found in the config file, but some settings have default behavior when they are absent. Check the manpage and FAQ for details. I'm mostly concerned with setting up access so that only I can get into this machine. There are a few types of users in the FTP server paradigm: local users (who have an account on the machine), anonymous users (just anyone on the net) and root. Here are some simple options to set to achieve what I want to do:

Anonymous users:
  • anonymous_enable -- allows anonymous login, on by default
  • anon_upload_enable -- allows anonymous users to upload files... keep this off unless you want a lot of porn on your server (so they say)
  • anon_mkdir_write_enable -- allows anonymous users to use any form of the ftp write command
  • no_anon_password -- allows anonymous users to log in without a password... probably a good idea to enable this, since the password is just "anonymous" otherwise

Local users:
  • local_enable -- allows local users to log in... I enable this so I can log in as myself
  • chroot_local_user -- restrict local users to their home directories (apparently a security risk... read the vsftpd FAQ for details)
  • chroot_list_enable -- enables a list of users that can use the chroot() command
  • chroot_list_file -- the location of the file that specifies the users that can use the chroot() command... with my settings, the users listed in this file have full access to the system whereas the users not listed are restricted to their home directories

Other:
  • ftpd_banner -- the message users see when they log in
  • write_enable -- enable any form of FTP write (allow users to put stuff on server)

To restart vsftpd with an edited config file (that is, to see the changes you just made to the file put into effect) use this command: /etc/init.d/vsftpd restart
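
The way these options interact (compiled-in defaults, anonymous writes needing write_enable, and the chroot list whose meaning flips with chroot_local_user) can be checked before restarting. The Python script below is an added example, not part of the original post or of vsftpd; the function names, finding strings and sample config are constructed for illustration, and the defaults are those listed in "man vsftpd.conf".

```python
# Added example: audit a vsftpd.conf for the options covered in this post.
# Defaults are the compiled-in ones from "man vsftpd.conf", not Ubuntu's file.
DEFAULTS = {
    "anonymous_enable": "YES", "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO", "no_anon_password": "NO",
    "local_enable": "NO", "write_enable": "NO",
    "chroot_local_user": "NO", "chroot_list_enable": "NO",
}

def parse_conf(text):
    """Return (settings, errors); unset options keep their defaults."""
    settings, errors = dict(DEFAULTS), []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        # vsftpd rejects spaces around '='; this also flags other stray whitespace.
        if not sep or name != name.strip() or value != value.strip():
            errors.append(f"line {num}: not in option=value form")
            continue
        settings[name] = value
    return settings, errors

def audit(text):
    s, findings = parse_conf(text)
    def on(key):
        return s[key].upper() in ("YES", "TRUE", "1")
    if on("anonymous_enable"):
        findings.append("anonymous login enabled")
        # Anonymous writes also need the global write_enable switch.
        if on("write_enable") and (on("anon_upload_enable")
                                   or on("anon_mkdir_write_enable")):
            findings.append("anonymous users can write")
    if not on("local_enable"):
        findings.append("local users cannot log in")
    elif on("chroot_list_enable"):
        # The list's meaning flips depending on chroot_local_user.
        findings.append("listed users are NOT chrooted"
                        if on("chroot_local_user")
                        else "only listed users are chrooted")
    elif not on("chroot_local_user"):
        findings.append("local users are not chrooted")
    return findings

# Constructed sample: the setup this post aims for, with one mistyped line.
SAMPLE = ("anonymous_enable=NO\nlocal_enable=YES\nwrite_enable = YES\n"
          "chroot_local_user=YES\nchroot_list_enable=YES\n")
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty config file is reported as "anonymous login enabled", which is the reason to set anonymous_enable=NO explicitly rather than just leaving the line out.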
