linux:ubuntu:vsftpd

This is an old revision of the document!


Fail2Ban

Installation

apt-get install vsftpd

Configuration

Add an FTP user

Add a user for FTP (or use an existing one in the next step)

useradd <username> --shell /bin/false --home <ftp rootdir>
passwd <username>

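Add the created user to the list of users allowed to log in to vsftpd. Create the file /etc/vsftpd.users (the userlist_file set in the configuration below) with the following content: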

<your ftp user>

Configure vsftpd

Configure the following settings in /etc/vsftpd.conf

# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
 
# Allow anonymous FTP? (Disabled by default)
anonymous_enable=NO
 
# Uncomment this to allow local users to log in.
local_enable=YES
#local_enable=YES
 
# Uncomment this to enable any form of FTP write command.
write_enable=YES
 
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
 
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
 
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=NO
 
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
 
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
 
# Activate logging of uploads/downloads.
xferlog_enable=YES
 
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
 
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=NO
 
# You may change the default value for timing out an idle session.
idle_session_timeout=600
 
# You may change the default value for timing out a data connection.
data_connection_timeout=120
 
# You may fully customise the login banner string:
ftpd_banner=Welcome to Lunetikks FTP
 
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
 
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
 
# This string is the name of the PAM service vsftpd will use.
#pam_service_name=vsftpd
pam_service_name=ftp
 
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 
# This option specifies the location of the RSA key to use for SSL
# encrypted connections.
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 
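# Permit logins into a chroot directory that the user can write to. vsftpd
# refuses such logins by default because a writable chroot root weakens the jail.
allow_writeable_chroot=YES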
 
# only allow login by users in /etc/vsftpd.users
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.users
 
#split the log into two files (needed for fail2ban)
dual_log_enable=YES
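
The login-related options above depend on each other: userlist_deny=NO only turns /etc/vsftpd.users into an allow list when userlist_enable=YES, and the rsa_cert_file lines have no effect unless ssl_enable=YES, which this configuration does not set. The audit script below is an added example, not part of the original page; the function names, the sample user ftpuser and the temporary paths are assumptions made for the demo, and the defaults are the ones documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the original page): audit the login-related
# settings of a vsftpd.conf. Defaults are those given in vsftpd.conf(5).

# conf_get FILE KEY DEFAULT: print the last key=value setting of KEY, or DEFAULT.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# audit_vsftpd FILE: print one finding per line.
audit_vsftpd() {
    conf=$1
    if [ "$(conf_get "$conf" anonymous_enable YES)" = YES ]; then
        echo "WARN anonymous login is enabled"
    fi
    ul_file=$(conf_get "$conf" userlist_file /etc/vsftpd.user_list)
    if [ "$(conf_get "$conf" userlist_enable NO)" != YES ]; then
        echo "WARN userlist_enable is off: $ul_file is ignored"
    elif [ "$(conf_get "$conf" userlist_deny YES)" = YES ]; then
        echo "WARN userlist_deny=YES: $ul_file is a deny list, not an allow list"
    elif [ ! -s "$ul_file" ]; then
        echo "WARN allow list $ul_file is missing or empty: no user can log in"
    else
        echo "OK allow list $ul_file is enforced ($(grep -c . "$ul_file") entries)"
    fi
    if [ "$(conf_get "$conf" ssl_enable NO)" != YES ]; then
        echo "WARN ssl_enable is not YES: passwords cross the network unencrypted"
    fi
}

# Demo on a constructed config that mirrors the login settings of this page.
demo() {
    dir=$(mktemp -d)
    printf 'ftpuser\n' > "$dir/vsftpd.users"   # constructed sample user
    cat > "$dir/vsftpd.conf" <<EOF
anonymous_enable=NO
local_enable=YES
#local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
userlist_enable=YES
userlist_deny=NO
userlist_file=$dir/vsftpd.users
EOF
    audit_vsftpd "$dir/vsftpd.conf"
    rm -rf "$dir"
}
demo
```

On a real host, run audit_vsftpd /etc/vsftpd.conf as a user who can read the file named by userlist_file.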

Troubleshooting

530 Login incorrect

Trying to connect fails with the following message:

530 Login incorrect

Reason: Wrong PAM service name on Ubuntu 14 and lower.

Fix: Change the pam_service_name parameter in your /etc/vsftpd.conf from pam_service_name=vsftpd to pam_service_name=ftp and restart your service:

service vsftpd restart

Source: https://askubuntu.com/questions/413677/vsftpd-530-login-incorrect

linux/ubuntu/vsftpd.1527081972.txt.gz · Last modified: 2018/05/23 15:26 by lunetikk