Setup FTP Server (vsftpd)
Setting up vsftpd involves only a few simple steps. First of all, we must check whether vsftpd is already installed on our system. If it is, entering the "rpm -qa | grep vsftpd" command prints the package name and version installed, as below.
Step 1: Install the vsftpd package
rpm -qa | grep vsftpd
vsftpd-2.0.5-12.el5
If no vsftpd package is installed, we can install it in one of two ways.
(Option A) from the CentOS installation media, as below:
cd /media/dvd/CentOS/
rpm -qip vsftpd-2.0.5-12.el5.i386.rpm
warning: vsftpd-2.0.5-12.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Name        : vsftpd                       Relocations: (not relocatable)
Version     : 2.0.5                             Vendor: CentOS
Release     : 12.el5                        Build Date: Sat 24 May 2008 12:05:45 PM EDT
Install Date: (not installed)               Build Host: builder16.centos.org
Group       : System Environment/Daemons    Source RPM: vsftpd-2.0.5-12.el5.src.rpm
Size        : 289673                           License: GPL
Signature   : DSA/SHA1, Sat 14 Jun 2008 07:41:45 PM EDT, Key ID a8a447dce8562897
URL         : http://vsftpd.beasts.org/
Summary     : vsftpd - Very Secure Ftp Daemon
Description :
vsftpd is a Very Secure FTP daemon. It was written completely from scratch.
rpm -iUvh vsftpd-2.0.5-12.el5.i386.rpm
warning: vsftpd-2.0.5-12.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]
rpm -qa vsftpd
vsftpd-2.0.5-12.el5
(Option B) from the internet with "yum install". The -y in "yum -y install" assumes the answer yes to any question yum would ask during the installation:
yum -y install vsftpd
Step 2: Start the vsftpd daemon/service
First we start the vsftpd daemon with the "service vsftpd start" command. Next we want the vsftpd service started automatically in runlevels 3, 4 and 5, which "chkconfig vsftpd on" arranges. You can check the services with "chkconfig --list" and the FTP port status with the "netstat -anp" command.
The example below shows that vsftpd is started and is listening on port 21:
service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
chkconfig vsftpd on
chkconfig --list vsftpd
vsftpd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netstat -anp | grep vsftpd
tcp        0      0 0.0.0.0:21      0.0.0.0:*       LISTEN      10203/vsftpd
You can test further to confirm that the vsftpd service is up and running. Let us stop iptables for a while. Note that we are using "root" to access FTP and it returns permission denied. Why? Because the root account is not allowed to log in to vsftpd by default.
service iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): root
530 Permission denied.
Login failed.
ftp>
Now let us try from another machine (a Windows 7 machine). In the following example we log in with the jane account and show her current directory with "pwd" (the default directory for a user is /home/user):
C:\Users\OptNote>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): jane
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
Desktop
226 Directory send OK.
ftp: 9 bytes received in 0.00Seconds 9.00Kbytes/sec.
ftp> pwd
257 "/home/jane"
ftp>
Step 3: Configure the vsftpd configuration file (/etc/vsftpd/vsftpd.conf)
Now let us customize the settings for the vsftpd service. The configuration of vsftpd is stored in /etc/vsftpd/vsftpd.conf.
vim /etc/vsftpd/vsftpd.conf
Most of the default settings are fine as they are; we only need to focus on five lines of configuration here. The format of vsftpd.conf is very simple. Each line looks like this:
option_name=Value (YES or NO for most options)
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
# Uncomment this to enable any form of FTP write command.
write_enable=YES
# Activate logging of uploads/downloads.
xferlog_enable=YES
# Uncomment this to allow local users to log in.
local_enable=YES
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
Basically, these are the areas of the vsftpd configuration you need to focus on; see the FTP Security sections below to tighten down the vsftpd service.
Allowing Anonymous Upload
Before we proceed with anonymous file upload, make sure you have the following setting in /etc/vsftpd/vsftpd.conf:
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
Let's check whether anonymous access to our FTP server works. Can anonymous users upload files?
The following example shows that anonymous access is allowed (just press
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 24  2008 pub
226 Directory send OK.
ftp: 61 bytes received in 0.01Seconds 7.63Kbytes/sec.
ftp> bin
200 Switching to Binary mode.
ftp> put signature.txt
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp>
Step 1: Edit /etc/vsftpd/vsftpd.conf
Remove the # sign in front of anon_upload_enable=YES. This is the option that allows the anonymous FTP user to upload files to our FTP server.
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
Step 2: Make an anonymous FTP upload folder
Make an upload folder under /var/ftp and change its ownership to ftp.ftp:
cd /var/ftp
mkdir upload
chown ftp.ftp upload/
chmod 755 upload/
ls -l
total 16
drwxr-xr-x 2 root root 4096 May 24  2008 pub
drwxr-xr-x 2 ftp  ftp  4096 Dec  2 18:30 upload
Step 3: Restart the vsftpd service
service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
Step 4: Verify your setting and test anonymous file upload
In the following example we upload a file named signature.txt to /var/ftp/upload:
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 24  2008 pub
drwxr-xr-x    2 14       50           4096 Dec 02 23:30 upload
226 Directory send OK.
ftp: 125 bytes received in 0.00Seconds 125.00Kbytes/sec.
ftp> cd upload
250 Directory successfully changed.
ftp> pwd
257 "/upload"
ftp> bin
200 Switching to Binary mode.
ftp> put signature.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 File receive OK.
ftp: 243 bytes sent in 0.06Seconds 4.34Kbytes/sec.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
signature.txt
226 Directory send OK.
ftp: 15 bytes received in 0.00Seconds 15000.00Kbytes/sec.
ftp>
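As an added example (not part of the original tutorial), the following shell functions check a vsftpd.conf and an upload directory for the settings that steps 1 to 4 above require, so the configuration can be verified before the service is restarted or tested from a client. The file and directory paths are parameters, so the functions can be tried on constructed sample files rather than the live /etc/vsftpd/vsftpd.conf; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the anonymous-upload
# settings described in steps 1-4. Function names are my own.

# vsftpd_get CONF KEY: print the effective value of KEY (the last uncommented
# assignment wins), or nothing when the key is absent or commented out.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# anon_upload_ready CONF DIR: return 0 when anonymous upload into DIR should
# work, 1 otherwise, printing one line per failed check.
anon_upload_ready() {
    conf=$1
    dir=$2
    rc=0
    # Step 1: all three options must be YES; a leading '#' leaves a key unset.
    for key in anonymous_enable write_enable anon_upload_enable; do
        val=$(vsftpd_get "$conf" "$key")
        if [ "$val" != "YES" ]; then
            echo "$key is '${val:-unset}' in $conf, must be YES"
            rc=1
        fi
    done
    if [ ! -d "$dir" ]; then
        echo "upload directory $dir does not exist"
        return 1
    fi
    # Step 2 creates the directory as mode 755 owned by ftp: the owner can
    # write, group and others cannot. Convert the octal mode to decimal so the
    # permission bits can be masked (0200 = 128 is u+w, 022 = 18 is g+w|o+w).
    mode=$(printf '%d' "0$(stat -c %a "$dir")")
    if [ $((mode & 128)) -eq 0 ]; then
        echo "$dir is not writable by its owner"
        rc=1
    fi
    if [ $((mode & 18)) -ne 0 ]; then
        echo "$dir is group- or world-writable (any local account could drop files there)"
        rc=1
    fi
    # vsftpd refuses anonymous logins entirely ("500 OOPS: vsftpd: refusing to
    # run with writable anonymous root") if the ftp user can write to the
    # anonymous root itself, which is why uploads go into a subdirectory.
    # This check only covers the group/other bits of that parent directory.
    parent=$(dirname "$dir")
    pmode=$(printf '%d' "0$(stat -c %a "$parent")")
    if [ $((pmode & 18)) -ne 0 ]; then
        echo "anonymous root $parent is group- or world-writable; vsftpd will refuse anonymous logins"
        rc=1
    fi
    return $rc
}

# Usage on the live system (as root):
#   anon_upload_ready /etc/vsftpd/vsftpd.conf /var/ftp/upload && echo ready
```

Run against the live files, a clean result means the three options are set and the directory layout matches step 2; any failed check is printed so you know which step to revisit. The owner check cannot confirm that the owner is actually the ftp user, so the chown in step 2 still has to be done by hand.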
FTP Security - Restricting Local User Access
There are a few ways to tighten down your FTP access. I find the easiest way is to add any 'blacklisted' users to /etc/vsftpd/ftpusers. This will block any local user account that
Let's have a quick look at /etc/vsftpd/ftpusers; the users listed below are not allowed to log in via FTP:
[root@srv2 vsftpd]# cat /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
news
uucp
operator
games
nobody
In the following scenario we want to block Jane from using FTP to our server. Let's check that she has access before we edit /etc/vsftpd/ftpusers:
C:\Users\OptNote>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): jane
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/home/jane"
ftp> bye
221 Goodbye.
Step 1: Edit /etc/vsftpd/ftpusers
[root@srv2 vsftpd]# vim ftpusers
Step 2: Add the user you want to block to the /etc/vsftpd/ftpusers file
We add the user jane:
root
bin
daemon
adm
lp
sync
shutdown
halt
news
uucp
operator
games
nobody
jane
Step 3: Verify the setting and the user's access
Now have a quick check on Jane's access. The following confirms that Jane no longer has access to our FTP server:
C:\Users\OptNote>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): jane
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
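As an added example (not part of the original tutorial), here are two shell functions that do step 2 from a script instead of vim: one tests whether an account is already listed, the other appends it safely. The path to the ftpusers file is a parameter so you can try them on a copy first; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: maintain the ftpusers
# blacklist from a script. Function names are my own.

# ftp_user_blocked FILE USER: 0 if USER is listed (whole-line match), else 1.
# A whole-line match matters: a plain "grep jane" would also match "janet".
ftp_user_blocked() {
    grep -qx "$2" "$1"
}

# ftp_block_user FILE USER: append USER unless it is already present.
# If the last line of the file has no trailing newline, a bare "echo jane >>"
# would glue the name onto it and produce "nobodyjane", which blocks nobody
# useful, so a newline is added first when needed.
ftp_block_user() {
    file=$1
    user=$2
    if ftp_user_blocked "$file" "$user"; then
        return 0
    fi
    # $(tail -c 1 FILE) is empty when the last byte is a newline, because
    # command substitution strips trailing newlines.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$user" >> "$file"
}

# ftp_blocked_users FILE: list the blocked accounts, skipping comments/blanks.
ftp_blocked_users() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Usage on the live system (as root):
#   ftp_block_user /etc/vsftpd/ftpusers jane
#   ftp_blocked_users /etc/vsftpd/ftpusers
```

On CentOS this file is enforced through the pam_listfile line in /etc/pam.d/vsftpd, which is why a listed user gets "530 Login incorrect" (a PAM authentication failure) rather than the "530 Permission denied" that root received earlier; no vsftpd restart is needed for a change to take effect.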
FTP Security - Chroot / Jail Users (limiting users to their own home directory)
By default a local FTP user has the right to change to any directory outside /home/user, and can therefore browse files in any directory on the FTP server. Let's have a close look at the example below. The user james browses the /etc/sysconfig/networking directory and learns that it contains two directories, devices and profiles. If james has rights on a file outside his home directory (for example through group rights), he can simply download it:
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): james
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/home/james"
ftp> cd /etc/sysconfig/networking
250 Directory successfully changed.
ftp> pwd
257 "/etc/sysconfig/networking"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
devices
profiles
226 Directory send OK.
ftp: 19 bytes received in 0.00Seconds 19.00Kbytes/sec.
ftp> bin
200 Switching to Binary mode.
ftp> cd devices
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
ifcfg-eth0
ifcfg-eth0.bak
ifcfg-eth1
ifcfg-eth1.bak
226 Directory send OK.
ftp: 56 bytes received in 0.00Seconds 28.00Kbytes/sec.
ftp> get ifcfg-eth0
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ifcfg-eth0 (117 bytes).
226 File send OK.
ftp: 117 bytes received in 0.00Seconds 117.00Kbytes/sec.
Thus it is always recommended to jail/restrict FTP users to their own /home/user directory.
Step 1: Edit /etc/vsftpd/vsftpd.conf
Option A: chroot all local users
If you add chroot_local_user=YES, all local users are chroot()'ed/jailed to their /home/user directory. Go to the last line of the file and add the line:
vim /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
Option B: chroot only selected users
If you want only selected FTP users restricted to their home directory, uncomment (delete the # sign at) lines 94 and 96. If chroot_local_user=YES was previously added, make sure it is removed from your vsftpd.conf file:
vim /etc/vsftpd/vsftpd.conf
91 # You may specify an explicit list of local users to chroot() to their home
92 # directory. If chroot_local_user is YES, then this list becomes a list of
93 # users to NOT chroot().
94 chroot_list_enable=YES
95 # (default follows)
96 chroot_list_file=/etc/vsftpd/chroot_list
Step 2 (if you chose Option B above): Create a file named chroot_list under /etc/vsftpd/
In the following example we create chroot_list and put the user james in the list:
cd /etc/vsftpd/
vim chroot_list
james
Step 3: Restart the vsftpd service
service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
Step 4 (for Option A only): Verify your setting
Since we chroot() all users, neither Jane nor James has any right to access other folders:
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): james
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> cd /etc
550 Failed to change directory.
ftp> quit
221 Goodbye.

C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): jane
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> cd /etc
550 Failed to change directory.
ftp> quit
221 Goodbye.
(For Option B only): Verify your setting
The output below shows that the chroot setting is correct, because only James' access is restricted:
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): james
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> cd /var/log
550 Failed to change directory.
ftp> quit
221 Goodbye.

C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): jane
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/home/jane"
ftp> cd /var/log
250 Directory successfully changed.
ftp> pwd
257 "/var/log"
ftp>
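As an added example (not part of the original tutorial), the following shell function applies the rule quoted in the configuration comments above to a given vsftpd.conf and reports whether a particular user will be jailed. It exists mainly to catch the pitfall Option B warns about: with both chroot_local_user=YES and chroot_list_enable=YES in the file, the list silently becomes the set of users who are NOT jailed. Paths are parameters so constructed sample files can be used; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: predict vsftpd's chroot
# decision for a user from vsftpd.conf. Function names are my own.

# vsftpd_get CONF KEY: effective value of KEY (last uncommented line wins).
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# user_is_chrooted CONF USER: return 0 if USER ends up jailed in the home
# directory, 1 if the user can still cd anywhere readable on the server.
user_is_chrooted() {
    conf=$1
    user=$2
    all=$(vsftpd_get "$conf" chroot_local_user)        # vsftpd default: NO
    use_list=$(vsftpd_get "$conf" chroot_list_enable)  # vsftpd default: NO
    listfile=$(vsftpd_get "$conf" chroot_list_file)
    listfile=${listfile:-/etc/vsftpd/chroot_list}       # vsftpd default path
    on_list=no
    if [ "$use_list" = "YES" ] && [ -f "$listfile" ] && grep -qx "$user" "$listfile"; then
        on_list=yes
    fi
    if [ "$all" = "YES" ]; then
        # Option A: everyone is jailed, EXCEPT users on the list (the inversion
        # described in the comment at line 92-93 of vsftpd.conf).
        if [ "$on_list" = yes ]; then return 1; else return 0; fi
    fi
    # Option B: nobody is jailed, except users on the list.
    if [ "$on_list" = yes ]; then return 0; else return 1; fi
}

# chroot_report CONF USER...: print one line per user, e.g. "james: chrooted".
chroot_report() {
    conf=$1
    shift
    for u in "$@"; do
        if user_is_chrooted "$conf" "$u"; then
            echo "$u: chrooted to home directory"
        else
            echo "$u: NOT chrooted, can cd anywhere readable"
        fi
    done
}

# Usage on the live system:
#   chroot_report /etc/vsftpd/vsftpd.conf james jane
```

Run chroot_report after editing vsftpd.conf and before restarting: if it says james is not chrooted while jane is, the file contains the combined setting and chroot_local_user=YES needs to come out, exactly as the Option B text requires.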
TCP Wrappers
Using TCP Wrappers is the easiest way to filter unauthorized access to your system. It is a host-based access control list that lets the host itself filter IP-based traffic to its services such as FTP, rsync, email etc. TCP Wrappers is used by the inetd and xinetd services (and by daemons linked against its library) and consults /etc/hosts.deny and /etc/hosts.allow.
On CentOS machines the TCP Wrappers package (tcp_wrappers) is installed by default and provides host-based access control to network services.
Do all services support TCP Wrappers?
The answer is NO.
Not all TCP services are supported by TCP Wrappers. Basically, services/applications that are not linked to the TCP Wrappers library (/usr/lib/libwrap.a) cannot be controlled by TCP Wrappers.
To determine whether a network service binary is linked to libwrap, run the following command as the root user. The example below clearly shows that sshd supports TCP Wrappers while httpd does not:
[root@srv1 ~]# ldd $(which sshd) | grep libwrap
        libwrap.so.0 => /lib/libwrap.so.0 (0x00c07000)
[root@srv1 ~]# ldd $(which httpd) | grep libwrap
[root@srv1 ~]#
In the following example I am going to show you how to configure TCP Wrappers so that only our network 192.168.1.0/24 is allowed to use the vsftpd service.
Step 1: Configure /etc/hosts.allow with your favorite text editor
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# allow all access from 192.168.1.0/24 to the server
ALL:192.168.1.
# allow the clients from 192.168.1.0/24 to use the vsftpd service
vsftpd:192.168.1.
Step 2: Configure /etc/hosts.deny so that every other network (other than 192.168.1.0/24) is refused the services we specified in /etc/hosts.allow
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
ALL:ALL
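As an added example (not part of the original tutorial), here is a small shell model of how tcpd/libwrap evaluates hosts.allow and hosts.deny, so the two files above can be checked for a given daemon name and client address before relying on them. It covers only the syntax used on this page: the ALL wildcard, exact addresses, and trailing-dot network prefixes such as 192.168.1.; anything after the second colon (spawn, twist) is ignored. The evaluation order is the real one: first match in hosts.allow grants access, otherwise first match in hosts.deny refuses it, otherwise access is granted. The file paths are parameters and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: model the hosts.allow /
# hosts.deny decision for one daemon and one client IP. Function names are my own.

# wrap_pattern_match PATTERN VALUE: 0 if PATTERN covers VALUE.
wrap_pattern_match() {
    pat=$(printf '%s' "$1" | tr -d ' ')
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$2" in "$pat"*) return 0 ;; esac ;;   # "192.168.1." prefix
        *)   [ "$pat" = "$2" ] && return 0 ;;            # exact daemon/address
    esac
    return 1
}

# wrap_file_matches FILE DAEMON CLIENT_IP: 0 if some non-comment entry of the
# form "daemon_list : client_list [: options]" matches, 1 otherwise.
wrap_file_matches() {
    file=$1
    daemon=$2
    ip=$3
    [ -f "$file" ] || return 1
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                       # drop ": spawn ..." options
        # Both lists are comma separated; any daemon/client pair may match.
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            wrap_pattern_match "$d" "$daemon" || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                if wrap_pattern_match "$c" "$ip"; then return 0; fi
            done
        done
    done < "$file"
    return 1
}

# wrap_decide ALLOW_FILE DENY_FILE DAEMON CLIENT_IP: print "allow" or "deny".
wrap_decide() {
    if wrap_file_matches "$1" "$3" "$4"; then
        echo allow
    elif wrap_file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow                                # no rule at all: tcpd allows
    fi
}

# Usage against the live files:
#   wrap_decide /etc/hosts.allow /etc/hosts.deny vsftpd 192.168.13.145
```

Two caveats the model makes visible. The daemon field is matched against the server's process name, so the entry must read vsftpd (a misspelling such as vfstpd never matches, and the ALL:192.168.1. line above would be the only reason the network still gets in). And vsftpd only consults libwrap when tcp_wrappers=YES is set in vsftpd.conf, so check that option if a hosts.deny rule appears to have no effect on FTP.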
Now I want to know when a hacker port scans my system. Can I use TCP Wrappers to add some extra security features? Yes.
In your /etc/hosts.deny put the following:
vsftpd : ALL: spawn (echo "security notice from host $(/bin/hostname)" ;\
        echo; /usr/sbin/safe_finger @%h ) | \
        /bin/mail -s "%d-%h security" adminuser & \
        : twist ( /bin/echo -e "\n\nWARNING connection not allowed.\n\n" )