Understanding the /etc/vsftpd/vsftpd.conf File

To learn what you can have in the /etc/vsftpd/vsftpd.conf file and how these lines affect the vsftpd server's operation, start by looking at the /etc/vsftpd/vsftpd.conf file that's installed by default. The comments in this file tell you what each option does.

By default, vsftpd allows almost nothing. Through the options in /etc/vsftpd/vsftpd.conf you can loosen the restrictions so that users can use FTP. It's up to you to decide how loose the settings should be. Note that most of the options in the installed file are set to YES; that's because most of the compiled-in defaults are NO, and an option that is commented out (a # at the beginning of the line) simply falls back to its compiled-in default. Commenting out is therefore the usual way to switch an option off, but it only works when the default really is NO; for the few options whose default is YES (anonymous_enable is the important one), set the option to NO explicitly. Each option is written as option=value on a line of its own with no spaces around the equals sign; vsftpd refuses to start on a line such as chown_uploads = YES.


Here are the options you can set in /etc/vsftpd/vsftpd.conf:

♦ anon_mkdir_write_enable=YES enables anonymous FTP users to create new directories (write_enable must also be YES for this to take effect). This is a risky option and you may want to set this to NO, even if you allow anonymous users to upload files.

♦ anon_upload_enable=YES means anonymous FTP users can upload files. This option takes effect only if write_enable is also set to YES and the target directory is writable by the user that vsftpd runs anonymous sessions as (the ftp user); the directory does not have to be writable by everyone. Remember that allowing anonymous users to write on your system can be very risky because someone could fill up the disk or use your disk for their personal storage. If you must allow it, use a dedicated upload directory that the ftp user can write to but not read, so that the server cannot be turned into an anonymous file exchange.

♦ anonymous_enable=YES enables anonymous FTP (so users can log in with the user name "anonymous" and provide their email address as password). Set this option to NO if you do not want anonymous FTP. Merely commenting the line out is not enough here, because the compiled-in default for this option is YES.

♦ ascii_download_enable=YES enables file downloads in ASCII mode. On some FTP servers ASCII support opens a denial-of-service hole: a remote user issues the SIZE command on a huge file while in ASCII mode, and the server reads the entire file to work out its size after line-ending conversion. vsftpd's own configuration comments note that it anticipated this attack and always reports the raw file size for SIZE, so vsftpd is not vulnerable to it. Leave the option off anyway unless clients actually need ASCII transfers; the line-ending conversion still costs CPU on every ASCII download.

♦ ascii_upload_enable=YES enables file uploads in ASCII mode (for text files).

♦ async_abor_enable=YES causes vsftpd to recognize ABOR (abort) requests that arrive at any time. You may need to enable it to allow older FTP clients to work with vsftpd.

♦ banned_email_file=/etc/vsftpd/banned_emails specifies the file with the list of banned email addresses (used only if deny_email_enable is set to YES).

♦ chown_uploads=YES causes files uploaded by anonymous users to be owned by the user named in chown_username, so that anonymous users can no longer alter what they uploaded. Don't enable this unless absolutely necessary, and never let chown_username be root (which, inconveniently, is vsftpd's compiled-in default for that option). Note the spelling with no spaces around the equals sign; vsftpd rejects a line such as chown_uploads = YES at startup.

♦ chown_username=name specifies the user name that would own files uploaded by anonymous FTP users.

♦ chroot_list_enable=YES activates the list of users in chroot_list_file. How that list is interpreted depends on chroot_local_user: with chroot_local_user=NO, only the listed users are confined (chrooted) to their home directories when they log in for FTP service; with chroot_local_user=YES, every local user is confined except the listed ones. Confinement prevents a user from getting to any files outside the home directory. Note that vsftpd 2.3.5 and later refuse to confine a user whose home directory is writable by that user (the login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), so make the home directory itself read-only for the user and give them a writable subdirectory, or, accepting the risk, set allow_writeable_chroot=YES (available in vsftpd 3.0.0 and later).

♦ chroot_list_file=/etc/vsftpd/chroot_list is the list of users who are either confined to their home directories or not, depending on the setting of chroot_local_user.

♦ chroot_local_user=YES confines local users to their home directory (in other words, their home directory becomes their root directory /).

♦ connect_from_port_20=YES causes vsftpd to originate active-mode (PORT) data connections from the server's port 20, the standard FTP data port, which is what the FTP specification calls for and what many client-side firewalls expect. Passive-mode (PASV) transfers are not affected by this option.

♦ data_connection_timeout=120 is the time in seconds after which an inactive data connection is timed out.

♦ deny_email_enable=YES causes vsftpd to check a list of banned email addresses and denies access to anyone who tries to log in anonymously with a banned email address as password.

♦ dirmessage_enable=YES causes vsftpd to display messages when FTP users change to certain directories.

♦ ftpd_banner=Welcome to my FTP service sets the banner that vsftpd displays when a user logs in. You can change the message to anything you want.

♦ idle_session_timeout=600 is the time (in seconds) after which an idle session (one where someone connects and then does nothing) times out and vsftpd logs the user out.

♦ listen=YES causes vsftpd to listen for connection requests and, consequently, run in standalone mode. Set this to NO if you want to run vsftpd under xinetd.

♦ local_enable=YES causes vsftpd to grant local users access to FTP.

♦ local_umask=022 means whatever files FTP writes will have a permission of 644 (read access for everyone, but write access for the owner only). You can set it to any file permission mask you want. For example, if you want no permissions for anyone but the owner, change this to 077, which is also vsftpd's compiled-in default when the option is absent; the 022 in the installed file is already a loosening.

♦ ls_recurse_enable=YES enables FTP users to list directory trees recursively with ls -R. Leave it off on a server with large directory trees or anonymous users: a recursive listing of a big tree lets a remote user cause a lot of disk I/O, which is why vsftpd disables it by default.

♦ nopriv_user=ftp identifies an unprivileged user that the FTP server can use.

♦ pam_service_name=vsftpd is the name of the Pluggable Authentication Module (PAM) configuration file that is used when vsftpd needs to authenticate a user. By default the PAM configuration files are in /etc/pam.d directory. That means vsftpd's PAM configuration file is /etc/pam.d/vsftpd.

♦ tcp_wrappers=YES enables support for access control through the TCP wrapper that consults the files /etc/hosts.allow and /etc/hosts.deny. (For more information about the TCP wrapper, see Chapter 22.)

♦ userlist_deny=YES (the compiled-in default) causes vsftpd, when userlist_enable is also YES, to deny access to the users listed in the /etc/vsftpd/user_list file. Without userlist_enable=YES the list is never consulted and this option has no effect. Listed users are refused before they are even prompted for a password, which also keeps their passwords off the wire. With userlist_deny=NO the file becomes an allow list instead: only the users named in it may log in.

♦ write_enable=YES causes vsftpd to allow any FTP command that changes the file system (STOR and APPE uploads, DELE, RNFR/RNTO, MKD, RMD, and SITE CHMOD). With write_enable=NO the server is read-only, regardless of what anon_upload_enable and anon_mkdir_write_enable say.

♦ xferlog_enable=YES turns on the logging of file downloads and uploads (always a good idea, but takes disk space).

♦ xferlog_file=/var/log/vsftpd.log specifies the full pathname of the vsftpd log file. The default is /var/log/vsftpd.log.

♦ xferlog_std_format=YES causes vsftpd to write the transfer log in the standard xferlog format used by wu-ftpd and understood by existing log-analysis tools, at the cost of the more readable vsftpd-native format. When this format is selected and xferlog_file is not set, the default log location becomes /var/log/xferlog.
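The options above interact in ways that are easy to get wrong (an anon_upload_enable without write_enable does nothing, a userlist_deny without userlist_enable does nothing, a commented-out anonymous_enable means YES). The following script is an added example, not part of the original text and not vsftpd's own code: it parses a vsftpd.conf the way vsftpd does (option=value, no spaces around the equals sign, # only at the start of a line), applies the compiled-in defaults from vsftpd.conf(5) for anything left unset, and reports the risky or ineffective settings discussed above. The two sample configurations at the bottom are constructed for the example.

```python
"""Lint a vsftpd.conf for the risky settings and combinations described above.

Added example (not from the original text or from vsftpd). DEFAULTS holds the
compiled-in defaults from vsftpd.conf(5); they matter because a commented-out
option falls back to its default, and for anonymous_enable that default is YES.
"""
from __future__ import annotations

# Compiled-in defaults (vsftpd.conf(5)) for the options the checks depend on.
DEFAULTS: dict[str, str] = {
    "anonymous_enable": "YES",      # commenting it out does NOT turn anonymous FTP off
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chown_uploads": "NO",
    "chown_username": "root",       # the default is exactly the value to avoid
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "userlist_enable": "NO",
    "userlist_deny": "YES",
    "local_umask": "077",
    "xferlog_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse vsftpd.conf text into {option: value}.

    vsftpd treats a line as a comment only when '#' is its first character and
    rejects whitespace around '=' ('chown_uploads = YES' is a startup error),
    so this parser refuses such lines instead of guessing what was meant.
    """
    conf: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        option, sep, value = line.partition("=")
        if not sep or not option or option != option.strip() or value != value.lstrip():
            raise ValueError(f"line {lineno}: not in option=value form: {line!r}")
        conf[option] = value
    return conf


def effective(conf: dict[str, str], option: str) -> str:
    """Value vsftpd will actually use: the explicit setting, else the compiled-in default."""
    return conf.get(option, DEFAULTS[option])


def is_on(conf: dict[str, str], option: str) -> bool:
    """vsftpd accepts YES/TRUE/1 (case-insensitive) as true for boolean options."""
    return effective(conf, option).upper() in ("YES", "TRUE", "1")


def lint_vsftpd_conf(text: str) -> list[str]:
    """Return one finding per risky or ineffective setting; [] means nothing flagged."""
    conf = parse_vsftpd_conf(text)
    findings: list[str] = []
    if is_on(conf, "anonymous_enable"):
        how = "explicitly" if "anonymous_enable" in conf else "by default (option absent)"
        findings.append(f"anonymous FTP is enabled {how}; set anonymous_enable=NO to disable it")
    if is_on(conf, "anon_upload_enable"):
        if is_on(conf, "write_enable"):
            findings.append("anonymous uploads are enabled (anon_upload_enable and write_enable are YES)")
        else:
            findings.append("anon_upload_enable=YES has no effect because write_enable is NO")
    if is_on(conf, "anon_mkdir_write_enable"):
        findings.append("anonymous users may create directories (anon_mkdir_write_enable=YES)")
    if is_on(conf, "chown_uploads") and effective(conf, "chown_username") == "root":
        findings.append("chown_uploads=YES hands anonymous uploads to root (chown_username unset or root)")
    if "userlist_deny" in conf and not is_on(conf, "userlist_enable"):
        findings.append("userlist_deny is ignored because userlist_enable is NO")
    if is_on(conf, "local_enable") and not (is_on(conf, "chroot_local_user") or is_on(conf, "chroot_list_enable")):
        findings.append("local users are not confined to their home directories (no chroot option is on)")
    umask = effective(conf, "local_umask")
    if int(umask, 8) & 0o022 != 0o022:   # write bit for group or other not masked out
        findings.append(f"local_umask={umask} leaves files FTP creates group- or world-writable")
    if not is_on(conf, "xferlog_enable"):
        findings.append("transfer logging is off (xferlog_enable is NO)")
    return findings


# Constructed sample configurations for the example (not taken from any real host).
WEAK_CONF = """\
# constructed: a permissive vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
userlist_deny=YES
local_umask=002
"""

HARDENED_CONF = """\
# constructed: the same server with the settings tightened
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=YES
local_umask=022
xferlog_enable=YES
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: " + ("; ".join(lint_vsftpd_conf(sample)) or "no findings"))
```

Run it against a real file with lint_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read()). The checker deliberately does not try to judge chroot_local_user=YES as safe or unsafe, because whether the chroot is writable depends on the file system, not on the configuration file.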


Understanding the /etc/vsftpd/ftpusers File

The vsftpd server uses the Pluggable Authentication Module (PAM) to authenticate users when they try to log in (just as the normal login process uses PAM to do the job). The PAM configuration file for vsftpd is /etc/pam.d/vsftpd. That PAM configuration file refers to /etc/vsftpd/ftpusers like this:

auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
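The part of that line that deserves attention is onerr=succeed: it tells pam_listfile what to return when it cannot consult the list at all, and "succeed" means the check passes, so a missing or unreadable /etc/vsftpd/ftpusers silently stops denying anyone. pam_listfile also treats a list file that is world-writable or not owned by root as an error, so a careless chmod has the same effect. The model below is an added example, not part of the original text and not Linux-PAM's code; it reproduces the documented decision logic of item=user with sense and onerr so the fail-open behaviour can be seen, using a constructed sample list.

```python
"""Model of the pam_listfile rule that /etc/pam.d/vsftpd applies to /etc/vsftpd/ftpusers.

Added example (not from the original text or from Linux-PAM). It reproduces the
documented semantics of

    auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

so the effect of onerr=succeed is visible: when the list cannot be read, the
module reports success and the deny list is bypassed.
"""
from __future__ import annotations

from typing import Optional


def load_ftpusers(text: str) -> set[str]:
    """One user name per line, surrounding whitespace ignored.

    pam_listfile has no comment syntax; a line starting with '#' simply never
    equals a real user name, so such lines are harmless and are skipped here.
    """
    names: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def pam_listfile_auth(user: str, ftpusers_text: Optional[str],
                      sense: str = "deny", onerr: str = "succeed") -> bool:
    """Return True when the rule lets `user` continue to the next auth step.

    ftpusers_text=None models a list file that is missing, unreadable, or
    rejected (world-writable or not owned by root); the rule then returns
    whatever onerr says (succeed -> True, fail -> False) without consulting
    the list at all.
    """
    if ftpusers_text is None:
        return onerr == "succeed"
    listed = user in load_ftpusers(ftpusers_text)
    return not listed if sense == "deny" else listed


# Constructed sample list in the usual /etc/vsftpd/ftpusers layout (not from a real host).
SAMPLE_FTPUSERS = """\
# Users that are not allowed to log in via ftp
root
bin
daemon
nobody
"""

if __name__ == "__main__":
    for user, text in (("root", SAMPLE_FTPUSERS), ("alice", SAMPLE_FTPUSERS), ("root", None)):
        state = "present" if text is not None else "unreadable"
        print(f"{user} with list {state}: {'continue' if pam_listfile_auth(user, text) else 'denied'}")
```

If fail-closed behaviour is wanted, change onerr=succeed to onerr=fail in /etc/pam.d/vsftpd; the cost is that every FTP login fails while the list file is broken, which is usually the right trade on a server that exists to keep system accounts off FTP.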
