Vsftpd as an Anonymous FTP Server
An FTP server is most commonly used as a server for anonymous downloads. We look at this setup first.
An anonymous FTP server is a server that allows anyone to log in with the username ftp or anonymous and download files. If you use a browser to access an anonymous FTP site, the browser passes the login information to the site without the user having to think about it. User FTP, which we consider later, refers to an FTP server on which specified users have accounts that they can access with their username and password. Traditionally, Unix and Linux systems ran an FTP server by default, and any user could access their home directory remotely by FTP. For the security reasons discussed previously, this is no longer normal practice except on a trusted internal network.
vsftpd is typically run from xinetd. If vsftpd is installed, you now need to enable it as a service to be started from xinetd. This can easily be done using YaST: Network Services → Network Services (inetd). The xinetd daemon itself should be enabled, and the FTP service should be toggled to on (see Figure 22-1). Now whenever the system boots into runlevel 3 or 5, the xinetd daemon will run and will start the vsftpd FTP daemon.
Note: The xinetd daemon is the extended Internet services daemon, sometimes described as a super-server. The purpose of xinetd is to control the starting of various network services, which are not started at boot time, but remain dormant until a request for the particular service arrives, at which point xinetd passes the request on to the relevant program (in our case vsftpd). Each service that can be handled by xinetd has a corresponding file in the directory /etc/xinetd.d/. These files control how xinetd starts the service; the actual configuration file is elsewhere. So the file to edit to control the behavior of vsftpd is /etc/vsftpd.conf, not /etc/xinetd.d/vsftpd. The easiest way to control which services xinetd manages is through YaST's Network Services module as described in the main text.
- Figure 22-1: Configuring vsftpd in YaST's xinetd editor
The behavior of vsftpd is controlled by the file /etc/vsftpd.conf. The comment at the top of the file reads:
# Example config file /etc/vsftpd.conf
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
# If you do not change anything here you will have a minimum setup for an
# anonymous FTP server.
And so once you have enabled vsftpd, you should be able to connect by FTP as follows:
[email protected]: /home/user $ ftp bible
Connected to bible.
220 (vsFTPd 1.2.1)
Name (bible:user):
Notice that the FTP server assumes a default username the same as that on the client. At this point, if you accept the default and press Return, or enter another username known to the system bible, you will see this:
530 This FTP server is anonymous only.
ftp: Login failed.
ftp>
But if you log in with either of the usernames ftp or anonymous, you can offer any password (traditionally this should be a valid email address, but the server will accept anything, including an empty password), and you are logged in.
[email protected]: /home/user > ftp bible
Connected to bible.
Name (bible:user):ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
If you now type ls to list files on the FTP server, you will (not surprisingly) find that there is nothing there:
ftp> ls
229 Entering Extended Passive Mode (|||37477|)
150 Here comes the directory listing.
226 Directory send OK.
ftp>
The location on the server that acts as the FTP server's root for anonymous FTP is /srv/ftp/ (just as the Apache web server's root is normally /srv/www/). So whatever files and directories you place there will be visible to FTP clients. If you now copy a file to /srv/ftp/, you will be able to download it by FTP by using the FTP get command:
ftp> get afile
local: afile remote: afile
229 Entering Extended Passive Mode (|||19160|)
150 Opening BINARY mode data connection for afile (4096 bytes).
226 File send OK.
ftp>
If you look at /var/log/messages on the server, you will see that vsftpd has logged the login:
Jul 25 16:41:06 bible vsftpd: Sun Jul 25 16:41:06 2004 [pid 23139] CONNECT: Client "192.168.2.3"
Jul 25 16:41:13 bible vsftpd: Sun Jul 25 16:41:13 2004 [pid 23138] [ftp] OK LOGIN: Client "192.168.2.3", anon password "password"
Each download is also logged.
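The CONNECT and OK LOGIN lines shown above can be summarized per client, for instance to spot addresses that open sessions repeatedly without ever logging in. This is an added example, not part of the original text; the sample log is constructed in the format shown above, and the function names and the threshold are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/messages format shown above.
SAMPLE_LOG = """\
Jul 25 16:41:06 bible vsftpd: Sun Jul 25 16:41:06 2004 [pid 23139] CONNECT: Client "192.168.2.3"
Jul 25 16:41:13 bible vsftpd: Sun Jul 25 16:41:13 2004 [pid 23138] [ftp] OK LOGIN: Client "192.168.2.3", anon password "password"
Jul 25 16:42:01 bible vsftpd: Sun Jul 25 16:42:01 2004 [pid 23150] CONNECT: Client "192.168.2.9"
Jul 25 16:42:02 bible vsftpd: Sun Jul 25 16:42:02 2004 [pid 23151] CONNECT: Client "192.168.2.9"
Jul 25 16:42:03 bible vsftpd: Sun Jul 25 16:42:03 2004 [pid 23152] CONNECT: Client "192.168.2.9"
"""

# Optional "[user]" field, event name, quoted client address.
EVENT = re.compile(
    r'vsftpd: (?P<when>.+?) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>[A-Z ]+): Client "(?P<client>[^"]+)"'
)

def parse_events(text):
    """Yield one dict per vsftpd event line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            yield m.groupdict()

def summarize(events):
    """Count CONNECT and OK LOGIN events per client address."""
    stats = defaultdict(lambda: {"connects": 0, "logins": 0})
    for ev in events:
        if ev["event"] == "CONNECT":
            stats[ev["client"]]["connects"] += 1
        elif ev["event"] == "OK LOGIN":
            stats[ev["client"]]["logins"] += 1
    return dict(stats)

def connect_only_clients(stats, min_connects=3):
    """Clients that opened min_connects or more sessions but never logged in."""
    return sorted(c for c, s in stats.items()
                  if s["connects"] >= min_connects and s["logins"] == 0)

if __name__ == "__main__":
    stats = summarize(parse_events(SAMPLE_LOG))
    for client, s in sorted(stats.items()):
        print(client, s)
    print("connect-only:", connect_only_clients(stats))
```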
Note that you can force vsftpd to write its logs to its own log file by making a small change to /etc/vsftpd.conf. Simply make sure that the following lines are present:
log_ftp_protocol=YES
xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
and comment out or remove the line:
syslog_enable=YES
You can create a customized "FTP banner" by including a line like this in the configuration file:
ftpd_banner="Welcome to our very fine FTP service."
When users log in using text mode FTP or a dedicated FTP client, they will see the message before the login prompt:
220 "Welcome to our very fine FTP service."
Name (localhost:user):
This can be used to offer service messages, but is not useful for users connecting with a browser. It may be useful to include files README and/or README.html, which these users can click.
You can also place a file named .message in /srv/ftp/ or any of its subdirectories. When the user changes to a directory with such a file in it, the file's contents will be displayed.
ftp> cd pub
250-This directory contains useful files
250 Directory successfully changed.
ftp>
The file /srv/ftp/pub/.message contained just the line:
This directory contains useful files
vsftpd allows passive FTP connections unless you set
pasv_enable=NO
in the configuration file. You almost certainly want to allow passive connections, as otherwise many clients connecting from behind a firewall will be unable to connect.
Note: Active FTP operates on both server port 20 (for data transfers) and port 21 (for control commands) and involves a reply connection from the server to the client, which may be blocked by a firewall behind which the client is sitting. Passive FTP involves only server port 21 and is unlikely to cause problems with a standard firewall configuration that allows established connections. For more on firewall configuration, see Chapter 23.
Note that all options in the configuration file are specified in the form:
option=value
and that there should be no white space before or after the = sign.
For a standard anonymous Internet FTP download server, you have done all you need to do.
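The option=value rule and the logging and passive-mode settings discussed above can be checked before the file is deployed. This is an added example, not part of the original text or of vsftpd itself; the sample configuration is constructed, and the function names and messages are illustrative assumptions.

```python
# Constructed sample config; line 3 breaks the white-space rule and
# lines 5 and 6 contradict the advice given in the text.
SAMPLE_CONF = """\
# Example config file /etc/vsftpd.conf
log_ftp_protocol=YES
xferlog_enable = YES
vsftpd_log_file=/var/log/vsftpd.log
syslog_enable=YES
pasv_enable=NO
"""

def parse_conf(text):
    """Return (settings, findings); findings are (line_no, message) tuples."""
    settings, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue  # blank line or comment
        if "=" not in raw:
            findings.append((no, "not in option=value form"))
            continue
        key, value = raw.split("=", 1)
        if key.rstrip() != key or value.lstrip() != value:
            findings.append((no, "white space around '='"))
        settings[key.strip()] = value.strip()
    return settings, findings

def check_settings(settings):
    """Compare parsed settings with the dedicated-log-file setup in the text."""
    issues = []
    for opt in ("log_ftp_protocol", "xferlog_enable"):
        if settings.get(opt, "").upper() != "YES":
            issues.append(f"{opt} is not YES")
    if "vsftpd_log_file" not in settings:
        issues.append("vsftpd_log_file is not set")
    if settings.get("syslog_enable", "").upper() == "YES":
        issues.append("syslog_enable=YES is present; comment it out or remove it")
    if settings.get("pasv_enable", "").upper() == "NO":
        issues.append("pasv_enable=NO; clients behind a firewall may fail to connect")
    return issues

if __name__ == "__main__":
    settings, findings = parse_conf(SAMPLE_CONF)
    for no, msg in findings:
        print(f"line {no}: {msg}")
    for issue in check_settings(settings):
        print("setting:", issue)
```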