The Very Secure FTP Service
Before configuring the vsFTP server, you need to install it. One method is with the following command:
$ sudo apt-get install vsftpd
| FTP Server | Description |
| --- | --- |
| Advanced TFTP (atftpd) | A multi-threaded TFTP server for multiple connections |
| Netkit FTP (ftpd) | An FTP server with an SSL option; other FTP servers are preferred in the Ubuntu documentation |
| Secure FTP (krb5-ftpd) | An FTP server that uses Kerberos for authentication |
|  | A complex FTP server with support for chroot directories, quotas, and more |
| Trivial FTP (tftpd) | The standard TFTP server, sometimes used for terminal servers |
| TwoFTPd (twoftpd) | A two-part FTP server: an authenticating front-end that contains no file-transfer code, and a separate back-end that serves the session |
| WU-FTPD (wu-ftpd) | A once-popular FTP server that hasn't been maintained since 2001 |

Table 17-6. Description of Selected FTP Servers
Two key vsFTP configuration files are /etc/vsftpd.conf and /etc/ftpusers. The vsftpd.conf file is the standard server configuration. The /etc/ftpusers file lists users who are not allowed to log in through FTP; it is shared with other FTP servers, and on Ubuntu vsftpd enforces it through the pam_listfile line in /etc/pam.d/vsftpd, so system accounts such as root stay locked out even when local_enable=YES.
The directives in this file are straightforward. I urge you to read the file for yourself; the comments provide good explanations of many of the directives. A few of these directives are listed in Table 17-7. Commented directives in the default vsftpd.conf start with a pound sign (#); some of them show a value that is already vsftpd's compiled-in default, while others (local_enable and write_enable, for example) change the server's behavior when uncommented.
This section focuses on those directives that you might change to enhance security or to customize access for regular users. The directives in the default vsftpd.conf file are a small fraction of those available; the rest are documented in the vsftpd.conf man page.
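As an added check before the restart step that follows (an example script written for this edit, not part of the original text or of the vsftpd project), the POSIX shell audit below reads a vsftpd.conf and flags the directive combinations that matter most for security: anonymous writes, local users without a chroot, local logins without TLS, and ASCII-mode mangling. The two sample configurations it writes are constructed for the demonstration, and the defaults it assumes for directives that are absent from the file (anonymous_enable=YES, local_enable=NO, write_enable=NO, chroot_local_user=NO, ssl_enable=NO) are the compiled-in defaults documented in the vsftpd.conf man page.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the risky directive combinations discussed above.
# A directive that is absent from the file takes vsftpd's compiled-in default,
# which the caller passes as the third argument of vsftpd_bool.

# Effective value of directive $2 in file $1. Later assignments override
# earlier ones, as vsftpd reads the file top to bottom; commented lines (#)
# are skipped. Prints nothing when the directive is not set; output is
# upper-cased so YES/yes compare equal.
vsftpd_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null |
        tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]' | tr 'a-z' 'A-Z'
}

# Boolean view of directive $2 in file $1; $3 is the value assumed when unset.
vsftpd_bool() {
    v=$(vsftpd_get "$1" "$2")
    [ -n "$v" ] || v=$3
    case "$v" in YES|TRUE|1) echo YES ;; *) echo NO ;; esac
}

# Prints one finding per line; returns 1 if anything risky was found, else 0.
vsftpd_audit() {
    f=$1
    anon=$(vsftpd_bool "$f" anonymous_enable YES)
    loc=$(vsftpd_bool "$f" local_enable NO)
    wr=$(vsftpd_bool "$f" write_enable NO)
    anon_up=$(vsftpd_bool "$f" anon_upload_enable NO)
    anon_mkd=$(vsftpd_bool "$f" anon_mkdir_write_enable NO)
    jailed=$(vsftpd_bool "$f" chroot_local_user NO)
    ssl=$(vsftpd_bool "$f" ssl_enable NO)
    ascii_up=$(vsftpd_bool "$f" ascii_upload_enable NO)
    ascii_dn=$(vsftpd_bool "$f" ascii_download_enable NO)
    n=0
    if [ "$anon" = YES ] && [ "$wr" = YES ] && { [ "$anon_up" = YES ] || [ "$anon_mkd" = YES ]; }; then
        echo "anonymous users may write (anonymous_enable + write_enable + anon_*_enable)"
        n=$((n + 1))
    fi
    if [ "$loc" = YES ] && [ "$jailed" = NO ]; then
        echo "local users are not chrooted: the whole filesystem is browsable after login"
        n=$((n + 1))
    fi
    if [ "$loc" = YES ] && [ "$ssl" = NO ]; then
        echo "local logins without ssl_enable=YES: passwords cross the network in cleartext"
        n=$((n + 1))
    fi
    if [ "$ascii_up" = YES ] || [ "$ascii_dn" = YES ]; then
        echo "ASCII-mode mangling is enabled (ascii_upload_enable/ascii_download_enable)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Two constructed sample files (not Ubuntu's shipped vsftpd.conf): a weak
# configuration with every risky switch on, and a hardened one.
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT
WEAK=$DIR/weak-vsftpd.conf
HARD=$DIR/hard-vsftpd.conf
cat > "$WEAK" <<'EOF'
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
ascii_upload_enable=YES
EOF
cat > "$HARD" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
EOF

for f in "$WEAK" "$HARD"; do
    echo "== $f"
    if vsftpd_audit "$f"; then echo "no findings"; else echo "-> fix before restarting vsftpd"; fi
done
```

The weak file produces four findings and the hardened file none. One caveat on the hardened settings: vsftpd 2.3.5 and later refuse to log in a chrooted user whose home directory is itself writable (a "refusing to run with writable root inside chroot()" error) unless allow_writeable_chroot=YES is set; the safer arrangement is to keep the home directory read-only and give the user a writable subdirectory.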
Once the configuration is complete, restart the server with the following command. You can connect from the local system or from a remote system on the same network.
$ sudo /etc/init.d/vsftpd restart
Because anonymous access is enabled, the server should accept a login with the username anonymous (any string is accepted as the password; by convention it is an e-mail address). When the vsftpd package is installed, anonymous downloads, and uploads if you enable them, are served from the /home/ftp directory, the home directory of the ftp user.
| Directive | Description |
| --- | --- |
| listen=YES | Runs vsftpd as a standalone daemon rather than from inetd, so it can be controlled by the script in /etc/init.d; the listen_ipv6 directive is the IPv6 counterpart |
| anonymous_enable=YES | Allows anonymous access; set to NO unless the server is meant for the public |
| #local_enable=YES | Allows logins by regular (local) users |
| #write_enable=YES | Allows write commands (upload, delete, rename, mkdir) for authenticated users; the anon_* write directives require it as well |
| #local_umask=022 | Overrides the default umask of 077 for files created by local users; requires local_enable=YES |
| #anon_upload_enable=YES | Allows anonymous users to upload files (also needs write_enable=YES and a directory writable by the ftp user) |
| #anon_mkdir_write_enable=YES | Allows anonymous users to create directories (also needs write_enable=YES) |
| dirmessage_enable=YES | Shows a per-directory message, read by default from a .message file |
| xferlog_enable=YES | Activates logging of uploads and downloads |
| connect_from_port_20=YES | Makes active-mode (PORT) data connections originate from TCP port 20 on the server |
| #chown_uploads=YES | Changes the ownership of anonymously uploaded files to chown_username |
| #chown_username=whoever | The user that is given ownership of anonymously uploaded files; should not be root |
| #xferlog_file=/var/log/vsftpd.log | Specifies the transfer log file |
| #xferlog_std_format=YES | Writes the log in the standard (wu-ftpd-style) xferlog format instead of vsftpd's own |
| #idle_session_timeout=600 | Idle sessions are disconnected after 10 minutes |
| #data_connection_timeout=120 | Stalled data connections are dropped after two minutes |
| #nopriv_user=ftpsecure | Names the isolated, unprivileged system account the server uses for its non-privileged work; the account must exist (the default is nobody) |
| #async_abor_enable=YES | Required by some FTP clients; enabling it is discouraged |
| #ascii_upload_enable=YES | Enables ASCII-mode mangling of uploads; the configuration file comments call ASCII mode a "terrible feature" of the protocol |
| #ascii_download_enable=YES | Enables ASCII-mode mangling of downloads, with the same caveat |
| #ftp_banner=Welcome to blah FTP service | Configures the login banner |
| #deny_email_enable=YES | Denies anonymous logins whose e-mail password appears in banned_email_file |
| #banned_email_file=/etc/vsftpd.banned_emails | Specifies the file of disallowed anonymous e-mail passwords; requires deny_email_enable=YES |
| #chroot_local_user=YES | Confines local users to their home directories |
| #chroot_list_enable=YES | Enables a list of chroot exceptions, read from chroot_list_file |
| #chroot_list_file=/etc/vsftpd.chroot_list | With chroot_local_user=YES, users in this file are NOT chrooted; otherwise, only the users in this file are |
| #ls_recurse_enable=YES | Allows ls -R on subdirectories; a recursive listing of a large tree can consume a lot of server resources |
| secure_chroot_dir=/var/run/vsftpd | An empty directory, not writable by the ftp user, used as a jail whenever the server needs no filesystem access |
| pam_service_name=vsftpd | Names the PAM service (/etc/pam.d/vsftpd) used to authenticate local users |
| rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem | Points to the certificate used for TLS-protected connections; takes effect only with ssl_enable=YES |
| rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key | Points to the private key belonging to that certificate |

Table 17-7. Some vsFTP Server Configuration Commands
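With xferlog_enable=YES and xferlog_std_format=YES, the log named by xferlog_file records one transfer per line in the wu-ftpd xferlog layout, which is the input the following detection snippet works on. It is an added example written for this edit, not code from the original text or from the vsftpd project: the log lines are constructed, and the field positions follow the xferlog layout (timestamp, seconds, host, bytes, path, type, special action, direction, access mode, user, service, authentication method, authenticated id, status). It pulls out anonymous uploads, the activity the anon_upload_enable and anon_mkdir_write_enable directives make possible, and tallies them per host.

```shell
#!/bin/sh
# Pull anonymous uploads out of a vsftpd transfer log written with
# xferlog_std_format=YES. With awk's default whitespace splitting the fields are:
#   $1-$5 timestamp  $6 seconds  $7 remote host  $8 bytes  $9 path
#   $10 type (a/b)   $11 special action  $12 direction (i upload, o download)
#   $13 access mode (a anonymous, g guest, r real)  $14 user  $15 service
#   $16 auth method  $17 authenticated id  $18 status (c complete, i incomplete)
# Paths are assumed to contain no spaces.

# Constructed sample log (not taken from a real server).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mon Mar  3 10:01:12 2008 2 192.168.0.10 20480 /home/ftp/pub/README b _ o a ftp ftp 0 * c
Mon Mar  3 10:05:41 2008 1 192.168.0.10 512 /home/ftp/incoming/notes.txt a _ i a mailer@example.com ftp 0 * c
Mon Mar  3 10:07:03 2008 4 192.168.0.22 4194304 /home/ftp/incoming/tool.exe b _ i a nobody@example.com ftp 0 * c
Mon Mar  3 10:09:55 2008 1 10.0.0.5 1024 /home/alice/report.txt b _ i r alice ftp 0 * c
Mon Mar  3 10:12:30 2008 9 192.168.0.22 7340032 /home/ftp/incoming/movie.avi b _ i a nobody@example.com ftp 0 * i
EOF

# Every anonymous upload, complete or not: "host bytes path status".
anon_uploads() {
    awk '$12 == "i" && $13 == "a" { print $7, $8, $9, $18 }' "$1"
}

# Bytes stored on disk by completed anonymous uploads.
anon_upload_bytes() {
    awk '$12 == "i" && $13 == "a" && $18 == "c" { t += $8 } END { print t + 0 }' "$1"
}

# Hosts with more than $2 anonymous uploads (default 1): "host count", sorted.
anon_upload_hosts() {
    awk -v min="${2:-1}" '$12 == "i" && $13 == "a" { c[$7]++ }
        END { for (h in c) if (c[h] > min) print h, c[h] }' "$1" | sort
}

echo "anonymous uploads:"; anon_uploads "$LOG"
echo "bytes stored: $(anon_upload_bytes "$LOG")"
echo "hosts with repeated uploads:"; anon_upload_hosts "$LOG"
```

The filters key on the direction and access-mode fields rather than on the user field, because for anonymous sessions the user column carries whatever e-mail-style password the client sent and cannot be trusted. The incomplete transfer (status i) is listed but not counted toward the stored bytes.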
FTP Client
The standard FTP client is a basic, text-oriented command line application with a simple but efficient interface. Most web browsers can also act as FTP clients, and the gFTP and KFTPgrabber graphical clients are available from the Ubuntu repositories. The FTP client I prefer, however, is lftp.
Any FTP client supports views of files in a directory tree. Most FTP clients are simple. For example, you can use the ftp command to connect to a server such as ftp.kernel.org as follows:
$ ftp ftp.kernel.org
I prefer the lftp client because it supports interaction much like a regular shell. By default, lftp automatically attempts an anonymous login. It also supports command completion, which helps with files and directories that have long names.
Most commands at the FTP prompt act on the remote host, much as in a Telnet session. Most command line FTP clients still give access to the local shell: at the FTP client prompt, prefix the desired local command with a bang (!) to run it as a regular shell command.