The Very Secure FTP Service

Before configuring the vsFTP server, you need to install it. One method is with the following command:

$ sudo apt-get install vsftpd

Table 17-6. Description of Selected FTP Servers

FTP Server                Description
Advanced TFTP (atftpd)    A multi-threaded TFTP server that handles multiple connections; like all TFTP servers it offers no authentication or encryption
Netkit FTP (ftpd)         An FTP server with an SSL option; other FTP servers are preferred in the Ubuntu documentation
Secure FTP (krb5-ftpd)    An FTP server that uses Kerberos for authentication
Pure-FTPd (pure-ftpd)     A full-featured FTP server with support for chroot directories, quotas, and more
Trivial FTP (tftpd)       The standard TFTP server, sometimes used for terminal servers
TwoFTPd (twoftpd)         A two-part FTP server: an authenticating front-end that contains no file-access code, plus a separate back-end that serves files after login
WU-FTPD (wu-ftpd)         A once-popular FTP server that hasn't been maintained since 2001

Two key vsFTP configuration files are /etc/vsftpd.conf and /etc/ftpusers. The vsftpd.conf file is the server's main configuration file. The /etc/ftpusers file lists users who are denied FTP login; on Ubuntu vsftpd enforces it through a pam_listfile rule in /etc/pam.d/vsftpd, and other FTP servers read it as well. The stock file denies root and the other system accounts, and they should stay denied: plain FTP sends passwords in clear text unless TLS is enabled.

The directives in this file are straightforward. I urge you to read the file for yourself; the comments provide good explanations of many of the directives. A few of these directives are listed in Table 17-7. Directives shown there with a leading pound character (#) are commented out in the default vsftpd.conf; the value on such a line is the file's suggestion, not necessarily the built-in default (the built-in defaults for local_enable and write_enable are NO, for example, and for local_umask it is 077).

This section focuses on those directives that you might change to enhance the security or customize access to regular users. The directives in the default vsftpd.conf file are just a small fraction of the directives that are available; other directives are listed in the vsftpd.conf man page.

Once the configuration is complete, restart the server with the following command; vsftpd reads its configuration only at start-up, so changes do not take effect until it is restarted. You can then connect from the local system or from a remote system on the same network.

$ sudo /etc/init.d/vsftpd restart

With anonymous_enable=YES, the server accepts logins with the username anonymous and any password (by convention an e-mail address). When the vsftpd package is installed, the anonymous FTP tree is served from /home/ftp, the home directory of the ftp user, by default; anonymous downloads come from that directory, and anonymous uploads additionally require write_enable=YES, anon_upload_enable=YES, and a subdirectory writable by the ftp user.

Table 17-7. Some vsFTP Server Configuration Commands

Directive
    Description

listen=YES
    Runs vsftpd as a standalone daemon (what the /etc/init.d control script expects) rather than from inetd. listen_ipv6=YES is the IPv6 counterpart; the two directives are mutually exclusive.
anonymous_enable=YES
    Allows anonymous access (the built-in default is also YES); set it to NO unless an anonymous service is intended.
#local_enable=YES
    Allows logins by regular system users, authenticated through PAM.
#write_enable=YES
    Allows any FTP command that writes to the filesystem (STOR, DELE, RNFR, MKD, and so on); without it, none of the upload directives below take effect.
#local_umask=022
    Overrides the default umask of 077 for files created by local users; requires local_enable=YES.
#anon_upload_enable=YES
    Enables uploads by anonymous users; also needs write_enable=YES and a directory writable by the ftp user.
#anon_mkdir_write_enable=YES
    Enables creation of new directories by anonymous users; also needs write_enable=YES.
dirmessage_enable=YES
    Shows a message when a user first enters a directory; by default the text comes from a .message file in that directory.
xferlog_enable=YES
    Activates logging of uploads and downloads.
connect_from_port_20=YES
    Originates active-mode (PORT) data connections from TCP port 20 on the server, as some clients and firewalls expect.
#chown_uploads=YES
    Changes the ownership of anonymously uploaded files to the user named in chown_username.
#chown_username=whoever
    Sets the owner for anonymously uploaded files when chown_uploads=YES; never name root here.
#xferlog_file=/var/log/vsftpd.log
    Specifies the log file for file transfers.
#xferlog_std_format=YES
    Writes the transfer log in the standard wu-ftpd xferlog format instead of vsftpd's own, more detailed format.
#idle_session_timeout=600
    Disconnects a session that has been idle for 600 seconds (10 minutes).
#data_connection_timeout=120
    Aborts a stalled data connection after 120 seconds (2 minutes).
#nopriv_user=ftpsecure
    Names the unprivileged account vsftpd runs as when it needs no privileges. The default is nobody; the vsftpd man page recommends a dedicated account, which must exist on the system.
#async_abor_enable=YES
    Recognizes asynchronous ABOR requests, which some older FTP clients need to cancel a transfer; the default vsftpd.conf notes that enabling it is not recommended for security reasons.
#ascii_upload_enable=YES
    Enables uploads in ASCII mode; the default vsftpd.conf calls this a "terrible feature".
#ascii_download_enable=YES
    Enables downloads in ASCII mode; likewise a "terrible feature".
#ftp_banner=Welcome to blah FTP service
    Sets the login greeting; setting one also stops the default greeting from announcing the vsftpd version.
#deny_email_enable=YES
    Rejects anonymous logins whose password (by convention an e-mail address) appears in banned_email_file.
#banned_email_file=/etc/vsftpd.banned_emails
    File of disallowed anonymous e-mail addresses, one per line; requires deny_email_enable=YES.
#chroot_local_user=YES
    Confines local users to their home directories after login. Since vsftpd 2.3.5 the server refuses a session whose chroot directory is writable, so keep the home directory itself read-only and give users a writable subdirectory.
#chroot_list_enable=YES
    Enables the list of exceptions in chroot_list_file.
#chroot_list_file=/etc/vsftpd.chroot_list
    Users listed here, one per line, get the opposite of chroot_local_user: with chroot_local_user=YES the listed users are not chrooted; with chroot_local_user=NO only the listed users are.
#ls_recurse_enable=YES
    Permits ls -R; a recursive listing of a large tree can consume a lot of server resources, which is why it is off by default.
secure_chroot_dir=/var/run/vsftpd
    An empty directory, not writable by the ftp user, that vsftpd chroots into whenever it needs no filesystem access.
pam_service_name=vsftpd
    Names the PAM service (/etc/pam.d/vsftpd) used to authenticate local users; on Ubuntu that service is also where /etc/ftpusers is enforced.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    Certificate used for TLS-protected connections; consulted only when ssl_enable=YES. The snakeoil certificate is a self-signed placeholder generated by the ssl-cert package, suitable for testing but not for production.
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    Private key matching rsa_cert_file; keep it readable by root only.
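As an added example (not from the book, and not part of the vsftpd project), the following POSIX shell script audits a vsftpd.conf against the risky settings in Table 17-7. It follows vsftpd's own parsing rules: comment lines are ignored, the last assignment of a directive wins, boolean values are case-insensitive, and an unset directive takes its built-in default. The directive names and defaults are vsftpd's; the sample configuration it checks at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: audit a vsftpd.conf for the risky
# settings listed in Table 17-7. Directive names and built-in defaults
# are vsftpd's own; the sample configuration at the bottom is constructed.

# get_directive FILE KEY
# Prints the effective value of KEY: comment lines are skipped and, as in
# vsftpd itself, the last uncommented assignment wins. Prints nothing if
# the directive is not set. Values may themselves contain "=".
get_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, "=") > 0 && substr($0, 1, index($0, "=") - 1) == key {
            val = substr($0, index($0, "=") + 1)
        }
        END { if (val != "") print val }
    ' "$1"
}

# is_yes FILE KEY DEFAULT
# Succeeds when KEY is effectively enabled. vsftpd accepts YES/NO,
# TRUE/FALSE and 1/0 case-insensitively; DEFAULT is the built-in default
# applied when the directive is absent from the file.
is_yes() {
    v=$(get_directive "$1" "$2")
    if [ -z "$v" ]; then v="$3"; fi
    case "$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_vsftpd FILE
# Prints one finding per line; prints nothing for a configuration that
# passes every check.
audit_vsftpd() {
    f="$1"
    if is_yes "$f" anonymous_enable YES; then
        echo "anonymous_enable: anonymous logins accepted (vsftpd's built-in default is YES)"
        if is_yes "$f" write_enable NO &&
           { is_yes "$f" anon_upload_enable NO || is_yes "$f" anon_mkdir_write_enable NO; }; then
            echo "anonymous users can write: write_enable plus anon_upload_enable/anon_mkdir_write_enable"
        fi
    fi
    if is_yes "$f" local_enable NO && ! is_yes "$f" chroot_local_user NO; then
        echo "local_enable without chroot_local_user: local users can browse the whole filesystem"
    fi
    if is_yes "$f" ascii_upload_enable NO || is_yes "$f" ascii_download_enable NO; then
        echo 'ASCII transfer mode enabled: the default vsftpd.conf calls this a "terrible feature"'
    fi
    if ! is_yes "$f" ssl_enable NO; then
        echo "ssl_enable is not YES: passwords and data cross the network in clear text"
    fi
    if is_yes "$f" async_abor_enable NO; then
        echo "async_abor_enable: not recommended for security by the default vsftpd.conf"
    fi
}

# Stand-alone demonstration on a constructed configuration (five findings
# expected). On a real system run: audit_vsftpd /etc/vsftpd.conf
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
#ascii_upload_enable=YES
ascii_download_enable=YES
EOF
audit_vsftpd "$demo_conf"
rm -f "$demo_conf"
```

The checks deliberately track vsftpd's built-in defaults rather than the values in the shipped file, so a directive that is merely commented out (like ascii_upload_enable above) is reported according to what the daemon will actually do.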

FTP Client

The standard FTP client is a basic, text-oriented command line application with a simple but efficient interface. Most web browsers can also act as FTP clients, and dedicated graphical clients such as gFTP and KFTPgrabber are available from the Ubuntu repositories. The FTP client I prefer, however, is lftp.

Any FTP client lets you browse the remote directory tree, and most are simple to use. For example, you can use the ftp command to connect to a server such as ftp.kernel.org as follows (kernel.org retired its FTP service in 2017, so substitute a server that still accepts FTP connections):

$ ftp ftp.kernel.org

I prefer the lftp client because its prompt behaves much like a regular shell. By default, lftp attempts an anonymous login unless you give it a username. It also supports command completion, which helps when files and directories have long names.

Most commands entered at the FTP prompt are executed on the remote host, much as in a Telnet session. Most command line FTP clients still give you access to the local shell: from the FTP prompt, prefix a command with a bang (!) to run it locally instead.
