Friday, May 4, 2012

Red Hat / CentOS VSFTPD FTP Server Configuration

Vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.
In this guide you will learn how to:
  1. Set up vsftpd to provide FTP service.
  2. Configure vsftpd.
  3. Configure firewalls to protect the FTP server.
  4. Configure vsftpd with SSL/TLS.
  5. Set up vsftpd as a download-only anonymous Internet server.
  6. Set up vsftpd with virtual users, and much more.

vsftpd offers security, performance and stability compared to other FTP servers. A quick list of vsftpd features:
  1. Virtual IP configurations
  2. Virtual users
  3. Run as standalone or inetd / xinetd operation
  4. Per-user configuration
  5. Bandwidth throttling
  6. Per-source-IP configurability
  7. Per-source-IP limits
  8. IPv6 ready
  9. Encryption support through SSL integration
  10. And much more.

Install Vsftpd FTP Server

Install the vsftpd package with the yum command:
# yum install vsftpd

Vsftpd Defaults

  1. Default port: TCP / UDP - 21 and 20
  2. The main configuration file: /etc/vsftpd/vsftpd.conf
  3. Users that are not allowed to log in via FTP: /etc/vsftpd/ftpusers

Configure Vsftpd Server

Open the configuration file, type:
# vi /etc/vsftpd/vsftpd.conf
Turn off standard ftpd xferlog log format:
xferlog_std_format=NO
Turn on verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:
log_ftp_protocol=YES
The two directives above enable logging of all FTP transactions. Lock users down to their home directories:
chroot_local_user=YES
Create warning banners for all FTP users:
banner_file=/etc/vsftpd/issue
Create the /etc/vsftpd/issue file with a message that complies with the local site policy, or with a legal notice:
NOTICE TO USERS
Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.

Turn On Vsftpd Service

Turn on vsftpd on boot:
# chkconfig vsftpd on
Start the service:
# service vsftpd start
Verify that it is listening on TCP port 21:
# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server

Open file /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following line, ensuring that it appears before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Open file /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the file. Restart firewall:
# service iptables restart

Tip: View FTP Log File

Type the following command:
# tail -f /var/log/vsftpd.log
Sample output:
Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER vivekda"
Thu May 21 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "10.1.3.108", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "10.1.3.108", "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "230 Login successful."
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "SYST"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "215 UNIX Type: L8"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,162,253"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:05 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "150 Ok to send data."
Thu May 21 11:41:06 2009 [pid 42299] [vivek] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:41:06 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "226 File receive OK."
Thu May 21 11:41:10 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "TYPE A"
Thu May 21 11:41:10 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 Switching to ASCII mode."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,217,96"
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "LIST"
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "150 Here comes the directory listing."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "226 Directory send OK."
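As an added example that is not part of the original guide, the following Python script parses lines in the format shown above and aggregates per-client counters worth alerting on (failed logins, uploads and their sizes, user names seen). The sample lines are mostly taken from the output above; the FAIL LOGIN line is constructed to show a failed attempt.

```python
import re
from collections import defaultdict

# Sample /var/log/vsftpd.log content with log_ftp_protocol=YES. Most lines are taken
# from the output above; the FAIL LOGIN line is constructed to show a failed attempt.
SAMPLE_LOG = """\
Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER vivekda"
Thu May 21 11:40:37 2009 [pid 42297] [vivekda] FAIL LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,162,253"
Thu May 21 11:41:06 2009 [pid 42299] [vivek] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "LIST"
"""

# One line: timestamp, [pid N], optional [user], event name, client IP, optional detail.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>[A-Za-z ]+?): Client "(?P<ip>[^"]+)"'
    r'(?:, (?P<detail>.*))?$'
)

def parse_line(line):
    """Return the fields of one vsftpd.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize(log_text):
    """Per-client counters: failed/successful logins, uploads, bytes uploaded, commands, users."""
    stats = defaultdict(lambda: {"fail_login": 0, "ok_login": 0, "uploads": 0,
                                 "upload_bytes": 0, "commands": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # not a line in the expected format
        s, event = stats[rec["ip"]], rec["event"]
        if rec["user"]:
            s["users"].add(rec["user"])
        if event == "FAIL LOGIN":
            s["fail_login"] += 1
        elif event == "OK LOGIN":
            s["ok_login"] += 1
        elif event == "OK UPLOAD":
            s["uploads"] += 1
            size = re.search(r'(\d+) bytes', rec["detail"] or "")
            s["upload_bytes"] += int(size.group(1)) if size else 0
        elif event == "FTP command":
            s["commands"] += 1
    return dict(stats)
```

Feed it the real file with `summarize(open("/var/log/vsftpd.log").read())` and threshold on `fail_login` per client for a simple brute-force alert.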

Tip: Restrict Access to Anonymous Users Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
local_enable=NO

Tip: Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
write_enable=NO

Security Tip: Place the FTP Directory on its Own Partition

Separating operating system files from FTP users' files makes for a more robust and secure system. Growth of a particular file system can be restricted using various techniques. For example, use a /ftp partition to store all FTP home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:
/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2
Disk quotas must be enabled (the usrquota option above) to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which sets the directory vsftpd tries to change into after an anonymous login:
anon_root=/ftp/ftp/pub
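The following Python auditor is an added example, not part of this guide: it parses a vsftpd.conf (option=value, no whitespace around the equals sign) and reports whether the directives set in the configuration section and the tips above are in place, falling back to vsftpd's documented defaults for anything not set. The sample configuration is constructed.

```python
import re
# vsftpd's compiled-in defaults for the directives this guide touches (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "chroot_local_user": "NO", "xferlog_std_format": "YES",
    "log_ftp_protocol": "NO", "banner_file": "", "anon_root": "",
}

# Constructed sample of /etc/vsftpd/vsftpd.conf after applying the settings above.
SAMPLE_CONF = """\
# local users allowed, confined to home, uploads on, full protocol log
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
chroot_local_user=YES
banner_file=/etc/vsftpd/issue
"""

def parse_vsftpd_conf(text):
    """Return (settings, bad_lines). vsftpd accepts only 'option=value' with no
    whitespace around '=' and refuses to start otherwise, so such lines are reported."""
    settings, bad = dict(DEFAULTS), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r'^([A-Za-z_]+)=(.*)$', line)
        if not m or m.group(2).startswith((" ", "\t")):
            bad.append((n, line))
            continue
        settings[m.group(1)] = m.group(2)   # later occurrences override earlier ones
    return settings, bad

def is_on(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(text):
    """Return (severity, message) findings against the settings recommended above."""
    cfg, bad = parse_vsftpd_conf(text)
    findings = [("error", "line %d would be rejected by vsftpd: %r" % (n, l)) for n, l in bad]
    if is_on(cfg["local_enable"]) and not is_on(cfg["chroot_local_user"]):
        findings.append(("high", "local users not confined to home: set chroot_local_user=YES"))
    if is_on(cfg["xferlog_std_format"]) or not is_on(cfg["log_ftp_protocol"]):
        findings.append(("medium", "full logging off: set xferlog_std_format=NO, log_ftp_protocol=YES"))
    if not cfg["banner_file"]:
        findings.append(("low", "no banner_file configured"))
    if is_on(cfg["write_enable"]):
        findings.append(("info", "uploads permitted (write_enable=YES); use NO for download-only"))
    return findings
```

Run `audit(open("/etc/vsftpd/vsftpd.conf").read())` on the server to check a live configuration.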

Kickstart Server

This is a quick tutorial on how to set up an Apache-based Kickstart install server for provisioning Red Hat or CentOS hosts in your environment. By kickstarting hosts you can save time and standardize your environment by defining a single configuration file that all hosts use to perform automated installs.

1. Head over to centos.org and download the ISO of the CentOS release you are interested in. I will be using CentOS 5.4 for the purposes of this tutorial.
2. Install Apache.
Check whether Apache is already installed:
[root@kickstart kickstart]# rpm -qa |grep -i httpd
If nothing is returned, install it:
yum -y install httpd
This should download and install Apache and its dependencies.
3. Create an install root into which the contents of the DVD will be copied. I'll be using the default document root in /var/www/html.
mkdir /var/www/html/centos5
4. Mount the iso you downloaded to a mount point.
[root@kickstart iso]# mount -o loop CentOS-5.4-i386-bin-DVD.iso /mnt
5. Copy the contents of the iso into the directory you created.
cp -ar /mnt/* /var/www/html/centos5/
6. Create a directory to house your kickstart configurations. Once again I’ll be using Apache’s default document root of /var/www/html. I will be creating a directory called ks to store my configurations.
mkdir /var/www/html/ks
7. Create the kickstart configuration file. I named my configuration ks.cfg and dropped it in the ks directory we created in step 6. Here is the minimal configuration I use for my kickstart profile:
text
install
url --url http://192.168.3.128/centos5
lang en_US.UTF-8
keyboard us
langsupport --default=en_US.UTF-8 en_US.UTF-8
network --device eth0 --bootproto dhcp
rootpw --iscrypted $1$/KEoeArl$f5TokNUdzGIqlvRCLFWW9/
firewall --disabled
selinux --disabled
authconfig --enableshadow --enablemd5
timezone America/New_York
bootloader --location=mbr --append="console=xvc0"
#
zerombr yes
clearpart --all
part /boot --asprimary --fstype="ext3" --size=100 --bytes-per-inode=4096
part swap --asprimary --fstype="swap" --recommended --bytes-per-inode=4096
part / --asprimary --fstype="ext3" --grow --size=1 --bytes-per-inode=4096
reboot
#
%packages --nobase
authconfig
crontabs
kbd
kudzu
man
ntp
openssh-clients
openssh-server
passwd
pciutils
rootfiles
rpm
system-config-securitylevel-tui
traceroute
yum
yum-updatesd
vim-minimal
vixie-cron
which
wget
unzip
sudo
%post
(
chkconfig --level 3 ip6tables off
chkconfig --level 3 kudzu off
chkconfig --level 3 netfs off
chkconfig --level 3 yum-updatesd off
#
# -p expects an already-hashed password, such as the output of "openssl passwd -1",
# not plaintext; replace the placeholder below with that hash.
useradd -p '<crypted-password-hash>' someuser
)  2>&1 | tee /root/post-install.log
8. Use the DVD ISO you downloaded, or grab a copy of boot.iso from the install root at centos5/images/boot.iso. I chose boot.iso since it is only 10MB and is easily distributable.
9. Start up the Apache process
[root@kickstart images]# service httpd start
Starting httpd:                                            [  OK  ]
10. Now for the moment of truth. Boot the system from boot.iso or the install DVD. At the boot prompt enter:
linux ks=http://your_kickstart_ip/ks/ks.cfg
If all went well the system boots, fetches the kickstart config, and the installation proceeds hands-off.