FTP Server
If you are going to run something like Horde on your web server, or need to provide FTP file transfers for people to manage their web sites, vsftpd is the package to use. The folks at kernel.org switched to vsftpd in 2004 (or maybe it was 2005). When I read this on their web site, I also switched from ProFTPd and had the same great experience as them: vsftpd is easy to configure, flexible, fast, and secure.
- Version as of this writing: vsftpd 2.2.2
Installation
emerge -va vsftpd
Configuration
Edit the configuration files in /etc/vsftpd as follows:
- Put the users you want to allow to use FTP in user_list, unless you want to allow everyone. Place one user log-in name per line using a text editor.
- Put privileged users (those who will NOT be chroot jailed in their home directories) in the file chroot_list, one user per line.
- Edit the vsftpd.conf file to contain the options and features you want. Here is one of my configuration files:
listen=YES
anonymous_enable=NO
async_abor_enable=YES
connect_from_port_20=YES
data_connection_timeout=90
delay_failed_login=10
dirmessage_enable=YES
dual_log_enable=YES
ftp_username=ftp
ftpd_banner=FTP Server No. 2
hide_ids=YES
idle_session_timeout=900
local_enable=YES
local_umask=022
log_ftp_protocol=YES
ls_recurse_enable=YES
max_per_ip=5
nopriv_user=nobody
session_support=YES
setproctitle_enable=YES
tcp_wrappers=YES
use_localtime=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/xfer.log

# Allow directory lists on this machine?
# If not, WGET would work but not 'ls'.
#
# dirlist_enable=NO

#--------------
# userlist_deny   - If NO, users will be denied login unless explicitly listed in userlist_file
# userlist_enable - If YES, vsftpd will load the list of user names in userlist_file
# userlist_file   - name of the file containing user names
#
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list

#--------------
# Define people who will NOT be chroot jailed in their home directories.
#
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list
passwd_chroot_enable=YES

#--------------
# Settings for virtual users
#
guest_username=ftp
user_sub_token=$USER
local_root=/home/$USER
anon_upload_enable=YES
virtual_use_local_privs=NO
#--------------
Firewall considerations
If you use passive transfers, the data connections arrive on high ports (rather than port 21), so you will probably want to limit the range to something a firewall rule can cover. You can do this like so:
pasv_enable=yes
pasv_min_port=45000
pasv_max_port=45049
Using SSL with FTP
To enable SSL using the OpenSSL library, add these lines to your configuration file:
ssl_enable=yes
allow_anon_ssl=no
force_local_data_ssl=no
force_local_logins_ssl=yes
ssl_tlsv1=yes
ssl_sslv2=no
ssl_sslv3=no
rsa_cert_file=/path/to/your/certificate/file.pem
To create a self-signed PEM file you can do something like this:
cd /etc/ssl/ftp
openssl req -utf8 -newkey rsa:1024 -keyout vsftpd.pem -nodes -x509 -days 730 -out key2.txt -set_serial 0
Answer all the questions, then:
cat key2.txt >> vsftpd.pem
rm key2.txt
Now the private key and the certificate are both in one PEM file.
Slight variations on this process can be used to create an SSL PEM certificate file for just about any application (Apache, Sendmail, LDAP, etc.).
A strange problem that took me a few hours to figure out: if you get an error saying SSL3_GET_RECORD:wrong version number or SSL_read: wrong version number, it is probably because chroot_list_file points at a non-existent file.
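The configuration, firewall and SSL sections above all rely on values in vsftpd.conf agreeing with files on disk, and the pitfall just described shows what happens when they do not. The script below is an added example, not part of the original page or of vsftpd: a read-only check that reads a vsftpd.conf written in the style above and flags list files or a PEM file that the config names but which are missing or incomplete, SSLv2/SSLv3 switched on, clear-text logins, an unbounded passive-mode port range, and anonymous access not explicitly disabled. The function names, the check's messages and the sample config and user name it builds in a temporary directory are this example's own; the option names are vsftpd's.

```shell
#!/bin/sh
# Added example, not part of the original page: a read-only sanity check for
# a vsftpd.conf written in the style above. It flags the mistakes this setup
# is prone to: list files the config names but which do not exist (the cause
# of the SSL "wrong version number" error described above), SSLv2/SSLv3 left
# on, a passive-mode port range with no bounds for the firewall rule, and an
# rsa_cert_file without both the private key and the certificate.
# Function names and messages are this example's own, not vsftpd's.

# conf_get CONF KEY: print KEY's value from CONF, or nothing if it is absent.
# Comment lines are skipped; if a key appears twice the last value wins.
conf_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { val = substr($0, index($0, "=") + 1) }
        END { print val }
    ' "$1"
}

# vsftpd booleans are case-insensitive; anything unrecognised counts as neither.
is_yes() { case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in yes|true|1) return 0 ;; *) return 1 ;; esac; }
is_no()  { case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in no|false|0) return 0 ;; *) return 1 ;; esac; }

# check_vsftpd_conf CONF: print one line per finding; return the number found.
check_vsftpd_conf() {
    conf=$1
    n=0

    # 1. Every list file the config points at must exist.
    for key in userlist_file chroot_list_file; do
        f=$(conf_get "$conf" "$key")
        if [ -n "$f" ] && [ ! -f "$f" ]; then
            echo "$key points at missing file $f"; n=$((n + 1))
        fi
    done

    # 2. userlist_deny=NO makes user_list an allow-list; an empty one locks everyone out.
    ul=$(conf_get "$conf" userlist_file)
    if is_yes "$(conf_get "$conf" userlist_enable)" && is_no "$(conf_get "$conf" userlist_deny)" \
       && [ -f "$ul" ] && ! grep -q '[^[:space:]]' "$ul"; then
        echo "userlist_deny=NO but $ul is empty: nobody can log in"; n=$((n + 1))
    fi

    # 3. SSL: obsolete protocol versions, clear-text logins, and the PEM file's contents.
    if is_yes "$(conf_get "$conf" ssl_enable)"; then
        for key in ssl_sslv2 ssl_sslv3; do
            if is_yes "$(conf_get "$conf" "$key")"; then
                echo "$key=YES: obsolete protocol version enabled"; n=$((n + 1))
            fi
        done
        if is_no "$(conf_get "$conf" force_local_logins_ssl)"; then
            echo "force_local_logins_ssl=NO: passwords may cross the wire in the clear"; n=$((n + 1))
        fi
        pem=$(conf_get "$conf" rsa_cert_file)
        if [ ! -f "$pem" ]; then
            echo "rsa_cert_file '${pem:-(unset)}' does not exist"; n=$((n + 1))
        else
            if ! grep -q 'BEGIN CERTIFICATE' "$pem"; then
                echo "$pem has no certificate block"; n=$((n + 1))
            fi
            # The key may instead live in rsa_private_key_file (a real vsftpd option).
            if ! grep -q 'PRIVATE KEY' "$pem" && [ -z "$(conf_get "$conf" rsa_private_key_file)" ]; then
                echo "$pem has no private key and rsa_private_key_file is unset"; n=$((n + 1))
            fi
        fi
    fi

    # 4. Passive mode is on unless disabled; without a bounded range no firewall rule fits.
    if ! is_no "$(conf_get "$conf" pasv_enable)"; then
        lo=$(conf_get "$conf" pasv_min_port); hi=$(conf_get "$conf" pasv_max_port)
        if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
            echo "pasv_min_port/pasv_max_port do not bound the passive data ports"; n=$((n + 1))
        fi
    fi

    # 5. The config above sets anonymous_enable=NO explicitly; insist on that.
    if ! is_no "$(conf_get "$conf" anonymous_enable)"; then
        echo "anonymous_enable is not explicitly NO"; n=$((n + 1))
    fi
    return "$n"
}

# Demo on constructed input (user "alice" and the paths are made up): a config
# in the page's style whose chroot_list_file was never created, which is
# exactly the situation behind the SSL error described above.
demo_dir=$(mktemp -d)
printf 'alice\n' > "$demo_dir/user_list"
cat > "$demo_dir/vsftpd.conf" <<EOF
listen=YES
anonymous_enable=NO
userlist_deny=NO
userlist_enable=YES
userlist_file=$demo_dir/user_list
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$demo_dir/chroot_list
pasv_enable=yes
pasv_min_port=45000
pasv_max_port=45049
EOF
check_vsftpd_conf "$demo_dir/vsftpd.conf" || echo "$? finding(s)"
rm -rf "$demo_dir"
```

Run it as `sh check-vsftpd.sh` and it prints the one finding for the demo config; point `check_vsftpd_conf` at /etc/vsftpd/vsftpd.conf instead to review a real server. The function's exit status is the number of findings, so it drops into a cron job or a deploy script as-is. Checks 1, 3 and 4 are the ones that need the files and values on the page; checks 2 and 5 only read what the config itself says, so they carry no assumption about vsftpd's defaults.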