Thursday, March 26, 2009

FTP Configuration for Linux

Today I tried the FTP server on my SUSE server. It was a great experience to use my configured FTP server from the command line and from FTP clients as well. There are many FTP servers available for Linux; some important ones are--
  1. ProFTPd: This server, http://proftpd.org, is one of the more popular of the very complex FTP servers. It ships with most major Linux distributions. Its configuration file is modeled after that of Apache, and the server supports many advanced features.
  2. vsftpd: This server aims to excel at security, stability, and speed. In doing so, its developers have chosen to ignore some of the more advanced features of servers such as ProFTPd and WU-FTPD. If you don't need those features, this tradeoff may be more than acceptable. You can learn more from its website, http://vsftpd.beasts.org.
  3. WU-FTPD: The Washington University FTP Daemon (WU-FTPD) is an old standard in the Linux world. Unfortunately, it has collected more than its fair share of security problems and isn't the speediest FTP server available. For these reasons, it ships with fewer Linux distributions today than in years past. Its main website is http://www.wu-ftpd.org.
  4. PureFTPd: This server, headquartered at http://www.pureftpd.org, is another FTP server that emphasizes security. SuSE ships with a version of this server.
  5. oftpd: This server is unusual because it's designed to function only as an anonymous FTP server; it doesn't support logins using ordinary user accounts. This feature can be appealing if you only want to run an anonymous server, but it makes this server unsuitable for many other purposes. It's available from http://www.time-travellers.org/oftpd/.
I picked vsftpd for its speed, its security and its support for virtual users.

First of all, I installed the vsftpd daemon using YaST. One can install it by installing the respective packages on their own servers.

Second, install PAM 1.0 if it is not already available. In my case it was already installed.

Third, install DB43 or compat-DB to convert the password text file into a DB (hash) file.

Now comes the configuration....

1:- PAM is already installed on the SUSE machine. It is used for authentication and authorization. Go to /etc/pam.d and edit vsftpd so that it looks like this--

#%PAM-1.0

# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vftpusers
account required /lib/security/pam_userdb.so db=/etc/vftpusers

#Uncomment the following line for anonymous ftp.
#auth sufficient pam_ftp.so
#auth required pam_shells.so
#auth include common-auth
#account include common-account
#password include common-password
#session required pam_loginuid.so
#session include common-session

2:- Now create a file vftpusers.txt in the /etc directory containing user names and passwords on alternating lines, like--

testing
12345
username2
password2
username3
password3
....
....

Save it.

3:- Now convert the text file to the DB file using the command

db_load -T -t hash -f /etc/vftpusers.txt /etc/vftpusers.db

If you are using the DB42 module, use the command

db42_load -T -t hash -f /etc/vftpusers.txt /etc/vftpusers.db

and set its mode to 644.


4:- Now create a directory named virtualftp in '/home'.

5:- Create a user virtualftp using the command

useradd -d /home/virtualftp/ virtualftp

6:- Make virtualftp the owner of the virtualftp folder using the command

chown -R virtualftp /home/virtualftp

7:- Change the mode of the folder to 755 using

chmod 755 /home/virtualftp

8:- Now log in as the virtualftp user and create the folder "testing" in /home/virtualftp/. This is the home (storage area) for the virtual user 'testing'.

After this, let's configure the vsftpd.conf file in /etc/, which holds the vsftpd configuration.

9:- The vsftpd.conf file should look like this--

write_enable=YES
dirmessage_enable=YES
ftpd_banner="Welcome to MY FTP service."
local_enable=YES
local_umask=022
chroot_local_user=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_umask=022
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
pam_service_name=vsftpd
listen=YES
pasv_min_port=30000
pasv_max_port=31000
idle_session_timeout=900
max_clients=20
max_per_ip=3
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
userlist_enable=YES


After configuration you can view the file without comments using--

sed '/^ *#/d;s/#.*//' /etc/vsftpd.conf

10:- Now restart the service using the command

service vsftpd restart

11:- Test the FTP server

abhimanyu@GLC001:~/Desktop> ftp 192.168.100.167
Connected to 192.168.100.167.
220 "Welcome to MY FTP service."
Name (192.168.100.167:abhimanyu): testing
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||30333|)
150 Here comes the directory listing.
-rw-r--r-- 1 1001 100 8368115 Mar 26 16:38 mail
226 Directory send OK.
ftp>


Note :- Keep your firewall disabled while testing this setting.

After configuration, allow ports 21 and 20 and the passive-mode range 30000 - 31000 in the firewall, or edit the iptables file directly.

To create users by script, I used the script below as the 'root' user

#!/bin/bash
# Name: Createuser.sh
# Description: Add users to /etc/vftpusers.txt and recreate the database
# Author: Abhimanyu
# Special: abhimanyu.ald@gmail.com
# Version: 1.0
# Arguments: $1=Username $2=Password
if [ $# -ne 2 ]
then
    echo "Username and Password needed as argument !"
    exit 1
else
    # Same files that the PAM stack reads (db=/etc/vftpusers, ".db" is appended by pam_userdb)
    echo "$1" >> /etc/vftpusers.txt
    echo "$2" >> /etc/vftpusers.txt
    db_load -T -t hash -f /etc/vftpusers.txt /etc/vftpusers.db
    # Home directory of the new virtual user, owned by the guest account
    mkdir -p "/home/virtualftp/$1"
    chown virtualftp "/home/virtualftp/$1"
fi
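A set of helper functions for the alternating user/password file used above, added here as an example and not part of the original post. The function names, the temporary paths and the 0600 mode are my own choices; the only external tool used is the same db_load as in step 3.

```shell
#!/bin/bash
# Added example (not from the original post): helpers for the
# vftpusers.txt format, where user and password alternate line by line.
# Function names and the 0600 mode are assumptions, not vsftpd's own.

# Return 0 if the file is well formed: an even number of lines, no blank
# lines (a blank line would shift every following pair) and no user
# listed twice (db_load would keep only one of the passwords).
vftp_validate_userfile() {
    local f="$1" n
    [ -f "$f" ] || return 1
    n=$(wc -l < "$f")
    [ $((n % 2)) -eq 0 ] || return 1
    grep -q '^$' "$f" && return 1
    [ "$(awk 'NR % 2 == 1' "$f" | sort | uniq -d | wc -l)" -eq 0 ] || return 1
}

# Return 0 if the user already has an entry (usernames are the odd lines).
vftp_user_exists() {
    awk -v u="$2" 'NR % 2 == 1 && $0 == u { found = 1 } END { exit !found }' "$1"
}

# Append a user/password pair, refusing duplicates and empty values.
vftp_add_user() {
    local f="$1" user="$2" pass="$3"
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    vftp_user_exists "$f" "$user" && return 1
    printf '%s\n%s\n' "$user" "$pass" >> "$f"
}

# Rebuild the hash database the PAM stack reads (pam_userdb appends ".db"
# to db=/etc/vftpusers itself). 0600 is stricter than the 644 used in the
# post: vsftpd's privileged parent process performs the PAM check as root,
# so no other account needs to read the plain-text passwords.
vftp_rebuild_db() {
    vftp_validate_userfile "$1" || return 1
    (umask 077 && db_load -T -t hash -f "$1" "$2") && chmod 600 "$1" "$2"
}

# Usage: vftp_add_user /etc/vftpusers.txt testing 12345 &&
#        vftp_rebuild_db /etc/vftpusers.txt /etc/vftpusers.db
```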


Test it and post your experience...

Have fun..............
