vsftpd FTP Server

FTP - File Transfer Protocol - is used to transfer files to and from servers. It is an old protocol that has the advantage that most operating systems come with a command line ftp client, so you can use it on any computer. Also, web browsers can download with FTP and most newer ones can upload with FTP as well.

FTP is an insecure protocol. That means that all data, including the username and password, is transferred without any kind of encryption. Therefore, someone who can "sniff" the networks the data travels on could get your login and your data. For this reason, and to reduce possible risk, most systems prevent the root user from using FTP.

FTP requires a username and password to connect to the server. The FTP server can be set up to allow "anonymous" logins. This is usually used for downloads only. A special user is set up so that someone can log in with the username "anonymous" and any password. Usually the password is the user's email address. This is useful for distributing files from a server without having to arrange accounts for everyone who will download a file.

FTP can also be used so that users can transfer files to the server. This is most commonly used to put files on a web server. Users can be given FTP access to the web server so they can upload files that can then be accessed through the web.

There are many FTP servers for Linux. Some common ones are wu-ftpd and ProFTPd. We will be setting up vsftpd, which is the FTP server included with Red Hat 9 and Fedora Core 1. The "vs" stands for "Very Secure". wu-ftpd has had some security issues. vsftpd is also easier to configure than either wu-ftpd or ProFTPd.

When setting up an FTP server, you should ask yourself the following questions:

  1. Do my users need FTP access to the server?
  2. Do I need to provide anonymous FTP access?
  3. Do my users need FTP access to their area of the server?

vsftpd lets you enable anonymous access and user access independently. The default settings in Red Hat allow both. The configuration file is well commented, so it is easy to figure out how to shut off either one. To shut off anonymous access set:

anonymous_enable=NO

To disable user logins set:

local_enable=NO

A couple of other features you might want to enable are:

"Change to root" (chroot) the user's home directory. This makes the user's home directory look like the root directory when they FTP to the server. This prevents them from changing to /home and seeing other users' home directories or copying configuration files from /etc. The anonymous login is chrooted by default.

chroot_local_user=YES

Setting the user that vsftpd runs as. By default vsftpd runs as the user "nobody". This is a user with no privileges (an unprivileged user), which helps increase security: if someone compromises the vsftpd server, they cannot access anything other than what the user "nobody" can access. Unfortunately, many processes default to the user "nobody", so it actually becomes a somewhat privileged user. Changing to a unique user eliminates this problem. Each server application should have its own user that it runs as. Be sure to create a new user, in this example "ftpsecure", but don't set a password for it because you don't want anyone to log in using this account.

nopriv_user=ftpsecure
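
As an added example (not part of the original page or the vsftpd project), this Python script checks a vsftpd.conf against the settings discussed above, using the answers to the planning questions as inputs. The function names and both sample configurations are constructed for illustration; the built-in defaults are assumed from the vsftpd.conf(5) man page.

```python
# Audit vsftpd.conf text against the settings discussed above (added example).
# Built-in defaults per the vsftpd.conf(5) man page; confirm for your version.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO",
            "chroot_local_user": "NO", "nopriv_user": "nobody"}

# Constructed sample configurations, not taken from any real server.
WEAK = """anonymous_enable=YES
local_enable=YES
"""
HARDENED = """anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
nopriv_user=ftpsecure
"""

def parse_conf(text):
    """Return effective settings: 'option=value' lines, '#' lines are comments."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # vsftpd allows no spaces around '='
        settings[key] = value
    return settings

def audit(text, need_anonymous=False, need_local=True):
    """List findings, given whether anonymous and user FTP access are needed."""
    s = parse_conf(text)

    def on(key):
        return s[key].upper() == "YES"

    findings = []
    if on("anonymous_enable") and not need_anonymous:
        findings.append("anonymous_enable=YES but anonymous access is not needed")
    if on("local_enable") and not need_local:
        findings.append("local_enable=YES but user logins are not needed")
    if on("local_enable") and not on("chroot_local_user"):
        findings.append("local users can leave their home directory (no chroot)")
    if s["nopriv_user"] == "nobody":
        findings.append("nopriv_user is the shared 'nobody' account")
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "no findings")
```

To check a real server, pass the contents of its configuration file to `audit()` in place of the sample strings.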

A site that has some useful information about vsftpd is vsFTPdRocks.org.