

April 2, 2004

vsftpd - probably the most secure and fastest FTP server for UNIX-like systems

Copyright notice: this article may be freely reprinted; when reprinting, please indicate the original source, the author information and this notice in hyperlink form.
https://windtear.net/archives/2004/04/02/000436.html


http://vsftpd.beasts.org/

vsftpd is a GPL licensed FTP server for UNIX systems, including Linux. It is secure and extremely fast. It is stable. Don't take my word for it, though. Below, we will see evidence supporting all three assertions. We will also see a list of a few important sites which are happily using vsftpd. This demonstrates vsftpd is a mature and trusted solution.

-----> Is vsftpd the right server for me?

If your main requirement from an FTP server is one of the following things then yes, vsftpd is probably the FTP server you are looking for.

Security
Performance
Stability

The only reason you might prefer a different FTP server to vsftpd is if you really need the configurability of one of the more bloated FTP servers. Having said this, note that vsftpd caters for the vast majority of use cases. Even if vsftpd appears to be missing a feature, it is often satisfied by an external component such as PAM or xinetd / tcp_wrappers. In this regard, vsftpd is being a small modular component in the proper spirit of UNIX. Finally, consider moving to vsftpd even if it means sacrificing some whacky feature of your current FTP server. The security, performance and stability gains are waiting for you.


-----> Features

Despite being small for purposes of speed and security, many more complicated FTP setups are achievable with vsftpd! By no means an exhaustive list, vsftpd will handle:

Virtual IP configurations.
Virtual users.
Standalone or inetd operation.
Powerful per-user configurability.
Bandwidth throttling.
Per-source-IP configurability.
Per-source-IP limits.
IPv6
etc...

-----> README
This is vsftpd, version 1.2.1
Author: Chris Evans
Contact: chris@scary.beasts.org

What is this?
=============

vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously
this is not a guarantee, but a reflection that I have written the entire
codebase with security in mind, and carefully designed the program to be
resilient to attack.

Recent evidence shows that vsftpd is also extremely fast and scalable. vsftpd
has achieved ~4000 concurrent users on a single machine, in a production
environment.

vsftpd is now a proven stable solution. Of particular note, RedHat used vsftpd
to enable ftp.redhat.com to support 15,000 concurrent users across their
server pool. This extreme load was generated by the release of RedHat 7.2 to
the world.

Installation
============

Please see the INSTALL file.

Configuration
=============

All configuration options are documented in the manual page vsftpd.conf.5.
Various example configurations are discussed in the EXAMPLE directory.
Frequently asked questions are tackled in the FAQ file.

-----> INSTALL
INSTALL
=======

This file details how to build and install / run vsftpd from the vsftpd
distribution .tar.gz file.

Step 1) Build vsftpd.

Switch to the directory created when you unpacked the vsftpd .tar.gz file.
e.g.:

cd vsftpd-1.1.2

edit "builddefs.h" to handle compile-time settings (tcp_wrappers build,
etc).

Just type "make" (and mail me to fix it if it doesn't build ;-).
This should produce you a vsftpd binary. You can test for this, e.g.:

[chris@localhost vsftpd]$ ls -l vsftpd
-rwxrwxr-x 1 chris chris 61748 Sep 27 00:26 vsftpd

Step 2) Satisfy vsftpd pre-requisites
2a) vsftpd needs the user "nobody" in the default configuration. Add this
user in case it does not already exist. e.g.:

[root@localhost root]# useradd nobody
useradd: user nobody exists

2b) vsftpd needs the (empty) directory /usr/share/empty in the default
configuration. Add this directory in case it does not already exist. e.g.:

[root@localhost root]# mkdir /usr/share/empty/
mkdir: cannot create directory `/usr/share/empty': File exists

2c) For anonymous FTP, you will need the user "ftp" to exist, and have a
valid home directory (which is NOT owned or writable by the user "ftp").
The following commands could be used to set up the user "ftp" if you do not
have one:

[root@localhost root]# mkdir /var/ftp/
[root@localhost root]# useradd -d /var/ftp ftp

(the next two are useful to run even if the user "ftp" already exists).
[root@localhost root]# chown root.root /var/ftp
[root@localhost root]# chmod og-w /var/ftp

Step 3) Install vsftpd config file, executable, man page, etc.

Running "make install" will try to copy the binary, man pages, etc. to
somewhere sensible.
Or you might want to copy these things by hand, e.g.:
cp vsftpd /usr/local/sbin/vsftpd
cp vsftpd.conf.5 /usr/local/man/man5
cp vsftpd.8 /usr/local/man/man8

"make install" doesn't copy the sample config file. It is recommended you
do this:
cp vsftpd.conf /etc

Step 4) Smoke test (without an inetd).

vsftpd can run standalone or via an inetd (such as inetd or xinetd). You will
typically get more control running vsftpd from an inetd. But first we will run
it without, so we can check things are going well so far.
Edit /etc/vsftpd.conf, and add this line at the bottom:

listen=YES

This tells vsftpd it will NOT be running from inetd.
Right, now let's try and run it!
Log in as root.
Make sure you are not running other FTP servers (or vsftpd will not be able
to use the FTP port, 21).
Run the binary from wherever you put it, e.g.:

[root@localhost root]# /usr/local/sbin/vsftpd &
[1] 2104

If all is well, you can now connect! e.g.:

[chris@localhost chris]$ ftp localhost
Connected to localhost (127.0.0.1).
220 (vsFTPd 1.1.1)
Name (localhost:chris): ftp
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,229,133)
150 Here comes the directory listing.
d--x--x--x 2 0 0 4096 Jan 14 2002 bin
d--x--x--x 2 0 0 4096 Apr 21 20:52 etc
drwxr-xr-x 2 0 0 4096 Apr 21 20:52 lib
drwxr-sr-x 2 0 50 4096 Jul 26 22:58 pub
226 Directory send OK.
ftp>

Step 5) Run from an inetd of some kind (optional - standalone mode is now
recommended)

You may want to run the binary from an inetd of some kind, because this can
give you extra features - e.g. xinetd has a lot of settings. (Note that
vsftpd's inbuilt listener covers most of the more useful xinetd settings).

5a) If using standard "inetd", you will need to edit /etc/inetd.conf, and add
a line such as:

ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/vsftpd

(Make sure to remove or comment out any existing ftp service lines. If you
don't have tcp_wrappers installed, or don't want to use them, take out the
/usr/sbin/tcpd part).

inetd will need to be told to reload its config file:
kill -SIGHUP `pidof inetd`

5b) If using "xinetd", you can follow a provided example, by looking at the
file EXAMPLE/INTERNET_SITE/README. Various other examples show how to leverage
the more powerful xinetd features.


Step 6) Set up PAM for local logins (optional)

If you are running vsftpd on a PAM enabled machine, you will need to have a
/etc/pam.d/ftp file present, otherwise non-anonymous logins will fail. [NOTE -
if you have an older version of PAM, that file might be /etc/pam.conf]

For a standard setup, you can just copy a provided example file:
cp RedHat/vsftpd.pam /etc/pam.d/ftp


Step 7) Customize your configuration

As well as the above three pre-requisites, you are recommended to install a
config file. The default location for the config file is /etc/vsftpd.conf.
There is a sample vsftpd.conf in the distribution tarball. You probably want
to copy that to /etc/vsftpd.conf as a basis for modification, i.e.:

cp vsftpd.conf /etc

The default configuration allows neither local user logins nor anonymous
uploads. You may wish to change these defaults.

Other notes
===========

Tested platforms (well, it builds)
- Any modern, well featured platform should work fine! More recent versions of
the platforms listed below should be fine.
- RedHat Linux 8.0
- RedHat Linux 7.3
- RedHat Linux 7.2
- RedHat Linux 7.0
- RedHat Linux 6.1
- RedHat Linux 6.2
- RedHat Linux 5.2
- Solaris 8 / GNU tools
- SuSE 6.4
- SuSE 6.0
- Debian 2.2
- OpenBSD 2.8
- FreeBSD 4.2
- FreeBSD 3.5
- HP-UX 11.11 / GNU tools
- HP-UX 10.20 / GNU tools
- Solaris 2.6
- IRIX 6.5.11 / GNU tools

-----> FAQ
vsftpd frequently asked questions!!
-----------------------------------

Q) Can I restrict users to their home directories?
A) Yes. You are probably after the setting:
chroot_local_user=YES

Q) Why don't symlinks work with chroot_local_user=YES?
A) This is a consequence of how chroot() security works. As alternatives,
look into hard links, or if you have a modern Linux, see the powerful
"mount --bind".

Q) Does vsftpd support a limit on the number of users connected?
A1) Yes, indirectly. vsftpd is an inetd-based service. If you use the popular
"xinetd" as your inetd, this supports per-service per-IP connection limits.
There is an example of this in the "EXAMPLE" directory.
A2) If you run vsftpd in "standalone" mode with the setting listen=YES, then
you can investigate the setting (e.g.):
max_clients=10

Q) Help! I'm getting the error message "refusing to run with writable anonymous
root".
A) vsftpd is protecting against dangerous configurations. The cause of this
message is usually dodgy ownership of the ftp home directory. The home
directory should NOT be owned by the ftp user itself. Neither should it
be writable by the ftp user. A way to fix this is:
chown root ~ftp; chmod -w ~ftp
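The check behind this FAQ entry and INSTALL step 2c (the anonymous root must exist, must not be owned by the ftp user and must not be group- or world-writable), as an added example that is not vsftpd's own code. The function names, the `MY_UID` stand-in for the ftp uid and the scratch directories are assumptions made for this illustration:

```python
"""Added example (not vsftpd's code): audit an anonymous FTP root against the
rules in INSTALL step 2c and the "refusing to run with writable anonymous
root" FAQ entry."""
import os
import pwd
import stat
import tempfile

MY_UID = os.getuid()  # stands in for the ftp uid in the self-test below


def anon_root_problems(path, ftp_uid):
    """Return why vsftpd would reject `path` as the home of the ftp user with
    uid `ftp_uid`; an empty list means the documented checks pass."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # The "OOPS: chdir" FAQ: the ftp home (or anon_root) does not exist.
        return ["missing: vsftpd would fail with 'OOPS: chdir'"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == ftp_uid:
        problems.append("owned by the ftp user (fix: chown root ~ftp)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable (fix: chmod og-w ~ftp)")
    return problems


def ftp_user_problems(username="ftp"):
    """Look the account up in the passwd database and check its home directory.
    'ftp' is the INSTALL default account name, not a requirement."""
    try:
        entry = pwd.getpwnam(username)
    except KeyError:
        return [f"user {username!r} does not exist: anonymous FTP needs it (INSTALL step 2c)"]
    return [f"{entry.pw_dir}: {p}" for p in anon_root_problems(entry.pw_dir, entry.pw_uid)]


def scratch_dir(mode):
    """Create a throwaway directory with the given mode (constructed test input)."""
    path = tempfile.mkdtemp()
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    good = scratch_dir(0o755)
    print("mode 755, ftp uid is ours:      ", anon_root_problems(good, MY_UID))
    print("mode 755, ftp uid is someone else:", anon_root_problems(good, MY_UID + 1))
    print("real ftp account:", ftp_user_problems() or "ok")
```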

Q) Help! I'm getting the error message "str_getpwnam".
A) The most likely cause of this is that the "nobody" user does not exist on
your system. vsftpd needs this user to run bits of itself with no privilege.

Q) Help! Local users cannot log in.
A) There are various possible problems.
A1) By default, vsftpd disables any logins other than anonymous logins. Put
local_enable=YES in your /etc/vsftpd.conf to allow local users to log in.
A2) vsftpd tries to link with PAM. (Run "ldd vsftpd" and look for libpam to
find out whether this has happened or not). If vsftpd links with PAM, then
you will need to have a PAM file installed for the vsftpd service. There is
a sample one for RedHat systems included in the "RedHat" directory - put it
under /etc/pam.d
A3) If vsftpd didn't link with PAM, then there are various possible issues. Is
the user's shell in /etc/shells? If you have shadowed passwords, does your
system have a "shadow.h" file in the include path?
A4) If you are not using PAM, then vsftpd will do its own check for a valid
user shell in /etc/shells. You may need to disable this if you use an invalid
shell to disable logins other than FTP logins. Put check_shell=NO in your
/etc/vsftpd.conf.

Q) Help! Uploads or other write commands give me "500 Unknown command.".
A) By default, write commands, including uploads and new directories, are
disabled. This is a security measure. To enable writes, put write_enable=YES
in your /etc/vsftpd.conf.

Q) Help! What are the security implications referred to in the
"chroot_local_user" option?
A) Firstly note that other ftp daemons have the same implications. It is a
generic problem.
The problem isn't too severe, but it is this: Some people have FTP user
accounts which are not trusted to have full shell access. If these
accounts can also upload files, there is a small risk. A bad user now has
control of the filesystem root, which is their home directory. The ftp
daemon might cause some config file to be read - e.g. /etc/some_file. With
chroot(), this file is now under the control of the user. vsftpd is
careful in this area. But, the system's libc might want to open locale
config files or other settings...

Q) Help! Uploaded files are appearing with permissions -rw-------.
A1) Depending on if this is an upload by a local user or an anonymous user,
use "local_umask" or "anon_umask" to change this. For example, use
"anon_umask=022" to give anonymously uploaded files permissions
-rw-r--r--. Note that the "0" before the "22" is important.
A2) Also see the vsftpd.conf.5 man page for the new "file_open_mode"
parameter.

Q) Help! How do I integrate with LDAP users and logins?
A) Use vsftpd's PAM integration to do this, and have PAM authenticate against
an LDAP repository.

Q) Help! Does vsftpd do virtual hosting setups?
A1) Yes. If you integrate vsftpd with xinetd, you can use xinetd to bind to
several different IP addresses. For each IP address, get xinetd to launch
vsftpd with a different config file. This way, you can get different behaviour
per virtual address.
A2) Alternatively, run as many copies of vsftpd as necessary, in standalone
mode. Use "listen_address=x.x.x.x" to set the virtual IP.

Q) Help! Does vsftpd support virtual users?
A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd.conf. This
has the effect of mapping every non-anonymous successful login to the local
username specified in "guest_username". Then, use PAM and (e.g.) its pam_userdb
module to provide authentication against an external (i.e. non-/etc/passwd)
repository of users.
Note - currently there is a restriction that with guest_enable enabled, local
users also get mapped to guest_username.
There is an example of virtual users setup in the "EXAMPLE" directory.

Q) Help! Does vsftpd support different settings for different users?
A) Yes - in a very powerful way. Look at the setting "user_config_dir" in the
manual page.

Q) Help! Can I restrict vsftpd data connections to a specific range of ports?
A) Yes. See the config settings "pasv_min_port" and "pasv_max_port".

Q) Help! I'm getting the message "OOPS: chdir".
A) If this is for an anonymous login, check that the home directory for the
user "ftp" is correct. If you are using the config setting "anon_root", check
that is correct too.

Q) Help! vsftpd is reporting times as GMT times and not local times!
A) This behaviour can be changed with the setting "use_localtime=YES".

Q) Help! Can I disable certain FTP commands?
A) Yes. There are some individual settings (e.g. dirlist_enable) or you can
specify a complete set of allowed commands with "cmds_allowed".

Q) Help! Can I change the port that vsftpd runs on?
A1) Yes. If you are running vsftpd in standalone mode, use the "listen_port"
directive in vsftpd.conf.
A2) Yes. If you are running vsftpd from an inetd or xinetd program, this
becomes an inetd or xinetd problem. You must change the inetd or xinetd
configuration files (perhaps /etc/inetd.conf or /etc/xinetd.d/vsftpd)

Q) Help! Will vsftpd authenticate against an LDAP server? What about a
MySQL server?
A) Yes. vsftpd uses PAM for authentication, so you need to configure PAM
to use pam_ldap or pam_mysql modules. This may involve installing the PAM
modules and then editing the PAM config file (perhaps /etc/pam.d/vsftpd).

Q) Help! Does vsftpd support per-IP limits?
A1) Yes. If you are running vsftpd standalone, there is a "max_per_ip"
setting.
A2) Yes. If you are running vsftpd via xinetd, there is an xinetd config
variable "per_source".

Q) Help! Does vsftpd support bandwidth limiting?
A) Yes. See vsftpd.conf.5 man page and investigate settings such as
"anon_max_rate" and "local_max_rate".

Q) Help! Does vsftpd support IP-based access control?
A1) Yes. vsftpd can integrate with tcp_wrappers (if built with this support).
It is enabled with the setting "tcp_wrappers=YES".
A2) Yes. vsftpd can be run from xinetd, which supports tcp_wrappers
integration.

Q) Help! Does vsftpd support IPv6?
A) Yes, as of version 1.2.0. Read the vsftpd.conf.5 man page.

Q) Help! vsftpd doesn't build, it fails with an error about being unable to
find -lcap.
A) Install the libcap package and retry the build. Seems to affect Debian
users a lot.

Q) Help! I've put settings in /etc/vsftpd.conf, but they are not taking
effect!
A) This is affecting some RedHat users - some RedHat versions put the config
file in /etc/vsftpd/vsftpd.conf.

Q) Help! vsftpd doesn't build, it complains about problems with incomplete
types in sysutil.c.
A) Your system probably doesn't have IPv6 support. Either use a more modern
system, use an older vsftpd (e.g. v1.1.3), or wait for a version of vsftpd
without this problem!

Q) Help! I'm getting messages along the lines of 500 OOPS: vsf_sysutil_bind
when trying to do downloads (particularly lots of small files).
A) vsftpd-1.2.1 should sort this out.

Q) Help! Does vsftpd support hiding or denying certain files?
A) Yes. Look at the hide_file and deny_file options in the manual page.

Q) Help! Does vsftpd support FXP?
A) Yes. An FTP server does not have to do anything special to support FXP.
However, you may get tripped up by vsftpd's security precautions on IP
addresses. In order to relax these precautions, have a look in the
vsftpd.conf.5 for pasv_promiscuous (and the less advisable port_promiscuous).

Q) Blah.. blah..
A) For a good idea of what vsftpd can do, read the vsftpd.conf.5 man page
and the EXAMPLES.

-----> EXAMPLE README
These subdirectories contain examples of vsftpd usage.
These examples are known to work on a RedHat 7.2 installation. Some of them
rely on xinetd and / or a highly functional version of PAM.

The examples should serve to illustrate how vsftpd becomes extremely powerful
when integrated with xinetd for connection handling and PAM for
authentication.

Contents
========
INTERNET_SITE How you might configure vsftpd for an internet site.
INTERNET_SITE_NOINETD How to use vsftpd without xinetd.
PER_IP_CONFIG How to apply different settings based on the connecting
IP address.
VIRTUAL_HOSTS How to set up vsftpd with virtual hosting.
VIRTUAL_USERS How to set up virtual users with vsftpd.
VIRTUAL_USERS_2 Advanced virtual users - different access rights.

-----> VIRTUAL_USERS/README
This example shows how to set up vsftpd / PAM with "virtual users".
A virtual user is a user login which does not exist as a real login on the
system. Virtual users can therefore be more secure than real users, because
a compromised account can only use the FTP server.

Virtual users are often used to serve content that should be accessible to
untrusted users, but not generally accessible to the public.

Step 1) Create the virtual users database.
We are going to use pam_userdb to authenticate the virtual users. This needs
a username / password file in "db" format - a common database format.
To create a "db" format file, first create a plain text file with the
usernames and passwords on alternating lines.
See example file "logins.txt" - this specifies "tom" with password "foo" and
"fred" with password "bar".
Whilst logged in as root, create the actual database file like this:

db_load -T -t hash -f logins.txt /etc/vsftpd_login.db
(Requires the Berkeley db program installed).
NOTE: Many systems have multiple versions of "db" installed, so you may
need to use e.g. db3_load for correct operation. This is known to affect
some Debian systems. The core issue is that pam_userdb expects its login
database to be a specific db version (often db3, whereas db4 may be installed
on your system).

This will create /etc/vsftpd_login.db. Obviously, you may want to make sure
the permissions are restricted:

chmod 600 /etc/vsftpd_login.db

For more information on maintaining your login database, look around for
documentation on "Berkeley DB", e.g.
http://www.sleepycat.com/docs/utility/index.html


Step 2) Create a PAM file which uses your new database.

See the example file vsftpd.pam. It contains two lines:

auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

This tells PAM to authenticate users using our new database. Copy this PAM
file to the PAM directory - typically /etc/pam.d/

cp vsftpd.pam /etc/pam.d/ftp


Step 3) Set up the location of the files for the virtual users.

useradd -d /home/ftpsite virtual
ls -ld /home/ftpsite
(which should give):
drwx------ 3 virtual virtual 4096 Jul 30 00:39 /home/ftpsite

We have created a user called "virtual" with a home directory "/home/ftpsite".
Let's add some content to this download area:

cp /etc/hosts /home/ftpsite
chown virtual.virtual /home/ftpsite/hosts


Step 4) Create your vsftpd.conf config file.

See the example in this directory. Let's go through it line by line:

anonymous_enable=NO
local_enable=YES

This disables anonymous FTP for security, and enables non-anonymous FTP (which
is what virtual users use).

write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

These ensure that for security purposes, no write commands are allowed.

chroot_local_user=YES

This makes sure that the virtual user is restricted to the virtual FTP area
/home/ftpsite we set up above.

guest_enable=YES
guest_username=virtual

The guest_enable is very important - it activates virtual users! And
guest_username says that all virtual users are mapped to the real user
"virtual" that we set up above. This will also determine where on the
filesystem the virtual users end up - the home directory of the user
"virtual", /home/ftpsite.

listen=YES
listen_port=10021

This puts vsftpd in "standalone" mode - i.e. not running from an inetd. This
means you just run the vsftpd executable and it will start up. This also
makes vsftpd listen for FTP requests on the non-standard port of 10021 (FTP
is usually 21).

pasv_min_port=30000
pasv_max_port=30999

These put a port range on passive FTP incoming requests - very useful if
you are configuring a firewall.

Copy the example vsftpd.conf file to /etc:

cp vsftpd.conf /etc/


Step 5) Start up vsftpd.

Go to the directory with the vsftpd binary in it, and:

./vsftpd

If all is well, the command will sit there. If all is not well, you will
likely see some error message.


Step 6) Test.

Launch another shell session (or background vsftpd with CTRL-Z and then "bg").
Here is an example of an FTP session:

ftp localhost 10021
Connected to localhost (127.0.0.1).
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (localhost:chris): tom
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (127,0,0,1,117,135)
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> size hosts
213 147
ftp>

Comments:
The password we gave was "foo".
Do not be alarmed by the "failed to open directory". That is because the
directory /home/ftpsite is not world readable (we could change this
behaviour if we wanted using anon_world_readable_only=NO, but maybe we want
it this way for security).
We can see that we have access to the "hosts" file we copied into the virtual
FTP area, via the size command.
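Steps 4 through 6 above amount to a checklist of settings that keep virtual users read-only and chrooted. As an added example (not part of the vsftpd distribution), the following parser and audit read a vsftpd.conf and report the findings a defender would want before going live; it also applies the FAQ's umask warning (a value without the leading "0" is read as base 10). The function names are assumptions, and the embedded config is the walkthrough's own example file, reproduced here so the script runs offline:

```python
"""Added example (not vsftpd's code): parse a vsftpd.conf and audit the
settings the VIRTUAL_USERS walkthrough and the FAQ call out."""

# The VIRTUAL_USERS example config, embedded so the audit runs offline.
VIRTUAL_USERS_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
listen=YES
listen_port=10021
pasv_min_port=30000
pasv_max_port=30999
"""


def parse_conf(text):
    """Return {option: value}; blank lines and '#' comments are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected option=value, got {raw!r}")
        option, value = line.split("=", 1)
        conf[option.strip()] = value.strip()
    return conf


def is_yes(conf, option, default="NO"):
    return conf.get(option, default).upper() == "YES"


def umask_value(text):
    """A leading '0' marks the value as octal; anything else is base 10 (the FAQ's warning)."""
    return int(text, 8) if text.startswith("0") else int(text, 10)


def upload_mode(umask_text, create_mode=0o666):
    """Permission bits an uploaded file ends up with for a given umask setting."""
    return create_mode & ~umask_value(umask_text)


def audit(conf):
    """Findings a defender would want to see before putting this config live."""
    findings = []
    # The FAQ: by default vsftpd allows anonymous logins and nothing else.
    if is_yes(conf, "anonymous_enable", default="YES"):
        findings.append("anonymous_enable: anonymous logins are allowed")
    if is_yes(conf, "write_enable"):
        findings.append("write_enable: uploads, mkdir and other write commands are allowed")
    if is_yes(conf, "local_enable") and not is_yes(conf, "chroot_local_user"):
        findings.append("local_enable without chroot_local_user: logins can browse the whole filesystem")
    if is_yes(conf, "guest_enable") and not conf.get("guest_username"):
        findings.append("guest_enable without guest_username: virtual users map to the built-in default account")
    if "listen_port" in conf and not is_yes(conf, "listen"):
        findings.append("listen_port is ignored unless listen=YES (standalone mode)")
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if lo and hi and int(lo) > int(hi):
        findings.append("pasv_min_port is above pasv_max_port: no passive data port can be chosen")
    for option in ("local_umask", "anon_umask"):
        if option in conf and not conf[option].startswith("0"):
            findings.append(f"{option}={conf[option]} lacks the leading 0, is read as base 10 and gives mode {upload_mode(conf[option]):04o}")
    for option in ("pasv_promiscuous", "port_promiscuous"):
        if is_yes(conf, option):
            findings.append(f"{option}: data-connection IP checks are relaxed")
    return findings


if __name__ == "__main__":
    print("VIRTUAL_USERS config:", audit(parse_conf(VIRTUAL_USERS_CONF)) or "no findings")
    print("anon_umask=022 ->", format(upload_mode("022"), "04o"), "  anon_umask=22 ->", format(upload_mode("22"), "04o"))
```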

-----> vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
listen=YES
listen_port=10021
pasv_min_port=30000
pasv_max_port=30999

-----> vsftpd.pam
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

-----> one conf of vsftpd-1.1.3
# Standalone mode
max_clients=50
max_per_ip=5

# Access rights
anonymous_enable=NO
local_enable=YES
write_enable=NO
local_umask=002
dirmessage_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
message_file=.message
guest_enable=YES
guest_username=ftp
listen=YES
listen_port=***21
pasv_min_port=62001
pasv_max_port=63000
ftpd_banner=ftp.ipcn.org - windtear

# Security
anon_world_readable_only=NO
connect_from_port_20=NO
hide_ids=YES
#chown_upload=YES
#chown_username=username
nopriv_user=nobody
#pam_service_name=vsftpd
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails

# Features
xferlog_enable=NO
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
ls_recurse_enable=NO
ascii_download_enable=YES
async_abor_enable=YES

# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=12500000
#user_config_dir=/etc/vsftpd_user_conf
#echo "anon_world_readable_only=NO" > /etc/vsftpd_user_conf/tom


Posted by windtear at April 2, 2004 10:12 PM

For any problems using this site, please contact windtear @ windtear.net
Copyright© 1999-2024 Windtear. All rights reserved.