[Howto] vsftpd on Debian 4.0 (Berkeley DB PAM auth / light-weight virtualhost solution)


Post by guwapo

Basically a quick job. Here too, more detailed explanations from my side are (still) missing. The docs are linked, though, and can be followed 100%.

The Linux pros among you will surely have handled the "switch" from Sarge -> Etch without problems, but for a beginner this may be interesting.
ProFTPD -> http://www.rootforum.org/forum/viewtopic.php?t=44394 (by now I consider it "solved" on my side)
Pure-FTPD -> I liked it muuuch better than ProFTPD in terms of simplicity. Unfortunately there are some problems (http://www.rootforum.org/forum/viewtopi ... 315#285315)

vsftpd is fairly small and easy to handle.

Update:
- added the umask config directive: the setting should now be more "common sense" ;)
- added the ftpd_banner config directive: important security aspect -> "security by obscurity" (see: http://www.rootforum.org/forum/viewtopic.php?t=42663)



                 H O W T O     F T P     W I T H     D E B I A N  4 . 0

==========================================================================================

                         FTP SERVER (VSFTPD) WITH VIRTUAL USERS                          
..........................................................................................

disclaimer:           I am not responsible for any damage at all! Please always do a local
                      installation first before adapting it to a production server. This
                      Howto is meant to be a REAL light-weight solution without any
                      losses in security. Therefore there is no *sneaky* web
                      administration, nor is user data stored via mysql (=heavy-weight!)

system:               debian etch (4.0)
                      [test hw: AMD Athlon 1GHz, 512MB RAM, 4GB HDD]

info:                 # => shell command
                      : => active (uncommented) config line (use accordingly)
                      ; => inactive (commented) config line

changelines:          -

license:              (by-nc-sa): guwapo AT thedoghouse DOT bz
                      http://creativecommons.org/licenses/by-nc-sa/3.0/


last update (@#):     11.05.2007 0.2 - added umask, ftpd_banner (security issue)

==========================================================================================



(A) INSTALLATION
------------------------------------------------------------------------------------------
docs:
- http://howto.gumph.org/content/setup-virtual-users-and-directories-in-vsftpd/
- http://alien2thisworld.net/sitePages/tutorials/vsftpd_virtual_users_setup.html
- http://brundlelab.wordpress.com/2007/03/21/vsftd-and-virtual-users/
- ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/README
- http://vsftpd.beasts.org/vsftpd_conf.html


1) Install vsftpd + utils (needed for backend)
# apt-get install vsftpd db4.4-util


2) Create virtual-user backend
# mkdir /etc/vsftpd && cd /etc/vsftpd && nano /etc/vsftpd/logins

enter username and password on alternating lines:

{USERNAME}
{PASSWORD}
{USERX}
{PASSX}

# cd /etc/vsftpd && db4.4_load -T -t hash -f logins /etc/vsftpd_login.db && chmod 600 /etc/vsftpd_login.db
# nano /etc/pam.d/vsftpd

(delete/comment everything)

: auth required pam_userdb.so db=/etc/vsftpd_login
: account required pam_userdb.so db=/etc/vsftpd_login


3) Create virtual environment
# mkdir /var/www/virtual
# mkdir /var/www/virtual/{USER}

do not forget to chown, or virtual-users will not be able to upload anything
# chown -R ftp:nogroup /var/www/virtual


4) Edit vsftpd.conf
# nano /etc/vsftpd.conf

(please check the docs / manual for each directive!)

: listen=YES
: anonymous_enable=NO
: local_enable=YES
: virtual_use_local_privs=YES
: write_enable=YES
: connect_from_port_20=YES
: secure_chroot_dir=/var/run/vsftpd
: pam_service_name=vsftpd
: guest_enable=YES
: user_sub_token=$USER
: local_root=/var/www/virtual/$USER
: chroot_local_user=YES
: hide_ids=YES
: local_umask=022
: ftpd_banner=I am a l33t ftp server!

(always add some random ftpd_banner. In case there is a security hole, kiddies
won't find your server when searching for this specific version of ftpd)


5) Restart & Check (error logs)
# /etc/init.d/vsftpd restart

------------------------------------------------------------------------------------------




(Z) AFTERMATH / CONCLUSION
------------------------------------------------------------------------------------------
This was easy, huh? Vsftpd is really a nice ftpd with a very small memory footprint. The
configuration is easy (= not much to do wrong ;) ) and the virtual-user backend is easy to
manage! I just had too many problems with pure-ftpd:
http://forum.openvz.org/index.php?t=msg&goto=11211&
http://www.rootforum.org/forum/viewtopic.php?t=15810
I think a better alternative would be proftpd, but the configuration is a little more
complicated, so I would only use it with the mysql-backend feature (which works perfectly!).
But that would no longer be lightweight, e.g. if you have a small server where you only
need an ftpd ;)

==========================================================================================
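
A way to check the result of steps 2 and 4, as an added example that is not part of the original post: it compares a vsftpd.conf with the howto's security-relevant directives, flags a banner that is unset or names the product or version, and checks that the plain-text logins file and the generated .db are owner-only. The function names (conf_get, audit_conf, audit_secret) and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the files from steps 2 and 4.

# conf_get FILE KEY: print the last active value of KEY. vsftpd.conf takes
# no spaces around '=', so ';' or '#' commented lines never match.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_conf FILE: print one FAIL line per deviation from the step 4 settings.
audit_conf() {
    while IFS='=' read -r key want; do
        have=$(conf_get "$1" "$key")
        [ "$have" = "$want" ] ||
            echo "FAIL $key: want '$want', found '${have:-<unset>}'"
    done <<'EOF'
anonymous_enable=NO
guest_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
user_sub_token=$USER
local_root=/var/www/virtual/$USER
EOF
    banner=$(conf_get "$1" ftpd_banner)
    case $banner in
        '') echo "FAIL ftpd_banner: unset, default greeting names the version" ;;
        *[0-9].[0-9]*|*[Vv][Ss][Ff][Tt][Pp]*)
            echo "FAIL ftpd_banner: names product or version" ;;
    esac
}

# audit_secret FILE: the logins list holds plain-text passwords and the .db is
# built from it, so any group/other access (beyond mode 600) is a finding.
audit_secret() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "FAIL $1: group/other access ($perms)"
}

# Constructed sample: anonymous login on, no chroot, no banner, file mode 644.
demo=$(mktemp)
printf '%s\n' 'listen=YES' ';anonymous_enable=NO' 'anonymous_enable=YES' \
    'guest_enable=YES' 'pam_service_name=vsftpd' 'user_sub_token=$USER' \
    'local_root=/var/www/virtual/$USER' > "$demo"
chmod 644 "$demo"
audit_conf "$demo"
audit_secret "$demo"
rm -f "$demo"
```

On a real host, run audit_conf on /etc/vsftpd.conf and audit_secret on /etc/vsftpd/logins and /etc/vsftpd_login.db; no output means no findings.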