Table of Contents
FTP, short for File Transfer Protocol, is a traditional and widely used standard for transferring files over a network. The transfer happens via a standard client-server connection with or without authentication support, as the server can be opened to anonymous users as well as restricting access to registered ones. Although FTP is considered to be reliable and secure it has big security flaws, the most critical one being the fact that the user credentials and data are trasmitted without encryption. This issue has been addressed in 1996 with the introduction of FTPS, also known as FTPES, FTP-SSL, S-FTP and FTP Secure - an extension to FTP that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.
In this article we'll show how to install, configure and secure VSFTPD, a standard FTP server, in CentOS/RHEL 7 and Fedora distributions: in a follow-up post we'll also explain how to properly secure it by adding SSL/TLS support with a self-signed SSL certificate.
Installing VSFTPD
VSFTPD, aka for "Very Secure FTP Daemon", is a small, lightweight and extensible FTP server that can be installed on any Linux machine in a couple minutes. All that we need to do in a CentOS 7.x machine is to input the following command in the terminal:
|
1 |
yum install vsftpd |
Start & Enable the service
Right after that, we need to manually start the service and also enable it to start automatically from the next system boot as well. We can do that in the following way:
|
1 2 |
systemctl start vsftpd systemctl enable vsftpd |
Opening the Firewall port(s)
Last but not least, in order to allow access to FTP services from external systems, we have to open port 21, where the FTP daemons are listening. To do that, assuming that the public zone is the one associated with WAN, we can use these terminal commands:
|
1 2 3 |
firewall-cmd --zone=public --add-port=21/tcp --permanent firewall-cmd --zone=public --add-service=ftp --permanent firewall-cmd --reload |
Passive Mode
In case we want our FTP server to work in passive mode we should also open a range of ports matching those that we will define in the VSFTPD configuration file (see below):
|
1 2 |
firewall-cmd --zone=public --add-port=40001-40100/tcp --permanent firewall-cmd --reload |
This will open a grand total of 100 TCP ports (40001-40100) for passive mode.
Needless to say, the above lines take for granted that the public zone is bound to the WAN: if this is not the case, be sure to open these ports on the right zone.
Configuring the FTP Server
The next step would be opening the vsftpd.conf file and setup and secure our brand-new FTP server. Before proceeding, it's advisable to make a backup of the original config file in the following way:
|
1 |
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.orig |
Right after that, open the .conf file above and set the following options:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
# Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=NO # Uncomment this to allow local users to log in. local_enable=YES # Uncomment this to enable any form of FTP write command. write_enable=YES # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # Activate logging of uploads/downloads. xferlog_enable=YES # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not recommended! #chown_uploads=YES #chown_username=whoever # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/xferlog # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. xferlog_std_format=YES # You may change the default value for timing out an idle session. #idle_session_timeout=600 # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that # the user does not have write access to the top level directory within the # chroot) #chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=NO # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. # Make sure, that one of the listen options is commented !! listen_ipv6=YES # name of the PAM service vsftpd will use pam_service_name=vsftpd # enable vsftpd to load a list of usernames userlist_enable=YES # the file containing the list of allowed (or blocked, see below) usernames userlist_file=/etc/vsftpd/user_list # set it to YES to use the userlist_file as a blacklist (blocked users - everyone else can access), # set it to NO to use the userlist_file as a whitelist (allowed users - everyone else is blocked). userlist_deny=NO # set it to YES to turn on TCP wappers tcp_wrappers=YES #restrict FTP users to their /home directory and allow them to write there chroot_local_user=NO allow_writeable_chroot=YES #set maximum allowed connections per single IP address (0 = no limits) max_per_ip=10 |
The above settings are good for a general purpose FTP server: most of them mimics the default VSFTPD values with few notable exceptions such as pasv_enable and max_per_ip (see below). Feel free to adjust them to better your suit your needs.
Passive Mode
To configure passive mode for VSFTPD we need to set the following parameters:
|
1 2 3 |
pasv_enable=Yes pasv_min_port=40001 pasv_max_port=40100 |
This will enable passive mode and will also restrict it to use 100 ports for data connections (from TCP 40001 to TCP 40100): it goes without saying that these ports need to match those we opened earlier on the firewall (see above).
Max connections per single IP Address
By default VSFTPD allows unlimited connection from the same client IP address, which can expose the FTP service to flood-based attacks or make it prone to some sort of client's abuse. In order to overcome this, there is a special directive called max_per_ip that can be used to force the server to use limited number of connection:
|
1 2 |
#set maximum allowed connections per single IP address (0 = no limits) max_per_ip=10 |
That's it for now: in the following article we'll show how to strengthen the FTP server even further using SSL/TLS for secure connections and file transfers.
