Connect FTPS with multiple users using chroot with vsftpd

Hello.
the Binary Log
System Solutions Department.

I want to eat yakitori. I like chicken breast and chicken hearts.

Well, the other day I had a chance to play around with vsftpd, and its configuration has some quirks. I think anyone who has set it up will agree that the "opposite of the opposite" way its options are phrased makes my brain shrink.

This time, I will leave a memo on how to use vsftpd for FTPS communication, enable chroot, and flexibly change permissions for multiple users. There is little information available about vsftpd with FTPS, so I hope this article is useful to someone.

Operating environment and protocols used

We use AlmaLinux 9.
The protocol used is FTPS (Explicit mode), which, unlike plain FTP, encrypts the control and data connections.
The vsftpd version is 3.0.5.

Purpose of using chroot

Basically, all administrators are allowed to access /mnt/ftp. However, we want some administrators to be able to move freely to other directories, so we add them to the chroot list. This allows them to upload files to directories other than the specified one.
Also, by defining a file for each user, we can apply restrictions flexibly, for example limiting a user to "/mnt/ftp/user1" if we don't want to give them much authority.

vsftpd installation

Let's install it now

dnf install vsftpd

vsftpd configuration

Once the installation is complete, let's start editing the conf file.
First, make a backup just in case,

cd /etc/vsftpd
cp -ip vsftpd.conf vsftpd.conf_org

Configure vsftpd.conf.
There are many things to change/keep from the default configuration, so we will only extract the parts that will be enabled this time.
Please adjust the settings as appropriate depending on your environment.

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO

▶ Anonymous users cannot log in (NO)

# Uncomment this to allow local users to log in.
local_enable=YES

▶ Allow local users to access (YES)

# Uncomment this to enable any form of FTP write command.
write_enable=YES

▶ "write_enable" must be set to YES to grant upload permissions to the user

# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022

▶ This item controls the permissions of uploaded files, so it is quite important.
The default value is "022", so the permissions of the uploaded file will be 755, which is 777 minus 022.

# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
# You may fully customize the login banner string:
ftpd_banner=Welcome!

▶ This is up to you. Display any message (in this case, "Welcome!") when logging in

# Activate logging of uploads/downloads.
xferlog_enable=YES
# You may override where the log file goes if you like. The default is shown
# below. (/var/log/xferlog in this case.)
xferlog_std_format=NO

▶ The logging part can be particularly confusing. It depends on your requirements, but checking these four points should be enough.
"xferlog_enable" is the most important: it enables logging. The default value is YES.
"log_ftp_protocol" records FTP requests/responses, for debugging purposes. Also disable "xferlog_std_format".
"dual_log_enable" is enabled when you want to collect both the vsftpd log and xferlog. "xferlog_enable" must also be enabled.
Consider this carefully, as it increases the log volume. With these settings, FTP file transfers are written to "/var/log/xferlog" and FTP connection logs to "/var/log/vsftpd.log".

⇩The log looks like this

xferlog

Mon Jul 24 16:25:03 2023 1 10.10.10.10 8230 /test.jpg b _ ir ftp_test ftp 0 * c
Mon Jul 24 18:01:39 2023 1 10.10.10.10 8230 /test.jpg b _ ir ftp_test ftp 0 * c

vsftpd.log

Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "220 Welcome!"
Mon Jul 24 18:17:16 2023 [pid 42580] FTP command: Client "10.10.10.10", "QUIT"
Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "221 Goodbye."
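As an added example (not from the original article), the following shell function summarises an xferlog per user and transfer direction so uploads can be reviewed; the sample lines are constructed in the layout shown above, with the host, sizes and user names made up, and one line has "i r" fused into "ir" as in the dump above.

```shell
# Added example, not from the article: summarise a vsftpd xferlog per user and
# direction so uploads can be reviewed. Sample lines are constructed in the
# layout shown above (second line with "i r" fused into "ir", as in some dumps).
SAMPLE_XFERLOG='Mon Jul 24 16:25:03 2023 1 10.10.10.10 8230 /test.jpg b _ i r ftp_test ftp 0 * c
Mon Jul 24 18:01:39 2023 1 10.10.10.10 8230 /test.jpg b _ ir ftp_test ftp 0 * c
Mon Jul 24 18:05:12 2023 2 10.10.10.11 40960 /report.pdf b _ o r user1 ftp 0 * c
Mon Jul 24 18:07:44 2023 0 10.10.10.11 1024 /partial.bin b _ i r user1 ftp 0 * i'

# Read xferlog lines on stdin; print "user direction transfers bytes incomplete"
# per user/direction. Field layout (wu-ftpd style, as written by vsftpd):
#  1-5 date  6 seconds  7 remote host  8 bytes  9 file  10 a/b  11 special
#  12 direction (i=upload, o=download)  13 r/a  14 user ...  NF completion (c/i)
# Assumes file names without spaces.
xferlog_summary() {
  awk '
    NF < 14 { next }                              # skip truncated lines
    {
      d = substr($12, 1, 1)
      user = (length($12) == 1) ? $14 : $13      # handle fused "ir"/"or"
      key = user " " d
      cnt[key]++; bytes[key] += $8
      if ($NF != "c") inc[key]++
    }
    END {
      for (k in cnt) printf "%s %d %d %d\n", k, cnt[k], bytes[k], inc[k] + 0
    }' | sort
}

# Uploads only ("i"), largest first: the lines a reviewer looks at first.
upload_report() {
  xferlog_summary | awk '$2 == "i"' | sort -k4,4nr
}

printf '%s\n' "$SAMPLE_XFERLOG" | upload_report
```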

 

# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
pasv_address=<IP>
pasv_min_port=61000
pasv_max_port=61010

▶ Settings related to passive mode. In "pasv_address", set the IP address assigned to the WAN side (the global address if the server is reached via the Internet).
Specify the port range to be used for data connections in "pasv_min_port" and "pasv_max_port".

# You may change the default value for timing out an idle session.
idle_session_timeout=<number>

▶ When commented out, the default value is 600. This specifies the number of seconds of idleness (i.e. the session left unattended) after which the connection is closed.
Uncomment it only if necessary.

ascii_upload_enable=YES
ascii_download_enable=YES

▶ Enabled to allow transfers in ASCII mode

local_root=/mnt/ftp
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
chroot_list_file=/etc/vsftpd/chroot_list
user_config_dir=/etc/vsftpd/users

▶ Chroot settings.
"local_root" specifies the root directory after connecting; in this case it is /mnt/ftp. "chroot_local_user" prevents users from accessing directories above the one specified in local_root.
(This is the basic chroot setting.)

chroot_list_enable=YES
allow_writeable_chroot=YES
chroot_list_file=/etc/vsftpd/chroot_list

▶ Enables the chroot list and allows the chroot root directory to be writable (without "allow_writeable_chroot", vsftpd refuses logins into a writable chroot root with a "500 OOPS" error).
Also, users listed in "chroot_list_file" are exempted from the chroot and can move to directories other than the one specified in "local_root".
Finally, you can specify the root directory for each user by creating a file named after the user under "user_config_dir".

# Example) local_root=/var/www/html

 

listen=YES
# Make sure, that one of the listen options is commented !!
# listen_ipv6=NO

▶ In this example, only the IPv4 listening setting is enabled. Communication is not possible unless one of the two settings is enabled.

userlist_enable=YES
userlist_file=/etc/vsftpd/user_list

▶ Prevents users with the names listed in "user_list" from logging in. Access from common user names such as root and shutdown is blocked in the first place.

⇩Users listed in user_list by default

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

 

ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:!EXP
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key

▶ SSL/TLS.
Because of the POODLE issue, set "ssl_enable" to YES and disable SSLv2, SSLv3 and TLS 1.0 so that only TLS 1.1 or higher is used.
Add the cipher settings and force encrypted communication for both logins and data with the "force_local_..." options.
Specify the paths to the certificate and private key at the bottom.

use_localtime=YES

▶ Display times in local time instead of GMT.
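As an added example (not part of the article), here is a small shell lint that reads a vsftpd.conf and reports which of the hardening directives above are missing or set differently; the sample config it runs on is constructed and deliberately leaves out the "force_local_..." directives.

```shell
# Added example, not from the article: lint a vsftpd.conf for the hardening
# directives the article enables. The sample config below is constructed.
# Effective value of a directive: comments ignored, last assignment wins,
# empty output if the directive is not set.
vsftpd_get() {  # $1 = conf file, $2 = directive name
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key) }
    key == k { v = substr($0, index($0, "=") + 1); sub(/[ \t]+$/, "", v) }
    END { print v }' "$1"
}

# One FAIL line per directive that differs from the expected value; return
# status = number of failures (unset counts, the article sets all of these).
vsftpd_lint() {  # $1 = conf file
  n=0
  while read -r key want; do
    got=$(vsftpd_get "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key=${got:-<unset>} (expected $want)"
      n=$((n + 1))
    fi
  done <<EOF
anonymous_enable NO
ssl_enable YES
ssl_sslv2 NO
ssl_sslv3 NO
ssl_tlsv1 NO
force_local_logins_ssl YES
force_local_data_ssl YES
chroot_local_user YES
EOF
  return "$n"
}

# Constructed sample: the article's settings, but with TLS forcing left out.
sample_conf() {
  cat <<'EOF'
anonymous_enable=NO
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
# force_local_data_ssl=YES
chroot_local_user=YES
EOF
}

conf=$(mktemp); sample_conf > "$conf"
vsftpd_lint "$conf" || echo "$? finding(s)"; rm -f "$conf"
```

On the sample this prints two FAIL lines (both "force_local_..." directives unset) and "2 finding(s)".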

User Preparation

We will create a user who can only connect via FTP, so grant only the minimum privileges shown below.
Also, add a group called "ftp-group".

useradd <username>
passwd <username>
usermod -s /sbin/nologin <username>
# Add only if /sbin/nologin does not exist in /etc/shells
echo /sbin/nologin >> /etc/shells
groupadd ftp-group
usermod -aG ftp-group <username>

Also, since it is convenient for users to be able to create directories, edit the permissions of the FTP root directory.
(Set this according to your security requirements. In this article, we set the SGID bit on the directory and grant permissions to users belonging to the group.)

cd /mnt
chmod g+s ftp/
chgrp -R ftp-group ftp/
ls -l /mnt/
drwxr-sr-x 2 root ftp-group 4096 Jul 23 22:06 ftp

Preparing chroot and per-user files

Create /etc/vsftpd/chroot_list, the file specified in vsftpd.conf, and enter user names in it as needed.
Also, create the /etc/vsftpd/users directory with mkdir, then use touch etc. to create a file named after each user under users/ as needed, and put that user's local_root in it.

Preparing a self-signed certificate for FTPS

Follow the steps below to create a self-signed certificate. If your requirements allow it, set the expiration date to about 10 years.

cd /etc/pki/tls/private
openssl genrsa 2048 > vsftpd.key
openssl req -new -key vsftpd.key -x509 -days 3650 -out vsftpd.pem
mv vsftpd.pem /etc/pki/tls/certs/vsftpd.pem
chmod 600 /etc/pki/tls/certs/vsftpd.pem

You will be asked for the certificate DN information in the above steps, so fill it in as shown below.
(Since it is self-signed and only used within your company, you can basically enter anything except the hostname.)

Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Beyond
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test-server
Email Address []: [email protected]

Connection Test

Start vsftpd

systemctl start vsftpd.service

Connect in FTPS Explicit mode using a client such as WinSCP or FileZilla.
Firewalld, SELinux, etc. may block the connection, so allow the service or adjust them as appropriate.

Complete



About the author

Kawa Ken


A curious Poke○n who belongs to the System Solution Department.