Use chroot with vsftpd to connect to FTPS with multiple users

Hello.
Wrinkles on your skin are a binary log of life.
This is Kawa from the System Solutions Department. I want to eat yakitori. I like chicken breast and chicken hearts.
Well, the other day I had a chance to play around with vsftpd, and it has some quirks in its configuration. I think anyone who has set it up will agree, but the "opposite of the opposite" way of configuring it makes my brain shrink.
This time, I will leave a memo on how to use vsftpd for FTPS communication, enable chroot, and flexibly change permissions for multiple users. There is little information available about vsftpd with FTPS, so I hope this article will be useful to someone.
Operating environment and protocols used
I will be using AlmaLinux 9.
The protocol used will be FTPS (explicit mode), which encrypts the control and data connections and is therefore more secure than plain FTP.
The vsftpd version is 3.0.5.
Purpose of using chroot
Basically, everyone is allowed to access /mnt/ftp.
However, some administrators need to be able to move between directories freely, so they are added to the chroot list. This allows them to upload files to directories other than the designated one.
Users with limited permissions can be handled flexibly as well, for example by allowing them access only to "/mnt/ftp/user1".
vsftpd installation
Let's install it now
dnf install vsftpd
vsftpd configuration
Once installed, we'll immediately start modifying the conf file.
First, just to be safe, make a backup.
cd /etc/vsftpd
cp -ip vsftpd.conf vsftpd.conf_org
Configure vsftpd.conf.
There are many things to change from the default configuration and many things to keep, so we will only highlight the parts we will enable here.
Please adjust the settings as needed according to your environment.
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
▶ Anonymous users cannot log in (NO)
# Uncomment this to allow local users to log in.
local_enable=YES
▶ Allow local users to access (YES)
# Uncomment this to enable any form of FTP write command.
write_enable=YES
▶ "write_enable" must be set to YES to grant upload permissions to the user
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
▶ This item concerns the permissions of uploaded files, and it is quite important.
The default value is "022", so the permissions of uploaded files will be 777 minus 022, which is 755.
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
# You may fully customize the login banner string:
ftpd_banner=Welcome!
▶ This is up to you. Display any message (in this case, "Welcome!") when logging in
# Activate logging of uploads/downloads.
xferlog_enable=YES
# You may override where the log file goes if you like. The default is shown
# below (/var/log/xferlog in this case).
xferlog_std_format=NO
▶ Logging is the particularly complicated part. Depending on your requirements, checking these four items should suffice.
"xferlog_enable" is the most important one: it enables logging. The default value is YES.
"log_ftp_protocol" records FTP requests and responses, which is useful for debugging. Set "xferlog_std_format" to NO at the same time.
"dual_log_enable" is for when you want both the vsftpd log and the xferlog. "xferlog_enable" must also be enabled.
Consider this carefully, because it increases the amount of log data. With these settings, FTP file transfers are written to "/var/log/xferlog" and FTP connection logs to "/var/log/vsftpd.log".
⇩The log looks like this
xferlog
Mon Jul 24 16:25:03 2023 1 10.10.10.10 8230 /test.jpg b _ i r ftp_test ftp 0 * c
Mon Jul 24 18:01:39 2023 1 10.10.10.10 8230 /test.jpg b _ i r ftp_test ftp 0 * c
vsftpd.log
Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "220 Welcome!"
Mon Jul 24 18:17:16 2023 [pid 42580] FTP command: Client "10.10.10.10", "QUIT"
Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "221 Goodbye."
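As an added example (not code from the original article), here is a small Python parser for the two log formats above, with the summary a monitoring team actually wants from them: bytes uploaded per user, transfers that did not complete, and clients that repeatedly fail to log in. The xferlog and vsftpd.log records embedded in it are the ones shown above plus a few constructed lines in the same layout (an incomplete download, and OK LOGIN / FAIL LOGIN events) so every code path is exercised; the failed-login threshold of 3 is an arbitrary choice.

```python
# Added example, not from the article: parse the xferlog and vsftpd.log
# formats shown above and pull out what a monitoring team looks for.
import re
from collections import Counter

# Constructed input: the two xferlog records shown in the article, plus one
# constructed record for an incomplete download (status "i").
XFERLOG_SAMPLE = """\
Mon Jul 24 16:25:03 2023 1 10.10.10.10 8230 /test.jpg b _ i r ftp_test ftp 0 * c
Mon Jul 24 18:01:39 2023 1 10.10.10.10 8230 /test.jpg b _ i r ftp_test ftp 0 * c
Mon Jul 24 18:05:10 2023 3 10.10.10.20 1048576 /big.bin b _ o r ftp_test ftp 0 * i
"""

# Constructed input: the three vsftpd.log lines from the article, plus
# constructed OK LOGIN / FAIL LOGIN lines in the same layout.
VSFTPD_LOG_SAMPLE = """\
Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "220 Welcome!"
Mon Jul 24 18:17:16 2023 [pid 42580] FTP command: Client "10.10.10.10", "QUIT"
Mon Jul 24 18:17:16 2023 [pid 42580] FTP response: Client "10.10.10.10", "221 Goodbye."
Mon Jul 24 18:20:01 2023 [pid 42601] [ftp_test] OK LOGIN: Client "10.10.10.10"
Mon Jul 24 18:21:05 2023 [pid 42610] [ftp_test] FAIL LOGIN: Client "10.10.10.30"
Mon Jul 24 18:21:07 2023 [pid 42611] [admin] FAIL LOGIN: Client "10.10.10.30"
Mon Jul 24 18:21:09 2023 [pid 42612] [root] FAIL LOGIN: Client "10.10.10.30"
"""

DATE = r"(?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})"

# wu-ftpd style xferlog record: date, transfer seconds, client, bytes, path,
# type (a/b), special-action flag, direction (i upload / o download / d delete),
# access mode (a/g/r), user, service, auth method, auth user id, status (c/i).
XFERLOG_RE = re.compile(
    DATE + r" (?P<secs>\d+) (?P<client>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<special>\S+) (?P<direction>[iod]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authuid>\S+) (?P<status>[ci])$"
)

# vsftpd.log record: date [pid N] [optional user] KIND: Client "ip"[, "message"]
VSFTPD_RE = re.compile(
    DATE + r' \[pid (?P<pid>\d+)\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<kind>[A-Za-z ]+?): Client "(?P<client>[^"]+)"(?:, "(?P<message>.*)")?$'
)


def parse_xferlog(text):
    """One dict per well-formed xferlog record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"], rec["secs"] = int(rec["size"]), int(rec["secs"])
            records.append(rec)
    return records


def parse_vsftpd_log(text):
    """One dict per vsftpd.log line that matches the layout above."""
    return [m.groupdict() for m in map(VSFTPD_RE.match, text.splitlines()) if m]


def transfer_summary(records):
    """Bytes uploaded per user, plus transfers that did not complete."""
    uploaded, incomplete = Counter(), []
    for r in records:
        if r["direction"] == "i" and r["status"] == "c":
            uploaded[r["user"]] += r["size"]
        if r["status"] == "i":
            incomplete.append((r["user"], r["path"], r["client"]))
    return uploaded, incomplete


def failed_logins_by_client(events, threshold=3):
    """Clients with at least `threshold` FAIL LOGIN events (threshold is arbitrary)."""
    fails = Counter(e["client"] for e in events if e["kind"] == "FAIL LOGIN")
    return {client: n for client, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    uploaded, incomplete = transfer_summary(parse_xferlog(XFERLOG_SAMPLE))
    print("bytes uploaded per user:", dict(uploaded))
    print("incomplete transfers:", incomplete)
    print("clients over the failed-login threshold:",
          failed_logins_by_client(parse_vsftpd_log(VSFTPD_LOG_SAMPLE)))
```

The two regexes are deliberately strict (anchored at both ends, one-character classes for the flag fields), so a line that does not fit the documented layout is dropped rather than mis-attributed to a user; if you point this at a real log, count the dropped lines as well.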
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
pasv_address=<IP>
pasv_min_port=61000
pasv_max_port=61010
▶ Passive mode settings. Set the IP address assigned to the WAN side (the global address if the server is reached over the internet) in "pasv_address".
Specify the port range used for data connections in "pasv_min_port" and "pasv_max_port".
# You may change the default value for timing out an idle session.
idle_session_timeout=<number>
▶ When this is commented out, the default value is 600. It specifies the number of seconds an idle (left unattended) connection is kept before it is disconnected.
Uncomment it only when necessary.
ascii_upload_enable=YES
ascii_download_enable=YES
▶ Enabled to allow transfers in ASCII mode
local_root=/mnt/ftp
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
chroot_list_file=/etc/vsftpd/chroot_list
user_config_dir=/etc/vsftpd/users
▶ chroot settings.
"local_root" specifies the root directory the user lands in after connecting; here it is /mnt/ftp. "chroot_local_user" confines users so that they cannot access directories above the one specified by local_root.
(This completes the basic chroot settings.)
chroot_list_enable=YES
allow_writeable_chroot=YES
chroot_list_file=/etc/vsftpd/chroot_list
▶ These enable the chroot list and allow writing inside the chroot.
In addition, users listed in "chroot_list_file" are able to move to directories other than the one specified in "local_root".
Finally, by creating a file named after the user under "user_config_dir", you can specify the root directory for each user individually.
# Example) local_root=/var/www/html
listen=YES
# Make sure, that one of the listen options is commented !!
# listen_ipv6=NO
▶ In this example only the IPv4 listener is enabled. vsftpd cannot communicate unless one of the two settings is enabled.
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
▶ Logins using the usernames listed in "user_list" are denied. Access from well-known system accounts such as root or shutdown is blocked outright.
⇩Users listed in user_list by default
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:!EXP
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
▶ SSL/TLS settings.
Because of the POODLE vulnerability, set the SSL versions to NO and enable only TLS, 1.1 or higher.
Add the cipher settings and force encrypted communication for the connection with the "force_local_..." directives.
At the bottom, specify the paths to the certificate and private key to be used.
use_localtime=YES
▶ Use local time instead of GMT for the timestamps in directory listings.
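The settings above are easy to get subtly wrong, and vsftpd's built-in defaults differ from several of the values recommended here. As an added example that is not part of the article, the Python script below reads a vsftpd.conf and reports every departure from the points made above: no anonymous login, TLS only with SSLv2/SSLv3/TLS 1.0 off, forced encryption with a certificate and key configured, chroot, a defined passive port range and address, exactly one listen directive, and a umask that does not leave uploads world-writable. Both configs embedded in it are constructed: one mirrors the directives in this article (with the article's <IP> placeholder), the other is deliberately weak to show what gets flagged. The DEFAULTS table holds the vsftpd.conf(5) defaults for the keys the checks rely on.

```python
# Added example, not from the article: check a vsftpd.conf against the
# hardening points above. Both configs are constructed.
HARDENED_CONF = """\
anonymous_enable=NO
local_umask=022
pasv_address=<IP>
pasv_min_port=61000
pasv_max_port=61010
chroot_local_user=YES
allow_writeable_chroot=YES
listen=YES
# listen_ipv6=NO
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
"""

# Deliberately weak config (constructed) to show what gets flagged.
WEAK_CONF = """\
anonymous_enable=YES
listen=YES
listen_ipv6=YES
ssl_enable=YES
ssl_sslv3=YES
force_local_logins_ssl=NO
chroot_local_user=NO
local_umask=000
"""

# vsftpd.conf(5) defaults for the keys the checks depend on.
DEFAULTS = {"anonymous_enable": "YES", "ssl_enable": "NO", "ssl_sslv2": "NO",
            "ssl_sslv3": "NO", "ssl_tlsv1": "YES", "force_local_data_ssl": "YES",
            "force_local_logins_ssl": "YES", "chroot_local_user": "NO", "listen": "NO",
            "listen_ipv6": "NO", "local_umask": "077", "pasv_min_port": "0", "pasv_max_port": "0"}


def parse_conf(text):
    """One key=value per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check(conf):
    """List of findings; an empty list means the conf meets the points above."""
    get = lambda key: conf.get(key, DEFAULTS.get(key, "")).upper()
    findings = []
    if get("anonymous_enable") != "NO":
        findings.append("anonymous_enable is not NO: anonymous logins are allowed")
    if get("ssl_enable") != "YES":
        findings.append("ssl_enable is not YES: no FTPS, credentials travel in clear text")
    else:
        for legacy in ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1"):
            if get(legacy) != "NO":
                findings.append(f"{legacy} is not NO: legacy protocol enabled (POODLE-class risk)")
        if "YES" not in (get("ssl_tlsv1_1"), get("ssl_tlsv1_2")):
            findings.append("neither ssl_tlsv1_1 nor ssl_tlsv1_2 is YES: set at least one explicitly")
        for forced in ("force_local_data_ssl", "force_local_logins_ssl"):
            if get(forced) != "YES":
                findings.append(f"{forced} is not YES: clients may fall back to plain FTP")
        for path_key in ("rsa_cert_file", "rsa_private_key_file"):
            if not conf.get(path_key):
                findings.append(f"{path_key} is not set")
    if get("chroot_local_user") != "YES":
        findings.append("chroot_local_user is not YES: users can browse above local_root")
    elif get("allow_writeable_chroot") != "YES":
        findings.append("allow_writeable_chroot is not YES: with a writable local_root vsftpd refuses the login (500 OOPS: refusing to run with writable root inside chroot())")
    lo, hi = int(get("pasv_min_port")), int(get("pasv_max_port"))
    if lo == 0 or hi == 0 or lo > hi:
        findings.append("pasv_min_port/pasv_max_port do not define a range to pin the firewall to")
    if not conf.get("pasv_address"):
        findings.append("pasv_address is not set: PASV replies use the listening address, wrong behind NAT")
    if (get("listen") == "YES") == (get("listen_ipv6") == "YES"):
        findings.append("exactly one of listen / listen_ipv6 must be YES")
    # vsftpd opens uploads with mode 0666 (file_open_mode) and creates
    # directories with 0777, then applies local_umask on top.
    file_mode = 0o666 & ~int(get("local_umask"), 8)
    if file_mode & 0o002:
        findings.append(f"local_umask={get('local_umask')} leaves uploaded files world-writable ({file_mode:o})")
    return findings


def passive_firewall_ports(conf):
    """firewalld port spec for the configured passive range, e.g. '61000-61010/tcp'."""
    return f"{conf['pasv_min_port']}-{conf['pasv_max_port']}/tcp"


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(f"[{name}]", check(parse_conf(text)) or "no findings")
    print("passive range to open:", passive_firewall_ports(parse_conf(HARDENED_CONF)))
```

The port spec the last function returns is the one you hand to firewalld (firewall-cmd --permanent --add-port=61000-61010/tcp, alongside --add-service=ftp for port 21), so deriving it from the conf file keeps the firewall and vsftpd from drifting apart. The allow_writeable_chroot finding only matters when the user can actually write to local_root, which is the case with the SGID group setup used later in this article.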
User Preparation
We will create a user who can only connect via FTP, so we grant only the minimum privileges shown below.
We will also add a group called "ftp-group".
useradd <username>
passwd <username>
usermod <username> -s /sbin/nologin
# Add only if /sbin/nologin does not exist in /etc/shells
echo /sbin/nologin >> /etc/shells
groupadd ftp-group
usermod -aG ftp-group <username>
Additionally, since it's beneficial to be able to create directories, we'll edit the FTP root directory permissions.
(Configure this according to your security requirements. In this article, we'll set SGID for the directory and grant permissions to users belonging to the group.)
cd /mnt
chmod g+s ftp/
chgrp ftp-group -R ftp/
ls -l /mnt/
drwxr-sr-x 2 root ftp-group 4096 Jul 23 22:06 ftp
Preparing chroot and per-user files
Create the file /etc/vsftpd/chroot_list specified in vsftpd.conf using touch or a similar tool, and add usernames to it as needed.
Additionally, create the /etc/vsftpd/users directory using mkdir and, if necessary, create a file named after the user under users/ using touch or a similar tool, and add a local_root line to it.
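The interaction between chroot_local_user, chroot_list_enable, the chroot list, user_list and the per-user files is the "opposite of the opposite" part of vsftpd. As an added example that is not from the article, the Python below models those rules as vsftpd.conf(5) documents them and answers, for a given username, whether the login is allowed, whether the session is chrooted, and which directory it starts in. The directive values are the ones used in this article; the file contents (a chroot_list containing "admin", a default-style user_list, and a users/user1 file overriding local_root) are constructed stand-ins held in a dict rather than read from disk.

```python
# Added example, not from the article: model what vsftpd does with the
# chroot / user-list directives above, as vsftpd.conf(5) documents them.
# Directive values are the article's; file contents are constructed stand-ins.
import os

CONF = {
    "local_root": "/mnt/ftp",
    "chroot_local_user": "YES",
    "chroot_list_enable": "YES",
    "chroot_list_file": "/etc/vsftpd/chroot_list",
    "user_config_dir": "/etc/vsftpd/users",
    "userlist_enable": "YES",
    "userlist_file": "/etc/vsftpd/user_list",
}

# Stand-ins for the files on disk (constructed), keyed by path.
FILES = {
    "/etc/vsftpd/chroot_list": "admin\n",
    "/etc/vsftpd/user_list": "# vsftpd userlist\nroot\nbin\ndaemon\nshutdown\nnobody\n",
    "/etc/vsftpd/users/user1": "local_root=/mnt/ftp/user1\n",
}


def read_list(path):
    """Usernames in a one-per-line list file; blank and '#' lines are ignored."""
    lines = (l.strip() for l in FILES.get(path, "").splitlines())
    return {l for l in lines if l and not l.startswith("#")}


def yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"


def resolve(conf, user):
    """Return (login_allowed, chrooted, start_dir) for `user`.

    start_dir is local_root (or the per-user override). When chrooted is
    False the user starts there but may cd anywhere Unix permissions allow.
    """
    # userlist_enable: with userlist_deny=YES (the default) the file is a deny
    # list; with userlist_deny=NO it becomes the only set of users allowed in.
    if yes(conf, "userlist_enable"):
        listed = user in read_list(conf.get("userlist_file", "/etc/vsftpd/user_list"))
        if yes(conf, "userlist_deny", "YES") == listed:
            return False, False, None

    # A file named after the user under user_config_dir supplies per-user
    # directives; local_root is the one this article uses it for.
    effective = dict(conf)
    if conf.get("user_config_dir"):
        override = FILES.get(os.path.join(conf["user_config_dir"], user), "")
        for line in override.splitlines():
            key, _, value = line.partition("=")
            key = key.strip()
            if key and not key.startswith("#"):
                effective[key] = value.strip()

    # The double negative: chroot_local_user=YES makes chroot_list the set of
    # users who are NOT chrooted; chroot_local_user=NO makes it the set who ARE.
    chrooted = yes(effective, "chroot_local_user")
    if yes(effective, "chroot_list_enable"):
        if user in read_list(effective.get("chroot_list_file", "/etc/vsftpd/chroot_list")):
            chrooted = not chrooted

    # Without local_root vsftpd starts in the user's home directory ("~user" here).
    return True, chrooted, effective.get("local_root") or f"~{user}"


if __name__ == "__main__":
    for user in ("user1", "user2", "admin", "root"):
        allowed, chrooted, start = resolve(CONF, user)
        login = "yes" if allowed else "DENIED"
        print(f"{user:8} login={login:6} chroot={'yes' if chrooted else 'no'} start={start}")
```

Running it with the article's values gives: user1 is chrooted into /mnt/ftp/user1, user2 (no per-user file) is chrooted into /mnt/ftp, admin starts in /mnt/ftp but is not chrooted because it appears in chroot_list, and root is refused by user_list before anything else is consulted. Flip chroot_local_user to NO and the same chroot_list now means admin is the only chrooted user, which is exactly the inversion that catches people.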
Preparing a self-signed certificate for FTPS
Create a self-signed certificate with the steps below. If it meets your requirements, set the expiry to about 10 years.
cd /etc/pki/tls/private
openssl genrsa 2048 > vsftpd.key
openssl req -new -key vsftpd.key -x509 -days 3650 -out vsftpd.pem
mv vsftpd.pem /etc/pki/tls/certs/vsftpd.pem
chmod 600 /etc/pki/tls/certs/vsftpd.pem
During the openssl req step above you are asked for the certificate's subject (DN) information, so fill it in appropriately as shown below.
(Since it is self-signed and only used within your company, basically anything other than the hostname can be whatever you like.)
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Beyond
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test-server
Email Address []:[email protected]
Connection Test
Start vsftpd
systemctl start vsftpd.service
Connect in explicit FTPS mode (Explicit mode) with a tool like WinSCP or FileZilla.
firewalld or SELinux may block the connection, so allow the service and the passive port range, or disable them, as your environment requires.

Done.
