Friday, August 3, 2012

Configuring vsftpd on Debian

Vsftpd is a robust and secure FTP server for Linux systems. Here I will give step-by-step instructions on configuring it to use SSL for secure communication and to restrict logins to the local users named in a user list file.

I was never able to get it working with the PAM/MySQL authentication system and finally had to revert to this method, which in my humble opinion is not at all bad for a small server system with a limited number of users.

Step 1: Install vsftpd

#sudo apt-get install vsftpd

Step 2: create a Certificate for secure communication

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

OpenSSL will take you through a few basic questions (country, organisation, common name and so on). Once you have given all the necessary details, a single file holding both the private key and the self-signed certificate (the command uses the same path for -keyout and -out) is created under the directory /etc/ssl/private/. Because it contains the private key, keep that file readable by root only.

Step 3: Create a directory structure for FTP uploads with a home directory for each user

This is going to be the FTP upload directory for the user tiraj.adikari. If you want to use vsftpd with Apache, create this folder within /var/www/ instead; that is Apache's default directory for web content.

Ex:  
#sudo mkdir -p /usr/ftp/tiraj.adikari

Step 4: Edit the /etc/shells file 

You need to edit this file and add a dummy (non-interactive) shell to it, which all FTP users will be given as their login shell. This way they will not be able to SSH into the actual server using their FTP credentials. The shell has to be listed in /etc/shells because vsftpd's PAM configuration on Debian uses pam_shells, which rejects any account whose login shell is not in that file.

#vi /etc/shells

Add this line at the end

/usr/sbin/nologin

Step 5: Create the FTP users, one for each person who needs access to the server

#sudo useradd -d /usr/ftp/tiraj.adikari -s /usr/sbin/nologin tiraj.adikari

Change the password for the new user. 

#passwd tiraj.adikari

Step 6: Create a new group and add all new FTP users to this separate group

Let's create the group first

# addgroup ftpusers

Let's add tiraj.adikari to this group (the -a flag appends the group instead of replacing the user's existing supplementary groups)

# usermod -aG ftpusers tiraj.adikari

Step 7: Create the vsftpd.userlist file to store the names of all users who need access to the FTP server.

This is the file vsftpd consults to decide which local users may log in: with userlist_deny=NO (set in Step 8), only the names listed here are accepted and everyone else is refused before a password is even asked for.

#vi /etc/vsftpd.userlist

Add all the users you created in Step 5 to this file, one username per line.


Step 8: Edit the vsftpd.conf file

This file is located at /etc/vsftpd.conf

Open the configuration file in vi or gedit
# vi /etc/vsftpd.conf

Set the configuration values as shown below.

# General settings
# No anonymous logins; only the local system users created in Step 5 may log in and upload.
# (vsftpd does not accept comments on the same line as a setting, so comments stay on their own lines.)
anonymous_enable=NO
local_enable=YES
write_enable=YES
connect_from_port_20=YES
# Confine every user to their own home directory.
chroot_local_user=YES
local_umask=022

# Authentication settings
# Only the users named in /etc/vsftpd.userlist (Step 7) are allowed in; everyone else is refused.
userlist_file=/etc/vsftpd.userlist
userlist_enable=YES
userlist_deny=NO

# Secure communication settings
ssl_enable=YES
allow_anon_ssl=NO
# NO makes TLS optional: a client may still send its password and data in clear text.
# Set both to YES to refuse non-TLS logins and transfers once all your clients support TLS.
force_local_data_ssl=NO
force_local_logins_ssl=NO
# Allow TLSv1 only; SSLv2 and SSLv3 are broken and must stay off.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# The file created in Step 2. It also holds the private key, so no separate rsa_private_key_file is needed.
rsa_cert_file=/etc/ssl/private/vsftpd.pem

Step 9: Restart the vsftpd service for the changes to take effect

service vsftpd restart
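Once the service is back up, it is worth checking that the result matches what the steps above intended. The script below is an added example, not part of the original post or of vsftpd itself: it reads a vsftpd.conf and the userlist it names, reports the settings that still allow a plaintext login (the two force_local_*_ssl keys), a missing certificate file (for instance when rsa_cert_file does not match the path used in Step 2), and any listed user whose login shell is not /usr/sbin/nologin. The passwd file is a parameter so it can be run against copies of the files; vsftpd_audit, conf_get, want and need_file are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a vsftpd setup built as in
# Steps 2, 4, 5, 7 and 8 above and report what still allows a plaintext login.

# Value of key $2 in config file $1 (comment lines never match; the last occurrence wins, as in vsftpd).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Report a finding unless key $2 in config $1 equals $3. Returns 1 on mismatch.
want() {
    actual=$(conf_get "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    printf 'WARN %s=%s (want %s)\n' "$2" "${actual:-<unset>}" "$3"
    return 1
}

# Report a finding unless the file named by key $2 in config $1 is readable.
need_file() {
    f=$(conf_get "$1" "$2")
    [ -r "$f" ] && return 0
    printf 'WARN %s=%s is missing or unreadable\n' "$2" "${f:-<unset>}"
    return 1
}

# Audit vsftpd.conf $1 against passwd file $2 (normally /etc/passwd).
# The exit status is the number of findings, so 0 means every check passed.
vsftpd_audit() {
    conf=$1; passwd=$2; findings=0
    # force_local_*_ssl=NO (the guide's values) lets a client skip TLS and send
    # the password in clear text, so the audit wants YES for both.
    for pair in anonymous_enable=NO chroot_local_user=YES userlist_enable=YES \
                userlist_deny=NO ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO \
                force_local_logins_ssl=YES force_local_data_ssl=YES; do
        want "$conf" "${pair%%=*}" "${pair#*=}" || findings=$((findings + 1))
    done
    # Step 2 writes key and certificate to one file; rsa_cert_file must point at it.
    need_file "$conf" rsa_cert_file || findings=$((findings + 1))
    need_file "$conf" userlist_file || { findings=$((findings + 1)); return "$findings"; }
    # Every user allowed in by Step 7 must have the nologin shell set in Step 5.
    while read -r user || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
        [ "$shell" = /usr/sbin/nologin ] && continue
        printf 'WARN user %s has shell %s\n' "$user" "${shell:-<no passwd entry>}"
        findings=$((findings + 1))
    done < "$(conf_get "$conf" userlist_file)"
    return "$findings"
}
if [ $# -eq 2 ]; then vsftpd_audit "$1" "$2"; fi
```

Run it as `sh vsftpd_audit.sh /etc/vsftpd.conf /etc/passwd`; a non-zero exit status is the number of WARN lines printed.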

Troubleshooting tips:
If vsftpd refuses to start, you can find out what is causing it by running the vsftpd executable by hand and reading its output: go to /usr/sbin and execute it directly.

ex: 
#./vsftpd

This prints any error vsftpd encounters during its startup process (typically a mistyped option in /etc/vsftpd.conf or a certificate file that is not where rsa_cert_file says) to the terminal. If the service starts but a login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()", you are running vsftpd 2.3.5 or later, which refuses a chrooted session when the chroot root itself is writable: keep /usr/ftp/tiraj.adikari owned by root and not writable by the user, and give the user a writable subdirectory for uploads (vsftpd 3.0 and later also accept allow_writeable_chroot=YES). The rest is up to you.
