You can install vsftpd on Ubuntu / Debian, CentOS / Fedora and RHEL Linux.
Installing vsftpd on Ubuntu or Debian
sudo apt-get install vsftpd
Installing vsftpd on CentOS / Fedora
yum install vsftpd
How to configure vsftpd:
Now that you’ve installed vsftpd, follow this procedure to configure it. These steps apply to both Linux variants.
Before you get started, stop vsftpd by typing:
service vsftpd stop
Edit vsftpd.conf
In Ubuntu / Debian:
vim /etc/vsftpd.conf
In Red Hat / CentOS
vim /etc/vsftpd/vsftpd.conf
Make the following changes:
We don’t want anonymous login:
anonymous_enable=NO
Enable local users:
Uncomment the “local_enable=YES” line (else you’ll get an error like ’500 OOPS: vsftpd: both local and anonymous access disabled!’)
local_enable=YES
The ftpuser should be able to write data:
Uncomment the “write_enable=YES” line (else you’ll get an error like ’550 Permission denied.’ from your FTP client when you upload a file or create a directory)
write_enable=YES
Port 20 needs to be turned off; this lets vsftpd run with less privilege:
connect_from_port_20=NO
Chroot everyone:
Add a “chroot_local_user=YES” line. This will trap your FTP users in their own /home/username directory. Otherwise they will be able to see and update some files outside their home directory.
chroot_local_user=YES
ascii_upload_enable=YES
ascii_download_enable=YES
Set the umask to 022 to make sure that all the files (644) and folders (755) you upload get the proper permissions.
local_umask=022
Now that the basic configuration is complete, let us lock down a directory to a single user. Create the user with that directory as its home and no login shell:
#sudo useradd -d /var/www/path/to/your/dir -s /usr/sbin/nologin ftpuser
Setup a password for the user:
#sudo passwd ftpuser
To allow ftpuser to read and write data in its home directory, change the ownership and permissions:
#sudo chown ftpuser -R /var/www/path/to/your/dir
#sudo chmod 775 /var/www/path/to/your/dir
Create userlist file and add the user:
Ubuntu / Debian:
#vim /etc/vsftpd/vsftpd.userlist
CentOS / Fedora :
#vim /etc/vsftpd/vsftpd.userlist
and add the user:
ftpuser
Save the file and open vsftpd.conf again:
#vim /etc/vsftpd/vsftpd.conf
Add the following lines at the end of the file and save it:
# the list of users to give access
userlist_file=/etc/vsftpd/vsftpd.userlist
# this list is on
userlist_enable=YES
# It is not a list of users to deny ftp access
userlist_deny=NO
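As an added example (not part of this post or of vsftpd itself), the POSIX shell script below audits a vsftpd.conf against the settings described above and shows how userlist_enable and userlist_deny decide who passes the userlist stage of a login; the file paths and config contents it uses are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf against the
# settings this guide sets, and work out whom the userlist stage admits.
# The config and userlist written below are constructed for the demo.

# Effective value of KEY in FILE (the last "key=value" line wins), or "unset"
# when the file does not set it and vsftpd's built-in default applies.
conf_get() {  # conf_get FILE KEY
    v=$(grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# Run every check the guide asks for; the exit status is the number of deviations.
audit_vsftpd_conf() {  # audit_vsftpd_conf FILE
    fails=0
    for kv in anonymous_enable=NO local_enable=YES write_enable=YES \
              connect_from_port_20=NO chroot_local_user=YES local_umask=022 \
              userlist_enable=YES userlist_deny=NO; do
        actual=$(conf_get "$1" "${kv%%=*}")
        if [ "$actual" = "${kv#*=}" ]; then printf 'OK   %s\n' "$kv"
        else printf 'FAIL %s=%s (guide sets %s)\n' "${kv%%=*}" "$actual" "${kv#*=}"
             fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Does USER pass the userlist stage of a login under CONF? With userlist_deny=NO
# the list is an allow-list (the guide's choice); with YES, the default, a deny-list.
userlist_allows() {  # userlist_allows CONF USER
    [ "$(conf_get "$1" userlist_enable)" = YES ] || return 0   # list not consulted
    list=$(conf_get "$1" userlist_file); listed=1
    [ -f "$list" ] && grep -qx "$2" "$list" && listed=0
    [ "$(conf_get "$1" userlist_deny)" = NO ] && return "$listed"
    [ "$listed" -eq 0 ] && return 1 || return 0
}

# --- constructed demo: the guide's settings, except userlist_deny left at YES ---
demo=$(mktemp -d)
printf 'ftpuser\n' > "$demo/vsftpd.userlist"
printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
  connect_from_port_20=NO chroot_local_user=YES local_umask=022 \
  userlist_file="$demo/vsftpd.userlist" userlist_enable=YES userlist_deny=YES \
  > "$demo/vsftpd.conf"
audit_vsftpd_conf "$demo/vsftpd.conf" || echo "$? setting(s) deviate from the guide"
userlist_allows "$demo/vsftpd.conf" ftpuser && echo "ftpuser admitted" || echo "ftpuser denied"
rm -r "$demo"
```

Run against the real file (/etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf) to see which of the settings above have drifted; the demo deliberately shows that leaving userlist_deny at its default locks out the one user you listed.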
After completing all these steps it is almost ready to use; if you give it a try now you will get a “500 OOPS permission denied error”. To fix it you need to add nologin to the set of allowed shells:
#vim /etc/shells
The file should look like this:
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/sbin/nologin
Now create a usergroup and add the ftpuser to it:
#sudo groupadd ftpusers
#sudo usermod -aG ftpusers ftpuser
Now start the vsftpd:
#service vsftpd start
Run the FTP service automatically at boot:
# chkconfig vsftpd on
Check the SELinux configuration:
SELinux, if I am not mistaken, is similar to User Account Control: it restricts the access rights or functions of an application or daemon. You must be careful at this stage, because if you misconfigure it the FTP users will not be able to log in to their home directories.
# getsebool -a | grep ftp
If SELinux is disabled, change it to permissive.
Edit the SELinux configuration file with the command:
# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
#SELINUX= can take one of these three values:
#enforcing - SELinux security policy is enforced.
#permissive - SELinux prints warnings instead of enforcing.
#disabled - SELinux is fully disabled.
SELINUX=permissive
#SELINUXTYPE= type of policy in use. Possible values are:
#targeted - Only targeted network daemons are protected.
#strict - Full SELinux protection.
SELINUXTYPE=targeted
Note: change the SELINUX line to
SELINUX=permissive
Reboot the computer:
# reboot
Set ftp_home_dir to on:
# setsebool -P ftp_home_dir on
# iptables -F
Check with getsebool:
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
Ref: linuxaway.net, http://kalpaz.blogspot.com