@azadkuh
Last active February 12, 2023 23:49
setup vsftpd on Ubuntu

install

required packages:

$> sudo apt-get install libpam-pwdfile vsftpd mini-httpd

backup

back up the original configs so you can recover or revert to the default settings later:

$> sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original
$> sudo cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.original

users

to have virtual users, two types of users are needed:

a local ftp user

modify the ftp user as follows (if there's no ftp user, create it):

# make a home directory for 'ftp' (wherever you like)
$> sudo mkdir -p /home/share 
# set /home/share as home folder of 'ftp'
$> sudo usermod -d /home/share ftp

virtual ftp users

create hashed passwords

$> sudo su
$> mkdir -p /etc/vsftpd
$> cd /etc/vsftpd

# for the first user
$> htpasswd -c .htpasswd user1

# to modify or add other users, simply
$> htpasswd .htpasswd user2

warning:

this tutorial uses the htpasswd utility from mini-httpd. for some unknown reason the same binary from the apache2-utils package does not work with vsftpd, and you will end up with incorrect-login errors.

create home for virtual users

$> sudo su
$> mkdir -p /home/share/{user1,user2}
$> chown ftp:ftp -R /home/share
# vsftpd needs a read-only home directory for
#   every virtual user. otherwise it's not possible
#   to chroot the virtual user inside his/her home directory.
$> chmod a-w /home/share/*

writable directory

to grant write access to virtual users, create a RW folder inside each user's directory:

$> sudo mkdir -p /home/share/{user1,user2}/upload
$> sudo chmod u+w /home/share/{user1,user2}/upload

now upload is writable by the virtual user.

warning:

at the moment, vsftpd (ver 2.3.5) on Ubuntu 12.04 does not support allow_writeable_chroot=YES or allow_writable_chroot=YES as the newer versions do.

configurations

pam.d

sample /etc/pam.d/vsftpd :

auth    required pam_pwdfile.so pwdfile /etc/vsftpd/.htpasswd
account required pam_permit.so

vsftpd

sample /etc/vsftpd.conf :

# If enabled, vsftpd will run in standalone mode.
listen=YES

# messages are stored in .message (inside each directory).
dirmessage_enable=YES
ftpd_banner="Welcome to ACME Co. ftp service."

# general settings. 
pasv_enable=YES
pasv_min_port=7500
pasv_max_port=7550
pasv_promiscuous=NO
syslog_enable=YES
ascii_download_enable=NO
ascii_upload_enable=NO
connect_from_port_20=YES
idle_session_timeout=200
use_localtime=YES
max_per_ip=4
max_clients=20

# disable anonymous users.
anonymous_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_upload_enable=NO
anon_umask=022


# guest mode is needed for virtual users; they are remapped to guest_username.
guest_enable=YES
guest_username=ftp
nopriv_user=ftp
# If enabled, all user and group information in directory listings will be displayed as "ftp"
hide_ids=YES


local_enable=YES
local_root=/home/share/$USER
local_umask=022
chroot_local_user=YES
user_sub_token=$USER
virtual_use_local_privs=YES
write_enable=YES
pam_service_name=vsftpd

issues

seccomp_sandbox

there may be a bug on some newer kernels where vsftpd fails to authenticate users. if you get an error like this:

500 OOPS: priv_sock_get_cmd

then add the following line to /etc/vsftpd.conf (it turns off vsftpd's seccomp system-call filter):

seccomp_sandbox=NO

then restart the vsftpd service.

add SSL support

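first create a certificate:

# use a 2048-bit RSA key; 1024-bit RSA is no longer considered adequate
$> sudo openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpdk.pem -out /etc/vsftpd/vsftpdc.pem

then add these settings to vsftpd.conf:

ssl_enable=YES
allow_anon_ssl=NO
# with these two set to NO, clients may still log in and transfer data without TLS;
# set them to YES to require TLS.
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# certificate and private key created by the openssl command above
rsa_cert_file=/etc/vsftpd/vsftpdc.pem
rsa_private_key_file=/etc/vsftpd/vsftpdk.pem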
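
as an added example (not part of the original gist), this shell script audits a vsftpd.conf for the settings covered in the configuration and SSL sections above, including whether the certificate and key paths it names actually exist. the helper names and the sample config are constructed for illustration, and the defaults used for absent keys are assumed from the vsftpd.conf man page.

```shell
#!/bin/sh
# Added example, not from the original gist. conf_get, expect and
# audit_vsftpd_conf are hypothetical helper names.

# Effective value of KEY in FILE: the last "KEY=value" line wins and "#"
# lines never match; DEFAULT is printed when the key is absent.
conf_get() {  # conf_get FILE KEY DEFAULT
    _v=$(sed -n "s/^$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${_v:-$3}"
}

# Print a WARN line when KEY's effective value differs from WANT.
expect() {  # expect FILE KEY WANT DEFAULT REASON
    _got=$(conf_get "$1" "$2" "$4")
    if [ "$_got" != "$3" ]; then
        echo "WARN $2=$_got (want $3): $5"
    fi
}

audit_vsftpd_conf() {  # audit_vsftpd_conf FILE
    # DEFAULT column: built-in values per vsftpd.conf(5) (assumed for absent keys).
    expect "$1" anonymous_enable NO YES "anonymous logins are accepted"
    expect "$1" chroot_local_user YES NO "users are not confined to their home"
    expect "$1" pasv_promiscuous NO NO "passive data peer is not verified"
    expect "$1" seccomp_sandbox YES YES "system-call filter is switched off"
    expect "$1" ssl_enable YES NO "logins and data travel in clear text"
    if [ "$(conf_get "$1" ssl_enable NO)" = YES ]; then
        expect "$1" force_local_logins_ssl YES YES "clear-text logins still work"
        expect "$1" force_local_data_ssl YES YES "clear-text transfers still work"
        expect "$1" ssl_sslv2 NO NO "obsolete protocol enabled"
        expect "$1" ssl_sslv3 NO NO "obsolete protocol enabled"
        # A certificate or key path named in the config must be readable.
        for _k in rsa_cert_file rsa_private_key_file; do
            _p=$(conf_get "$1" "$_k" "")
            if [ -n "$_p" ] && [ ! -r "$_p" ]; then
                echo "WARN $_k=$_p: file is missing or unreadable"
            fi
        done
    fi
}

# Constructed sample config (paths are placeholders) so the script runs offline.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO chroot_local_user=YES seccomp_sandbox=NO \
    ssl_enable=YES force_local_logins_ssl=NO force_local_data_ssl=NO \
    rsa_cert_file=/nonexistent/vsftpd.pem > "$sample"
audit_vsftpd_conf "$sample"
rm -f "$sample"
```

seccomp_sandbox only exists in newer vsftpd releases, so on an old build an absent key is reported as fine; point the function at /etc/vsftpd.conf to audit a live server.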

test

give it a try with $> ftp localhost, logging in as one of the virtual users you have set up.
