nslu:ftp_server

nslu:ftp_server [2009/11/27 17:54] (current) – created - external edit 127.0.0.1
====== Set up VSFTP ======

Download and install the VSFTPD and XINETD packages.
<code>
# ipkg install vsftpd
Package vsftpd (2.0.6-2) installed in root is up to date.
Nothing to be done
# ipkg install xinetd
Package xinetd (2.3.14-7) installed in root is up to date.
Nothing to be done
#
</code>

Make a jailed user for outside access.  We will poke a hole through our firewall to allow external FTP access.
<code>
adduser -h /home/ftpuser ftpuser
passwd ftpuser
</code>

Designate this user as a JAILED user.
/opt/etc/vsftpd.chroot_list
<code>
ftpuser
</code>

/opt/etc/vsftpd.conf
<code>
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftp
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
</code>
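
As an added check (example code written for this page, not part of the original wiki page or of vsftpd): a POSIX shell script that reads a vsftpd.conf and reports when the settings the configuration above relies on are missing or inverted: anonymous logins left at their permissive default, the chroot list not active or not naming the jailed user, or anonymous uploads switched on together with write_enable. The function names conf_value, audit_vsftpd and write_samples and the two sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example, not the wiki page's own code: audit a vsftpd.conf for the
# settings the NSLU2 setup above relies on. The sample config files written
# by write_samples are constructed for the demonstration.

# conf_value FILE KEY
# Prints the effective value of KEY in FILE: commented lines are ignored and,
# as in vsftpd, the last assignment wins. Prints nothing when KEY is not set.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
      | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_vsftpd CONF JAILED_USER
# Prints one finding per line and returns the number of findings, so a
# return status of 0 means every check passed.
audit_vsftpd() {
    conf=$1; user=$2; n=0

    # The page's own comment: anonymous FTP is allowed unless this is NO.
    if [ "$(conf_value "$conf" anonymous_enable)" != "NO" ]; then
        echo "anonymous_enable is not NO: anonymous logins are allowed"
        n=$((n + 1))
    fi

    # With chroot_local_user=YES the list names the users NOT to jail,
    # so the chroot_list above would do the opposite of what is intended.
    if [ "$(conf_value "$conf" chroot_local_user)" = "YES" ]; then
        echo "chroot_local_user=YES inverts the meaning of chroot_list_file"
        n=$((n + 1))
    elif [ "$(conf_value "$conf" chroot_list_enable)" != "YES" ]; then
        echo "chroot_list_enable is not YES: $user is not jailed"
        n=$((n + 1))
    else
        list=$(conf_value "$conf" chroot_list_file)
        if [ -z "$list" ]; then
            echo "chroot_list_file is not set"
            n=$((n + 1))
        elif ! grep -qx "$user" "$list" 2>/dev/null; then
            echo "$user is missing from $list, so $user is not jailed"
            n=$((n + 1))
        fi
    fi

    # Write access plus anonymous uploads is the combination the page keeps
    # commented out; flag it if both get enabled.
    if [ "$(conf_value "$conf" write_enable)" = "YES" ] \
       && [ "$(conf_value "$conf" anon_upload_enable)" = "YES" ]; then
        echo "anon_upload_enable=YES with write_enable=YES: anonymous uploads allowed"
        n=$((n + 1))
    fi
    return "$n"
}

# write_samples DIR
# Creates two constructed configs in DIR: good.conf mirrors the page's
# settings; weak.conf has the anonymous line commented out, no chroot list
# and anonymous uploads switched on.
write_samples() {
    dir=$1
    printf 'ftpuser\n' > "$dir/vsftpd.chroot_list"
    cat > "$dir/good.conf" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=$dir/vsftpd.chroot_list
EOF
    cat > "$dir/weak.conf" <<EOF
#anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== good.conf"; audit_vsftpd "$tmp/good.conf" ftpuser || echo "findings: $?"
echo "== weak.conf"; audit_vsftpd "$tmp/weak.conf" ftpuser || echo "findings: $?"
rm -rf "$tmp"
```

Against the live file the call is audit_vsftpd /opt/etc/vsftpd.conf ftpuser: a zero exit status means the checks passed, anything else is the number of findings printed, which makes it usable from a cron job or a post-edit hook.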

Allow the XINETD super service to start up FTP daemons for us.

/opt/etc/xinetd.d
<code>
service ftp
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /opt/sbin/vsftpd
    server_args = /opt/etc/vsftpd.conf
    nice        = 10
    disable     = no
    only_from   = 0.0.0.0/0
}
</code>

**Update:**  After having this configuration running and open to the big bad internet, I noticed a number of repeated attempts to hack into my FTP server, so I restricted it to only those networks where I know people may be accessing it from.  It could be more restrictive, but this seems to have done the trick for the moment.

<code>
#only_from = 0.0.0.0/0
only_from += .btcentralplus.com
only_from += .btopenworld.com
only_from += .virginmedia.com
only_from += .ntl.com
only_from += .optusnet.com.au
only_from += .bigpond.com.au
# and Locally too.
only_from += 192.168.1.0/24
</code>
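
The detection side, as an added example that is not part of the original page: with xferlog_std_format left off as above, vsftpd writes each login result to vsftpd_log_file in its own log style, one line per attempt with the client address in quotes. The script below summarises failed logins per client address and lists the usernames tried from one address, which is what makes a guessing run stand out from a mistyped password. The log lines it writes are constructed samples, and the function names failed_logins_by_client, usernames_tried and write_sample_log are chosen for the example.

```shell
#!/bin/sh
# Added example, not the wiki page's own code: count failed FTP logins per
# client address in vsftpd's own log (the vsftpd_log_file set above), so the
# repeated break-in attempts the update describes are visible. The log lines
# written by write_sample_log are constructed, in vsftpd's default log style.

# failed_logins_by_client LOGFILE THRESHOLD
# Prints "COUNT ADDRESS" for every client with at least THRESHOLD failed
# logins, busiest first. Only FAIL LOGIN lines count; a successful login
# from the same address does not offset them.
failed_logins_by_client() {
    grep 'FAIL LOGIN: Client "' "$1" \
      | sed 's/.*Client "\([^"]*\)".*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# usernames_tried LOGFILE ADDRESS
# Prints the distinct usernames one client failed with, one per line: many
# different names from a single address is the signature of a guessing run.
usernames_tried() {
    grep -F "FAIL LOGIN: Client \"$2\"" "$1" \
      | sed 's/.*\] \[\([^]]*\)\] FAIL LOGIN.*/\1/' \
      | sort -u
}

# write_sample_log FILE
# Writes constructed log lines in the layout vsftpd uses for its own log.
write_sample_log() {
    cat > "$1" <<'EOF'
Fri Nov 27 18:01:02 2009 [pid 1201] [ftpuser] OK LOGIN: Client "192.168.1.20"
Fri Nov 27 18:02:10 2009 [pid 1205] [admin] FAIL LOGIN: Client "203.0.113.45"
Fri Nov 27 18:02:11 2009 [pid 1206] [root] FAIL LOGIN: Client "203.0.113.45"
Fri Nov 27 18:02:12 2009 [pid 1207] [test] FAIL LOGIN: Client "203.0.113.45"
Fri Nov 27 18:05:00 2009 [pid 1210] [ftpuser] FAIL LOGIN: Client "192.168.1.20"
Fri Nov 27 18:07:30 2009 [pid 1212] [ftp] FAIL LOGIN: Client "198.51.100.7"
Fri Nov 27 18:07:31 2009 [pid 1213] [ftp] FAIL LOGIN: Client "198.51.100.7"
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "== clients with 2 or more failed logins"
failed_logins_by_client "$log" 2
echo "== usernames tried from 203.0.113.45"
usernames_tried "$log" 203.0.113.45
rm -f "$log"
```

Pointed at /opt/var/log/vsftpd.log this gives the picture the update above describes, and it stays useful after the only_from change: xinetd matches a domain-name entry in only_from by reverse-resolving the connecting address, so that allowlist is only as exact as those providers' reverse DNS, and the log is what shows which sources still reach the login prompt.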

{{tag>nslu2 network}}