
nslu:ftp_server [2009/11/27 17:54] (current)
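--- a/nslu:ftp_server
+++ b/nslu:ftp_server
@@ -1,1 +1,165 @@
+====== Set up VSFTP ======
 
+Download and install the VSFTPD package and XINETD package
+<​code>​
+# ipkg install vsftpd
+Package vsftpd (2.0.6-2) installed in root is up to date.
+Nothing to be done
+# ipkg install xinetd
+Package xinetd (2.3.14-7) installed in root is up to date.
+Nothing to be done
+#
+</​code>​
+
+Make a jailed user for outside access. ​ We will poke a hole through our firewall to allow external FTP access.
+<​code>​
+adduser -h /​home/​ftpuser ftpuser
+passwd ftpuser
+</​code>​
+
+Designate this user as a JAILED user.
+/​opt/​etc/​vsftpd.chroot_list
+<​code>​
+ftpuser
+</​code>​
+
+/​opt/​etc/​vsftpd.conf
+<​code>​
+# Example config file /​opt/​etc/​vsftpd.conf
+#
+# The default compiled in settings are fairly paranoid. This sample file
+# loosens things up a bit, to make the ftp daemon more usable.
+# Please see vsftpd.conf.5 for all compiled in defaults.
+#
+# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
+# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd'​s
+# capabilities.
+#
+# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+anonymous_enable=NO
+#
+# Uncomment this to allow local users to log in.
+local_enable=YES
+#
+# Uncomment this to enable any form of FTP write command.
+write_enable=YES
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd'​s)
+local_umask=022
+#
+# Uncomment this to allow the anonymous FTP user to upload files. This only
+# has an effect if the above global write enable is activated. Also, you will
+# obviously need to create a directory writable by the FTP user.
+#​anon_upload_enable=YES
+#
+# Uncomment this if you want the anonymous FTP user to be able to create
+# new directories.
+#​anon_mkdir_write_enable=YES
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+#
+# Activate logging of uploads/​downloads.
+xferlog_enable=YES
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+#
+# If you want, you can arrange for uploaded anonymous files to be owned by
+# a different user. Note! Using "​root"​ for uploaded files is not
+# recommended!
+#​chown_uploads=YES
+#​chown_username=whoever
+#
+# You may override where the log file goes if you like. The default is shown
+# below.
+vsftpd_log_file=/​opt/​var/​log/​vsftpd.log
+#
+# If you want, you can have your log file in standard ftpd xferlog format
+#​xferlog_std_format=YES
+#
+# You may change the default value for timing out an idle session.
+#​idle_session_timeout=600
+#
+# You may change the default value for timing out a data connection.
+#​data_connection_timeout=120
+#
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+nopriv_user=ftp
+#
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#​async_abor_enable=YES
+#
+# By default the server will pretend to allow ASCII mode but in fact ignore
+# the request. Turn on the below options to have the server actually do ASCII
+# mangling on files when in ASCII mode.
+# Beware that turning on ascii_download_enable enables malicious remote parties
+# to consume your I/O resources, by issuing the command "SIZE /​big/​file"​ in
+# ASCII mode.
+# These ASCII options are split into upload and download because you may wish
+# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
+# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
+# on the client anyway..
+#​ascii_upload_enable=YES
+#​ascii_download_enable=YES
+#
+# You may fully customise the login banner string:
+ftpd_banner=Welcome to the NSLU2 vsftp daemon.
+#
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
+# useful for combatting certain DoS attacks.
+#​deny_email_enable=YES
+# (default follows)
+#​banned_email_file=/​opt/​etc/​vsftpd.banned_emails
+#
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+chroot_list_enable=YES
+# (default follows)
+chroot_list_file=/​opt/​etc/​vsftpd.chroot_list
+#
+# You may activate the "​-R"​ option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "​ncftp"​ and "​mirror"​ assume
+# the presence of the "​-R"​ option, so there is a strong case for enabling it.
+ls_recurse_enable=YES
+</​code>​
+
+Allow the XINETD super service to start-up FTP daemons for us.
+
+/​opt/​etc/​xinetd.d
+<​code>​
+service ftp
+{
+socket_type = stream
+wait = no
+user = root
+server = /​opt/​sbin/​vsftpd
+server_args = /​opt/​etc/​vsftpd.conf
+nice = 10
+disable = no
+only_from = 0.0.0.0/0
+}
+</​code>​
+
+**Update:​** ​ After having this configuration running and open to big bad internet I noticed a number of repeated attempts to hack into my FTP server. ​ So I restricted it to only those networks where I know people may be accessing it from.  It could be more restrictive but this seems to have done the trick for the moment.
+
+<​code>​
+#only_from = 0.0.0.0/0
+only_from += .btcentralplus.com
+only_from += .btopenworld.com
+only_from += .virginmedia.com
+only_from += .ntl.com
+only_from += .optusnet.com.au
+only_from += .bigpond.com.au
+# and Locally too.
+only_from += 192.168.1.0/​24
+</​code>​
+
+{{tag>​nslu2 network}}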
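Review bot: The vsftpd.conf shown sets `local_enable=YES` without `userlist_enable`, so every local account on the NSLU2 — not just the jailed ftpuser — can log in over the Internet-exposed, cleartext FTP port, and since `chroot_local_user` is left at its default only the single name in vsftpd.chroot_list is jailed, so any other local account that logs in sees the whole filesystem. Limiting logins to the jailed account is three lines in the same file: `userlist_enable=YES`, `userlist_deny=NO`, `userlist_file=/opt/etc/vsftpd.user_list` (that file holds `ftpuser`, like the chroot list). The `only_from += .btcentralplus.com` entries in the updated xinetd block appear to be matched against the client's reverse-DNS name, which the remote side controls, so they are a convenience filter rather than an access control; address ranges like the `192.168.1.0/24` entry are the dependable form. Since ftpuser's home is both the chroot root and write-enabled, the page should also state that uploads go to a subdirectory rather than the chroot root itself.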