Installing the VSFTPD Linux Server

To initiate the installation of the vsftpd package, simply open your CLI prompt and use the yum command (you need root privileges) as shown below:

# yum install vsftpd

Yum will automatically locate, download and install the latest vsftpd version.


Configure VSFTPD Server

To open the configuration file, type:

# vi /etc/vsftpd/vsftpd.conf

Turn off standard ftpd xferlog log format and turn on verbose vsftpd log format by making the following changes in the vsftpd.conf file:

xferlog_std_format=NO
log_ftp_protocol=YES
Note: the default vsftpd log file is /var/log/vsftpd.log.

The two directives above enable logging of all FTP transactions.

To lock down users to their home directories:

chroot_local_user=YES

Method 1:

Set the user's home directory to /var/www/. If you want to change it for an existing user, you can use:

useradd username
passwd username
usermod --home /var/www/ username

then set the required permissions on /var/www/ (the find command below applies mode 775 to every directory under /var/www/html):

sudo find /var/www/html -type d -exec chmod 775 {} \;

Method 2: Use user_sub_token

If you don't want to change the user's home directory, you can use:

chroot_local_user=YES
local_root=/ftphome/$USER
user_sub_token=$USER

You can create a warning banner for all FTP users by defining the path:

banner_file=/etc/vsftpd/issue

Now you can create the /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

“NOTICE TO USERS – Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address”.


Turn On VSFTPD Service

Turn on vsftpd on boot:

# systemctl enable vsftpd.service

Start the service:

# systemctl start vsftpd.service

You can verify the service is running and listening on the correct port using the following command:

# netstat -tulpn | grep :21

Here’s the expected output:

tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      9734/vsftpd


Configure IPtables/firewall To Protect The FTP Server

Enable the ftp service on the firewall:

firewall-cmd --permanent --add-service=ftp
systemctl restart firewalld

If iptables is configured on the system instead, you will need to edit the iptables file and open the ports used by FTP so the service can be reached.

To open file /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT


Next, open file /etc/sysconfig/iptables-config, and enter:

# vi /etc/sysconfig/iptables-config

Ensure that the space-separated list of modules contains the FTP connection-tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file and finally restart the firewall using the following commands:

systemctl restart iptables.service
systemctl restart ip6tables.service
Disable SELinux (setenforce 0 switches SELinux to permissive mode until the next reboot):

sudo setenforce 0

Enable Passive Mode

In /etc/vsftpd/vsftpd.conf:

pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048

Then open the same port range in iptables as well:

iptables -I INPUT -p tcp --destination-port 1024:1048 -j ACCEPT

If you run this on AWS, also add the range to the instance's security group in the AWS console:

Type              Protocol   Port range    Source       Description
Custom TCP Rule   TCP        1024 - 1048   0.0.0.0/0    FTP passive
Custom TCP Rule   TCP        1024 - 1048   ::/0         FTP passive


Connect from client


ftp server_ip
ls

Note that the first command may take a bit of time.

Tip: working directory

By default it uploads from your local machine's user home folder to the server's user home folder, e.g. on macOS from /Users/your_name to /var/www/vhost/your_account.

Tip: View FTP Log File

Type the following command:

# tail -f /var/log/vsftpd.log
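An added example (not from the original post) that goes one step past tail -f: a POSIX shell function that summarises FAIL LOGIN entries per client address from the verbose log format enabled above, so repeated failures against one account or from one address stand out. The sample log lines are constructed here, not a real capture, and the function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed FTP logins per
# client from /var/log/vsftpd.log in the verbose format this guide enables
# (xferlog_std_format=NO). Usage: failed_logins LOGFILE THRESHOLD
# Prints "count client users" for clients with at least THRESHOLD failures.
failed_logins() {
    awk -v min="$2" '
        /FAIL LOGIN: Client/ {
            # line shape: <date> [pid N] [user] FAIL LOGIN: Client "addr"
            user = $0; sub(/.*\] \[/, "", user); sub(/\].*/, "", user)
            client = $0; sub(/.*Client "/, "", client); sub(/".*/, "", client)
            fails[client]++
            if (!seen[client, user]++)
                users[client] = (users[client] == "" ? user : users[client] "," user)
        }
        END { for (c in fails) if (fails[c] >= min) print fails[c], c, users[c] }
    ' "$1" | sort -rn
}

# Constructed sample log lines in vsftpd's own format (not a real capture)
LOG_SAMPLE=$(mktemp)
cat > "$LOG_SAMPLE" <<'EOF'
Mon Dec 10 08:34:14 2018 [pid 6034] [frank] FAIL LOGIN: Client "203.0.113.5"
Mon Dec 10 08:34:15 2018 [pid 6034] [frank] FAIL LOGIN: Client "203.0.113.5"
Mon Dec 10 08:34:16 2018 [pid 6034] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Dec 10 08:35:02 2018 [pid 6040] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Dec 10 08:35:09 2018 [pid 6040] [bob] OK LOGIN: Client "198.51.100.7"
Mon Dec 10 08:35:10 2018 [pid 6041] FTP response: Client "198.51.100.7", "230 Login successful."
EOF

failed_logins "$LOG_SAMPLE" 3    # clients with 3 or more failed logins
```

On a live server, point it at /var/log/vsftpd.log and feed the output to whatever alerting you already use for SSH brute-force attempts.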


Tip: Restricting Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO


Tip: To Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO


Tip: To Enable Disk Quota

Disk quotas must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which sets the directory vsftpd will try to change into after an anonymous login:

anon_root=/ftp/ftp/pub

The ftp users are the same users as those on the hosting machine.

You could have a separate group for ftp users, to help keep their privileges down (for example ‘anonftpusers’). Knowing that, your script should do:

useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob

echo bobspassword | passwd --stdin bob

echo bob >> /etc/vsftpd/user_list

Be extremely careful with your scripts, as they will have to be run as root.

However, for this to work you will have to have the following options enabled in /etc/vsftpd/vsftpd.conf:

userlist_enable=YES
userlist_deny=NO

Problems

1. vsftpd fails to start. There is not much in the logs. The vsftpd.conf file is from a vanilla install. Here are the pertinent details:

systemctl start vsftpd
Job for vsftpd.service failed. See 'systemctl status vsftpd.service' and 'journalctl -xn' for details.

Solution:

In /etc/vsftpd/vsftpd.conf, the two directives below cannot both be YES; however, YES for listen_ipv6 will also allow IPv4 connections.

listen=NO (default is NO); and
listen_ipv6=YES (default is uncommented).
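Because the directives on this page interact (the logging and chroot settings from the Configure section, the passive port range, the allow_writeable_chroot workaround below, and this listen/listen_ipv6 conflict), here is an added audit script, not part of the original post, that checks a vsftpd.conf for all of them before the service is restarted. The function names and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# directives this guide sets and for the listen/listen_ipv6 conflict that
# keeps the service from starting. Exit status 0 = no findings, 1 = findings.

# get_opt FILE KEY: value of the last uncommented "KEY=value" line, or empty
get_opt() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d '[:space:]'
}

vsftpd_conf_check() {
    conf=$1 rc=0
    if [ "$(get_opt "$conf" xferlog_std_format)" != NO ]; then
        echo "xferlog_std_format is not NO: verbose vsftpd log format is off"; rc=1
    fi
    if [ "$(get_opt "$conf" log_ftp_protocol)" != YES ]; then
        echo "log_ftp_protocol is not YES: FTP commands and responses are not logged"; rc=1
    fi
    if [ "$(get_opt "$conf" chroot_local_user)" != YES ]; then
        echo "chroot_local_user is not YES: local users are not confined to their home"; rc=1
    fi
    for k in allow_writeable_chroot allow_writable_chroot; do
        if [ "$(get_opt "$conf" "$k")" = YES ]; then
            echo "$k=YES bypasses the writable-chroot safety check"; rc=1
        fi
    done
    if [ "$(get_opt "$conf" listen)" = YES ] && [ "$(get_opt "$conf" listen_ipv6)" = YES ]; then
        echo "listen and listen_ipv6 are both YES: vsftpd refuses to start"; rc=1
    fi
    if [ "$(get_opt "$conf" pasv_enable)" = YES ]; then
        lo=$(get_opt "$conf" pasv_min_port) hi=$(get_opt "$conf" pasv_max_port)
        if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
            echo "pasv_enable=YES but pasv_min_port/pasv_max_port are missing or inverted"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample configs: one as set up in this guide, one with the
# mistakes described in the Problems section.
GOOD_CONF=$(mktemp) BAD_CONF=$(mktemp)
printf '%s\n' xferlog_std_format=NO log_ftp_protocol=YES chroot_local_user=YES \
    listen=NO listen_ipv6=YES pasv_enable=YES pasv_min_port=1024 pasv_max_port=1048 > "$GOOD_CONF"
printf '%s\n' '# logging left at defaults' chroot_local_user=YES allow_writeable_chroot=YES \
    listen=YES listen_ipv6=YES pasv_enable=YES pasv_min_port=10001 pasv_max_port=10000 > "$BAD_CONF"

vsftpd_conf_check "$GOOD_CONF" && echo "$GOOD_CONF: no findings"
vsftpd_conf_check "$BAD_CONF"  || echo "$BAD_CONF: see findings above"
```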

2. Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()

The problem is that your user's root directory is writable, which is not allowed when using chroot restrictions in the new update.

To fix this you must either remove write permissions on the user's root directory with the following command, replacing the directory with your user's root:

chmod a-w /home/user

Or you can work around this security check by adding either of the two below into your configuration file.

For the standard vsFTPd build (vsftpd):

allow_writeable_chroot=YES

For the extended vsFTPd build (vsftpd-ext):

allow_writable_chroot=YES

3. Error: "Consider using PASV. 425 Failed to establish connection"

This means the vsftpd login succeeded but the data connection for the directory listing could not be established. Make sure your client is using a passive-mode FTP connection and that passive mode is enabled on the server:

pasv_enable=YES
pasv_max_port=10001
pasv_min_port=10000

Allow the same ports to be accessed in iptables:
iptables -I INPUT -p tcp --destination-port 10000:10001 -j ACCEPT

4. SELinux denials. If vsftpd cannot write to the web root even though the file permissions look right, check the audit log:

sudo tail -30 /var/log/audit/audit.log

type=AVC msg=audit(1544415254.461:430834): avc: denied { write } for pid=6034 comm="vsftpd" name="html" dev="xvda2" ino=25165995 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

This denial shows SELinux blocking vsftpd (ftpd_t) from writing to a directory labelled httpd_sys_content_t. Then we need to disable SELinux:

sudo setenforce 0

5. 530 Login incorrect

For some reason there was a 530 login error; I reset the password and reinstalled vsftpd, but it still did not work.

Then I figured out the reason: if the user does not have a required shell, i.e. one listed in /etc/shells, it gives the same error. Check that the shell in the user's passwd entry matches one of the shells in /etc/shells.

Use the command lslogins Username to get the user parameters:

lslogins frank
Username: frank
UID: 1001
Gecos field:
Home directory: /var/www/html
Shell: /sbin/bash
No login: no
Primary group: root
GID: 0
Hushed: no
Running processes: 0

Last logs:

See the shell above: it actually needs /sbin/bash to process the login, but unfortunately /sbin/bash does not exist on my Red Hat 7 system. The available shells are:

more /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
/bin/false

Use the command below to change the shell for the user:

sudo usermod --shell /bin/bash frank

Retried the login, all working.
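The same diagnosis as a reusable check, added here and not part of the original post: it reads the user's login shell from the passwd file and verifies it is listed in /etc/shells, which is what vsftpd's PAM stack (pam_shells in /etc/pam.d/vsftpd on Red Hat systems) requires. The function name and the sample passwd/shells files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): the check behind the 530 diagnosis
# above. On this setup vsftpd rejects a local user whose login shell is not listed
# in /etc/shells (pam_shells in /etc/pam.d/vsftpd on Red Hat systems), so compare
# the passwd entry against that list before resetting passwords or reinstalling.
# Usage: login_shell_check USER [PASSWD_FILE] [SHELLS_FILE]; returns 0 if OK.
login_shell_check() {
    user=$1 passwd=${2:-/etc/passwd} shells=${3:-/etc/shells}
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd")
    if [ -z "$shell" ]; then
        echo "$user: no entry in $passwd"; return 2
    fi
    if ! grep -qxF "$shell" "$shells"; then
        echo "$user: shell $shell is not listed in $shells, FTP login fails with 530"; return 1
    fi
    echo "$user: shell $shell is listed in $shells"; return 0
}

# Constructed sample passwd and shells files mirroring the lslogins output and
# /etc/shells listing above (frank's /sbin/bash is not a valid shell; bob's
# /sbin/nologin is listed, which is the usual choice for FTP-only accounts).
PASSWD_SAMPLE=$(mktemp) SHELLS_SAMPLE=$(mktemp)
printf '%s\n' 'frank:x:1001:0::/var/www/html:/sbin/bash' \
    'bob:x:1002:1002::/www/htdocs/hosted/bob:/sbin/nologin' > "$PASSWD_SAMPLE"
printf '%s\n' /bin/sh /bin/bash /sbin/nologin /usr/bin/sh /usr/bin/bash \
    /usr/sbin/nologin /bin/false > "$SHELLS_SAMPLE"

for u in frank bob; do
    login_shell_check "$u" "$PASSWD_SAMPLE" "$SHELLS_SAMPLE" || :   # keep going after a finding
done
```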

Reference

Get the Linux user info: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-displaying_comprehensive_user_information

Setup FTP in AWS: https://gist.github.com/tylermakin/4f633ad05a846ef62906e28aab922ecf

Change default shell in Linux: 3 Ways to Change a Users Default Shell in Linux