Install the vsftpd FTP server on Debian 4.0 Etch

by Pierre-Yves Landuré - last modified 2009-02-28 14:18

vsftpd is an FTP server designed with security and speed in mind. It is very powerful, supports many features and is relatively simple to set up. This guide explains how to set it up on Debian 4.0 Etch, with virtual users stored in a MySQL database and, optionally, encrypted transfers.

Installation

First, we install the necessary software:

    /usr/bin/apt-get install vsftpd fail2ban mysql-client libpam-mysql openssl

We enable the Fail2Ban protection of vsftpd by switching the "enabled" line of the [vsftpd] section of jail.conf to true:

    /bin/sed -i -e '/^\[vsftpd\]/,/^filter/ s/^enabled.*/enabled = true/' /etc/fail2ban/jail.conf

And we restart Fail2Ban to take this configuration into account:

    /etc/init.d/fail2ban restart

To make the server a little more flexible and let it edit files it does not own, we create a system group "ftp" and add the "ftp" user (created by the vsftpd package) to it:

    /usr/sbin/addgroup --system ftp
    /usr/sbin/adduser ftp ftp

Creating the database

Once this is done, we create the database that will hold the users of our FTP server. To do this, I advise you to follow my guide MySQL on Debian 4.0 Etch.

Once the database is created, we get back to the task at hand. First, we set a default value for the hostname of the database server:

    if [ -z "$MYSQL_HOST" ]; then
      MYSQL_HOST=localhost
    fi

Warning: if you followed my guide, you can skip these command lines; otherwise, replace the values with those that correspond to your MySQL database:

    MYSQL_HOST=localhost
    MYSQL_DB=vsftpd
    MYSQL_USERNAME=vsftpd
    MYSQL_USERPWD=vsftpd_password

Once the database is created, you must create the tables. This is done with the following commands:

    /usr/bin/wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-le-serveur-ftp-vsftpd-sur-debian-4-0-etch/vsftpd.sql \
      --output-document=/tmp/vsftpd.sql
    /usr/bin/mysql --user=$MYSQL_USERNAME --password=$MYSQL_USERPWD --host=$MYSQL_HOST $MYSQL_DB \
      < /tmp/vsftpd.sql

Note that a password passed on the command line is visible to every local user in the process list while the command runs; on a shared machine, prefer a ~/.my.cnf file readable only by you.

Configuring vsftpd

Now we configure vsftpd to use the database. Each sed expression uncomments the option if needed and forces its value:

    /bin/sed -i -e 's/^[#]*\(anonymous_enable=\).*/\1NO/' \
      -e 's/^[#]*\(local_enable=\).*/\1YES/' \
      -e 's/^[#]*\(write_enable=\).*/\1YES/' \
      -e 's/^[#]*\(local_umask\)=.*/\1=022/' \
      -e 's/^[#]*\(dirmessage_enable=\).*/\1YES/' \
      -e 's/^[#]*\(xferlog_enable=\).*/\1YES/' \
      -e 's/^[#]*\(connect_from_port_20=\).*/\1YES/' \
      -e 's/^[#]*\(nopriv_user=\).*/\1ftp/' \
      -e 's/^[#]*\(chroot_local_user=\).*/\1YES/' \
      -e 's/^[#]*\(secure_chroot_dir=\).*/\1\/var\/run\/vsftpd/' \
      -e 's/^[#]*\(pam_service_name=\).*/\1vsftpd/' \
      /etc/vsftpd.conf

We add the options that are not already present in the configuration file:

    /bin/echo '
    # Virtual user configuration
    guest_enable=YES
    guest_username=ftp
    local_root=/home/ftp/$USER
    user_sub_token=$USER
    virtual_use_local_privs=YES
    user_config_dir=/etc/vsftpd.d' \
      | /usr/bin/tee -a /etc/vsftpd.conf

The single quotes matter: $USER must reach vsftpd.conf literally, because vsftpd itself replaces it with the name of the logged-in user when the session starts.

And we create the directory that will contain the per-user configuration:

    /bin/mkdir /etc/vsftpd.d

Two points are worth keeping in mind with this layout. With guest_enable=YES, every virtual user is mapped onto the single system account "ftp" (guest_username), so all files under /home/ftp belong to that one account and the separation between virtual users rests entirely on chroot_local_user and local_root; that account must therefore never be used for anything else. The vsftpd manual also recommends a dedicated account for nopriv_user rather than one that owns data; reusing "ftp" for it, as above, works but means the unprivileged part of vsftpd runs as the owner of all uploaded files.

For more information, here is an excerpt from the vsftpd manual:

user_config_dir: This powerful option allows the override of any config option specified in the manual page, on a per-user basis. Usage is simple, and is best illustrated with an example. If you set user_config_dir to be /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd will apply the settings in the file /etc/vsftpd_user_conf/chris for the duration of the session. The format of this file is as detailed in this manual page! PLEASE NOTE that not all settings are effective on a per-user basis.
For example, many settings are only considered prior to the user's session being started. Examples of settings which will not affect any behaviour on a per-user basis include listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc. Default: (none)

We configure PAM for vsftpd. The first command comments out every existing line of /etc/pam.d/vsftpd, which would otherwise authenticate against the system's own accounts; the second appends the pam_mysql stanzas:

    /bin/sed -i -e 's/^\(.*\)$/#\1/' /etc/pam.d/vsftpd
    /bin/echo "# MySQL configuration for vsftpd.
    auth required pam_mysql.so user=$MYSQL_USERNAME passwd=$MYSQL_USERPWD host=$MYSQL_HOST db=$MYSQL_DB table=accounts usercolumn=username passwdcolumn=pass crypt=2
    account required pam_mysql.so user=$MYSQL_USERNAME passwd=$MYSQL_USERPWD host=$MYSQL_HOST db=$MYSQL_DB table=accounts usercolumn=username passwdcolumn=pass crypt=2" \
      | /usr/bin/tee -a /etc/pam.d/vsftpd

crypt=2 tells pam_mysql that the pass column holds a MySQL PASSWORD() hash, which is how users are inserted later in this guide. Since /etc/pam.d/vsftpd now contains the database password in clear text, make sure it is readable by root only (mode 0600); vsftpd performs PAM authentication in its privileged parent process, so root-only access is sufficient.

We restart vsftpd to take the configuration into account:

    /etc/init.d/vsftpd restart

Encrypt data transfers

If you want to maximise your privacy, it is possible to configure the FTP server to encrypt the data transferred. This comes at a cost in transfer speed, since every byte now has to be encrypted and decrypted. As I am rather paranoid and value privacy, I use this configuration; however, it is up to you. Without it, the passwords and the files of your virtual users cross the network in clear text.
Creating the SSL certificate

To access your FTP server, I recommend creating the sub-domain:

    ftp.domaine.com

For this sub-domain, create the corresponding SSL certificate by following my guide: Create a multi-domain SSL certificate. Once the certificate is created, put the files in /etc/ssl with the following names:

    /etc/ssl/certs/ftp_cert.pem
    /etc/ssl/private/ftp_key.pem

And we make the private key readable by root only:

    /bin/chown root:root /etc/ssl/private/ftp_key.pem
    /bin/chmod go-rwx /etc/ssl/private/ftp_key.pem

Configuring vsftpd for SSL

Now we configure vsftpd to use the SSL certificate:

    /bin/sed -i -e 's/^[#]*\(rsa_cert_file=\).*/\1\/etc\/ssl\/certs\/ftp_cert.pem/' \
      /etc/vsftpd.conf

We add the options that are not already present in the configuration file:

    /bin/echo '
    # SSL configuration
    ssl_enable=YES
    rsa_private_key_file=/etc/ssl/private/ftp_key.pem
    ssl_tlsv1=YES
    force_local_logins_ssl=YES
    force_local_data_ssl=YES' \
      | /usr/bin/tee -a /etc/vsftpd.conf

force_local_logins_ssl and force_local_data_ssl are what make the encryption mandatory: ssl_enable alone only makes TLS available, and a client could still log in and transfer in clear text. vsftpd's defaults leave ssl_sslv2 and ssl_sslv3 disabled, so with this configuration only TLSv1 is offered.

We restart vsftpd to take the configuration into account:

    /etc/init.d/vsftpd restart

Passive mode behind a NAT router

If your FTP server is behind a NAT router, you must specify the range of ports used for passive mode:

    PASV_MIN_PORT=34560
    PASV_MAX_PORT=35324

You must also specify the public IP address of your router on the Internet (the static IP address given to you by your provider). To obtain it, you can use the following command:

    PASV_ADDRESS=$(/usr/bin/wget -q -O - http://www.monip.org/ \
      | /bin/grep "IP:" | /usr/bin/cut --characters=-80 \
      | /bin/sed -e 's/^.*\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\1/')

Source: thanks to the Supinfo Linux lab for the article "Know the public IP behind a router".

This explicit configuration is needed precisely because the control channel is now encrypted: a NAT router's FTP helper can no longer read the PASV reply and rewrite the address and port in it, so vsftpd itself has to announce the public address and a fixed port range that you forward. Check the value of PASV_ADDRESS before going on, since it will be written verbatim into the configuration.

Once this is done, use the configuration:

    /bin/echo "# Passive connections through NAT.
    pasv_address=$PASV_ADDRESS
    pasv_min_port=$PASV_MIN_PORT
    pasv_max_port=$PASV_MAX_PORT" \
      | /usr/bin/tee -a /etc/vsftpd.conf

You can now restart your FTP server to take the configuration into account:

    /etc/init.d/vsftpd restart

Warning: do not forget to open, and forward to the server, the following ports on your router:

    echo "Open ports: 21, $PASV_MIN_PORT to $PASV_MAX_PORT"

Backup

To back up your vsftpd data, I advise you to use Backup Manager. To install it, you can follow my guide: Install and configure Backup Manager on Debian 4.0 Etch. Once Backup Manager is installed, you can configure the backup of the vsftpd files with the following command:

    /usr/bin/update-bm-folders add /home/ftp

Important: backing up the files is not enough! You must also back up the database. The procedure for doing this is given in my MySQL on Debian 4.0 Etch guide.

Easy creation of users

We will set up two scripts that make creating and deleting users easier. These scripts read the vsftpd configuration file to retrieve the default user settings and the MySQL connection settings, so you do not have to modify them, even if you slightly changed the configuration presented in this article. Here are the commands to install these scripts:

    /usr/bin/wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-le-serveur-ftp-vsftpd-sur-debian-4-0-etch/add-ftp-account \
      --output-document=/usr/bin/add-ftp-account
    /bin/chmod +x /usr/bin/add-ftp-account
    /usr/bin/wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-le-serveur-ftp-vsftpd-sur-debian-4-0-etch/remove-ftp-account \
      --output-document=/usr/bin/remove-ftp-account
    /bin/chmod +x /usr/bin/remove-ftp-account

These scripts are downloaded over plain HTTP and will run as root, so read them before using them.

You can now add a new user with the command:

    add-ftp-account username

And delete it with the command:

    remove-ftp-account username

To go further, you can get help on the advanced use of these commands:

    add-ftp-account --help
    remove-ftp-account --help

Manual creation of users

This section is given as documentation.
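The grep/cut/sed pipeline used above for the public address accepts anything that looks like four numbers separated by dots, and whatever it returns ends up verbatim in vsftpd.conf. As an added example (written for this edit, not part of the original article), the POSIX shell script below extracts the first dotted quad from a page, validates it (four octets in 0..255, no leading zeros) and only then emits the three pasv_* lines this guide appends to vsftpd.conf, refusing an unordered or privileged port range. The HTML sample is constructed for the example; the actual layout of the monip.org page is not assumed.

```shell
#!/bin/sh
# Added example: validated extraction of the public IPv4 address and
# generation of the passive-mode block for vsftpd.conf.

# Print the first IPv4-looking token read on stdin, or nothing.
first_ipv4() {
    grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -n 1
}

# Return 0 if $1 is a well-formed dotted quad: exactly four octets in 0..255.
valid_ipv4() {
    ip=$1
    # Shape check first, so the arithmetic below only ever sees digits.
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
        # Reject leading zeros such as 010, which some tools read as octal.
        case "$octet" in 0?*) return 1 ;; esac
    done
    return 0
}

# Emit the pasv_* lines this guide appends to vsftpd.conf, or fail loudly.
pasv_config() {
    addr=$1; min=$2; max=$3
    valid_ipv4 "$addr" || { echo "invalid pasv_address: '$addr'" >&2; return 1; }
    # Unprivileged, ordered range within 1024..65535.
    [ "$min" -gt 1023 ] && [ "$min" -lt "$max" ] && [ "$max" -le 65535 ] \
        || { echo "invalid passive port range: $min-$max" >&2; return 1; }
    printf '# Passive connections through NAT.\npasv_address=%s\npasv_min_port=%s\npasv_max_port=%s\n' \
        "$addr" "$min" "$max"
}

# Constructed sample of what a "what is my IP" page might return.
SAMPLE_HTML='<html><body><p>IP: <b>203.0.113.42</b> (hostname: example)</p></body></html>'

PASV_ADDRESS=$(printf '%s' "$SAMPLE_HTML" | first_ipv4)
pasv_config "$PASV_ADDRESS" 34560 35324
```

To use it with a real lookup, replace the printf of the sample with the wget command from the guide and pipe pasv_config's output into tee -a /etc/vsftpd.conf only when it returns 0.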
Preferably use the scripts provided by this article.

Prerequisites

Before creating users, you must fill in the database connection settings:

    MYSQL_HOST=localhost
    MYSQL_DB=vsftpd
    MYSQL_USERNAME=vsftpd
    MYSQL_USERPWD=vsftpd_password

Creating a user

To create a user, start by choosing the user name and password:

    FTP_USERNAME=my_username
    FTP_PASSWORD=my_password

Once this is done, we create the virtual user's directory:

    /bin/mkdir /home/ftp/$FTP_USERNAME
    /bin/chown ftp:nogroup /home/ftp/$FTP_USERNAME

And we create the user in the database:

    /bin/echo "INSERT INTO accounts (username, pass) VALUES ('$FTP_USERNAME', PASSWORD('$FTP_PASSWORD'));" \
      | /usr/bin/mysql --user=$MYSQL_USERNAME --password=$MYSQL_USERPWD --host=$MYSQL_HOST $MYSQL_DB

Two caveats. The user name and password are interpolated straight into the SQL statement, so a value containing a single quote or a backslash breaks the statement, and if these values ever come from an untrusted party this is an SQL injection; keep this command for values you type yourself. The user name also becomes a path component under /home/ftp and the name of the file looked up in user_config_dir, so restrict it to letters, digits, "-" and "_" (in particular no "/" and no "..").

Note: if you want to use a different location for the user's directory, you can do so through the per-user file in /etc/vsftpd.d. First, choose the directory you want to use:

    FTP_PATH=/some/other/folder

If necessary, create it and give it the proper ownership:

    /bin/mkdir --parent $FTP_PATH
    /bin/chown -R ftp:nogroup $FTP_PATH

You can then create the configuration file for your user:

    /bin/echo "# Custom user path.
    local_root=$FTP_PATH" | /usr/bin/tee /etc/vsftpd.d/$FTP_USERNAME

Using the FTP client

In the configuration I propose, connections to the FTP server are encrypted. To connect with FileZilla, add your site to the Site Manager and select the server type FTPES (explicit FTP over TLS).

Thanks to the author; original source: http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-le-serveur-ftp-vsftpd-sur-debian-4-0-etch
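For the manual creation step above, here is an added example (written for this edit; it is not the article's add-ftp-account script, whose contents are not shown on this page) of building the INSERT statement safely: the user name is checked against a strict whitelist because it becomes a directory name under /home/ftp and a file name under user_config_dir, and the password is escaped for a MySQL single-quoted literal instead of being spliced in raw. The script only prints the statement; piping it to the mysql client, as the guide does, is left to the caller. The accounts/username/pass names are those of the guide's table; the demonstration values at the end are constructed.

```shell
#!/bin/sh
# Added example: generate a safe INSERT for a vsftpd virtual user.

# Accept only names that are safe as path components: lower-case letters,
# digits, "-" and "_", starting with a letter, at most 32 characters.
valid_ftp_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Escape a value for use inside '...' in a MySQL statement under the default
# SQL mode: backslashes are doubled and single quotes are doubled (doubling the
# quote is also what MySQL expects when NO_BACKSLASH_ESCAPES is in effect).
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print the INSERT for the accounts table used in this guide, or fail.
# PASSWORD() is applied server-side, as in the original command.
ftp_user_insert_sql() {
    user=$1
    pass=$2
    valid_ftp_username "$user" || { echo "refusing user name '$user'" >&2; return 1; }
    [ -n "$pass" ] || { echo "empty password refused" >&2; return 1; }
    printf "INSERT INTO accounts (username, pass) VALUES ('%s', PASSWORD('%s'));\n" \
        "$user" "$(sql_escape "$pass")"
}

# Constructed demonstration values: a password with a quote and a backslash,
# then a user name that would escape /home/ftp if it were accepted.
ftp_user_insert_sql alice "it's a s3cret\\pass"
ftp_user_insert_sql '../evil' x || echo "rejected as expected"
```

Use it as `ftp_user_insert_sql "$FTP_USERNAME" "$FTP_PASSWORD" | mysql ...` in place of the echo in the manual procedure; the function's non-zero exit status stops the pipeline from ever sending a malformed statement.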