vsftpd – my ever so slightly more secure conf file than the default

May not work in your particular environment, use at your own risk, and read the man pages.

Things to note: I had slightly different requirements and this is reflected in the vsftpd.conf file. I configured it to not allow anonymous access; for my purpose I created a new ‘FTP’ user for each account, in other words, each person I wanted to allow access to the FTP server was given a unique username and password.

I was using CentOS, with just the bare essentials to run an FTP service; it has been running well for 6 years.

The users were locked into their home directory, and had no SSH/shell.

I used the ‘chroot xxx’ to block/allow users.

I disabled root SSH access and changed the SSH port; always a good idea on a remote box, but it may not be relevant in your case.

At some point FTP accounts could not change to their home directory and received the error ‘500 OOPS: cannot change directory:/home/someuser’. To fix this I did the following as root: ‘getsebool -a | grep ftp’ to display the current ftp-related SELinux booleans, then ‘setsebool -P ftp_home_dir on’ to change it. This might be relevant in your case.

I added min and max port ranges to allow it to work in conjunction with the firewall; it might be worth checking this in your vsftpd.conf file.

I changed the default logging; all log files were also SCP copied over to another server every 24 hrs, along with other useful stuff.

You might want to look into using fail2ban to blacklist IPs as well, SSL with vsftpd to make it even more secure, enforcing strong passwords, etc.

•   anonymous_enable=NO
•   local_enable=YES
•   write_enable=YES
•   local_umask=002
•   dirmessage_enable=YES
•   connect_from_port_20=YES
•   chroot_list_enable=YES
•   chroot_local_user=YES
•   chroot_list_file=/etc/vsftpd.chroot_list
•   pam_service_name=vsftpd
•   userlist_enable=YES
•   listen=YES
•   tcp_wrappers=YES
•   background=YES
•   xferlog_file=/var/log/vsftpd.log
•   xferlog_enable=YES
•   #xferlog_std_format=NO (or comment out)
•   dual_log_enable=YES
•   pasv_min_port=9000
•   pasv_max_port=9999
•   ftpd_banner=Welcome to the Mt_FTP FTP service.
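As an added example (not from the post or from the vsftpd project), the script below audits a vsftpd.conf for the points made above: no anonymous access, local users chrooted, logging switched on, a passive port range that a firewall rule can match, and what the chroot list means once chroot_local_user=YES (per vsftpd.conf(5), it then lists the users who are NOT jailed). It is plain POSIX sh; the temporary file path and the sample configuration it writes are constructed here, and treating the last of duplicated assignments as the effective one is an assumption about how vsftpd reads the file.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the hardening points in the post.
# Not part of vsftpd; the sample file and paths below are constructed.

# Effective value of KEY in FILE. Assumption: vsftpd reads top to bottom, so
# the last assignment is the one taken here. Comments (#...) are ignored.
conf_get() {
    grep -E "^[[:space:]]*$1=" "$2" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# expect KEY VALUE FILE: prints a finding and returns 1 if KEY is not VALUE.
expect() {
    actual=$(conf_get "$1" "$3")
    if [ "$actual" != "$2" ]; then
        echo "FINDING: $1 is '${actual:-unset}', expected $2"
        return 1
    fi
}

# vsftpd_audit FILE: prints findings, returns the number found (0 = clean).
vsftpd_audit() {
    f=$1; n=0
    expect anonymous_enable NO "$f"   || n=$((n+1))
    expect local_enable YES "$f"      || n=$((n+1))
    expect chroot_local_user YES "$f" || n=$((n+1))
    expect xferlog_enable YES "$f"    || n=$((n+1))
    expect dual_log_enable YES "$f"   || n=$((n+1))

    # Passive range: both ends set and sane, so the firewall rule can match it.
    lo=$(conf_get pasv_min_port "$f"); hi=$(conf_get pasv_max_port "$f")
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ] \
       || [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ]; then
        echo "FINDING: pasv_min_port/pasv_max_port missing or invalid (${lo:-unset}-${hi:-unset})"
        n=$((n+1))
    fi

    # With chroot_local_user=YES the list file names users EXEMPT from the jail
    # (vsftpd.conf(5)), so every account in it can leave its home directory.
    if [ "$(conf_get chroot_list_enable "$f")" = "YES" ]; then
        list=$(conf_get chroot_list_file "$f")
        echo "NOTE: chroot_list_file=${list:-(default)} lists users exempt from the chroot jail"
    fi

    # Duplicate assignments: only the last one applies, so flag them.
    for k in $(grep -oE '^[[:space:]]*[a-z_]+=' "$f" | tr -d ' =' | sort | uniq -d); do
        echo "FINDING: $k is set more than once (effective value: $(conf_get "$k" "$f"))"
        n=$((n+1))
    done
    return $n
}

# Constructed sample: the post's settings, with local_umask deliberately
# repeated so the duplicate check has something to report.
sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
dirmessage_enable=YES
connect_from_port_20=YES
local_umask=002
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd.chroot_list
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
background=YES
xferlog_file=/var/log/vsftpd.log
xferlog_enable=YES
#xferlog_std_format=NO
dual_log_enable=YES
pasv_min_port=9000
pasv_max_port=9999
ftpd_banner=Welcome to the Mt_FTP FTP service.
EOF
}

# Stand-alone run: audit the constructed sample and report the count.
demo=$(mktemp)
sample_conf "$demo"
vsftpd_audit "$demo" || echo "$? finding(s) in $demo"
rm -f "$demo"
```

Run it against your live file with `vsftpd_audit /etc/vsftpd/vsftpd.conf` (path assumed); a non-zero return is the finding count, which makes it usable from a cron job alongside the log copy described above.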

About hedscratchers

A UK ex-pat now living in the USA.
This entry was posted in Linux & Solaris.
