
First time vsftp setup



Greetings -

I am setting up my very first ftp server for my small company and I am wondering if someone with more experience than I could look at my configuration and give me some advice. I am wondering if my configuration is missing anything that would improve access security, within the constraints of my setup guidelines as described below.

The purpose of my ftp site is to enable our staff and a select group of our clients to exchange very large files back and forth, without the problems associated with emailing large files. Clients would be chrooted into only their project directory, based on their user account name. Internal staff would have access to all client and project ftp directories by setting a Samba share on a directory above the clients' project directories (we have a small, close-knit company with no internal security concerns). I will make the client directories (and user account names) based on a combination of the client name, project name, and accounting code number, so it should look relatively cryptic to anyone else. Our ftp server is on a different physical box and a different fixed IP from our web site and email server (which is hosted offsite). However, it is on the same box as our Samba file server, which also has OpenVPN running for our staff remote access. I am running RHEL3 update 9, and the version of vsftpd that is associated with this OS level.

Below are my configuration files. I have obscured the pasv port range. The /etc/vsftpd.ftpusers and the /etc/pam.d/vsftpd files have no changes from the stock out of the box configuration. Thanks for all suggestions.

/etc/vsftpd/vsftpd.conf
### Connection Information
listen=YES
background=YES
connect_from_port_20=YES
listen_port=21
ftp_data_port=20
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=10003
idle_session_timeout=600
data_connection_timeout=120
#
### Access Restrictions
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
pam_service_name=vsftpd
chroot_local_user=YES
write_enable=YES
local_umask=0666
#
### Logging and Messages
xferlog_enable=YES
dual_log_enable=YES
xferlog_file=/var/log/xferlog.log
vsftpd_log_file=/var/log/vsftpd.log
ftpd_banner=Welcome to Meridian Environmental's FTP Site.
dirmessage_enable=YES


/etc/vsftpd.users_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
# for users that are denied.
#
# Generic example of UserName, also for chroot directory
ClientNameProjectNameAccountNo1
ClientNameProjectNameAccountNo2


/etc/vsftpd.ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody


/etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required pam_stack.so service=system-auth
auth       required pam_shells.so
account    required pam_stack.so service=system-auth
session    required pam_stack.so service=system-auth


Jeff Boyce
Meridian Environmental
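As an added example that is not part of the original post (and not vsftpd's own code), the following Python script parses a vsftpd.conf in the key=value form shown above and checks the settings the post asks about: anonymous access, chroot of local users, whether the user list is an allowlist or a blocklist, what file mode local_umask actually produces for uploads, the size of the passive port range, and transfer logging. The option defaults it assumes are those documented in the vsftpd.conf man page; the audit rules and severities are this reviewer's own, and SAMPLE_CONF is the configuration from the post (with the poster's obscured passive port range left as written).

```python
"""Audit a vsftpd.conf for the access-control settings discussed in the post.

Added example, not code from the original post or from vsftpd.  Option
defaults follow the vsftpd.conf man page; the findings are this reviewer's
hardening rules, not an official checklist.
"""

# The configuration posted above, embedded so the script runs stand-alone.
SAMPLE_CONF = """\
### Connection Information
listen=YES
background=YES
connect_from_port_20=YES
listen_port=21
ftp_data_port=20
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=10003
idle_session_timeout=600
data_connection_timeout=120
#
### Access Restrictions
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
pam_service_name=vsftpd
chroot_local_user=YES
write_enable=YES
local_umask=0666
#
### Logging and Messages
xferlog_enable=YES
dual_log_enable=YES
xferlog_file=/var/log/xferlog.log
vsftpd_log_file=/var/log/vsftpd.log
ftpd_banner=Welcome to Meridian Environmental's FTP Site.
dirmessage_enable=YES
"""

# Minimum passive-port range below which concurrent transfers will be refused
# for want of a free data port (reviewer's threshold, not a vsftpd limit).
MIN_PASV_PORTS = 10


def parse_vsftpd_conf(text):
    """Return {option: value}.  vsftpd reads 'key=value' lines and ignores
    blank lines and lines beginning with '#'; only the first '=' splits."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed vsftpd.conf line: %r" % raw)
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default):
    """Boolean options in vsftpd are YES/NO; 'default' is the man-page default."""
    return conf.get(key, default).upper() == "YES"


def audit(conf):
    """Return a list of (severity, message) findings for the parsed config."""
    findings = []
    if is_yes(conf, "anonymous_enable", "YES"):
        findings.append(("HIGH", "anonymous_enable=YES: unauthenticated logins are allowed"))
    if is_yes(conf, "local_enable", "NO") and not is_yes(conf, "chroot_local_user", "NO"):
        findings.append(("HIGH", "local users are not chrooted; they can browse outside their home"))
    if is_yes(conf, "userlist_enable", "NO") and is_yes(conf, "userlist_deny", "YES"):
        findings.append(("MEDIUM", "userlist_deny=YES: userlist_file is a blocklist, not an allowlist"))
    # local_umask is an octal umask, not a file mode: uploads get 0666 & ~umask.
    umask_text = conf.get("local_umask", "077")
    try:
        created = 0o666 & ~int(umask_text, 8)
    except ValueError:
        findings.append(("MEDIUM", "local_umask=%s is not a valid octal value" % umask_text))
    else:
        if created == 0:
            findings.append(("MEDIUM", "local_umask=%s strips every permission bit; uploads get mode 000" % umask_text))
        elif created & 0o002:
            findings.append(("LOW", "local_umask=%s leaves uploads world-writable" % umask_text))
    if is_yes(conf, "pasv_enable", "YES"):
        lo = int(conf.get("pasv_min_port", "0"))
        hi = int(conf.get("pasv_max_port", "0"))
        if lo and hi:
            ports = hi - lo + 1
            if ports < MIN_PASV_PORTS:
                findings.append(("LOW", "passive range has only %d port(s); each concurrent data connection needs one" % ports))
    if not is_yes(conf, "xferlog_enable", "NO"):
        findings.append(("LOW", "xferlog_enable=NO: uploads and downloads are not logged"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_vsftpd_conf(SAMPLE_CONF)):
        print("%-6s %s" % (severity, message))
```

Run against the posted configuration, the script reports nothing at HIGH severity (anonymous logins are off, local users are chrooted, and the user list is an allowlist) and two lower findings: the umask value as written would produce unreadable uploads, and a three-port passive range caps the number of simultaneous transfers at three.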

