2011-02-01

CentOS 5 FTP Setup (vsftpd)

Ref 1: http://www.linuxquestions.org/questions/fedora-35/vsftpd-error-553-could-not-create-file-390569
Ref 2: http://www.cyberciti.biz/tips/rhel-fedora-centos-vsftpd-installation.html

Set the SELinux boolean that lets vsftpd read and write users' home directories, so that uploading works:
setsebool -P ftp_home_dir 1

Install the vsftpd package via yum command:
# yum install vsftpd

vsftpd Defaults

Default ports: TCP / UDP - 21 and 20
The main configuration file: /etc/vsftpd/vsftpd.conf
Users that are not allowed to log in via FTP: /etc/vsftpd/ftpusers

Configure Vsftpd Server

# vi /etc/vsftpd/vsftpd.conf

Turn off standard ftpd xferlog log format:
xferlog_std_format=NO
Turn on verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:
log_ftp_protocol=YES
The two directives above enable logging of all FTP transactions. Lock down users to their home directories:
chroot_local_user=YES
Create warning banners for all FTP users:
banner_file=/etc/vsftpd/issue
Enable vsftpd at boot:
# chkconfig vsftpd on
Start the service and verify that it is listening on port 21:
# service vsftpd start
# netstat -tulpn | grep :21


Configure Iptables To Protect The FTP Server

# vi /etc/sysconfig/iptables
Add the following line, ensuring that it appears before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Open file /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection tracking module:
IPTABLES_MODULES="OTHER_MODULES ip_conntrack_ftp"
Save and close the file. Restart the firewall:
# service iptables restart

Tip: View FTP Log File
Type the following command:
# tail -f /var/log/vsftpd.log

Tip: Restrict Access to Anonymous Users Only
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
local_enable=NO

Tip: Disable FTP Uploads
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
write_enable=NO

For uploads by non-anonymous (local) users to work, you might need to:
  • create a group, say ftpw
  • change the group ownership of /var/ftp and its subdirectories to ftpw
  • add the users who need write access to the ftpw group
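As an added example (not part of the original note), the following POSIX sh script audits a vsftpd.conf against the logging, chroot and banner settings recommended above and flags the classic writable-anonymous-FTP combination. The directive names are real vsftpd options; the sample configuration it writes to a temp file is constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original note): audit a vsftpd.conf against the
# logging, chroot and banner settings recommended above. Directive names are
# real vsftpd options; the sample config at the bottom is constructed.
# Print the effective value of KEY in FILE (last uncommented "key=value" wins)
# or DEFAULT, which the caller sets to vsftpd's compiled-in default.
vsftpd_conf_get() {
    _val=$(sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" | tail -n 1)
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}
# Print one finding per line; exit 0 when the config matches the note, 1 otherwise.
vsftpd_audit() {
    f=$1; rc=0
    # key:wanted:compiled-in default:reason
    for spec in \
        "xferlog_std_format:NO:NO:verbose vsftpd format needed for full logging" \
        "log_ftp_protocol:YES:NO:FTP commands and replies are not logged" \
        "chroot_local_user:YES:NO:local users can browse outside their home"; do
        key=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; rest=${rest#*:}
        def=${rest%%:*}; why=${rest#*:}
        have=$(vsftpd_conf_get "$f" "$key" "$def")
        if [ "$have" != "$want" ]; then
            echo "WARN $key=$have (want $want): $why"; rc=1
        fi
    done
    # Writable anonymous FTP is the classic misconfiguration: flag the combination.
    if [ "$(vsftpd_conf_get "$f" anonymous_enable YES)" = YES ] &&
       [ "$(vsftpd_conf_get "$f" write_enable NO)" = YES ] &&
       [ "$(vsftpd_conf_get "$f" anon_upload_enable NO)" = YES ]; then
        echo "CRIT anonymous uploads enabled (anonymous_enable, write_enable, anon_upload_enable all YES)"; rc=1
    fi
    [ -n "$(vsftpd_conf_get "$f" banner_file "")" ] ||
        { echo "WARN banner_file not set: no login banner shown"; rc=1; }
    return $rc
}
# Constructed sample resembling a stock CentOS 5 vsftpd.conf with anonymous uploads turned on.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
listen=YES
EOF
if vsftpd_audit "$SAMPLE_CONF"; then echo "OK: config matches the note"; else echo "findings above need attention"; fi
```

Run it against the real file with `vsftpd_audit /etc/vsftpd/vsftpd.conf` after sourcing the script; the sample produces three WARN lines for logging and chroot, one CRIT for anonymous uploads, and one WARN for the missing banner.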
