Ftp
From TheBeard Science Project Wiki
packages:
vsftpd
xinetd - required for normal mode

daemons:
vsftpd

configs:
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
/var/ftp/pub - anon root directory
/var/log/vsftp.log

ports:
21 - server listens
20 - client connects (passive connection)

other:
user _vsftpd must exist
umask is the octal value of permissions which are NOT allowed.
FTP should only be used for anonymous access on a secure system.

to add vsftpd to xinetd:
in vsftpd.conf add listen=NO
echo disable = no > /etc/xinetd.d/vsftpd
service vsftpd restart
service xinetd restart

arguments:
listen=YES - standalone mode (NO allows xinetd to run vsftpd)
listen_address=<addr> - address of interface to listen on (default: none)
listen_port=<port>
banner_file=/path/file - banner file. overrides ftpd_banner
ftpd_banner=<string> - banner string
dirmessage_enable=NO - YES shows directory change messages
userlist_enable=YES - YES enables the use of a user list to grant access. file specified by userlist_file.
userlist_file=/path/file - default is /etc/vsftpd/user_list
userlist_deny=NO - YES denies users in file specified by userlist_file. NO allows ONLY those users in the file. (more secure)
local_enable=YES - allow local login
local_root=/path/dir - local user's working directory after login (default: /home/user)
local_umask=022 - default: 022
chroot_local_user=NO - NO chroots local users in file specified by chroot_list_file and is more secure. YES does NOT chroot them.
chroot_list_enable=YES - YES checks whether username is listed in file specified by chroot_list_file. It decides whether to chroot based on chroot_local_user
chroot_list_file=/path/file - default is /etc/vsftpd/chroot_list
anonymous_enable=NO - NO denies anon login
no_anon_password=NO - YES skips password for anon
anon_mkdir_write_enable=NO - YES allows anon to make directories
anon_root=/path/dir - anon's working directory after login
ftp_username=<username> - username of anonymous user
write_enable=YES - allow write (default: NO)
hide_ids=YES - hides user and groups in directory listings. shows up as "ftp"
setproctitle_enable=NO - YES allows user to see processes. NO hides them.
ls_recurse_enable=NO - YES allows user to do "ls -R" (default: NO)
one_process_model=NO - YES creates a process for each connection, which has better performance. NO is more secure.
idle_session_timeout=<#> - session timeout in seconds (default: 300)
accept_timeout=<#> - seconds to wait for a passive connection (default: 60)
connect_timeout=<#> - seconds to wait for response to active connection (default: 60)
data_connection_timeout=<#> - seconds to wait for stalled transfer (default: 300)
max_clients=<#> - 0 is infinite
local_max_rate=<#> - max rate in bytes/sec for local users. 0 is infinite (default: 0)
anon_max_rate=<#> - max rate in bytes/sec for anon users. 0 is infinite (default: 0)
chown_uploads=NO - change owner of anonymously uploaded files to root or user specified by chown_username (default: NO)
chown_username=<username> - username to chown to. root is NOT recommended.
nopriv_user=<username> - unprivileged user such as "ftp" (default: nobody)
log_ftp_protocol=NO - log requests and responses (default: NO)
xfer_log_enable=YES - log downloads and uploads
ascii_upload_enable=NO - required for transferring plain text between different OS's. NO is more secure.
ascii_download_enable=NO - required for transferring plain text between different OS's. NO is more secure.

examples:
#allow only ftpuser to access a chroot jail at /home/ftp/.
listen=YES
anonymous_enable=NO
userlist_enable=YES
#file contains line "ftpuser"
userlist_file=/etc/vsftpd/allowed_users
userlist_deny=NO
local_enable=YES
local_root=/home/ftp
chroot_list_enable=YES
#same file as userlist_file
chroot_list_file=/etc/vsftpd/allowed_users
#chroots local users. seems backwards.
chroot_local_user=NO
#for best security
hide_ids=YES
#for best security
setproctitle_enable=NO
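
A way to check a vsftpd.conf against the safer settings listed above, as an added example that is not part of the original wiki page. It also flags two syntax rules from the vsftpd.conf man page: only whole lines starting with # are comments, and no spaces are allowed around "=". The function names, the sample configs and the set of checks are assumptions chosen for illustration.

```python
# Added example, not from the original wiki page.
# Defaults for unset options as documented in the vsftpd.conf man page.
DEFAULTS = {"anonymous_enable": "YES", "userlist_enable": "NO",
            "userlist_deny": "YES", "anon_mkdir_write_enable": "NO",
            "chown_uploads": "NO", "chown_username": "root"}

def parse(text):
    """Return (settings, syntax_errors) for the text of a vsftpd.conf."""
    settings, errors = {}, []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or whole-line comment
        key, sep, value = line.partition("=")
        if not sep:
            errors.append((num, "not an option=value line"))
            continue
        if key != key.strip() or value != value.lstrip():
            errors.append((num, "whitespace around option or '='"))
        if " #" in value:
            errors.append((num, "trailing '#' text is read as part of the value"))
        # Keep the intended value so the policy checks below still run.
        settings[key.strip()] = value.split(" #")[0].strip()
    return settings, errors

def audit(text):
    """Return finding strings; an empty list means every check passed."""
    settings, errors = parse(text)
    eff = {**DEFAULTS, **settings}  # explicit settings override defaults
    on = lambda k: eff[k].upper() in ("YES", "TRUE", "1")
    findings = [f"line {n}: {msg}" for n, msg in errors]
    if on("anonymous_enable"):
        findings.append("anonymous login is enabled")
    if not on("userlist_enable") or on("userlist_deny"):
        findings.append("user list is not an allow list")
    if on("anon_mkdir_write_enable"):
        findings.append("anonymous users can create directories")
    if on("chown_uploads") and eff["chown_username"] == "root":
        findings.append("anonymous uploads are chowned to root")
    return findings

# Constructed sample inputs.
BAD = ("listen=YES\nuserlist_enable=YES\n"
       "userlist_deny=NO #allow list\nchown_uploads=YES\n")
GOOD = ("listen=YES\nanonymous_enable=NO\n# allow list\n"
        "userlist_enable=YES\nuserlist_deny=NO\n")

if __name__ == "__main__":
    for name, conf in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit(conf) or "no findings")
```

To audit a real file, pass its contents to audit(), for example audit(open("/etc/vsftpd/vsftpd.conf").read()).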