RE: vsftpd beginner's tutorial?

From: Richardson, Robert (
Date: 10/29/03

  • Next message: Matthew Saltzman: "Re: Red Hat Professional Workstation"
    Date: Wed, 29 Oct 2003 13:20:45 -0800

    Due to the many requests for my documentation, I am releasing
    it to the list, as is. It is long, because I try to document as much
    as possible.

    Anyway, I hope that it helps all of you who desire it.

    Robert Richardson
    Activision Studios


    # This file was created to illustrate the steps needed to create a new FTP
    # This server will be configured with Redhat 9.0 and in the vsftpd format.
    # Author: Robert Richardson, Activision Studios
    # Date: 08/03/2003
    # Definition: Create a Very Secure FTP Server.
    VSFTP Server Configuration steps:
    1. System Specifications.
    2. Why vsftpd as this FTP Server?
    3. Hardware Considerations.
    4. Physical disks layout.
    5. System kernel upgrade procedures.
    6. System software customization considerations.
    7. User requirements.
    8. User and Group Configuration
    9. Creating a chroot (jail) environtment.
    10. System security requirements.
    11. Networking considerations.
    12. Configure with postfix.
    13. System transition.
    14. Windows user connectivity
    15. System disk space growth considerations.
    16. System recovery requirements.

    VSFTP Server Configuration steps:
    1. System Specifications.
        A. Disk Space: 104.1 GB
        B. Processor: 731.057 MHz
        C. Memory: 1030988k
        D. CPU: Intel Pentium III (Coppermine)
    2. Why vsftpd as this FTP Server? (See
        A. Security
           I. The vsftpd server was design to fix security problems found in
                 ftp servers such, BSD-FTP, WU-FTP, and proftp.
           II. It solves buffer overflow problems with secure encoding
           III. VSFTPD has the ability to prevent FTP Server saturation by
                 the bandwidth.
           IV. All remote network data is done in a process running as an
           V. All operations are handled only in a small privileged parent
           VI. All requests are distrusted.
           VII. After login the privileged parent dynamically calculates what
                 privileges it requires.
           VIII. vsftpd does not use an external /bin/ls program because of
           IX. vsftpd avoids using library calls which are also exploitable.
        B. Performance
           I. 2,500 users were handled concurrently on specific RedHat
                 servers during a 24 hour period.
           II. A more aggressive cache files can be obtained via a small
           III. VSFTPD has the ability to prevent FTP Server saturation by
                 the bandwidth.
           IV. VSFTPD has been benchmarked over localhost at 70Mbyte/sec.
        C. Stability
           I. It is used by some well known FTP servers, such as,
       ,, and others.
    3. Hardware Considerations.
        A. Red Hat Hardware Compatibility Listings shows:
           Dell - PowerEdge 4400 x86-based
           Certified Server Red Hat Linux 9.0 (US)
        B. Memory is NOT important for a dedicated FTP server, about 256 MB RAM
           is sufficient for a very big server, smaller servers can do well with
    64 MB RAM.
           Network connections would still be the most important factor.
    4. Physical disks layout.
        A. The proposed physical layout is as follows:
           I. Configured with Disk Druid as:
           I. Configured with Disk Druid as:
                 /dev/sda1 150MB /boot
                 /dev/sda2 2000MB swap
                 /dev/sda3 500MB /
                 /dev/sda4 extended
                 /dev/sda5 2500MB /usr
                 /dev/sda6 2000MB /tmp
                 /dev/sda7 2000MB /home
                 /dev/sda8 750MB /var
                 /dev/sda9 92500MB /data
           II. Final layout with "fdisk -l /dev/sda" gives:
                    Device Boot Start End Blocks Id System
                 /dev/sda1 * 1 19 152586 83 Linux
                 /dev/sda2 20 274 2048287+ 82 Linux swap
                 /dev/sda3 275 338 514080 83 Linux
                 /dev/sda4 339 13275 103916452+ 5 Extended
                 /dev/sda5 339 720 3068383+ 83 Linux
                 /dev/sda6 721 975 2048256 83 Linux
                 /dev/sda7 976 1230 2048256 83 Linux
                 /dev/sda8 1231 1326 771088+ 83 Linux
                 /dev/sda9 1327 13275 95980311 83 Linux
    5. System kernel & software upgrade procedures.
           I. Install Redhat 9.0 without X Window System.
    6. System software customization considerations.
        A. Install without X Window System.
        B. VSFTPD FTP Server Software Install.
           I. Mount RH 9.0 disk 1.
           II. rpm -Uvh /mnt/cdrom/RedHat/RPMS/libcap-1.10-8.i386.rpm
           III. Mount RH 9.0 disk 3.
           IV. rpm -Uvh /mnt/cdrom/RedHat/RPMS/vsftpd-1.1.3.i386.rpm
           V. vi /etc/xinetd.d/vsftpd
                 service ftp
                 disable = no <-- Change from yes to no.
                 socket_type = stream
                 wait = no
                 user = root
                 server = /usr/sbin/vsftpd
                 nice = 10
                 per_source = 5
                 instances = 200
                 banner_fail = /etc/vsftpd.busy_banner
           VI. vi /etc/vsftpd.conf
                 idle_session_timeout=120 # 2 minutes
                 data_connection_timeout=300 #5 minutes
                 #To limits a single client to ~50kbytes / sec download speed.
                 #To disable "ls -R", to prevent it being used as a DoS attack.
                 # You may fully customise the login banner string:
                 ftpd_banner=Welcome to the our FTP server
           VII. service xinetd restart
           VIII. touch /etc/vsftpd.chroot_list <--This file is populated by the
    account_creation script.
           IX. chmod 600 /etc/vsftpd.chroot_list
           X. echo "421 Server busy, please try later." >
        C. Invoke software quota on.
           I. vi /etc/fstab
                 #Add usrquota after the word defaults
                 LABEL=/data /data ext3 defaults,usrquota 1 2
           II. mount -o remount,usrquota /data
           III. quotacheck -c /data #Creates a data file called
           IV. quotaon /data
           V. Get quota information on all accounts using the repquota -a"
    and format into
                 the specific quota categories. Eg. quotas_100MB, quotas_256MB,
                 quotas_3GB, and quotas_5GB.
           VI. Run the script.
                 edquota <username> #Edits the quota limits for <username>.

                 edquota -p <olduser> <newuser> #Copies the same quotas of
    <olduser> to <newuser>.
                 edquota -t #Edit the soft time limits for
    each file system.
                 repquota -a #To get a formatted quota usage report on all
    users (good for cron).
                 /etc/warnquota.conf #Modify this file to warn users via email,
                 quotastats #Displays some stats about quotas.
                 "quotacheck -avcugm" #Generates the /home/aquota.usr &
    /home/ files
        D. Fix manpage character caret problem:
           I. cd /etc/sysconfig
           II. vi i18n
                 LANG="en_US" <--Changed from en_US.UTF-8
    7. User service xinetd restart requirements.
        A. Software Quota on for all FTP user accounts.
           I. vi /etc/fstab
                 LABEL=/data /data ext3 defaults,usrquota 1 2
        B. There is an option for users to get either 100MB, 250MB, 1GB, or 5GB
           the account_creation script is executed.
        C. Quota limits above 250MB for other users are alloted according to
    specific needs.
    8. User and Group Configuration
        A. Use the "useradd" command to install system administration users
    (/home), and the
           fake accounts that will determine the quota for FTP accounts users.
           The default configuration will be the /etc/default/useradd file.
           I. Create the system administration user accounts:
        B. Create the FTP directory.
           I. mkdir /data/ftp
        C. Create the ftponly group.
           I. groupadd -g 5000 ftponly
        D. Create the 100MB, 250MB, 1GB fake accounts. These accounts will be
    used to
           automatically designate new users their quota.
           I. useradd -d /data/ftp/ftp100 -u 502 -s /bin/bash ftp100
           II. useradd -d /data/ftp/ftp250 -u 503 -s /bin/bash ftp250
           III. useradd -d /data/ftp/ftp1GB -u 504 -s /bin/bash ftp1GB
           IV. useradd -d /data/ftp/ftp3GB -u 506 -s /bin/bash ftp3GB
           V. useradd -d /data/ftp/ftp5GB -u 505 -s /bin/bash ftp5GB
           VI. useradd -d /data/ftp/ftp500 -u 507 -s /bin/bash ftp500
           VII. useradd -d /data/ftp/mondo -u 508 -s /bin/bash mondo
           VIII. useradd -d /data/ftp/ftp10GB -u 509 -s /bin/bash ftp10GB
           IX. cd /data/ftp ; chown root:root * ; make sure the ftp###
    accounts are 700.
           X. mount -o remount,usrquota /data <--To make sure that quota is
    turned on.
        E. Modify the quota for each ftp### account.
           I. edquota ftp100
                 Filesystem blocks soft hard inodes soft
                 /dev/sda9 0 92160 102400 0 0
           II. edquota ftp250
                 Filesystem blocks soft hard inodes soft
                 /dev/sda9 0 230400 256000 0 0
           III. edquota ftp1GB
                 Filesystem blocks soft hard inodes soft
                 /dev/sda9 0 921600 1024000 0 0
           IV. edquota ftp3GB
                 Filesystem blocks soft hard inodes soft
                 Filesystem blocks soft hard inodes soft
                 /dev/sda9 0 2700000 3000000 0 0
           V. edquota ftp5GB
                 Filesystem blocks soft hard inodes soft
                 /dev/sda9 0 4808000 5120000 0 0
           VI. edquota ftp10GB
                 Filesystem blocks soft hard inodes soft
                 /dev/sda9 0 9216000 10240000 0 0
        F. Create a daily cron report cron job.
           I. vi /etc/cron.daily/quotareport.cron
                 # The purpose of this cron job is to send a daily reports of
    the quota
                 # status of all user in the /data/ftp filesystem.
                 # Added by Robert Richardson on 03/24/2003.
                 /usr/sbin/repquota -u /data | mail -s "FTP Server Daily Quota
    Report" root
           II. chmod 755 /etc/cron.daily/quotareport.cron
        B. Use the "account_creation" script to install ftp users
           Example 1:
           ./account_creation -c '' admin
    9. Creating a chroot (jail) environment (NOT NEEDED ON THIS SYSTEM).
        A. Allow for users to only move around in their home directory.
           I. vi /etc/vsftpd.conf
           II. Use the account_creation script to append every new user to a
    file called
           III. Make sure that the /data/ftp/<login> has permissions set to
    10. System security requirements.
        A. Security Level Configuration
           Install RedHat 9.0 with security level "No Firewall".
           I. The system will only accept connections that are explicitly
        B. Disable the following services:
           apmd atd autofs gpm ipchains isdn kudzu lpd rhnsd sendmail xfs
           I. chkconfig --list | grep on
                 crond 0:off 1:off 2:on 3:on 4:on 5:on
                 netfs 0:off 1:off 2:on 3:on 4:on 5:on
                 keytable 0:off 1:on 2:on 3:on 4:on 5:on
                 network 0:off 1:off 2:on 3:on 4:on 5:on
                 random 0:off 1:off 2:on 3:on 4:on 5:on
                 rawdevices 0:off 1:off 2:off 3:on 4:on 5:on
                 portmap 0:off 1:off 2:on 3:on 4:on 5:on
                 nfs 0:off 1:off 2:on 3:on 4:on 5:on
                 nfslock 0:off 1:off 2:on 3:on 4:on 5:on
                 sshd 0:off 1:off 2:on 3:on 4:on 5:on
                 syslog 0:off 1:off 2:on 3:on 4:on 5:on
                 vsftpd :on
                 xinetd 0:off 1:off 2:on 3:on 4:on 5:on
                 anacron 0:off 1:off 2:on 3:on 4:on 5:on
        C. Configure login messages.
           I. vi /etc/issue
                 Authorized users only. All access are being logged and
           II. vi /etc/
                 Authorized users only.
           III. vi /etc/motd

                 # This system is for the use of authorized users only.
                 # Individuals using this computer system without authority, or
    in #
                 # excess of their authority, are subject to having all of their
                 # activities on this system monitored and recorded by system
                 # personnel.

        D. Create user chroot environment.
           I. Ugrade Secure SSH to version 3.2.5.
                 1. Download version 3.2.5 from
                 2. tar xvpf ssh-3.2.5.tar
                 3. cd ssh-3.2.5
                 4. ./configure
                 5. make
                 6. make install
           II. Replace "r" programs with SSH:
                 1. cd /usr/bin/
                 2. mv ssh orig.ssh
                 3. mv ssh-add orig.ssh-add
                 4. mv ssh-agent orig.ssh-agent
                 5. mv ssh-keygen orig.ssh-keygen
                 6. mv ssh-keyscan orig.ssh-keyscan
                 7. rm rsh
                 8. cp -p /usr/local/bin/ssh2 .
                 9. ln -s /usr/bin/ssh2 rsh
                 10. rm -f slogin
                 11. ln -s /usr/bin/ssh2 slogin
                 12. cp -p /usr/local/bin/ssh-agent2 .
                 13. ln -s /usr/bin/ssh-agent2 ssh-agent
                 14. cp -p /usr/local/bin/ssh-add2 .
                 15. ln -s /usr/bin/ssh-add2 ssh-add
                 18. cp -p /usr/local/bin/ssh-keygen2 .
                 19. ln -s ssh-keygen2 ssh-keygen
                 20. cp -p /usr/local/bin/ssh-askpass2 .
                 21. ln -s ssh-askpass2 ssh-askpass
                 22. cp -p /usr/local/bin/ssh-dummy-shell /bin/.
                 23. ln -s /usr/local/bin/sftp-server2 /usr/bin/sftp-server
           III. Restrict users to their chrooted ssh environment (for sftp).
                 1. vi /etc/ssh2/sshd2_config
                     ChRootGroups ftponly
                     subsystem-sftp internal://sftp-server
                 2. The users are added via the account_creation script.
                 3. service xinetd restart
        E. Restrict access to cron.
           I. vi /etc/cron.allow
           II. "service crond restart" <-- To restart cron.
        F. Configure and start logwatch cron report.
           I. vi /etc/log.d/scripts/
                 $Config{'detail'} = 10;
           II. vi /etc/log.d/conf/logwatch.conf
                 Detail = High
        G. Disable useless services.
           I. Files in /etc/rc3.d, such as,
                 kudzu ipchains netfs apmd atd sendmail gpm anacron inetd
           II. Disable TELNET remote root logins.
           III. Restrict TCP connections.
        H. Other hardening steps are:
           I. chmod 700 /var/log
           II. vi /etc/profile
                 TMOUT=1800 <--30 minutes of idle time.
                 umask 027 <--owner can read, write, and execute, while
    members of
                                  the group to which the binary belongs can read
                                  execute it, and all others, cannot read,
    write, or execute it.
        I. Allow only certain users to shutdown the system using
           I. Add a -a option to the /etc/inittab line:
                 ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
           II. Create the /etc/shutdown.allow file. It is list of allowed
                 one per line, like the following:
        J. Disable Console Program Access.
           I. To not allow any user at the console to run poweroff, halt, and
                 do the following:
                 rm -f /etc/security/console.apps/poweroff
                 rm -f /etc/security/console.apps/halt
                 rm -f /etc/security/console.apps/reboot
    11. Networking considerations.
        A. vi /etc/sysconfig/network
        B. vi /etc/sysconfig/network-scripts/ifcfg-eth0
        C. vi /etc/sysconfig/network-scripts/ifcfg-eth1
        D. Start routing information.
           route add default gw
           route add -net netmask gw
        D. Create and configure an add gateway init script.
           I. vi addgateway
                 # Purpose: To add and delete the default gateways for eth0 and
                 # Name: addgateway
                 # Version: 1.0
                 # Author: Robert Richardson (Activision Studios)
                 # Date: April 4th, 2003.
                 # History:
                 # 04-APR-03 - Robert Richardson
                 # Version: 1.0
                 # 1. Created to add and delete the default
                 # display_gateways -- This function uses netstat to display the
                 display_gateways() { # gateways
                         echo " Checking the status of the
                         echo "
                         echo " "
                         /bin/netstat -rn | grep UG
                 case "$1" in
                 echo -n "Starting Default Gateway Parameters..."
                 route add -net xx.xx.xx.x netmask gw xx.xx.xx.x
                 route add -net netmask gw xx.xx.xx.x
                 echo -n "Shutting Down Gateway Parameters..."
                 route del -net xx.xx.xx.x netmask gw xx.xx.xx.x
                 route del -net netmask gw xx.xx.xx.x
                 $0 stop
                 $0 start
                 echo "Usage: gateway {start|stop|status|restart|reload}"
                 exit 1

                 exit 0
           II. chmod 700 /etc/rc.d/init.d/addgateway
           III. chkconfig --add addgateway
           IV. chkconfig --level 345 addgateway on
           V. Add the addgateway script to the various init directories.
                 cp -p addgateway /etc/rc.d/init.d/addgateway
                 cp -p addgateway /etc/rc.d/rc1.d/K91addgateway
                 cp -p addgateway /etc/rc.d/rc2.d/S11addgateway
                 cp -p addgateway /etc/rc.d/rc3.d/S11addgateway
                 cp -p addgateway /etc/rc.d/rc4.d/S11addgateway
                 cp -p addgateway /etc/rc.d/rc5.d/S11addgateway
                 cp -p addgateway /etc/rc.d/rc6.d/K91addgateway
    12. Configure with postfix.
        A. Go to get db*-deve*: ftp
        B. cd pub/redhat/linux/9/RedHat/RPMS
        C. mget db4-*
        D. rpm -qal | grep db4 <--It already exist then do the next steps.
        E. rpm -Uvh db4-devel-4.0.14-20.i386.rpm
        F. rpm -Uvh db4-java-4.0.14-20.i386.rpm
        G. rpm -Uvh db4-utils-4.0.14-20.i386.rpm
        H. useradd -d /home/postfix -u 12345 -s /bin/ssh-dummy-shell postfix
        I. groupadd -g 54321 postdrop
        J. Go to mirror site:
        K. gunzip postfix-2.0.16.tar.gz
        L. tar xpf postfix-2.0.16.tar
        M. cd postfix-2.0.16
        N. cd /home/admin/packages/postfix-2.0.16
        O. make
        P. make install
           install_root: [/]
           tempdir: [/home/admin/packages/postfix-2.0.16]
           config_directory: [/etc/postfix]
           daemon_directory: [/usr/libexec/postfix]
           command_directory: [/usr/sbin]
           queue_directory: [/var/spool/postfix]
           sendmail_path: [/usr/sbin/sendmail]
           newaliases_path: [/usr/bin/newaliases]
           mailq_path: [/usr/bin/mailq]
           mail_owner: [postfix]
           setgid_group: [postdrop]
           manpage_directory: [/usr/local/man]
           sample_directory: [/etc/postfix]
           readme_directory: [no]
        Q. postfix start
        R. mv /etc/aliases /etc/sendmail.orig.aliases
        S. ln -s /etc/postfix/aliases /etc/aliases
        T. vi /etc/postfix/aliases
           postfix: root
        U. newaliases
    13. System transition.
    14. Windows user connectivity
        A. Instruct Windows users on using secure ftp (sftp) via a pc.
           I. Go to the website below to get ssh for the pc.
           II. Follow the install instructions.
           III. Complete all encryted ftp transactions via sftp.
           IV. Make these instructions part of the intranet website that has
    the rules and
                 regulations for using this FTP Server.
    15. System disk space growth considerations.
    16. System recovery requirements.


    redhat-list mailing list

  • Next message: Matthew Saltzman: "Re: Red Hat Professional Workstation"

    Relevant Pages

    • First time vsftp setup
      ... I am setting up my very first ftp server for my small company and I am wondering if someone with more experience than I could look at my configuration and give me some advice. ... The purpose of my ftp site is to enable our staff and a select group of our clients to exchange very large files back and forth, without the problems associated with emailing large files. ...
    • Re: Configure ISA to allow ISA Server to make external FTP Connect
      ... > 2) FTP Download only< I added this ... If adding the FTP protocols does work, you should be able to remove the FTP ... Download and FTP Server and just leave FTP enabled becuase you don't want ... network layout little configuration would be required. ...
    • Re: Tool to backup cisco router configurations?
      ... This configuration on a router or switch will automatically save the ... startup-configuration to a FTP server (other transport options are ...
    • Re: IIS FTP service as HTTP
      ... But some proxys blocks ftp transactions and in that cases I saw someting ... There's no such thing as an HTTP FTP server. ... > That requires no configuration on the FTP server side, ... check an IE group or the FTP group for ...
    • Re: Microsoft FTP Server problem on W2K?
      ... It is a UNISYS ClearPath mainframe system that is trying to FTP using ... passive mode to a MS FTP server. ... Currently the mainframe FTPs in ACTIVE mode. ... Since the mainframe pushes files to our customers over a WAN connection, ...