FTPD
VSFTPD
Configuration is in /etc/vsftpd/vsftpd.conf
PAM module is in /etc/pam.d/ftpd
It uses pam_require and is limited to users in the ftp-users group.
Feature | Configuration | Default |
---|---|---|
chroot users | chroot_local_user | NO |
Passive support | pasv_enable | YES |
Allow chmod | chmod_enable | YES |
Directory listing allowed | dirlist_enable | YES |
Enable downloads | download_enable | YES |
Hide user and group information | hide_ids | NO |
Allow local users to login | local_enable | NO |
Recursive ls support | ls_recurse_enable | NO |
tcp_wrappers support | tcp_wrappers | NO |
Allow write access | write_enable | NO |
Minimum PASV port | pasv_min_port | 0 |
Maximum PASV port | pasv_max_port | 0 |
FTPS | | |
SSL support | ssl_enable | NO |
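As an added example (not code from this page or from the vsftpd project), a small Python audit that parses a vsftpd.conf the way the daemon does and flags settings that undo the chroot, TLS and passive-port hardening the table implies. The defaults come from the table above; the sample configuration is constructed.

```python
from typing import Dict, List

# Compiled-in defaults, taken from the vsftpd table on this page.
DEFAULTS = {
    "chroot_local_user": "NO", "local_enable": "NO", "write_enable": "NO",
    "chmod_enable": "YES", "hide_ids": "NO", "ssl_enable": "NO",
    "pasv_enable": "YES", "pasv_min_port": "0", "pasv_max_port": "0",
}

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd syntax: KEY=VALUE with no spaces around '=', lines starting with '#' are comments, later assignment wins."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # malformed lines are skipped; vsftpd itself would refuse to start on them
            settings[key] = value
    return settings

def audit_vsftpd(text: str) -> List[str]:
    """Return weak-setting findings, e.g. audit_vsftpd(open('/etc/vsftpd/vsftpd.conf').read())."""
    s = parse_vsftpd_conf(text)
    findings = []
    if s["local_enable"] == "YES" and s["chroot_local_user"] != "YES":
        findings.append("local users log in without a chroot (chroot_local_user=NO)")
    if s["local_enable"] == "YES" and s["ssl_enable"] != "YES":
        findings.append("local logins without TLS: credentials cross the wire in clear (ssl_enable=NO)")
    if s["write_enable"] == "YES" and s["chmod_enable"] == "YES":
        findings.append("uploaders may change file permissions (chmod_enable=YES with write_enable=YES)")
    if s["hide_ids"] != "YES":
        findings.append("listings reveal local user and group names (hide_ids=NO)")
    if s["pasv_enable"] == "YES":
        lo, hi = int(s["pasv_min_port"]), int(s["pasv_max_port"])
        if lo == 0 or hi == 0:
            findings.append("passive data ports unrestricted (pasv_min_port/pasv_max_port=0); a firewall cannot pin the range")
        elif lo > hi:
            findings.append("pasv_min_port is greater than pasv_max_port")
    return findings

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
listen=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
pasv_enable=YES
"""
```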
Pure-FTPD
Pure-FTPD is set up to accept SSL/TLS connections if requested. It is using the digitaltrike.com wildcard SSL certificate as well.
Configuration is located at /etc/conf.d/pure-ftpd
Feature | Configuration |
---|---|
Chroot everyone, but root | -A |
Compatibility hacks | -b |
Daemonize | -B |
Max # of clients | -c # |
Max # connections per IP | -C # |
Anonymous connections only | -e |
Authenticated users only | -E |
Don't resolve host names | -H |
PAM authentication | -l pam |
Disallow chmod | -R |
Disallow reading/writing to dotfiles | -X |
Miscellaneous safeguards | -Z |
Active / Passive Modes | |
NAT mode (force active mode) | -N |
Passive mode port range | -p first:last |
IP address to reply to PASV/EPSV/SPSV | -P ip address or host |
FTPS | |
Disable SSL/TLS (default) | -Y 0 |
Accept normal and SSL/TLS sessions | -Y 1 |
Require SSL/TLS to connect | -Y 2 |
Require SSL/TLS for everything | -Y 3 |
SSL
By default, Pure-FTPD looks for an SSL certificate at /etc/ssl/private/pure-ftpd.pem
The format of the file is (private key first, then the certificate chain from leaf to root):

```
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: from_cert_provider.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: from_cert_provider.crt)
-----END CERTIFICATE-----
```
To create a self-signed certificate, you can use the following commands:

```sh
mkdir -p /etc/ssl/private
# Writes the key and the self-signed certificate into the same PEM file,
# which is the layout Pure-FTPD expects. rsa:1024 is the size given here;
# 1024-bit RSA is considered weak today, so prefer rsa:2048 or larger.
openssl req -x509 -nodes -newkey rsa:1024 -keyout \
  /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem
# The file contains the private key, so restrict it to root.
chmod 600 /etc/ssl/private/*.pem
```
Notes
Sometimes Pure-FTPD will not stop with the init script, so you will have to manually kill the process.
Important: The FTP server can run in either active OR passive mode, but not both.
Notes
FTPD is simple to secure with SSL, and lock down with chroots.
Filezilla is buggy, plain and simple. I've read a lot of forum posts where users have tweaked their setups to work with it, and Filezilla still does not work properly. The developer usually cites firewall or SSL issues as the reasons.
Your best bet for providing support is to disable PASV transfer support in the server.