
2nd September 2008, 02:00 AM, jazzer386 (Registered User, Join Date: Jul 2008, Posts: 292)
vsftp Question
I should not have been so quick to save over my old vsftpd.conf file.
Now, I have nothing, for comparison.
How do I tell vsftp to connect via the right port #?
- j

2nd September 2008, 02:18 AM, forkbomb (Registered User, Join Date: May 2007, Location: U.S., Posts: 4,852)
Quote (Originally Posted by jazzer386):
    I should not have been so quick to save over my old vsftpd.conf file.
    Now, I have nothing, for comparison.
    How do I tell vsftp to connect via the right port #?
    - j
Could try reading the man page for vsftpd
http://linuxreviews.org/man/vsftpd.conf/
Grepping through my vsftpd.conf, I assume you mean the option:
Code:
]$ grep port vsftpd.conf
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
I'm not a vsftpd guru, but what do you have right now for your vsftpd.conf and what do you want to accomplish?
EDIT:
I believe this is pretty close to the default.
Code:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
Whenever I modify any default configs, I make a copy first.
__________________
- Tom
"What is freedom? To have the will to be responsible for one's self." - Stirner
Last edited by forkbomb; 2nd September 2008 at 02:22 AM.

2nd September 2008, 02:54 AM, jazzer386 (Registered User, Join Date: Jul 2008, Posts: 292)
Thanks for the input!
I think I'm getting a better grasp on my problem, and it actually appears to be 2 issues: vsftp and the firewall.
So, I will separate them and place the firewall question in a different post, although I fail to see why the firewall should have been affected.
For this post, though, does anyone know how to assign a port #, to vsftpd?
- j

2nd September 2008, 02:59 AM, forkbomb (Registered User, Join Date: May 2007, Location: U.S., Posts: 4,852)
From the link I gave you:
Code:
listen_port
If vsftpd is in standalone mode, this is the port it will listen on for incoming FTP connections.
Default: 21
So, listen_port=666 would make it listen on 666.
That's standalone mode, mind you. If you're launching vsftpd through something like xinetd, that may be a different matter from what I gather from the man page. If you're running vsftpd with xinetd, I'd imagine you can configure the listen port in the xinetd config, but I'm not sure because I just go with the "simpler" (KISS) method of running standalone.

2nd September 2008, 03:25 AM, jazzer386 (Registered User, Join Date: Jul 2008, Posts: 292)
Thanks for the input, but my vsftpd.conf does not contain:
"listen_port
If vsftpd is in standalone mode, this is the port it will listen on for incoming FTP connections.
Default: 21 "
Instead, it is:
Code:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to DDDPL's FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
- j

2nd September 2008, 04:04 AM, forkbomb (Registered User, Join Date: May 2007, Location: U.S., Posts: 4,852)
Quote (Originally Posted by jazzer386):
    Thanks for the input, but my vsftpd.conf does not contain:
Add it if you need it...
I'm confused. Do you need vsftpd to listen on a nonstandard port? If you don't specify the listen_port=xyz option in vsftpd.conf, then the daemon will just listen on the standard FTP port (21 is ftp-control).
If you need a nonstandard port - and I've never heard of anybody needing or wanting to set FTP servers to listen on another port, then add listen_port=<portyouwant>
If you have customers or whatever who will be needing to connect to your ftp server, leave it to default ports unless you are confident that you will know what you're talking about when you tell them, "oh, by the way, my ftp server listens on a nonstandard port so change the port you're using on your ftp client to xyz." Most people will have no idea what you're talking about.
So, unless you have some compelling reason to use a nonstandard ftp port (I can't really think of any), leave the listen_port= option out and let vsftpd default to the standard port for the FTP protocol, 21.
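A small audit script for the settings discussed in this post and in the config pasted above, as an added example that is not part of the thread: it parses a vsftpd.conf, reports whether vsftpd runs standalone and on which port (listen_port only applies in standalone mode; under xinetd the port is set in the xinetd service entry), and flags the settings a reviewer would question. The sample config is constructed from the lines posted earlier, with an assumed listen_port=2121 added so the port logic has something to show; the default values are those from vsftpd.conf(5). One point worth noticing on the posted config: ssl_enable=YES alone does not force TLS, because force_local_logins_ssl=NO and force_local_data_ssl=NO still let a client send the password and the data in cleartext.

```python
"""Audit the listen/port and security settings of a vsftpd.conf.

Added example for this thread; the sample below is constructed from the
configuration posted above, plus an assumed listen_port for illustration.
Defaults follow vsftpd.conf(5)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the posted options, with listen_port=2121 assumed.
SAMPLE_CONF = """\
# Example config file /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
listen=YES
#listen_ipv6=YES
listen_port=2121
pam_service_name=vsftpd
userlist_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf is one 'option=value' per line; '#' starts a comment.
    A later line overrides an earlier one.  (vsftpd itself rejects stray
    whitespace around the '=', so nothing is stripped here either.)"""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts


def is_yes(opts: Dict[str, str], key: str, default: str) -> bool:
    # vsftpd booleans are YES/NO (it also accepts TRUE/FALSE and 1/0).
    return opts.get(key, default).upper() in ("YES", "TRUE", "1")


def listen_summary(opts: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Return ('standalone', port) or ('inetd', None).

    listen_port is only honoured when vsftpd listens itself (listen=YES or
    listen_ipv6=YES).  Under xinetd the port comes from the xinetd service
    entry, and listen_port in vsftpd.conf is irrelevant."""
    if is_yes(opts, "listen", "NO") or is_yes(opts, "listen_ipv6", "NO"):
        return ("standalone", int(opts.get("listen_port", "21")))
    return ("inetd", None)


def audit(opts: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise; an empty list means nothing flagged."""
    findings: List[str] = []
    if is_yes(opts, "listen", "NO") and is_yes(opts, "listen_ipv6", "NO"):
        findings.append("listen=YES and listen_ipv6=YES cannot be combined; "
                        "run two instances with two config files")
    mode, port = listen_summary(opts)
    if mode == "standalone" and not 1 <= port <= 65535:
        findings.append(f"listen_port={port} is not a valid TCP port")
    if is_yes(opts, "anonymous_enable", "YES"):
        findings.append("anonymous logins are on (anonymous_enable defaults "
                        "to YES when omitted)")
    if is_yes(opts, "ssl_enable", "NO"):
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not is_yes(opts, key, "YES"):
                findings.append(f"{key}=NO: clients may still send passwords"
                                "/data in cleartext despite ssl_enable=YES")
        for key in ("ssl_sslv2", "ssl_sslv3"):
            if is_yes(opts, key, "NO"):
                findings.append(f"{key}=YES enables an obsolete protocol version")
    if is_yes(opts, "local_enable", "NO") and not is_yes(opts, "chroot_local_user", "NO"):
        findings.append("local users are not chrooted (chroot_local_user=NO)")
    return findings


def audit_text(text: str) -> Tuple[Tuple[str, Optional[int]], List[str]]:
    opts = parse_vsftpd_conf(text)
    return listen_summary(opts), audit(opts)


if __name__ == "__main__":
    (mode, port), findings = audit_text(SAMPLE_CONF)
    print(f"mode={mode} port={port}")
    for f in findings:
        print("-", f)
```

Run it against a copy of /etc/vsftpd/vsftpd.conf (read the file into audit_text) before restarting the service; the listen/listen_ipv6 conflict and an out-of-range listen_port are exactly the mistakes that make vsftpd refuse to start.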

2nd September 2008, 04:25 AM, jazzer386 (Registered User, Join Date: Jul 2008, Posts: 292)
In an attempt to enhance security, I changed the port # to a nonstandard one.
Your advice, however, worked!
So, thank you!
- j

2nd September 2008, 04:40 AM, forkbomb (Registered User, Join Date: May 2007, Location: U.S., Posts: 4,852)
Quote (Originally Posted by jazzer386):
    In an attempt to enhance security, I changed the port # to a nonstandard one.
    Your advice, however, worked!
    So, thank you!
    - j
Well, you're welcome.
Not to open up the old "security vs obscurity" can of worms, but nonstandard ports really don't foil the really dangerous cracking folk. Just so you know that. Nonstandard ports will, however, foil bots and script-kiddies who don't really know how to use a port scanner. I've been running VSFTPD on my server box for a few weeks. In that time, I've seen dozens of bogus SSH login attempts (thanks denyhosts), but nobody has tried FTP once.
(Non-standard SSH ports, on the other hand, can reduce attack attempts by a huge factor because lots of SSH attempts come from compromised zombie bots.)
Of course, I could also say that you should be using something other than FTP if you desire security (plain text passwords in standard, vanilla FTP), but then I noticed you're using SSL. So, score two for the home team.
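For the "nobody has tried FTP once" observation above, here is an added example (not from the thread) of the kind of check denyhosts does for SSH, applied to vsftpd's own log: it parses lines in vsftpd's native format and reports clients with repeated FAIL LOGIN events inside a time window, plus the account names each one guessed. The log lines are constructed for the example. Caveat: with xferlog_std_format=YES, as in the config posted earlier, vsftpd only writes transfer records to /var/log/xferlog and login failures never appear anywhere; set xferlog_std_format=NO, or dual_log_enable=YES to get both logs, before relying on this.

```python
"""Spot brute-force login attempts in vsftpd's native log.

Added example for this thread.  The log lines are constructed; the format
is the one vsftpd writes to /var/log/vsftpd.log (xferlog_std_format=NO, or
dual_log_enable=YES)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Tue Sep  2 02:10:01 2008 [pid 4101] CONNECT: Client "198.51.100.7"
Tue Sep  2 02:10:02 2008 [pid 4100] [admin] FAIL LOGIN: Client "198.51.100.7"
Tue Sep  2 02:10:03 2008 [pid 4100] [root] FAIL LOGIN: Client "198.51.100.7"
Tue Sep  2 02:10:04 2008 [pid 4100] [test] FAIL LOGIN: Client "198.51.100.7"
Tue Sep  2 02:10:05 2008 [pid 4100] [ftp] FAIL LOGIN: Client "198.51.100.7"
Tue Sep  2 02:10:06 2008 [pid 4100] [admin] FAIL LOGIN: Client "198.51.100.7"
Tue Sep  2 02:30:00 2008 [pid 4201] CONNECT: Client "192.0.2.10"
Tue Sep  2 02:30:05 2008 [pid 4200] [jazzer] FAIL LOGIN: Client "192.0.2.10"
Tue Sep  2 02:30:09 2008 [pid 4200] [jazzer] OK LOGIN: Client "192.0.2.10"
"""

# <weekday> <month> <day> <time> <year> [pid N] [user] EVENT: Client "ip"
# The [user] field is absent on CONNECT lines, so it is optional here.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>[A-Z ]+?): Client "(?P<ip>[^"]+)"'
)


def parse_line(line: str) -> Optional[dict]:
    """One parsed record, or None for lines that are not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "user": m["user"],
        "event": m["event"],
        "ip": m["ip"],
    }


def failed_login_bursts(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Map client IP -> largest number of FAIL LOGIN events seen inside any
    `window`, for clients reaching `threshold` (sliding window per client)."""
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "FAIL LOGIN":
            fails[rec["ip"]].append(rec["ts"])
    offenders: Dict[str, int] = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


def usernames_tried(log_text: str, ip: str) -> List[str]:
    """Accounts a client guessed: a spread of root/admin/test is the
    signature of a scanner, one real user mistyping a password is not."""
    names = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] == ip and rec["event"] == "FAIL LOGIN" and rec["user"]:
            names.add(rec["user"])
    return sorted(names)


if __name__ == "__main__":
    for ip, n in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, tried {usernames_tried(SAMPLE_LOG, ip)}")
```

The threshold and window are the two knobs to tune: a single user fumbling a password produces a handful of failures for one account, whereas a scanner walks through many account names from one address in seconds.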

3rd September 2008, 02:00 AM, jazzer386 (Registered User, Join Date: Jul 2008, Posts: 292)
Which username and password should I use for logging onto my vsftp server?
My regular user info or my su - info or something else?
- j

3rd September 2008, 03:35 AM, marcrblevins (Registered User, Join Date: Jun 2006, Location: Texas, Age: 42, Posts: 4,168)
vsftpd login uses your same Linux login.

3rd September 2008, 11:06 AM, forkbomb (Registered User, Join Date: May 2007, Location: U.S., Posts: 4,852)
Quote (Originally Posted by marcrblevins):
    vsftpd login uses your same Linux login.
By default, yes.
You can also configure vsftpd to use virtual users (users that don't actually exist locally on the system). And I believe there are some lines relating to user access restriction.

4th September 2008, 12:42 AM, jazzer386 (Registered User, Join Date: Jul 2008, Posts: 292)
Quote (Originally Posted by marcrblevins):
    vsftpd login uses your same Linux login.
Same as what?
My 'usual' username & password?
Not the 'root' password?
Right?
I'm just trying to be clear about this.
- j

4th September 2008, 02:14 AM, briantan (Registered User, Join Date: Jun 2008, Posts: 715)
I think there is a confusion here.
When you're trying to gain access (log in) to a Fedora Linux system via telnet, or ssh, or ftp, or sftp, you have to supply a userid/password pair as credentials for authentication. (In general, by default.)
In a Fedora Linux system there is a very powerful superuser whose userid is root.
Like "Supervisor" in Windows, Linux user root has full reign of the system.
User root has a uid of 0, the "highest" of them all. uid <= 499 are considered "system-level" users. The system-level users do not appear in "# system-config-users" in F9 (unless you uncheck "hide system users and groups" in Edit->Preferences).
In contrast, your "usual" users start with uid >= 500.
When you log in to Linux as user root, you have to supply root's password. However, logging in as user root is frowned upon by many in this forum.
When you log in with any of the "usual" userids and passwords that you create, you can temporarily gain access to the "power" of user root with the command "$ su".
When you try to run an application that requires "root" access privilege, the application will prompt for root's password and then run "su" on your behalf.
Code:
[ jazzer@host ~]$ id
uid=500(jazzer) gid=500(jazzer) groups=500(jazzer)
[ jazzer@host ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[ jazzer@host ~]$ system-config-users &
Password: [root password here]
[ jazzer@host ~]$ su -
Password: {root password here}
[ root@host ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[ root@host ~]# cat /etc/shadow
root:$6$AbCdEfGhIjKlMnOpQrStUvWxYz/NfUmZv/:14090:0:99999:7:::
bin:*:14058:0:99999:7:::
daemon:*:14058:0:99999:7:::
......
[ root@host ~]# system-config-users &
{ no password prompt here }
[ root@host ~]#
Notice the change of command prompt from "$" (normal users) to "#" (user root).
/etc/shadow contains the encrypted version of users' passwords, and access is restricted to user root only for security reasons.
marcrblevins said "same as Linux user", meaning you can log in to vsftp with any userid as long as you know their password, provided the userid does not appear in the following files.
Code:
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
You can even login as user root if "root" is commented in these files. (NOT recommended).
As suggested by tjvanwyk, vsftpd allows login by virtual user (not real users defined in Fedora), but some setup is required.
Hope this clears up the confusion.
Last edited by briantan; 4th September 2008 at 02:24 AM.

4th September 2008, 04:11 AM, forkbomb (Registered User, Join Date: May 2007, Location: U.S., Posts: 4,852)
Quote (Originally Posted by briantan):
    As suggested by tjvanwyk, vsftpd allows login by virtual user (not real users defined in Fedora), but some setup is required.
    Hope this clears up the confusion.
I would definitely look into that...
It's far more secure. I'm not sure about the particulars of how vsftpd does virtual users, but I've run proftpd before and I manually created a sort of virtual user by:
1) Allowing only one user FTP access
2) making sure the ftp user couldn't leave the FTP root (chrooting)
3) Ensuring that that user had access to only a faux shell (by adding something like /bin/false to /etc/shells)
Can anybody confirm that that's essentially what vsftpd does with "virtual users?"

4th September 2008, 04:06 PM, jazzer386 (Registered User, Join Date: Jul 2008, Posts: 292)
Briantan:
So, any of my Linux-user login IDs (not remote visitors) can log onto my vsftp server so long as their name/ID "does not appear in":
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
...?
- j
Last edited by jazzer386; 4th September 2008 at 04:14 PM.
Reason: clarification
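To make the rule in briantan's answer concrete for the question just asked, here is an added example (not from the thread) that evaluates whether a given username would get past vsftpd's two user lists. It assumes Fedora's stock /etc/pam.d/vsftpd, which denies any user listed in /etc/vsftpd/ftpusers through pam_listfile, and it encodes the userlist_enable / userlist_deny semantics from vsftpd.conf(5): with userlist_deny=YES (the default) users in user_list are refused before a password is even asked for; with userlist_deny=NO only users in user_list may log in. The two list files are constructed to resemble Fedora's defaults, and the config is passed in as an already-parsed dict of the options from the posted vsftpd.conf that matter here.

```python
"""Decide whether a username gets past vsftpd's user lists.

Added example for this thread.  Assumes Fedora's stock /etc/pam.d/vsftpd,
which denies users listed in /etc/vsftpd/ftpusers through pam_listfile,
and the userlist_enable/userlist_deny behaviour from vsftpd.conf(5).
The list files are constructed to resemble the Fedora defaults."""
from typing import Dict, Set, Tuple

# Constructed: /etc/vsftpd/ftpusers, checked by PAM at authentication.
FTPUSERS = """\
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
"""

# Constructed: /etc/vsftpd/user_list, checked by vsftpd before the password
# prompt when userlist_enable=YES.
USER_LIST = """\
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file
root
bin
daemon
nobody
"""

# Constructed: the options from the config posted in the thread that matter.
SAMPLE_CONF: Dict[str, str] = {
    "anonymous_enable": "NO",
    "local_enable": "YES",
    "userlist_enable": "YES",
    "pam_service_name": "vsftpd",
}


def parse_list_file(text: str) -> Set[str]:
    """One username per line; '#' lines and blanks are ignored."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def is_yes(conf: Dict[str, str], key: str, default: str) -> bool:
    # vsftpd booleans are YES/NO (it also accepts TRUE/FALSE and 1/0).
    return conf.get(key, default).upper() in ("YES", "TRUE", "1")


def ftp_login_allowed(user: str, conf: Dict[str, str],
                      ftpusers: Set[str], user_list: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason).  The checks run in vsftpd's order: anonymous
    handling, then user_list (before PASS is requested), then PAM with the
    ftpusers deny list, and only then the password itself."""
    if user in ("anonymous", "ftp"):            # both names mean anonymous
        if is_yes(conf, "anonymous_enable", "YES"):
            return (True, "anonymous login (anonymous_enable=YES)")
        return (False, "anonymous_enable=NO")
    if not is_yes(conf, "local_enable", "NO"):
        return (False, "local_enable=NO: no local account may log in")
    if is_yes(conf, "userlist_enable", "NO"):
        deny_listed = is_yes(conf, "userlist_deny", "YES")
        if deny_listed and user in user_list:
            return (False, "listed in user_list with userlist_deny=YES")
        if not deny_listed and user not in user_list:
            return (False, "not in user_list with userlist_deny=NO")
    if user in ftpusers:
        return (False, "listed in ftpusers; PAM pam_listfile denies the login")
    return (True, "local account; PAM now checks the Unix password")


if __name__ == "__main__":
    fu, ul = parse_list_file(FTPUSERS), parse_list_file(USER_LIST)
    for name in ("jazzer", "root", "adm", "anonymous"):
        print(name, ftp_login_allowed(name, SAMPLE_CONF, fu, ul))
```

The practical consequence for the question above: yes, any local account not named in either file can log in with its normal Unix password, and root is kept out twice over (user_list and ftpusers). To allow only a handful of accounts rather than everyone, set userlist_deny=NO and put just those names in user_list.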