# vsftpd help request

## strubbldesign

Hi everyone....

I'm planning to run a secure vsftpd...

The things I am considering are:

1.) Uploading (only local and virtual users via s-ftp)

The documentation at http://en.gentoo-wiki.com/wiki/Vsftpd tells me that I should use /var/ftp/upload.

The things I wanna share are in /mnt/legal_data/ftp.

The upload directory should be the same....

The thing is that /mnt/legal_data/ is an NTFS partition, mounted as fstab tells:

> /dev/sdb5               /mnt/legal_data     ntfs-3g         nls=utf8,auto,rw,user   0 0

An ls -lah shows me:

> fysi@daxbau /mnt $ ls -lah
> 
> total 60K
> 
> ...
> ...

So this is owned by root.

Now the documentation (in the section on where to put files) tells me to chown the directory to ftp:ftp.

Does any of you have an idea how to handle that? Giving the directory from root to ftp but still having direct access to it from the local machine as a user?

----------

## causality

The man page for the "mount" command has this section for NTFS-specific options:

> Mount options for ntfs
> 
>        iocharset=name
> 
>               Character set to use when returning file names.  Unlike VFAT, NTFS suppresses names that contain unconvertible characters. Dep-
> ...

You can edit your /etc/fstab file and change this line

```
/dev/sdb5 /mnt/legal_data ntfs-3g nls=utf8,auto,rw,user 0 0
```

to something like this:

```
/dev/sdb5 /mnt/legal_data ntfs-3g nls=utf8,auto,rw,user,uid=X,gid=Y,umask=Z 0 0
```

to set the permissions the way you want them.  This is of course because the NTFS filesystem does not have Unix permissions, so the kernel has to "fake" them in order to mount the NTFS partition in a way that is compatible with the rest of your virtual filesystem.

I apologize if this sounds obvious, but I wanted to emphasize it:  please be careful about the permissions you choose, particularly the implications of the "umask=" option if you decide to use that.  This is where a mistake might expose those files to users who should not be able to access them.

----------

## strubbldesign

Do I have to use the value which is given to me by this user console?

```
fysi@daxbau /mnt $ umask -p
```

> umask 0022

----------

## causality

No, you can use any value you like.  That value of 0022 may or may not be suitable depending on what you want.

----------

## strubbldesign

vsftpd won't start....

Is there any log file to see what happens? /var/log/.... doesn't contain any vsftpd file.

Here's the config I wanted to have... (probably):

> daxbau vsftpd # more /etc/vsftpd/vsftpd.conf
> 
> ############################
> 
> #      General Options     #
> ...

Any misconfig?

----------

## causality

I should say up-front that I am not at all familiar with vsftpd.

I read through an online manual page for it (at http://vsftpd.beasts.org/vsftpd_conf.html).  It sounds like the logfile should be in /var/log/vsftpd.log.  You may be interested in the option "syslog_enable=yes", which will make VSFTPD go through the normal system logger instead of trying to write its own files.  In fact, if you are running it non-root, you may have to do this, since only root has permissions to write to /var/log.

How were you starting it?  Were you using "/etc/init.d/vsftpd start"?  If not, that'd be the first thing to try.  If so, then for diagnostic purposes you can try running the daemon yourself (the executable is probably located in /usr/sbin but you can check by using the command "whereis vsftpd").

FYI the man page describes the "force_local_data_ssl" option this way:

> force_local_data_ssl
> 
>     Only applies if ssl_enable is activated. If activated, all non-anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections.
> 
>     Default: YES

----------

## strubbldesign

Yes, I start vsftpd via

```
/etc/init.d/vsftpd start
```

Done the editing, and I don't know where the prob could be...

----------

## strubbldesign

Well, I've made changes to /etc/vsftpd/vsftpd.conf

(here's the new one):

> ############################
> 
> #      General Options     #
> 
> ############################
> ...

The FTP starts fine via

```
/etc/init.d/vsftpd start
```

The problem is the connection...

I run

```
sftp fysi@localhost
```

and get:

> daxbau vsftpd # sftp fysi@localhost
> 
> Connecting to localhost...
> 
After minutes... still the same... tried it with FileZilla... which tells me the connection timed out (after a few sec.)

As I connect with my own user (fysi) and have "local_enable" and "write_enable" set to YES, I should be able to connect...

The same thing when I try it with a virtual user...

Any ideas?

Using this pam_pwdfile config:

> auth    required pam_pwdfile.so pwdfile /etc/vsftpd/passwd_ftp
> 
> account required pam_permit.so

and this /etc/vsftpd/passwd_ftp:

> chris:$1$WUkSBunu$Yf6UFKfI71ReT4dlEp93k/
> 
> mahcup:$1$uI7u7DcQ$EHzwDiP43FVY/N7mzDMwe.

(of course I've changed the hashes manually for posting)

Thanks for your help.

----------

## causality

Sftp is for connecting to an SSH (Secure SHell) server, and won't work with a vsftpd server.  SSH is primarily a secure, encrypted replacement for the insecure Telnet but it also includes SFTP.  Unless you are running SSHD and have it configured to accept SFTP requests, then your machine cannot service an SFTP client.

What you are running is a standard FTP daemon that supports SSL (Secure Sockets Layer).  SSL is also used anytime you access an https:// link with your Web browser.  They both use encryption, but otherwise SSL and SSH are quite different.  You'd need to use a standard FTP client that supports SSL to access your server.

Incidentally, I use SSHD and SFTP myself.  I wanted a secure way to access my own files remotely.  I run SSHD and have it configured so that no one has any sort of shell access (not even if they know a valid login and password).  Only one username/password can access SFTP, the files it can access are read-only (with one separate "uploads" directory that is writable), it's chrooted to that user's home directory, and is not allowed to run any programs or use anything other than SFTP.  The beauty of SSH is that you can really lock it down, as otherwise I'd be reluctant to run an Internet-facing server that I could live without.

Just wanted to add one thing.  If this is an Internet-facing server, you absolutely will get tons of automated password-guessing attempts against it.  It doesn't matter how obscure or unknown your server is.  There are entire botnets that seem to do nothing all day but scan random blocks of IP addresses looking for listening servers.  When they find a listening server, they try to guess passwords on it.  This is normal, not a big deal, and happens to anyone and everyone who ever runs any Internet-accessible server.  It's a good idea to plan for it.  You may want to consider installing Logsentry to help you keep an eye on things.  If you do switch to SFTP, I'd _highly_ recommend using SSHGuard as well.

Logsentry and SSHGuard are best regarded as "helpers" -- your real line of defense is the use of strong passwords and good file permissions.  In the case of SSH/SFTP, you could also have no passwords at all and use cryptographic keys instead.  The above is less of a concern if you are only accepting connections from local users and/or users on your LAN and not the global network, but is still a very good practice.

----------

## strubbldesign

Thanks for your advice...

So which FTP client should I use?? proftpd??

BTW: I wanna have it as secure as possible... (login and transfer data at least 256-bit encrypted)

At least I will have me and 7 further users... (Kerberos is not really what I'm looking for)

Please give me a hint about the USE flags which I should use:

```
[ebuild  N    ] net-ftp/proftpd-1.3.2b  USE="acl ipv6 mysql ncurses nls pam ssl tcpd -authfile -ban -case -clamav -deflate -hardened -ifsession -kerberos -ldap -noauthunix -opensslcrypt -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd
```

opensslcrypt? vroot? xinetd? mysql? (pam_file preferred)

Thanks

----------

## causality

I am sorry but I should not make a recommendation like that.  No one knows your machines, your network, and your specific needs quite like you do, so if I told you "yeah you should definitely use this particular program" it is very likely that I would lead you astray.  I wouldn't mean to, of course, but I just can't make a certain judgment like that about a network I have not personally examined (more importantly) servicing users I do not know.

What I can do is tell you what worked for me when I was faced with a similar situation.  I personally went with the net-misc/openssh package.  I then locked it down until it had no functionality left except the one or two things I needed it to do.  I found this to be a relatively simple solution and I especially liked the configurability.  SSH was obviously designed from the ground up with security in mind, and it shows.  I'd expect nothing less from the OpenBSD folks who designed that particular implementation.

The only caveat is that I sometimes want to access my SFTP server from a Windows machine (i.e. because I am at someone else's house and that's what they have) and that requires installing additional software (WinSCP, which is Open Source).  SSH and SFTP are well-supported on Unix.  For Windows machines, this might be a problem in a corporate environment, where users don't typically have permission to install software.

If you do decide to go with SSH/SFTP, I should be able to help you configure it.  I personally run such a server, while I have never personally run a standard FTP daemon like vsftpd or proftpd.  If you decide to go with a standard FTP daemon, someone more experienced with those should be able to help you.
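The lockdown causality describes above and in his earlier post (no shell access, one SFTP-only account, chrooted to its home, read-only tree with a single writable uploads directory, keys instead of passwords) maps onto an sshd_config fragment like the one below. This is an added example, not causality's own configuration; the `sftponly` group name and the `/srv/sftp` path are assumptions.

```conf
# Added example sshd_config fragment (assumed group: sftponly; assumed path: /srv/sftp).
# Use the in-process SFTP server so no shell or helper binary is needed inside the chroot.
Subsystem sftp internal-sftp

# Everything below applies only to members of the sftponly group.
Match Group sftponly
    # sshd refuses the chroot unless every component of this path is owned by root
    # and not writable by group or others. The writable "uploads" directory is a
    # subdirectory inside it, owned by the user (same shape as a non-writable FTP root
    # with a writable pub/ below it).
    ChrootDirectory /srv/sftp/%u
    # Force SFTP regardless of what the client asks for: no shell, no remote commands.
    ForceCommand internal-sftp
    # Keys only, as causality suggests; password guessing then has nothing to guess.
    PasswordAuthentication no
    # Close the other SSH channels the account has no business using.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Run `sshd -t` after editing to have sshd validate the file before restarting it; a root-owned, non-writable chroot directory is checked at login time, not at config-test time.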

----------

## Carman2313

Hi.  I got it working for me.  Here are details:

I have an external NTFS Gigabyte drive that I called "Store01".  This volume contains a directory called "/ftp".  I want anonymous ftp clients to upload to what is seen thru FTP as "/ftp/pub", and I want this to actually be /ftp on my NTFS drive.

First, vsftpd wants the anonymous root directory to be owned by ftp:ftp

So, I looked in the user file to find the id for ftp:

```
cat /etc/passwd
```

and found that on my system ftp is userid 14

Then I looked in the groups file to find the id for the ftp group:

```
cat /etc/group
```

and found that on my system the ftp group is 50

Next, I looked to see what device name my NTFS volume has:

```
fdisk -l
```

on my system, my NTFS volume is shown to be called: /dev/sdc1

So, I created a mount point for it thus (I'm arbitrarily calling it "Store01"):

```
mkdir /mnt/Store01
```

in /etc/fstab, this line gets the NTFS volume mounted at /mnt/Store01:

```
/dev/sdc1    /mnt/Store01    ntfs-3g    nls=utf8,auto,user,rw,uid=14,gid=50,umask=0000,defaults 0 0
```

Note that it is going to belong to user 14, which is ftp on my system, and group 50, which is ftp on my system.  VSFTPD requires that anonymous upload directories belong to ftp:ftp.

Now I define a mount point I want to use as my ftp anonymous root:

```
mkdir /var/ftp

chown root:root /var/ftp

mkdir /var/ftp/pub

chown ftp:ftp /var/ftp/pub
```

Notice /var/ftp is owned by root:root, and therefore cannot be written to by vsftpd.  This is a requirement of vsftpd for a ROOT anonymous directory, that the anonymous root directory not be writable. So, /var/ftp is what I'm going to use as the anonymous root directory.

But /var/ftp/pub is writable by vsftpd.  It appears to anonymous users as a "pub" directory on the FTP site where they can write files.

So I add this line to /etc/fstab, which will point /var/ftp/pub (the anonymous writable directory) to the /ftp folder on my NTFS volume:

```
/mnt/Store01/ftp    /var/ftp/pub    auto    bind 0 0
```

And finally, in /etc/vsftpd/vsftpd.conf, this line:

```
anon_root=/var/ftp
```

Now an anonymous user can upload into the "pub" directory, on the anonymous FTP site.  Files uploaded there will appear in /ftp on my NTFS volume.
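Both causality's warning about the `umask=` option and the `umask=0000` line in Carman2313's fstab above come down to one calculation: ntfs-3g has no real Unix permissions, so every file on the volume gets `0777 & ~umask`, owned by the uid/gid given. The following added script (not code from either poster) prints that result for an fstab option string; the only assumption beyond the thread is the ntfs-3g default of umask=0 when the option is absent.

```shell
#!/bin/sh
# Added example: report the Unix permissions ntfs-3g will "fake" for an
# fstab option string, so the effect of uid=/gid=/umask= can be checked
# before the volume is exposed through vsftpd.
# Assumption (ntfs-3g man page, not stated in the thread): when umask= is
# absent the default is 0, i.e. full access for everybody.

# ntfs_perm_report OPTIONS
#   Prints: uid=<n|unset> gid=<n|unset> umask=<octal> mode=<octal>
#           group_write=<yes|no> other_write=<yes|no>
ntfs_perm_report() {
    uid=unset; gid=unset; um=""
    old_ifs=$IFS; IFS=','
    for o in $1; do                      # walk the comma-separated options
        case $o in
            uid=*)   uid=${o#uid=} ;;
            gid=*)   gid=${o#gid=} ;;
            umask=*) um=${o#umask=} ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$um" ] || um=0
    # Effective bits are 0777 with the umask bits cleared; the leading 0
    # forces octal interpretation of the value exactly as written in fstab.
    mode=$(( 0777 & ~0$um ))
    gw=no; ow=no
    if [ $(( mode & 020 )) -ne 0 ]; then gw=yes; fi
    if [ $(( mode & 002 )) -ne 0 ]; then ow=yes; fi
    printf 'uid=%s gid=%s umask=%s mode=%04o group_write=%s other_write=%s\n' \
        "$uid" "$gid" "$um" "$mode" "$gw" "$ow"
}

# The two fstab option strings from this thread, plus a constructed
# restrictive variant for comparison.
ntfs_perm_report 'nls=utf8,auto,rw,user'
ntfs_perm_report 'nls=utf8,auto,user,rw,uid=14,gid=50,umask=0000,defaults'
ntfs_perm_report 'rw,uid=14,gid=50,umask=0027'
```

With umask=0000 (or no umask at all) every local account can write anywhere on the volume, not only the ftp user through vsftpd; a value such as umask=0027 keeps the uid/gid owner's access while denying writes, and reads, to everyone else.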

----------

