# FTP Server

## chr0n0

How can I set up an FTP server from my home box? I have tried VSFTP, pro-FTP and pure-ftpd. None of them seem to work. I have been trying to configure them all day and just can't get any of them to work. I am behind a NAT, but I have tried forwarding ports and have had no success.

What I want: to have one directory that is in a chroot jail that others can use to download files. How can I achieve this?

Is there an EASY way to set up an FTP server? Something that doesn't take a networking expert?

----------

## hanj

Hello

What's the exact problem? Those FTP servers should be pretty easy to set up. Are users hitting the service? Is the service starting? Are users having trouble accessing the files? My gut tells me it's the port forward issue on the router or something similar to that. I guess we need to determine what's not working.

Thanks!

hanji

----------

## chr0n0

```
# Config file for /etc/init.d/pure-ftpd

##Comment variables out to disable its features, or change the values in it... ##

## This variable must be uncommented in order for the server to start ##
IS_CONFIGURED="yes"

## FTP Server,Port (separated by comma) ##
## If you prefer host names over IP addresses, it's your choice:
## SERVER="-S ftp.rtchat.com,21"
## IPv6 addresses are supported.
## !!! WARNING !!!
## Using an invalid IP will result in the server not starting,
## but reporting a correct start!
## SERVER="-S 192.168.0.1,21"
## By default binds to all available IPs.
SERVER="-S xxx.xxx.xxx.xxx,21"

## Number of simultaneous connections in total, and per IP ##
MAX_CONN="-c 2"
MAX_CONN_IP="-C 1"

## Start daemonized in background ##
DAEMON="-B"

## Don't allow uploads if the partition is more full then this var ##
DISK_FULL="-k 90%"

## If your FTP server is behind a NAT box, uncomment this ##
USE_NAT="-N"

## Authentication mechanisms (others are 'pam', ...) ##
## Further infos can be found in the README file.
AUTH="-l unix"

## Change the maximum idle time (in minutes) ##
## If this variable is not defined, it will default to 15 minutes.
#TIMEOUT="-I <timeout>'"

## Facility used for syslog logging ##
## If this variable is not defined, it will default to the 'ftp' facility.
## Logging can be disabled with '-f none'.
#LOG="-f <facility>"

## Charset conversion support *experimental* ##
## Only works if USE "charconv" is enabled (only Pure-FTPd >=1.0.21).
## Set the charset of the filesystem.
# CHARCONV="--fscharset <charset>"

## If you want to process each file uploaded through Pure-FTPd, enter the name
## of the script that should process the files below.
## man pure-uploadscript to learn more about how to write this script.
# UPLOADSCRIPT="/path/to/uploadscript"

## Misc. Others ##
MISC_OTHER="-A -x -j -R -Z"
#
# Use these inside $MISC_OTHER
# More can be found on "http://download.pureftpd.org/pub/pure-ftpd/doc/README"
#
# -A [ chroot() everyone, but root ]
# -e [ Only allow anonymous users ]
# -E [ Only allow authenticated users. Anonymous logins are prohibited. ]
# -i [ Disallow upload for anonymous users, whatever directory perms are ]
# -j [ If the home directory of a user doesn't exist, auto-create it ]
# -M [ Allow anonymous users to create directories. ]
# -R [ Disallow users (even non-anonymous ones) usage of the CHMOD command ]
# -x [ In  normal  operation mode, authenticated users can read/write
#   files beginning with a dot ('.'). Anonymous users can't, for security reasons
#   (like changing banners or a forgotten .rhosts). When '-x' is used, authenticated
#   users can download dot-files, but not overwrite/create  them,  even  if they own
#   them. ]
# -X [ This  flag  is  identical  to  the  previous one (writing
#       dot-files is prohibited), but in addition, users can't even *read* files and
#       directories beginning with a dot (like "cd .ssh"). ]
# -D [ List files beginning with a dot ('.') even when the client doesn't
#      append the '-a' option to the list command. A workaround for badly
#      configured FTP clients. ]
# -G [ Disallow renaming. ]
# -d [ Send various debugging messages to the syslog. ONLY for DEBUG ]
# -F <fortune file> [ Display a fortune cookie on login. Check the README file ]
# -H [ By default, fully-qualified host names are logged. The '-H' flag avoids host names resolution. ]
```

That's my config for pure-ftpd. I copied it into /etc. I then created a new group and a user assigned to /home/ftp. I then tried forwarding my ports in my router (I use Tomato firmware). I have tried connecting with my FTP client and nothing.

I am a bit confused about what the "AUTH" variable in this config file should be. Also, I am a bit confused about whether I should compile pure-ftpd with the xinetd USE flag or not. I have tried it both ways and still I can't connect.

----------

## hanj

Are you trying to connect from the 'outside'? Also, are you seeing anything in the FTP logs? I personally use vsftpd, so I'm not too familiar with pure-ftpd. Let's make sure the service is running. Can you show me the output of:

```
netstat -lnp | grep 21
```

and

```
ps aux | grep pure
```

Also, are you using a firewall (iptables) on that machine? Are you blocking incoming requests?

hanji

----------

## chr0n0

I am going to go emerge VSFTPD so maybe you can have an easier time helping me. Are there any particular USE flags I need to compile in? Should I use xinetd or not?

----------

## hanj

These are my USE flags...

```
[ebuild   R   ] net-ftp/vsftpd-2.0.7-r1  USE="logrotate pam ssl tcpd -caps (-selinux) -xinetd" 0 kB
```

hanji

----------

## chr0n0

OK, I got it compiled. What should I add to the config file for a basic setup? That is, I want to allow a couple of users to log into a chrooted directory.

----------

## hanj

You'll need to edit a few files in /etc/vsftpd.

The ftpusers file has the users who are NOT allowed to connect. I would include all the users in /etc/passwd except the users you want to connect.

Here is my vsftpd.conf

```
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
log_ftp_protocol=YES
idle_session_timeout=600
data_connection_timeout=120
nopriv_user=ftpsecure
ftpd_banner='FTP Service'
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot
pasv_min_port=50231
pasv_max_port=50251
listen=YES
```

vsftpd.chroot is a blank file. I'm not sure if the emerge created the ftpsecure user. If not, you'll need to create him.

```
groupadd ftpsecure
useradd -s /bin/false -d /home/ftpsecure -g ftpsecure ftpsecure
```

Add it to the default runlevel:

```
rc-update add vsftpd default
```

Start the service:

```
/etc/init.d/vsftpd start
```

Check the logs for anything weird:

```
tail -f /var/log/vsftpd.log
```

Check to make sure the port is open and the process is hot:

```
ps aux | grep vsftpd
netstat -lnp | grep 21
```

If you see something with those two commands your FTP server is running. Next is to see what the problem is with connections. Make sure the user you want to connect has a home directory somewhere.

hanji

----------

## chr0n0

When I try to start vsftpd, I get the following:

```
/etc/init.d/vsftpd start
 * Starting vsftpd ...                                   [ !! ]
```

I did everything exactly as you outlined.

Also, when I try to view the log, I get:

```
tail -f /var/log/vsftpd.log
tail: cannot open `/var/log/vsftpd.log' for reading: No such file or directory
```

----------

## hanj

Can you post the contents of /etc/init.d/vsftpd?

Thanks!

hanji

----------

## chr0n0

```
#!/sbin/runscript
# Copyright 2003-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License, v2
# $Header: /var/cvsroot/gentoo-x86/net-ftp/vsftpd/files/vsftpd.init,v 1.7 2008/12/26 16:50:15 armin76 Exp $

VSFTPD_NAME=${SVCNAME##*.}
if [ -n "${VSFTPD_NAME}" -a "${SVCNAME}" != "vsftpd" ]; then
    VSFTPD_PID="/var/run/vsftpd.${VSFTPD_NAME}.pid"
    VSFTPD_CONF_DEFAULT="/etc/vsftpd/${VSFTPD_NAME}.conf"
else
    VSFTPD_PID="/var/run/vsftpd.pid"
    VSFTPD_CONF_DEFAULT="/etc/vsftpd/vsftpd.conf"
fi
VSFTPD_CONF=${VSFTPD_CONF:-${VSFTPD_CONF_DEFAULT}}
VSFTPD_EXEC=${VSFTPD_EXEC:-/usr/sbin/vsftpd}

depend() {
   need net
   use dns logger
}

checkconfig() {
   if [ ! -e ${VSFTPD_CONF} ] ; then
      eerror "Please setup ${VSFTPD_CONF} before starting vsftpd"
      eerror "There are sample configurations in /usr/share/doc/vsftpd"
      return 1
   fi
   if egrep -iq "^ *background *= *yes" "${VSFTPD_CONF}" ; then
      eerror "${VSFTPD_CONF} must not set background=YES"
      return 1
   fi
   local has_ip=false has_ipv6=false ip_error=true
   egrep -iq "^ *listen *= *yes" "${VSFTPD_CONF}" && has_ip=true
   egrep -iq "^ *listen_ipv6 *= *yes" "${VSFTPD_CONF}" && has_ipv6=true
   if ${has_ip} && ! ${has_ipv6} ; then
      ip_error=false
   elif ! ${has_ip} && ${has_ipv6} ; then
      ip_error=false
   fi
   if ${ip_error} ; then
      eerror "${VSFTPD_CONF} must contain listen=YES or listen_ipv6=YES"
      eerror "but not both"
      return 1
   fi
}

start() {
   checkconfig || return 1
   ebegin "Starting ${SVCNAME}"
   start-stop-daemon --start --exec ${VSFTPD_EXEC} \
      --background --make-pidfile --pidfile "${VSFTPD_PID}" \
      -- "${VSFTPD_CONF}"
   eend $?
}

stop() {
   ebegin "Stopping ${SVCNAME}"
   if [ -f ${VSFTPD_PID} ]; then
      start-stop-daemon --stop --pidfile ${VSFTPD_PID}
   else
      ewarn "Couldn't found ${VSFTPD_PID} trying to stop over the process name ${SVCNAME}"
      start-stop-daemon --stop --name ${SVCNAME}
   fi
   eend $?
}

# vim: ts=4
```

----------

## hanj

Can you post the output of this:

```
netstat -lnp | grep 21
```

Thanks!

hanji

----------

## chr0n0

```
netstat -lnp | grep 21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     13681/xinetd
udp6       0      0 fe80::21d:7dff:fea3:123 :::*                               5373/ntpd
unix  2      [ ACC ]     STREAM     LISTENING     10121    5856/kdeinit Runnin /tmp/ksocket-chr0n0/kdeinit-:0
```

----------

## hanj

That's what I thought. It looks like port 21 is already bound by an xinetd process. Must have been related to pure-ftpd? You need to stop that service. Verify nothing is listening on port 21 before starting vsftpd. vsftpd can't bind to an already bound port.

hanji

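Added example (not from this thread, nor from vsftpd or Gentoo): a small POSIX sh pre-flight script that automates the two checks hanj walks through, namely which process already owns port 21, and whether a vsftpd.conf would pass the init script's checkconfig() and still carry the jail settings from his config. `port_owner` matches on the port column of `netstat -lnp` output, so the ntpd and kdeinit lines that a plain `grep 21` also catches are ignored; the netstat sample is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the vsftpd setup discussed in this thread.
# Constructed sample of `netstat -lnp` output, modelled on the lines chr0n0 posted.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     13681/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     1234/sshd
udp6       0      0 fe80::21d:7dff:fea3:123 :::*                               5373/ntpd'

# Print "PID/program" of the TCP listener on port $1, reading netstat -lnp from stdin.
# Matching on the local-address column avoids the false hits a plain "grep 21"
# gives (the ntpd port-123 line, socket inode numbers, and so on).
port_owner() {
    awk -v port="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] == port) { print $NF; exit }
    }'
}

# True when config file $1 contains "$2=$3" (case-insensitive, whitespace tolerant).
conf_has() { grep -iq "^ *$2 *= *$3 *$" "$1"; }

# Check a vsftpd.conf: the rules the Gentoo init script's checkconfig() enforces
# (exactly one of listen/listen_ipv6, no background=YES) plus the two settings
# from hanj's config that keep users jailed and anonymous access off.
# Prints each problem; returns 0 only when every check passes.
check_vsftpd_conf() {
    conf="$1"; rc=0; listeners=0
    conf_has "$conf" listen yes && listeners=$((listeners + 1))
    conf_has "$conf" listen_ipv6 yes && listeners=$((listeners + 1))
    [ "$listeners" -eq 1 ] || { echo "$conf: need exactly one of listen=YES / listen_ipv6=YES"; rc=1; }
    conf_has "$conf" background yes && { echo "$conf: background=YES is rejected by the init script"; rc=1; }
    conf_has "$conf" anonymous_enable no || { echo "$conf: set anonymous_enable=NO"; rc=1; }
    conf_has "$conf" chroot_local_user yes || { echo "$conf: set chroot_local_user=YES to jail users"; rc=1; }
    return $rc
}

# Demo on the constructed sample: who is already holding port 21?
owner=$(printf '%s\n' "$SAMPLE_NETSTAT" | port_owner 21)
if [ -n "$owner" ]; then
    echo "port 21 already bound by $owner; stop it before starting vsftpd"
else
    echo "port 21 is free"
fi
# Then check the real config, if this box has one.
if [ -r /etc/vsftpd/vsftpd.conf ]; then
    check_vsftpd_conf /etc/vsftpd/vsftpd.conf && echo "vsftpd.conf looks sane"
fi
```

On a live system, pipe real output in with `netstat -lnp | port_owner 21` (run as root so the PID/program column is filled in).
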
----------

## chr0n0

*hanj wrote:*

> That's what I thought. It looks like port 21 is already bound by an xinetd process. Must have been related to pure-ftpd? You need to stop that service. Verify nothing is listening on port 21 before starting vsftpd. vsftpd can't bind to an already bound port.
> 
> hanji

 


All I had to do was restart xinetd. I must not have restarted it since I unmerged pure-ftpd. Now vsftpd starts. What's the best way to test?

----------

## hanj

Did you verify that the process is there and the port is bound by vsftpd?

hanji

----------

## chr0n0

Yes, it is:

```
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     386/vsftpd
```

Now should I fire up FileZilla and try to connect, or is there something else I should do first? (I assume I need to port forward.)

----------

## hanj

We should test one thing at a time. We should test direct connection via your LAN first. Do you have another machine on the LAN? We don't want to mess with port forwards yet. Connect to your IP on port 21 (assuming it's a 10.0.0.x or 192.168.0.x, etc). See if you can connect and then log in. The next step after that is to see if you can connect from outside your router and verify that port forward is working.

hanji

----------

## chr0n0

*hanj wrote:*

> We should test one thing at a time. We should test direct connection via your LAN first. Do you have another machine on the LAN? We don't want to mess with port forwards yet. Connect to your IP on port 21 (assuming it's a 10.0.0.x or 192.168.0.x, etc). See if you can connect and then log in. The next step after that is to see if you can connect from outside your router and verify that port forward is working.
> 
> hanji

 

OK, I do have a Windows PC on my LAN. Both it and my Gentoo box are behind the router (WRT54GL running Tomato). Should I try with my other machine first?

EDIT: I just tried to connect locally via my browser: ftp://192.168.1.100:21. I am now getting a prompt for username and password. I set up the user ftpsecure as you suggested. However, when it connects, there is nothing there. Do I need to change permissions on /home/ftpsecure?

EDIT #2:

OK, I figured it out partially, I think. I moved some files into /home/ftpsecure, and now they show up when I log in via my FTP client or via my browser. So, it seems to work when I log in locally (from the machine my FTP server is on). Now I just need to test from outside.

----------

## hanj

Hello

Logging in should send you to your /home directory. Make sure a home directory is set up for the user you're logging in as. It does sound like FTP is working locally, so yes, an external check is required next. You'll want to watch the firewall logs to see if there are blocks, etc. If you're not getting the FTP service, it'll mean that your port forward is not working, or possibly NAT is fighting you, but it's not going to be vsftpd.

Good luck!

hanji

----------

## chr0n0

*hanj wrote:*

> Hello
> 
> Logging in should send you to your /home directory. Make sure a home directory is set up for the user you're logging in as. It does sound like FTP is working locally, so yes, an external check is required next. You'll want to watch the firewall logs to see if there are blocks, etc. If you're not getting the FTP service, it'll mean that your port forward is not working, or possibly NAT is fighting you, but it's not going to be vsftpd.
> 
> Good luck!
> ...

 

Which ports should I forward? Just 21? Or do I need to forward 20 as well?

Secondly, I am using this to "link" folders into the FTP directory:

```
mount --bind /path/to/folder /home/ftpsecure
```

One question: how can I unbind this if I want to in the future?

----------

## hanj

I would just forward port 21. And on your second question, you should be able to do a umount.

hanji

----------

## chr0n0

*hanj wrote:*

> I would just forward port 21. And on your second question, you should be able to do a umount.
> 
> hanji

 

Thanks VERY much for your help and time, hanj. It seems to be working perfectly!

----------

## hanj

That's great! Glad it's working for you.

hanji

----------

