Very Secure FTP Daemon

From ArchWiki
Revision as of 23:50, 28 August 2015 (Fri) by Kusakata (talk | contribs)

vsftpd (Very Secure FTP Daemon) is a lightweight, stable and secure FTP server for UNIX-like systems.

Installation

Install vsftpd from the official repositories.

Start and enable the vsftpd.service daemon.

To use vsftpd with xinetd, see #Using xinetd.

Configuration

Most of vsftpd's configuration is done by editing the /etc/vsftpd.conf file. The file is well commented, so this section only covers the important changes. For all available options and their documentation, see the vsftpd.conf(5) man page or read it online. The default files are located in /srv/ftp.

Enabling uploads

To allow changes to the filesystem, such as uploads, the write_enable flag in /etc/vsftpd.conf needs to be set to YES:

write_enable=YES

Local user login

To allow users listed in /etc/passwd to log in, the following line needs to be set in /etc/vsftpd.conf:

local_enable=YES

Anonymous login

To allow anonymous users to log in, edit /etc/vsftpd.conf as follows:

# Allow anonymous login
anonymous_enable=YES
# No password is required for an anonymous login
no_anon_password=YES
# Maximum transfer rate for an anonymous client in bytes/second
anon_max_rate=30000
# Directory to be used for an anonymous login
anon_root=/example/directory/

Chroot jail

A chroot environment that prevents users from leaving their home directory can be set up. To enable it, add the following lines to /etc/vsftpd.conf:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

The chroot_list_file variable specifies the file which contains users that are jailed.

For a more restricted environment, specify the line:

chroot_local_user=YES

This will make local users jailed by default. In this case, the file specified by chroot_list_file lists users that are not in a chroot jail.

Limiting user logins

It is possible to prevent users from logging into the FTP server by adding two lines to /etc/vsftpd.conf:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list

userlist_file now specifies the file which lists users that are not able to log in.

If you only want to allow certain users to log in, add the line:

userlist_deny=NO

The file specified by userlist_file will now contain the users that are able to log in.

Limiting connections

The data transfer rate, the number of clients and the number of connections per IP for local users can be limited by adding the following to /etc/vsftpd.conf (vsftpd expects one option=value per line, so the comments go on their own lines):

# Maximum data transfer rate in bytes per second
local_max_rate=1000000
# Maximum number of clients that may be connected
max_clients=50
# Maximum connections per IP
max_per_ip=2

Using xinetd

Xinetd provides enhanced capabilities for monitoring and controlling connections. It is not necessary, however, for a basic working vsftpd server.

Installing vsftpd adds the necessary service file, /etc/xinetd.d/vsftpd. By default the service is disabled. Enable the ftp service by setting disable = no:

service ftp
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/bin/vsftpd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable                 = no
}

If you have set the vsftpd daemon to run in standalone mode, make the following change in /etc/vsftpd.conf:

listen=NO

Otherwise connections will fail with:

500 OOPS: could not bind listening IPv4 socket

Instead of starting the vsftpd daemon, start and enable xinetd.service.

Securing FTP with SSL

Generate an SSL certificate as follows:

# cd /etc/ssl/certs
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
# chmod 600 /etc/ssl/certs/vsftpd.pem

You will be asked a lot of questions about your company etc.; as your certificate is not a trusted one, it does not really matter what you fill in, since you will only use it for encryption. If you plan to use it where trust matters, get one from a CA such as Thawte, VeriSign etc.

Edit your configuration in /etc/vsftpd.conf:

#this is important
ssl_enable=YES

#choose what you like, if you accept anon-connections
# you may want to enable this
# allow_anon_ssl=NO

#choose what you like,
# it's a matter of performance i guess
# force_local_data_ssl=NO

#choose what you like
force_local_logins_ssl=YES

#you should at least enable this if you enable ssl...
ssl_tlsv1=YES
#choose what you like
ssl_sslv2=YES
#choose what you like
ssl_sslv3=YES
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem

Dynamic DNS

Add the following two lines to /etc/vsftpd.conf:

pasv_addr_resolve=YES
pasv_address=yourdomain.noip.info

With these it is not necessary to use a script that periodically updates pasv_address and restarts the server, as is suggested elsewhere.

Note: You will no longer be able to connect in passive mode over the LAN. Use active mode in the FTP client on your LAN PC instead.

Port configuration

Especially for private FTP servers that are exposed to the web, it is recommended to change the listening port to something other than the standard port 21. This can be done with the following line in /etc/vsftpd.conf:

listen_port=2211

Furthermore, a custom passive port range can be given by:

pasv_min_port=49152
pasv_max_port=65534

iptables configuration

The server running the FTP daemon may be protected by an iptables firewall. To make the FTP server reachable, the appropriate port needs to be opened, for example:

# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 2211 -j ACCEPT

This article does not explain how to configure iptables; see Simple stateful firewall instead.

Some kernel modules are needed for proper FTP connection handling by iptables, especially ip_conntrack_ftp. It is needed because FTP uses the configured listen_port (21 by default) for commands only; all data transfer is done over different ports, which the FTP daemon chooses at random for each session (and which also depend on whether active or passive mode is used). To tell iptables that packets on those ports should be accepted, ip_conntrack_ftp is required. To load it automatically on boot, create a new file in /etc/modules-load.d, e.g.:

# echo nf_conntrack_ftp > /etc/modules-load.d/nf_conntrack_ftp.conf

If you changed the listen_port you also need to configure the conntrack module accordingly:

/etc/modprobe.d/ip_conntrack_ftp.conf
options nf_conntrack_ftp ports=2211

Tips and tricks

PAM and virtual users (updated)

Since PAM no longer provides pam_userdb.so, another easy method is to use pam_pwdfile (AUR). For environments with many users another option could be pam_mysql (AUR). This section is however limited to explaining how to configure a chroot environment and authentication with pam_pwdfile.so.

In this example we create the directory vsftpd:

# mkdir /etc/vsftpd

One option to create and store user names and passwords is to use the Apache generator htpasswd (the -c switch creates the file; the user name is given as the second argument):

# htpasswd -c /etc/vsftpd/.passwd username1

A problem with the above command is that vsftpd might not be able to read the generated MD5 hashed password. If the same command is run with the -d switch (crypt() encryption), the password becomes readable by vsftpd, but the downside is less security and a password limited to 8 characters. OpenSSL can be used to produce an MD5-based BSD password with algorithm 1:

# openssl passwd -1

Whichever solution you choose, the resulting /etc/vsftpd/.passwd should look like this:

username1:hashed_password1
username2:hashed_password2
...

Next you need to create a PAM service using pam_pwdfile.so and the generated /etc/vsftpd/.passwd file. In this example we create a file in the /etc/pam.d directory named vsftpd with the following content:

auth required pam_pwdfile.so pwdfile /etc/vsftpd/.passwd
account required pam_permit.so

Now it is time to create a home for the virtual users. In this example /srv/ftp is chosen to host the data of the virtual users, which also reflects the default directory structure of Arch. First create the general user virtual and make /srv/ftp its home:

# useradd -d /srv/ftp virtual

Make virtual the owner:

# chown virtual:virtual /srv/ftp

A basic /etc/vsftpd.conf with no private folders configured, which defaults to the home folder of the virtual user:

# pointing to the correct PAM service file
pam_service_name=vsftpd
write_enable=YES
hide_ids=YES
listen=YES
connect_from_port_20=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
virtual_use_local_privs=YES

Some parameters might not be necessary for your own setup. If you want the chroot environment to be writable you will need to add the following to the configuration file:

allow_writeable_chroot=YES

Otherwise vsftpd, because of its default security settings, will complain if it detects that the chroot is writable.

Start the vsftpd daemon:

# systemctl start vsftpd

You should now be able to log in from an FTP client with any of the users and passwords stored in /etc/vsftpd/.passwd.
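Before restarting the daemon after further edits, it is worth checking the file for two things: the strict option=value line format that vsftpd.conf(5) requires (no whitespace around '=', no trailing comments) and the settings discussed on this page that weaken security (ssl_sslv2/ssl_sslv3 from #Securing FTP with SSL, allow_writeable_chroot above, force_local_logins_ssl=NO, local users left outside the chroot). The following linter is an added example, not code from the ArchWiki page or the vsftpd project; the sample configuration inside it is constructed.

```python
# Added example (not from the ArchWiki page or the vsftpd project): a linter
# for vsftpd.conf that checks the strict "option=value" line format from
# vsftpd.conf(5) and flags settings discussed on this page that weaken security.
import re

DIRECTIVE_RE = re.compile(r"^([a-z0-9_]+)=(.*)$")

# Constructed sample: the SSL setup from this page plus two lines vsftpd rejects.
SAMPLE_CONF = """\
local_enable=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
force_local_logins_ssl=YES
allow_writeable_chroot=YES
max_per_ip=2           # inline comments are not part of the format
 chroot_local_user=YES
"""

def parse_vsftpd_conf(text):
    """Return (settings, errors). Valid lines are blank, '#' comments, or
    option=value with no whitespace around '=' and no '#' in the value."""
    settings, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m is None or "#" in m.group(2) or m.group(2) != m.group(2).strip():
            errors.append(f"line {lineno}: not a plain option=value line: {line!r}")
            continue
        settings[m.group(1)] = m.group(2)
    return settings, errors

def audit_vsftpd_conf(settings):
    """Return messages for settings from this page that weaken security."""
    yes = lambda key: settings.get(key, "").upper() == "YES"
    findings = []
    if yes("ssl_enable"):
        for proto in ("ssl_sslv2", "ssl_sslv3"):
            if yes(proto):  # both protocols are obsolete (RFC 6176, RFC 7568)
                findings.append(f"{proto}=YES: obsolete protocol, keep only ssl_tlsv1=YES")
        if settings.get("force_local_logins_ssl", "").upper() == "NO":
            findings.append("force_local_logins_ssl=NO: passwords may be sent in clear text")
    if yes("allow_writeable_chroot"):
        findings.append("allow_writeable_chroot=YES: use a read-only jail root with a writable subdirectory")
    if yes("local_enable") and not yes("chroot_local_user"):
        findings.append("chroot_local_user is not YES: local users are not jailed by default")
    return findings
```

Run parse_vsftpd_conf() on the text of /etc/vsftpd.conf and pass the settings to audit_vsftpd_conf(); format errors come back from the parser, security findings from the audit.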

Adding private folders for virtual users

First create directories for users:

# mkdir /srv/ftp/user1
# mkdir /srv/ftp/user2
# chown virtual:virtual /srv/ftp/user?/

Then, add the following lines to /etc/vsftpd.conf:

local_root=/srv/ftp/$USER
user_sub_token=$USER

Troubleshooting

vsftpd: cannot connect with recent kernels (3.5 and later) and .service (Error 500)

Add the following to /etc/vsftpd.conf:

seccomp_sandbox=NO

vsftpd: refusing to run with writable root inside chroot()

As of vsftpd 2.3.5, the chroot directory that users are locked into must not be writable. This is in order to prevent a security vulnerability.

The safe way to allow uploads is to keep chroot enabled and configure your FTP directories so that only a subdirectory is writable:

local_root=/srv/ftp/user

# mkdir -p /srv/ftp/user/upload
# chmod 550 /srv/ftp/user
# chmod 750 /srv/ftp/user/upload
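As an added example that is not part of the ArchWiki page or of vsftpd, the following script builds this layout for several virtual users at once and checks that each jail root ends up non-writable. The /srv/ftp base, the owner account virtual and the user names user1 and user2 are taken from #PAM and virtual users above; the demo_layout() helper builds the tree under a temporary directory instead.

```python
# Added example (not from the ArchWiki page or the vsftpd project): build the
# layout above for several virtual users, so each jail root (base/<user>) is
# not writable and only its upload/ subdirectory is. The /srv/ftp base, the
# owner account 'virtual' and the user names follow this page's example.
import os
import pwd
import stat
import tempfile

def make_user_trees(base, users, owner="virtual"):
    """Create base/<user> (mode 550) with base/<user>/upload (mode 750).
    Ownership is changed to `owner` only when running as root and that
    account exists; otherwise the directories keep the caller's identity."""
    ids = None
    if os.geteuid() == 0:
        try:
            pw = pwd.getpwnam(owner)
            ids = (pw.pw_uid, pw.pw_gid)
        except KeyError:
            pass  # owner account absent on this machine: skip chown
    roots = []
    for user in users:
        root = os.path.join(base, user)
        upload = os.path.join(root, "upload")
        os.makedirs(upload, exist_ok=True)
        if ids:
            os.chown(root, *ids)
            os.chown(upload, *ids)
        os.chmod(upload, 0o750)  # the only place the user may write
        os.chmod(root, 0o550)    # jail root: read and traverse only
        roots.append(root)
    return roots

def dir_mode(path):
    """Permission bits of a directory as an int, e.g. 0o550."""
    return stat.S_IMODE(os.stat(path).st_mode)

def jail_root_is_writable(path):
    """Conservative form of the check vsftpd 2.3.5+ applies: True if any write
    bit is set on the jail root (the exact vsftpd test is not reproduced)."""
    return bool(dir_mode(path) & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))

def demo_layout(users=("user1", "user2")):
    """Build the layout under a throwaway base directory instead of /srv/ftp
    and return {root: writable?} so the result can be inspected offline."""
    base = tempfile.mkdtemp(prefix="vsftpd-demo-")
    return {r: jail_root_is_writable(r) for r in make_user_trees(base, users)}

if __name__ == "__main__":
    for root, writable in demo_layout().items():
        print(root, "writable jail root:", writable)
```

For the real setup call make_user_trees("/srv/ftp", [...]) as root and keep local_root=/srv/ftp/$USER with user_sub_token=$USER as shown in #Adding private folders for virtual users.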

If you must:

You can put the following into your /etc/vsftpd.conf to work around this security enhancement (since vsftpd 3.0.0; from Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()):

allow_writeable_chroot=YES

or alternatively:

Install vsftpd-ext (AUR) from the AUR and set allow_writable_root=YES in the configuration file.

FileZilla Client: GnuTLS error -8 when connecting via SSL

vsftpd tries to display plain-text error messages in the SSL session. In order to debug this, temporarily disable encryption and you will see the correct error message.[1]

vsftpd.service does not start at boot

If vsftpd is enabled but does not start at boot, check that the service file is configured to load after network.target:

/usr/lib/systemd/system/vsftpd.service
[Unit]
Description=vsftpd daemon
After=network.target

See also