Sunday, May 24, 2009

Configure vsftpd in CentOS

FTP is an old and insecure file transfer protocol that still sees wide use. FTP uses a client/server model in which an FTP server listens for connections from an FTP client. Depending on the server's configuration, files can be transferred in either direction. By default, an FTP server listens on TCP port 21. This is the control connection, used to log in and issue commands; the actual file transfers (and directory listings) take place over a separate data connection on a different port.

FTP operates in two modes, active and PASV (pronounced "passive"). In active mode the client dictates the port to be used for the data connection and the server connects back to the client; in passive mode the server chooses the port and the client connects to it. This distinction matters for port forwarding and firewalling: with passive mode, only the server side needs to accept inbound connections, and only on a port range you control.

vsftpd is an FTP server daemon for *nix systems, built with speed and security in mind. It is packaged with CentOS, among other distributions, and should be in the repositories of most systems. There is an option (local_enable) that allows each user on the system to authenticate with their Unix login and password and have FTP access to their home directory. This is very dangerous. Let me repeat that: This is very dangerous.

Using FTP, everything is transmitted in cleartext: all data, connection requests, usernames, and passwords are sent unencrypted. By allowing users to log into the FTP server with their Unix login, that password is exposed to anyone who can observe the traffic, and with it the system account itself. The solutions are to replace FTP with FTPS (FTP over SSL/TLS) or SFTP/SCP (file transfer over SSH). For file transfers where confidentiality is not a concern, such as publishing files that are meant to be public anyway, plain FTP remains a convenient solution.

On my CentOS server, I configured vsftpd to allow anonymous read-only access. To do this, you must first assume superuser privileges. The vsftpd config files are located in /etc/vsftpd. Before changing anything, make a copy of the file you are about to edit:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original
Now open the file at /etc/vsftpd/vsftpd.conf with a text editor and locate these two lines:
local_enable=YES
write_enable=YES
Change them to read:
local_enable=NO
write_enable=NO
Now add these lines at the end of the file:
pasv_enable=YES
pasv_min_port=7090
pasv_max_port=7099
This enables passive transfers and establishes a ten-port range over which data connections may occur. I chose this range arbitrarily; you can use any range of unprivileged ports (above 1023) not already in use by another service on your network. Keep in mind that each concurrent transfer occupies one port, so a ten-port range allows roughly ten simultaneous data connections. For anonymous logins to work, the file must also still contain anonymous_enable=YES (the CentOS default); with write_enable=NO, anonymous users can only download. You will need to add this port range plus port 21 to your firewall exceptions. Not sure how to do this in CentOS with iptables? Check out this post.

Files you want to distribute via your new anonymous FTP server should reside in /var/ftp/, the home directory of the ftp user. To start vsftpd, type this:
/sbin/service vsftpd start
If you want vsftpd to start with the system whenever it boots, type:
/sbin/chkconfig vsftpd on
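The whole procedure above, as an added example that is not part of the original post: a small POSIX shell script that applies the read-only anonymous settings to a vsftpd.conf idempotently (backing the file up first, as the post does), verifies that the result really is read-only and anonymous-only, and prints the iptables rules for port 21 and the PASV range. The function names are this example's own; the settings, the backup path and the 7090-7099 range are the ones used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the read-only anonymous
# vsftpd profile described above to a config file, verify it, and print the
# matching iptables rules. Function names are assumptions of this example.

# Print the value of key $2 in config $1. vsftpd requires "option=value" with
# no spaces around the "=", so only such lines are considered; the last wins.
vsftpd_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Set key $2 to value $3 in config $1: rewrite an existing line in place,
# otherwise append. Written via a temp file so it works with any sed.
vsftpd_set() {
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Back up the config once (to the .original name the post uses), then apply
# the post's settings. anonymous_enable is set explicitly because anonymous
# logins are the point of this setup; do not rely on the distro default.
configure_anon_readonly() {
    conf="$1"
    [ -f "$conf.original" ] || cp "$conf" "$conf.original"
    vsftpd_set "$conf" anonymous_enable YES
    vsftpd_set "$conf" local_enable NO   # no Unix logins over cleartext FTP
    vsftpd_set "$conf" write_enable NO   # no STOR, DELE, RNFR/RNTO, MKD, RMD, APPE
    vsftpd_set "$conf" pasv_enable YES
    vsftpd_set "$conf" pasv_min_port 7090
    vsftpd_set "$conf" pasv_max_port 7099
}

# Return 0 only if the config is read-only, anonymous-only and has a sane
# PASV range; report the first violated setting on stderr.
check_anon_readonly() {
    conf="$1"
    for want in anonymous_enable=YES local_enable=NO write_enable=NO pasv_enable=YES; do
        key=${want%%=*}
        val=${want#*=}
        if [ "$(vsftpd_get "$conf" "$key")" != "$val" ]; then
            echo "$conf: expected $want, got $key=$(vsftpd_get "$conf" "$key")" >&2
            return 1
        fi
    done
    min=$(vsftpd_get "$conf" pasv_min_port)
    max=$(vsftpd_get "$conf" pasv_max_port)
    for p in "$min" "$max"; do
        case "$p" in
            ""|*[!0-9]*) echo "$conf: pasv_min_port/pasv_max_port must be numbers" >&2; return 1 ;;
        esac
    done
    [ "$min" -gt 1023 ] && [ "$max" -ge "$min" ] || {
        echo "$conf: bad PASV range $min-$max (use unprivileged ports, min <= max)" >&2
        return 1
    }
    return 0
}

# Print the iptables commands that open the control port and the PASV range
# read from the config. Printed rather than executed so they can be reviewed.
firewall_rules() {
    conf="$1"
    min=$(vsftpd_get "$conf" pasv_min_port)
    max=$(vsftpd_get "$conf" pasv_max_port)
    printf 'iptables -I INPUT -p tcp --dport 21 -j ACCEPT\n'
    printf 'iptables -I INPUT -p tcp --dport %s:%s -j ACCEPT\n' "$min" "$max"
}

# On a real CentOS server, as root:
#   configure_anon_readonly /etc/vsftpd/vsftpd.conf
#   check_anon_readonly /etc/vsftpd/vsftpd.conf && firewall_rules /etc/vsftpd/vsftpd.conf
#   /sbin/service vsftpd restart
```

Running configure_anon_readonly a second time changes nothing, so it is safe to re-run after a package update that ships a new default vsftpd.conf; check_anon_readonly is the part worth keeping around, since it catches a local_enable=YES creeping back in before the daemon is restarted.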
