FTP Configuration

Introduction

The File Transfer Protocol (FTP) is a protocol for transferring files between a client and a server over a TCP/IP network such as the Internet.

See http://en.wikipedia.org/wiki/File_transfer_Protocol for more details.

The following guidance might be useful when configuring FTP on a Linux server. In particular, details about the configuration and use of the Very Secure FTP Daemon (vsftpd) are given.

My FTP Server Configuration

My FTP Server is based on vsftpd.

vsftpd is a GPL licensed FTP server for UNIX systems, including Linux. It is secure, fast and stable. A list of a few important sites which are using vsftpd is shown at http://vsftpd.beasts.org/.

After experimentation I arrived at the following /etc/vsftpd/vsftpd.conf configuration file. Only relevant lines are shown:

$ sudo more vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
# ...
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
# ...
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#...
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#...
#
# You may fully customise the login banner string:
# ftpd_banner=Welcome to blah FTP service.
banner_file=/etc/banners/ftp.msg
# ...
#
pam_service_name=vsftpd
userlist_enable=YES
# Users whose names are in this file are denied before they are asked for a
# password. Note that vsftpd accepts comments only on their own lines,
# never after a value on a setting line.
# userlist_file=/etc/vsftpd.user_list
#
# Enable standalone mode.
listen=YES
tcp_wrappers=YES
# Added - the following lines are additional to the original file.
# Both limits default to 0 (unlimited); the defaults are noted here rather
# than after the value, because vsftpd has no inline comments.
max_clients=6
max_per_ip=2
# local_max_rate
#
# Added - lock logon user in chroot() jail
chroot_local_user=YES
# ...
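The configuration above is the kind of file an administrator tends to audit by eye. The following script is an added example, not part of the original page or of the vsftpd project: it reads a vsftpd.conf the way vsftpd documents the format (one key=value setting per line, comments only on lines that begin with #), flags setting lines that carry a trailing comment after the value, and compares the result against a small hardening baseline taken from the settings shown above. The baseline itself, the two sample configs and the option defaults quoted in the comments are this example's own; the parser is slightly more lenient about whitespace than vsftpd itself.

```python
"""Audit a vsftpd.conf against a small hardening baseline (added example)."""

# Baseline drawn from the page's own config: option -> (accepted values, reason).
# The baseline is this example's choice, not a vsftpd default.
BASELINE = {
    "anonymous_enable": ({"NO"}, "anonymous FTP is on unless explicitly disabled"),
    "local_enable": ({"YES"}, "local (PAM) accounts are the intended login method"),
    "chroot_local_user": ({"YES"}, "users must be confined to their home directory"),
    "xferlog_enable": ({"YES"}, "upload/download logging is needed for incident review"),
    "userlist_enable": ({"YES"}, "user list denies accounts before a password is requested"),
    "tcp_wrappers": ({"YES"}, "host-based access control via hosts.allow/hosts.deny"),
}

# Numeric limits that must be set and non-zero (0 means unlimited in vsftpd).
LIMITS = ("max_clients", "max_per_ip")


def parse_vsftpd_conf(text):
    """Return (settings, problems) for the text of a vsftpd.conf.

    settings maps option -> value; problems lists lines vsftpd would reject
    or read differently from what the author intended.
    """
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        if "=" not in line:
            problems.append(f"line {lineno}: not a key=value setting: {raw!r}")
            continue
        key, value = line.split("=", 1)
        if "#" in value:
            # vsftpd has no inline comments: everything after '=' is the value,
            # so the '#' and the words after it become part of it.
            problems.append(
                f"line {lineno}: trailing comment becomes part of the value of "
                f"{key.strip()}: {value.strip()!r}"
            )
            value = value.split("#", 1)[0]
        settings[key.strip()] = value.strip()
    return settings, problems


def audit(settings, problems):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = list(problems)
    for opt, (ok_values, reason) in BASELINE.items():
        val = settings.get(opt)
        if val is None:
            findings.append(f"{opt} not set: {reason}")
        elif val.upper() not in ok_values:
            findings.append(f"{opt}={val}: {reason}")
    for opt in LIMITS:
        val = settings.get(opt, "0")
        if not val.isdigit() or int(val) == 0:
            findings.append(f"{opt}={val}: 0 means unlimited; set a concrete limit")
    return findings


def audit_text(text):
    """Parse and audit a vsftpd.conf given as a string."""
    settings, problems = parse_vsftpd_conf(text)
    return audit(settings, problems)


# Constructed sample: the page's settings, including the two lines that
# carry a trailing comment after the value.
SAMPLE_CONF = """\
# Example config file /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
max_clients=6   # default 0 (unlimited)
max_per_ip=2    # default 0 (unlimited)
chroot_local_user=YES
"""

# Constructed weaker variant: anonymous login left at its default, no chroot,
# no user list, no connection limits.
WEAK_CONF = """\
local_enable=YES
write_enable=YES
xferlog_enable=YES
listen=YES
"""

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(f"== {name} ==")
        for finding in audit_text(conf) or ["baseline met"]:
            print(" -", finding)
```

Run it against a real file with `audit_text(open("/etc/vsftpd/vsftpd.conf").read())`; the "sample" run reports only the two trailing-comment lines, while the "weak" run reports the missing anonymous_enable, chroot_local_user, userlist_enable, tcp_wrappers and both limits.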

Firewall Configuration

The firewall/port-blocking configuration of any routers/firewalls used on the LAN needs careful attention.

FTP uses port 21 for the control connection and port 20 for active-mode data connections, plus a further range of ports for passive-mode data connections. The discussion about Active FTP and Passive FTP is much too long to go into here. See the Active FTP vs. Passive FTP, a Definitive Explanation link below.

There are also security issues surrounding the use of FTP (credentials and file contents travel unencrypted), so pay careful attention to firewall configuration; on balance, try to use SFTP (the SSH File Transfer Protocol, which runs over SSH) in preference where possible.
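Whether the firewall is configured correctly comes down to which ports the two modes actually use, and that is visible on the control channel: a passive-mode server announces its data port in a 227 reply, an active-mode client announces its address and port in a PORT command, and the server then connects back from port 20 (the connect_from_port_20 setting above). The script below is an added example, not code from the page or from vsftpd: it decodes both message forms, computes the data port from the two trailing numbers, and checks an announced passive port against the range the firewall is expected to allow. It assumes the server's passive range is pinned with vsftpd's pasv_min_port and pasv_max_port options (real options, but not part of the page's config); the 50000-50100 range and the sample control-channel lines are constructed.

```python
"""Work out the data-connection ports an FTP session needs (added example)."""
import re

# Passive range assumed to be configured in vsftpd.conf (constructed values):
#   pasv_min_port=50000
#   pasv_max_port=50100
PASV_RANGE = (50000, 50100)

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -- server reply
_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT h1,h2,h3,h4,p1,p2                          -- client command
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_host_port(groups):
    """Turn the six comma-separated FTP numbers into (host, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {groups}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte, low byte
    return host, port


def data_endpoint(line):
    """Classify one control-channel line.

    Returns (mode, host, port): 'passive' for a server 227 reply (the client
    connects out to the server's port) or 'active' for a client PORT command
    (the server connects from port 20 to the client). None for other lines.
    """
    m = _PASV_RE.search(line)
    if m:
        return ("passive",) + decode_host_port(m.groups())
    m = _PORT_RE.match(line)
    if m:
        return ("active",) + decode_host_port(m.groups())
    return None


def firewall_check(line, pasv_range=PASV_RANGE):
    """Describe what a firewall in front of the server must allow for this line.

    A passive port outside pasv_range is flagged: it means the server's
    pasv_min_port/pasv_max_port do not match what the firewall permits.
    """
    ep = data_endpoint(line)
    if ep is None:
        return None
    mode, host, port = ep
    if mode == "passive":
        lo, hi = pasv_range
        return {"mode": mode, "inbound_port": port, "in_range": lo <= port <= hi,
                "rule": f"allow inbound TCP {lo}-{hi} to the server"}
    return {"mode": mode, "outbound_to": (host, port), "in_range": True,
            "rule": f"allow outbound TCP from server port 20 to {host}:{port}"}


# Constructed sample control-channel lines.
SAMPLE_LINES = [
    "220 Welcome to the FTP service.",
    "227 Entering Passive Mode (192,168,1,20,195,80).",  # 195*256+80 = 50000, in range
    "227 Entering Passive Mode (192,168,1,20,4,21).",    # 4*256+21 = 1045, outside range
    "PORT 192,168,1,50,7,208",                           # client 192.168.1.50:2000
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", firewall_check(line))
```

The third sample line is the case that bites in practice: the server picked a data port the firewall does not pass, and the transfer hangs after the directory listing is requested. The PORT line shows the other common failure: a client behind NAT advertises its private address, which the server cannot reach in active mode, so passive mode with a pinned and firewalled range is the usual answer.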

General Links

The following general links are useful references when setting up FTP:

URL
    Summary/Description

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch15_:_Linux_FTP_Server_Setup
    Excellent site (and book) on Linux configuration in general, and in this chapter on FTP in particular
http://www.vsftpd.org/
    Comprehensive vsftpd site
http://vsftpd.beasts.org/
    vsftpd: Secure, fast FTP server for UNIX-like systems
http://slacksite.com/other/ftp.html
    Active FTP vs. Passive FTP, a Definitive Explanation
http://www.cyberciti.biz/tips/vsftp-chroot-users-limit-to-only-their-home-directory.html
    chroot() jail: locking users into their home directory
http://www.experts-exchange.com/Security/Linux_Security/Q_21405710.html
    VSFTP: Keep ftp users from leaving their home directory
http://www.mail-production.com/commandftp.html
    DOS FTP Automation: useful for the FTP command line and return codes
http://ftp.wmo.int/pages/prog/www/TEM/Guidance-doc/Guide_Use-FTP_rev11Aug2006.doc
    Configuring ftp
http://www.dslreports.com/forum/remark,12329921
    Set up ftp behind a NAT router