|
Size: 3163
Comment:
|
← Revision 14 as of 2023-04-08 13:23:09 ⇥
Size: 2642
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| ## page was renamed from VSFTPDSetup = VSFTPD Setup = |
= Vsftpd = |
| Line 4: | Line 3: |
| '''Very Secure FTP Daemon''' ('''VSFTPD''') is exactly what it says on the tin. | '''`vsftpd(8)`''' ('''V'''ery '''S'''ecure '''FTP''' '''D'''aemon) is a simple but secure [[Protocols/FTP|FTP]] server. |
| Line 6: | Line 5: |
| VSFTPD provides a service, accessed in `systemd` as `vsftpd.service`. | <<TableOfContents>> |
| Line 12: | Line 11: |
| == Users == | == Installation == |
| Line 14: | Line 13: |
| TODO: fill this in | Most [[Linux]] and [[BSD]] distributions offer a `vsftpd` package. |
| Line 16: | Line 15: |
=== Guest Users === TODO: fill this in |
For `systemd`-capable systems, [[Linux/Systemd|start and enable]] `vsftpd.service`. |
| Line 25: | Line 21: |
| == Ports == | == Configuration == |
| Line 27: | Line 23: |
| FTP requires multiple open ports, with two (non-conflicting) options. Several well-considered decisions are required here, and a firewall is highly recommended. For details on configuring a simple firewall, see [[UFWSetup|the article for UFW setup]]. | |
| Line 32: | Line 27: |
| For the FTP protocol, a server configured in ''active mode'' uses port 21 (configurable to, for example, 2121) to establish a connection and then shifts to using port 20 (configurable to, for example, 2020) for data transfer. (This is active because the server forms the connection back to the client.) These ports are set in `/etc/vsftpd.conf` with: | A server configured in '''active mode''' uses port 21 (configurable) to establish a connection and then shifts to using port 20 (configurable) for data transfer. This is ''active'' because the server forms the connection back to the client. These ports are configured in `/etc/vsftpd.conf` with: |
| Line 43: | Line 40: |
| Correspondingly, `ufw` would be configured with: {{{ ufw allow 2020/tcp ufw allow 2121/tcp }}} |
This is the recommended configuration, as the server is in control of connections. |
| Line 49: | Line 42: |
| This is the recommended configuration, as the server is in control of connections. | |
| Line 54: | Line 46: |
| For the purposes of FTPS, a server configured in ''passive mode'' uses port 21 to establish a connection and then shifts to using a port selected from a pool for data transfer. (This is passive because the client forms the new connection to a passively-open port.) The pool of ports is set in `/etc/vsftpd.conf` with: | A server configured in '''passive mode''' uses port 21 to establish a connection and then shifts to using a port selected from a pool for data transfer. This is ''passive'' because the client forms the new connection to a passively-open port. The pool of ports are configured in `/etc/vsftpd.conf` with: |
| Line 63: | Line 57: |
| Correspondingly, `ufw` would be configured with: {{{ ufw allow 21/tcp ufw allow 40000:42000/tcp }}} Changing these port numbers is not only possible, but encouraged. ---- |
Changing these port numbers is encouraged. |
| Line 76: | Line 61: |
| == Encryption == | === Encryption === |
| Line 78: | Line 63: |
| For encrypting FTP, it is possible to use a self-signed certificate. For more context, see [[SSLSetup|the article for SSL setup]]. | For encrypting FTP, it is possible to use a self-signed certificate. |
| Line 97: | Line 82: |
| Note that as the open port has changed, the firewall will need to be re-configured. For `ufw` specifically: | Note that as the open port has changed, the firewall will need to be re-configured. For example, if using `ufw(8)`: |
| Line 108: | Line 95: |
| == Avahi Discovery == | == Usage == |
| Line 110: | Line 97: |
| FTP can be made discoverable on the network through Zeroconf. The service file `/etc/avahi/services/ftp.service` should be configured as: | === mDNS Broadcasting === `vsftpd(8)` can be advertised over mDNS via [[Avahi]]. The service file should look like: |
| Line 124: | Line 115: |
| For further details, see [[AvahiSetup|the article on Avahi setup]]. | For further details, see [[Avahi|here]]. ---- == See also == [[https://man.archlinux.org/man/vsftpd.8|vsftpd(8)]] |
Vsftpd
vsftpd(8) (Very Secure FTP Daemon) is a simple but secure FTP server.
Contents
Installation
Most Linux and BSD distributions offer a vsftpd package.
For systemd-capable systems, start and enable vsftpd.service.
Configuration
Active Mode
A server configured in active mode uses port 21 (configurable) to establish a connection and then shifts to using port 20 (configurable) for data transfer. This is active because the server forms the connection back to the client.
These ports are configured in /etc/vsftpd.conf with:
connect_from_port_20=YES pasv_enable=NO listen_port=2121 ftp_data_port=2020
Contrary to the name, connect_from_port_20 does not force port 20.
This is the recommended configuration, as the server is in control of connections.
Passive Mode
A server configured in passive mode uses port 21 to establish a connection and then shifts to using a port selected from a pool for data transfer. This is passive because the client forms the new connection to a passively-open port.
The pool of ports are configured in /etc/vsftpd.conf with:
connect_from_port_20=NO pasv_enable=YES pasv_min_port=40000 pasv_max_port=42000
Changing these port numbers is encouraged.
Encryption
For encrypting FTP, it is possible to use a self-signed certificate.
su - root openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /etc/ssl/private/vsftpd.key \ -out /etc/ssl/certs/vsftpd.pem
Then configure /etc/vsftpd.conf with:
rsa_cert_file=/etc/ssl/certs/vsftpd.pem rsa_key_file=/etc/ssl/private/vsftpd.key ssl_enable=YES implicit_ssl=YES listen_port=990
Note that as the open port has changed, the firewall will need to be re-configured.
For example, if using ufw(8):
ufw disallow 21/tcp ufw allow 990/tcp
Usage
mDNS Broadcasting
vsftpd(8) can be advertised over mDNS via Avahi. The service file should look like:
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">FTP on %h</name>
<service>
<type>_ftp._tcp</type>
<port>21</port>
</service>
</service-group>For further details, see here.