VSFTPD
Very Secure FTP Daemon (VSFTPD) is a simple but secure FTP server.
Installation
Configuration
Active Mode
A server configured in active mode listens on port 21 (configurable) for the control connection, and the server then opens the data connection itself, from port 20 (configurable) back to the port the client announced. This is active because the server forms the connection back to the client.
These ports are configured in /etc/vsftpd.conf with:
connect_from_port_20=YES
pasv_enable=NO
listen_port=2121
ftp_data_port=2020
Contrary to the name, connect_from_port_20 does not force port 20: it makes the server originate data connections from ftp_data_port, which defaults to 20. On the server only listen_port has to be open inbound, since the data connection is outbound. The client, however, must accept an inbound connection from the server, which client-side NAT and host firewalls often block; if clients cannot be reached that way, passive mode is the alternative.
This is the recommended configuration, as the server is in control of connections.
Passive Mode
A server configured in passive mode listens on port 21 for the control connection and then hands out a port selected from a pool for data transfer. This is passive because the client forms the new connection to a passively-open port.
The pool of ports is configured in /etc/vsftpd.conf with:
connect_from_port_20=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=42000
Changing these port numbers is encouraged, but whichever range is chosen must be opened in the firewall alongside port 21 (for ufw, ufw allow 21/tcp and ufw allow 40000:42000/tcp for the values above). If pasv_min_port and pasv_max_port are left at their default of 0, vsftpd picks any ephemeral port and the firewall cannot be narrowed. If the server sits behind NAT, set pasv_address to the public address, otherwise the PASV reply advertises the internal one.
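The following is an added example, not vsftpd's own code and not part of the original page. It parses the two fragments above (embedded here as constructed strings), works out which TCP ports the server host must accept in each mode, renders the matching ufw commands, and decodes a server's "227 Entering Passive Mode" reply to check that the advertised data port really falls inside pasv_min_port..pasv_max_port. The option defaults it applies (listen_port=21, pasv_enable=YES, pasv_min_port and pasv_max_port 0 meaning "any port") are those documented in vsftpd.conf(5); the PASV replies are constructed samples.

```python
"""Derive the firewall picture from a vsftpd.conf and sanity-check a PASV reply.

Added example; not vsftpd's code. Sample configurations and PASV replies
are constructed for the demonstration.
"""
import re

# The active-mode and passive-mode fragments from the page, as constructed input.
ACTIVE_CONF = """\
connect_from_port_20=YES
pasv_enable=NO
listen_port=2121
ftp_data_port=2020
"""

PASSIVE_CONF = """\
connect_from_port_20=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=42000
"""

# Constructed PASV replies: the last two numbers encode the data port as p1*256+p2.
PASV_OK = "227 Entering Passive Mode (192,168,1,10,156,64)"    # 156*256+64 = 40000
PASV_BAD = "227 Entering Passive Mode (192,168,1,10,19,137)"   # 19*256+137 = 5001


def parse_vsftpd_conf(text):
    """Return {option: value} from vsftpd.conf syntax (key=value, '#' comments)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def _flag(conf, key, default):
    """Boolean option with vsftpd's YES/NO spelling and the given default."""
    return conf.get(key, "YES" if default else "NO").upper() == "YES"


def inbound_ports(conf):
    """TCP ranges the server must accept, as {label: (low, high)}.

    Active mode needs only the control port: the data connection is outbound
    from the server (from ftp_data_port when connect_from_port_20=YES), so it
    is the client that has to accept an inbound connection.
    """
    control = int(conf.get("listen_port", 21))
    ports = {"control": (control, control)}
    if _flag(conf, "pasv_enable", True):
        low = int(conf.get("pasv_min_port", 0))
        high = int(conf.get("pasv_max_port", 0))
        if low == 0 or high == 0 or low > high:
            # vsftpd then hands out arbitrary ephemeral ports, and no firewall
            # rule can be narrower than "everything above 1023".
            raise ValueError("pasv_enable=YES without a usable pasv_min_port/pasv_max_port")
        ports["passive data"] = (low, high)
    return ports


def ufw_rules(conf):
    """ufw commands that open exactly the ports inbound_ports() reports."""
    rules = []
    for low, high in inbound_ports(conf).values():
        spec = f"{low}/tcp" if low == high else f"{low}:{high}/tcp"
        rules.append(f"ufw allow {spec}")
    return rules


_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_endpoint(reply):
    """Decode the (h1,h2,h3,h4,p1,p2) tuple of a 227 reply into (host, port)."""
    match = _PASV_RE.search(reply)
    if not match or not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_reply_in_range(conf, reply):
    """True when the data port the server advertised is inside the configured pool."""
    low, high = inbound_ports(conf)["passive data"]
    _, port = pasv_endpoint(reply)
    return low <= port <= high


if __name__ == "__main__":
    for name, text in (("active", ACTIVE_CONF), ("passive", PASSIVE_CONF)):
        conf = parse_vsftpd_conf(text)
        print(name, inbound_ports(conf), ufw_rules(conf))
    print("PASV in range:", pasv_reply_in_range(parse_vsftpd_conf(PASSIVE_CONF), PASV_OK))
```

A reply outside the pool usually means the running daemon is not reading the configuration you think it is (a stale process, or a second vsftpd.conf passed on the command line), and the firewall rule derived from the file will then silently break transfers.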
Encryption
For encrypting FTP, it is possible to use a self-signed certificate. Clients will not trust it automatically: each client must be told to accept this specific certificate (or its fingerprint), and a client configured to accept any certificate gains nothing over plaintext against an interceptor. The key is written unencrypted (-nodes) so that the daemon can start unattended; it lives in /etc/ssl/private, which should stay readable by root only.
su - root
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/vsftpd.key \
    -out /etc/ssl/certs/vsftpd.pem
Then configure /etc/vsftpd.conf with:
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
implicit_ssl=YES
listen_port=990
This is implicit FTPS: TLS is negotiated before any FTP command is exchanged, on port 990 by convention. implicit_ssl does not move the listening port by itself, which is why listen_port is set explicitly. (Leaving implicit_ssl=NO with ssl_enable=YES gives explicit FTPS instead, where the client upgrades the port 21 connection with AUTH TLS and the firewall rules stay unchanged.)
Note that as the open port has changed, the firewall will need to be re-configured. For ufw specifically, remove the old rule and add the new one (ufw has no disallow command; an existing rule is removed with delete):
ufw delete allow 21/tcp
ufw allow 990/tcp
In passive mode the pasv_min_port to pasv_max_port range must remain open as well: TLS protects the data connection but does not change which ports it uses.
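The following is an added example, not vsftpd's own code and not part of the original page. It audits the TLS-related options of a vsftpd.conf fragment against the defaults documented in vsftpd.conf(5) (ssl_enable=NO, ssl_sslv2=NO, ssl_sslv3=NO, force_local_logins_ssl=YES, force_local_data_ssl=YES, implicit_ssl=NO, listen_port=21, ssl_ciphers=DES-CBC3-SHA). WEAK_CONF and HARDENED_CONF are constructed: the first is the page's fragment with a few options loosened, the second is the page's fragment with the remaining options pinned; the choice of HIGH as the cipher list is an assumption, not something the page specifies.

```python
"""Audit the TLS settings in a vsftpd.conf fragment.

Added example; not vsftpd's code. The two configuration strings are
constructed for the demonstration.
"""

# The page's fragment with SSLv3 enabled and the cleartext fallbacks allowed.
WEAK_CONF = """\
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
implicit_ssl=YES
ssl_sslv3=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
"""

# The page's fragment with the defaults pinned explicitly and a cipher list set
# (HIGH is an assumed choice; pick the list your clients support).
HARDENED_CONF = """\
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
implicit_ssl=YES
listen_port=990
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_ciphers=HIGH
"""

# Upstream default for ssl_ciphers per vsftpd.conf(5): a single 3DES suite.
DEFAULT_CIPHERS = "DES-CBC3-SHA"


def parse_vsftpd_conf(text):
    """Return {option: value} from vsftpd.conf syntax (key=value, '#' comments)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def _flag(conf, key, default):
    """Boolean option with vsftpd's YES/NO spelling and the given default."""
    return conf.get(key, "YES" if default else "NO").upper() == "YES"


def audit_tls(conf):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if not _flag(conf, "ssl_enable", False):
        # Nothing else matters if TLS is off: every login and file is cleartext.
        findings.append("ssl_enable=NO: logins and data are sent in cleartext")
        return findings
    for key in ("rsa_cert_file", "rsa_key_file"):
        if key not in conf:
            findings.append(f"{key} unset: vsftpd falls back to its compiled-in path")
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if _flag(conf, key, False):
            findings.append(f"{key}=YES: obsolete protocol enabled")
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if not _flag(conf, key, True):
            findings.append(f"{key}=NO: local users may fall back to cleartext")
    if conf.get("ssl_ciphers", DEFAULT_CIPHERS) == DEFAULT_CIPHERS:
        findings.append(f"ssl_ciphers left at default {DEFAULT_CIPHERS}: set an explicit cipher list")
    if _flag(conf, "implicit_ssl", False) and int(conf.get("listen_port", 21)) != 990:
        findings.append("implicit_ssl=YES but listen_port is not 990: implicit FTPS clients expect 990")
    return findings


def control_port(conf):
    """The control port to open in the firewall for this configuration."""
    return int(conf.get("listen_port", 21))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_vsftpd_conf(text)
        print(f"{label}: control port {control_port(conf)}")
        for finding in audit_tls(conf) or ["no findings"]:
            print("  -", finding)
```

The two force_local_* options matter most in practice: with either set to NO a client that fails the TLS handshake, or simply never asks for it, still logs in with a cleartext password, so the certificate work above protects nothing for that session.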
Zeroconf Discoverability
FTP can be made discoverable on the local network through Zeroconf (Avahi, mDNS/DNS-SD). The service file /etc/avahi/services/ftp.service should be configured as below. The port advertised here must match listen_port in /etc/vsftpd.conf: if that was changed (to 2121, or to 990 for implicit FTPS), change it here too, otherwise clients discover a port nothing listens on.
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">FTP on %h</name>
  <service>
    <type>_ftp._tcp</type>
    <port>21</port>
  </service>
</service-group>
For further details, see the Avahi page.
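The following is an added example, not Avahi's or vsftpd's code and not part of the original page. It reads an Avahi service file with the standard library, lists what it advertises, reports any _ftp._tcp entry whose port differs from the port vsftpd listens on, and renders a replacement file for the current port, so the advertisement can be checked or regenerated whenever listen_port changes. SERVICE_FILE is the page's fragment embedded as a constructed string; the service type is kept as the page's _ftp._tcp.

```python
"""Keep the Avahi advertisement in step with vsftpd's listen_port.

Added example; not Avahi's or vsftpd's code. SERVICE_FILE is the page's
service file, embedded here as a constructed input.
"""
import xml.etree.ElementTree as ET

SERVICE_FILE = """<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">FTP on %h</name>
  <service>
    <type>_ftp._tcp</type>
    <port>21</port>
  </service>
</service-group>
"""

FTP_TYPE = "_ftp._tcp"
XML_HEADER = ("<?xml version=\"1.0\" standalone='no'?>\n"
              "<!DOCTYPE service-group SYSTEM \"avahi-service.dtd\">\n")


def advertised_services(xml_text):
    """[(service type, port)] for every <service> element in the file."""
    root = ET.fromstring(xml_text)
    return [(svc.findtext("type"), int(svc.findtext("port"))) for svc in root.iter("service")]


def port_mismatches(xml_text, listen_port, service_type=FTP_TYPE):
    """Advertised ports of service_type that differ from what vsftpd listens on."""
    return [port for kind, port in advertised_services(xml_text)
            if kind == service_type and port != listen_port]


def render_service_file(listen_port, service_type=FTP_TYPE, name="FTP on %h"):
    """Build a service file advertising service_type on listen_port."""
    group = ET.Element("service-group")
    ET.SubElement(group, "name", {"replace-wildcards": "yes"}).text = name
    service = ET.SubElement(group, "service")
    ET.SubElement(service, "type").text = service_type
    ET.SubElement(service, "port").text = str(listen_port)
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+, plain otherwise
        ET.indent(group)
    # ElementTree emits no DOCTYPE, so prepend the header avahi-daemon expects.
    return XML_HEADER + ET.tostring(group, encoding="unicode") + "\n"


if __name__ == "__main__":
    print("advertised:", advertised_services(SERVICE_FILE))
    print("stale after moving to 990:", port_mismatches(SERVICE_FILE, 990))
    print(render_service_file(990))
```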