Phase 1: Basic Installation
Step 1: Install vsftpd
Open a terminal and run
sudo apt-get install vsftpd
Step 2: Edit the configuration file. Open /etc/vsftpd.conf (the Debian/Ubuntu location) with a text editor. Every option in Phase 2 is set there as one key=value line, with no spaces around the equals sign and '#' starting a comment. vsftpd reads the file only at startup, so restart the service after changing it: sudo systemctl restart vsftpd
Step 3: For security, create a separate user account with limited privileges for FTP use rather than logging in with your own account. For example:
sudo adduser guest
and enter a strong password when prompted. Note that adduser creates an ordinary login account. If you give it a non-login shell such as /usr/sbin/nologin to keep it off SSH, list that shell in /etc/shells, because the Debian PAM configuration for vsftpd checks the shell with pam_shells and rejects users whose shell is not listed. Accounts named in /etc/ftpusers are denied FTP login regardless.
Step 4: If the server sits behind a NAT router, forward the FTP ports to the server's IP address: TCP 21 (control) and TCP 20 (active-mode data). Most clients behind their own firewalls use passive mode instead, where the server picks a high port for each data connection; pin that range with pasv_min_port and pasv_max_port in vsftpd.conf and forward it as well, otherwise logins succeed but directory listings and transfers hang.
Step 5: Decide how vsftpd should run. It can be started by inetd/xinetd or run as a standalone daemon started from an init script or systemd unit (the Debian package installs the latter). For standalone mode, set listen=YES in the configuration file: add the line if it is absent, or change the value if the option is already present with its default of NO.
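The whole of Phase 1 as one shell script, added here as an example and not code from the original page. It assumes the Debian path /etc/vsftpd.conf and picks the passive port range 40000-40100 out of thin air; vsftpd_set, vsftpd_get and vsftpd_phase1 are names chosen for this example. Besides listen=YES it applies the settings from Phase 2 that a non-anonymous server needs. One caveat a first run tends to hit: vsftpd 2.3.5 and later refuse to chroot a user whose home directory is writable by that user, so the FTP account's home should be root-owned and non-writable, with a writable subdirectory for uploads.

```shell
#!/bin/sh
# Added example, not code from the original page: applies the Phase 1 settings
# to a vsftpd.conf idempotently. /etc/vsftpd.conf is the Debian location named
# in the text; the passive port range is an assumption made for this example.

# vsftpd_set FILE KEY VALUE
# vsftpd.conf is one "key=value" per line, no spaces around '=', '#' comments.
# Replace an existing uncommented KEY line, otherwise append one, so re-running
# the script never produces duplicate keys.
vsftpd_set() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"     # '|' delimiter: values may be paths
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# vsftpd_get FILE KEY
# Prints the effective value; a later duplicate line overrides an earlier one.
vsftpd_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# vsftpd_phase1 FILE [PASV_MIN] [PASV_MAX]
# Standalone daemon (listen=YES), no anonymous access, local users jailed to
# their home directory, transfer log on, and a fixed passive port range so the
# router can forward it next to TCP 20/21 (Step 4).
vsftpd_phase1() {
    conf=$1 pmin=${2:-40000} pmax=${3:-40100}
    vsftpd_set "$conf" listen YES
    vsftpd_set "$conf" listen_ipv6 NO         # mutually exclusive with listen
    vsftpd_set "$conf" anonymous_enable NO
    vsftpd_set "$conf" local_enable YES
    vsftpd_set "$conf" write_enable YES
    # vsftpd refuses a chroot whose root is writable by the user: keep the
    # home directory root-owned and give the user a writable subdirectory.
    vsftpd_set "$conf" chroot_local_user YES
    vsftpd_set "$conf" xferlog_enable YES
    vsftpd_set "$conf" pasv_enable YES
    vsftpd_set "$conf" pasv_min_port "$pmin"
    vsftpd_set "$conf" pasv_max_port "$pmax"
}

# Usage: sudo sh vsftpd-phase1.sh /etc/vsftpd.conf && sudo systemctl restart vsftpd
if [ "$#" -gt 0 ]; then
    vsftpd_phase1 "$@"
    echo "listen is now $(vsftpd_get "$1" listen)"
fi
```

Run it against a copy of the file first and diff the result; it only touches the keys it sets and leaves comments and everything else in place.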
Phase 2: Configuration Options
Step 1: listen_ipv6, whether to run in standalone mode on an IPv6 socket. Set it to YES and vsftpd listens on IPv6 instead of IPv4. This option and listen are mutually exclusive: enable exactly one of them.
- Allowed values: Boolean (YES/NO)
- Default value: NO
Step 2: anonymous_enable, whether to allow anonymous FTP. Beware: older vsftpd releases (before 3.0.0) turned this ON by default, so never rely on the default. Set anonymous_enable=NO explicitly unless the server is meant to be a public download mirror.
- Allowed values: Boolean
- Default value: YES in vsftpd 2.x (NO since vsftpd 3.0.0)
Step 3: local_enable, whether local logins are permitted. If enabled, normal user accounts in /etc/passwd may be used to log in.
- Allowed values: Boolean
- Default value: NO
Step 4: write_enable, whether to allow any FTP commands that change the file system: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. Leave it NO on a download-only server; once it is YES, every write-related option below becomes relevant.
- Allowed values: Boolean
- Default value: NO
Step 5: anon_upload_enable, whether to allow the anonymous FTP user to upload files. For this to work, the option write_enable must be enabled, and the anonymous ftp user must be given write permission on any desired upload location.
- Allowed values: Boolean
- Default value: NO
Step 6: anon_mkdir_write_enable, whether you want the anonymous FTP user to be able to create new directories. Like above, write_enable must be enabled.
- Allowed values: Boolean
- Default value: NO
Step 7: dirmessage_enable, whether to activate directory messages - messages given to remote users when they go into a certain directory.
- Allowed values: Boolean
- Default value: NO (in the sample configuration file, it is enabled)
Step 8: xferlog_enable, whether to activate logging of uploads/downloads. By default, the log file will be placed at /var/log/vsftpd.log, but this location may be overridden using the configuration setting vsftpd_log_file
- Allowed values: Boolean
- Default value: NO (in the sample configuration file, it is enabled)
Step 9: xferlog_std_format, whether to write the transfer log in the standard wu-ftpd xferlog format so existing log-analysis tools can parse it. In that case the log goes to xferlog_file (Step 14) rather than vsftpd_log_file, and you lose the more readable vsftpd-style format, which also records connections and logins.
- Allowed values: Boolean
- Default value: NO
Step 10: connect_from_port_20, whether to make sure PORT transfer connections originate from port 20 (ftp-data).
- Allowed values: Boolean
- Default value: NO (in the sample configuration file, it is enabled)
Step 11: async_abor_enable, whether the server will recognize asynchronous ABOR requests. Not recommended for security (the code is non-trivial). Not enabling it, however, may confuse older FTP clients.
- Allowed values: Boolean
- Default value: NO
Step 13: chown_uploads and chown_username. If you want, you can arrange for uploaded anonymous files to be owned by a different user.
Note: Using "root" for uploaded files is not recommended!
- Allowed values: chown_uploads is Boolean, chown_username is a username string
- Default value: chown_uploads defaults to NO and chown_username defaults to "root"
Step 14: xferlog_file. Overrides where the wu-ftpd style transfer log (Step 9) is written. The vsftpd man page default is /var/log/xferlog; the Debian sample configuration points it at /var/log/vsftpd.log instead. Whichever file you use, make sure it is covered by log rotation and reviewed, since it is your record of who uploaded what.
- Allowed values: path string
- Default value: /var/log/xferlog (man page); /var/log/vsftpd.log in the Debian sample configuration
Step 15: idle_session_timeout, the number of seconds a client may sit idle between commands before it is disconnected.
- Allowed values: Numeric (seconds)
- Default value: 300
Step 16: data_connection_timeout, the number of seconds a stalled data transfer may remain idle before the client is disconnected.
- Allowed values: Numeric (seconds)
- Default value: 300
Step 16: nopriv_user. It is recommended that you define on your system a unique user which the ftp server can use as a totally isolated and unprivileged user.
- Allowed values: Username string
- Default value: nobody
Step 17: ftpd_banner, which lets you replace the login banner string. The stock banner announces the vsftpd version number to every client that connects, so a custom banner is a cheap way to stop advertising it.
- Allowed values: String
- Default value: none - the default vsftpd banner, version number included, is displayed
Example line in vsftpd.conf: ftpd_banner=FTP Server by George Viorel Olteanu
Step 18: deny_email_enable and banned_email_file let you specify a file of disallowed anonymous e-mail "passwords"; an anonymous login that presents one of them is refused. Apparently useful for combating certain DoS attacks.
- Allowed values: File path string for banned_email_file and Boolean for deny_email_enable
- Default value: NO for deny_email_enable and /etc/vsftpd.banned_emails for banned_email_file
Step 19: chroot_local_user, which confines local users to their home directories so they cannot browse the rest of the file system. Since vsftpd 2.3.5 the server refuses to log in a user whose chroot root (the home directory) is writable by that user, failing with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". The fix is to make the home directory root-owned and non-writable and give the user a writable subdirectory for uploads. vsftpd 3.0 and later can disable the check with allow_writeable_chroot=YES, but that removes the protection rather than fixing the layout.
- Allowed values: Boolean
- Default value: NO
Step 20: chroot_list_enable and chroot_list_file. You may specify an explicit list of local users to chroot() to their home directory.
Note: if chroot_local_user is YES, then this list becomes a list of users to NOT chroot().
- Allowed values: File path string for chroot_list_file and Boolean for chroot_list_enable
- Default value: NO for chroot_list_enable and /etc/vsftpd.chroot_list for chroot_list_file
Step 21: ls_recurse_enable (leading lowercase L, not an i), which lets you activate the "-R" option of the built-in ls. It is disabled by default so remote users cannot cause excessive I/O on large sites with recursive listings. However, some broken FTP clients such as "ncftp" and "mirror" assume that "-R" is available, so there is a case for enabling it on small directory trees.
- Allowed values: Boolean
- Default value: NO
Step 22: secure_chroot_dir. Some of vsftpd's settings don't fit the Debian filesystem layout by default. These settings are more Debian-friendly. This option should be the name of a directory which is empty. Also, the directory should not be writable by the ftp user. This directory is used as a secure chroot() jail at times vsftpd does not require file system access.
- Allowed values: File path string
- Default value: /usr/share/empty
Step 24: pam_service_name, the name of the PAM service vsftpd authenticates local users against, i.e. the file under /etc/pam.d/ whose auth and account rules apply to FTP logins.
- Allowed values: string
- Default value: ftp (the Debian sample configuration sets vsftpd, matching the /etc/pam.d/vsftpd file the package installs)
Step 25: rsa_cert_file, the location of the RSA certificate used for TLS-encrypted (FTPS) connections. It only takes effect once ssl_enable=YES; if the private key is kept in a separate file, point rsa_private_key_file at it. Without TLS every password crosses the network in clear text, so enable it on anything that is not a LAN-only download box.
- Allowed values: File path string
- Default value: /usr/share/ssl/certs/vsftpd.pem (the Debian sample configuration points at the self-signed /etc/ssl/certs/ssl-cert-snakeoil.pem instead, which is suitable for testing only)
Step 26: local_umask, the umask applied to files and directories created by local users. The default 077 keeps new files private to their owner; you may wish to change it to 022 if your users expect that (022 is what most other ftpd's use). The value is read as octal only when it starts with 0: write 022, not 22, or it is treated as a base-10 integer.
- Allowed values: Octal number (leading 0 required)
- Default value: 077
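As an added example (not the page's own code), the warnings in Phase 2 turned into an audit script: it reads a vsftpd.conf and flags the settings this section cautions against. conf_get, conf_is, vsftpd_audit and the two sample configurations at the bottom are constructed for the demo. ssl_enable and rsa_private_key_file are real vsftpd options the page does not describe; they are checked because a server without TLS sends every password in the clear.

```shell
#!/bin/sh
# Added example, not code from the original page: audits a vsftpd.conf for the
# risky Phase 2 settings. Option names are vsftpd's own; the sample configs
# written by write_sample_* are constructed for this demo.

# conf_get FILE KEY: effective value, empty if unset (a later line overrides)
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }
# conf_is FILE KEY VALUE: succeeds if the effective value equals VALUE
conf_is() { [ "$(conf_get "$1" "$2")" = "$3" ]; }

findings=0
flag() { findings=$((findings + 1)); echo "FINDING: $*"; }

# vsftpd_audit FILE: prints one "FINDING:" line per problem plus a summary
vsftpd_audit() {
    f=$1 findings=0
    # The default for anonymous_enable changed between releases: make it explicit.
    [ -n "$(conf_get "$f" anonymous_enable)" ] || flag "anonymous_enable not set explicitly"
    conf_is "$f" anonymous_enable YES && flag "anonymous FTP is enabled"
    if conf_is "$f" anon_upload_enable YES || conf_is "$f" anon_mkdir_write_enable YES; then
        conf_is "$f" write_enable YES && flag "anonymous users can write to the file system"
    fi
    # chown_username defaults to root (Step 13): uploads must not become root-owned
    if conf_is "$f" chown_uploads YES; then
        owner=$(conf_get "$f" chown_username)
        { [ -n "$owner" ] && [ "$owner" != root ]; } || flag "chown_uploads=YES with chown_username unset or root"
    fi
    # Without chroot_local_user (Step 19) a local login can browse the whole file system
    if conf_is "$f" local_enable YES && ! conf_is "$f" chroot_local_user YES; then
        flag "local users are not chrooted"
    fi
    # FTP sends passwords in clear text unless TLS is on
    conf_is "$f" ssl_enable YES || flag "ssl_enable is not YES: credentials cross the wire in plaintext"
    conf_is "$f" async_abor_enable YES && flag "async_abor_enable=YES (not recommended, Step 11)"
    # local_umask (Step 26) must be octal with a leading 0; anything looser than 022 is suspect
    umask=$(conf_get "$f" local_umask)
    case "${umask:-077}" in
        077|027|022) ;;
        *) flag "permissive or non-octal local_umask=$umask" ;;
    esac
    conf_is "$f" xferlog_enable YES || flag "transfer logging is off"
    echo "$findings finding(s) in $f"
    return 0
}

# vsftpd_audit_count FILE: just the number of findings
vsftpd_audit_count() { vsftpd_audit "$1" | grep -c '^FINDING:' || true; }

# Constructed sample: the weak settings the text warns about
write_sample_weak() {
    cat > "$1" <<'EOF'
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
local_enable=YES
chown_uploads=YES
local_umask=000
EOF
}

# Constructed sample: the same server with the Phase 2 recommendations applied
write_sample_hardened() {
    cat > "$1" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_umask=022
xferlog_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
EOF
}

# Usage: sh vsftpd-audit.sh /etc/vsftpd.conf
if [ "$#" -gt 0 ]; then vsftpd_audit "$1"; fi
```

The checks deliberately treat an unset option as its documented default, which is why anonymous_enable is required to be explicit: on a 2.x server an absent line means anonymous access is on.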