Configure authenticated FTP Server


FTP stands for File Transfer Protocol. Normal internet users access web pages via the ‘http’ protocol; with FTP we deal only with files.
FTP is a protocol used to transfer files from one host to another. An FTP server holds files for sharing or downloading, and the client connects to it to download them. To use an FTP server, enter ‘ftp://’ followed by the server IP address in the address bar.
Linux allows you to create your own FTP server. The default directory where you put files for sharing is ‘/var/ftp/pub’ on Red Hat based operating systems and ‘/srv/ftp’ on Debian based operating systems.
You can configure an FTP server so that anonymous users can use it, or you can allow only a selected set of users. Here we will learn how to configure an authenticated FTP server for selected users only.

To configure it, follow these steps:

  1. yum install vsftpd -y
    If you don’t have an FTP server installed, install the vsftpd package.

    Install vsftpd package.


  2. cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftp.conf.bak
    vi /etc/vsftpd/vsftpd.conf
    – Create a backup of the original configuration file ‘/etc/vsftpd/vsftpd.conf’.
    – Open the configuration file.

    Create backup and open Configuration file.


  3. Change ‘anonymous_enable=NO’
                 ‘local_enable=YES’
    Uncomment anonymous_enable and set it to NO so that no anonymous user can reach your server.
    Uncomment local_enable and set it to YES so that the local users you define can reach the FTP server.

    Disable anonymous login, enable local users.


  4. service vsftpd restart
    Since you made changes in the configuration file, restart the service.

    Restart the service.


  5. groupadd ftp-users
    mkdir /home/ftp-users
    – Add a group named ftp-users. The users who will use this server will belong to this group.
    – Create a directory with the same name as the group, here ftp-users. The files you want to share over FTP should be put under this directory.

    Add group and create their home directory


  6. useradd -g ftp-users -d /home/ftp-users/ user1
    Add users and make their default directory /home/ftp-users.
    The ‘-g’ switch adds the new user to a group.
    The ‘-d’ switch specifies which directory is to be the user’s home directory.

    Add new users in the group we created earlier.


  7. passwd user1
    Create a password for new user.

    Set password for new users.


  8. cp -r /var/* /home/ftp-users
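    Copy the files you want clients to download into the ftp-users directory. Here ‘/var’ is copied into ftp-users. /var normally also holds logs, mail spools and application data, so on a real server copy only the files you intend to publish.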

    Copy files in home directory of group.


  9. chown root:ftp-users /home/ftp-users
    chmod 0740 /home/ftp-users/*
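    – Give the ftp-users group ownership of /home/ftp-users. chown without ‘-R’ changes only the directory itself; the files copied into it keep their existing owner and group.
    – Change the permissions of the files inside ftp-users.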

    Take ownership and change permissions.


  10. Check your IP
    Check your ip


  11. Enter ftp://192.168.222.128
    Enter ftp:// followed by your IP.
  12. Enter the username and password, and check.

    Checking for User 1


    Access granted for User 1.


    Checking user 2


    Access granted to User 2


You can do it this way, or just add a user and set his password. Then the files you need to share are in the default location ‘/var/ftp/pub’.
Check your SELinux status (use getenforce).
If SELinux is in enforcing mode, change it to permissive. If you want to keep enforcing mode, you may get Error 500.
If you get that error, try ‘getsebool -a | grep ftp’ and, if the first line is ‘ftp_home_dir --> off’, set it to on using ‘setsebool -P ftp_home_dir on’.

Error due to SElinux


How to Secure your FTP Server?

If you created an FTP server with user authentication, try clicking on ‘Up to higher level directory’.
It takes you one directory up, that is, to ‘/home’, and if you click on it again, it takes you up to ‘/’. In short, any user of your FTP server can see your ‘/’ and other file systems.
This is a very serious issue and should not be left unsolved.

To secure your FTP server, all you need to do is uncomment line number 100, ‘chroot_local_user=YES’, and then restart the vsftpd service. Users can then access only their own home directory.


Enable chroot for all local users!

 

However, suppose you have 5 users and you wish to put restrictions only on user 1, user 2 and user 3.
Then comment out line number 100, ‘chroot_local_user=YES’, and uncomment line numbers 101 and 103, ‘chroot_list_enable=YES’ and ‘chroot_list_file=/etc/vsftpd/chroot_list’.

Enabling chroot only for users in list.


What you’re actually doing is:
First: enabling ‘chroot’ only for a list of users.
Second: telling the FTP server where the list file is.
Create a file in ‘/etc/vsftpd’ named ‘chroot_list’ and add the users (here user1, user2, user3) to it.
‘chroot’ will then be enabled only for the users in this file.

contents of chroot_list file


If you don’t comment out ‘chroot_local_user=YES’, then ‘chroot’ will be enabled for all users.
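
A check for the chroot settings above, as an added example that is not part of the original post: it reads a vsftpd.conf and reports whether a given user ends up jailed. It follows the vsftpd.conf man page, where the list names the users to jail when chroot_local_user is off, and becomes a list of users exempt from the jail when chroot_local_user=YES is left uncommented together with chroot_list_enable=YES. The helper names (conf_get, is_yes, chroot_status) are hypothetical and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# conf_get FILE KEY DEFAULT: last uncommented "KEY=value" in FILE, else DEFAULT.
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r')
    printf '%s\n' "${v:-$3}"
}

# is_yes VALUE: true when a vsftpd boolean is YES (compared case-insensitively).
is_yes() { [ "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" = YES ]; }

# chroot_status CONF USER: prints "jailed" or "not-jailed" for a local user.
chroot_status() {
    all=$(conf_get "$1" chroot_local_user NO)
    use_list=$(conf_get "$1" chroot_list_enable NO)
    # /etc/vsftpd.chroot_list is the default documented in the man page.
    list=$(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list)
    listed=no
    if is_yes "$use_list" && [ -f "$list" ] && grep -qxF -- "$2" "$list"; then
        listed=yes
    fi
    if is_yes "$all"; then
        # chroot_local_user=YES: the list names users exempt from the jail.
        if [ "$listed" = yes ]; then echo not-jailed; else echo jailed; fi
    else
        # chroot_local_user off: only the listed users are jailed.
        if [ "$listed" = yes ]; then echo jailed; else echo not-jailed; fi
    fi
}

# Constructed sample files: the list from the text and two config variants.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'user1\nuser2\nuser3\n' > "$demo/chroot_list"
printf '#chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$demo/chroot_list" > "$demo/list_only.conf"
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$demo/chroot_list" > "$demo/both.conf"

for conf in list_only both; do
    for u in user1 user4; do
        echo "$conf.conf $u: $(chroot_status "$demo/$conf.conf" "$u")"
    done
done
```

To check a live server, call chroot_status with /etc/vsftpd/vsftpd.conf and a user name after every change to the chroot options.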
