Installing vsFTPd on CentOS


Start from the RPM package installation.

yum install vsftpd

Configure /etc/vsftpd/vsftpd.conf. The settings below prevent anonymous users from uploading files or creating directories, allow only the users listed in /etc/vsftpd/user_list to log in, and make $HOME/public_ftp the initial directory for non-anonymous logins. Refer to the vsftpd configuration manual for details.

anon_upload_enable=NO
anon_mkdir_write_enable=NO
ftpd_banner=Welcome to vitki.net FTP service.
userlist_deny=NO
local_root=public_ftp
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11005

Edit /etc/vsftpd/user_list and include the names of the users allowed to ftp, including anonymous.

According to the CERT advisory CA-1997-27, an FTP bounce attack can use the PORT command to make the server open connections to arbitrary ports on machines other than the originating client, so we disable the PORT command:

port_enable=NO

To let the ftp daemon work behind a firewall, we enable passive mode on ports 11001..11005 (the pasv_min_port/pasv_max_port range set above). Add the following lines to your iptables configuration and restart iptables:

# FTP, passive
-A INPUT -m state --state NEW -p tcp --dport 20:21 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 11001:11005 -j ACCEPT
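As an added example (not part of the original post), the following POSIX shell script audits a vsftpd.conf for the settings discussed above and derives the iptables rule from the configured passive range, so the firewall and the daemon cannot drift apart. The function names (vsftpd_get, vsftpd_bool, vsftpd_audit, vsftpd_pasv_rule) are my own; the defaults used for absent keys are those documented in vsftpd.conf(5). Note that userlist_deny=NO only takes effect when userlist_enable=YES, which the CentOS-packaged vsftpd.conf already sets, so the audit checks for it explicitly.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf against the
# hardening settings the post applies, and derive the matching iptables rule
# for the passive port range. Defaults for absent keys follow vsftpd.conf(5).
# Usage: vsftpd_audit /etc/vsftpd/vsftpd.conf && vsftpd_pasv_rule /etc/vsftpd/vsftpd.conf

# Effective value of key $2 in config $1 (last assignment wins; comment lines
# and trailing whitespace are ignored; vsftpd itself requires key=value with
# no spaces). Prints nothing when the key is not set.
vsftpd_get() {
    sed -n -e 's/[[:space:]]*$//' -e '/^[[:space:]]*#/d' -e "s/^$2=//p" "$1" | tail -n 1
}

# Normalise the boolean spellings vsftpd accepts (YES/NO, true/false, 1/0,
# any case) to YES or NO; any other string passes through unchanged.
vsftpd_bool() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *)          echo "$1" ;;
    esac
}

# Audit: prints one "key: expected X, found Y" line per deviation and returns
# 1 if there was any deviation, 0 otherwise. Each spec is key:wanted:default.
vsftpd_audit() {
    conf=$1
    rc=0
    for spec in \
        anon_upload_enable:NO:NO \
        anon_mkdir_write_enable:NO:NO \
        userlist_enable:YES:NO \
        userlist_deny:NO:YES \
        port_enable:NO:YES \
        pasv_enable:YES:YES
    do
        key=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; default=${rest#*:}
        have=$(vsftpd_get "$conf" "$key")
        [ -n "$have" ] || have=$default
        have=$(vsftpd_bool "$have")
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, found $have"
            rc=1
        fi
    done
    # A passive range of 0 (the default) lets the kernel pick any port, which
    # would force the firewall to open every high port: require a bounded range.
    min=$(vsftpd_get "$conf" pasv_min_port); max=$(vsftpd_get "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ] || [ "$min" -lt 1024 ]; then
        echo "pasv_min_port/pasv_max_port: expected a bounded range >= 1024, found '${min:-unset}'..'${max:-unset}'"
        rc=1
    fi
    return $rc
}

# Emit the iptables rule that matches the configured passive range.
vsftpd_pasv_rule() {
    min=$(vsftpd_get "$1" pasv_min_port); max=$(vsftpd_get "$1" pasv_max_port)
    echo "-A INPUT -m state --state NEW -p tcp --dport $min:$max -j ACCEPT"
}

# Demonstration on a constructed config: the post's settings plus port_enable=NO
# and the userlist_enable=YES that the CentOS package config carries.
demo=$(mktemp)
cat >"$demo" <<'EOF'
anon_upload_enable=NO
anon_mkdir_write_enable=NO
userlist_enable=YES
userlist_deny=NO
local_root=public_ftp
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11005
port_enable=NO
EOF
if vsftpd_audit "$demo"; then echo "audit passed"; else echo "audit failed"; fi
vsftpd_pasv_rule "$demo"
rm -f "$demo"
```

Run it against the live file after editing; a non-zero exit means at least one of the settings above is missing or overridden later in the file, and the printed rule can be pasted into the iptables configuration so the opened range always matches what vsftpd will actually use.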

Now enable vsftpd on boot and start the daemon:

chkconfig vsftpd on
/etc/init.d/vsftpd restart

Create the /etc/init.d/public_ftp script, which maps each user's public_ftp folder into the site-wide anonymous ftp directory /var/ftp. The mapping is done with bind mounts. Edit the script and tune parameters such as home_root and public_subdir, then enable it at startup:

chkconfig public_ftp on

To synchronize the directories every hour, create a cron job /etc/cron.hourly/public_ftp:

#!/bin/sh
/etc/init.d/public_ftp restart
exit 0
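The post does not reproduce its /etc/init.d/public_ftp script; the following is an added example of how such a script can be written (my own code, not the original author's). It assumes the tunables home_root and public_subdir named above plus an ftp_root under /var/ftp, and it bind-mounts each user's public_ftp read-only, skipping symlinks and directories whose owner differs from the owner of the home directory, so a user cannot publish arbitrary paths from the system. The chkconfig header comments are what `chkconfig public_ftp on` needs to register the script.

```shell
#!/bin/sh
# /etc/init.d/public_ftp (added example, not the original post's script):
# expose each user's ~/public_ftp read-only under /var/ftp/pub/<user> via
# bind mounts, so the anonymous tree never grants write access to user data.
# chkconfig: 2345 99 01
# description: bind-mount user public_ftp directories into the anonymous ftp tree

# Tunables (names home_root and public_subdir are from the post; ftp_root is assumed).
home_root=${home_root:-/home}
public_subdir=${public_subdir:-public_ftp}
ftp_root=${ftp_root:-/var/ftp/pub}

# Print "user source target" for every eligible user directory. Eligible means:
# a real directory (not a symlink, which would let a user publish any path),
# owned by the same uid as the home directory it sits in. Paths are assumed
# not to contain whitespace.
public_ftp_plan() {
    for home in "$home_root"/*; do
        [ -d "$home" ] || continue
        user=${home##*/}
        src=$home/$public_subdir
        [ -d "$src" ] && [ ! -L "$src" ] || continue
        src_uid=$(stat -c %u "$src" 2>/dev/null) || continue
        home_uid=$(stat -c %u "$home" 2>/dev/null) || continue
        [ "$src_uid" = "$home_uid" ] || continue
        echo "$user $src $ftp_root/$user"
    done
}

# Bind-mount each planned directory, then remount it read-only (the second
# step is what makes a bind mount read-only on older kernels such as those in
# CentOS 5/6). Idempotent: targets that are already mountpoints are skipped.
public_ftp_start() {
    public_ftp_plan | while read -r user src dst; do
        mkdir -p "$dst"
        if mountpoint -q "$dst"; then continue; fi
        mount --bind "$src" "$dst" && mount -o remount,ro,bind "$dst"
    done
}

# Unmount everything under ftp_root that is a mountpoint and remove the empty
# target directories; non-empty (foreign) directories are left alone.
public_ftp_stop() {
    for dst in "$ftp_root"/*; do
        [ -d "$dst" ] || continue
        if mountpoint -q "$dst"; then umount "$dst" || continue; fi
        rmdir "$dst" 2>/dev/null || true
    done
}

case "${1:-}" in
    start)   public_ftp_start ;;
    stop)    public_ftp_stop ;;
    restart) public_ftp_stop; public_ftp_start ;;
    plan)    public_ftp_plan ;;   # dry run: show what start would mount
    "")      ;;                   # sourced or run without an action: define functions only
    *)       echo "Usage: $0 {start|stop|restart|plan}" >&2; exit 2 ;;
esac
```

Because public_ftp_start skips targets that are already mounted, the hourly cron job could call start rather than restart to pick up new users without briefly unmounting the existing shares; restart is still what removes mounts for users whose public_ftp directory has since disappeared. The plan action is a safe way to review which directories would be exported before enabling the script.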
