
Using VSFTPD with MySQL and restricting users

Let me save you over 10 hours of hair-pulling stress and give you the easiest guide you’ll ever come across for setting up vsftpd on your Linux box and taking control of your private server.

This guide will let you accomplish the following:

  • Allow vsftpd to use a MySQL database for login authentication and for logging authentication messages
  • Set up a base set of permissions for all users
  • Set up per-user permission sets, including a chroot’d login, a download speed limit and hidden directories

Let’s get started. Firstly you’ll need to install all the packages required:

  • vsftpd
  • mysql-server
  • pam_mysql

On Red Hat based systems this command installs all three (pam_mysql is not in the base repositories on RHEL/CentOS, so enable EPEL first if yum cannot find it):  yum -y install vsftpd mysql-server pam_mysql

Now that they’re installed, set up a MySQL database and a database user for vsftpd to use. The statements below create the database and the two tables PAM needs, and grant the PAM account only what it requires: SELECT on users to authenticate and INSERT on logs to record attempts.

-- The database the PAM lines below refer to with db=vsftpd
CREATE DATABASE IF NOT EXISTS `vsftpd`;
USE `vsftpd`;

-- One row per authentication attempt, written by pam_mysql when sqllog=1
CREATE TABLE IF NOT EXISTS `logs` (
`id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
`msg` VARCHAR(255) NOT NULL,
`user` VARCHAR(30) NOT NULL,
`pid` VARCHAR(15) NOT NULL,
`host` VARCHAR(30) NOT NULL,
`rhost` VARCHAR(30) NOT NULL,
`logtime` VARCHAR(30) NOT NULL,
PRIMARY KEY (`id`)
);

-- FTP accounts; `name` and `passwd` are the columns PAM matches on.
-- `passwd` is compared in the clear with crypt=0 (see the note below).
CREATE TABLE IF NOT EXISTS `users` (
`id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
`name` VARCHAR(30) NOT NULL,
`passwd` VARCHAR(30) NOT NULL,
`group` VARCHAR(10) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY (`name`)   -- two rows must never share a login name
);

-- Least privilege for the account pam_mysql connects as (same placeholders as the PAM lines below)
GRANT SELECT ON `vsftpd`.`users` TO 'your-db-user'@'localhost' IDENTIFIED BY 'your-db-password';
GRANT INSERT ON `vsftpd`.`logs` TO 'your-db-user'@'localhost';

That is all PAM needs to authenticate. You might want to add yourself as a user right about now (an INSERT into users with your login name and password). Note that with crypt=0 in the PAM lines below the passwd column holds the password in plain text and pam_mysql compares it as-is, so anyone who can read that table can log in as any user. pam_mysql can also compare against hashed passwords through its crypt= option (crypt=1 for crypt(3) hashes, for example), which would need a wider passwd column than VARCHAR(30).

Now set up a PAM service for vsftpd. There should already be one at /etc/pam.d/vsftpd, but we want to replace it with our own. Edit that file (or create it) and insert the following two lines, replacing the database user, password and database name with yours. Two cautions: the module path /lib/security/ is for 32-bit systems (on x86_64 it is /lib64/security/, or just write pam_mysql.so and let PAM find it in its default module directory), and these lines put the database password in a file that is normally world-readable, so either restrict its permissions or move the options into a root-only file referenced with pam_mysql’s config_file= option.

auth required /lib/security/pam_mysql.so user=your-db-user passwd=your-db-password host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=0 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime
account required /lib/security/pam_mysql.so user=your-db-user passwd=your-db-password host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=0 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime

Next we’ll setup vsftpd. All the configuration files for vsftpd exist in: /etc/vsftpd/

Crack open vsftpd.conf and make some changes. This is how I have mine setup. You may want to change a couple of things after finding out more about them, but at this stage you might want to stick with this.

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=This is a private server.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
chmod_enable=YES
text_userdb_names=YES
use_localtime=YES
virtual_use_local_privs=YES
user_sub_token=$USER
guest_enable=YES
guest_username=nobody
local_root=/media
ftp_username=nobody
user_config_dir=/etc/vsftpd/users
chroot_local_user=YES
passwd_chroot_enable=YES
dual_log_enable=YES

The most important entry is pam_service_name: it must match the name of the file we edited in /etc/pam.d/ exactly, otherwise PAM falls back to /etc/pam.d/other and every login is refused. local_root is the directory users are locked into as their root, because chroot_local_user=YES jails everyone who is not listed in chroot_list; change /media to wherever your files live. Two things this configuration does not do: it does not turn on TLS, so every password and file crosses the network in the clear (vsftpd can require it with ssl_enable=YES, force_local_logins_ssl=YES and force_local_data_ssl=YES plus a certificate in rsa_cert_file), and it leaves the passive data ports unpinned, so if the server sits behind a firewall set pasv_min_port and pasv_max_port and open that range.

So what we have so far is an FTP server that lets the users in the MySQL table log in and see only the files under the local_root directory.
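A pre-flight check for the pieces above, added here as an example rather than anything from the original post: it reads a vsftpd.conf, flags boolean options whose value vsftpd will reject at startup, confirms that pam_service_name points at a real file in the PAM directory, and confirms that the paths named in local_root, user_config_dir and chroot_list_file exist. The list of boolean options is the subset used in this guide (an assumption, not vsftpd’s full list), and both locations are arguments so it can be run against a copy before touching the live config.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check vsftpd.conf and its
# PAM service before starting vsftpd. vsftpd refuses to start on a malformed
# boolean, and a pam_service_name with no file under /etc/pam.d makes PAM fall
# back to /etc/pam.d/other, which refuses every login.
set -u

# Boolean options used in this guide (an assumption: not vsftpd's full list).
BOOL_OPTS="anonymous_enable local_enable write_enable dirmessage_enable \
xferlog_enable connect_from_port_20 xferlog_std_format chroot_list_enable \
listen userlist_enable tcp_wrappers chmod_enable text_userdb_names \
use_localtime virtual_use_local_privs guest_enable chroot_local_user \
passwd_chroot_enable dual_log_enable force_dot_files"

is_bool_opt() {
    for o in $BOOL_OPTS; do
        [ "$o" = "$1" ] && return 0
    done
    return 1
}

# check_vsftpd_conf CONF PAMDIR
# Prints one problem per line; returns 1 if any were found, 0 otherwise.
check_vsftpd_conf() {
    conf="$1"; pamdir="$2"; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                 # blank line or comment
            *=*) ;;
            *) echo "no '=' in line: $line"; rc=1; continue ;;
        esac
        key="${line%%=*}"; val="${line#*=}"
        if is_bool_opt "$key"; then
            # vsftpd accepts YES/NO, TRUE/FALSE and 1/0, case-insensitively
            case "$val" in
                [Yy][Ee][Ss]|[Nn][Oo]|[Tt][Rr][Uu][Ee]|[Ff][Aa][Ll][Ss][Ee]|1|0) ;;
                *) echo "bad bool value for $key: '$val'"; rc=1 ;;
            esac
        fi
        case "$key" in
            pam_service_name)
                [ -f "$pamdir/$val" ] \
                    || { echo "pam_service_name=$val but $pamdir/$val does not exist"; rc=1; } ;;
            local_root|user_config_dir|chroot_list_file)
                [ -e "$val" ] || { echo "$key=$val does not exist"; rc=1; } ;;
        esac
    done < "$conf"
    return "$rc"
}

# Usage: check_vsftpd_conf /etc/vsftpd/vsftpd.conf /etc/pam.d && echo "config looks sane"
```

Run it before every restart; a typo such as xferlog_enable=YE shows up here instead of as a "500 OOPS" at startup, and a pam_service_name pointing at a file you renamed shows up before the first refused login.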

From this point I have a more specific setup going on. I have a login for myself that I don’t want restricted in any way. Here’s how to accomplish this:

Edit the file /etc/vsftpd/chroot_list and add yourself on a line of your own, i.e. my username in the MySQL database is ‘jc’, so I add ‘jc’ to that file on a line by itself. Because chroot_local_user=YES is set, this list names the users who are NOT chroot’d, so it tells vsftpd to leave my login unrestricted while everyone else stays jailed.

Then go into the /etc/vsftpd/users/ directory (create it if it doesn’t exist; it must match user_config_dir in vsftpd.conf) and create a new file named after the user, in my case ‘jc’. Add these lines to the file, replacing the values with your preferences:

local_root=/home/jc
guest_username=jc
ftp_username=jc
force_dot_files=YES

This tells vsftpd that for the FTP user ‘jc’ the home is /home/jc, and that files I upload or modify are created with the permissions of the system user ‘jc’ (guest_username=jc requires a matching account in /etc/passwd; with virtual_use_local_privs=YES the session runs with that user’s privileges). force_dot_files makes hidden files show up in listings too.

For everyone else I also have a user file set up. Here’s what it generally looks like:

deny_file={www,lost*found,important}
hide_file={www,lost*found,important}
guest_username=ftp
local_max_rate=4096

This tells vsftpd that these users can’t see (hide_file) or fetch and store (deny_file) the listed entries, and it caps their transfer rate (local_max_rate is in bytes per second, so 4096 is 4 KiB/s). Use both directives with the same patterns: hide_file alone only removes the names from directory listings, and a user who guesses a name can still fetch it.

You could set up one file like this and ln -s it to each of the other usernames, or move these directives into vsftpd.conf as the defaults and override them per user where needed. Either way works.
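To make the per-user files and the chroot_list entry reproducible, here is a small script (an added example, not from the original post) that writes both kinds of user file described above and appends the unrestricted user to chroot_list without duplicating it. It also refuses login names that are not plain [A-Za-z0-9_.-], since the name becomes a file name under user_config_dir. VSFTPD_ETC defaults to /etc/vsftpd as in the guide; the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): write the per-user files in
# user_config_dir, and the chroot_list entry, from one script so the restricted
# template and the unrestricted admin entry stay consistent. VSFTPD_ETC
# defaults to /etc/vsftpd (the path used in this guide); point it at a scratch
# directory to preview what would be written.
set -eu

VSFTPD_ETC="${VSFTPD_ETC:-/etc/vsftpd}"

# The file name is the FTP login name, so refuse anything that could escape
# user_config_dir or confuse matching later: only [A-Za-z0-9_.-], no leading dot.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Restricted account: stays chroot'd in the global local_root, cannot list or
# fetch the listed entries, and is capped at RATE bytes per second (default 4096).
write_restricted_user() {
    name="$1"; rate="${2:-4096}"
    valid_name "$name" || { echo "refusing bad user name: $name" >&2; return 1; }
    case "$rate" in ''|*[!0-9]*) echo "rate must be a number: $rate" >&2; return 1 ;; esac
    mkdir -p "$VSFTPD_ETC/users"
    cat > "$VSFTPD_ETC/users/$name" <<EOF
deny_file={www,lost*found,important}
hide_file={www,lost*found,important}
guest_username=ftp
local_max_rate=$rate
EOF
}

# Unrestricted account: own home as root, files created as the matching system
# user, and listed in chroot_list so chroot_local_user=YES does not apply to it.
write_admin_user() {
    name="$1"; home="$2"
    valid_name "$name" || { echo "refusing bad user name: $name" >&2; return 1; }
    mkdir -p "$VSFTPD_ETC/users"
    cat > "$VSFTPD_ETC/users/$name" <<EOF
local_root=$home
guest_username=$name
ftp_username=$name
force_dot_files=YES
EOF
    # chroot_list wants the name on a line by itself; add it only once.
    touch "$VSFTPD_ETC/chroot_list"
    grep -qxF -- "$name" "$VSFTPD_ETC/chroot_list" \
        || printf '%s\n' "$name" >> "$VSFTPD_ETC/chroot_list"
}

# Usage (as root): write_admin_user jc /home/jc; write_restricted_user guest1 4096
```

Try it first with VSFTPD_ETC pointed at a scratch directory and inspect what it writes; run it as root against the live directory once you are happy with the output.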

Once this is all set up, and assuming your firewall allows port 21 (plus the passive port range, if you pinned one) and mysqld is running, start the vsftpd service. Some vsftpd packages install an init.d script but do not register it with chkconfig, so you have to add it with chkconfig --add before you can enable and start it.

Troubleshooting problems

I haven’t yet managed to stop vsftpd from starting up, so I can’t explain how to debug that; the one thing worth knowing is that a malformed vsftpd.conf makes it exit immediately with a “500 OOPS:” line naming the bad option. If vsftpd is up and running, try logging in. If you can’t, check the PAM side first in /var/log/secure, then the transfer side in /var/log/vsftpd.log and /var/log/xferlog (dual_log_enable=YES writes both); with sqllog=1 the logs table in MySQL records each attempt as well.

This entry was posted by jc on Monday, October 4th, 2010 at 1:45 pm and is filed under Linux, Tutorials.

2 Comments

  1. prefabrik says:

    thank you mate.
