21.2.2. The vsftpd Server

The vsftpd RPM installs the /etc/rc.d/init.d/vsftpd script, which can be accessed using the service command.

To start the server, type the following as root:

~]# service vsftpd start

To stop the server, as type:

~]# service vsftpd stop

The restart option is a shorthand way of stopping and then starting vsftpd. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd.

To restart the server, as type the following as root:

~]# service vsftpd restart

The condrestart (conditional restart) option only stops and starts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running. The try-restart option is a synonym.

To conditionally restart the server, as root type:

~]# service vsftpd condrestart

By default, the vsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. See Chapter 12, Services and Daemons for more information regarding these tools.

Sometimes, one computer is used to serve multiple FTP domains. This is a technique called multihoming. One way to multihome using vsftpd is by running multiple copies of the daemon, each with its own configuration file.

To do this, first assign all relevant IP addresses to network devices or alias network devices on the system. For more information about configuring network devices, device aliases, see Chapter 10, NetworkManager. For additional information about network configuration scripts, see Chapter 11, Network Interfaces.

Next, the DNS server for the FTP domains must be configured to reference the correct machine. For information about BIND, the DNS protocol implementation used in Red Hat Enterprise Linux, and its configuration files, see Section 17.2, “BIND”.

For vsftpd to answer requests on different IP addresses, multiple copies of the daemon must be running. In order to make this possible, a separate vsftpd configuration file for each required instance of the FTP server must be created and placed in the /etc/vsftpd/ directory. Note that each of these configuration files must have a unique name (such as /etc/vsftpd/vsftpd-site-2.conf) and must be readable and writable only by the root user.

Within each configuration file for each FTP server listening on an IPv4 network, the following directive must be unique:

listen_address=N.N.N.N

Replace N.N.N.N with a unique IP address for the FTP site being served. If the site is using IPv6, use the listen_address6 directive instead.

Once there are multiple configuration files present in the /etc/vsftpd/ directory, all configured instances of the vsftpd daemon can be started by executing the following command as root:

~]# service vsftpd start

See Section 21.2.2.1, “Starting and Stopping vsftpd” for a description of other available service commands.

Individual instances of the vsftpd daemon can be launched from a root shell prompt using the following command:

~]# vsftpd /etc/vsftpd/configuration-file

In the above command, replace configuration-file with the unique name of the requested server's configuration file, such as vsftpd-site-2.conf.

Other directives to consider altering on a per-server basis are:

For a detailed list of directives that can be used in the configuration file of the vsftpd daemon, see Section 21.2.2.5, “Files Installed with vsftpd”.

In order to counter the inherently insecure nature of FTP, which transmits user names, passwords, and data without encryption by default, the vsftpd daemon can be configured to utilize the TLS protocol to authenticate connections and encrypt all transfers. Note that an FTP client that supports TLS is needed to communicate with vsftpd with TLS enabled.

Set the ssl_enable configuration directive in the vsftpd.conf file to YES to turn on TLS support. The default settings of other TLS-related directives that become automatically active when the ssl_enable option is enabled provide for a reasonably well-configured TLS set up. This includes, among other things, the requirement to only use the TLS v1 protocol for all connections (the use of the insecure SSL protocol versions is disabled by default) or forcing all non-anonymous logins to use TLS for sending passwords and data transfers.

ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

~]# service vsftpd restart

See the vsftpd.conf(5) manual page for other TLS-related configuration directives for fine-tuning the use of TLS by vsftpd. Also, see Section 21.2.2.6, “vsftpd Configuration Options” for a description of other commonly used vsftpd.conf configuration directives.

The SELinux policy governing the vsftpd daemon (as well as other ftpd processes), defines a mandatory access control, which, by default, is based on least access required. In order to allow the FTP daemon to access specific files or directories, appropriate labels need to be assigned to them.

For example, in order to be able to share files anonymously, the public_content_t label must be assigned to the files and directories to be shared. You can do this using the chcon command as root:

~]# chcon -R -t public_content_t /path/to/directory

In the above command, replace /path/to/directory with the path to the directory to which you want to assign the label. Similarly, if you want to set up a directory for uploading files, you need to assign that particular directory the public_content_rw_t label. In addition to that, the allow_ftpd_anon_write SELinux Boolean option must be set to 1. Use the setsebool command as root to do that:

~]# setsebool -P allow_ftpd_anon_write=1

If you want local users to be able to access their home directories through FTP, which is the default setting on Red Hat Enterprise Linux 6, the ftp_home_dir Boolean option needs to be set to 1. If vsftpd is to be allowed to run in standalone mode, which is also enabled by default on Red Hat Enterprise Linux 6, the ftpd_is_daemon option needs to be set to 1 as well.

See the ftpd_selinux(8) manual page for more information, including examples of other useful labels and Boolean options, on how to configure the SELinux policy pertaining to FTP. Also, see the Red Hat Enterprise Linux 6 Security-Enhanced Linux for more detailed information about SELinux in general.

The vsftpd RPM installs the daemon (vsftpd), its configuration and related files, as well as FTP directories onto the system. The following lists the files and directories related to vsftpd configuration:

Although vsftpd may not offer the level of customization other widely available FTP servers have, it offers enough options to satisfy most administrators' needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.

All configuration of vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and follows the following format:

directive=value

For each directive, replace directive with a valid directive and value with a valid value.

Comment lines must be preceded by a hash symbol (#) and are ignored by the daemon.

For a complete list of all directives available, see the man page for vsftpd.conf. For an overview of ways to secure vsftpd, see the Red Hat Enterprise Linux 6 Security Guide.

The following is a list of some of the more important directives within /etc/vsftpd/vsftpd.conf. All directives not explicitly found or commented out within the vsftpd's configuration file are set to their default value.