이 콘텐츠는 선택한 언어로 제공되지 않습니다.
21.2.2. The vsftpd Server
The Very Secure FTP Daemon (
vsftpd
) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd
is the only stand-alone FTP
server distributed with Red Hat Enterprise Linux, due to its ability to handle large numbers of connections efficiently and securely.
The security model used by
vsftpd
has three primary aspects:
- Strong separation of privileged and non-privileged processes — Separate processes handle different tasks, and each of these processes runs with the minimal privileges required for the task.
- Tasks requiring elevated privileges are handled by processes with the minimal privilege necessary — By taking advantage of compatibilities found in the
libcap
library, tasks that usually require full root privileges can be executed more safely from a less privileged process. - Most processes run in a
chroot
jail — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered achroot
jail. For example, if the/var/ftp/
directory is the primary shared directory,vsftpd
reassigns/var/ftp/
to the new root directory, known as/
. This disallows any potential malicious hacker activities for any directories not contained in the new root directory.
Use of these security practices has the following effect on how
vsftpd
deals with requests:
- The parent process runs with the least privileges required — The parent process dynamically calculates the level of privileges it requires to minimize the level of risk. Child processes handle direct interaction with the
FTP
clients and run with as close to no privileges as possible. - All operations requiring elevated privileges are handled by a small parent process — Much like the Apache
HTTP
Server,vsftpd
launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks. - All requests from unprivileged child processes are distrusted by the parent process — Communication with child processes is received over a socket, and the validity of any information from child processes is checked before being acted on.
- Most interactions with
FTP
clients are handled by unprivileged child processes in achroot
jail — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allow the attacker access to the shared files.
21.2.2.1. Starting and Stopping vsftpd
The vsftpd RPM installs the
/etc/rc.d/init.d/vsftpd
script, which can be accessed using the service
command.
To start the server, type the following as
root
:
~]# service vsftpd start
To stop the server, as type:
~]# service vsftpd stop
The
restart
option is a shorthand way of stopping and then starting vsftpd
. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd
.
To restart the server, as type the following as
root
:
~]# service vsftpd restart
The
condrestart
(conditional restart) option only stops and starts vsftpd
if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running. The try-restart
option is a synonym.
To conditionally restart the server, as root type:
~]# service vsftpd condrestart
By default, the
vsftpd
service does not start automatically at boot time. To configure the vsftpd
service to start at boot time, use an initscript utility, such as /sbin/chkconfig
, /usr/sbin/ntsysv, or the Services Configuration Tool program. See Chapter 12, Services and Daemons for more information regarding these tools.
21.2.2.2. Starting Multiple Copies of vsftpd
Sometimes, one computer is used to serve multiple
FTP
domains. This is a technique called multihoming. One way to multihome using vsftpd
is by running multiple copies of the daemon, each with its own configuration file.
To do this, first assign all relevant
IP
addresses to network devices or alias network devices on the system. For more information about configuring network devices, device aliases, see Chapter 10, NetworkManager. For additional information about network configuration scripts, see Chapter 11, Network Interfaces.
Next, the DNS server for the
FTP
domains must be configured to reference the correct machine. For information about BIND, the DNS
protocol implementation used in Red Hat Enterprise Linux, and its configuration files, see Section 17.2, “BIND”.
For
vsftpd
to answer requests on different IP
addresses, multiple copies of the daemon must be running. In order to make this possible, a separate vsftpd
configuration file for each required instance of the FTP
server must be created and placed in the /etc/vsftpd/
directory. Note that each of these configuration files must have a unique name (such as /etc/vsftpd/vsftpd-site-2.conf
) and must be readable and writable only by the root
user.
Within each configuration file for each
FTP
server listening on an IPv4
network, the following directive must be unique:
listen_address=N.N.N.N
Replace N.N.N.N with a unique
IP
address for the FTP
site being served. If the site is using IPv6
, use the listen_address6
directive instead.
Once there are multiple configuration files present in the
/etc/vsftpd/
directory, all configured instances of the vsftpd
daemon can be started by executing the following command as root
:
~]# service vsftpd start
See Section 21.2.2.1, “Starting and Stopping vsftpd” for a description of other available
service
commands.
Individual instances of the
vsftpd
daemon can be launched from a root
shell prompt using the following command:
~]# vsftpd /etc/vsftpd/configuration-file
In the above command, replace configuration-file with the unique name of the requested server's configuration file, such as
vsftpd-site-2.conf
.
Other directives to consider altering on a per-server basis are:
anon_root
local_root
vsftpd_log_file
xferlog_file
For a detailed list of directives that can be used in the configuration file of the
vsftpd
daemon, see Section 21.2.2.5, “Files Installed with vsftpd”.
21.2.2.3. Encrypting vsftpd Connections Using TLS
In order to counter the inherently insecure nature of
FTP
, which transmits user names, passwords, and data without encryption by default, the vsftpd
daemon can be configured to utilize the TLS
protocol to authenticate connections and encrypt all transfers. Note that an FTP
client that supports TLS
is needed to communicate with vsftpd
with TLS
enabled.
Note
SSL
(Secure Sockets Layer) is the name of an older implementation of the security protocol. The new versions are called TLS
(Transport Layer Security). Only the newer versions (TLS
) should be used as SSL
suffers from serious security vulnerabilities. The documentation included with the vsftpd server, as well as the configuration directives used in the vsftpd.conf
file, use the SSL
name when referring to security-related matters, but TLS
is supported and used by default when the ssl_enable
directive is set to YES
.
Set the
ssl_enable
configuration directive in the vsftpd.conf
file to YES
to turn on TLS
support. The default settings of other TLS
-related directives that become automatically active when the ssl_enable
option is enabled provide for a reasonably well-configured TLS
set up. This includes, among other things, the requirement to only use the TLS
v1 protocol for all connections (the use of the insecure SSL
protocol versions is disabled by default) or forcing all non-anonymous logins to use TLS
for sending passwords and data transfers.
Example 21.10. Configuring vsftpd to Use TLS
In this example, the configuration directives explicitly disable the older
SSL
versions of the security protocol in the vsftpd.conf
file:
ssl_enable=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO
Restart the
vsftpd
service after you modify its configuration:
~]# service vsftpd restart
See the vsftpd.conf(5) manual page for other
TLS
-related configuration directives for fine-tuning the use of TLS
by vsftpd
. Also, see Section 21.2.2.6, “vsftpd Configuration Options” for a description of other commonly used vsftpd.conf
configuration directives.
21.2.2.4. SELinux Policy for vsftpd
The SELinux policy governing the
vsftpd
daemon (as well as other ftpd
processes), defines a mandatory access control, which, by default, is based on least access required. In order to allow the FTP
daemon to access specific files or directories, appropriate labels need to be assigned to them.
For example, in order to be able to share files anonymously, the
public_content_t
label must be assigned to the files and directories to be shared. You can do this using the chcon
command as root
:
~]# chcon -R -t public_content_t /path/to/directory
In the above command, replace /path/to/directory with the path to the directory to which you want to assign the label. Similarly, if you want to set up a directory for uploading files, you need to assign that particular directory the
public_content_rw_t
label. In addition to that, the allow_ftpd_anon_write
SELinux Boolean option must be set to 1
. Use the setsebool
command as root
to do that:
~]# setsebool -P allow_ftpd_anon_write=1
If you want local users to be able to access their home directories through
FTP
, which is the default setting on Red Hat Enterprise Linux 6, the ftp_home_dir
Boolean option needs to be set to 1
. If vsftpd
is to be allowed to run in standalone mode, which is also enabled by default on Red Hat Enterprise Linux 6, the ftpd_is_daemon
option needs to be set to 1
as well.
See the ftpd_selinux(8) manual page for more information, including examples of other useful labels and Boolean options, on how to configure the SELinux policy pertaining to
FTP
. Also, see the Red Hat Enterprise Linux 6 Security-Enhanced Linux for more detailed information about SELinux in general.
21.2.2.5. Files Installed with vsftpd
The vsftpd RPM installs the daemon (
vsftpd
), its configuration and related files, as well as FTP
directories onto the system. The following lists the files and directories related to vsftpd
configuration:
/etc/pam.d/vsftpd
— The Pluggable Authentication Modules (PAM) configuration file forvsftpd
. This file specifies the requirements a user must meet to log in to theFTP
server. For more information on PAM, see the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Single Sign-On and Smart Cards guide./etc/vsftpd/vsftpd.conf
— The configuration file forvsftpd
. See Section 21.2.2.6, “vsftpd Configuration Options” for a list of important options contained within this file./etc/vsftpd/ftpusers
— A list of users not allowed to log in tovsftpd
. By default, this list includes theroot
,bin
, anddaemon
users, among others./etc/vsftpd/user_list
— This file can be configured to either deny or allow access to the users listed, depending on whether theuserlist_deny
directive is set toYES
(default) orNO
in/etc/vsftpd/vsftpd.conf
. If/etc/vsftpd/user_list
is used to grant access to users, the user names listed must not appear in/etc/vsftpd/ftpusers
./var/ftp/
— The directory containing files served byvsftpd
. It also contains the/var/ftp/pub/
directory for anonymous users. Both directories are world-readable, but writable only by theroot
user.
21.2.2.6. vsftpd Configuration Options
Although vsftpd may not offer the level of customization other widely available
FTP
servers have, it offers enough options to satisfy most administrators' needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
All configuration of
vsftpd
is handled by its configuration file, /etc/vsftpd/vsftpd.conf
. Each directive is on its own line within the file and follows the following format:
directive=value
For each directive, replace directive with a valid directive and value with a valid value.
Important
There must not be any spaces between the directive, equal symbol, and the value in a directive.
Comment lines must be preceded by a hash symbol (
#
) and are ignored by the daemon.
For a complete list of all directives available, see the man page for
vsftpd.conf
. For an overview of ways to secure vsftpd
, see the Red Hat Enterprise Linux 6 Security Guide.
The following is a list of some of the more important directives within
/etc/vsftpd/vsftpd.conf
. All directives not explicitly found or commented out within the vsftpd
's configuration file are set to their default value.
21.2.2.6.1. Daemon Options
The following is a list of directives that control the overall behavior of the
vsftpd
daemon.
listen
— When enabled,vsftpd
runs in standalone mode, which means that the daemon is started independently, not by thexinetd
super-server. Red Hat Enterprise Linux 6 sets this value toYES
. Note that the SELinuxftpd_is_daemon
Boolean option needs to be set forvsftpd
to be allowed to run in standalone mode. See Section 21.2.2.4, “SELinux Policy for vsftpd” and toftpd_selinux(8)
for more information onvsftpd
's interaction with the default SELinux policy. This directive cannot be used in conjunction with thelisten_ipv6
directive.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.listen_ipv6
— When enabled,vsftpd
runs in standalone mode, which means that the daemon is started independently, not by thexinetd
super-server. With this directive, it only listens onIPv6
sockets. Note that the SELinuxftpd_is_daemon
Boolean option needs to be set forvsftpd
to be allowed to run in standalone mode. See Section 21.2.2.4, “SELinux Policy for vsftpd” and toftpd_selinux(8)
for more information onvsftpd
's interaction with the default SELinux policy. This directive cannot be used in conjunction with thelisten
directive.The default value isNO
.session_support
— When enabled,vsftpd
attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). For more information, see the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Single Sign-On and Smart Cards and the PAM man pages. If session logging is not necessary, disabling this option allowsvsftpd
to run with less processes and lower privileges.The default value isNO
.
21.2.2.6.2. Log In Options and Access Controls
The following is a list of directives that control the login behavior and access-control mechanisms.
anonymous_enable
— When enabled, anonymous users are allowed to log in. The user namesanonymous
andftp
are accepted.The default value isYES
.See Section 21.2.2.6.3, “Anonymous User Options” for a list of directives affecting anonymous users.banned_email_file
— If thedeny_email_enable
directive is set toYES
, this directive specifies the file containing a list of anonymous email passwords that are not permitted access to the server.The default value is/etc/vsftpd/banned_emails
.banner_file
— Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in theftpd_banner
directive.There is no default value for this directive.cmds_allowed
— Specifies a comma-delimited list ofFTP
commands allowed by the server. All other commands are rejected.There is no default value for this directive.deny_email_enable
— When enabled, any anonymous user utilizing email passwords specified in/etc/vsftpd/banned_emails
are denied access to the server. The name of the file referenced by this directive can be specified using thebanned_email_file
directive.The default value isNO
.ftpd_banner
— When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by thebanner_file
directive.By default,vsftpd
displays its standard banner.local_enable
— When enabled, local users are allowed to log in to the system. Note that the SELinuxftp_home_dir
Boolean option needs to be set for this directive to work as expected. See Section 21.2.2.4, “SELinux Policy for vsftpd” and toftpd_selinux(8)
for more information onvsftpd
's interaction with the default SELinux policy.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.See Section 21.2.2.6.4, “Local-User Options” for a list of directives affecting local users.pam_service_name
— Specifies the PAM service name forvsftpd
.The default value isftp
. On Red Hat Enterprise Linux 6, this option is set tovsftpd
in the configuration file.tcp_wrappers
— When enabled, TCP wrappers are used to grant access to the server. If the FTP server is configured on multiple IP addresses, theVSFTPD_LOAD_CONF
environment variable can be used to load different configuration files based on the IP address being requested by the client.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.userlist_deny
— When used in conjunction with theuserlist_enable
directive and set toNO
, all local users are denied access unless their user name is listed in the file specified by theuserlist_file
directive. Because access is denied before the client is asked for a password, setting this directive toNO
prevents local users from submitting unencrypted passwords over the network.The default value isYES
.userlist_enable
— When enabled, users listed in the file specified by theuserlist_file
directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.userlist_file
— Specifies the file referenced byvsftpd
when theuserlist_enable
directive is enabled.The default value is
, which is created during installation./etc/vsftpd/user_list
21.2.2.6.3. Anonymous User Options
The following lists directives that control anonymous user access to the server. To use these options, the
anonymous_enable
directive must be set to YES
.
anon_mkdir_write_enable
— When enabled in conjunction with thewrite_enable
directive, anonymous users are allowed to create new directories within a parent directory that has write permissions.The default value isNO
.anon_root
— Specifies the directoryvsftpd
changes to after an anonymous user logs in.There is no default value for this directive.anon_upload_enable
— When enabled in conjunction with thewrite_enable
directive, anonymous users are allowed to upload files within a parent directory that has write permissions.The default value isNO
.anon_world_readable_only
— When enabled, anonymous users are only allowed to download world-readable files.The default value isYES
.ftp_username
— Specifies the local user account (listed in/etc/passwd
) used for the anonymousFTP
user. The home directory specified in/etc/passwd
for the user is the root directory of the anonymousFTP
user.The default value is
.ftp
no_anon_password
— When enabled, the anonymous user is not asked for a password.The default value isNO
.secure_email_list_enable
— When enabled, only a specified list of email passwords for anonymous logins is accepted. This is a convenient way of offering limited security to public content without the need for virtual users.Anonymous logins are prevented unless the password provided is listed in/etc/vsftpd/email_passwords
. The file format is one password per line, with no trailing white spaces.The default value isNO
.
21.2.2.6.4. Local-User Options
The following lists directives that characterize the way local users access the server. To use these options, the
local_enable
directive must be set to YES
. Note that the SELinux ftp_home_dir
Boolean option needs to be set for users to be able to access their home directories. See Section 21.2.2.4, “SELinux Policy for vsftpd” and to ftpd_selinux(8)
for more information on vsftpd
's interaction with the default SELinux policy.
chmod_enable
— When enabled, theFTP
commandSITE CHMOD
is allowed for local users. This command allows the users to change the permissions on files.The default value isYES
.chroot_list_enable
— When enabled, the local users listed in the file specified in thechroot_list_file
directive are placed in achroot
jail upon log in.If enabled in conjunction with thechroot_local_user
directive, the local users listed in the file specified in thechroot_list_file
directive are not placed in achroot
jail upon log in.The default value isNO
.chroot_list_file
— Specifies the file containing a list of local users referenced when thechroot_list_enable
directive is set toYES
.The default value is
./etc/vsftpd/chroot_list
chroot_local_user
— When enabled, local users are change-rooted to their home directories after logging in.The default value isNO
.Warning
Enablingchroot_local_user
opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.guest_enable
— When enabled, all non-anonymous users are logged in as the userguest
, which is the local user specified in theguest_username
directive.The default value isNO
.guest_username
— Specifies the user name theguest
user is mapped to.The default value is
.ftp
local_root
— Specifies the directoryvsftpd
changes to after a local user logs in.There is no default value for this directive.local_umask
— Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a “0” prefix. Otherwise, the value is treated as a base-10 integer.The default value is077
. On Red Hat Enterprise Linux 6, this option is set to022
in the configuration file.passwd_chroot_enable
— When enabled in conjunction with thechroot_local_user
directive,vsftpd
change-roots local users based on the occurrence of/./
in the home-directory field within/etc/passwd
.The default value isNO
.user_config_dir
— Specifies the path to a directory containing configuration files bearing the names of local system users that contain specific settings for those users. Any directive in a user's configuration file overrides those found in/etc/vsftpd/vsftpd.conf
.There is no default value for this directive.
21.2.2.6.5. Directory Options
The following lists directives that affect directories.
dirlist_enable
— When enabled, users are allowed to view directory lists.The default value isYES
.dirmessage_enable
— When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in themessage_file
directive and is.message
by default.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.force_dot_files
— When enabled, files beginning with a dot (.
) are listed in directory listings, with the exception of the.
and..
files.The default value isNO
.hide_ids
— When enabled, all directory listings showftp
as the user and group for each file.The default value isNO
.message_file
— Specifies the name of the message file when using thedirmessage_enable
directive.The default value is
..message
text_userdb_names
— When enabled, text user names and group names are used in place of UID and GID entries. Enabling this option may negatively affect the performance of the server.The default value isNO
.use_localtime
— When enabled, directory listings reveal the local time for the computer instead of GMT.The default value isNO
.
21.2.2.6.6. File Transfer Options
The following lists directives that affect directories.
download_enable
— When enabled, file downloads are permitted.The default value isYES
.chown_uploads
— When enabled, all files uploaded by anonymous users are owned by the user specified in thechown_username
directive.The default value isNO
.chown_username
— Specifies the ownership of anonymously uploaded files if thechown_uploads
directive is enabled.The default value is
.root
write_enable
— When enabled,FTP
commands which can change the file system are allowed, such asDELE
,RNFR
, andSTOR
.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.
21.2.2.6.7. Logging Options
The following lists directives that affect
vsftpd
's logging behavior.
dual_log_enable
— When enabled in conjunction withxferlog_enable
,vsftpd
writes two files simultaneously: awu-ftpd
-compatible log to the file specified in thexferlog_file
directive (/var/log/xferlog
by default) and a standardvsftpd
log file specified in thevsftpd_log_file
directive (/var/log/vsftpd.log
by default).The default value isNO
.log_ftp_protocol
— When enabled in conjunction withxferlog_enable
and withxferlog_std_format
set toNO
, allFTP
commands and responses are logged. This directive is useful for debugging.The default value isNO
.syslog_enable
— When enabled in conjunction withxferlog_enable
, all logging normally written to the standardvsftpd
log file specified in thevsftpd_log_file
directive (/var/log/vsftpd.log
by default) is sent to the system logger instead under theFTPD
facility.The default value isNO
.vsftpd_log_file
— Specifies thevsftpd
log file. For this file to be used,xferlog_enable
must be enabled andxferlog_std_format
must either be set toNO
or, ifxferlog_std_format
is set toYES
,dual_log_enable
must be enabled. It is important to note that ifsyslog_enable
is set toYES
, the system log is used instead of the file specified in this directive.The default value is
./var/log/vsftpd.log
xferlog_enable
— When enabled,vsftpd
logs connections (vsftpd
format only) and file-transfer information to the log file specified in thevsftpd_log_file
directive (/var/log/vsftpd.log
by default). Ifxferlog_std_format
is set toYES
, file-transfer information is logged, but connections are not, and the log file specified inxferlog_file
(/var/log/xferlog
by default) is used instead. It is important to note that both log files and log formats are used ifdual_log_enable
is set toYES
.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.xferlog_file
— Specifies thewu-ftpd
-compatible log file. For this file to be used,xferlog_enable
must be enabled andxferlog_std_format
must be set toYES
. It is also used ifdual_log_enable
is set toYES
.The default value is
./var/log/xferlog
xferlog_std_format
— When enabled in conjunction withxferlog_enable
, only awu-ftpd
-compatible file-transfer log is written to the file specified in thexferlog_file
directive (/var/log/xferlog
by default). It is important to note that this file only logs file transfers and does not log connections to the server.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.
Important
To maintain compatibility with log files written by the older
wu-ftpd
FTP
server, the xferlog_std_format
directive is set to YES
under Red Hat Enterprise Linux 6. However, this setting means that connections to the server are not logged. To both log connections in vsftpd
format and maintain a wu-ftpd
-compatible file-transfer log, set dual_log_enable
to YES
. If maintaining a wu-ftpd
-compatible file-transfer log is not important, either set xferlog_std_format
to NO
, comment the line with a hash symbol (“#”), or delete the line entirely.
21.2.2.6.8. Network Options
The following lists directives that define how
vsftpd
interacts with the network.
accept_timeout
— Specifies the amount of time for a client using passive mode to establish a connection.The default value is60
.anon_max_rate
— Specifies the maximum data transfer rate for anonymous users in bytes per second.The default value is0
, which does not limit the transfer rate.connect_from_port_20
— When enabled,vsftpd
runs with enough privileges to open port20
on the server during active-mode data transfers. Disabling this option allowsvsftpd
to run with less privileges but may be incompatible with someFTP
clients.The default value isNO
. On Red Hat Enterprise Linux 6, this option is set toYES
in the configuration file.connect_timeout
— Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.The default value is60
.data_connection_timeout
— Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.The default value is300
.ftp_data_port
— Specifies the port used for active data connections whenconnect_from_port_20
is set toYES
.The default value is20
.idle_session_timeout
— Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.The default value is300
.listen_address
— Specifies theIP
address on whichvsftpd
listens for network connections.There is no default value for this directive.Note
If running multiple copies ofvsftpd
serving differentIP
addresses, the configuration file for each copy of thevsftpd
daemon must have a different value for this directive. See Section 21.2.2.2, “Starting Multiple Copies of vsftpd” for more information about multihomedFTP
servers.listen_address6
— Specifies theIPv6
address on whichvsftpd
listens for network connections whenlisten_ipv6
is set toYES
.There is no default value for this directive.Note
If running multiple copies ofvsftpd
serving differentIP
addresses, the configuration file for each copy of thevsftpd
daemon must have a different value for this directive. See Section 21.2.2.2, “Starting Multiple Copies of vsftpd” for more information about multihomedFTP
servers.listen_port
— Specifies the port on whichvsftpd
listens for network connections.The default value is21
.local_max_rate
— Specifies the maximum rate at which data is transferred for local users logged in to the server in bytes per second.The default value is0
, which does not limit the transfer rate.max_clients
— Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.The default value is0
, which does not limit connections.max_per_ip
— Specifies the maximum number of clients allowed to connect from the same sourceIP
address.The default value is50
. The value0
switches off the limit.pasv_address
— Specifies theIP
address for the public-facingIP
address of the server for servers behind Network Address Translation (NAT) firewalls. This enablesvsftpd
to hand out the correct return address for passive-mode connections.There is no default value for this directive.pasv_enable
— When enabled, passive-mode connections are allowed.The default value isYES
.pasv_max_port
— Specifies the highest possible port sent toFTP
clients for passive-mode connections. This setting is used to limit the port range so that firewall rules are easier to create.The default value is0
, which does not limit the highest passive-port range. The value must not exceed65535
.pasv_min_port
— Specifies the lowest possible port sent toFTP
clients for passive-mode connections. This setting is used to limit the port range so that firewall rules are easier to create.The default value is0
, which does not limit the lowest passive-port range. The value must not be lower than1024
.pasv_promiscuous
— When enabled, data connections are not checked to make sure they are originating from the sameIP
address. This setting is only useful for certain types of tunneling.Warning
Do not enable this option unless absolutely necessary as it disables an important security feature, which verifies that passive-mode connections originate from the sameIP
address as the control connection that initiates the data transfer.The default value isNO
.port_enable
— When enabled, active-mode connects are allowed.The default value isYES
.
21.2.2.6.9. Security Options
The following lists directives that can be used to improve
vsftpd
security.
isolate_network
— If enabled,vsftpd
uses theCLONE_NEWNET
container flag to isolate the unprivileged protocol handler processes, so that they cannot arbitrarily callconnect()
and instead have to ask the privileged process for sockets (theport_promiscuous
option must be disabled).The default value isYES
.isolate
— If enabled,vsftpd
uses theCLONE_NEWPID
andCLONE_NEWIPC
container flags to isolate processes to their IPC and PID namespaces to prevent them from interacting with each other.The default value isYES
.ssl_enable
— Enablesvsftpd
's support forSSL
(includingTLS
). SSL is used both for authentication and subsequent data transfers. Note that all otherSSL
-related options are only applicable ifssl_enable
is set toYES
.The default value isNO
.allow_anon_ssl
— Specifies whether anonymous users should be allowed to use securedSSL
connections.The default value isNO
.require_cert
— If enabled, allSSL
client connections are required to present a client certificate.The default value isNO
.