Saturday, November 20, 2010

vsftpd, remote access

I had to configure this so that a client could test an app. I confess that FTP is not on my expertise list, and it is also on my 'insecure paranoia' list... but knowing of no better solution for the problem at hand, you stick with the best you've got. If you're going for long-term use, I'd suggest searching Google for a way to keep your server running on SFTP. A reminder that encryption is still the best vaccine we've got against web disease... =P

The steps are:
1) configure vsftpd to allow virtual users and remote access
2) generate the users' auth database
3) configure your router to allow connections to the machine where vsftpd is running

1) sample /etc/vsftpd/vsftpd-virtual.conf
# disables anonymous FTP
anonymous_enable=NO
# enables non-anonymous FTP
local_enable=YES
# activates virtual users
guest_enable=YES
# virtual users to use local privs, not anon privs
virtual_use_local_privs=YES
# enables uploads and new directories
write_enable=YES
# the PAM file used for authentication of virtual users
pam_service_name=vsftpd-virtual
# in conjunction with 'local_root',
# specifies a home directory for each virtual user
user_sub_token=$USER
# CHANGE THIS TO YOUR DESIRED FOLDER
# (keep comments on their own line: vsftpd reads trailing text as part of the value)
local_root=/var/www/$USER
# the virtual user is restricted to the virtual FTP area
chroot_local_user=YES
# hides the FTP server user IDs and just display "ftp" in directory listings
hide_ids=YES
# runs vsftpd in standalone mode
listen=YES
# listens on this port for incoming FTP connections
listen_port=60021
# the minimum port to allocate for PASV style data connections
pasv_min_port=62222
# the maximum port to allocate for PASV style data connections
pasv_max_port=63333
# controls whether PORT style data connections use port 20 (ftp-data)
connect_from_port_20=YES
# the umask for file creation
local_umask=022

#log
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES



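# remote client: passive mode from behind NAT
pasv_enable=YES
pasv_address=YOUR_NETWORK_PUBLIC_ADDRESS
# pasv_min_port/pasv_max_port are already set above (62222-63333);
# forward that same range, plus listen_port, on the router in step 3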
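
A quick way to check a file like the one above before starting the server, as an added example that is not part of the original post: it applies the vsftpd.conf format rules (comments only on their own line, no whitespace around `=`) and also flags options set twice and an inverted PASV range, comparing the last value given for each bound. The names `lint_vsftpd_conf` and `sample_conf` are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: lint a vsftpd config against the vsftpd.conf(5) format rules.
# Prints one finding per line; returns 1 if anything was found.
lint_vsftpd_conf() {
    awk '
    /^[ \t]*$/ || /^#/ { next }          # blank lines and full-line comments
    {
        eq = index($0, "=")
        if (eq == 0) { printf "%d: not an option=value line\n", NR; bad++; next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        if (key ~ /[ \t]/ || val ~ /^[ \t]/) {
            printf "%d: whitespace around = in %s\n", NR, key; bad++
        }
        if (val ~ /[ \t]#/) {            # vsftpd has no trailing comments
            printf "%d: inline comment is read as part of %s\n", NR, key; bad++
        }
        if (key in seen) {
            printf "%d: %s already set on line %d\n", NR, key, seen[key]; bad++
        }
        seen[key] = NR; last[key] = val
    }
    END {
        lo = last["pasv_min_port"] + 0; hi = last["pasv_max_port"] + 0
        if (lo > 0 && hi > 0 && lo > hi) {
            printf "PASV range inverted: %d > %d\n", lo, hi; bad++
        }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample showing the patterns the linter looks for.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a complete config
anonymous_enable=NO
local_root=/var/www/$USER #CHANGE THIS
pasv_min_port=62222
pasv_max_port=63333
pasv_min_port=65000
EOF
}

# With a file argument lint that file, otherwise lint the sample.
if [ $# -gt 0 ]; then
    lint_vsftpd_conf "$1" || true
else
    sample_conf | lint_vsftpd_conf || true
fi
```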

2) Create a text file containing your users and their passwords, with each user name on one line and its password on the next,
e.g.
 user1
 user1pwd
 user2
 user2pwd


Generate the db file that vsftpd will use. Your command may be something like db4.8_load, depending on which version you have installed.

user@host#  db_load -T -t hash -f logins.txt /etc/vsftpd/virtual-users.db
Remove your logins.txt file; it is no longer needed, and it holds the passwords in clear text.

Start your server:
sudo /usr/sbin/vsftpd /etc/vsftpd/vsftpd-virtual.conf 



3) Configure your router 

 http://www.dslreports.com/forum/r4733382-HOW-TO-vsftpd-linux-and-linksys-router


HOW TO: vsftpd, linux and linksys router

Recently I've got vsftpd running from behind my BEFSX41 both in PORT and PASV modes, so I thought I'd share my set-up since FTP servers are quite a hot topic here ;)

My config:
BEFSX41 1.43.4 (any BEFSx should be OK)
vsftpd 1.1.1 (1.1.0 and up supports PASV from behind NAT, get it here: vsftpd.beasts.org )
RedHat 7.3 (any linux should be fine)

Router set-up:
Forward port 21 TCP on UPnP Forwarding page
Forward ports 65000~65534 TCP on Port Range Forwarding Page (any range, it's up to you)

vsftpd.conf set-up:
pasv_enable=YES
pasv_min_port=65000 (same range as on router)
pasv_max_port=65534
pasv_address=100.100.100.100 (here comes your WAN IP)
...all other variables are set to default values

And since I have dynamic WAN IP from my ISP here's a little script running from cron to update vsftpd.conf with current IP (I use free dynamic DNS service www.dynu.com )
code:
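#!/bin/sh
# vsftpd.conf IP update by Brano
vsftpd_conf=/etc/vsftpd.conf
vsftpd_log=/var/log/vsftpd.log
# change to your domain name in next line
my_ip=`host your_host.dynu.com | cut -f4 -d" "`
# match only the active setting, not a commented-out one
vsftpd_ip=`grep '^pasv_address=' "$vsftpd_conf" | cut -f2 -d=`

# stop if the lookup did not return a single dotted address (a failed lookup
# prints an error message instead) or if the config has no pasv_address line,
# so that nothing but an IP address is ever written into the config
case "$my_ip" in
   ""|*[!0-9.]*) exit 1 ;;
esac
[ -n "$vsftpd_ip" ] || exit 1

if [ "$my_ip" != "$vsftpd_ip" ] ; then
   ( echo ",s/$vsftpd_ip/$my_ip/g" && echo w ) | ed - "$vsftpd_conf"
   echo `date` "$vsftpd_conf updated with $my_ip IP address" >> "$vsftpd_log"
fi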

...hope this helps somebody :)

My special thanks to Bill_MI


happy sharing