First time vsftp setup

Jeff Boyce jboyce at meridianenv.com
Tue Jul 14 16:53:24 UTC 2009


Greetings -

I am setting up my very first ftp server for my small company and I am 
wondering if someone with more experience than I could look at my 
configuration and give me some advice.  I am wondering if my configuration 
is missing anything that would improve access security, within the 
constraints of my setup guidelines as described below.

The purpose of my ftp site is to enable our staff and a select group of our 
clients to exchange very large files back and forth, without the problems 
associated with emailing large files.  Clients would be chrooted into only 
their project directory, based on their user account name.  Internal staff 
would have access to all clients and project ftp directories by setting a 
Samba share on a directory above the clients project directories (we have a 
small close-knit company with no internal security concerns).  I will make 
the client directories (and user account names) based on a combination of 
the client name, project name, and accounting code number, so it should look 
relatively cryptic to anyone else.  Our ftp server is on a different 
physical box and a different fixed IP from our web site and email server 
(which is hosted offsite).  However it is on the same box as our Samba file 
server which also has OpenVPN running for our staff remote access.  I am 
running RHEL3 update 9, and the version of vsftpd that is associated with 
this OS level.

Below are my configuration files.  I have obscured the pasv port range.  The 
/etc/vsftpd.ftpusers and the /etc/pam.d/vsftpd files have no changes from 
the stock out of the box configuration.  Thanks for all suggestions.

/etc/vsftpd/vsftpd.conf
### Connection Information
listen=YES
background=YES
connect_from_port_20=YES
listen_port=21
ftp_data_port=20
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=10003
idle_session_timeout=600
data_connection_timeout=120
#
### Access Restrictions
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
pam_service_name=vsftpd
chroot_local_user=YES
write_enable=YES
local_umask=0666
#
### Logging and Messages
xferlog_enable=YES
dual_log_enable=YES
xferlog_file=/var/log/xferlog.log
vsftpd_log_file=/var/log/vsftpd.log
ftpd_banner=Welcome to Meridian Environmental's FTP Site.
dirmessage_enable=YES


/etc/vsftpd.users_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
# for users that are denied.
#
# Generic example of UserName, also for chroot directory
ClientNameProjectNameAccountNo1
ClientNameProjectNameAccountNo2


/etc/vsftpd.ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody


/etc/pam.d/vsftpd
#%PAM-1.0
auth       required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required pam_stack.so service=system-auth
auth       required pam_shells.so
account    required pam_stack.so service=system-auth
session    required pam_stack.so service=system-auth


Jeff Boyce
Meridian Environmental 
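An added example, not part of the post above and not vsftpd's own code: a small Python checker that parses the key=value format of the vsftpd.conf shown and flags the settings a reviewer would question (vsftpd masks new uploads with 0666 & ~local_umask, so local_umask=0666 yields mode 0000; a three-port passive range allows only three concurrent data connections). The sample config is a constructed excerpt of the posted one and the helper names are assumptions.

```python
"""Audit a vsftpd.conf excerpt for settings worth a second look (added example)."""

# Constructed sample: an excerpt of the posted configuration.
SAMPLE_CONF = """\
### Access Restrictions
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
write_enable=YES
local_umask=0666
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=10003
"""

def parse_vsftpd_conf(text):
    """Return {key: value}; vsftpd ignores blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def upload_file_mode(conf):
    """Mode of a newly uploaded file: 0666 masked by local_umask (octal, default 077)."""
    umask = int(conf.get("local_umask", "077"), 8)
    return 0o666 & ~umask

def audit(conf):
    """Return a list of findings; vsftpd defaults are used for absent keys."""
    findings = []
    if conf.get("anonymous_enable", "YES") != "NO":
        findings.append("anonymous_enable is not NO (vsftpd default is YES)")
    if conf.get("chroot_local_user", "NO") != "YES":
        findings.append("local users are not chrooted")
    if conf.get("write_enable", "NO") == "YES" and conf.get("userlist_deny", "YES") != "NO":
        findings.append("writes enabled without a userlist allow-list (userlist_deny=NO)")
    mode = upload_file_mode(conf)
    if mode & 0o600 != 0o600:
        findings.append("local_umask %s leaves uploads at mode %04o" % (conf.get("local_umask"), mode))
    if conf.get("pasv_enable", "YES") == "YES" and "pasv_min_port" in conf:
        span = int(conf["pasv_max_port"]) - int(conf["pasv_min_port"]) + 1
        if span < 10:
            findings.append("passive range allows only %d concurrent data connections" % span)
    return findings
```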



