vsftpd configuration (multi-user, PASV mode) on Debian
 
This short how-to explains how to install vsftpd (very secure ftp server). It is assumed that the directories of the different FTP users reside in /var/www.

Issue the following commands to add a user for the ftp server and install the daemon:
useradd ftpsecure -m -d /var/www/ftpsecure -s /bin/false
passwd ftpsecure
touch /etc/vsftpd.user_list
apt-get install vsftpd


Add to /etc/shells:
/bin/false
(otherwise FTP logins won't work for users that have /bin/false as their shell)

The following configuration example should work for a multi-user environment with vsftpd in passive mode:
/etc/vsftpd.conf:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=000
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
nopriv_user=ftpsecure
ascii_upload_enable=YES
ascii_download_enable=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
syslog_enable=YES
log_ftp_protocol=YES
pasv_enable=YES
pasv_address=[EXT_IP_ADDRESS_HERE]
pasv_min_port=32000
pasv_max_port=32127
port_enable=YES


Replace [EXT_IP_ADDRESS_HERE] with your external static IP address.


To add a user to the FTP environment:
- Add System user: useradd USERNAME -m -d /var/www/USERDIR -s /bin/false
- Give password for the user: passwd USERNAME
- Add user to /etc/vsftpd.user_list (users separated by newline)

If you are behind a firewall / NAT device, forward the TCP ports 20, 21 and 32000-32127 to your FTP server. More information on this:
http://splatdot.com/running-vsftpd-behind-a-nat-firewall/

Additionally, for more security and if a certificate is available, vsftpd can be configured with TLS/SSL. Add the following additional entries to /etc/vsftpd.conf:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=[PATH_TO_CERTIFICATE]
require_ssl_reuse=NO


Replace [PATH_TO_CERTIFICATE] with the path to your certificate file (/path/to/your/certificate.pem).
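
Added example (not part of the original how-to): a small Python check that reads vsftpd.conf text and reports the settings on this page that deserve a second look. With force_local_logins_ssl=NO and force_local_data_ssl=NO, TLS is offered but not required, so a client can still send its password in the clear; local_umask=000 leaves uploads world-writable; rsa_cert_file ends up set twice; and a placeholder may be left unreplaced. The function names, finding names and sample text are constructed for this example, and the defaults are those documented in vsftpd.conf(5).

```python
# Built-in defaults as documented in vsftpd.conf(5).
DEFAULTS = {"anonymous_enable": "YES", "ssl_enable": "NO", "local_umask": "077",
            "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
            "ssl_sslv2": "NO", "ssl_sslv3": "NO"}
# Constructed sample: shortened base config followed by the page's TLS entries.
SAMPLE_CONF = """\
anonymous_enable=NO
local_umask=000
rsa_cert_file=/etc/ssl/private/vsftpd.pem
pasv_address=[EXT_IP_ADDRESS_HERE]
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
rsa_cert_file=[PATH_TO_CERTIFICATE]
"""

def parse_conf(text):
    """Return (settings, duplicate_keys); a later line overrides an earlier one."""
    settings, seen, dups = dict(DEFAULTS), set(), []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
        settings[key] = value
    return settings, dups

def audit(text):
    """Return sorted finding names (the names are this example's own)."""
    s, dups = parse_conf(text)
    yes = lambda k: s[k].upper() in ("YES", "TRUE", "1")
    found = ["duplicate:" + k for k in dups]
    found += ["placeholder:" + k for k, v in s.items() if v.startswith("[")]
    if yes("anonymous_enable"):
        found.append("anonymous-login")
    if not yes("ssl_enable"):
        found.append("cleartext-only")  # no TLS offered at all
    else:
        if not yes("force_local_logins_ssl"):
            found.append("tls-optional-login")  # password may still travel in clear
        if not yes("force_local_data_ssl"):
            found.append("tls-optional-data")  # transfers may still travel in clear
        found += ["legacy-ssl:" + k for k in ("ssl_sslv2", "ssl_sslv3") if yes(k)]
    # vsftpd reads the umask as octal only when it has a leading 0.
    umask = int(s["local_umask"], 8 if s["local_umask"].startswith("0") else 10)
    found += ["world-writable-uploads"] if umask & 0o002 == 0 else []
    return sorted(found)
```

To check a real file, pass its contents: audit(open("/etc/vsftpd.conf").read()). An empty result means none of these conditions were found, not that the server is otherwise hardened.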
 
admin / Dec 03, 2012
   
 
 
 
 
     
     
2004 - 2019 / lookass.ch
makememad@lookass.ch