Deploy and Test VSFTPD Server

Hands-On Lab

Length

01:00:00

Difficulty

Intermediate

In this Hands-On Lab you will download and configure a VSFTPD server and then connect to it to test it is working.

Deploy and Test a VSFTPD Server

In this lab, we'll deploy a VSFTPD server, configure it, and test access to it from a second server.

To get started, log in to the server using the credentials provided on the Hands-on Lab page.

Install VSFTPD

First, we'll install the vsftpd package, which will act as the server, and the ftp package, which includes a client for testing:

$ sudo yum install vsftpd ftp

Start the Service

In order to use the VSFTPD server, we must start its service:

$ sudo systemctl start vsftpd
$ sudo systemctl status vsftpd

Configure VSFTPD

In this section, we'll configure VSFTPD. Let's first navigate to its configuration directory:

$ cd /etc/vsftpd
$ ll
total 20
-rw------- 1 root root  125 Mar 22 12:14 ftpusers
-rw------- 1 root root  361 Mar 22 12:14 user_list
-rw------- 1 root root 4599 Mar 22 12:14 vsftpd.conf
-rwxr--r-- 1 root root  338 Mar 22 12:14 vsftpd_conf_migrate.sh

The ftpusers file includes a list of users that do not have access to the VSFTPD service:

$ cat ftpusers

The user_list file contains a list of users that can be prevented from accessing VSFTPD. Alternatively, depending on the PAM module's settings, this list may be configured as the only list of users that are allowed to use the service:

$ cat user_list

Next, we'll look at the main VSFTPD configuration file:

$ sudo vim /etc/vsftpd/vsftpd.conf

Most of the default settings are well commented. However, there are a few settings not in the default configuration that are important to know:

anon_max_rate=1000

This allows us to provide a rate limit for anonymous users in bytes.

banner_file=/etc/vsftpd/bannerfile

This specifies a text file to show to users upon connecting to the server. By default, VSFTPD displays a message that includes its version number, which makes it easier for malicious users to find known attack vectors. By overriding this behavior, we can increase the security of our system.

ftpd_banner=Welcome to blah FTP service.

This setting is similar to the banner file, but specifies a string in the configuration file itself, rather than pointing to an external file.

User List

Next, we'll see how to configure the user list that allows or denies access to the FTP server. Look for the following line:

userlist_enable=YES

This tells VSFTPD to use the user_list file for access control. In older versions, it may be set to NO by default. When set to YES, we control how the listed users are treated by adding or modifying this line:

userlist_deny=YES

When set to YES, this means that all users in the user_list file will be denied from using the service. When set to NO, this means that only users in the user_list file are able to access it.
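The settings above are easy to get wrong by hand, and the lab's own warning (commenting out anonymous_enable does not disable it) is the classic mistake. The following POSIX sh helpers are an added example and are not part of the lab or of the vsftpd project: get_opt reads the active value of a key, set_opt rewrites or appends it without touching commented-out lines, harden_conf applies the lab's changes, audit_conf reports the risky states discussed in this section, and greeting_leaks_version flags a 220 greeting that still names the server software or a version. It assumes GNU sed (for sed -i) and takes the config path as a parameter, so run it on a copy rather than on /etc/vsftpd/vsftpd.conf directly; the config it builds for the demo is constructed here and only mirrors the stock file's relevant lines.

```shell
# Added example, not part of the lab: read, audit and rewrite vsftpd.conf
# options. Every function takes the config path as a parameter; use a copy.

# get_opt FILE KEY -> prints the active value of KEY (last uncommented
# assignment wins, matching vsftpd's top-to-bottom parse), empty if unset.
get_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# set_opt FILE KEY VALUE -> rewrites an active KEY= line in place, or appends
# one. Commented-out lines are left alone, so "#anonymous_enable=YES" is never
# mistaken for a live setting (commenting out is not the same as disabling).
set_opt() {
    if grep -q "^[[:space:]]*$2=" "$1"; then
        sed -i "s|^[[:space:]]*$2=.*|$2=$3|" "$1"   # assumes GNU sed
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# harden_conf FILE -> applies the changes made in the lab.
harden_conf() {
    set_opt "$1" anonymous_enable NO
    set_opt "$1" userlist_enable YES
    set_opt "$1" userlist_deny YES
    set_opt "$1" ftpd_banner "Welcome to Linux Academy FTP service."
}

# audit_conf FILE -> prints one finding per line, nothing when clean.
audit_conf() {
    # vsftpd's built-in default for anonymous_enable is YES, so an absent or
    # commented-out key counts the same as an explicit YES.
    case "$(get_opt "$1" anonymous_enable)" in
        NO) ;;
        *)  echo "anonymous_enable is not NO (absent means YES)" ;;
    esac
    if [ -z "$(get_opt "$1" ftpd_banner)" ] && [ -z "$(get_opt "$1" banner_file)" ]; then
        echo "no banner override: the 220 greeting will disclose the vsFTPd version"
    fi
    if [ "$(get_opt "$1" userlist_enable)" != "YES" ]; then
        echo "userlist_enable is not YES: user_list is ignored"
    fi
}

# greeting_leaks_version LINE -> true when a 220 greeting names the server
# software or a dotted version number, as the stock "220 (vsFTPd 3.0.2)" does.
greeting_leaks_version() {
    printf '%s\n' "$1" | grep -qiE '^220 .*(vsftpd|[0-9]+\.[0-9]+)'
}

# Demo on a constructed config that mirrors the stock file's relevant lines.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
local_enable=YES
#ftpd_banner=Welcome to blah FTP service.
userlist_enable=YES
EOF
    echo "--- before hardening:"; audit_conf "$tmp"
    harden_conf "$tmp"
    echo "--- after hardening:";  audit_conf "$tmp"
    for g in "220 (vsFTPd 3.0.2)" "220 Welcome to Linux Academy FTP service."; do
        if greeting_leaks_version "$g"; then echo "LEAK: $g"; else echo "ok:   $g"; fi
    done
    rm -f "$tmp"
}
demo
```

Before hardening, the demo config produces two findings (anonymous logins enabled, version-disclosing greeting); after harden_conf it produces none, and the greeting check shows why the banner change in the lab matters.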

Connect to the FTP Server

Now we can test the connection to our VSFTPD server locally:

$ ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:linuxacademy):

To log in, we can use the anonymous user that's been configured on our system, using user@user.com (or any syntactically valid email address) as its password. Once logged in, we can enter ls at the FTP prompt to see a list of files. We can also use other standard FTP commands. To exit the FTP prompt, enter quit.

We may also log in as the linuxacademy user, using our normal system password to authenticate.

Security Configuration

In the following sections, we'll go through some common configuration changes that enhance the security of our VSFTPD server.

Disable Anonymous Users

Let's head back to our configuration file:

$ sudo vim vsftpd.conf

To disable anonymous users from connecting, look for the following line:

anonymous_enable=YES

Change YES to NO. Be aware that simply commenting it out is not enough; by default, anonymous users are allowed. To apply the change, save the file and restart the service:

$ sudo systemctl restart vsftpd

Now if we attempt to connect as an anonymous user, we'll receive a Login failed message.

Change the Banner

We saw earlier that we can customize the banner message displayed upon connecting to the FTP server. Let's change that to see how it looks on a real connection:

$ sudo vim vsftpd.conf

Look for the following line:

ftpd_banner=Welcome to blah FTP service.

Change it to:

ftpd_banner=Welcome to Linux Academy FTP service.

Save and exit the file, and restart the service:

$ sudo systemctl restart vsftpd

Now when we connect, we can see the version information has been replaced with our message:

$ ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 Welcome to Linux Academy FTP service.
Name (localhost:linuxacademy):

Disable Access for a User

We can disable access for specific system users in addition to anonymous users. To do so, we'll open up our ftpusers file:

$ sudo vim ftpusers

Add your system username to the file. For example, on the lab servers, this will be linuxacademy. Once it's been added, save and close the file.

Now when we try to connect with that user, the login will fail. Note that we don't need to restart the service for this to take effect, since it's configured by the associated PAM module:

$ ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 Welcome to Linux Academy FTP service.
Name (localhost:linuxacademy):

After trying to log in, the user will be denied access.

530 Login incorrect.
Login failed.

We can see how it's configured by looking at the PAM module itself:

$ cat /etc/pam.d/vsftpd

We can see on the second line that the /etc/vsftpd/ftpusers file is used to deny access.

To see the difference, open up the ftpusers file again:

$ sudo vim ftpusers

Remove your system username from the file. Open the user_list file:

$ sudo vim user_list

Add your username to this file, then save and exit. Now when we try to log in to the FTP server as that user, we'll be rejected immediately.
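The two denials above look the same to the user but happen at different points: user_list is checked by vsftpd itself before it asks for a password, while ftpusers is enforced by the pam_listfile line in /etc/pam.d/vsftpd after the password is sent. The following POSIX sh script is an added example, not part of the lab, that predicts the outcome for a local (system) user from the three files edited in this lab. Paths are parameters so it can be pointed at copies; the defaults it assumes when a key is absent are vsftpd's documented ones (userlist_enable=NO, userlist_deny=YES), and the files built in the demo are constructed here, not the lab server's.

```shell
# Added example, not the lab's own script: predict how vsftpd and its PAM
# stack will treat a local user's login from vsftpd.conf, ftpusers and
# user_list. Anonymous logins are out of scope here.

# list_has FILE USER -> true when USER is a whole line of FILE
# ('#' comment lines are ignored; a missing file counts as empty).
list_has() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -qx "$2"
}

# conf_val CONF KEY DEFAULT -> active value of KEY, or DEFAULT if unset.
conf_val() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    printf '%s' "${v:-$3}"
}

# ftp_access USER CONF FTPUSERS USER_LIST -> prints one of
#   deny-userlist : refused by vsftpd itself, before a password is requested
#   deny-ftpusers : refused by pam_listfile (sense=deny) after the password
#   allow         : passes both gates; the normal password check still applies
ftp_access() {
    user=$1; conf=$2; ftpusers=$3; user_list=$4
    # Gate 1: user_list, consulted only when userlist_enable=YES.
    if [ "$(conf_val "$conf" userlist_enable NO)" = "YES" ]; then
        if list_has "$user_list" "$user"; then in_list=yes; else in_list=no; fi
        if [ "$(conf_val "$conf" userlist_deny YES)" = "YES" ]; then
            # deny mode: listed users are refused
            if [ "$in_list" = yes ]; then echo deny-userlist; return 0; fi
        else
            # allow mode: only listed users get through
            if [ "$in_list" = no ]; then echo deny-userlist; return 0; fi
        fi
    fi
    # Gate 2: the pam_listfile line in /etc/pam.d/vsftpd reads ftpusers on
    # every login, which is why editing ftpusers needs no service restart.
    if list_has "$ftpusers" "$user"; then
        echo deny-ftpusers; return 0
    fi
    echo allow
}

# Demo with constructed copies of the three files, walking the lab's three
# states for the linuxacademy user.
demo() {
    d=$(mktemp -d)
    printf 'userlist_enable=YES\nuserlist_deny=YES\n' > "$d/vsftpd.conf"
    printf 'root\nbin\n' > "$d/ftpusers"
    printf 'root\nbin\n' > "$d/user_list"
    echo "untouched:          $(ftp_access linuxacademy "$d/vsftpd.conf" "$d/ftpusers" "$d/user_list")"
    echo linuxacademy >> "$d/ftpusers"
    echo "added to ftpusers:  $(ftp_access linuxacademy "$d/vsftpd.conf" "$d/ftpusers" "$d/user_list")"
    printf 'root\nbin\n' > "$d/ftpusers"
    echo linuxacademy >> "$d/user_list"
    echo "added to user_list: $(ftp_access linuxacademy "$d/vsftpd.conf" "$d/ftpusers" "$d/user_list")"
    rm -rf "$d"
}
demo
```

The demo prints allow, deny-ftpusers and deny-userlist in turn, matching what the lab observes: the ftpusers denial arrives only after the password prompt, while the user_list denial is immediate. Flipping userlist_deny to NO turns user_list into an allow-list, and then every user not in it gets deny-userlist regardless of ftpusers.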

Review

In this lab, we installed VSFTPD and looked at some common security-related configuration settings. You should now have all the skills you need to start setting up your own secure FTP servers.

Congratulations! You've completed the lab on deploying and testing a VSFTPD server!