Saturday, September 7, 2013

guide to effectively configure vsftp with chroot'ed users on Amazon EC2

VSFTP is fast and secure FTP server.

It is easy to configure. I needed it to work with Amazon EC2. Here's how.

I took this guide: http://blog.liwen.name/configure-vsftpd-on-amazon-ec2/148

Configure vsftpd on Amazon EC2

There are quite a few FTP server options available for Debian: ProFTPDPure-FTPd and wu-ftpd to name a few. Here we opt forvsftpd (very secure FTP daemon), the default FTP server included in Ubuntu, CentOS, Fedora and some other Linux distributions.

Install

apt-get update apt-get install vsftpd

Configure vsftpd

The configuration file /etc/vsftpd.conf of vsftpd is very well commented. Read it through if you want to, otherwise here are a few changes need to be made in order to get it to work with Amazon EC2. The explanation of these changes are mostly quoted from manpages of vsftpd configure package.
nano /etc/vfstpd.conf
First let’s disable anonymous logins:
anonymous_enable=NO
Enable local logins to allow local users to connect via FTP, this must be enabled for any non-anonymous login to work.
local_enable=YES
Give FTP users write permission:
write_enable=YES
Disnable PORT style data connections with port 20. It makes vsftpd run with slightly less privilege.
connect_from_port_20=NO
Restrict local users (all FTP users) in chroot jails (their home directory):
chroot_local_user=YES
To set proper permissions for files(644) and directories(755):
local_unmask=022
Specify a range of ports for vsftpd to run PASV connections
pasv_max_port=12100
pasv_min_port=12000
After setting up the port range, go to your EC2 console and open the ports specified above, also don’t forget to open the default ftp port 21.
It turns out that vsftpd advises the incomming PASV command the internal IP of EC2 instance, which FTP clients would not be able to resolve. To solve this problem, we explicitly tell vsftp to use our public IP address instead of asking the server for it. If you don’t have an Elastic IP associated with the instance, you will need to enable pasv_addr_resolve and provide your public DNS.
pasv_address=your.public.ip.address
That is all we have to do with vsftpd.conf for now. Next let’s setup our first FTP user.

Setup FTP users

To enable group-based FTP access and also make things more organised, create a dedicated FTP user group.
addgroup ftpusers
Next create our first FTP user:
useradd -d /home/web/your/root/ftp/dir/for/the/user -s /usr/sbin/nologin -g ftpusers devuser
Here we added a new user devuser with home directory /home/web/your/root/ftp/dir/for/the/user, we obviously do not want FTP users to have shell access, -s option sets user’s shell to nologinNote: don’t forget to add nologin into/etc/shells, otherwise FTP users may not be able to login via FTP clients.
echo "/usr/sbin/nologin" >> /etc/shells
Set a password for the user:
passwd devuser
To allow FTP users to read and write files in their chroot jails (home directories), we need to let FTP users take ownership of their home directories and give them proper permission.
chown -R devuser /home/web/your/root/ftp/dir/for/the/user
chmod 775 /home/web/your/root/ftp/dir/for/the/user
Create a userlist for vsftpd and add all FTP users into the list – one user per line:
touch /etc/vsftpd.userlist
nano /etc/vsftpd.userlist
The userlist file should look like this:
devuser
user2
user3
Save /etc/vsftpd.userlist, reopen /etc/vsftpd.conf and add the following lines to the end of the file:
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
If you only want to allow the users in the userlist to login and deny anyone else, you can also set:
userlist_deny=NO
Now save the file, restart the vsftpd service.
/etc/init.d/vsftpd restart
Phew, that’s it, now you have successfully configured vsftpd on Amazon EC2 instance.