With standard FTP servers, authentication is done against the user accounts on the Linux or Unix box. So if someone sniffs an FTP password, he has a shell password at the same time and may use it to break into the server itself.
This HowTo will guide you through the steps to set up a virtual FTP server. This won't prevent FTP passwords from being sniffed, but it will greatly diminish the impact of a stolen password on the rest of the server. While running no FTP server at all is certainly the best solution, sometimes you need one, and in that case running a virtual FTP server is the next best thing to do.
Virtual FTP servers have two major advantages. The first is that they chroot the session to the FTP directory once an FTP user logs in. That means that even if a malicious user can log into the FTP server, he won't be able to break out of the "ftp cage" and cause havoc in other parts of the system.
The second and biggest advantage is that a virtual FTP server uses a secondary password database for user authentication. This means that you can create FTP accounts without creating Linux shell accounts to go with them. So if someone sniffs an FTP password, there will be no matching entry in the Linux password file, and thus the malicious user won't be able to log into the server and try to gain more access or cause trouble.
To achieve all this, we will use a daemon called vftpd to provide FTP services. It has been designed to be used as a virtual FTP server (although it can also be used as a regular one) and it includes a lot of automatic security features, which will be especially useful to new Linux users.
These features include:
- It always chroots your users to their home directories.
- It allows access to users without valid shells.
- VFTPD does not allow a user's home directory to be /, /etc, /bin, /sbin, /usr/bin, /usr/sbin, /dev/, /lib or /tmp.
- Home directory paths may not contain any symbolic links.
- It does not allow any user with UID 0 other than root.
- It does not log users in if the password file has write permission open to group or others.
Ok, so now on how to install this baby. First you will have to get the sources at the . The latest version as of the date of writing is 6.5.8.
Once you have downloaded the archive, unpack it by typing "tar -xvzf virtualftpd.tgz". Next, "cd" into virtualftpd-6.5.8/ftpd and simply type "make". Now "su" to root and type "make install".
That's it already for installing the FTP daemon. Now to configure it.
Most of the configuration for vftpd is automatic; some additional parameters can be specified with command line switches when starting the daemon. The only real configuration file you'll have to bother with is /etc/ftppasswd, which contains the actual accounts for your various FTP users.
The /etc/ftppasswd file has roughly the same format as the /etc/passwd file. It has one line per user, of the form:
login:encryptedpassword:uid:gid:description:ftppath:/no/shell
Each field is separated by a : character. login is the username, encryptedpassword the Unix encrypted password, uid the user id for the login, gid the group id, description can be anything (the real name of the user, for instance), ftppath is the path to the directory the FTP user will be logged into, and the final field /no/shell indicates that the user is not supposed to have any shell access to the server.
For your own convenience, vftpd provides a tool to easily add FTP users to the system, addvuser. As root, simply type "addvuser" into a terminal window. You will first be prompted for the username, then the plaintext password, then a user id (you should typically enter a uid that does not already exist here, and the same goes for the gid), and then you will be asked for the user's home directory: enter the path to the FTP directory the user shall be logged into. The entry will then automatically be added to /etc/ftppasswd. You can change the password of an existing user by typing "ftppasswd username", where username is the user's login.
Also, if you have existing shell accounts on your FTP server, you should add entries for those usernames too, with different passwords than the shell passwords. This will prevent malicious people from logging into someone's real home directory, and it will also prevent them from using that user's account in case they sniff an FTP password. (Be aware that accounts in /etc/passwd also work with vftpd, hence my tip to add corresponding entries to /etc/ftppasswd, as these will override the shell accounts.)
Also, if users with shell accounts don't need FTP access (such as root, for instance), put them into /etc/ftpusers, which will prevent any FTP login with that username.
Finally, you can add FTP messages to /etc/ftpwelcome (displayed after connecting) and /etc/motd (displayed after a successful login).
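As an added example (not part of this HowTo and not code from the vftpd project), here is a small Python audit script that parses /etc/ftppasswd entries in the format above and checks them against the rules vftpd is described as enforcing in the feature list: no uid 0 except for root, no home directory among the forbidden system directories, no symbolic link in the home path, and no group- or world-writable password file. The sample entries and their hashes are constructed placeholders, and the islink parameter is an injection point so the check can run without touching the real filesystem.

```python
import os
import stat
from collections import namedtuple
# Home directories the HowTo lists as refused by vftpd ("/dev/" normalised to "/dev").
FORBIDDEN_HOMES = {"/", "/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/dev", "/lib", "/tmp"}
FtpUser = namedtuple("FtpUser", "login pw_hash uid gid description home shell")

def parse_line(line):
    """Parse one login:encryptedpassword:uid:gid:description:ftppath:/no/shell line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields, got %d" % len(fields))
    login, pw, uid, gid, desc, home, shell = fields
    return FtpUser(login, pw, int(uid), int(gid), desc, home, shell)

def path_has_symlink(path, islink=os.path.islink):
    """True if any component of the path is a symlink; islink is injectable for tests."""
    cur = ""
    for part in filter(None, path.strip("/").split("/")):
        cur += "/" + part
        if islink(cur):
            return True
    return False

def passwd_file_is_safe(mode):
    """vftpd refuses logins when the password file is group- or world-writable."""
    return not mode & (stat.S_IWGRP | stat.S_IWOTH)

def audit_user(user, islink=os.path.islink):
    """Apply the documented vftpd rules to one entry; returns a list of problems."""
    problems = []
    home = user.home.rstrip("/") or "/"
    if user.uid == 0 and user.login != "root":
        problems.append("uid 0 for non-root login")
    if home in FORBIDDEN_HOMES:
        problems.append("home %s is a forbidden system directory" % home)
    elif path_has_symlink(home, islink):
        problems.append("home path contains a symbolic link")
    if user.shell != "/no/shell":
        problems.append("shell field is not /no/shell")
    return problems

# Constructed sample file; the hashes are placeholders, not real crypt(3) output.
SAMPLE = """\
alice:$1$abc$xyz:2001:2001:Alice Example:/home/ftp/alice:/no/shell
bob:$1$def$uvw:0:0:Bad uid:/home/ftp/bob:/no/shell
carol:$1$ghi$rst:2003:2003:Bad home:/tmp:/no/shell
"""
def audit_file(text, islink=lambda p: False):
    """Map each login to its problems; default islink assumes no symlinks so SAMPLE runs anywhere."""
    return {u.login: audit_user(u, islink)
            for u in (parse_line(l) for l in text.splitlines() if l.strip())}
```

To audit the real file, pass open("/etc/ftppasswd").read() to audit_file with the default os.path.islink and os.stat("/etc/ftppasswd").st_mode to passwd_file_is_safe.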
Ok, now that everything is nicely configured, let's start the ftp daemon with the optimal parameters.
You can launch it manually by typing (as root):
vftpd -D -l -U
- -D makes it detach as a daemon and run in the background.
- -l logs FTP logins (failed and successful ones) to syslog; specifying -l twice gives more detailed logs.
- -U lets you see active FTP sessions by typing "who" into a terminal.
Additionally:
- -A only allows anonymous connections and disables user logins.
- -S makes the daemon log anonymous logins to /var/log/ftpd.
- -p portnum makes the daemon listen on a port other than the default 21.
(check "man vftpd" for details on how to setup vftpd securely for anonymous logins)
So, now that we have everything up and running, we only have to make vftpd start automatically when the server boots. The simplest way is to add a line to your boot.local or rc.local file, depending on your distribution. That line should look like:
/usr/local/bin/vftpd -D -U -l -l
And that's it. If you have any questions, concerns or comments, don't hesitate to .