
Vsftpd on Gentoo

 ·  🎃 kr0m

Vsftpd is known to be one of the most secure FTP servers available today. In this article, we will configure our Vsftpd server to work over SSL, since plain FTP offers no encryption of its own.

As usual, we start by installing the necessary software:

emerge -av vsftpd

We configure vsftpd as follows:

vi /etc/vsftpd/vsftpd.conf

vsftpd_log_file=/var/log/vsftpd.log
local_enable=YES
use_localtime=YES
anonymous_enable=NO
async_abor_enable=YES
chmod_enable=NO
ftpd_banner=Alfaexploit File Transfer Protocol
connect_from_port_20=YES
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/users
download_enable=NO
dirlist_enable=NO
write_enable=NO
listen_port=21
max_clients=25
max_login_fails=2
chroot_local_user=YES
guest_enable=YES
pam_service_name=vsftpd
guest_username=nobody
hide_ids=YES
listen=YES
pasv_enable=YES
#userlist_enable=NO
#userlist_deny=NO
dirmessage_enable=YES
xferlog_enable=YES

# ssl

require_ssl_reuse=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
#force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem

# passive port range
pasv_min_port=60000
pasv_max_port=60500
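As an added check that is not part of the original article, the following POSIX sh script (my own; it assumes only sh and awk) reads a vsftpd.conf and flags the settings in the SSL block above that leave sessions exposed: ssl_sslv2 and ssl_sslv3, which enable broken protocol versions, and force_local_logins_ssl and force_local_data_ssl left at NO, which still lets a client send the password and the data in cleartext even with ssl_enable=YES. For each finding it prints the hardened line.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the
# SSL settings shown above. Assumes only a POSIX sh and awk.

# Print the effective value of a key (last uncommented occurrence wins,
# which matches how vsftpd applies repeated settings).
vsftpd_get() {  # usage: vsftpd_get <conf> <key>
    awk -F= -v k="$2" '$0 !~ /^[ \t]*#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# Print one line per weak setting with its hardened replacement.
# Return value: number of findings (0 means nothing flagged).
vsftpd_audit_tls() {  # usage: vsftpd_audit_tls <conf>
    conf=$1
    n=0
    # SSLv2 and SSLv3 are broken protocol versions; only TLS should be enabled.
    for key in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_get "$conf" "$key")" = "YES" ]; then
            echo "WEAK  $key=YES -> set $key=NO"
            n=$((n + 1))
        fi
    done
    # ssl_enable=YES alone only offers TLS; unless both force_* options are
    # YES, a client may still send the password and the data in cleartext.
    for key in force_local_logins_ssl force_local_data_ssl; do
        val=$(vsftpd_get "$conf" "$key")
        if [ "$val" != "YES" ]; then
            echo "WEAK  $key=${val:-unset} -> set $key=YES"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Constructed sample reproducing the article's SSL block (not a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
#force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
EOF
vsftpd_audit_tls "$sample" && echo "no weak SSL settings" || echo "findings: $?"
rm -f "$sample"
```

Run against the article's configuration it reports four findings; the commented-out force_local_logins_ssl=YES line in the original config is the first of them.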

Even though we use an external file as the user database, the user still needs a home directory:

useradd user001
mkdir /home/user001
chown -R user001:user001 /home/user001

We configure the parameters of the user in question:

vi /etc/vsftpd/users/user001

dirlist_enable=YES
download_enable=YES
local_root=/home/user001
write_enable=YES
anon_world_readable_only=NO
# 027 -> 640 for files, 750 for dirs
local_umask=027
#file_open_mode=0640
guest_username=user001
allow_writeable_chroot=YES

We tell vsftpd how to authenticate users:

vi /etc/pam.d/vsftpd

auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users

We add the user and the user’s password:

vi /etc/vsftpd/vsftpd_users.txt

user001
PASS

We generate the file in Berkeley DB format:

db4.8_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db

We generate the certificate:

cd /etc/vsftpd/
openssl genrsa -out ftpserver.key 2048
openssl req -new -key ftpserver.key -out ftpserver.csr
openssl x509 -req -days 3650 -in ftpserver.csr -signkey ftpserver.key -out ftpserver.crt
cat ftpserver.key >> ftpserver.pem
cat ftpserver.crt >> ftpserver.pem
chmod 400 ftpserver.*
mv ftpserver.pem vsftpd.pem

We restart the service:

/etc/init.d/vsftpd restart

The following error is caused by a bug in vsftpd that manifests when the remote directory contains more than 32 files and vsftpd is running on a 64-bit 3.5.0 kernel:

500 OOPS: priv_sock_get_cmd

We will have to disable the seccomp sandbox in vsftpd.conf:

seccomp_sandbox=NO

To test the SSL setup, we can install lftp:

vi /etc/portage/package.use/lftp

net-ftp/lftp -gnutls ssl openssl
emerge -av lftp
vi ~/.lftprc

set ftp:ssl-force true; --> We force the login to be encrypted
set ssl:verify-certificate false; --> The certificate does not need to be trusted

Then, at the lftp prompt, we enable verbose debugging and log in:

debug 9
user USER PASS