I write this post more as a reminder for myself than as a generic tutorial. Anyway, it is about a specific FTP server configuration on Ubuntu that might or might not be useful for other people. It is just useful in the environment I am using (a web server, just one Unix user, some FTP accounts). Here we go:
The server that I have used in several cases, and which I prefer just because it is simple enough to have running quickly, is VSFTP (Very Simple FTP). It integrates with the machine's user accounts, so we only need to add users to the system in order to have them available to the FTP daemon. Once the server is installed, a few settings must be configured. In the file /etc/vsftpd.conf:
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
So, let's take a look at this configuration. First of all, it makes no sense to have anonymous users on this machine. Then, we allow local users to connect to the FTP server and give them write permission. Finally, they are confined to their own home directory, to make the server safe enough. But what is the point of that? After all, this is a web server, so we want the users to be able to update some web sites.
The solution is to bind-mount the relevant folders of the Apache webroot into the user's home directory, depending on the access rights each user should have. A symbolic link is not enough, since the chroot prevents FTP clients from following links that point outside the home directory. A command line like:
mount --bind /var/www/user_website/ /home/username/mountpoint/
would do the trick.
A potential security risk comes with the use of this server. Since FTP clients need a user account on the machine, those users could potentially log in to the server and execute code. First of all, one must ensure that these users have only the essential access rights, but beyond that we can go further in protecting the server. In my case, the web server is a virtual machine in a cloud, so local access is not possible. As for SSH access, it is enough to specify which users may log in to the machine, so that we can have any number of users allowed to reach their home directory through FTP who nevertheless cannot execute anything on the machine. To do this, let's edit /etc/ssh/sshd_config:
AllowUsers user1 user2 user3 ...
With this setting, only the selected users can log in to the machine via SSH; the others are confined to their home folders via the FTP server. And that's all, just remember to restart both the FTP and SSH services.
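A small audit script, added here as an example rather than taken from the original post, that checks a vsftpd.conf for the three settings above (treating a commented-out anonymous_enable as a failure, since the default is YES), confirms sshd_config carries an AllowUsers line, and builds the /etc/fstab entry that keeps the bind mount across reboots. File paths passed as arguments are assumptions; the sample content in the comments is constructed.

```shell
#!/bin/sh
# Audit the vsftpd/sshd hardening described in the post (added example,
# not the post's own code). Works on copies of the config files, so it can
# run without root.

# Effective value of a key in vsftpd.conf: last uncommented "key=value" wins,
# empty if the key is unset or only present as a "#key=value" comment.
vsftpd_value() {
    # $1 = config file, $2 = key
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Compare the config with the intended posture, printing one line per setting.
# Returns 0 only if all three settings match; an unset anonymous_enable fails
# because vsftpd then allows anonymous logins.
audit_vsftpd() {
    conf="$1"; rc=0
    for pair in anonymous_enable=NO local_enable=YES chroot_local_user=YES; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(vsftpd_value "$conf" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key=$got"
        else
            echo "FAIL $key: want $want, got '${got:-<unset>}'"; rc=1
        fi
    done
    return $rc
}

# Print the users sshd_config admits via AllowUsers; return 1 if the directive
# is absent, meaning every local account, FTP accounts included, may use SSH.
# Note: AllowUsers limits SSH only; FTP-only accounts should also get a
# non-login shell (listed in /etc/shells, as Ubuntu's vsftpd PAM stack
# checks it with pam_shells).
sshd_allowusers() {
    grep -E '^[[:space:]]*AllowUsers[[:space:]]' "$1" \
        | sed 's/^[[:space:]]*AllowUsers[[:space:]]*//' | grep .
}

# /etc/fstab line making the bind mount persistent: "mount --bind" alone is
# lost at the next reboot.
fstab_bind_line() {
    # $1 = web directory (source), $2 = mount point inside the user's home
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Usage: sh audit.sh /etc/vsftpd.conf /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    audit_vsftpd "$1"
    sshd_allowusers "$2" || echo "FAIL no AllowUsers in $2"
fi
```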
It is not the best FTP server I could have installed, but it is simple enough.