
Last Update: 20230722


Abstract


Install vsftpd

sudo apt update && sudo apt install vsftpd

Setting vsftpd Config File

File path: /etc/vsftpd.conf

  1. Disable anonymous user
    ​​​​anonymous_enable=NO
    
  2. Enable local users
    ​​​​local_enable=YES
    
  3. Enable write permission
    ​​​​write_enable=YES
    
  4. Restrict local users to their home directory (chroot)
    chroot_local_user=YES
    # With chroot_local_user=NO (the default) and chroot_list_enable=YES, vsftpd.chroot_list names the users that ARE chrooted. With chroot_local_user=YES the meaning is inverted: the list names the users that are NOT chrooted.

    # vsftpd refuses to chroot a user into a directory that user can write to ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Two ways to allow uploads anyway:
    # (a) Preferred: chroot into a non-writable ~/ftp and keep a writable subdirectory inside it (the layout created under "Create FTP User" below)
    user_sub_token=$USER
    local_root=/home/$USER/ftp
    # (b) Alternative: let the chroot root itself be writable. This switches off vsftpd's safety check, so prefer (a).
    write_enable=YES
    allow_writeable_chroot=YES
    
  5. Fix the port range for passive-mode data connections (open the same range on the firewall)
    pasv_min_port=30000
    pasv_max_port=31000
    
  6. Restrict login to listed users
    userlist_enable=YES
    userlist_file=/etc/vsftpd.user_list
    # userlist_deny=NO turns the file into an allow-list: users not in it are rejected before a password is requested
    userlist_deny=NO
    
  7. Securing transmission with SSL

If vsftpd.user_list is used as an allow-list (userlist_deny=NO) while anonymous logins are enabled, the user name anonymous must also be appended to vsftpd.user_list, otherwise anonymous logins are rejected.

Anonymous logins land in the anonymous root (/srv/ftp on Debian/Ubuntu, the home directory of the ftp system user), are always chrooted there, and have no shell access.
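The configuration steps above are easy to get partly wrong on an existing /etc/vsftpd.conf (a key left at its default, or allow_writeable_chroot=YES left over from debugging). The following script is an added example, not part of the original note: it audits a vsftpd.conf against the baseline listed above and reports every deviation. The helper names (conf_get, audit_vsftpd_conf) are this example's own, and the two sample configurations are constructed in temporary files; for real use point audit_vsftpd_conf at /etc/vsftpd.conf.

```shell
#!/bin/sh
# Added example, not part of the original note: audit a vsftpd.conf against the
# hardening settings listed above. The two sample config files are constructed
# here in temporary files; point audit_vsftpd_conf at /etc/vsftpd.conf for real use.

# Print the value of KEY in FILE (last uncommented assignment wins; empty if unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Compare FILE with the expected values and print one FINDING line per deviation.
# A key that is absent falls back to vsftpd's compiled-in default, which differs
# from the wanted value for every key below, so "unset" is reported as well.
# Returns the number of findings, so 0 means the file matches the baseline.
audit_vsftpd_conf() {
    conf=$1
    findings=0
    while IFS='=' read -r key want; do
        have=$(conf_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            printf 'FINDING: %s is %s, expected %s\n' "$key" "${have:-<unset>}" "$want"
            findings=$((findings + 1))
        fi
    done <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
EOF
    # allow_writeable_chroot=YES switches off vsftpd's refusal to chroot a user
    # into a directory that user can write to; flag it whenever it is set.
    if [ "$(conf_get "$conf" allow_writeable_chroot)" = "YES" ]; then
        printf 'FINDING: allow_writeable_chroot=YES (writable chroot root)\n'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: a weak configuration and the hardened one from this note.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
allow_writeable_chroot=YES
EOF
cat >"$HARD_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
EOF

echo "== weak =="
audit_vsftpd_conf "$WEAK_CONF" || echo "-> $? finding(s)"
echo "== hardened =="
audit_vsftpd_conf "$HARD_CONF" && echo "-> clean"
```

The weak sample produces five findings (anonymous logins on, no chroot, no allow-list, and the writable-chroot override); the hardened sample produces none. The return value is the finding count, so the function can gate a deployment step directly.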

Create FTP User

  1. Add New User
    ​​​​sudo adduser <user_name>
    
  2. Add User to List
    ​​​​echo "<user_name>" | sudo tee -a /etc/vsftpd.user_list
    
  3. Create the chroot layout
    sudo mkdir -p /home/<user_name>/ftp/upload
    # The chroot root (ftp) must not be writable by the user, otherwise vsftpd refuses the login; uploads go to the writable subdirectory
    sudo chmod 550 /home/<user_name>/ftp
    sudo chmod 750 /home/<user_name>/ftp/upload
    sudo chown -R <user_name>: /home/<user_name>/ftp
    
  4. Change User Home Directory (Optional)
    # Not needed when local_root=/home/$USER/ftp is set as above. Without local_root, chroot_local_user=YES chroots to the home directory, so point the home directory at ~/ftp instead
    sudo usermod -d /home/<user_name>/ftp <user_name>
    

Restrict User Permission

Disable Shell Access

  1. Create the login shell that only prints the restriction message
    # printf instead of echo -e (dash's echo has no -e), and tee without -a so re-running the step does not duplicate the content
    printf '#!/bin/sh\necho "This account is limited to FTP access only."\n' | sudo tee /bin/ftponly
    # Make it executable
    sudo chmod a+x /bin/ftponly
    
  2. Add the new shell to the list of valid shells (vsftpd's PAM configuration on Debian/Ubuntu uses pam_shells, so FTP logins with an unlisted shell fail as well)
    echo "/bin/ftponly" | sudo tee -a /etc/shells
    
  3. Change the user's login shell to ftponly
    sudo usermod -s /bin/ftponly <user_name>
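The "Create FTP User" and "Disable Shell Access" procedures above are shown below as one script. It is an added example, not part of the original note: the helper names (ensure_line, make_ftponly_shell, setup_ftp_tree, check_ftp_tree, create_ftp_user) are this example's own. The unprivileged parts (directory layout with the permissions from step 3, the login-shell script, idempotent appends to list files) are exercised in a constructed scratch directory so no real account is touched; create_ftp_user runs the full procedure against the real paths and needs root. The permission check assumes GNU stat (Debian/Ubuntu).

```shell
#!/bin/sh
# Added example, not part of the original note: the "Create FTP User" and
# "Disable Shell Access" steps above as idempotent functions. The unprivileged
# parts are exercised in a temporary directory; create_ftp_user needs root.

# Append LINE to FILE only if it is not already there (tee -a duplicates on re-runs).
ensure_line() {
    grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >>"$2"
}

# Write the FTP-only login shell at PATH. printf avoids depending on 'echo -e',
# which prints a literal "-e" under dash (/bin/sh on Debian/Ubuntu).
make_ftponly_shell() {
    printf '#!/bin/sh\necho "This account is limited to FTP access only."\n' >"$1"
    chmod 755 "$1"
}

# Build the chroot layout ROOT owned by USER: the chroot root itself must not be
# writable by the user (vsftpd refuses the login otherwise, unless
# allow_writeable_chroot=YES); uploads go to the writable subdirectory.
setup_ftp_tree() {
    mkdir -p "$1/upload"
    chown -R "$2": "$1"        # unprivileged chown only succeeds for files you own
    chmod 550 "$1"
    chmod 750 "$1/upload"
}

# Verify the layout: root 550, upload 750 (GNU stat, as on Debian/Ubuntu).
check_ftp_tree() {
    [ "$(stat -c %a "$1")" = "550" ] && [ "$(stat -c %a "$1/upload")" = "750" ]
}

# Full procedure for account USER; run as root. adduser prompts for the
# password exactly as in step 1 of the note.
create_ftp_user() {
    adduser "$1"
    ensure_line "$1" /etc/vsftpd.user_list
    setup_ftp_tree "/home/$1/ftp" "$1"
    make_ftponly_shell /bin/ftponly
    ensure_line /bin/ftponly /etc/shells     # pam_shells rejects shells not listed here
    usermod -s /bin/ftponly "$1"
}

# Unprivileged demo in a scratch directory (constructed; stands in for /home/<user>).
DEMO=$(mktemp -d)
trap 'chmod -R u+w "$DEMO"; rm -rf "$DEMO"' EXIT
setup_ftp_tree "$DEMO/ftp" "$(id -un)"
make_ftponly_shell "$DEMO/ftponly"
ensure_line "$DEMO/ftponly" "$DEMO/shells"
ensure_line "$DEMO/ftponly" "$DEMO/shells"   # second call must not add a duplicate
check_ftp_tree "$DEMO/ftp" && echo "layout OK under $DEMO"
sh "$DEMO/ftponly"
```

To apply it for real, source the file as root and call create_ftp_user <user_name>. ensure_line is what makes the script safe to re-run: the note's tee -a steps append a second copy of the user name and of /bin/ftponly every time they are repeated.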