Greetings -
I am setting up my very first ftp server for my small company and I am
wondering if someone with more experience than I could look at my
configuration and give me some advice. I am wondering if my configuration
is missing anything that would improve access security, within the
constraints of my setup guidelines as described below.
The purpose of my ftp site is to enable our staff and a select group of our
clients to exchange very large files back and forth, without the problems
associated with emailing large files. Clients would be chrooted into only
their project directory, based on their user account name. Internal staff
would have access to all clients' project ftp directories by setting up a
Samba share on a directory above the clients' project directories (we have a
small, close-knit company with no internal security concerns). I will make
the client directories (and user account names) based on a combination of
the client name, project name, and accounting code number, so it should look
relatively cryptic to anyone else. Our ftp server is on a different
physical box and a different fixed IP from our web site and email server
(which is hosted offsite). However, it is on the same box as our Samba file
server, which also has OpenVPN running for our staff remote access. I am
running RHEL3 update 9, and the version of vsftpd that is associated with
this OS level.
Below are my configuration files. I have obscured the pasv port range. The
/etc/vsftpd.ftpusers and the /etc/pam.d/vsftpd files have no changes from
the stock out of the box configuration. Thanks for all suggestions.
/etc/vsftpd/vsftpd.conf
### Connection Information
listen=YES
background=YES
connect_from_port_20=YES
listen_port=21
ftp_data_port=20
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=10003
idle_session_timeout=600
data_connection_timeout=120
#
### Access Restrictions
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
pam_service_name=vsftpd
chroot_local_user=YES
write_enable=YES
local_umask=0666
#
### Logging and Messages
xferlog_enable=YES
dual_log_enable=YES
xferlog_file=/var/log/xferlog.log
vsftpd_log_file=/var/log/vsftpd.log
ftpd_banner=Welcome to Meridian Environmental's FTP Site.
dirmessage_enable=YES
/etc/vsftpd.users_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
# for users that are denied.
#
# Generic example of UserName, also for chroot directory
ClientNameProjectNameAccountNo1
ClientNameProjectNameAccountNo2
/etc/vsftpd.ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
/etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Jeff Boyce
Meridian Environmental
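As an added illustration (not part of the post and not vsftpd's own tooling), here is a small review script that parses a vsftpd.conf in the key=value form above and flags the settings a reviewer would question: the anonymous/userlist/chroot access switches, the passive-port range size, and local_umask, which vsftpd reads as octal only when it carries a leading 0 and which, at 0666, leaves every uploaded file with mode 000. SAMPLE_CONF is constructed from the values in the post; the check names and thresholds are this script's own assumptions.

```python
from typing import Dict, List

# Constructed sample: the access and transfer settings from the posted vsftpd.conf
SAMPLE_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
write_enable=YES
local_umask=0666
pasv_enable=YES
pasv_min_port=10001
pasv_max_port=10003
xferlog_enable=YES
"""

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored, as vsftpd does."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def upload_mode(umask_str: str) -> int:
    """Mode an uploaded file ends up with: vsftpd opens new files as 0666 and applies
    local_umask, which it treats as octal only when the value has a leading '0'."""
    umask = int(umask_str, 8) if umask_str.startswith("0") else int(umask_str, 10)
    return 0o666 & ~umask & 0o777

def review(conf: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if conf.get("anonymous_enable", "YES").upper() != "NO":   # vsftpd default is YES
        findings.append("anonymous_enable is not NO: anonymous logins are allowed")
    if not (conf.get("userlist_enable") == "YES" and conf.get("userlist_deny", "YES") == "NO"):
        findings.append("user list is not an allow-list (need userlist_enable=YES, userlist_deny=NO)")
    if conf.get("chroot_local_user") != "YES":
        findings.append("chroot_local_user is not YES: users can browse outside their home")
    umask = conf.get("local_umask", "077")                    # vsftpd default is 077
    mode = upload_mode(umask)
    if mode == 0:
        findings.append(f"local_umask={umask} gives uploads mode 000: nobody can read them back")
    elif mode & 0o002:
        findings.append(f"local_umask={umask} gives world-writable uploads (mode {mode:04o})")
    if conf.get("pasv_enable") == "YES":
        ports = int(conf.get("pasv_max_port", "0")) - int(conf.get("pasv_min_port", "0")) + 1
        if ports < 10:
            findings.append(f"passive range has only {ports} port(s): at most {ports} concurrent transfers")
    if conf.get("xferlog_enable") != "YES":
        findings.append("xferlog_enable is not YES: no transfer log for incident review")
    return findings

if __name__ == "__main__":
    for finding in review(parse_vsftpd_conf(SAMPLE_CONF)):
        print("-", finding)
```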
--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list