Can someone provide dummy-proof instructions on setting up login/password using vsftpd? Everything is installed; all that is left is login setup and setup of a default folder... /mnt/sda1/ftp_folder so that I can securely access (read & download) files from my Linksys 1900ACS router.
Add a new user (and group) as described here:
Make sure home directory is set to /mnt/sda1/ftp_folder
And the shell is set to /bin/false (to deny shell access)
Create a new file: /etc/vsftpd/vsftpd.userlist
Add the new user(name) here.
Edit your /etc/vsftpd.conf as follows:
```
background=YES
listen=YES
# <--- change to your desired listen address
listen_address=10.0.0.254
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
chroot_local_user=YES
allow_writeable_chroot=YES
#dirmessage_enable=YES
ftpd_banner=Welcome to anon's FTP service.
session_support=NO
#syslog_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.userlist
#user_config_dir=/etc/vsftpd/vsftpd_user_conf
```
If you want a per-user config:
Create a new directory: /etc/vsftpd/vsftpd_user_conf/
In that directory create a file that is named after the user.
For example if you want to deny delete/remove actions:
Add the following to the file:
```
## Disable delete commands
cmds_denied=DELE,RMD
```
Uncomment user_config_dir in /etc/vsftpd.conf
If you need access from wan side:
Add the following to /etc/vsftpd.conf:
```
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
```
Comment listen_address out to make vsftpd listen on all interfaces.
Open ports 21 and 30000-31000 TCP on the WAN side.
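Added example (not from the post or from the vsftpd project): a small POSIX sh checker that reads a vsftpd.conf and the userlist and reports where they depart from the settings recommended above (anonymous off, chroot on, allow-list semantics, a sane passive range) and whether every allow-listed user has /bin/false or nologin as shell. The two sample configs, passwd file and userlist are constructed inline in a scratch directory; the function names and file paths are this example's own.

```shell
#!/bin/sh
# Added example, not part of the forum post: check a vsftpd.conf and its
# userlist against the points made in the reply above. Paths are arguments;
# the sample files further down are constructed in a scratch directory.

# conf_get FILE KEY -> value of the last uncommented KEY= line, or empty
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_vsftpd_conf FILE -> 0 if no finding, 1 otherwise (findings on stdout)
check_vsftpd_conf() {
    conf="$1"; rc=0
    # anonymous logins stay off
    [ "$(conf_get "$conf" anonymous_enable)" = "NO" ] ||
        { echo "FINDING: anonymous_enable should be NO"; rc=1; }
    # local users are confined to their home directory
    [ "$(conf_get "$conf" chroot_local_user)" = "YES" ] ||
        { echo "FINDING: chroot_local_user should be YES"; rc=1; }
    # a writeable chroot root is what the later reply in this thread recommends removing
    [ "$(conf_get "$conf" allow_writeable_chroot)" != "YES" ] ||
        { echo "FINDING: allow_writeable_chroot=YES; prefer a read-only chroot with a writable subdirectory"; rc=1; }
    # the userlist is only an allow-list when userlist_deny=NO
    [ "$(conf_get "$conf" userlist_enable)" = "YES" ] &&
    [ "$(conf_get "$conf" userlist_deny)" = "NO" ] ||
        { echo "FINDING: need userlist_enable=YES and userlist_deny=NO for an allow-list"; rc=1; }
    # passive mode needs both bounds with min <= max, otherwise transfers fail
    if [ "$(conf_get "$conf" pasv_enable)" = "YES" ]; then
        pmin=$(conf_get "$conf" pasv_min_port)
        pmax=$(conf_get "$conf" pasv_max_port)
        if [ -z "$pmin" ] || [ -z "$pmax" ] || [ "$pmin" -gt "$pmax" ]; then
            echo "FINDING: pasv_min_port/pasv_max_port missing or inverted (min=$pmin max=$pmax)"; rc=1
        fi
    fi
    return $rc
}

# check_userlist_shells USERLIST PASSWD -> 0 if every listed user has a
# non-login shell, 1 otherwise
check_userlist_shells() {
    rc=0
    while IFS= read -r u; do
        [ -n "$u" ] || continue
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$2")
        case "$shell" in
            /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
            "") echo "FINDING: $u is in the userlist but not in $2"; rc=1 ;;
            *)  echo "FINDING: $u has login shell $shell; set it to /bin/false"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

DEMO_DIR=$(mktemp -d)

# Constructed sample: the config posted above plus the WAN additions,
# with the passive bounds inverted (min > max) to show the check firing.
cat > "$DEMO_DIR/bad.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.userlist
pasv_enable=YES
pasv_max_port=30000
pasv_min_port=31000
EOF

# Constructed sample: the same config with a read-only chroot and a valid range.
cat > "$DEMO_DIR/good.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
passwd_chroot_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.userlist
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
EOF

# Constructed sample passwd and userlist: ftp_user still has a login shell.
cat > "$DEMO_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
ftp_user:x:1000:1000:ftp_user:/home/ftp_user:/bin/ash
ftp_ro:x:1001:1001:ftp_ro:/mnt/sda1/ftp/ftp_ro/./uploads:/bin/false
EOF
printf 'ftp_user\nftp_ro\n' > "$DEMO_DIR/userlist"

echo "== bad.conf";  check_vsftpd_conf "$DEMO_DIR/bad.conf"  || echo "(findings above)"
echo "== good.conf"; check_vsftpd_conf "$DEMO_DIR/good.conf" && echo "no findings"
echo "== shells";    check_userlist_shells "$DEMO_DIR/userlist" "$DEMO_DIR/passwd" || echo "(findings above)"
```

On the router itself, run `check_vsftpd_conf /etc/vsftpd.conf` and `check_userlist_shells /etc/vsftpd/vsftpd.userlist /etc/passwd` after editing; the script only reads the files it is given.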
> Make sure home directory is set to /mnt/sda1/ftp_folder
> And the shell is set to /bin/false (to deny shell access)
Is this in the /etc/vsftpd.conf file you're referring to? I changed a line from local_root=/mnt/usb1 to local_root=/mnt/sda1.
Where, in what file, is "shell set to /bin/false"? <-- still not sure if I did this, please confirm.
I was successful internally on my router; once I opened port 21 I can access from WAN. I think you're saying to open a port, either 21 default or pick one from 30k to 31k. OK, only open 1 port, not many (security risk of course).
The default folder is /home/ftp_user instead of the F2FS usb. I want ftp path to be /etc/sda1/ftp_folder, is this set in the /etc/ vsftpd.conf file? I rebooted problem went away!
Did you create the user for ftp usage?
What is the username? ftp_user?
Do you want the ftp folder to be: /etc/sda1/ftp_folder or /mnt/sda1/ftp_folder?
Or /etc/sda1/ftp_folder/ftp_user or /mnt/sda1/ftp_folder/ftp_user ?
local_root will put all users in that directory after ftp login.
Better don't use that?
Assuming your ftp username is ftp_user
In /etc/passwd you will find something like
/mnt/usb is the home directory.
Change that to your desired home directory (e.g. where the user is put after (ftp) login)
/bin/false is the path of the user's shell. You want to set this to /bin/false.
Only opening port 21 on wan side will not work.
To make file transfers work you also have to specify a passive port range and open those ports.
Thanks. I edited my post.
I did successfully create the ftp user per the old wiki link you provided. I used a made-up name and password, ftp_user was just example purpose like you mentioned. I'm not sure if I left any obvious security risk.
In the /etc/vsftpd.conf file, I changed local_root=/mnt/sda1. Does this set the default path, or is this done by /etc/passwd?
In /etc/passwd I have
ftp_user:x:1000:1000:ftp_user:/home/ftp_user:/bin/ash, so change bin/ash to bin/false. The only line with bin/ash is root:x:0:0:root:/root:/bin/ash
Weird, I opened port 21 and then was able to access ftp from the WAN side. Did I do something wrong here? If I close port 21, I get connection failed. I do remember being able to open a range of ports on some other GUI besides LuCI. I don't see where/how to do that in LuCI.
I updated my firmware to 18.06.4 r7808-ef686b7292, subsequently vsftp login failed. I reinstalled a few things from the procedure and was only able to login as root with root password.
I reset the ftp_user passwd and was able to login using ftp_user. It looks like firmware updates wiped out the ftp_user password.
FTP (without encryption) transfers login information in plain text.
> This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login. Failure is silently ignored.
You can use this setting to specify a directory to put local users in after login.
I think the use for this is if you want the user's ftp directory to be different than their home directory.
For example (in /etc/vsftpd.conf):
$USER will be replaced with the user that logs on. (in your case ftp_user)
So ftp_user will end up in the /mnt/sda1/ftp/ftp_user/ directory after login.
But ftp_user's home directory is /home/ftp_user (or any other directory that is set in /etc/passwd)
You can also put the local_root option in the user config as I described above.
But then you have to use direct paths.
To make things a bit more secure... you don't want a writeable chroot.
(But for normal home use I guess it is fine to have writeable chroot....)
Change/add/remove the following in vsftpd.conf:
- allow_writeable_chroot=YES -> Remove or set to NO
- local_root -> Remove
- Add passwd_chroot_enable=YES
Create the following directory structure:
Change the owner and group:
```
chown nobody:nogroup /mnt/sda1/ftp
chown nobody:nogroup /mnt/sda1/ftp/ftp_user
chown ftp_user:ftp_user /mnt/sda1/ftp/ftp_user/uploads
chmod 555 /mnt/sda1/ftp
chmod 555 /mnt/sda1/ftp/ftp_user
chmod 755 /mnt/sda1/ftp/ftp_user/uploads
```
The problem with a non-writeable chroot is that you have to use subdirectories so users can upload things (because the chroot is not writeable anymore, obviously x) ).
To work around this:
We set passwd_chroot_enable=YES and use ./uploads in the home directory path in /etc/passwd to tell vsftpd to change into that directory after login.
If you want to have an encrypted connection you have to set up some certificate madness.
Did you try to transfer some files? It should fail with only port 21 open.
You can use - to specify a port range and even combine single port(s) with ranges.
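Added example, not code from the post or from vsftpd: a POSIX sh script that builds the read-only chroot layout described above (555 on the chroot and the user directory, 755 on the writable uploads subdirectory) under any base directory, verifies the resulting modes, and shows how the `/./` marker in the /etc/passwd home field splits into chroot root and post-login directory when passwd_chroot_enable=YES. The base path is an argument so the layout can be rehearsed in a scratch directory; chown to nobody:nogroup and to the ftp user, as in the post, is only attempted when running as root. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the forum post: create and verify the read-only
# chroot layout from the reply above, and interpret passwd_chroot_enable paths.
# Usage: make_ftp_tree BASE USER; verify_ftp_tree BASE USER

# make_ftp_tree BASE USER -> BASE/USER/uploads with the modes from the post
make_ftp_tree() {
    base="$1"; user="$2"
    mkdir -p "$base/$user/uploads"
    # chroot root and the user's directory are not writeable by anyone
    chmod 555 "$base" "$base/$user"
    # uploads is the only place the ftp user may write
    chmod 755 "$base/$user/uploads"
    # ownership as in the post; only possible as root, and nogroup may be
    # named differently on systems other than OpenWrt
    if [ "$(id -u)" -eq 0 ]; then
        chown nobody:nogroup "$base" "$base/$user" 2>/dev/null ||
            echo "note: chown nobody:nogroup failed; set the unprivileged owner by hand"
        chown "$user:$user" "$base/$user/uploads" 2>/dev/null ||
            echo "note: chown $user:$user failed; does the user exist yet?"
    fi
}

# perm_of PATH -> symbolic mode, e.g. r-xr-xr-x (ls -ld works on busybox too)
perm_of() { ls -ld "$1" | cut -c2-10; }

# verify_ftp_tree BASE USER -> 0 if modes match the post, 1 otherwise
verify_ftp_tree() {
    base="$1"; user="$2"; bad=0
    [ "$(perm_of "$base")" = "r-xr-xr-x" ] ||
        { echo "FINDING: $base should be mode 555"; bad=1; }
    [ "$(perm_of "$base/$user")" = "r-xr-xr-x" ] ||
        { echo "FINDING: $base/$user should be mode 555"; bad=1; }
    [ "$(perm_of "$base/$user/uploads")" = "rwxr-xr-x" ] ||
        { echo "FINDING: $base/$user/uploads should be mode 755"; bad=1; }
    return $bad
}

# passwd_home_for USER BASE -> home field for /etc/passwd with
# passwd_chroot_enable=YES: everything before /./ becomes the chroot,
# everything after it is the directory vsftpd changes into after login
passwd_home_for() { printf '%s/%s/./uploads\n' "$2" "$1"; }

# split_chroot_home HOMEFIELD -> "CHROOT CWD" as vsftpd will interpret it
split_chroot_home() {
    case "$1" in
        */./*) printf '%s %s\n' "${1%%/./*}" "/${1#*/./}" ;;
        *)     printf '%s /\n' "$1" ;;
    esac
}

# cleanup_ftp_tree BASE -> make the 555 directories removable again, then remove
cleanup_ftp_tree() { chmod -R u+w "$1" 2>/dev/null; rm -rf "$1"; }

# Rehearsal in a scratch directory standing in for /mnt/sda1/ftp
DEMO_BASE=$(mktemp -d)/ftp
make_ftp_tree "$DEMO_BASE" ftp_user
verify_ftp_tree "$DEMO_BASE" ftp_user && echo "layout OK under $DEMO_BASE"
echo "passwd home field: $(passwd_home_for ftp_user /mnt/sda1/ftp)"
echo "vsftpd sees chroot and cwd: $(split_chroot_home "$(passwd_home_for ftp_user /mnt/sda1/ftp)")"
```

Once the rehearsal looks right, run `make_ftp_tree /mnt/sda1/ftp ftp_user` as root on the router and put the string printed by `passwd_home_for` into the home field of the user's /etc/passwd line; `cleanup_ftp_tree` is there for removing the scratch copy, not the live tree.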
I know the post is a bit old, but still works.
A small contribution:
If you want/need to jail the user in home, add:
If you want them free, add the user to the list /etc/vsftpd/vsftpd.chroot_list