Vsftpd usb3 f2fs setup

Can someone provide dummy proof instructions on setting up login/password using vsftpd? Everything is installed all that is left is login setup and setup of the a default folder... /mnt/sda1/ftp_folder so that I can securely access (read & download) files from my Linkysy 1900ACS router.

Add a new user (and group) as described here:
https://openwrt.org/docs/guide-user/security/secure.access#create_a_non-privileged_user_in_openwrt

Make sure home directory is set to /mnt/sda1/ftp_folder
And the shell is set to /bin/false (to deny shell access)

Create a new file: /etc/vsftpd/vsftpd.userlist
Add the new user(name) here.

edit your /etc/vsftpd.conf as follows:

background=YES
listen=YES
listen_address=10.0.0.254 <--- change to your desired listen address
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
chroot_local_user=YES
allow_writeable_chroot=YES
#dirmessage_enable=YES
ftpd_banner=Welcome to anon's FTP service.
session_support=NO
#syslog_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.userlist
#user_config_dir=/etc/vsftpd/vsftpd_user_conf

Restart vsftpd.

If you want a per-user config:
Create a new directory: /etc/vsftpd/vsftpd_user_conf/
In that directory create a file that is named after the user.
For example if you want to deny delete/remove actions:
Add the following to the file:

##Disable delete commands
cmds_denied=DELE,RMD

Uncomment user_config_dir in /etc/vsftpd.conf
Restart vsftpd.

If you need access from wan side:
Add the following to /etc/vsftpd.conf:

pasv_enable=Yes
pasv_max_port=30000
pasv_min_port=31000

Comment listen_address out to make vsftpd listen on all interfaces.
Open Ports 21,30000-31000 TCP on the wan side.

New URL: https://openwrt.org/docs/guide-user/security/secure.access#create_a_non-privileged_user_in_openwrt

The old page is for archival purposes only and doesn't receive any updates any more.

Blockquote "Make sure home directory is set to /mnt/sda1/ftp_folder
And the shell is set to /bin/false (to deny shell access)"

Edited--

Is this in the /etc/vsftpd.conf file your referring? I changed a line from local_root=/mnt/usb1 to local_root=/mnt/sda1.

Where, what file is is "shell set to /bin/false"? <-- still not sure if I did this please confirm.

I was successful internally on my router, once I opened port 21 I can access from WAN. I think your saying to open a port, either 21 default or pick one from 30k to 31k. OK, only open 1 port not many (securit risk of course).

The default folder is /home/ftp_user instead of the F2FS usb. I want ftp path to be /etc/sda1/ftp_folder, is this set in the /etc/ vsftpd.conf file? I rebooted problem went away!

Did you create the user for ftp usage?
What is the username? ftp_user?
Do you want the ftp folder to be: /etc/sda1/ftp_folder or /mnt/sda1/ftp_folder?
Or /etc/sda1/ftp_folder/ftp_user or /mnt/sda1/ftp_folder/ftp_user ?

local_root will be put all users in that directory after ftp login.
Better don't use that?

Assuming your ftp username is ftp_user
In /etc/passwd you will find something like
ftp_user:x:1000:1000:GROUP:/mnt/usb:/bin/false

/mnt/usb is the home directory.
Change that to your desired home directory (e.g. where the user is put after (ftp) login)
/bin/false is the path of the users shell. You want to set this to /bin/false

Only opening port 21 on wan side will not work.
To make file transfers work you also have to specify a passive port range and open those ports.

@tmomas
Thanks. I edited my post.

I did successfully create the ftp user per the old wiki link you provided. I used a made-up name and password, ftp_user was just example purpose like you mentioned. I'm not sure if I left any obvious security risk.

In /etc/vsftpd.conf file, I change local_root=/mnt/sda1. Does this set default path or is this done by /etc/passwd?

In /etc/passwd I have
ftp_user:x:1000:1000:ftp_user:/home/ftp_user:/bin/ash, so change bin/ash to bin/false. The only line with bin/ash is root:x:0:0:root:/root:/bin/ash

Weird, I open port 21, and then was able to access ftp from the WAN side. I did something wrong here? If I close port 21, I get connection failed. I do remember being able to open a range of ports on some-other GUI besides LuCI. I don't see where/how to do that in LuCI.

I noticed,

I updated my firmware to 18.06.4 r7808-ef686b7292, subsequently vsftp login failed. I reinstalled a few things from the procedure and was only able to login as root with root password.

I reset the ftp_user passwd and was able to login using ftp_user. It looks like firmware updates wiped out the ftp_user password.

FTP (without encryption) transfers login information in plain text.

http://vsftpd.beasts.org/vsftpd_conf.html

local_root
This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login. Failure is silently ignored.

You can use this setting to specify a directory to put local users in after login.
I think the use for this if you want the users ftp directory to be different then their home directories.
For example (in /etc/vsftpd.conf):
user_sub_token=$USER
local_root=/mnt/sda1/ftp/$USER

$USER will be replaced with the user that logs on. (in your case ftp_user)
So ftp_user will end up in the /mnt/sda1/ftp/ftp_user/ directory after login.
But ftp_user's home directory is /home/ftp_user (or any other directory that is set in /etc/passwd)

You can also put the local_root option in the user config as I described above.
But then you have to use direct paths.
For example:
local_root=/mnt/sda1/ftp/ftp_user

To make things a bit more secure... you don't want a writeable chroot.
(But for normal home use I guess it is fine to have writeable chroot....)
Change/Add/Remove the following to vsftpd.conf

  • allow_writeable_chroot=YES -> Remove or set to NO
  • local_root -> Remove
  • Add passwd_chroot_enable=YES

Create the following directory structure:
/mnt/sda1/ftp/ftp_user/uploads

Change the owner and group:
chown nobody:nogroup /mnt/sda1/ftp
chown nobody:nogroup /mnt/sda1/ftp/ftp_user
chown ftp_user:ftp_user /mnt/sda1/ftp/ftp_user/uploads

Change permissions:
chmod 555 /mnt/sda1/ftp
chmod 555 /mnt/sda1/ftp/ftp_user
chmod 755 /mnt/sda1/ftp/ftp_user/uploads

edit /etc/passwd:
ftp_user:x:1000:1000:ftp_user:/mnt/sda1/ftp/ftp_user/./uploads:/bin/false

The problem with a none writeable chroot is, you have to use subdirectories.
So users can upload things. (Because the chroot is not writeable anymore, obviously x) )
To work around this:
We set passwd_chroot_enable=YES and use ./upload in the home directory path in /etc/passwd to tell vsftpd to change into that directory after login.

If you want to have an encrypted connection you have to setup some certificate madness :wink:

Did you try to transfer some files? It should fail with only port 21 open.
You can use - to specify a port range and even combine single port(s) with ranges.
For example:
21 33000-33100

I know the post is a bit old, but still works.
A small contribution:

If you want/need jail the user in home add:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

If want free add the user in the list /etc/vsftpd/vsftpd.chroot_list