Can someone provide dummy-proof instructions on setting up login/password using vsftpd? Everything is installed; all that is left is login setup and setup of a default folder... /mnt/sda1/ftp_folder so that I can securely access (read & download) files from my Linksys 1900ACS router.
Add a new user (and group) as described here:
https://openwrt.org/docs/guide-user/security/secure.access#create_a_non-privileged_user_in_openwrt
Make sure home directory is set to /mnt/sda1/ftp_folder
And the shell is set to /bin/false (to deny shell access)
Create a new file: /etc/vsftpd/vsftpd.userlist
Add the new user(name) here.
Edit your /etc/vsftpd.conf as follows:
background=YES
listen=YES
listen_address=10.0.0.254 <--- change to your desired listen address
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
chroot_local_user=YES
allow_writeable_chroot=YES
#dirmessage_enable=YES
ftpd_banner=Welcome to anon's FTP service.
session_support=NO
#syslog_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.userlist
#user_config_dir=/etc/vsftpd/vsftpd_user_conf
Restart vsftpd.
If you want a per-user config:
Create a new directory: /etc/vsftpd/vsftpd_user_conf/
In that directory create a file that is named after the user.
For example if you want to deny delete/remove actions:
Add the following to the file:
##Disable delete commands
cmds_denied=DELE,RMD
Uncomment user_config_dir in /etc/vsftpd.conf
Restart vsftpd.
If you need access from wan side:
Add the following to /etc/vsftpd.conf:
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
Comment listen_address out to make vsftpd listen on all interfaces.
Open Ports 21,30000-31000 TCP on the wan side.
New URL: https://openwrt.org/docs/guide-user/security/secure.access#create_a_non-privileged_user_in_openwrt
The old page is for archival purposes only and doesn't receive any updates any more.
"Make sure home directory is set to /mnt/sda1/ftp_folder
And the shell is set to /bin/false (to deny shell access)"
Edited--
Is this in the /etc/vsftpd.conf file you're referring to? I changed a line from local_root=/mnt/usb1 to local_root=/mnt/sda1.
Where, in what file, is the "shell set to /bin/false"? <-- still not sure if I did this, please confirm.
I was successful internally on my router; once I opened port 21 I can access from WAN. I think you're saying to open a port, either 21 default or pick one from 30k to 31k. OK, only open 1 port, not many (security risk of course).
The default folder is /home/ftp_user instead of the F2FS usb. I want the ftp path to be /etc/sda1/ftp_folder; is this set in the /etc/vsftpd.conf file? I rebooted and the problem went away!
Did you create the user for ftp usage?
What is the username? ftp_user?
Do you want the ftp folder to be: /etc/sda1/ftp_folder or /mnt/sda1/ftp_folder?
Or /etc/sda1/ftp_folder/ftp_user or /mnt/sda1/ftp_folder/ftp_user ?
local_root will put all users in that directory after ftp login.
Better not use that?
Assuming your ftp username is ftp_user
In /etc/passwd you will find something like
ftp_user:x:1000:1000:GROUP:/mnt/usb:/bin/false
/mnt/usb is the home directory.
Change that to your desired home directory (e.g. where the user is put after (ftp) login)
/bin/false is the path of the user's shell. You want to set this to /bin/false.
Only opening port 21 on wan side will not work.
To make file transfers work you also have to specify a passive port range and open those ports.
@tmomas
Thanks. I edited my post.
I did successfully create the ftp user per the old wiki link you provided. I used a made-up name and password; ftp_user was just for example purposes like you mentioned. I'm not sure if I left any obvious security risk.
In the /etc/vsftpd.conf file, I changed local_root=/mnt/sda1. Does this set the default path or is this done by /etc/passwd?
In /etc/passwd I have
ftp_user:x:1000:1000:ftp_user:/home/ftp_user:/bin/ash, so change bin/ash to bin/false. The only other line with bin/ash is root:x:0:0:root:/root:/bin/ash
Weird, I opened port 21, and then was able to access ftp from the WAN side. Did I do something wrong here? If I close port 21, I get connection failed. I do remember being able to open a range of ports on some other GUI besides LuCI. I don't see where/how to do that in LuCI.
I noticed, after I updated my firmware to 18.06.4 r7808-ef686b7292, that vsftp login subsequently failed. I reinstalled a few things from the procedure and was only able to login as root with the root password.
I reset the ftp_user passwd and was able to login using ftp_user. It looks like firmware updates wiped out the ftp_user password.
FTP (without encryption) transfers login information in plain text.
http://vsftpd.beasts.org/vsftpd_conf.html
local_root
This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login. Failure is silently ignored.
You can use this setting to specify a directory to put local users in after login.
I think the use for this is if you want the user's ftp directory to be different than their home directory.
For example (in /etc/vsftpd.conf):
user_sub_token=$USER
local_root=/mnt/sda1/ftp/$USER
$USER will be replaced with the user that logs on. (in your case ftp_user)
So ftp_user will end up in the /mnt/sda1/ftp/ftp_user/ directory after login.
But ftp_user's home directory is /home/ftp_user (or any other directory that is set in /etc/passwd)
You can also put the local_root option in the user config as I described above.
But then you have to use direct paths.
For example:
local_root=/mnt/sda1/ftp/ftp_user
To make things a bit more secure... you don't want a writeable chroot.
(But for normal home use I guess it is fine to have writeable chroot....)
Change/Add/Remove the following to vsftpd.conf
- allow_writeable_chroot=YES -> Remove or set to NO
- local_root -> Remove
- Add passwd_chroot_enable=YES
Create the following directory structure:
/mnt/sda1/ftp/ftp_user/uploads
Change the owner and group:
chown nobody:nogroup /mnt/sda1/ftp
chown nobody:nogroup /mnt/sda1/ftp/ftp_user
chown ftp_user:ftp_user /mnt/sda1/ftp/ftp_user/uploads
Change permissions:
chmod 555 /mnt/sda1/ftp
chmod 555 /mnt/sda1/ftp/ftp_user
chmod 755 /mnt/sda1/ftp/ftp_user/uploads
Edit /etc/passwd:
ftp_user:x:1000:1000:ftp_user:/mnt/sda1/ftp/ftp_user/./uploads:/bin/false
The problem with a non-writeable chroot is that you have to use subdirectories.
So that users can upload things. (Because the chroot is not writeable anymore, obviously x) )
To work around this:
We set passwd_chroot_enable=YES and use ./uploads in the home directory path in /etc/passwd to tell vsftpd to change into that directory after login.
If you want to have an encrypted connection you have to set up some certificate madness.
Did you try to transfer some files? It should fail with only port 21 open.
You can use - to specify a port range and even combine single port(s) with ranges.
For example:
21 33000-33100
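As an added check (not code from the thread or from vsftpd), here is a small POSIX sh script that lints a vsftpd.conf and the ftp user's /etc/passwd entry for the points raised in the first reply's config and in the non-writeable-chroot variant above: anonymous login off, userlist enforced, no writeable chroot, a passive range whose min is not above its max, and a /bin/false shell with the intended home. The sample files it writes are constructed for illustration; the user name and paths are the thread's examples.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a vsftpd.conf and the
# ftp user's /etc/passwd entry for the points discussed above.
# Sample files are constructed by make_samples; names and paths are illustrative.

# Print the (last) value of option $1 in vsftpd.conf $2, upper-cased; commented lines are skipped.
conf_get() {
  sed -n "s/^[[:space:]]*$1=\(.*\)$/\1/p" "$2" | tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# Report weak settings in config $1, one per line; return value = number of findings.
lint_vsftpd_conf() {
  f="$1"; n=0
  [ "$(conf_get anonymous_enable "$f")" = "NO" ] ||
    { echo "anonymous_enable must be NO"; n=$((n + 1)); }
  [ "$(conf_get allow_writeable_chroot "$f")" != "YES" ] ||
    { echo "allow_writeable_chroot=YES: chroot root is writeable, use an uploads subdirectory"; n=$((n + 1)); }
  [ "$(conf_get userlist_enable "$f")" = "YES" ] ||
    { echo "userlist_enable should be YES so only listed users can log in"; n=$((n + 1)); }
  min=$(conf_get pasv_min_port "$f"); max=$(conf_get pasv_max_port "$f")
  if [ -n "$min" ] && [ -n "$max" ] && [ "$min" -gt "$max" ]; then
    echo "pasv_min_port=$min is above pasv_max_port=$max: no usable passive range"; n=$((n + 1))
  fi
  return $n
}

# Check user $2's entry in passwd file $1: shell must be /bin/false and home must equal $3.
check_ftp_user() {
  entry=$(grep "^$2:" "$1") || { echo "no passwd entry for $2"; return 1; }
  home=$(echo "$entry" | cut -d: -f6); shell=$(echo "$entry" | cut -d: -f7)
  [ "$shell" = "/bin/false" ] || { echo "$2 has shell $shell, expected /bin/false"; return 1; }
  [ "$home" = "$3" ] || { echo "$2 has home $home, expected $3"; return 1; }
}

# Constructed samples in directory $1: the config as first posted (inverted passive
# range, writeable chroot) next to the hardened one, plus the two passwd lines.
make_samples() {
  printf '%s\n' anonymous_enable=NO local_enable=YES userlist_enable=YES \
    allow_writeable_chroot=YES pasv_enable=YES pasv_max_port=30000 pasv_min_port=31000 \
    > "$1/weak.conf"
  printf '%s\n' anonymous_enable=NO local_enable=YES userlist_enable=YES \
    allow_writeable_chroot=NO passwd_chroot_enable=YES pasv_enable=YES \
    pasv_min_port=30000 pasv_max_port=31000 > "$1/fixed.conf"
  printf '%s\n' 'ftp_user:x:1000:1000:ftp_user:/home/ftp_user:/bin/ash' > "$1/passwd.weak"
  printf '%s\n' 'ftp_user:x:1000:1000:ftp_user:/mnt/sda1/ftp/ftp_user/./uploads:/bin/false' > "$1/passwd.fixed"
}
```

Run it on the router as `lint_vsftpd_conf /etc/vsftpd.conf; check_ftp_user /etc/passwd ftp_user /mnt/sda1/ftp/ftp_user/./uploads` after sourcing the script; a zero exit status means none of the listed problems were found.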
I know the post is a bit old, but this still works.
A small contribution:
If you want/need to jail the user in their home, add:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
If you want to free a user from the jail, add the user to the list /etc/vsftpd/vsftpd.chroot_list