In this tutorial we show how to deploy the FTP daemon vsFTPD on a Linux server and then harden it with Fail2ban.
Very Secure File Transfer Protocol Daemon (VSFTPD) is, as the name promises, a secure FTP daemon. It is used as the default FTP server by most Linux distributions, such as Debian, Ubuntu, CentOS, Fedora, RHEL and more. VSFTPD provides a stable FTP server and is licensed under the GNU General Public License. VSFTPD is designed for secure and easy support for virtual clients with PAM (Pluggable Authentication Modules). This tutorial shows how to install VSFTPD and combine it with Fail2ban on Debian 10 (buster) or other Linux versions. Fail2ban is an intrusion prevention system written in Python that runs on any Linux operating system that includes a manipulable firewall.
How to install vsFTPD and harden FTP with Fail2ban
On Debian and Ubuntu, vsFTPD is installed as usual with the apt package manager from the default repository.
$ sudo apt-get install vsftpd -y
On CentOS and RHEL, install vsFTPD using DNF (Dandified YUM).
$ sudo yum install vsftpd -y
After the installation, we configure vsFTPD.
$ sudo vi /etc/vsftpd.conf
On CentOS / RHEL / Fedora, vsftpd.conf is found under /etc/vsftpd.
$ sudo vi /etc/vsftpd/vsftpd.conf
If you don’t like Vim, you can edit using ne, or whatever your favorite editor is.
We disable anonymous login and allow local users to write.
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot jail for FTP users
chroot stands for change root and is a feature of Unix systems for changing the root directory. chroot only affects the current process and its child processes. It is a simple jail mechanism with which the FTP server prevents users from accessing files outside of their directory. chroot is also an easy way to sandbox untrusted data. The chroot settings for vsFTPD FTP users can be found in the file
To configure chroot for users, go to the line chroot_local_user and change it to YES, as with
All users are chrooted, except for those exempted by creating the file /etc/vsftpd.chroot_list, which contains the users who are excluded from chroot.
CentOS / RHEL path
It is possible to lock out users completely. To refuse login for certain users, add the following lines to the file vsftpd.conf.
userlist_deny=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
Create a file vsftpd.userlist and add users to it, one user per line, such as the service accounts, for example:
# for users that are denied.
root
bin
daemon
sys
sync
man
backup
admin
sshd
lp
sync
proxy
list
irc
shutdown
halt
mail
news
uucp
operator
games
nobody
postfix
www-data
ftp
mysql
SFTP encrypted authentication
So that passwords are not sent in clear text, add these TLS options to the configuration file (they enable FTP over TLS, also called FTPS). Some of them are already present, so check them and change the options if necessary.
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Note: SFTP is a different protocol that runs over SSH. By default it is already enabled by the SSH daemon, so check the file
Subsystem sftp /usr/lib/openssh/sftp-server
Hint! More recommended VSFTPD settings
# Empty directory used as a secure chroot() jail at times vsftpd does not require filesystem access.
secure_chroot_dir=/var/run/vsftpd/empty
# This string is the name of the PAM service vsftpd will use.
pam_service_name=ftp
# Uncomment this to indicate that vsftpd uses a utf8 filesystem.
utf8_filesystem=YES
# Passive-mode FTP port range; allow this range through the firewall.
pasv_min_port=40000
pasv_max_port=50000
Note: An FTP connection consists of the command channel and the data channel. In passive mode the FTP client opens both channels, so the firewall can let the FTP connection through. The port range from pasv_min_port to pasv_max_port must therefore be open on the firewall.
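One way to check a vsftpd.conf against the settings chosen above, as an added example (not code from the original tutorial or from the vsFTPD project). The function names and the sample file are constructed for illustration; the defaults are the compiled-in ones documented in vsftpd.conf(5), which also states that spaces around "=" are an error.

```python
import re

# Compiled-in defaults from vsftpd.conf(5); an option missing from the file
# silently takes these values.
DEFAULTS = {"anonymous_enable": "YES", "chroot_local_user": "NO",
            "userlist_enable": "NO", "ssl_enable": "NO", "allow_anon_ssl": "NO",
            "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES"}
# Values this tutorial configures for the same options.
WANTED = {"anonymous_enable": "NO", "chroot_local_user": "YES",
          "userlist_enable": "YES", "ssl_enable": "YES", "allow_anon_ssl": "NO",
          "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES"}
LINE_RE = re.compile(r"^([a-z0-9_]+)=(.*)$")  # vsftpd allows no spaces around '='

# Constructed sample file containing three typical mistakes.
SAMPLE_CONF = """\
# anonymous_enable=NO
local_enable=YES
chroot_local_user = YES
userlist_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
"""

def parse_conf(text):
    """Return (settings, malformed_lines) for the text of a vsftpd.conf."""
    settings, malformed = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if m:
            settings[m.group(1)] = m.group(2)
        else:
            malformed.append(raw)
    return settings, malformed

def audit(text):
    """List findings where the effective value differs from the tutorial's."""
    settings, malformed = parse_conf(text)
    findings = [f"malformed line (expected option=value): {line!r}" for line in malformed]
    for opt, want in WANTED.items():
        got = settings.get(opt, DEFAULTS[opt])
        if got != want:
            origin = "set in file" if opt in settings else "compiled-in default"
            findings.append(f"{opt}={got} ({origin}), tutorial uses {want}")
    return findings

print("\n".join(audit(SAMPLE_CONF)))
```

The commented-out anonymous_enable line is the case worth noticing: with the option absent, the compiled-in default YES applies and anonymous login stays on.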
FTP server vsFTPD hardening through Fail2ban
To protect the FTP server from brute force attacks, Fail2ban is enabled for vsFTPD. After a defined number of failed login attempts, the suspicious host is blocked for a certain amount of time. Fail2ban relies on the logs to work. First, install Fail2ban on the FTP server.
$ sudo apt install -y fail2ban
Configure Fail2ban for the vsFTPD service
For Fail2ban and vsFTPD, create the file jail.local if it does not already exist.
$ sudo vi /etc/fail2ban/jail.local
The file jail.conf can also be copied, or individual blocks of the services can be added to jail.local.
[vsftpd]
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
findtime = 1800
bantime = 7200
maxretry = 4
Logs are important for the functionality of Fail2ban. The FTP server (VSFTPD) logs to the file /var/log/vsftpd.log. Fail2ban is flexible and can be adapted to most requirements. If an additional service is used that requires xferlog, both log files can be written with
By default, /var/log/vsftpd.log is read, which is predefined with the variable
xferlog_enable=YES
log_ftp_protocol=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO
The Fail2ban filter for vsftpd is contained in the file at
[INCLUDES]
before = common.conf

[Definition]
__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
_daemon = vsftpd
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
ignoreregex =
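The matching and counting that the [vsftpd] jail performs with the second failregex, findtime = 1800 and maxretry = 4, sketched as an added example (not part of the original tutorial and not Fail2ban's own code). The log lines are constructed, the function names are hypothetical, and Fail2ban's <HOST> tag is replaced by a simplified IPv4 pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Second failregex of the filter above. fail2ban's <HOST> tag is replaced by a
# plain IPv4 group here (assumption; the real tag also matches IPv6 and names).
FAIL_RE = re.compile(
    r'^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "(?P<host>\d{1,3}(?:\.\d{1,3}){3})"(?:\s*$|,)')
FINDTIME, MAXRETRY = 1800, 4   # seconds and failures, as in the [vsftpd] jail
STAMP_LEN = 24                 # width of the timestamp "Mon Jan  6 10:00:03 2025"

# Constructed sample lines in the /var/log/vsftpd.log layout (documentation IPs).
SAMPLE_LOG = """\
Mon Jan  6 09:00:00 2025 [pid 1900] [backup] FAIL LOGIN: Client "192.0.2.44"
Mon Jan  6 09:10:00 2025 [pid 1911] [backup] FAIL LOGIN: Client "192.0.2.44"
Mon Jan  6 09:20:00 2025 [pid 1922] [backup] FAIL LOGIN: Client "192.0.2.44"
Mon Jan  6 09:31:00 2025 [pid 1933] [backup] FAIL LOGIN: Client "192.0.2.44"
Mon Jan  6 10:00:03 2025 [pid 2100] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:00:09 2025 [pid 2100] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:00:15 2025 [pid 2104] [alice] OK LOGIN: Client "198.51.100.20"
Mon Jan  6 10:00:21 2025 [pid 2106] [ftp] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:00:30 2025 [pid 2108] [mysql] FAIL LOGIN: Client "203.0.113.7"
"""

def parse_failure(line):
    """Return (timestamp, host) for a failed-login line, else None."""
    try:
        ts = datetime.strptime(line[:STAMP_LEN], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    m = FAIL_RE.match(line[STAMP_LEN:])  # the regex sees the line without its date
    return (ts, m.group("host")) if m else None

def hosts_to_ban(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Map each host reaching maxretry failures within findtime to its ban time."""
    recent, banned = defaultdict(deque), {}
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        recent[host].append(ts)
        while (ts - recent[host][0]).total_seconds() > findtime:
            recent[host].popleft()  # failure is older than findtime, forget it
        if len(recent[host]) >= maxretry:
            banned.setdefault(host, ts)
    return banned

print(hosts_to_ban(SAMPLE_LOG))
```

The host 192.0.2.44 also fails four times, but its first and fourth attempts are 31 minutes apart, so it never has four failures inside one 1800-second window and is not banned.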
The Fail2ban daemon must be restarted to apply the changes.
$ sudo systemctl restart fail2ban
Now check the IP addresses that Fail2ban has blocked for vsftpd. Run this as root:
$ fail2ban-client status vsftpd
Status for the jail: vsftpd
| Filter
| |- Currently failed: 0
| |- Total failed: 3
| '- File list: /var/log/vsftpd.log
'- Actions
   |- Currently Banned: 17
   |- Total banned: 126
   '- Banned IP list: