
vsftpd is a server for the File Transfer Protocol. Its name is an acronym for Very Secure File Transfer Protocol Daemon.

Install FTP server vsFTPD and harden it through Fail2ban


In this tutorial we show how to deploy the FTP daemon vsFTPD on a Linux server and then harden it with Fail2ban.

Very Secure File Transfer Protocol Daemon (VSFTPD) is, as its name promises, a secure FTP daemon, and it is the default FTP server of most Linux distributions, such as Debian, Ubuntu, CentOS, Fedora and RHEL. VSFTPD provides a stable FTP server and is licensed under the GNU General Public License. It is designed for secure and easy support of virtual users through PAM (Pluggable Authentication Modules). This tutorial shows how to install VSFTPD and protect it with Fail2ban on Debian 10 (buster) or other Linux versions. Fail2ban is an intrusion prevention system written in Python that runs on any Linux system with a firewall it can control.

How to install vsFTPD and harden FTP with Fail2ban

Installation

On Debian and Ubuntu, vsFTPD is installed as usual with the apt package manager from the default repository.

$ sudo apt-get install vsftpd -y

On CentOS and RHEL, install vsFTPD with yum or its successor DNF (Dandified Yum).

$ sudo yum install vsftpd -y

After the installation we configure vsFTPD.

$ sudo vi /etc/vsftpd.conf

On CentOS / RHEL / Fedora, vsftpd.conf is found under /etc/vsftpd.

$ sudo vi /etc/vsftpd/vsftpd.conf

  If you don't like vim, you can edit with nano, ne, or whatever your favourite editor is.

We disable anonymous login and allow local users to write.

anonymous_enable=NO
local_enable=YES
write_enable=YES

chroot jail for FTP users

chroot stands for change root and is a Unix feature that changes the root directory seen by the current process and its child processes. It is a simple jail mechanism with which the FTP server prevents users from accessing files outside their home directory, and it is also an easy way to sandbox untrusted data. The chroot settings for vsFTPD users are found in the file vsftpd.conf.

To chroot users, find the line chroot_local_user and set it to YES, and do the same with chroot_list_enable:

chroot_local_user=YES
chroot_list_enable=YES

All users are then chrooted, except those listed in the file /etc/vsftpd.chroot_list, which contains the users exempted from the chroot.

chroot_list_file=/etc/vsftpd.chroot_list
allow_writeable_chroot=YES

  On CentOS / RHEL the path is /etc/vsftpd/vsftpd.chroot_list

It is also possible to lock users out completely. To refuse login for certain users, add the following lines to vsftpd.conf:

userlist_deny=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist

Create the file vsftpd.userlist and add one user per line, for example the service accounts:

# for users that are denied.
root
bin
daemon
sys
sync
man
backup
admin
sshd
lp
sync
proxy
list
irc
shutdown
halt
mail
news
uucp
operator
games
nobody
postfix
www-data
ftp
mysql

Encrypted authentication over TLS (FTPS)

So that passwords are not sent in clear text, add these options to the configuration file; some of them are already present, so check them and change the values where necessary.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Note: SFTP is a different protocol that runs over SSH; it is usually already enabled by the SSH daemon, which you can check in the file /etc/ssh/sshd_config.

Subsystem   sftp  /usr/lib/openssh/sftp-server

Back in vsftpd.conf, the following options are also relevant:

# Empty, non-writable directory used as a secure chroot() jail at times vsftpd does not require filesystem access.
secure_chroot_dir=/var/run/vsftpd/empty
# This string is the name of the PAM service vsftpd will use.
pam_service_name=ftp
# Indicate that vsftpd uses a UTF-8 filesystem.
utf8_filesystem=YES
# Passive-mode data port range; this range must be allowed through the firewall.
pasv_min_port=40000
pasv_max_port=50000

Note: An FTP connection consists of a command channel and a data channel. In passive mode the client opens both channels towards the server, which lets the firewall admit the whole FTP session; for this the port range from pasv_min_port to pasv_max_port must be open on the firewall.
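As an added illustration (not the tutorial's or vsftpd's own code), this Python script parses a vsftpd.conf and checks the options discussed above; an option missing from the file is judged by vsftpd's built-in default, and allow_writeable_chroot=YES is reported because it switches off vsftpd's refusal to run with a writable chroot root. The sample configuration is constructed.

```python
# Added audit script (not vsftpd's own code); option defaults are taken from vsftpd.conf(5).
import re

# option: (vsftpd built-in default, value the hardening above expects). Setting
# allow_writeable_chroot=YES switches off vsftpd's refusal to run with a writable
# chroot root, so the audit reports it whenever it is enabled.
CHECKS = {
    "anonymous_enable":       ("YES", "NO"),
    "chroot_local_user":      ("NO",  "YES"),
    "userlist_enable":        ("NO",  "YES"),
    "ssl_enable":             ("NO",  "YES"),
    "force_local_logins_ssl": ("YES", "YES"),
    "ssl_sslv2":              ("NO",  "NO"),
    "ssl_sslv3":              ("NO",  "NO"),
    "allow_writeable_chroot": ("NO",  "NO"),
}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def parse_vsftpd_conf(text):
    """Return {option: value}; comments are skipped, a later duplicate wins."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            settings[m.group(1)] = m.group(2)
    return settings

def audit(text):
    """Return [(option, effective value, expected value)] for failed checks."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for option, (default, wanted) in CHECKS.items():
        # An option missing from the file takes vsftpd's built-in default.
        effective = settings.get(option, default).upper()
        if effective != wanted:
            findings.append((option, effective, wanted))
    return findings

# Constructed sample: the chroot block from above, with ssl_enable left out.
SAMPLE_CONF = """\
anonymous_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
userlist_enable=YES
"""

if __name__ == "__main__":
    for option, actual, wanted in audit(SAMPLE_CONF):
        print(f"{option}: is {actual}, expected {wanted}")
```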

FTP server vsFTPD hardening through Fail2ban

To protect the FTP server from brute-force attacks, Fail2ban is enabled for vsFTPD. After a defined number of failed login attempts, the suspicious host is banned for a certain amount of time. Fail2ban works from the logs, so they matter; to this end, Fail2ban is installed on the FTP server.

$ sudo apt install -y fail2ban

Configure the vsFTPD jail in Fail2ban

For Fail2ban and vsFTPD, create the file jail.local if it does not already exist.

$ sudo vi /etc/fail2ban/jail.local

  The file jail.conf can also be copied, or the individual service blocks can be added to jail.local.

[vsftpd]
enabled = true
# or overwrite it in jail.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
findtime = 1800
bantime = 7200
maxretry = 4

Logs are essential for Fail2ban to function. vsFTPD writes its log to /var/log/vsftpd.log. Fail2ban is flexible and can be adapted to most requirements. If another service needs the xferlog format, vsFTPD can write both log files with dual_log_enable=YES.

  By default /var/log/vsftpd.log is read, which is predefined in the variable %(vsftpd_log)s.

xferlog_enable=YES
log_ftp_protocol=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO

The Fail2ban filter for vsftpd is in the file /etc/fail2ban/filter.d/vsftpd.conf:

[INCLUDES]

before = common.conf

[Definition]

__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
_daemon =  vsftpd

failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)

ignoreregex =
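To see how the jail parameters and the filter work together, here is an added Python simulation (not Fail2ban's own code) that applies the FAIL LOGIN failregex to constructed vsftpd.log lines and bans a host once maxretry failures fall within findtime; the timestamp stripping and <HOST> expansion that Fail2ban performs internally are done by hand here.

```python
# Added simulation of the Fail2ban vsftpd jail (not Fail2ban's own code).
import re
from datetime import datetime, timedelta

FINDTIME = timedelta(seconds=1800)   # values from the jail.local block above
BANTIME = timedelta(seconds=7200)
MAXRETRY = 4
# Fail2ban strips the timestamp before matching and expands <HOST> into a
# host-capturing group; both are done by hand here on the 24-character stamp.
TIMESTAMP = "%a %b %d %H:%M:%S %Y"
FAIL_RE = re.compile(r'^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "(?P<host>[^"]+)"(?:\s*$|,)')

def parse_line(line):
    """Return (timestamp, host) for a FAIL LOGIN line, otherwise None."""
    m = FAIL_RE.match(line[24:])
    if not m:
        return None
    return datetime.strptime(line[:24], TIMESTAMP), m.group("host")

def run_jail(lines):
    """Replay log lines in order; return {host: time the ban started}."""
    failures, bans = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        if host in bans and when < bans[host] + BANTIME:
            continue                      # still banned, nothing new to count
        recent = [t for t in failures.get(host, []) if when - t < FINDTIME]
        recent.append(when)
        failures[host] = recent
        if len(recent) >= MAXRETRY:       # maxretry failures inside findtime
            bans[host], failures[host] = when, []
    return bans

# Constructed sample of /var/log/vsftpd.log in the log_ftp_protocol format.
SAMPLE_LOG = """\
Tue Sep 10 12:33:07 2019 [pid 2541] [alice] OK LOGIN: Client "192.0.2.5"
Tue Sep 10 12:40:01 2019 [pid 2560] [admin] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 12:40:09 2019 [pid 2561] [root] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 12:40:15 2019 [pid 2562] [test] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 12:40:22 2019 [pid 2563] [ftp] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 13:05:44 2019 [pid 2601] [bob] FAIL LOGIN: Client "192.0.2.5"
Tue Sep 10 14:10:12 2019 [pid 2650] [bob] FAIL LOGIN: Client "192.0.2.5"
""".splitlines()

if __name__ == "__main__":
    for host, start in run_jail(SAMPLE_LOG).items():
        print(f"ban {host} from {start} for {BANTIME}")
```

The second host is not banned because its two failures are more than findtime apart, which is exactly the window Fail2ban applies.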

Restart the Fail2ban daemon to apply the changes.

$ sudo systemctl restart fail2ban

To check which IP addresses Fail2ban has banned for vsftpd, run this fail2ban-client command as root.

$ fail2ban-client status vsftpd
Status for the jail: vsftpd
| Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  '- File list: /var/log/vsftpd.log
'- Actions
   |- Currently Banned: 17
   |- Total banned: 126
   '- Banned IP list: