Episode: 181
Title: HPR0181: Setting up vsFTPD
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0181/hpr0181.mp3
Transcribed: 2025-10-07 13:01:57

---

Music

Hi, welcome to Hacker Public Radio. My name is Klaatu and I'm going to be talking about FTP, setting up an FTP server. I'm no expert at setting up an FTP server. The experience I've had has been just playing around with it. So don't take my advice or my example as necessarily the most secure setup that you could ever have. I'm no expert on security; opening up your computer to the World Wide Web could be a very, very bad thing if you don't configure it correctly, as I'm sure you're probably aware. Setting up an FTP server is really no different in many ways from setting up an HTTP server, just a normal web server. It's giving people access to your computer, so you want to make sure that you've got that roped off and locked down and stuff like that.

However, FTP is a pretty handy device to have on your computer at times when you're sending very large files to someone. Obviously, there are lots of different ways to do it. There are services like MediaFire or places that will send big files across the network; it'll store it for a temporary time and then you can go download it, things like that. But sometimes nothing beats just having the file on a server that's in your control, that is being seen mostly only by your eyes, and just directing people to that server so they can grab the file, and then you can get rid of the file. It's just kind of a handy way sometimes to do it.

FTP, as I understand it, dates back to about 1971. This is a very old protocol and it was used back then as a protocol to transfer files. At that time, in the beginning, you had to know exactly where the file was in order to go find it. Later on, Gopher and similar tools sprung up and kind of helped when you were searching for files that you might want.
They would direct you to the location, the FTP server where they were stored, and then you could go grab them.

In FTP, there are two types of users. There are the real users, which the system administrator knows and has set up with a username and a password. Then there are the anonymous users, which ideally would be a user that can log in anonymously and get access to that file, but hopefully, usually, you don't want them to be able to upload. Letting anonymous people upload obviously would not be a very good idea.

One of the biggest FTP server applications out there is called vsftpd. That stands for Very Secure FTP Daemon. It is fairly simple to install and to configure. It is also considered pretty secure. It has become one of the more popular default FTP servers that you will find easily installable in a number of Linux distributions. You may be able to find this in a repo, depending on what distro you are with. If you hunt around for vsftp or vsftpd, you should be able to find it, probably in a repo, and you can download it and install it. You only need to do that, obviously, if you had installed just a normal desktop Linux. If you have installed the server version of whatever distro you are running, then probably you have already got either vsftpd or WU-FTPD or some application that will provide FTP service. But either way, as long as you have got something. I am going to be doing vsftpd because that is the only one that I have ever used. If it is not in your distro's repo, or if you don't have a repo with your distro, then you can just go directly to their website, and that is http://vsftpd.beasts.org. You can download the source code there, compile it, and install it.

Now you are going to want to start it up after it is all installed, and that would be: service vsftpd start. Well, that is how I did it on my Fedora box.
So once it is started, you should be able to log in just from your own computer into the FTP folder; you don't even have to go out onto the network. Yeah, just do this locally. So you can totally just FTP to your localhost. It should give you some kind of welcome message. And then you can type in your username and your password. And that would just be your normal username, the username that you have logged into your computer as, and the password that you log in with. And then it should log in successfully. And so now you are connected to your FTP server via the localhost. Not that big of a deal, not very helpful, obviously, but at least it establishes that the FTP daemon is running. It is aware of itself. It knows that it is allowed to have users, things like that.

Now to test it out a little bit further, you can go out onto another computer on that local area network and try the same thing. So you are just going to FTP into whatever IP address the server is. And then it should again ask you for your username and your password. So you are going to use the username and the password of that computer, of that server. Not the one you are sitting on, the one that you just installed vsftpd on. Type in your username and your password. And ideally it will let you in and you should be in your FTP directory. If that does not work, you should probably check your firewall setting. Certainly on a Fedora box, the firewall is set by default to have ports 20 and 21 closed. So you are going to want to open those up. Now you've got the FTP server open to the rest of your network. And you should be able to log in after that.

Okay. So once you have established that it is working as expected, one of the things you will want to do is either enable or disable anonymous login. So if you look in the /etc/vsftpd/vsftpd.conf file, you will find a line pretty early on called anonymous_enable=YES. And local_enable=YES.
The anonymous_enable line is obviously the one that lets just anyone log into the server as ftp. And it is on by default; it is enabled by default. Now if you just comment out that line, it is still on. You need to specifically tell it to turn that off. So you are going to change anonymous_enable=YES to anonymous_enable=NO. That will make sure that anonymous login is not permitted. It doesn't take a security expert to know that that is probably a pretty good idea if you are just fooling around with FTP like I am. No reason to have just anyone who happens across your server log in. Even if you think, oh well, they don't have write access, it will be fine, they can look, they can't touch. If you don't know what you are doing, that would probably be a great line to include to just make sure that it is a little bit more restricted.

Now any user with a local account on your machine, on the server, is going to be able to log in to the FTP as long as you have got local_enable set to YES. The exception to that general rule is that all the user accounts listed in /etc/vsftpd/user_list are denied access. So that is kind of handy: if you don't want certain people to be able to log in, then you can include their name in the user list and they will be denied access to the server. So that is kind of handy. You have a fair amount of control over the users in vsftpd. Some other programs kind of let you get really specific with some of the permissions and things like that. vsftpd uses standard Unix file permissions. So if you want someone to, for instance, not have write access, you are obviously going to make something not writable, or if you don't want them to see a file, you are going to make it not readable, things like that. And the standard area for the files is going to be in /var/ftp.
That is the directory where everyone will log in to if they are an anonymous user, and the anonymous user is going to be under the category of other. So if the file permissions for /var/ftp are like 600, then obviously just the root user is going to be able to read and write there. You open it up to read for other users and anonymous login is going to be able to get in there. Now you can also change, and this is where the control comes in over the users, what the root directory is within their FTP environment. So the root directory, which would technically be a chroot environment, is /var/ftp. That means that in terms of an anonymous person logging in, the computer's root, the computer's slash, is really technically your /var/ftp, which is nice because that means that they can't really get outside of that. That is as far down in the file system as they can go.

Now if someone has a username and a password, you might want to chroot their environment via FTP. Simply because if someone gets their username and their password, then they would have access to your entire computer. So you might want to instead, within the vsftpd.conf file, do the line chroot_local_user=YES. And that's going to chroot the local user environment and restrict them only to their home folder, which seems like a really good idea to me. So try that out. That will make sure that they're not wandering around your entire computer's file system via FTP.

And you should always keep in mind that FTP is plain text. It's not an SSH process. So everything is sent in the clear. So you really want to make sure that you're protecting yourself and your users from, you know, themselves and people who might be sniffing traffic, things like that. There are ways to affect the way things are downloaded, whether it's ASCII or binary. Again, that's just a line in the conf file. Just ascii_download_enable=YES or NO.
There are ways to enable local users to upload, you know, write files. And that is simply write_enable=YES. And local_umask=022. And that's going to allow the local users to write to the server. And the umask is simply setting the file permissions so that it's 644 permissions, which would allow the user to read and write. Everyone else would be read-only. So you've got, you know, a fair amount of control over that kind of stuff. You can do the same thing with anonymous users. But I'm not even going to talk about that because I can only imagine that that seems like a phenomenally bad idea. Especially if you're just playing around with this, like I am, probably not a good idea to allow anonymous users to be writing onto your disk.

Now what there is are message files. And I guess some programs really let you go crazy with this kind of stuff, that you can just do all kinds of cool, sort of almost interactive messages and things like that. In vsftpd, just as long as you've got the dirmessage_enable option set as yes, so that is dirmessage_enable=YES, then you will be able to have a .message file in the root directory of the FTP server. So that would be your /var/ftp and then .message. But you can also have it in other folders within that directory. And the message file can be really anything, you know, I mean, it can just be information on that directory, or it could be helpful information about how to install a program or, you know, just whatever. You can also do an ftpd_banner. And then you can have, you know, just equals and then whatever banner you want, so that when they first initially log in, it could be something that indicates any information that you want, or by the same token misinformation, which isn't a bad security measure in itself.
Advertising, you know, what distro you're running and things like that might be great for distro pride, but, you know, the less information or the more misinformation you give people logging into your system, probably, you know, the better.

So obviously with this kind of thing, you're really going to make sure that you're looking at your logs and keeping tabs on your system. Not a good idea to ignore this if you literally have FTP, even if you've just turned it on for a little while, you know, just long enough for your friend to download whatever file you want to send them. You're going to want to make sure that you're keeping a watch on your log files. The logging is enabled by default, as you can imagine, and the log files themselves are in /var/log/xferlog, as in transfer log, X-F-E-R-L-O-G. And to look at that, you know, you can just more /var/log/xferlog, or you can look at it in real time: tail -F /var/log/xferlog. And that will show you all the activity going on in real time.

Another good way of protecting your users from both themselves, and sort of you from your users, is to set up timeouts. And this is one of the big reasons that I kind of find having your own FTP server kind of nice, because sometimes if I'm doing something on an FTP server where I have a lot of files, a lot of the services out there that you, you know, find, like GoDaddy or someone that's hosting your server, or that owns the server and you simply have just really basic FTP access to, a lot of times their timeout is just really, really brief. And, you know, by the time you figure out what you want to do, they've already logged you out and you have to log back in. Having said that, it's actually, you know, a good security measure.
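As an added example that is not part of the episode, here is a small POSIX shell script that picks the entries worth noticing out of the /var/log/xferlog the host says to keep an eye on. The sample lines are constructed in the standard xferlog layout (the one vsftpd writes when xferlog_std_format=YES); the hosts, users and file names are invented.

```shell
#!/bin/sh
# Added example, not from the episode: pull the interesting entries out of
# /var/log/xferlog.  The sample lines below are constructed in the standard
# xferlog layout (vsftpd writes it with xferlog_std_format=YES); hosts,
# users and file names are invented.
XFERLOG=$(mktemp)
cat >"$XFERLOG" <<'EOF'
Tue Oct  7 13:01:57 2025 3 192.0.2.10 5242880 /var/ftp/pub/talk.ogg b _ o a anonymous@ ftp 0 * c
Tue Oct  7 13:05:12 2025 1 192.0.2.11 2048 /home/alice/notes.txt b _ o r alice ftp 0 * c
Tue Oct  7 13:09:40 2025 9 198.51.100.7 7340032 /home/alice/incoming/big.tar b _ i r alice ftp 0 * c
Tue Oct  7 13:12:03 2025 0 198.51.100.7 1024 /var/ftp/pub/x.bin b _ i a anonymous@ ftp 0 * i
EOF

# Field layout (whitespace separated, so file names with spaces break it):
#  $1-$5 date   $6 seconds   $7 remote host   $8 bytes   $9 file
#  $10 a/b type $12 direction (o = download, i = upload)
#  $13 access mode (a = anonymous, r = real user)  $14 user  $18 c/i status
# Each function takes a log file name, or reads stdin (e.g. from tail -F).

# Uploads are the entries you least expect on a box that only hands out files.
# Output per line: host user file complete|incomplete
xferlog_uploads() {
    awk '$12 == "i" { print $7, $14, $9, ($18 == "c" ? "complete" : "incomplete") }' "$@"
}

# How many transfers ran under the anonymous access mode.  Anything above
# zero after you set anonymous_enable=NO means the change did not take.
xferlog_anon_count() {
    awk '$13 == "a" { n++ } END { print n + 0 }' "$@"
}

# Bytes downloaded per account, largest first, to spot one login draining the box.
xferlog_bytes_by_user() {
    awk '$12 == "o" { b[$14] += $8 } END { for (u in b) print b[u], u }' "$@" | sort -rn
}

echo "uploads:";      xferlog_uploads "$XFERLOG"
echo "anonymous transfers: $(xferlog_anon_count "$XFERLOG")"
echo "bytes served:"; xferlog_bytes_by_user "$XFERLOG"
```

To watch a live server the same way, pipe the host's tail -F /var/log/xferlog into xferlog_uploads instead of passing a file name.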
So you might want to think about setting up a timeout so that if someone walks away and forgets that they've got an FTP connection open, it's going to close, you know, after a while. So you can set the timeout that it's going to allow while they're connecting, or while it's waiting to accept all their login information; that, you know, you could do like 60 seconds or something. A connection timeout so that if they're trying to connect and it's not going, it'll time out after 60 seconds. An idle session timeout, that's idle_session_timeout. You can give them like 10 minutes maybe, 600 seconds. You could do data_connection_timeout so that if there's no progress occurring in the transfer, it'll log out. Like if there's an error in transferring the file or something. So that's all kind of a good security precaution.

And speaking of security, you can find out lots more about FTP, and the anonymous ways of abusing FTP, if you go to CERT, C-E-R-T. If you go to their FTP information, their documentation on FTP, it's very enlightening. It will give you a good idea of some of the risks out there, some of the things that you might want to worry about. Keep in mind that FTP is in plain text. Everything's just completely, you know, if you're sniffing someone on the network and they're FTPing, you're seeing everything that they're typing in. So you want to make sure that you're not doing that yourself, and just keep it in mind if you're sending this kind of information on how to get to your system to people and they're logging in, then, you know, quite possibly their username and their password have been seen by someone. So, you know, if I'm out and about, usually the way to FTP somewhere is to SSH home and then FTP from the SSH. So, keep that in mind. It's not a secure system. There are variations of it, like SFTP, things like that, but it just kind of depends on what the server's configured to do.
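As an added example that is not part of the episode, the following POSIX shell script audits a vsftpd.conf for the directives the host walks through above (anonymous_enable, local_enable and chroot_local_user, write_enable and local_umask, dirmessage_enable and ftpd_banner, logging, and the timeouts). Both config files in it are constructed for the demo; the directive names are vsftpd's own, and anon_upload_enable, anon_mkdir_write_enable, xferlog_enable, connect_timeout and userlist_enable are real directives the episode does not mention by name.

```shell
#!/bin/sh
# Added example, not from the episode: audit a vsftpd.conf for the directives
# the episode walks through.  Directive names are real vsftpd directives; the
# two config files written below are constructed for this demo.

# Value of a directive, ignoring comment lines and spaces (last one wins).
# A commented-out directive means vsftpd's compiled-in default, so a missing
# key prints nothing and the caller decides what that default implies.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | tr -d '[:space:]'
}

# Print one line per finding; the return value is the number of findings.
audit_vsftpd_conf() {
    f=$1; n=0
    # anonymous_enable defaults to YES, so only an explicit NO turns it off.
    v=$(conf_get anonymous_enable "$f")
    [ "$v" = NO ] || { echo "anonymous_enable=${v:-unset (default YES)}: set it to NO"; n=$((n+1)); }
    # Local users can wander the whole filesystem unless they are chrooted.
    if [ "$(conf_get local_enable "$f")" = YES ] && [ "$(conf_get chroot_local_user "$f")" != YES ]; then
        echo "local users are not chrooted: set chroot_local_user=YES"; n=$((n+1))
    fi
    # Anonymous writes: the case the episode refuses to even discuss.
    for k in anon_upload_enable anon_mkdir_write_enable; do
        if [ "$(conf_get "$k" "$f")" = YES ]; then echo "$k=YES: anonymous users can write to disk"; n=$((n+1)); fi
    done
    # Transfer logging is what you will be tailing in /var/log/xferlog.
    [ "$(conf_get xferlog_enable "$f")" = YES ] || { echo "xferlog_enable is not YES: nothing to tail"; n=$((n+1)); }
    # Idle and stalled-transfer timeouts close sessions people forgot about.
    for k in idle_session_timeout data_connection_timeout; do
        [ -n "$(conf_get "$k" "$f")" ] || { echo "$k not set: add an explicit timeout"; n=$((n+1)); }
    done
    return $n
}

# Constructed "fresh install" config: the defaults the episode starts from.
WEAK_CONF=$(mktemp); cat >"$WEAK_CONF" <<'EOF'
# anonymous_enable=YES   (commented out, but vsftpd still defaults to YES)
local_enable=YES
write_enable=YES
EOF

# Constructed hardened config with the settings the episode recommends.
HARD_CONF=$(mktemp); cat >"$HARD_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
ftpd_banner=Welcome.
xferlog_enable=YES
connect_timeout=60
idle_session_timeout=600
data_connection_timeout=120
userlist_enable=YES
EOF

echo "== fresh install =="; audit_vsftpd_conf "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened ==";      audit_vsftpd_conf "$HARD_CONF" && echo "no findings"
```

Point audit_vsftpd_conf at /etc/vsftpd/vsftpd.conf to check a real box; userlist_enable=YES is what makes the /etc/vsftpd/user_list denial the host describes take effect.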
This, what I've gone over, is normal FTP. So, it's all plain text. And if you are behind a firewall, if your server is behind a firewall and you're trying to FTP, you know, from some remote location, remember that you're probably going to have to configure your router or your modem to forward the ports, and the ports are 20 and 21 for FTP. There's probably some way to change that from the default to be more secure. I don't know, haven't done it yet myself. I'm just using 20 and 21 and I'm not leaving it up very often. So, it's one of those things where I'm using it for a brief time and then taking it down, just kind of getting my feet wet. It's kind of interesting, though.

You can also keep in mind that if you are logging in from a remote place and you need a DNS address to go to, to be able to get to the computer where the FTP server is set up, just keep in mind either No-IP or DynDNS. Those are both services that will provide you a dynamic DNS name, and you can hear more about those services in my episode on SSH, which is a couple of episodes back now. I'm not sure of the number off the top of my head.

A couple of quick tips on how to access the FTP server once you have it set up. At least for friends, I find it's all very helpful to be able to tell them that the FTP site itself can be accessed via Firefox. So, if you're sending a friend who maybe isn't as familiar with the whole online file transfer deal, then they might want to just look into using Firefox. They can access FTP straight from Firefox's URL bar, just ftp://whatever, and they can get into the FTP server. It'll give them a pop-up dialogue box and they can type in their username and their password, and they can see all the files and download what they need to, and that'll be a very familiar way for them to do it. Now, if it's a little bit more complex and you want them to be able to upload, then there is a great little add-on to Firefox.
At least it was available for Firefox 2. It seems to be under development right now for Firefox 3, but it's definitely worth keeping an eye on. And that is at addons.mozilla.org/en-US/firefox/addon/5460. And I don't remember exactly what it's called, but it's like FTP Upload or something very sort of practical and pragmatic like that. And all it does is add to your File menu an Upload File menu item, and as long as you're signed into an FTP site that you have writable access to, you can go there and upload it. For something a little bit more robust, something a little bit more like, for instance, FileZilla. Well, there is FileZilla. But there's also, and this is currently out for Firefox 3, FireFTP. And once you fire that up, it looks basically, I mean, it's practically just like FileZilla. It's got the traditional local side and the remote side and you just transfer your files back and forth as needed. That tends to be a little bit overwhelming for the new user. So either tell them to just go straight to it in Firefox or get them familiar with something that's a little bit more robust. But I find Firefox itself is really good just for the new users to be able to grab the file and download it.

And that's about it. That's how you set up an FTP server. It's kind of surprisingly easy when you get down to it. It's just sort of installing the application and then configuring the environment. So give it a try. But be safe, be practical about it, be secure, and have fun. Thanks for listening to Hacker Public Radio.

Thank you for listening to Hacker Public Radio. HPR is sponsored by caro.net. So head on over to C-A-R-O dot N-E-T for all of us in