Securing an FTP server

Date: 2020-12-21

Understanding passive vs. active FTP connections

See p. 470 ff. and

Active vs. passive mode:

  • By default the active mode is used: the client announces one of its own ports with a PORT (or EPRT) command, and the server then opens the data connection itself, from its port 20 to that client port (PROBLEM: from the client's side this looks like a brand-new connection initiated from outside, so a stateful firewall or NAT in front of the client blocks it!).

  • In passive mode the client opens the data connection as well: after the login on port 21 it sends PASV (or EPSV), the server answers with an address and a high port on which it is listening, and the client connects there. With the netkit ftp client used below this is switched on with the client-internal command 'passive' (FileZilla and most other clients default to passive). On the server side, pin the listening range with pasv_min_port/pasv_max_port in vsftpd.conf so that exactly that range can be opened on the firewall.
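Decoding the data-connection replies that show up in the sessions below, as an added example in Python (standard library only; not code from vsftpd or the netkit ftp client): it turns a 227 PASV or 229 EPSV reply into the host and port the client must connect to, builds the PORT argument for active mode the other way round, and refuses a passive reply that points to a host other than the one the control connection goes to, or to a port outside the range opened on the firewall. The 227 replies are the ones from the sessions in these notes; the control-peer address, the EPSV reply and the port range are assumed values for the demonstration.

```python
"""FTP data-connection endpoints: PASV/EPSV replies and PORT arguments.

Added example for these notes, not code from vsftpd or the ftp client.
Standard library only. The 227 replies are the ones from the sessions in
these notes; EPSV reply, peer address and port range are constructed.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   (RFC 959)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)     (RFC 2428)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte value out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply):
    """Return the port from a 229 reply. EPSV never announces a host; the
    client reuses the address of the control connection."""
    m = EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError("port out of range in %r" % reply)
    return port


def build_port_argument(ip, port):
    """Active mode: the argument of the PORT command the client sends, naming
    the client-side socket the server will connect to from its port 20."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    return ",".join(octets + [str(port // 256), str(port % 256)])


def passive_endpoint(reply, control_peer, port_range=None, allow_other_host=False):
    """Decide where the client may open the data connection after PASV/EPSV.

    A 227 reply naming a host other than the control-connection peer is
    refused: behind NAT vsftpd announces its private address unless
    pasv_address is set, and a server that redirects you to a third host is
    not something to follow blindly. If port_range (lo, hi) is given, a port
    outside it is refused too, since that is the range opened on the
    firewall (pasv_min_port/pasv_max_port in vsftpd.conf).
    """
    if reply.startswith("229"):
        host, port = control_peer, parse_epsv(reply)
    else:
        host, port = parse_pasv(reply)
        if host != control_peer and not allow_other_host:
            raise ValueError("server announced %s but control connection is to %s"
                             % (host, control_peer))
    if port_range is not None:
        lo, hi = port_range
        if not lo <= port <= hi:
            raise ValueError("announced port %d outside allowed range %d-%d"
                             % (port, lo, hi))
    return host, port


if __name__ == "__main__":
    # Replies exactly as they appear in the sessions in these notes
    print(parse_pasv("227 Entering Passive Mode (192,168,2,232,247,70)."))  # ('192.168.2.232', 63302)
    print(passive_endpoint("227 Entering Passive Mode (192,168,2,232,108,186).",
                           "192.168.2.232", port_range=(1024, 65535)))   # ('192.168.2.232', 27834)
    # Active mode the other way round (client address constructed)
    print(build_port_argument("192.168.2.103", 63302))                     # 192,168,2,103,247,70
```

The port arithmetic is the part people get wrong when reading a 227 reply by eye: (247,70) is not port 24770 but 247 * 256 + 70 = 63302, which is what you have to allow through the firewall.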

Setting up vsftpd

This server was written from scratch; its config file is parsed rather strictly (an unknown option or whitespace around the '=' makes the daemon refuse to start with a '500 OOPS' message), but there have been serious bugs in it as well.

Installation

Installation in the 'deb2' container

my@bash $ exit
exit
my@bash $ lxc exec deb2 bash
my@bash $
my@bash $ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
    inet 192.168.2.232/24 brd 192.168.2.255 scope global eth0
       valid_lft forever preferred_lft forever
my@bash $
my@bash $ apt-get update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Hit:2 http://deb.debian.org/debian buster InRelease
Get:3 http://security.debian.org/debian-security buster/updates/main amd64 Packages [256 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main Translation-en [140 kB]
Fetched 462 kB in 1s (548 kB/s)
Reading package lists... Done
my@bash $
my@bash $ apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apt libapt-pkg5.0 libssl1.1
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 3923 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://security.debian.org/debian-security buster/updates/main amd64 libapt-pkg5.0 amd64 1.8.2.2 [966 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64 apt amd64 1.8.2.2 [1419 kB]
Get:3 http://security.debian.org/debian-security buster/updates/main amd64 libssl1.1 amd64 1.1.1d-0+deb10u4 [1538 kB]
Fetched 3923 kB in 1s (5157 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 17742 files and directories currently installed.)
Preparing to unpack .../libapt-pkg5.0_1.8.2.2_amd64.deb ...
Unpacking libapt-pkg5.0:amd64 (1.8.2.2) over (1.8.2.1) ...
Setting up libapt-pkg5.0:amd64 (1.8.2.2) ...
(Reading database ... 17742 files and directories currently installed.)
Preparing to unpack .../archives/apt_1.8.2.2_amd64.deb ...
Unpacking apt (1.8.2.2) over (1.8.2.1) ...
Setting up apt (1.8.2.2) ...
(Reading database ... 17742 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1d-0+deb10u4_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1d-0+deb10u4) over (1.1.1d-0+deb10u3) ...
Setting up libssl1.1:amd64 (1.1.1d-0+deb10u4) ...
Processing triggers for libc-bin (2.28-10) ...
my@bash $
my@bash $
my@bash $ apt-get install vsftpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  vsftpd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 153 kB of archives.
After this operation, 357 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 vsftpd amd64 3.0.3-12 [153 kB]
Fetched 153 kB in 0s (1196 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package vsftpd.
(Reading database ... 17742 files and directories currently installed.)
Preparing to unpack .../vsftpd_3.0.3-12_amd64.deb ...
Unpacking vsftpd (3.0.3-12) ...
Setting up vsftpd (3.0.3-12) ...
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /lib/systemd/system/vsftpd.service.
[vsftpd.conf:1] Line references path below legacy directory /var/run/, updating /var/run/vsftpd/empty → /run/vsftpd/empty; please update the tmpfiles.d/ drop-in file accordingly.
Processing triggers for systemd (241-7~deb10u5) ...
my@bash $
my@bash $

Configuration

Every distribution ships a different default config; on Debian it looks like this (the gg alias prints the file without comments and blank lines):

my@bash $ alias gg="grep -v '^\s*#\|^$'"
my@bash $
my@bash $ gg /etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
my@bash $
my@bash $
my@bash $ ## Test login as tux on localhost:
my@bash $ apt-get install ftp

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ftp
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 59.4 kB of archives.
After this operation, 140 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 ftp amd64 0.17-34.1 [59.4 kB]
Fetched 59.4 kB in 0s (317 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package ftp.
(Reading database ... 17800 files and directories currently installed.)
Preparing to unpack .../ftp_0.17-34.1_amd64.deb ...
Unpacking ftp (0.17-34.1) ...
Setting up ftp (0.17-34.1) ...
update-alternatives: using /usr/bin/netkit-ftp to provide /usr/bin/ftp (ftp) in auto mode
my@bash $
my@bash $
my@bash $ useradd -m -s /bin/bash tux
my@bash $ passwd tux
New password:
Retype new password:
passwd: password updated successfully
my@bash $
my@bash $ ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:root): tux
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> mkdir ABC
550 Permission denied.
ftp>
ftp> cd /etc
250 Directory successfully changed.
ftp>
ftp> get passwd
local: passwd remote: passwd
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for passwd (1753 bytes).
226 Transfer complete.
1753 bytes received in 0.00 secs (28.8240 MB/s)
ftp>
ftp> get shadow
local: shadow remote: shadow
200 EPRT command successful. Consider using EPSV.
550 Failed to open file.
ftp>
ftp> by
221 Goodbye.
my@bash $
my@bash $ ##    >> The user can wander around the root filesystem and get hold of certain information (here /etc/passwd).
my@bash $ ##    So there is no chroot environment!

For building a chroot jail the classic way see ftp://ftp.wayne.edu/ldp/en/solrhe/chap29sec296.html

Give the user accounts write permission and enable the built-in chroot. Note that vsftpd refuses a chroot whose root directory is writable by the user (the login then fails with '500 OOPS: vsftpd: refusing to run with writable root inside chroot()'); allow_writeable_chroot=YES switches that check off. The safer alternative, which does not need the override, is a root-owned, non-writable home directory with a writable subdirectory (e.g. /home/tux/upload) below it:

my@bash $ vi /etc/vsftpd.conf
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
[...]
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
## So that $HOME can stay writable:
allow_writeable_chroot=YES

my@bash $ gg /etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
my@bash $
my@bash $ systemctl restart vsftpd

Now we test from the internal LAN:

my@bash $ lxc exec deb-int1 bash
my@bash $
my@bash $ apt-get install ftp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ftp
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 59.4 kB of archives.
After this operation, 140 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 ftp amd64 0.17-34.1 [59.4 kB]
Fetched 59.4 kB in 0s (664 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package ftp.
(Reading database ... 18722 files and directories currently installed.)
Preparing to unpack .../ftp_0.17-34.1_amd64.deb ...
Unpacking ftp (0.17-34.1) ...
Setting up ftp (0.17-34.1) ...
update-alternatives: using /usr/bin/netkit-ftp to provide /usr/bin/ftp (ftp) in auto mode
my@bash $
my@bash $
my@bash $ ftp 192.168.2.232
Connected to 192.168.2.232.
220 (vsFTPd 3.0.3)
Name (192.168.2.232:root): tux
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> pwd
257 "/" is the current directory
ftp>
ftp> cd /etc
550 Failed to change directory.
ftp>
ftp> mkdir ABC
257 "/ABC" created
ftp>
ftp>

ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use
ftp>
ftp> passive
Passive mode on.
ftp>
ftp> ls
227 Entering Passive Mode (192,168,2,232,247,70).
150 Here comes the directory listing.
drwx------    1 2001     2001            0 Dec 21 09:28 ABC
226 Directory send OK.
ftp>
ftp>

my@bash $ ## Create a test file on the FTP server:
my@bash $ echo INHALT > /home/tux/wichtig.txt
my@bash $
my@bash $ ##     >> The client now pulls this file; it has
my@bash $ ##     already switched to 'passive' mode...

ftp>
ftp> ls
227 Entering Passive Mode (192,168,2,232,108,186).
150 Here comes the directory listing.
drwx------    1 2001     2001            0 Dec 21 09:28 ABC
-rw-r--r--    1 0        0               7 Dec 21 09:31 wichtig.txt
226 Directory send OK.
ftp>
ftp>
ftp> get wichtig.txt
local: wichtig.txt remote: wichtig.txt
227 Entering Passive Mode (192,168,2,232,167,112).
150 Opening BINARY mode data connection for wichtig.txt (7 bytes).
226 Transfer complete.
7 bytes received in 0.00 secs (94.9436 kB/s)
ftp>
ftp> by
221 Goodbye.
my@bash $
my@bash $ ls -ltrc ~
total 40
-rw-r--r-- 1 root root  122 Dec  9 10:43 hugo1.ldif
-rw-r--r-- 1 root root  207 Dec  9 11:15 fritz-posix.ldif
-rw-r--r-- 1 root root  202 Dec  9 11:43 lisa-posix.ldif
-rw-r--r-- 1 root root  205 Dec  9 11:51 franz-posix.ldif
-rw-r--r-- 1 root root   83 Dec  9 12:43 fritz-uid-mod.ldif
-rw-r--r-- 1 root root  208 Dec 10 08:35 maria-posix.ldif
-rw-r--r-- 1 root root 3418 Dec 10 09:05 myLDAP-data-2020-12-10.ldif
-rw-r--r-- 1 root root   73 Dec 10 10:08 loglevel-change.ldif
-rw------- 1 root root 2677 Dec 11 11:01 mbox
-rw-r--r-- 1 root root    7 Dec 21 09:32 wichtig.txt
my@bash $
my@bash $

Login restrictions

An ancient file is /etc/ftpusers, in which further users who must not use this FTP server can be listed (one user name per line). vsftpd does not read it itself; on Debian it is enforced through PAM (pam_listfile in /etc/pam.d/vsftpd, see ftpusers(5)), which is why root is refused even though it is a valid local account:

my@bash $ cat /etc/ftpusers
# /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
nobody
my@bash $

Logging and banner

my@bash $ ## 'xferlog_enable=YES' switches on detailed transfer logging (with the default xferlog_std_format=NO it goes to /var/log/vsftpd.log in vsftpd's own format):
my@bash $ gg /etc/vsftpd.conf | grep xferlog_
xferlog_enable=YES
my@bash $
my@bash $ ls -ltrc /var/log | tail -5
-rw-r--r-- 1 root        root  10428 Dec 21 09:01 alternatives.log
-rw-r--r-- 1 root        root 161602 Dec 21 09:01 dpkg.log
-rw-r--r-- 1 root        root  64064 Dec 21 09:02 faillog
-rw-rw-r-- 1 root        utmp 584584 Dec 21 09:02 lastlog
-rw------- 1 root        root    834 Dec 21 09:32 vsftpd.log
my@bash $
my@bash $ cat /var/log/vsftpd.log
Mon Dec 21 09:02:00 2020 [pid 1163] CONNECT: Client "::1"
Mon Dec 21 09:02:06 2020 [pid 1162] [tux] FAIL LOGIN: Client "::1"
Mon Dec 21 09:02:44 2020 [pid 1173] CONNECT: Client "::1"
Mon Dec 21 09:03:19 2020 [pid 1172] [tux] OK LOGIN: Client "::1"
Mon Dec 21 09:04:04 2020 [pid 1174] [tux] OK DOWNLOAD: Client "::1", "/etc/passwd", 1753 bytes, 2797.25Kbyte/sec
Mon Dec 21 09:04:11 2020 [pid 1174] [tux] FAIL DOWNLOAD: Client "::1", "/etc/shadow", 0.00Kbyte/sec
Mon Dec 21 09:28:02 2020 [pid 1194] CONNECT: Client "::ffff:192.168.2.103"
Mon Dec 21 09:28:09 2020 [pid 1193] [tux] OK LOGIN: Client "::ffff:192.168.2.103"
Mon Dec 21 09:28:30 2020 [pid 1195] [tux] OK MKDIR: Client "::ffff:192.168.2.103", "/ABC"
Mon Dec 21 09:32:58 2020 [pid 1195] [tux] OK DOWNLOAD: Client "::ffff:192.168.2.103", "/wichtig.txt", 7 bytes, 12.73Kbyte/sec
my@bash $
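Some detection logic over exactly this log format, as an added example in Python that is not part of vsftpd: it parses the lines, counts failed logins per client inside a time window (a simple brute-force indicator) and lists successful downloads of paths that should never be reachable through FTP (the /etc/passwd download above is the no-chroot case). The lines marked constructed are invented for the demo; the threshold and window are assumptions.

```python
"""Detection over /var/log/vsftpd.log (xferlog_std_format=NO format).

Added example, not part of vsftpd. Parses the lines shown in these notes,
counts failed logins per client inside a time window and lists downloads
of paths that should never be reachable through FTP. Lines marked
constructed are made up for the demo; threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'
    r'(?:(?P<status>OK|FAIL) )?'
    r'(?P<event>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]*)")?'
)

# Anything under these prefixes must not be readable through FTP at all
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/var/log/", "/proc/")


def parse_line(line):
    """Return a dict for one log line, or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["pid"] = int(rec["pid"])
    client = rec["client"]
    # IPv4 clients of the IPv6 listener show up as v4-mapped addresses
    if client.startswith("::ffff:"):
        client = client[len("::ffff:"):]
    rec["client"] = client
    return rec


def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def failed_logins(records):
    """client -> list of timestamps of FAIL LOGIN events."""
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN" and r["status"] == "FAIL":
            fails[r["client"]].append(r["ts"])
    return fails


def brute_force_candidates(records, threshold=5, window=timedelta(minutes=10)):
    """Clients with at least `threshold` failed logins inside `window`."""
    hits = []
    for client, stamps in failed_logins(records).items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.append(client)
                break
    return sorted(hits)


def sensitive_downloads(records):
    """(user, client, path) for successful downloads under SENSITIVE_PREFIXES."""
    return [(r["user"], r["client"], r["path"])
            for r in records
            if r["event"] == "DOWNLOAD" and r["status"] == "OK"
            and r["path"] is not None and r["path"].startswith(SENSITIVE_PREFIXES)]


SAMPLE_LOG = [
    # Lines as they appear in these notes (the /etc/passwd download happened
    # before chroot_local_user was enabled)
    'Mon Dec 21 09:02:00 2020 [pid 1163] CONNECT: Client "::1"',
    'Mon Dec 21 09:02:06 2020 [pid 1162] [tux] FAIL LOGIN: Client "::1"',
    'Mon Dec 21 09:03:19 2020 [pid 1172] [tux] OK LOGIN: Client "::1"',
    'Mon Dec 21 09:04:04 2020 [pid 1174] [tux] OK DOWNLOAD: Client "::1", "/etc/passwd", 1753 bytes, 2797.25Kbyte/sec',
    'Mon Dec 21 09:04:11 2020 [pid 1174] [tux] FAIL DOWNLOAD: Client "::1", "/etc/shadow", 0.00Kbyte/sec',
    'Mon Dec 21 09:28:09 2020 [pid 1193] [tux] OK LOGIN: Client "::ffff:192.168.2.103"',
    'Mon Dec 21 09:32:58 2020 [pid 1195] [tux] OK DOWNLOAD: Client "::ffff:192.168.2.103", "/wichtig.txt", 7 bytes, 12.73Kbyte/sec',
    # Constructed: a password-guessing client
    'Mon Dec 21 09:40:01 2020 [pid 1210] [tux] FAIL LOGIN: Client "::ffff:192.168.2.77"',
    'Mon Dec 21 09:40:09 2020 [pid 1211] [tux] FAIL LOGIN: Client "::ffff:192.168.2.77"',
    'Mon Dec 21 09:40:17 2020 [pid 1212] [root] FAIL LOGIN: Client "::ffff:192.168.2.77"',
    'Mon Dec 21 09:40:26 2020 [pid 1213] [admin] FAIL LOGIN: Client "::ffff:192.168.2.77"',
    'Mon Dec 21 09:40:34 2020 [pid 1214] [tux] FAIL LOGIN: Client "::ffff:192.168.2.77"',
]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("brute force:", brute_force_candidates(recs))        # ['192.168.2.77']
    print("sensitive:", sensitive_downloads(recs))            # [('tux', '::1', '/etc/passwd')]
```

The sensitive-path check is only meaningful while users are not chrooted: once chroot_local_user=YES is in force the logged path is relative to the chroot, so "/etc/passwd" in the log would then mean $HOME/etc/passwd.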

The banner message is defined with 'ftpd_banner' (the default '220 (vsFTPd 3.0.3)' hands the exact version to anyone who connects, which is free reconnaissance for an attacker):

my@bash $ gg /etc/vsftpd.conf | grep banner
my@bash $
my@bash $ grep banner /etc/vsftpd.conf
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
my@bash $
my@bash $ sed -i 's/^#ftpd_banner/ftpd_banner/' /etc/vsftpd.conf
my@bash $
my@bash $ systemctl restart vsftpd
my@bash $
my@bash $ ##    >> On subsequent logins the message "220 Welcome to blah FTP service."
my@bash $ ##    appears instead of "220 (vsFTPd 3.0.3)"

Enabling anonymous login

The built-in FTP user 'anonymous' (alias 'ftp') is always locked into a chroot; on Debian this is /srv/ftp, the $HOME of the system user 'ftp'. Keep that directory owned by root and not writable by 'ftp', as it is here: vsftpd applies the same writable-root check to anonymous sessions ('500 OOPS: vsftpd: refusing to run with writable anonymous root'):

my@bash $ grep ^ftp /etc/passwd
ftp:x:108:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
my@bash $
my@bash $ ls -ld /srv/ftp
drwxr-xr-x 1 root ftp 0 Dec 21 08:53 /srv/ftp
my@bash $
my@bash $
my@bash $ echo Hallo Welt > /srv/ftp/willkommen.txt
my@bash $
my@bash $

my@bash $ grep anonymous /etc/vsftpd.conf
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
# Uncomment this to allow the anonymous FTP user to upload files. This only
# Uncomment this if you want the anonymous FTP user to be able to create
# If you want, you can arrange for uploaded anonymous files to be owned by
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
my@bash $
my@bash $ sed -i 's/anonymous_enable=NO/anonymous_enable=YES/' /etc/vsftpd.conf
my@bash $
my@bash $ systemctl restart vsftpd

Test from 'deb-intern1':

my@bash $ ftp 192.168.2.232
Connected to 192.168.2.232.
220 Welcome to blah FTP service.
Name (192.168.2.232:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> mkdir ABC
550 Permission denied.
ftp>
ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use
ftp>
ftp> passive
Passive mode on.
ftp>
ftp> ls
227 Entering Passive Mode (192,168,2,232,218,7).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              11 Dec 21 10:14 willkommen.txt
226 Directory send OK.
ftp>
ftp> get willkommen.txt
local: willkommen.txt remote: willkommen.txt
227 Entering Passive Mode (192,168,2,232,230,225).
150 Opening BINARY mode data connection for willkommen.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.00 secs (52.6578 kB/s)
ftp>
ftp> by
221 Goodbye.
my@bash $
my@bash $ pwd
/root
my@bash $
my@bash $ cat willkommen.txt
Hallo Welt
my@bash $

Check the server-side settings that grant write permission (write_enable=YES is the global switch; anonymous uploads additionally need anon_upload_enable or anon_mkdir_write_enable, both NO by default):

my@bash $ grep -E --color 'write|upload' /etc/vsftpd.conf
# Uncomment this to enable any form of FTP write command.
write_enable=YES
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
# Activate logging of uploads/downloads.
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
#chown_uploads=YES
#ascii_upload_enable=YES
allow_writeable_chroot=YES
# the user does not have write access to the top level directory within the
my@bash $
my@bash $ ##    >> Be especially careful with anonymous:
my@bash $ ##      a) anon_upload_enable=NO
my@bash $ ##      b) anon_mkdir_write_enable=NO
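An audit of the settings just discussed (chroot, writable chroot root, anonymous write access) together with the TLS switches, as an added example in Python that is not part of vsftpd: it parses vsftpd.conf, applies the defaults from vsftpd.conf(5) for the options it checks and reports the risky combinations. The Debian default and the final configuration from these notes are the samples; the hardened variant is constructed.

```python
"""Audit vsftpd.conf for the risky settings discussed in these notes.

Added example, not part of vsftpd. Parses the option=value format of
vsftpd.conf ('#' comments, no whitespace around '='), fills in the defaults
from vsftpd.conf(5) for the options it checks and returns findings. The
two sample configs are the Debian default and the final configuration from
these notes; the hardened variant is constructed.
"""

# vsftpd.conf(5) defaults for the options checked here
DEFAULTS = {
    "anonymous_enable": "YES",      # upstream default; Debian's shipped file sets NO
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "debug_ssl": "NO",
    "log_ftp_protocol": "NO",
}


def parse_vsftpd_conf(text):
    """Return {option: value}. vsftpd refuses to start on unknown options or
    stray whitespace, so this parser is no more lenient than the daemon: a
    non-comment line without '=' is an error."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: not option=value: %r" % (lineno, raw))
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def setting(conf, key):
    """Effective value: explicit setting or the vsftpd default."""
    return conf.get(key, DEFAULTS[key]).upper()


def audit(text):
    """Return a list of (code, message) findings for a vsftpd.conf text."""
    conf = parse_vsftpd_conf(text)

    def on(key):
        return setting(conf, key) == "YES"

    findings = []
    if on("local_enable") and not on("chroot_local_user"):
        findings.append(("NO_CHROOT", "local users are not chrooted and can read the "
                         "whole filesystem (the /etc/passwd download in the notes)"))
    if on("allow_writeable_chroot"):
        findings.append(("WRITABLE_CHROOT", "chroot root is writable; prefer a root-owned "
                         "home with a writable subdirectory so the override is not needed"))
    if on("anonymous_enable") and on("write_enable") and (
            on("anon_upload_enable") or on("anon_mkdir_write_enable")):
        findings.append(("ANON_WRITE", "anonymous users can upload or create directories"))
    if on("local_enable") and not on("ssl_enable"):
        findings.append(("CLEARTEXT_LOGIN", "local users authenticate with cleartext passwords"))
    if on("ssl_enable") and not (on("force_local_logins_ssl") and on("force_local_data_ssl")):
        findings.append(("TLS_OPTIONAL", "TLS is enabled but local users may still log in "
                         "or transfer data in cleartext"))
    if on("ssl_sslv2") or on("ssl_sslv3"):
        findings.append(("OBSOLETE_SSL", "SSLv2/SSLv3 enabled"))
    if on("debug_ssl") or on("log_ftp_protocol"):
        findings.append(("DEBUG_LOGGING", "verbose debug logging left on"))
    return findings


def finding_codes(text):
    return sorted(code for code, _ in audit(text))


# Debian buster default, as printed by the gg alias in these notes
DEBIAN_DEFAULT = """\
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
"""

# Final configuration from these notes (options not checked here left out)
FINAL_FROM_NOTES = """\
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
"""

# Constructed hardened variant: no writable chroot root, debug logging off
HARDENED = (FINAL_FROM_NOTES.replace("allow_writeable_chroot=YES\n", "")
            .replace("debug_ssl=YES\n", "")
            .replace("log_ftp_protocol=YES\n", ""))

if __name__ == "__main__":
    for name, text in (("debian default", DEBIAN_DEFAULT),
                       ("final from notes", FINAL_FROM_NOTES), ("hardened", HARDENED)):
        print(name, "->", finding_codes(text) or "clean")
```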

Securing vsftpd with TLS

See https://pemmann.de/cc/Doc/Abuild/_build/html/netzdienste/vsftpd.html#ssl-zertifikate-fur-vsftpd

Check which certificates of our own already exist:

my@bash $ ls -ltrc /etc/ssl/certs/ | tail -3
-rw-r--r-- 1 root root   1070 Dec 16 10:23 ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root     21 Dec 16 10:23 4e3cc0b7 -> ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 200061 Dec 16 10:23 ca-certificates.crt
my@bash $
my@bash $ ls -ltrc /etc/ssl/certs/*my*
ls: cannot access '/etc/ssl/certs/*my*': No such file or directory
my@bash $
my@bash $ ##     >>  None found!

So we generate our own again (the 1024-bit RSA key typed here is both too weak and, as it turns out below, rejected; use rsa:2048 or more):

my@bash $ cd /etc/ssl
my@bash $ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout private/vsftpd.key  -out certs/vsftpd.pem

Generating a RSA private key
.....+++++
..+++++
writing new private key to 'private/vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Sachsen
Locality Name (eg, city) []:Chemnitz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMCAVE
Organizational Unit Name (eg, section) []:Technik
Common Name (e.g. server FQDN or YOUR name) []:deb2.haus1.tld
Email Address []:
my@bash $
my@bash $ head -3 private/vsftpd.key
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALXUJXAAthajob0J
o0HoMVcAdAZhsCa3BKhkX9XKD5FJ0aTDrrz02cjBZjVgGmiwvdtj70XQl/WVftMP
my@bash $
my@bash $ head -3 certs/vsftpd.pem
-----BEGIN CERTIFICATE-----
MIICujCCAiOgAwIBAgIUP0WA1Bq2wZxDDQcmhIw4paZM/OkwDQYJKoZIhvcNAQEL
BQAwbzELMAkGA1UEBhMCREUxEDAOBgNVBAgMB1NhY2hzZW4xETAPBgNVBAcMCENo
my@bash $

Include the certificate, plus further TLS settings:

my@bash $ vi /etc/vsftpd.conf

# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

my@bash $ gg /etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
my@bash $
my@bash $ systemctl restart vsftpd
my@bash $
my@bash $

my@bash $ systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-12-21 10:41:41 CET; 1min 59s ago
  Process: 1267 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
  Process: 1268 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
 Main PID: 1268 (code=exited, status=2)

Dec 21 10:41:41 deb2 systemd[1]: Starting vsftpd FTP server...
Dec 21 10:41:41 deb2 systemd[1]: Started vsftpd FTP server.
Dec 21 10:41:41 deb2 systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Dec 21 10:41:41 deb2 systemd[1]: vsftpd.service: Failed with result 'exit-code'.
my@bash $
my@bash $

my@bash $ systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-12-21 10:45:28 CET; 15s ago
  Process: 1280 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
  Process: 1281 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
 Main PID: 1281 (code=exited, status=2)

Dec 21 10:45:28 deb2 systemd[1]: Starting vsftpd FTP server...
Dec 21 10:45:28 deb2 systemd[1]: Started vsftpd FTP server.
Dec 21 10:45:28 deb2 systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Dec 21 10:45:28 deb2 systemd[1]: vsftpd.service: Failed with result 'exit-code'.
my@bash $
my@bash $ ##    >> ?????


The daemon no longer starts, and systemd does not tell us clearly what is wrong ("status=2/INVALIDARGUMENT")! Is it perhaps missing read permission for group members? As it turns out later, that is not the case (vsftpd reads certificate and key as root before dropping privileges, so a root-only key file is fine):
my@bash $ ls -l /etc/ssl/certs/*oil*
-rw-r--r-- 1 root root 1070 Dec 16 10:23 /etc/ssl/certs/ssl-cert-snakeoil.pem
my@bash $
my@bash $ ls -l /etc/ssl/certs/vsftpd.pem
-rw-r--r-- 1 root root 1005 Dec 21 10:33 /etc/ssl/certs/vsftpd.pem
my@bash $
my@bash $ ls -l /etc/ssl/private/*oil*
-rw-r----- 1 root ssl-cert 1704 Dec 16 10:23 /etc/ssl/private/ssl-cert-snakeoil.key
my@bash $
my@bash $ ls -l /etc/ssl/private/vsftpd.key
-rw------- 1 root root 916 Dec 21 10:32 /etc/ssl/private/vsftpd.key
my@bash $
my@bash $
my@bash $ chmod 640 /etc/ssl/private/vsftpd.key
my@bash $ chgrp ssl-cert /etc/ssl/private/vsftpd.key
my@bash $
my@bash $ /usr/sbin/vsftpd -ossl_enable=NO /etc/vsftpd.conf
500 OOPS: SSL: cannot load RSA certificate
my@bash $
my@bash $ /usr/sbin/vsftpd -ossl_enable=YES /etc/vsftpd.conf
500 OOPS: SSL: cannot load RSA certificate
my@bash $
my@bash $ systemctl restart vsftpd
my@bash $
my@bash $ systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-12-21 10:54:06 CET; 8s ago
  Process: 1303 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
  Process: 1304 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
 Main PID: 1304 (code=exited, status=2)

Dec 21 10:54:06 deb2 systemd[1]: Starting vsftpd FTP server...
Dec 21 10:54:06 deb2 systemd[1]: Started vsftpd FTP server.
Dec 21 10:54:06 deb2 systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Dec 21 10:54:06 deb2 systemd[1]: vsftpd.service: Failed with result 'exit-code'.
my@bash $
my@bash $ ##     >> No luck!

Troubleshooting/logging

TIP: for troubleshooting, best run the daemon directly in the foreground of the shell (with the default background=NO it stays attached to the terminal and prints the actual error):

my@bash $ /usr/sbin/vsftpd --help
500 OOPS: unrecognise option: --help
my@bash $
my@bash $ /usr/sbin/vsftpd -h
500 OOPS: unrecognise option: -h
my@bash $
my@bash $ /usr/sbin/vsftpd help
500 OOPS: cannot read config file: help

So read the man page https://linux.die.net/man/8/vsftpd and keep trying:

my@bash $ /usr/sbin/vsftpd /etc/vsftpd.conf
500 OOPS: SSL: cannot load RSA certificate
my@bash $
my@bash $ ##    >> Already a more precise statement than the "status=2/INVALIDARGUMENT" above!

If important parameters are to be tested from the command line with higher priority, the configuration file must be given as the very first argument: arguments are processed in order, so a -o option placed before the file is overwritten by the file, which is why the -ossl_enable=NO attempt above changed nothing. (Switching on every kind of logging does not help at this point, since the daemon never gets as far as starting.) Note that the command below passes -orsa_cert_file twice; the second one was presumably meant to be -orsa_private_key_file, so the key path still comes from the config file:

my@bash $ /usr/sbin/vsftpd /etc/vsftpd.conf -oxferlog_std_format=NO -olog_ftp_protocol=YES -ossl_enable=YES -orsa_cert_file=/etc/ssl/certs/vsftpd-1024.pem -orsa_cert_file=/etc/ssl/certs/vsftpd-1024.pem
500 OOPS: SSL: cannot load RSA certificate
my@bash $

With -ossl_enable=NO the daemon would start again with the insecure 1024-bit certificate, because TLS is switched off and the certificate is never loaded:

my@bash $ /usr/sbin/vsftpd /etc/vsftpd.conf -oxferlog_std_format=NO -olog_ftp_protocol=YES -ossl_enable=NO -orsa_cert_file=/etc/ssl/certs/vsftpd-1024.pem -orsa_cert_file=/etc/ssl/certs/vsftpd-1024.pem

^C
my@bash $

NOTE on logging: to get as much as possible written to /var/log/vsftpd.log, two switches must be on and one off:

  • log_ftp_protocol=YES (every command and reply; check in your own log that the PASS argument shows up only as '<password>')

  • xferlog_enable=YES

  • xferlog_std_format=NO (the default; with YES only transfers are logged, in the wu-ftpd xferlog format, to /var/log/xferlog)

Secure certificates

Now we generate a certificate with an RSA key longer than 1024 bits (2048 or 4096 bits), and then everything works. The reason: Debian buster ships OpenSSL with security level 2 as the default (CipherString = DEFAULT@SECLEVEL=2 in /etc/ssl/openssl.cnf), which rejects RSA keys shorter than 2048 bits; vsftpd only passes on the generic load failure:

my@bash $ rm /etc/ssl/private/vsftpd.key /etc/ssl/certs/vsftpd.pem
my@bash $
my@bash $ openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout private/vsftpd.key  -out certs/vsftpd.pem
Generating a RSA private key
..........................++++
...........................++++
writing new private key to 'private/vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Sachsen
Locality Name (eg, city) []:Chemnitz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:deb2.haus1.tld
Email Address []:
my@bash $
my@bash $ gg /etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
my@bash $

Alternatively, certificate and key can be in one and the same file, which is then given via rsa_cert_file= only (rsa_private_key_file left unset). That combined file contains the private key, so it needs the same protection as the key: /etc/ssl is world-readable and 'cat >' creates the file with the default umask, so check it with ls -l and chmod 600 it:

my@bash $ cat certs/vsftpd.pem private/vsftpd.key > /etc/ssl/my-FTP-cert-and-key.pem
my@bash $
my@bash $ gg /etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/my-FTP-cert-and-key.pem
ssl_enable=YES
debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
my@bash $

my@bash $ systemctl restart vsftpd
my@bash $
my@bash $ pgrep -alfi ftp
1399 /usr/sbin/vsftpd /etc/vsftpd.conf
my@bash $
my@bash $ vi /etc/vsftpd.conf
my@bash $
my@bash $ systemctl stop vsftpd
my@bash $
my@bash $ pgrep -alfi ftp
my@bash $
my@bash $ systemctl start vsftpd
my@bash $
my@bash $ pgrep -alfi ftp
1410 /usr/sbin/vsftpd /etc/vsftpd.conf
my@bash $
my@bash $
my@bash $ gg /etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
my@bash $
my@bash $ ## Cross-check: the server also starts with separate files:
my@bash $ grep ^rsa /etc/vsftpd.conf
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
my@bash $
my@bash $ ##     >> Let's note: the key length must be greater than 1024 bits!
my@bash $ ##     So at least '-newkey rsa:2048'!
my@bash $
my@bash $ systemctl stop vsftpd
my@bash $ systemctl start vsftpd
my@bash $ pgrep -alfi ftp
1427 /usr/sbin/vsftpd /etc/vsftpd.conf
my@bash $
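A pre-flight check to run before 'systemctl restart vsftpd', as an added example in Python that is not part of vsftpd or OpenSSL: it reads the RSA key size through the real openssl binary (so the 1024-bit case above is caught before the generic '500 OOPS: SSL: cannot load RSA certificate'), checks mode and owner of the key file, and verifies that a combined cert-and-key file of the kind created above really contains both PEM blocks. The 2048-bit minimum is what these notes established on Debian buster; the openssl output and PEM text used in the test are constructed.

```python
"""Pre-flight checks for the key/certificate vsftpd will load.

Added example, not part of vsftpd or OpenSSL. Reads the RSA modulus size
with the real `openssl` binary (the generic "500 OOPS: SSL: cannot load RSA
certificate" and systemd's "status=2/INVALIDARGUMENT" do not say that the
key is too short), checks mode and owner of the key file, and verifies that
a combined cert+key file contains both PEM blocks. The 2048-bit minimum is
what these notes found on Debian buster; file paths are the ones used there.
"""
import os
import re
import stat
import subprocess

MIN_RSA_BITS = 2048
BITS_RE = re.compile(r"\((\d+) bit")
PEM_BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.M)


def key_bits_from_openssl_text(text):
    """Modulus size from `openssl rsa -noout -text` / `openssl x509 -noout -text`
    output, e.g. 'RSA Private-Key: (1024 bit, 2 primes)' (OpenSSL 1.1),
    'Private-Key: (2048 bit)' (1.0/3.x) or 'Public-Key: (4096 bit)' (x509)."""
    m = BITS_RE.search(text)
    if not m:
        raise ValueError("no key size in openssl output")
    return int(m.group(1))


def key_bits(path):
    """Run openssl on a PEM private key file and return its size in bits."""
    out = subprocess.run(["openssl", "rsa", "-noout", "-text", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return key_bits_from_openssl_text(out)


def key_size_ok(bits, minimum=MIN_RSA_BITS):
    return bits >= minimum


def permission_findings(st_mode, st_uid):
    """Problems with a private-key file's mode/owner. vsftpd loads the key as
    root before dropping privileges, so 0600 root:root is all it needs; group
    read (Debian's ssl-cert group convention) is tolerated, anything wider is not."""
    findings = []
    if st_uid != 0:
        findings.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def pem_blocks(text):
    """Set of PEM block labels in a file, e.g. {'CERTIFICATE', 'PRIVATE KEY'}."""
    return set(PEM_BEGIN_RE.findall(text))


def combined_file_ok(text):
    """A file given only via rsa_cert_file= must carry both the certificate
    and the private key (RSA PRIVATE KEY for PKCS#1, PRIVATE KEY for PKCS#8)."""
    blocks = pem_blocks(text)
    return "CERTIFICATE" in blocks and bool(blocks & {"PRIVATE KEY", "RSA PRIVATE KEY"})


def check_key_file(path):
    """Everything in one go; returns a list of human-readable problems."""
    problems = []
    st = os.stat(path)
    problems += permission_findings(st.st_mode, st.st_uid)
    bits = key_bits(path)
    if not key_size_ok(bits):
        problems.append("RSA key is only %d bits, need >= %d" % (bits, MIN_RSA_BITS))
    return problems


if __name__ == "__main__":
    # Paths as used in these notes; run on the server before restarting vsftpd
    for p in ("/etc/ssl/private/vsftpd.key", "/etc/ssl/my-FTP-cert-and-key.pem"):
        if os.path.exists(p):
            print(p, check_key_file(p) or "ok")
```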

We test on the internal FTP client:

my@bash $

my@bash $ ftp 192.168.2.232
Connected to 192.168.2.232.
220 Welcome to blah FTP service.
Name (192.168.2.232:root): tux
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp> by
my@bash $
my@bash $ ftp 192.168.2.232
Connected to 192.168.2.232.
220 Welcome to blah FTP service.
Name (192.168.2.232:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> passive
Passive mode on.
ftp>
ftp> ls
227 Entering Passive Mode (192,168,2,232,127,232).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              11 Dec 21 10:14 willkommen.txt
226 Directory send OK.
ftp>
ftp> by
221 Goodbye.
my@bash $
my@bash $ ##    >> Anonymous works, but local users can only authenticate via TLS: with ssl_enable=YES, force_local_logins_ssl and force_local_data_ssl default to YES (hence "530 Non-anonymous sessions must use encryption"), while anonymous sessions stay in cleartext unless force_anon_logins_ssl/force_anon_data_ssl are set as well.

On the SuSE host, after zypper in filezilla, we can run filezilla and create a profile in the Site Manager with explicit FTP over TLS (AUTH TLS on port 21).

And this is what the configuration finally looks like (debug_ssl=YES and log_ftp_protocol=YES are debugging aids and should be switched off again once everything works; ssl_sslv2=NO and ssl_sslv3=NO only restate the defaults):

my@bash $ gg /etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to blah FTP service.
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
my@bash $
my@bash $ ## We keep testing whether everything works:
my@bash $ systemctl stop vsftpd
my@bash $ pgrep -alfi ftp
my@bash $
my@bash $ systemctl start vsftpd
my@bash $
my@bash $ pgrep -alfi ftp
1453 /usr/sbin/vsftpd /etc/vsftpd.conf
my@bash $
my@bash $ ##     >> Fine; 'filezilla' copes with the security settings as well.

Setting up pure-ftpd

This is another server with a strong security reputation. We want to replace vsftpd with it; at least anonymous login should be possible.

Installation

my@bash $ apt-get install pure-ftpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  openbsd-inetd pure-ftpd-common update-inetd
The following packages will be REMOVED:
  vsftpd
The following NEW packages will be installed:
  openbsd-inetd pure-ftpd pure-ftpd-common update-inetd
0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded.
Need to get 374 kB of archives.
After this operation, 700 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://deb.debian.org/debian buster/main amd64 update-inetd all 4.49 [27.8 kB]
Get:2 http://deb.debian.org/debian buster/main amd64 openbsd-inetd amd64 0.20160825-4 [36.4 kB]
Get:3 http://deb.debian.org/debian buster/main amd64 pure-ftpd-common all 1.0.47-3 [185 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 pure-ftpd amd64 1.0.47-3 [124 kB]
Fetched 374 kB in 0s (1231 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 17809 files and directories currently installed.)
Removing vsftpd (3.0.3-12) ...
Selecting previously unselected package update-inetd.
(Reading database ... 17756 files and directories currently installed.)
Preparing to unpack .../update-inetd_4.49_all.deb ...
Unpacking update-inetd (4.49) ...
Selecting previously unselected package openbsd-inetd.
Preparing to unpack .../openbsd-inetd_0.20160825-4_amd64.deb ...
Unpacking openbsd-inetd (0.20160825-4) ...
Selecting previously unselected package pure-ftpd-common.
Preparing to unpack .../pure-ftpd-common_1.0.47-3_all.deb ...
Unpacking pure-ftpd-common (1.0.47-3) ...
Selecting previously unselected package pure-ftpd.
Preparing to unpack .../pure-ftpd_1.0.47-3_amd64.deb ...
Unpacking pure-ftpd (1.0.47-3) ...
Setting up pure-ftpd-common (1.0.47-3) ...
Setting up update-inetd (4.49) ...
Setting up openbsd-inetd (0.20160825-4) ...
Created symlink /etc/systemd/system/multi-user.target.wants/inetd.service → /lib/systemd/system/inetd.service.
Setting up pure-ftpd (1.0.47-3) ...
Installing new version of config file /etc/ftpusers ...
Processing triggers for systemd (241-7~deb10u5) ...
my@bash $

Configuration

As we saw during installation, a new /etc/ftpusers was provided:

my@bash $ cat /etc/ftpusers
# /etc/ftpusers: list of users disallowed FTP access.
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
majordom
postgres
www-data
backup
msql
operator
list
irc
nobody
my@bash $

Since we want anonymous login, we have to take care of the ftp account:

my@bash $
my@bash $ grep ftp /etc/passwd
my@bash $
my@bash $ ##      >> The package maintainer ships the daemon WITHOUT such an account! (in our case 'ftp' was removed)
my@bash $
my@bash $ ## Therefore an anonymous login is NOT possible:
my@bash $ /usr/sbin/pure-ftpd -4 -e
Unable to start a standalone server: Address already in use
my@bash $
my@bash $ pgrep -alfi ftp
1708 pure-ftpd (SERVER)
my@bash $
my@bash $ systemctl stop pure-ftpd
my@bash $
my@bash $ /usr/sbin/pure-ftpd -4 -e

^Cmy@bash $
my@bash $
my@bash $ /usr/sbin/pure-ftpd -4 -e -A

my@bash $ ##    >> The server does start, but cannot serve anyone!
my@bash $ ##    (FTP client: "421 Unable to set up secure anonymous FTP")
my@bash $

Create the user 'ftp' manually:

my@bash $ useradd -d /srv/ftp -s /usr/sbin/nologin -c "Anonymous FTP User" -r ftp
my@bash $
my@bash $ grep ^ftp /etc/passwd
ftp:x:998:998:Anonymous FTP User:/srv/ftp:/usr/sbin/nologin
my@bash $
my@bash $ ##        >> Thanks to -r, --system the user and group ID are below 1000.
my@bash $
my@bash $ ls -la /srv/ftp
total 4
drwxr-xr-x 1 root  113 28 Dec 21 10:14 .
drwxr-xr-x 1 root root 82 Dec 21 08:53 ..
-rw-r--r-- 1 root root 11 Dec 21 10:14 willkommen.txt
my@bash $
my@bash $ ##      >>  The GID of the former FTP user shows up!
my@bash $ ##      Therefore:
my@bash $ chgrp ftp /srv/ftp
my@bash $
my@bash $ ls -ld /srv/ftp
drwxr-xr-x 1 root ftp 28 Dec 21 10:14 /srv/ftp
my@bash $
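The manual setup above relies on four properties being true at once (an 'ftp' entry exists, its uid is a system uid, its shell forbids interactive login, and the home directory is root-owned and not writable for the group or for others). The following script is an added example, not part of the notes: it turns that eyeballing of grep and ls output into a repeatable check. The function name anon_account_check is ours, and the passwd line it is fed in the demo is the one printed by grep ^ftp /etc/passwd above, reused here as constructed input.

```shell
#!/bin/sh
# Added example (not from the notes): a repeatable pre-flight check for the
# anonymous account created by hand above. Function name and sample data are ours.

# anon_account_check PASSWD_FILE HOME_DIR [EXPECTED_OWNER]
#   1. an 'ftp' entry exists in PASSWD_FILE,
#   2. its uid is a system uid (< 1000, which is what useradd -r gives),
#   3. its shell does not permit an interactive login,
#   4. HOME_DIR exists, belongs to EXPECTED_OWNER (default root) and is neither
#      group- nor world-writable, so anonymous users cannot write to the top level.
#   Prints one line per problem and returns 1 if any check failed.
anon_account_check() {
    pw=$1; home=$2; want_owner=${3:-root}; rc=0
    entry=$(grep '^ftp:' "$pw") || { echo "no 'ftp' account in $pw"; return 1; }
    # passwd fields: name:password:uid:gid:gecos:home:shell
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ "$uid" -lt 1000 ] 2>/dev/null \
        || { echo "uid $uid is not a system uid (expected < 1000)"; rc=1; }
    case $shell in
        */nologin|*/false) ;;
        *) echo "shell $shell permits interactive login"; rc=1 ;;
    esac
    [ -d "$home" ] || { echo "home directory $home does not exist"; return 1; }
    # ls -ld prints: mode links owner group size date ... name
    set -- $(ls -ld "$home")
    mode=$1; owner=$3; group=$4
    [ "$owner" = "$want_owner" ] \
        || { echo "$home is owned by $owner, expected $want_owner"; rc=1; }
    # character 6 of the mode is the group write bit, character 9 the world write bit
    case $mode in
        ?????w*|????????w*) echo "$home is group- or world-writable ($mode)"; rc=1 ;;
    esac
    echo "info: $home has group $group (the notes chgrp it to 'ftp' to avoid a dangling gid)"
    return $rc
}

# Demo on constructed input: the passwd line from the notes and a fresh 0755 directory.
# The expected owner is the current user here because the demo does not run as root.
demo_pw=$(mktemp)
printf 'ftp:x:998:998:Anonymous FTP User:/srv/ftp:/usr/sbin/nologin\n' > "$demo_pw"
demo_home=$(mktemp -d); chmod 755 "$demo_home"
anon_account_check "$demo_pw" "$demo_home" "$(id -un)" || :
rm -rf "$demo_pw" "$demo_home"
```

On the real box the call would be `anon_account_check /etc/passwd /srv/ftp` (owner root by default). The group is only reported, not enforced: with the group write bit cleared, the chgrp from the notes is about avoiding a dangling gid, not about access.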

Start the server again and test:

my@bash $ /usr/sbin/pure-ftpd -4 -e -A -c 3 -d -B
my@bash $
my@bash $ ftp 192.168.2.232
Connected to 192.168.2.232.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 3 allowed.
220-Local time is now 12:26. Server port: 21.
220-Only anonymous FTP is allowed here
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.2.232:root): ftp
230 Anonymous user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 I won’t open a connection to 10.1.1.3 (only to 192.168.2.103)
ftp: bind: Address already in use
ftp> passive
Passive mode on.
ftp>
ftp> ls
227 Entering Passive Mode (192,168,2,232,103,91)
150 Accepted data connection
-rw-r--r--    1 0          0                  11 Dec 21 10:14 willkommen.txt
226-Options: -l
226 1 matches total
ftp>
ftp> get willkommen.txt
local: willkommen.txt remote: willkommen.txt
227 Entering Passive Mode (192,168,2,232,91,28)
150 Accepted data connection
226-File successfully transferred
226 0.002 seconds (measured here), 6.73 Kbytes per second
11 bytes received in 0.00 secs (14.2469 kB/s)
ftp>
ftp> by
221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
221 Logout.
my@bash $
my@bash $ /usr/sbin/pure-ftpd --help
pure-ftpd v1.0.47 [privsep]

-0  --notruncate
-1  --logpid
-2  --certfile      <opt>
-4  --ipv4only
-6  --ipv6only
-8  --fscharset     <opt>
-9  --clientcharset <opt>
-A  --chrooteveryone
-a  --trustedgid    <opt>
-b  --brokenclientscompatibility
-B  --daemonize
-C  --maxclientsperip       <opt>
-c  --maxclientsnumber      <opt>
-d  --verboselog
-D  --displaydotfiles
-e  --anonymousonly
-E  --noanonymous
-f  --syslogfacility        <opt>
-F  --fortunesfile  <opt>
-g  --pidfile       <opt>
-G  --norename
-h  --help
-H  --dontresolve
-I  --maxidletime   <opt>
-i  --anonymouscantupload
-j  --createhomedir
-K  --keepallfiles
-k  --maxdiskusagepct       <opt>
-l  --login <opt>
-L  --limitrecursion        <opt>
-M  --anonymouscancreatedirs
-m  --maxload       <opt>
-N  --natmode
-n  --quota <opt>
-o  --uploadscript
-O  --altlog        <opt>
-p  --passiveportrange      <opt>
-P  --forcepassiveip        <opt>
-q  --anonymousratio        <opt>
-Q  --userratio     <opt>
-r  --autorename
-R  --nochmod
-s  --antiwarez
-S  --bind  <opt>
-t  --anonymousbandwidth    <opt>
-T  --userbandwidth <opt>
-U  --umask <opt>
-u  --minuid        <opt>
-V  --trustedip     <opt>
-w  --allowuserfxp
-W  --allowanonymousfxp
-x  --prohibitdotfileswrite
-X  --prohibitdotfilesread
-y  --peruserlimits <opt>
-Y  --tls   <opt>
-J  --tlsciphersuite        <opt>
-z  --allowdotfiles
-Z  --customerproof
my@bash $
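The session above shows both sides of the data-connection problem: in active mode the server refuses the client's PORT target ("500 I won't open a connection to 10.1.1.3 (only to 192.168.2.103)"), and in passive mode the server announces host and port in the 227 reply, encoded as six decimal numbers with port = p1*256 + p2. The following script is an added example, not code from the notes or from pure-ftpd: it parses that reply and applies the same "only the peer of the control connection" rule on the client side. The function names pasv_parse and pasv_check are ours; the 227 replies in the demo are copied from the session above as constructed input.

```shell
#!/bin/sh
# Added example (not from the notes or from pure-ftpd): client-side sanity check
# for the passive-mode handshake. Function names and demo input are ours.

# pasv_parse LINE
#   Extracts h1,h2,h3,h4,p1,p2 from "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
#   and prints "host port" with port = p1*256 + p2 (the encoding RFC 959 defines).
#   Returns 1 for anything that is not a well-formed 227 reply.
pasv_parse() {
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        [ "$n" -le 255 ] || return 1      # each octet and each port byte is 0..255
    done
    port=$(( $5 * 256 + $6 ))
    [ "$port" -gt 0 ] || return 1
    printf '%s.%s.%s.%s %s\n' "$1" "$2" "$3" "$4" "$port"
}

# pasv_check CONTROL_HOST LINE
#   Compares the address the server announces with the address the control
#   connection actually went to. pure-ftpd applies the same rule to PORT
#   commands on the server side (the "500 I won't open a connection to ..."
#   reply above); a client should be just as strict about data connections to
#   a third host. A mismatch is often a server behind NAT announcing its
#   internal address, which -P/--forcepassiveip from the option list corrects.
#   Prints host:port and returns 0 when the addresses agree, returns 1 otherwise.
pasv_check() {
    ctl=$1
    parsed=$(pasv_parse "$2") || { echo "malformed 227 reply: $2" >&2; return 1; }
    host=${parsed% *}
    port=${parsed#* }
    if [ "$host" != "$ctl" ]; then
        echo "refusing data connection to $host:$port (control connection is to $ctl)" >&2
        return 1
    fi
    printf '%s:%s\n' "$host" "$port"
}

# Demo: the two replies from the session above, then one announcing a different host
pasv_check 192.168.2.232 '227 Entering Passive Mode (192,168,2,232,103,91)'
pasv_check 192.168.2.232 '227 Entering Passive Mode (192,168,2,232,91,28)'
pasv_check 192.168.2.232 '227 Entering Passive Mode (10,1,1,3,103,91)' || :
```

The two replies from the session decode to ports 26459 (103*256+91) and 23324 (91*256+28), both inside the unprivileged range; -p/--passiveportrange from the option list is what pins that range down when a firewall in front of the server has to allow it.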

Helper programs

See p. 474 f.

my@bash $ /usr/sbin/pure-ftpd -4 -e -A -c 3 -B
my@bash $
my@bash $ pure-ftpwho

+------+---------+-------+------+-------------------------------------------+
| PID  |  Login  |For/Spd| What |                 File/IP                   |
+------+---------+-------+------+-------------------------------------------+
| 1781 | ftp     | 00:00 | IDLE |                                           |
|  ''  |    ''   |   ''  |  ''  | ->                          192.168.2.103 |
+------+---------+-------+------+-------------------------------------------+

my@bash $
my@bash $ pure-ftpd-control stop
[ ok ] Stopping pure-ftpd (via systemctl): pure-ftpd.service.
my@bash $

my@bash $ pure-ftpd-control status
● pure-ftpd.service
   Loaded: loaded (/etc/init.d/pure-ftpd; generated)
   Active: inactive (dead) since Mon 2020-12-21 12:12:49 CET; 21min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1736 ExecStop=/etc/init.d/pure-ftpd stop (code=exited, status=0/SUCCESS)

Dec 21 12:04:05 deb2 systemd[1]: Starting pure-ftpd.service...
Dec 21 12:04:06 deb2 pure-ftpd[1698]: Starting ftp server: Running: /usr/sbin/pure-f…GH -B
Dec 21 12:04:06 deb2 systemd[1]: Started pure-ftpd.service.
Dec 21 12:12:49 deb2 systemd[1]: Stopping pure-ftpd.service...
Dec 21 12:12:49 deb2 pure-ftpd[1736]: Stopping ftp server: pure-ftpd.
Dec 21 12:12:49 deb2 systemd[1]: pure-ftpd.service: Succeeded.
Dec 21 12:12:49 deb2 systemd[1]: Stopped pure-ftpd.service.
Hint: Some lines were ellipsized, use -l to show in full.
my@bash $
my@bash $

my@bash $ pure-pw useradd www -u 1000 -g 1000 -d /www
Password:
Enter it again:
my@bash $
my@bash $
my@bash $
my@bash $ cat /etc/pure-ftpd/pureftpd.passwd
www:$6$X7cfQjxzUwEGfmP0$c1VOXieNUC4b1CE5qKT6q4DArjzdPiECfFqhqMLbZRM5adMe5CwQMbsnoYDZmIH2X5zK8FioDXHuLFmilyfRm/:1000:1000::/www/./::::::::::::
my@bash $
my@bash $ ##       >>  Good to know: virtual users are relatively easy to create.

Configuration files

We encounter a somewhat unusual scheme here: there are a number of important files whose file name corresponds to the configuration directive, and the file itself contains nothing but the value:

my@bash $ grep -r -v --color '^#\|^$' /etc/pure-ftpd/
/etc/pure-ftpd/conf/AltLog:clf:/var/log/pure-ftpd/transfer.log
/etc/pure-ftpd/conf/FSCharset:UTF-8
/etc/pure-ftpd/conf/MinUID:1000
/etc/pure-ftpd/conf/NoAnonymous:yes
/etc/pure-ftpd/conf/PAMAuthentication:yes
/etc/pure-ftpd/conf/PureDB:/etc/pure-ftpd/pureftpd.pdb
/etc/pure-ftpd/conf/TLSCipherSuite:HIGH
/etc/pure-ftpd/conf/UnixAuthentication:no
/etc/pure-ftpd/pure-ftpd.conf:ChrootEveryone               yes
/etc/pure-ftpd/pure-ftpd.conf:BrokenClientsCompatibility   no
/etc/pure-ftpd/pure-ftpd.conf:MaxClientsNumber             50
/etc/pure-ftpd/pure-ftpd.conf:Daemonize                    yes
/etc/pure-ftpd/pure-ftpd.conf:MaxClientsPerIP              8
/etc/pure-ftpd/pure-ftpd.conf:VerboseLog                   no
/etc/pure-ftpd/pure-ftpd.conf:DisplayDotFiles              yes
/etc/pure-ftpd/pure-ftpd.conf:AnonymousOnly                no
/etc/pure-ftpd/pure-ftpd.conf:NoAnonymous                  no
/etc/pure-ftpd/pure-ftpd.conf:SyslogFacility               ftp
/etc/pure-ftpd/pure-ftpd.conf:DontResolve                  yes
/etc/pure-ftpd/pure-ftpd.conf:MaxIdleTime                  15
/etc/pure-ftpd/pure-ftpd.conf:LimitRecursion               10000 8
/etc/pure-ftpd/pure-ftpd.conf:AnonymousCanCreateDirs       no
/etc/pure-ftpd/pure-ftpd.conf:MaxLoad                      4
/etc/pure-ftpd/pure-ftpd.conf:AntiWarez                    yes
/etc/pure-ftpd/pure-ftpd.conf:Umask                        133:022
/etc/pure-ftpd/pure-ftpd.conf:MinUID                       100
/etc/pure-ftpd/pure-ftpd.conf:AllowUserFXP                 no
/etc/pure-ftpd/pure-ftpd.conf:AllowAnonymousFXP            no
/etc/pure-ftpd/pure-ftpd.conf:ProhibitDotFilesWrite        no
/etc/pure-ftpd/pure-ftpd.conf:ProhibitDotFilesRead         no
/etc/pure-ftpd/pure-ftpd.conf:AutoRename                   no
/etc/pure-ftpd/pure-ftpd.conf:AnonymousCantUpload          no
/etc/pure-ftpd/pure-ftpd.conf:MaxDiskUsage                   99
/etc/pure-ftpd/pure-ftpd.conf:CustomerProof                yes
/etc/pure-ftpd/pureftpd.passwd:www:$6$X7cfQjxzUwEGfmP0$c1VOXieNUC4b1CE5qKT6q4DArjzdPiECfFqhqMLbZRM5adMe5CwQMbsnoYDZmIH2X5zK8FioDXHuLFmilyfRm/:1000:1000::/www/./::::::::::::
my@bash $
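Because each directive lives in its own file under conf/, the effective configuration can be audited with plain shell. The following script is an added example, not code from the notes or from the pure-ftpd project: it reads directive files the way the grep above lists them and reports the settings a hardening review would look at first (chroot, mandatory TLS, MinUID, anonymous upload, FXP, per-IP limits). Function names, finding texts and the temporary sample tree are ours. Assumption: a directive whose file is missing is unset and pure-ftpd's built-in default applies; the fallback values used for TLS (0) and MinUID (100) are our reading of those defaults and are not stated in the notes.

```shell
#!/bin/sh
# Added example (not from the notes or from pure-ftpd): audit of the
# directive-per-file layout under conf/. Names, texts and sample tree are ours.

# conf_get DIR NAME -> first non-comment, non-blank line of DIR/conf/NAME with
#                      trailing whitespace stripped; returns 1 if unset.
conf_get() {
    f="$1/conf/$2"
    [ -r "$f" ] || return 1
    v=$(grep -v -e '^#' -e '^$' "$f" | head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# conf_is DIR NAME VALUE -> true if the directive is set to VALUE (case-insensitive)
conf_is() {
    v=$(conf_get "$1" "$2") || return 1
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$3" ]
}

finding() { printf 'FINDING: %s\n' "$1"; AUDIT_N=$((AUDIT_N + 1)); }

# conf_audit DIR -> one line per finding; the return value is the number of
#                   findings, so 0 means nothing to report.
conf_audit() {
    d=$1; AUDIT_N=0
    conf_is "$d" ChrootEveryone yes \
        || finding "ChrootEveryone is not yes: authenticated users can leave their home directory"
    tls=$(conf_get "$d" TLS) || tls=0        # assumed default: no TLS
    [ "$tls" -ge 2 ] 2>/dev/null \
        || finding "TLS=$tls: cleartext logins are accepted (2 makes TLS mandatory)"
    minuid=$(conf_get "$d" MinUID) || minuid=100   # assumed default
    [ "$minuid" -ge 1000 ] 2>/dev/null \
        || finding "MinUID=$minuid: system accounts below uid 1000 may log in"
    if ! conf_is "$d" NoAnonymous yes; then
        conf_is "$d" AnonymousCantUpload yes \
            || finding "anonymous login is enabled but AnonymousCantUpload is not yes"
        ! conf_is "$d" AllowAnonymousFXP yes \
            || finding "AllowAnonymousFXP=yes: anonymous users may open data connections to third hosts"
    fi
    ! conf_is "$d" AllowUserFXP yes \
        || finding "AllowUserFXP=yes: users may open data connections to third hosts"
    conf_get "$d" MaxClientsPerIP >/dev/null \
        || finding "MaxClientsPerIP unset: a single address can exhaust MaxClientsNumber"
    return $AUDIT_N
}

# mk_sample -> temporary tree with the directive files the grep above listed
#              (a constructed copy of that layout); prints its path.
mk_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf"
    for kv in 'AltLog=clf:/var/log/pure-ftpd/transfer.log' 'FSCharset=UTF-8' \
              'MinUID=1000' 'NoAnonymous=yes' 'PAMAuthentication=yes' \
              'PureDB=/etc/pure-ftpd/pureftpd.pdb' 'TLSCipherSuite=HIGH' \
              'UnixAuthentication=no'; do
        printf '# one value per file\n%s\n' "${kv#*=}" > "$dir/conf/${kv%%=*}"
    done
    printf '%s\n' "$dir"
}

# Demo: audit the sample as listed above, then again after adding hardening directives
demo=$(mk_sample)
conf_audit "$demo" || :
printf 'yes\n' > "$demo/conf/ChrootEveryone"
printf '2\n'   > "$demo/conf/TLS"
printf '8\n'   > "$demo/conf/MaxClientsPerIP"
conf_audit "$demo" && echo "no findings after hardening"
rm -rf "$demo"
```

Run against the real tree with `conf_audit /etc/pure-ftpd`. On the listing above it reports three findings (ChrootEveryone, TLS and MaxClientsPerIP are all unset); note that pure-ftpd.conf in the same directory sets ChrootEveryone and MaxClientsPerIP, but the script deliberately reads only conf/, since that is the layout the notes describe as the one in use.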

See also:

Setting up proftpd

For this further FTP server see p. 476 and https://www.ionos.de/digitalguide/server/konfiguration/eigenen-debian-ftp-server-mit-proftpd-einrichten/

For LPI this server is not of particular interest.

Advantages:

  • Supports virtual users (as does pure-ftpd)

  • Also supports virtual hosts on top of that

  • Modular design

  • Fine-grained permission assignment

Disadvantages:

  • Higher memory footprint

  • High flexibility comes at the expense of security!