This example shows how you might set up a (possibly large) internet-facing
FTP site.

The emphasis will be on security and performance.

We will see how integrating vsftpd with xinetd gives a powerful combination.

Step 1) Set up your xinetd configuration file.

An example xinetd configuration file "vsftpd.xinetd" is supplied.
To install it:

cp vsftpd.xinetd /etc/xinetd.d/vsftpd

Let's look at the important content in this file and see what it does:

disable = no
socket_type = stream
wait = no

This says that the service is active, and it is using standard TCP sockets.

user = root
server = /usr/local/sbin/vsftpd

The server program /usr/local/sbin/vsftpd is used to handle incoming FTP
requests, and the program is started as root (vsftpd will of course quickly
drop as much privilege as possible). NOTE! Make sure that you have the vsftpd
binary installed in /usr/local/sbin (or change the file path in the xinetd
file).

per_source = 5
instances = 200

For security, the maximum allowed connections from a single IP address is 5.
The total maximum concurrent connections is 200.

no_access = 192.168.1.3

As an example of how to ban certain sites from connecting, 192.168.1.3 will
be denied access.

banner_fail = /etc/vsftpd.busy_banner

This is the file to display to users if the connection is refused for whatever
reason (too many users, IP banned).

Example of how to populate it:
echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner

log_on_success += PID HOST DURATION
log_on_failure += HOST

This will log the IP address of all connection attempts - successful or not -
along with the time. If an FTP server is launched for the connection, its
process ID and usage duration will be logged too. If you are using RedHat
like me, this log information will appear in /var/log/secure.


Step 2) Set up your vsftpd configuration file.

An example file is supplied. Install it like this:

cp vsftpd.conf /etc

Let's examine the contents of the file:

# Access rights
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

This makes sure the FTP server is in anonymous-only mode and that all write
and upload permissions are disabled. Note that most of these settings are
the same as the default values anyway - but where security is concerned, it
is good to be explicit.

# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000

These settings, in order:
- Make sure only world-readable files and directories are served, so a file
accidentally left readable only by the ftp user is not exposed.
- Originates active-mode (PORT) data connections from the privileged port 20,
so an unprivileged user on the FTP server cannot open a connection to the
client's data port and pass off fake file content.
- Hides the server's real user and group IDs and just displays "ftp" in
directory listings, so listings reveal nothing about local accounts. This is
also a performance boost.
- Sets a 50000-60000 port range for passive data connections, so a firewall
only has to open that range rather than all high ports.

# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES

In order:
- Enables recording of transfer stats to /var/log/vsftpd.log
- Disables "ls -R", to prevent it being used as a DoS attack. Note - sites
wanting to be copied via the "mirror" program might need to enable this.
- Disables downloading in ASCII mode, to prevent it being used as a DoS
attack (ASCII downloads are CPU heavy).
- Enables older FTP clients to cancel in-progress transfers.

# Performance
one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000

In order:
- Activates the faster "one process per connection" model. Note! This is a
less strict security model than the default, so to maintain security it is
only available on systems with capabilities - e.g. Linux kernel 2.4.
- Boots off idle users after 2 minutes.
- Boots off idle downloads after 5 minutes.
- Boots off hung passive connects after 1 minute.
- Boots off hung active connects after 1 minute.
- Limits a single client to ~50 kbytes/sec download speed.


Step 3) Restart xinetd.

(on RedHat)
/etc/rc.d/init.d/xinetd restart

If you run into problems, check:
1) Your /etc/xinetd.d directory only has one FTP service.
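The two configuration files above are the whole security posture of this site,
so it is worth checking them mechanically rather than by eye. The following is
an added example written for this README, not code shipped with vsftpd or
xinetd. It parses a vsftpd.conf and a set of xinetd service stanzas, reports
every setting from Steps 1 and 2 that is missing or wrong (an absent key counts
as a finding, since the point above is to be explicit), and performs the Step 3
check that only one "service ftp" is defined. The configuration texts inside
the block are constructed samples, and the second server path
/usr/sbin/other-ftpd is hypothetical.

```python
"""Audit a vsftpd.conf and xinetd service stanzas against the anonymous-only,
read-only policy this README describes. Added example for this README, not code
shipped with vsftpd or xinetd; the inputs at the bottom are constructed samples.
To audit a real host, read /etc/vsftpd.conf and the files in /etc/xinetd.d."""
import re

# Settings the README requires. Defaults are deliberately not consulted: an absent
# key is a finding, because the README's point is to state these explicitly.
VSFTPD_POLICY = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "anon_world_readable_only": "YES",
    "connect_from_port_20": "YES", "hide_ids": "YES", "ls_recurse_enable": "NO",
    "ascii_download_enable": "NO", "xferlog_enable": "YES",
}

def parse_vsftpd_conf(text):
    """vsftpd.conf is one key=value per line; lines starting with '#' are comments."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd(conf):
    """One finding per violation; an empty list means the file matches the policy."""
    findings = []
    for key, wanted in VSFTPD_POLICY.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly (want {wanted})")
        elif got.upper() != wanted:
            findings.append(f"{key}={got} (want {wanted})")
    # Passive data connections need a fixed, unprivileged range a firewall can open.
    lo, hi = conf.get("pasv_min_port", ""), conf.get("pasv_max_port", "")
    if not (lo.isdigit() and hi.isdigit() and 1024 < int(lo) <= int(hi)):
        findings.append("pasv_min_port/pasv_max_port is not a fixed unprivileged range")
    return findings

# xinetd stanza: 'service NAME { attribute op value ... }', op being =, += or -=.
_STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
_ATTR = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")

def parse_xinetd(text):
    """Return [(service name, {attribute: token list})] for every stanza."""
    stanzas = []
    for name, body in _STANZA.findall(text):
        attrs = {}
        for m in filter(None, map(_ATTR.match, body.splitlines())):
            key, op, value = m.groups()
            tokens = value.split()
            if op == "=":
                attrs[key] = tokens
            elif op == "+=":  # 'log_on_success += PID HOST DURATION' appends tokens
                attrs.setdefault(key, []).extend(tokens)
            else:
                attrs[key] = [t for t in attrs.get(key, []) if t not in tokens]
        stanzas.append((name, attrs))
    return stanzas

def audit_xinetd(stanzas):
    findings = []
    ftp = [attrs for name, attrs in stanzas if name == "ftp"]
    if len(ftp) != 1:  # the README's first troubleshooting check
        findings.append(f"{len(ftp)} 'service ftp' definitions (want exactly 1)")
    for a in ftp:
        if a.get("user") != ["root"]:
            findings.append("user must be root so vsftpd can drop privileges itself")
        for key in ("per_source", "instances"):
            if not (a.get(key) or [""])[0].isdigit():
                findings.append(f"{key} is not set to a number")
        for key in ("log_on_success", "log_on_failure"):
            if "HOST" not in a.get(key, []):
                findings.append(f"{key} does not log HOST")
    return findings

# Constructed samples: the README's recommended vsftpd.conf, a casually edited one
# an audit should catch, the README's xinetd stanza, and that stanza duplicated.
HARDENED_VSFTPD = "\n".join(f"{k}={v}" for k, v in VSFTPD_POLICY.items()) + \
    "\npasv_min_port=50000\npasv_max_port=60000\nasync_abor_enable=YES\n"
WEAK_VSFTPD = "anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n" \
    "anon_upload_enable=YES\nxferlog_enable=YES\n"
XINETD_OK = """service ftp
{
    disable         = no
    user            = root
    server          = /usr/local/sbin/vsftpd
    per_source      = 5
    instances       = 200
    log_on_success  += PID HOST DURATION
    log_on_failure  += HOST
}
"""
# As when two files in /etc/xinetd.d both define 'service ftp' (second path is hypothetical).
XINETD_DUP = XINETD_OK + "service ftp\n{\n    user = root\n    server = /usr/sbin/other-ftpd\n}\n"
if __name__ == "__main__":  # quick demo over the constructed samples
    print("weak vsftpd.conf:", audit_vsftpd(parse_vsftpd_conf(WEAK_VSFTPD)))
    print("duplicate xinetd:", audit_xinetd(parse_xinetd(XINETD_DUP)))
```

Run it against the real files by reading /etc/vsftpd.conf into parse_vsftpd_conf
and the concatenated contents of /etc/xinetd.d/* into parse_xinetd; an empty
findings list from both audits means the host matches the setup described
above, and a second "service ftp" stanza shows up as the first finding.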