Linux HOWTOs


HOWTO: vsftpd
Description: Secure and fast FTP server
NOTE: I use GNU tar >= 1.13.25, so it's -j for .tar.bz2 files.
It's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything.

# vsftpd 3.0.3
# ============
# Slackware 13.37: vsftpd 2.3.4
# Slackware 14.0, 14.1: vsftpd 3.0.2
# Slackware 14.2: vsftpd 3.0.3

# Prerequisites:
# tcp wrappers (optional)
# PAM (optional)
# OpenSSL (optional)

# This will not build with SSL enabled and OpenSSL >= 1.1.0 installed,
# after a quick look around, I did not come across a patch

# Get it
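test -f installed/vsftpd-3.0.3.tar.gz && mv installed/vsftpd-3.0.3.tar.gz .
# NOTE: the download command that followed "&&" on the next line is missing
# from this copy of the page.  Left dangling, the "&&" chained straight onto
# the checksum command below, so the check only ran when the tarball was
# absent.  TARBALL_URL is a placeholder: set it to the location you download
# vsftpd-3.0.3.tar.gz from.
test ! -f vsftpd-3.0.3.tar.gz &&
 wget -nc "${TARBALL_URL:?set TARBALL_URL to the vsftpd-3.0.3.tar.gz download location}"

# Verify tarball w/ sha256sum:
# (this came from my gpg-verified tarball)
# Run this whether the tarball was just downloaded or was already on disk,
# and do not go on to extract or build unless it prints "OK".
echo "9d4d2bf6e6e2884852ba4e69e157a2cecd68c5a7635d66a3a8cf8d898c955e\
f7  vsftpd-3.0.3.tar.gz" | sha256sum -c ||
 echo "vsftpd-3.0.3.tar.gz failed the sha256 check -- do not build from it" >&2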

# Verify tarball w/ gnupg:
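# 3C0E751C is a short (32-bit) key ID.  Short IDs are not unique, so a
# different key can carry the same one.  After importing, compare the full
# fingerprint shown by "gpg --fingerprint 3C0E751C" with one obtained from a
# source you trust; a "Good signature" line only says that the key in your
# keyring made the signature.
# NOTE: the signature download URL is missing from this copy of the page;
# SIG_URL is a placeholder for the location of vsftpd-3.0.3.tar.gz.asc.
# The signed file is named explicitly on the gpg --verify line rather than
# leaving gpg to infer it from the name of the .asc file.
( gpg --list-keys 3C0E751C > /dev/null 2>&1 || gpg --recv-keys 3C0E751C ) &&
 wget -nc "${SIG_URL:?set SIG_URL to the vsftpd-3.0.3.tar.gz.asc download location}" &&
  gpg --verify vsftpd-3.0.3.tar.gz.asc vsftpd-3.0.3.tar.gz &&
   rm vsftpd-3.0.3.tar.gz.asc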

# Extract the tarball
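# Work in a private directory.  Each step runs only if the one before it
# succeeded: the cleanup deletes every vsftpd-* directory under the current
# directory, so it must not run if the cd into ~/src failed.
mkdir -p -m 0700 ~/src
cd ~/src &&
 find . -maxdepth 1 -type d -name "vsftpd-*" -exec rm -r {} \; &&
 tar xzvf ~/vsftpd-3.0.3.tar.gz &&
 cd vsftpd-3.0.3 &&
 # When run as root, GNU tar restores the owner recorded in the archive, so
 # hand the extracted tree back to root.
 test "$UID" = 0 && chown -R root:root .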

# If you have OpenSSL >= 1.1.0 installed, and you want to enable SSL for
# vsftpd, apply these three patches from Slackware64-current.  I did not
# check if these are 64-bit specific, so you may want to look in the regular
# Slackware-current if you are not 64-bit.
# NOTE(review): the download URLs in the three wget commands below were
# truncated in this copy of the page, and the third patch's file name is
# missing altogether, so these commands will not run as shown.  Take the
# patch names and locations from the vsftpd source directory of the
# Slackware tree you use.
# Each patch is piped into 'patch' with no integrity check, and the two that
# are named change vsftpd's SSL code.  Fetch them over a channel you trust,
# or check them against the distribution's signed checksum list, and read
# them before applying.
wget -nc\
n/vsftpd/0021-Introduce-support-for-DHE-based-cipher-suites.patch.gz &&
 zcat 0021-Introduce-support-for-DHE-based-cipher-suites.patch.gz |
  patch -p1
wget -nc\
gz &&
 zcat 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch.gz |
  patch -p1
wget -nc\
n/vsftpd/ &&
 zcat |
  patch -p1

# Open up ./builddefs.h to enable or disable certain features that will be
# built in.  To enable the feature make sure it says 'define', to disable it
# make sure it says 'undef'.
# VSF_BUILD_TCPWRAPPERS = use TCP wrappers (/etc/hosts.allow, hosts.deny)
# VSF_BUILD_SSL = use SSL (this will allow you to use ftp + SSL (ftps))

# If you use source-installed OpenSSL < 1.1.0 installed under the
# /usr/local/ssl prefix, and would like to update the LDFLAGS and CFLAGS
# that are in the Makefile with the location of your OpenSSL libraries and
# includes, here's a way of updating the Makefile.  If you want to see what
# it did, run this: diff -u Makefile.orig Makefile
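# Start from "lib" so that on anything other than x86_64 LDFLAGS does not end
# up pointing at a bare /usr/local/ssl/ (or at whatever LIBDIR already held
# in this shell).  Check which directory under /usr/local/ssl really holds
# libssl on your system and adjust if it differs.
LIBDIR=lib
test "$(uname -m)" = "x86_64" && LIBDIR=lib64
# Keep the untouched Makefile so the change can be reviewed with diff -u
cp -a Makefile Makefile.orig
# Prepend the OpenSSL library and include paths to the existing flag lines
# (the \t escapes rely on GNU sed)
sed \
-e "s%^LDFLAGS\t=\t%LDFLAGS\t=\t-L/usr/local/ssl/${LIBDIR} %" \
-e "s%^CFLAGS\t=\t%CFLAGS\t=\t-I/usr/local/ssl/include %" \
Makefile.orig > Makefile
unset LIBDIR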

# Build it

# Become root to install and configure it

# Back up your existing configuration file, if there is one:
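# 'install' sets mode 600 as part of the copy, so the backup does not sit
# there with the original file's permissions until a later chmod; -p keeps
# the timestamps.  The date is evaluated once, so a single file name is used.
# Note that -m 0700 only applies when mkdir creates ~/backup; an existing
# directory keeps whatever mode it already has.
test -f /etc/vsftpd.conf &&
 ( mkdir -p -m 0700 ~/backup
   install -m 600 -p /etc/vsftpd.conf \
    ~/backup/vsftpd.conf-"$(date +%Y%m%d)" )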

# Remove the Slackware package, if there is one
# Only attempted where Slackware's removepkg tool is present and executable
[ -x /sbin/removepkg ] && /sbin/removepkg vsftpd

# Rather than 'make install' which would put everything under the /usr/local
# prefix, run 'install' (or cp if you prefer) for each item:
# The daemon binary, stripped (-s), mode 755
install -s -m 755 vsftpd /usr/sbin/vsftpd
# The man pages, mode 644 with timestamps kept (-p); the section directory is
# taken from each page's numeric suffix
for page in vsftpd.conf.5 vsftpd.8; do
  install -p -m 644 "$page" "/usr/man/man${page##*.}/$page"
done
unset page

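# You can go with the default user "nobody", but I like to create
# a user just for vsftpd (because so many other things use nobody).  If you
# do decide to do this too, add "nopriv_user=vsftpd" to your vsftpd.conf
# (vsftpd.conf settings are written option=value, with no spaces).
# getent is asked for the one group by name rather than grepping the whole
# group list.  The account gets /bin/false as its shell.
getent group vsftpd > /dev/null || groupadd vsftpd
id vsftpd > /dev/null 2>&1 ||
 useradd -d /home/ftp -s /bin/false -g vsftpd vsftpd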

# Create the directory that the chroot will use, if you set it to use one:
# (Slackware already has a /var/empty too...)
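# vsftpd chroots into this directory at times when it needs no filesystem
# access, so it should stay empty and not be writable by the ftp user.
mkdir -p /usr/share/empty

# Set up the anonymous ftp directory, if you're going to have anonymous
# ftp.  You don't have to use uid 14 and gid 50 for the user and group, I
# just put that here so I don't have mismatched uid and gid numbers on
# different servers.  If you already have an ftp user and you decide to go
# with the /home/blahblah/ftp directory, make sure you change the ftp
# user's home directory to that.
# The top of the anonymous tree is owned by root and mode 755, so the ftp
# user cannot write to it.
mkdir -p /home/ftp
chown root:root /home/ftp
chmod 755 /home/ftp
# getent is asked for the one group by name rather than grepping the whole
# group list
getent group ftp > /dev/null || groupadd -g 50 ftp
# NOTE(review): unlike the vsftpd account created earlier with -s /bin/false,
# this account gets the system default shell; consider giving it a non-login
# shell too -- confirm FTP logins still work on your build if you do.
id ftp > /dev/null 2>&1 || useradd -d /home/ftp -g ftp -u 14 ftp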

# If you compiled-in PAM support, create a /etc/pam.d/ftp (or an ftp section
# of /etc/pam.conf).  If you use pam_ldap you can get a sample from its
# source (./pam.d/ftp).  You'll find an example in the Linux-PAM source in
# conf/pam.conf.  You can get a sample intended for use with RedHat from the
# vsftpd source.  It is copied only when /etc/pam.d exists and has no ftp
# file yet.  Read it before relying on it, since it was written for another
# distribution and decides who may authenticate over FTP.
[ -d /etc/pam.d ] && [ ! -e /etc/pam.d/ftp ] &&
 cp RedHat/vsftpd.pam /etc/pam.d/ftp

# Install the example configuration file:
# Put the example configuration in place only when none exists yet, then make
# sure whichever file is there is owned by root and mode 600.
[ ! -e /etc/vsftpd.conf ] && cp vsftpd.conf /etc/vsftpd.conf
chown root:root /etc/vsftpd.conf
chmod 600 /etc/vsftpd.conf

# Keep a pristine copy of the shipped example next to it (mode 600,
# timestamps preserved):
install -p -m 600 vsftpd.conf /etc/vsftpd.conf.dist

# If you compiled-in SSL support and would like to enable it, read through
# ./README.ssl, and read through 'man vsftpd.conf' for info about the
# SSL-related configuration items like ssl_enable, rsa_cert_file, and so on.
# You will at least need to specify "ssl_enable=YES" and specify the full
# path to a PEM-format certificate for vsftpd to use, configured as
# "rsa_cert_file=/wherever/you/put/it/vsftpd.pem".  Unless you point
# rsa_private_key_file somewhere else, vsftpd expects the private key in that
# same file, so keep it owned by root and unreadable to other users.

## Here is a sample configuration that I have set up on one FTP server that
## runs as anonymous-only with no uploads.  vsftpd runs as the 'vsftpd'
## user, the anonymous ftp tree is the ftp user's home directory
## (/home/ftp).  vsftpd runs standalone (not via inetd).  Nothing below turns
## local logins or writes on, so those stay at vsftpd's built-in defaults
## (see 'man vsftpd.conf').  Here it is:
# background=YES
# connect_from_port_20=YES
# dirmessage_enable=YES
# hide_ids=YES
# listen=YES
# syslog_enable=YES
# delay_failed_login=3
# max_clients=3
# max_per_ip=2
# nopriv_user=vsftpd
# tcp_wrappers=YES
# log_ftp_protocol=YES

# (re-)start vsftpd:
# Stop any running daemon, give it a second to exit, then start whichever
# binary is installed (/usr/local/sbin is checked for a copy installed under
# the /usr/local prefix).
killall vsftpd
sleep 1
for daemon in /usr/sbin/vsftpd /usr/local/sbin/vsftpd; do
  test -x "$daemon" && "$daemon"
done
unset daemon

## Set something like this in /etc/rc.d/rc.local to start vsftpd on boot-up:
# if [ -x /usr/sbin/vsftpd ]; then
#   echo "Starting vsftpd..."
#   /usr/sbin/vsftpd
# fi

# If you have the logrotate /etc/logrotate.d/ directory set up (if you have
# a recent version of Slackware, you should), this will handle rotating
# vsftpd.log, if it exists:
# NOTE(review): the here-document that wrote this file was damaged in this
# copy of the page.  The redirection on the cat line is garbled, and
# everything after "rotate 6" (any remaining directives, the closing brace
# and the here-document terminator) is missing.  As shown, the cat line only
# reads /etc/logrotate.d/vsftpd and the two lines after it run as commands.
# Presumably the original began "cat << EOF > /etc/logrotate.d/vsftpd";
# confirm against the author's page before using it.
# The final chmod makes the logrotate snippet readable by root only.
cat < /etc/logrotate.d/vsftpd
/var/log/vsftpd.log {
    rotate 6
chmod 600 /etc/logrotate.d/vsftpd

## If you do a test connection to it and get this:
# Connected to localhost.
# 500 OOPS: 500 OOPS: child died
## then try adding "seccomp_sandbox=NO" to vsftpd.conf and restarting it.
## That turns off vsftpd's seccomp system-call filter, so it may make it less
## secure, but at least it will function...

# Make sure your non-root user can remove the source later
# Run from the top of the source tree: give the whole tree to the user who
# originally logged in (logname), then add owner write permission throughout.
chown -R "$(logname)" .
chmod -R u+w .

# Become yourself again

# Save the source for later
# Keep only this release's tarball in ./installed; the directory is created
# mode 0700 if it does not exist yet.
mkdir -m 0700 -p installed
rm -f installed/vsftpd-*.tar.*
mv vsftpd-3.0.3.tar.gz installed/vsftpd-3.0.3.tar.gz

# If you ever want to uninstall vsftpd, this should do it:
# Stop the daemon, then remove the files this HOWTO installed, the unpacked
# source and the saved tarball.  The vsftpd and ftp accounts, /home/ftp,
# /usr/share/empty and /etc/pam.d/ftp are not touched by these commands.
killall vsftpd
rm -f /usr/sbin/vsftpd \
 /usr/man/man5/vsftpd.conf.5 /usr/man/man8/vsftpd.8 \
 /etc/vsftpd.conf* /etc/logrotate.d/vsftpd
find ~/src -maxdepth 1 -type d -name "vsftpd-*" -exec rm -r {} \;
rm -f ~/installed/vsftpd-*.tar.*


Last updated: Tue, 07 Aug 2018 12:06:17 -0400
Jason Englander <jason at englanders dot us>