A virtual user is a login that does not exist as a real user on the system, i.e. it has no entry in /etc/passwd or /etc/shadow. Virtual users can therefore be more secure than real users: a compromised account can only use the FTP server and cannot log in to the system to use other services. vsftpd supports virtual users through PAM, so we can take full advantage of this.
Requirements:
1. Berkeley DB (version 4) databases
2. pam_userdb.so
Step-1: Install Vsftpd, Berkeley DB And Utilities
Type the following command as the root user:
# yum install db4-utils db4 vsftpd
Step-2: Create The Virtual Users Database
To create a "db4" format file, first create a plain text file with usernames and passwords on alternating lines.
For example, to create a user called "ftpuser1" with the password "ftpuserpass1" (and a second user "ftpuser2"):
# cd /etc/vsftpd
# vi vsftpd.passwd.raw
ftpuser1
ftpuserpass1
ftpuser2
ftpuserpass2
Save the file and exit. Next, create the actual database file like this:
# db_load -T -t hash -f vsftpd.passwd.raw vsftpd.passwd.db
# chmod 600 vsftpd.passwd.db
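The database stores exactly the bytes found in the raw file, so a stray carriage return from a Windows editor, a blank line or a duplicated username silently corrupts entries (every line after a blank one is shifted, turning a password into a username). As an added example that is not part of the original post, the following POSIX shell script wraps Step-2: it sanity-checks the raw file, builds the database into a temporary file with a restrictive umask, moves it into place atomically so that entries from an earlier run cannot linger, and lists the stored usernames. It assumes db4-utils from Step-1 is installed; the function names check_raw_passwd, build_passwd_db and list_db_users are my own, and the default paths are the post's.

```sh
#!/bin/sh
# Added example, not from the original post: build /etc/vsftpd/vsftpd.passwd.db
# from the alternating username/password file of Step-2, after checking it.
# Assumes db_load and db_dump (db4-utils) are installed.
set -u

# check_raw_passwd FILE
# Returns 0 if FILE is a well-formed alternating username/password list:
# an even, non-zero number of lines, no blank lines, no CR or whitespace,
# usernames limited to [a-z0-9._-] (the username is also used as the
# per-user config file name under user_config_dir), no duplicate usernames.
check_raw_passwd() {
    awk '
        /\r/ || /[ \t]/ { printf "line %d: whitespace or CR\n", NR; bad = 1 }
        /^$/            { printf "line %d: empty line\n", NR; bad = 1 }
        NR % 2 == 1 {
            if ($0 !~ /^[a-z0-9._-]+$/) { printf "line %d: bad username %s\n", NR, $0; bad = 1 }
            if ($0 in seen) { printf "line %d: duplicate user %s\n", NR, $0; bad = 1 }
            seen[$0] = 1
        }
        END {
            if (NR == 0 || NR % 2 == 1) { print "odd or zero line count"; bad = 1 }
            exit bad
        }' "$1"
}

# build_passwd_db RAW DB
# Loads RAW into a hash-format Berkeley DB. The database is built as a
# temporary file (never world-readable thanks to umask 077) and then renamed
# over DB, so the result always reflects exactly the current raw file.
build_passwd_db() {
    raw=$1; db=$2
    check_raw_passwd "$raw" || return 1
    tmp="$db.tmp.$$"
    rm -f "$tmp"
    ( umask 077; db_load -T -t hash -f "$raw" "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv -f "$tmp" "$db"
}

# list_db_users DB -> prints the usernames (the keys) stored in DB.
# db_dump -p prints key and value lines alternately, indented by one space,
# between the HEADER=END and DATA=END markers.
list_db_users() {
    db_dump -p "$1" | awk '
        /^HEADER=END$/ { in_data = 1; next }
        /^DATA=END$/   { in_data = 0 }
        in_data && (++n % 2 == 1) { sub(/^ /, ""); print }'
}

# Usage: sh build-vsftpd-db.sh check [RAW]
#        sh build-vsftpd-db.sh build [RAW] [DB]
raw_default=/etc/vsftpd/vsftpd.passwd.raw
db_default=/etc/vsftpd/vsftpd.passwd.db
case "${1-}" in
    check) check_raw_passwd "${2:-$raw_default}" ;;
    build) build_passwd_db "${2:-$raw_default}" "${3:-$db_default}" \
               && list_db_users "${3:-$db_default}" ;;
esac
```

Note that with the PAM stanza used in Step-4 the value stored for each key is the clear-text password, which is why the 600 permissions matter; pam_userdb also accepts the option crypt=crypt, in which case the value must be the password in crypt(3) form instead.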
Step-3: Configure Vsftpd For Virtual Users
# cd /etc/vsftpd/
Add and modify the following settings in the vsftpd config file.
# vi vsftpd.conf
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
local_enable=YES
# If enabled, virtual users get the same privileges as local users, which
# (together with write_enable) grants them write access. By default virtual
# users get the same privileges as anonymous users, which tends to be more
# restrictive (especially in terms of write access).
virtual_use_local_privs=YES
write_enable=YES
# Get permissions right for Apache: with file_open_mode=0666 and
# local_umask=0022, newly uploaded files are created 644 and directories 755.
file_open_mode=0666
local_umask=0022
# Set the name of the PAM service vsftpd will use; the PAM file lives in
# /etc/pam.d/ (here /etc/pam.d/vsftpd.virtual, created in Step-4)
pam_service_name=vsftpd.virtual
# Activates virtual users
guest_enable=YES
# Specify the guest user name (the local account virtual users are mapped to)
guest_username=apache
# Chroot users and lock them down to their home directories
chroot_local_user=YES
# Directory of per-user configuration files, e.g. to set a user's home directory
user_config_dir=/etc/vsftpd/user_conf
# Hide ids from users: all user and group information in directory listings will be hidden
hide_ids=YES
Save and exit the file.
Step-4: Create A PAM File Which Uses Your New Database
The following PAM configuration authenticates users against your new database. Create /etc/pam.d/vsftpd.virtual:
# vi /etc/pam.d/vsftpd.virtual
Append the following:
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vsftpd.passwd
account required pam_userdb.so db=/etc/vsftpd/vsftpd.passwd
session required pam_loginuid.so
Save & Exit.
Step-5: Create The User Configuration Files
Each per-user file lives in the user_config_dir set above and is named after the virtual user:
# cd /etc/vsftpd
# mkdir user_conf
# vi user_conf/ftpuser1
local_root=/var/www/vhosts/domain1.com/public_html
# vi user_conf/ftpuser2
local_root=/var/www/vhosts/domain2.com/public_html
Create one such file for each virtual user.
Step-6: Create The Location Of The Files
Step-7: Set up the location of the files / directories for the virtual users. Type the following commands:
# mkdir -p /var/www/vhosts/domain1.com/public_html
# mkdir -p /var/www/vhosts/domain2.com/public_html
# chown -R apache:apache /var/www/vhosts
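Steps 5 and 7 are repeated for every virtual user, and the username ends up both as a file name under user_config_dir and as the key looked up by PAM, so it is worth validating before anything is written. As an added example that is not part of the original post, the following POSIX shell script provisions one virtual user in a single step: it rejects names that could escape the config directory or the vhost tree (slashes, "..", leading dots, shell-unsafe characters), writes user_conf/USER with the user's local_root, creates the document root and hands it to the apache account, as in the post. The function names (valid_name, docroot_for, provision_vuser) and the environment overrides VSFTPD_USER_CONF, VHOST_BASE and GUEST_OWNER are my own; their defaults are the post's paths. One caveat from vsftpd itself: making the chroot root (here the document root) writable, as the chown -R apache:apache does, is refused by vsftpd 3.0 and later unless allow_writeable_chroot=YES is set.

```sh
#!/bin/sh
# Added example, not from the original post: provision one vsftpd virtual
# user's per-user config file (Step-5) and document root (Step-7).
# VSFTPD_USER_CONF, VHOST_BASE and GUEST_OWNER are assumed names; the
# defaults below are the paths and account used in the post.
set -u

: "${VSFTPD_USER_CONF:=/etc/vsftpd/user_conf}"
: "${VHOST_BASE:=/var/www/vhosts}"
: "${GUEST_OWNER:=apache}"

# docroot_for DOMAIN -> prints the document root the post uses for DOMAIN
docroot_for() {
    printf '%s/%s/public_html\n' "$VHOST_BASE" "$1"
}

# valid_name STRING -> 0 if STRING is safe to use as a file name under
# user_config_dir or as a single path component under VHOST_BASE.
# Rejects empty strings, "/", "..", leading dots and anything outside
# [A-Za-z0-9._-].
valid_name() {
    case $1 in
        ''|*/*|*..*|.*|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    return 0
}

# provision_vuser USER DOMAIN
# Writes VSFTPD_USER_CONF/USER containing local_root=<docroot of DOMAIN>,
# creates that docroot and gives it to the guest account so that uploads
# made through vsftpd (which runs as guest_username) are owned by it.
provision_vuser() {
    user=$1; domain=$2
    valid_name "$user" && valid_name "$domain" \
        || { echo "refusing unsafe user or domain name" >&2; return 1; }
    root=$(docroot_for "$domain")
    mkdir -p "$VSFTPD_USER_CONF" "$root" || return 1
    printf 'local_root=%s\n' "$root" > "$VSFTPD_USER_CONF/$user"
    chmod 644 "$VSFTPD_USER_CONF/$user"
    # Skip the chown when the guest account does not exist (e.g. on a test box).
    if id "$GUEST_OWNER" >/dev/null 2>&1; then
        chown -R "$GUEST_OWNER:$GUEST_OWNER" "$root"
    fi
}

# Usage: sh add-vuser.sh add ftpuser1 domain1.com
case "${1-}" in
    add) provision_vuser "${2-}" "${3-}" ;;
esac
```

After the restart in Step-8, a quick check that the mapping works is a listing with an FTP client, e.g. `curl -u ftpuser1:ftpuserpass1 ftp://localhost/`, which should show the contents of that user's document root and nothing above it.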
Step-8: Restart The FTP Server
Type the following command:
# service vsftpd restart
Step-9: Add rules to your firewall to allow FTP traffic, and also load the FTP connection-tracking helper so that data connections are tracked:
# modprobe ip_conntrack_ftp
Step-10: Test Your Setup
Test with your favourite FTP client program.
