The vsftpd FTP daemon as shipped on Fedora 17 does not work out of the box. It fails in its default mode (vsftpd refuses to chroot a user into a writable home directory), it does not enable TLS, it allows anonymous logins by default, and once you turn TLS on, passive mode stops working through the iptables firewall, because the kernel's FTP connection-tracking helper can no longer read the PASV reply on the encrypted control channel.
Goal: TLS, no chroot, no anonymous logins, working passive mode.
Setup:
First cd to /etc/pki/tls/certs and run ‘make vsftpd.pem’. The Makefile there prompts for the certificate subject and writes a self-signed certificate together with its private key into that one file, so ‘chmod 600 vsftpd.pem’ afterwards: the key is in it.
Then edit /etc/vsftpd/vsftpd.conf. Here’s a working configuration (comments are on their own lines, which is the only place vsftpd accepts them):
# No anonymous logins; local users may log in and write
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
# Logging
xferlog_enable=YES
dual_log_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
# No chroot (avoids the writable-root refusal)
chroot_local_user=NO
ls_recurse_enable=YES
# Standalone on the IPv6 "any" address, which also accepts IPv4 clients
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# TLS: logins must be encrypted; SSLv2 and SSLv3 off
ssl_enable=YES
allow_anon_ssl=NO
# NO means the server will not refuse a cleartext data channel;
# the client has to ask for TLS on data (see the lftp settings below)
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
# Fixed passive range, opened statically in iptables below
pasv_min_port=50000
pasv_max_port=50064
# Client compatibility: do not demand TLS session reuse on data connections
require_ssl_reuse=NO
# The 3.0 seccomp filter is known to kill sessions on some kernels
seccomp_sandbox=NO
Now edit /etc/sysconfig/iptables. With TLS on the control channel the standard nf_conntrack_ftp helper cannot see the PASV reply, so it cannot open data ports on demand. It would be nice if somebody enhanced it to know about the .pem file, but a helper that did would have to decrypt every session, so in practice the answer is to pin the passive range in vsftpd.conf (as above) and open exactly that range statically. If the server sits behind NAT you will also need pasv_address in vsftpd.conf so clients are told the public address. Here’s a working set of rules matching the (arbitrary) port range chosen above:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 50000:50064 -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
Then restart vsftpd and iptables (on Fedora 17: systemctl restart vsftpd.service iptables.service) and you should be good to go. Before trying a client you can confirm the server really offers TLS with ‘openssl s_client -starttls ftp -connect yourserver:21’, which should print the certificate you generated. FileZilla will work with its defaults. For lftp, you can create a .lftprc file like this:
set ssl:verify-certificate false
set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-allow yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
Note that ‘ssl:verify-certificate false’ turns certificate checking off entirely, so anyone in the path with any certificate could impersonate the server. Since the server’s certificate is self-signed, the better option is to copy the certificate (not the key) out of vsftpd.pem to the client, point ‘set ssl:ca-file’ at it, and leave verification on. The ssl-protect-* lines matter because the server above does not force TLS on the data channel; they make lftp request it.
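As an added example (not from the original post), here is a small audit script that checks a vsftpd.conf and an iptables rules file against the goals above: anonymous off, TLS forced for logins, SSLv2/SSLv3 off, no chroot, and a fixed passive range that the firewall actually opens. The sample configuration files it writes are constructed for this example (a copy of the working settings above, a stock-looking config, and the rules from above plus a deliberately mismatched set); the file names and the `vsftpd_get`, `expect_opt`, `audit_vsftpd_conf` and `check_pasv_firewall` functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf and an
# iptables rules file against the goals above. Sample files are constructed;
# pass /etc/vsftpd/vsftpd.conf /etc/sysconfig/iptables to audit a real host.

# Print the value of KEY ($1) from vsftpd config FILE ($2): comments are
# ignored and the last assignment wins; prints nothing if the key is absent.
vsftpd_get() {
    grep -v '^[[:space:]]*#' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# Return 0 if KEY ($1) in FILE ($3) is exactly EXPECTED ($2); otherwise say
# why and return 1. An unset key fails: the audit trusts explicit settings only.
expect_opt() {
    actual=$(vsftpd_get "$1" "$3")
    [ "$actual" = "$2" ] && return 0
    echo "FAIL: $1=${actual:-<unset>} (want $2)" >&2
    return 1
}

# Check the settings that matter for the goals; returns the failure count.
audit_vsftpd_conf() {
    fails=0
    for kv in anonymous_enable=NO ssl_enable=YES force_local_logins_ssl=YES \
              ssl_sslv2=NO ssl_sslv3=NO chroot_local_user=NO; do
        expect_opt "${kv%%=*}" "${kv#*=}" "$1" || fails=$((fails + 1))
    done
    # Warn only: the post deliberately leaves data-channel TLS to the client.
    [ "$(vsftpd_get force_local_data_ssl "$1")" = YES ] ||
        echo "WARN: force_local_data_ssl != YES; data channel may be cleartext" >&2
    return "$fails"
}

# Return 0 if RULES ($2) has an ACCEPT for exactly the passive range that
# CONF ($1) advertises, else 1. The range must be fixed: with TLS the kernel
# FTP helper cannot read the PASV reply, so nothing opens ports dynamically.
check_pasv_firewall() {
    lo=$(vsftpd_get pasv_min_port "$1")
    hi=$(vsftpd_get pasv_max_port "$1")
    if [ -z "$lo" ] || [ -z "$hi" ]; then
        echo "FAIL: pasv_min_port/pasv_max_port unset in $1; passive ports would be random" >&2
        return 1
    fi
    grep -Eq -- "-p tcp .*--dport $lo:$hi .*-j ACCEPT" "$2" && return 0
    echo "FAIL: no ACCEPT rule for tcp dport $lo:$hi in $2" >&2
    return 1
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: the security-relevant lines of the working config above.
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=NO
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
pasv_min_port=50000
pasv_max_port=50064
EOF
# Constructed sample resembling a stock config: anonymous on, no TLS, no range.
cat > "$SAMPLE_DIR/stock.conf" <<'EOF'
# stock-style configuration (constructed for this example)
anonymous_enable=YES
local_enable=YES
write_enable=YES
EOF
# Constructed sample: the firewall rules from the post.
cat > "$SAMPLE_DIR/iptables" <<'EOF'
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 50000:50064 -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
EOF
# Constructed sample: rules that open a range the config does not use.
cat > "$SAMPLE_DIR/iptables-wrong" <<'EOF'
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 40000:40064 -m state --state NEW -j ACCEPT
EOF

# Audit the files named on the command line, or the good samples by default.
conf=${1:-"$SAMPLE_DIR/good.conf"}
rules=${2:-"$SAMPLE_DIR/iptables"}
if audit_vsftpd_conf "$conf" && check_pasv_firewall "$conf" "$rules"; then
    echo "OK: $conf and $rules match the goals"
else
    echo "Audit of $conf / $rules found problems (see above)"
fi
```

Run with no arguments it audits the embedded samples; run as `sh audit.sh /etc/vsftpd/vsftpd.conf /etc/sysconfig/iptables` it audits the live files. The firewall check deliberately requires the rule's port range to equal the configured range rather than merely contain it, so a config edit that widens the range is caught before the first client reports "connection refused" on data transfers.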