VSFTPD service and integration with AD

I. INITIAL SETUP

  1. Configure the IP address

[root@centos ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
HWADDR=00:0C:29:0A:20:99
TYPE=Ethernet
UUID=a5b5cf6d-7ab8-4d2d-93b0-32f4a848e4ae
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.106.22
NETMASK=255.255.255.0
GATEWAY=192.168.106.1

  2. DNS servers can be added in this file

[root@centos ~]# vi /etc/resolv.conf

  3. Restart the networking service

[root@centos ~]# /etc/init.d/network restart

  4. Configure iptables to allow the FTP service, by editing the rules file from the command line

[root@centos ~]# vi /etc/sysconfig/iptables

 

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

[root@centos ~]# service iptables restart

 

II. Install and Configure VSFTPD in active mode

[root@mainserver ~]# yum install -y vsftpd

[root@mainserver ~]# vi /etc/vsftpd/vsftpd.conf

Disable anonymous login

anonymous_enable=NO

When this line is set to YES, all local users are jailed (chroot) in their home directory and denied access to any other part of the server.

chroot_local_user=YES

Show file timestamps in directory listings in local time rather than GMT.

use_localtime=YES

The resulting file looks like this:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES

 

Create a new FTP user

[root@mainserver ~]# useradd an

[root@mainserver ~]# passwd an

Configure SELinux to allow upload/download in the user's home directory

[root@mainserver ~]# setsebool -P ftp_home_dir on

[root@mainserver ~]# service vsftpd restart

[root@mainserver ~]# chkconfig vsftpd on

 

III. Important directives of vsftpd.conf

Enable local users to log in with their regular password

local_enable=YES

Restrict users to their home directory (chroot)

chroot_local_user=YES

If write_enable is set, permissions of uploaded files and directories are derived from this umask

local_umask=022

Allow anonymous users to upload files (left commented out here, so it stays disabled)

#anon_upload_enable=YES

Allow anonymous users to create directories (left commented out here, so it stays disabled)

#anon_mkdir_write_enable=YES

Set the FTP banner

ftpd_banner=Welcome to blah FTP service

Name the Pluggable Authentication Modules (PAM) service used to authenticate FTP logins

pam_service_name=vsftpd

Block users listed in /etc/vsftpd/user_list

userlist_enable=YES

Honour the access rules in /etc/hosts.allow and /etc/hosts.deny through TCP Wrappers

tcp_wrappers=YES
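The baseline from sections II and III can be checked mechanically. The script below is an added example and not from the original post; it assumes a POSIX shell with sed and mktemp, uses vsftpd's documented defaults for directives that are unset, and the config it audits in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a vsftpd.conf against the
# baseline recommended above. Lines starting with "#" never match the key
# pattern, so a commented-out directive such as "#anon_upload_enable=YES" is
# treated as unset and falls back to the vsftpd compiled-in default.

# Print the effective value of a directive: the last uncommented "key=value"
# line in the file, or the given default if no such line exists.
# Usage: vsftpd_effective <conf> <directive> <default>
vsftpd_effective() {
    val=$(sed -n "s/^[[:space:]]*$2=[[:space:]]*\(.*\)$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# Compare the effective configuration with the expected values and print one
# "FINDING:" line per mismatch. Each entry is directive:default:expected; the
# defaults are the ones documented in vsftpd.conf(5).
vsftpd_audit() {
    for entry in anonymous_enable:YES:NO anon_upload_enable:NO:NO \
                 anon_mkdir_write_enable:NO:NO chroot_local_user:NO:YES \
                 local_enable:NO:YES userlist_enable:NO:YES \
                 pam_service_name:ftp:vsftpd; do
        key=${entry%%:*}; rest=${entry#*:}
        def=${rest%%:*}; want=${rest#*:}
        got=$(vsftpd_effective "$1" "$key" "$def")
        [ "$got" = "$want" ] || echo "FINDING: $key is '$got', expected '$want'"
    done
}

# Demo on a constructed config: anonymous login and upload are on, and the
# chroot line is commented out, so three findings are expected.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
#chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
EOF
vsftpd_audit "$demo_conf"
rm -f "$demo_conf"
```

Values are compared exactly as written, so keep the upper-case YES/NO spelling used in the file above.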

IV. USING WINDOWS ACTIVE DIRECTORY FOR AUTHENTICATION

You only need to join the CentOS host to the Windows domain; vsftpd then authenticates domain users through PAM (pam_service_name=vsftpd above).

Read here: https://duongtuanan.wordpress.com/2015/09/03/join-centos-to-windows-ad/

V. SELinux booleans associated with the vsftpd daemon

There are five SELinux booleans associated with the vsftpd daemon (as in section II, add -P to setsebool to make a change persist across reboots).

Run the vsftpd daemon in an SELinux context without any restriction

# setsebool allow_ftpd_full_access 1

Allow writing files to directories labelled with the public_content_rw_t SELinux type

# setsebool allow_ftpd_anon_write 1

Allow the FTP server to serve files shared via CIFS

# setsebool allow_ftpd_use_cifs 1

Allow the FTP server to serve files shared via NFS

# setsebool allow_ftpd_use_nfs 1

Allow FTP read/write access to user home directories

# setsebool ftp_home_dir 1

Any directory used for read-only FTP operations must be labelled public_content_t

# chcon -R -t public_content_t /var/ftp/pub/

Any directory used for read-write FTP operations must be labelled public_content_rw_t

# chcon -R -t public_content_rw_t /var/pub/ftp

 

 

About Terri

System Administrator @Netpower Datacenter

Posted on 24.09.2015, in Linux, Technical Articles.