Friday, September 10, 2010

Very Secure File Transfer Protocol Daemon (VSFTPD)

File Transfer Protocol (FTP) is considered the primary method of transferring files between computers over a network. FTP uses a client/server model: an FTP client is used to access the FTP server, and the server provides access to files or storage.

Very Secure File Transfer Protocol Daemon (vsFTPd) is a fast and secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux.

How to Install Very Secure File Transfer Protocol Daemon (vsFTPd)

You can use the rpm command to install vsFTPd as shown below.

[root@RHEL04 ~]# rpm -Uvh vsftpd-2.0.5-10.el5.i386.rpm

Or use the yum command, if you have configured yum properly.


[root@RHEL04 ~]# yum -y install vsftpd


Once vsFTPd is installed, make sure it starts automatically the next time you boot Linux. Use the chkconfig command to enable the vsFTPd service at boot:

[root@RHEL04 ~]# chkconfig vsftpd on

Main files and directories installed with vsftpd

The vsftpd RPM installs the daemon (/usr/sbin/vsftpd), its configuration and related files, as well as FTP directories onto the system.

The following list shows the main files and directories related to vsftpd configuration:

• /etc/rc.d/init.d/vsftpd: The initialization script (initscript) used by the /sbin/service command to start, stop, or reload vsftpd.

• /etc/pam.d/vsftpd: The Pluggable Authentication Modules (PAM) configuration file for vsftpd.

• /etc/vsftpd/vsftpd.conf: The main configuration file for vsftpd.

• /etc/vsftpd/ftpusers: A list of users not allowed to log into vsftpd. By default, this list includes the root, bin, and daemon users, among others, since sending the username and password credentials of sensitive users using clear text is not secure.

• /etc/vsftpd/user_list: This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd/user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd/ftpusers.

• /var/ftp/: The directory containing files served by vsftpd. It also contains the /var/ftp/pub/ directory for anonymous users. Both directories are world-readable, but writable only by the root user.

vsFTPd configuration file /etc/vsftpd/vsftpd.conf

All configuration of vsftpd is done through its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and uses the following format:

=

Lines starting with '#' are comments.

vsFTPd daemon Options in /etc/vsftpd/vsftpd.conf

The following is a list of directives which control the overall behavior of the vsftpd daemon.

listen: When enabled, vsftpd runs in standalone mode. This value is set to YES by default. This directive cannot be used in conjunction with the listen_ipv6 directive.

listen_ipv6: When enabled, vsftpd runs in standalone mode, but listens only on IPv6 sockets. This directive cannot be used in conjunction with the listen directive. The default value is NO.

Log-in Options and Access Controls in /etc/vsftpd/vsftpd.conf

Anonymous access features can be changed for your FTP server by editing the vsftpd.conf file and setting the related entries to YES or NO. The main settings related to anonymous access are:

anonymous_enable: Enabled by default. Use a setting of NO, and then restart the server to turn off anonymous access.

anon_mkdir_write_enable: Allows or disallows the creation of new directories by anonymous users.

anon_other_write_enable: Allows or disallows the deletion or renaming of files and directories by anonymous users.

anon_upload_enable: Controls whether anonymous users can upload files (also depends on the global write_enable setting).

anon_world_readable_only: Allows anonymous users to download only files with world-readable (444) permission.

no_anon_password: When enabled, the anonymous user is not asked for a password. The default value is NO.

banner_file: Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.

cmds_allowed: Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.

ftpd_banner: When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive. By default vsftpd displays its standard banner.

local_enable: When enabled, local users are allowed to log into the system.

userlist_deny: If userlist_deny=NO, only allow users in userlist_file. If userlist_deny=YES (default), never allow users in userlist_file, and do not even prompt for a password.

userlist_enable: When enabled, the users listed in the file specified by the userlist_file directive are denied access (when userlist_deny is YES, the default; with userlist_deny=NO the file becomes an allow-list instead).

userlist_file: Specifies the file referenced by vsftpd when the userlist_enable directive is enabled. This file is created when vsftpd is installed and is located at /etc/vsftpd/user_list.

ftp_username: Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user. The default user is ftp and default home folder is /var/ftp/.

chroot_list_enable: When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in. If enabled in conjunction with the chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in. The default value is NO.

chroot_list_file: Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES. The default value is /etc/vsftpd/chroot_list.

chroot_local_user: When enabled, local users are change-rooted to their home directories after logging in. The default value is NO.

Other important options in /etc/vsftpd/vsftpd.conf

dirlist_enable: When enabled, users are allowed to view directory lists.

write_enable: When enabled, FTP commands which can change the file system are allowed.

accept_timeout: Specifies the amount of time, in seconds, a client using passive mode has to establish a data connection. The default value is 60.

anon_max_rate: Specifies the maximum data transfer rate for anonymous users in bytes per second. The default value is 0, which does not limit the transfer rate.

connect_timeout: Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds. The default value is 60.

idle_session_timeout: Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.

listen_address: Specifies the IP address on which vsftpd listens for network connections. There is no default value for this directive.

listen_address6: Specifies the IPv6 address on which vsftpd listens for network connections when listen_ipv6 is set to YES. There is no default value for this directive.

listen_port: Specifies the port on which vsftpd listens for network connections. The default value is 21.

local_max_rate: Specifies the maximum rate data is transferred for local users logged into the server in bytes per second. The default value is 0, which does not limit the transfer rate.

max_clients: Specifies the maximum number of simultaneous clients allowed to connect to the vsFTPd server when it is running in standalone mode. Any additional client connections to the vsFTPd server would result in an error message. The default value is 0, which does not limit connections.
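To make the directives above concrete, here is an added example (not code from the original post or from the vsftpd project) that audits a vsftpd.conf for the risky combinations discussed: anonymous login left on, anonymous upload or delete/rename, and local users not confined to a chroot jail. It also models the ftpusers / user_list decision from the Log-in Options section. The two configuration files, the ftpusers and user_list contents, and the helper names conf_get, vsftpd_audit, vsftpd_risk_count and ftp_login_allowed are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit vsftpd.conf for risky settings and model the user_list rules.
# All files written below are constructed sample data, not real system files.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "weak" configuration: anonymous users may upload, delete and rename,
# and local users are not confined to their home directories.
WEAK_CONF="$WORK/weak.conf"
cat > "$WEAK_CONF" <<'EOF'
# constructed sample, deliberately permissive
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
EOF

# Constructed hardened counterpart: anonymous access off, local users chrooted,
# user_list used as an allow-list (userlist_deny=NO).
HARD_CONF="$WORK/hardened.conf"
cat > "$HARD_CONF" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
EOF

printf 'root\nbin\ndaemon\n' > "$WORK/ftpusers"   # constructed; mirrors the default deny list
printf 'alice\nbob\n' > "$WORK/user_list"         # constructed allow-list

# conf_get FILE DIRECTIVE [DEFAULT]: value of a directive, ignoring '#' comment lines.
# vsftpd.conf uses directive=value with no surrounding spaces; last occurrence wins here.
conf_get() {
  awk -F= -v key="$2" -v def="${3:-}" '
    /^[[:space:]]*#/ { next }
    $1 == key { val = $2; seen = 1 }
    END { print (seen ? val : def) }' "$1"
}

# vsftpd_audit FILE: print one line per risky setting found. Defaults follow the
# text above: anonymous_enable defaults to YES, the write/chroot directives to NO.
vsftpd_audit() {
  f=$1
  anon=$(conf_get "$f" anonymous_enable YES)
  write=$(conf_get "$f" write_enable NO)
  loc=$(conf_get "$f" local_enable NO)
  if [ "$anon" = YES ]; then
    echo "anonymous login enabled (anonymous_enable=YES)"
    [ "$write" = YES ] && [ "$(conf_get "$f" anon_upload_enable NO)" = YES ] &&
      echo "anonymous upload enabled (write_enable + anon_upload_enable)"
    [ "$write" = YES ] && [ "$(conf_get "$f" anon_other_write_enable NO)" = YES ] &&
      echo "anonymous delete/rename enabled (anon_other_write_enable)"
  fi
  [ "$loc" = YES ] && [ "$(conf_get "$f" chroot_local_user NO)" != YES ] &&
    echo "local users not chrooted (chroot_local_user is not YES)"
  return 0
}

# vsftpd_risk_count FILE: number of findings, for use in scripts and tests
vsftpd_risk_count() { vsftpd_audit "$1" | awk 'END { print NR }'; }

# ftp_login_allowed CONF FTPUSERS USER_LIST USER: prints "allow" or "deny".
# ftpusers is modelled as a flat deny list applied first; user_list is then a
# deny-list (userlist_deny=YES, default) or an allow-list (userlist_deny=NO).
ftp_login_allowed() {
  conf=$1 ftpusers=$2 userlist=$3 user=$4
  grep -qx "$user" "$ftpusers" && { echo deny; return 0; }
  if [ "$(conf_get "$conf" userlist_enable NO)" = YES ]; then
    in_list=$(grep -qx "$user" "$userlist" && echo yes || echo no)
    case "$(conf_get "$conf" userlist_deny YES)" in
      YES) [ "$in_list" = yes ] && { echo deny; return 0; } ;;
      NO)  [ "$in_list" = no ]  && { echo deny; return 0; } ;;
    esac
  fi
  echo allow
}

echo "== weak.conf =="; vsftpd_audit "$WEAK_CONF"
echo "== hardened.conf =="; vsftpd_audit "$HARD_CONF"
echo "alice on hardened: $(ftp_login_allowed "$HARD_CONF" "$WORK/ftpusers" "$WORK/user_list" alice)"
echo "carol on hardened: $(ftp_login_allowed "$HARD_CONF" "$WORK/ftpusers" "$WORK/user_list" carol)"
```

Point vsftpd_audit at a real /etc/vsftpd/vsftpd.conf to get the same report for a live server; the findings are exactly the directive combinations the sections above warn about, and an empty report from the hardened sample shows what the corrected settings look like side by side with the weak ones.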


Wednesday, September 1, 2010

Users and Groups

Although adding users and groups seems like a simple task on the surface, it requires forward planning and preparation for a large user base, such as a large company or an organization whose users need access to multiple computers throughout a building or across a set of worldwide offices.

In addition to a Red Hat Enterprise Linux system having a username for each user allowed access to a system, each system has user groups. A user group is a group of one or more users. A user can be a member of more than one group.

Each user on a Red Hat Enterprise Linux system is assigned a unique user identification number, also known as a UID. UIDs below 500 are reserved for system users such as the root user. System users also include those added for a specific service such as the nfsnobody, rpc and rpcuser users for the NFS service.

By default in Red Hat Enterprise Linux, when a user is added, a private user group is created—meaning that a user group of the same name is created and that the new user is the sole user in that group.

Adding and Modifying Users
Configure the username, full name, and password for the new user. The default login shell for new users is bash. By default, the directory /home// is created as the user’s home directory, and a private group is created for the user.

Adding Users
To add a new user, use the useradd command. The basic syntax is useradd . The username is the only information required to add a new user. The useradd command creates the account, but the account is locked. To unlock the account and create a password for the user, use the command passwd . By default, the user's home directory is created and the files from /etc/skel/ are copied into it. The two exceptions are if the -M option is used and if the home directory already exists.



Password Aging
Optionally, password aging can also be configured with the chage command. If the chage command is immediately followed by a username, the administrator is interactively prompted for the password aging information:

[root@Matrix ~]# chage swathi
Changing the aging information for swathi
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 15
Maximum Password Age [99999]: 15
Last Password Change (YYYY-MM-DD) [2010-09-01]: 2010-09-02
Password Expiration Warning [7]: 5
Password Inactive [-1]: -1
Account Expiration Date (YYYY-MM-DD) [1969-12-31]: 2010-09-17

[root@Matrix ~]# chage -l swathi
Last password change : Sep 02, 2010
Password expires : Sep 17, 2010
Password inactive : never
Account expires : Sep 17, 2010
Minimum number of days between password change : 15
Maximum number of days between password change : 15
Number of days of warning before password expires : 5
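The values entered in the chage session above are stored in the account's /etc/shadow record, and the status that chage -l reports is derived from those fields. As an added example that is not part of the original post, the script below applies the same aging arithmetic to shadow-style records: a password expires at (last change + maximum age) days, the warning window starts "warn" days before that, and a separate account expiration date is checked first. The records are constructed sample data (14854 is the day count since 1970-01-01 for 2010-09-02 and 14869 for 2010-09-17, matching the session above); the function names shadow_status and shadow_audit are mine.

```shell
#!/bin/sh
# Added example: evaluate password aging from /etc/shadow-style records.
# Field layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# (day counts since 1970-01-01). Constructed sample records, not a real shadow file.
SHADOW_SAMPLE='swathi:$6$constructed$hash:14854:15:15:5::14869:
carol:$6$constructed$hash:14800:0:30:7:::
bob:$6$constructed$hash:14000:0:99999:7:::
svc:!!:14854:0:99999:7:::
legacy::14854:0:99999:7:::'

# shadow_status NAME TODAY_DAYS: prints one of
#   account-expired, no-password, locked, never-expires, expired, warning, ok, unknown
shadow_status() {
  printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v user="$1" -v today="$2" '
    $1 == user {
      found = 1
      hash = $2; last = $3; max = $5; warn = $6; acct = $8
      # account expiration (chage "Account Expiration Date") wins over password state
      if (acct != "" && today > acct) { print "account-expired"; exit }
      # empty hash: anyone can log in without a password
      if (hash == "")                 { print "no-password"; exit }
      # a hash starting with ! or * cannot match any password: account is locked
      if (hash ~ /^[!*]/)             { print "locked"; exit }
      # 99999 (the chage default) or an empty max means the password never ages out
      if (max == "" || max >= 99999)  { print "never-expires"; exit }
      expiry = last + max
      if (today > expiry)              print "expired"
      else if (today >= expiry - warn) print "warning"
      else                             print "ok"
      exit
    }
    END { if (!found) print "unknown" }'
}

# shadow_audit TODAY_DAYS: list every account whose status is anything but "ok"
shadow_audit() {
  printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '{ print $1 }' | while read -r name; do
    st=$(shadow_status "$name" "$1")
    [ "$st" = ok ] || echo "$name:$st"
  done
}

echo "swathi on 2010-09-02: $(shadow_status swathi 14854)"
echo "swathi on 2010-09-14: $(shadow_status swathi 14866)"
echo "audit for 2010-09-02:"; shadow_audit 14854
```

Running this against a real /etc/shadow needs root, since the file is readable only by root; the useful output is the audit list, which surfaces accounts with no password, passwords that never expire, and accounts already past their expiry, the states an administrator usually wants to catch before an attacker does.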

Deleting Users
The userdel command is available for deleting users using the userdel syntax. If no command line options are used, the user is deleted and can no longer log into the system. The private user group for the user is also deleted, and the user is removed from any other groups of which he was a member. However, the user's home directory and any other files the user owned are not deleted from the system. To remove the user's home directory and mail spool, use the userdel -r command. All other files owned by the user must be deleted manually if the administrator needs them removed. However, use caution when removing files owned by a removed user; they might be shared files still needed by others in the group.

Any remaining files will still exist with the user's old UID, so be careful when creating new users. If the UID is reused for a different user, you might be giving the new user access to the old user's files, because file permissions are based on the UID and GID associated with the file.


Managing Groups
A new group with the same name as the user is created by default when a new user is added. This new group is referred to as a private user group. Every user has a default group, which is usually the user's private user group, but every user can also be a member of more than one group. When a file or directory is created by a user, the user's default group becomes the group associated with the file, unless the directory has the setgid bit set (the s option to chmod), which makes files created in that directory inherit the directory's group. The additional groups a user is a member of allow the user to access files associated with those groups, subject to the group file permissions.

A unique integer known as a GID is associated with each group. GIDs below 500 are reserved for system groups, just like UIDs below 500 are reserved for system users.

Adding Groups
The groupadd command can be used to add user groups to the system. The basic syntax is
groupadd . If no command-line options are used, the group is created with the next available GID above 499. To specify a GID, use the groupadd -g command. To add a system group, use the groupadd -r command. The first available GID below 500 is used for the system group. To add a system group and specify the GID, use the groupadd -r -g command. Even if you specify a GID for the system group, the GID still needs to be below 500 to follow the numbering convention.

To add users to a group, use the usermod -G command.

Modifying Groups
Other than adding users to the group, the name of the group and the GID of the group can be changed with the groupmod command. To change the GID of a group, use the groupmod -g command. To change the name of the group, use the groupmod -n command.

Red Hat Enterprise Linux also includes the gpasswd command for managing groups. It allows an administrator to configure group administrators, group members, and a group password. Group administrators can add and delete users as well as set, change, or remove the group password. A group can have more than one group administrator. To add group administrators, use the gpasswd -A command, where is a comma-separated list of existing users you want to be group administrators. Don't use any spaces between the commas.

The root user or a group administrator can add users to the group with the gpasswd -a command. Using this method, only one user can be added at a time. Similarly, to remove a user from a group, use the gpasswd -d command. It is also possible for the root user (not a group administrator) to modify the members of a group with the gpasswd -M command, where is a comma-separated list of all the users in the group. Notice the word all: when this command is executed, the group members list changes to the users listed in this command, and any existing members not listed are removed.

To add or change the password for a group, the root user or a group administrator can use the gpasswd command. When changing the password, the old password is not needed. To remove the group password, use the gpasswd -r command.

If a user is a member of a group, she can use the newgrp command to make that group her default group for that login session. If the group has a password, the user must enter the correct password before successfully switching groups. If the group has a password, users who aren't members of the group can also make the group their default group with the newgrp command. If the group doesn't have a password configured, only users who are members of the group can use the newgrp command to change groups for that login session. To disable the use of the newgrp command for a group, use the gpasswd -R command.

How It All Works
A list of all local users is stored in the /etc/passwd file. This file is in plain text format and is readable by anyone logged in to the system, because it is referenced by user-accessible utilities such as ls and who to map user and group IDs to usernames and group names. Each user is listed on a separate line, with the following format:

username:password:uid:gid:real_name:/home/directory:shell

If shadow passwords are used (the default), the encrypted passwords are stored in the /etc/shadow file, readable only by root for security reasons. This file can also store optional password expiration data.

All user groups are stored in the /etc/group file, readable by everyone but only writable by root, for the same reason /etc/passwd has these permissions: user utilities need to be able to map group IDs to group names. Each group is listed on a separate line in the following format:

groupname:password:gid:users

The group name is the actual name of the user group; the password field contains the x character if shadow passwords are used, or the encrypted password if shadow passwords are not used. The gid is the unique group ID for the group, and the users field is a comma-delimited list of users in the group. If shadow passwords are used for group passwords (the default), they are stored in /etc/gshadow, a file readable only by the root user.

When a new user is added, files from the /etc/skel/ directory are copied to the user's home directory unless the administrator chooses not to create one.
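The two record formats above are simple enough to parse with awk, and doing so shows how the passwd and group files fit together: a user belongs to a group either through the gid field of their passwd entry or through the users field of the group entry. The script below is an added example, not code from the original post: it resolves effective group membership from constructed passwd- and group-style records and flags two anomalies worth checking on any system, a second account with UID 0 and two accounts sharing one UID (the same exposure the text describes for files left behind by a deleted user whose UID is later reused). The record contents and the function names members_of, uid0_accounts and duplicate_uids are constructed for this example.

```shell
#!/bin/sh
# Added example: parse /etc/passwd- and /etc/group-style records to resolve group
# membership and flag UID anomalies. Constructed sample data; "backup" (a second
# UID 0) and "carol" (UID shared with bob) are deliberately wrong.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
swathi:x:500:500:Swathi:/home/swathi:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
backup:x:0:0:backup operator:/root:/bin/bash
carol:x:501:502:Carol:/home/carol:/bin/bash'

GROUP_SAMPLE='root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
swathi:x:500:
bob:x:501:
carol:x:502:
developers:x:600:swathi,carol'

# join_lines: turn stdin lines into one comma-separated line (no trailing comma)
join_lines() {
  awk '{ printf "%s%s", (NR > 1 ? "," : ""), $0 } END { print "" }'
}

# members_of GROUP: users whose primary GID (passwd field 4) is the group's GID,
# plus the users listed in the group's own users field; sorted and deduplicated.
# Returns 1 if the group does not exist.
members_of() {
  gid=$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" '$1 == g { print $3 }')
  [ -n "$gid" ] || return 1
  {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v g="$gid" '$4 == g { print $1 }'
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" \
      '$1 == g && $4 != "" { n = split($4, u, ","); for (i = 1; i <= n; i++) print u[i] }'
  } | sort -u | join_lines
}

# uid0_accounts: accounts other than root that carry UID 0, i.e. full root privilege
uid0_accounts() {
  printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# duplicate_uids: UIDs assigned to more than one account. The permission system
# only sees the number, so both accounts own each other's files.
duplicate_uids() {
  printf '%s\n' "$PASSWD_SAMPLE" |
    awk -F: '{ c[$3]++ } END { for (u in c) if (c[u] > 1) print u }' |
    sort -n | join_lines
}

echo "developers: $(members_of developers)"
echo "root group: $(members_of root)"
echo "extra UID 0 accounts: $(uid0_accounts)"
echo "duplicate UIDs: $(duplicate_uids)"
```

Replacing the two sample variables with `cat /etc/passwd` and `cat /etc/group` turns this into a quick audit of a real system: the root group listing shows every account whose primary group is root, and any output from uid0_accounts or duplicate_uids deserves immediate attention.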

NOTE
By default, a home directory is created when a user is added. If the user's home directory already exists (for example, the /home/ directory was preserved during reinstallation), the files from /etc/skel/ are not copied to the existing home directory, so that the existing files are not overwritten. This behavior has changed in recent versions of useradd, so use caution when performing this same operation on older versions of Red Hat Enterprise Linux.
The default values used when adding a user are stored in the /etc/default/useradd file. Additional default values for creating users and groups are located in the /etc/login.defs file. This file is documented with comments above each directive, which should be easy to follow if modifications are needed. The following can be modified with options from this file:
• Mail spool directory
• Maximum number of days a password can be used
• Minimum number of days between password changes
• Minimum password length accepted
• Number of days to warn user before password expires
• Maximum UID for automatic selection by useradd
• Minimum UID for automatic selection by useradd
• Maximum GID for automatic selection by groupadd
• Minimum GID for automatic selection by groupadd
• Whether to remove cron and print jobs owned by user when user is removed
• Whether or not to create the home directory by default

Deleting Groups
To delete an existing group, use the groupdel command. The group is removed, and the users in the group are no longer members of the group.