This article is transferred from: http://bbs.chinaunix.net/thread-561183-1-1.html
Original title: Complete Guide to vsftp Configuration---Ultra Complete, First Published in CU's FTP Section
vsftpd.conf is used to control various functions of VSFTPD. By default, its location is /etc/vsftpd.conf.
(Note from the translator: Perhaps in older versions of LINUX, the configuration file is located here, but in newer LINUX versions, such as FC2, the configuration file is in the /etc/vsftpd directory.
However, it may also depend on the installation method; for RPM package installations, the configuration file is /etc/vsftpd.conf. For source package installations: /etc/vsftpd/vsftpd.conf. I'm not sure.
But I won't point this out specifically in the future; it's really tiring!!)
However, you can point vsftpd at a different configuration file by passing its path as a command-line argument (for example, vsftpd /etc/vsftpd/other.conf). This is useful because you might want to use an advanced inetd such as xinetd to launch vsftpd with a different configuration file for each virtual host on a multi-host machine.
Format
The format of VSFTPD.conf is very simple; each line is either a comment or a directive. Comment lines start with # and are ignored. The directive line format is as follows:
configuration_item=parameter_value
An important point is that no spaces are permitted between the option name, the "=" and the value: a line such as "anonymous_enable = NO" is rejected by vsftpd.
Any option not present in the configuration file takes its compiled-in default (the values listed as "Default value" below).
Boolean Options
The boolean options for parameter values can be:
YES or NO
allow_anon_ssl
This option can only be enabled if ssl_enable is activated. If set to YES, anonymous users will be allowed to use secure SSL connections to the server.
Default value: NO
anon_mkdir_write_enable
If set to YES, anonymous users will be allowed to create new directories in the specified environment. For this option to take effect, the write_enable configuration must be activated, and anonymous users must have write permission in their parent directory.
Default value: NO
anon_other_write_enable
If set to YES, anonymous users are granted further write permissions, such as deletion and renaming. This is generally not recommended and is included only for completeness.
Default value: NO
anon_upload_enable
If set to YES, anonymous users will be allowed to upload files in the specified environment. For this option to take effect, the write_enable configuration must be activated, and anonymous users must have write permission in the relevant directory.
Default value: NO
anon_world_readable_only
When enabled, anonymous users are only allowed to download files that are world-readable. This recognises that the ftp user itself may own files, especially when uploads are enabled: with the default anon_umask of 077 an anonymous upload is created owner-readable only, so this option keeps one anonymous client's upload from being served back to the next.
Default value: YES
anonymous_enable
Controls whether anonymous users are allowed to log in. If allowed, both "ftp" and "anonymous" will be treated as "anonymous" and allowed to log in.
Default value: YES
ascii_download_enable
When enabled, a client's request for ASCII mode is honoured on downloads. Otherwise vsftpd transfers files as binary regardless of the requested mode.
Default value: NO
ascii_upload_enable
When enabled, a client's request for ASCII mode is honoured on uploads. Otherwise vsftpd stores files as binary regardless of the requested mode.
Default value: NO
async_abor_enable
When enabled, a special FTP command known as "async ABOR" will be accepted. Only ill-advised FTP clients use this feature. Moreover, it is awkward to handle, so it is
disabled by default. Unfortunately, some clients hang when cancelling a transfer unless this feature is available (note from daidong: probably the client becomes unresponsive), so you may wish to enable it.
Default value: NO
background
When enabled, and if vsftpd is started in "listen" mode (note from daidong: that is, standalone mode), vsftpd will put the listening process into the background, i.e. control returns immediately to the shell that launched vsftpd.
Default value: NO
check_shell
Note: This option only has an effect for non-PAM builds of vsftpd. If disabled, vsftpd will not check /etc/shells for a valid user shell when local users log in.
Default value: YES
chmod_enable
When enabled, the SITE CHMOD command will be allowed. Note that this can only be used for local users. Anonymous users must never use SITE CHMOD.
Default value: YES
chown_uploads
If enabled, the owner of files uploaded by anonymous users will change to the user specified in chown_username. This is useful for managing FTP and may also benefit security.
Default value: NO
chroot_list_enable
If activated, you must provide a user list; users in the list will be placed in their home directory after logging in, locked in a virtual root (note from daidong: after entering FTP, you can see that the current directory is "/", which is the virtual root. It is the root directory of FTP, not the root directory of the FTP server system). If chroot_local_user is set to YES, its meaning will change slightly.
In this case, users in this list will not be locked in the virtual root.
By default, this list file is /etc/vsftpd.chroot_list, but you can change the default value by modifying chroot_list_file.
Default value: NO
chroot_local_user
If set to YES, local users are (by default) placed in a chroot() jail in their home directory after login.
Warning:
This option has security implications, especially if users have upload permission or shell access. Enable it only if you know what you are doing.
Note that these security implications are not specific to vsftpd; they apply to every FTP daemon that offers to put local users in a chroot() jail. The recurring hazard is a jail whose root directory is writable by the jailed user: keep the jail root owned by root and not writable by the user, and give the user a writable subdirectory inside it instead.
Default value: NO
connect_from_port_20
This controls whether PORT-style data connections originate from port 20 (ftp-data) on the server. For security reasons, some clients insist on this. Conversely, disabling this option lets vsftpd run with slightly less privilege, since binding a port below 1024 requires root.
Default value: NO (but in the sample configuration file, it is enabled, i.e., YES)
deny_email_enable
If activated, you may provide a list of anonymous-user passwords (note from daidong: we all know that anonymous users use email addresses as passwords); an anonymous login that offers one of these passwords is denied.
By default, this list file is /etc/vsftpd.banned_emails, but you can change it by setting banned_email_file.
Default value: NO
dirlist_enable
If set to NO, all list commands (note from daidong: such as ls) will return a "permission denied" prompt.
Default value: YES
dirmessage_enable
If enabled, users of the FTP server will see a message when they first enter a new directory. By default, it will look for a .message file in this directory, but you can also
change the default value by modifying message_file.
Default value: NO (but in the configuration sample file, it is enabled)
download_enable
If set to NO, download requests will return "permission denied."
Default value: YES
dual_log_enable
If enabled, two LOG files will be generated, the default being /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd format LOG that can be analyzed by general tools.
The latter is a dedicated LOG format for VSFTPD.
Default value: NO
force_dot_files
If activated, even if the client does not use the "a" flag, files and directories starting with a dot (.) will be displayed in the directory resource list. However, "." and ".." will not be displayed. (note from daidong: that is, the current directory and the parent directory in LINUX will not be displayed as ‘.’ or ‘..’).
Default value: NO
force_local_data_ssl
Can only be enabled if ssl_enable is activated. If enabled, all non-anonymous users will be forced to use secure SSL logins to send and receive data over the data line.
Default value: YES
force_local_logins_ssl
Can only be enabled if ssl_enable is activated. If enabled, all non-anonymous users will be forced to use secure SSL logins to send passwords.
Default value: YES
guest_enable
If enabled, all non-anonymous users logging in will be treated as "guests," and their names will be mapped to the name specified in guest_username.
Default value: NO
hide_ids
If enabled, all user and group information in the directory resource list will be displayed as "ftp."
Default value: NO
listen
If enabled, VSFTPD will run in standalone mode, meaning it can start without relying on inetd or similar services. Run the VSFTPD executable once, and then VSFTPD will listen for and handle connection requests by itself.
Default value: NO
listen_ipv6
Similar to the listen parameter, but with one difference: when enabled, VSFTPD will listen to IPV6 sockets instead of IPV4. This setting is mutually exclusive with the listen setting.
Default value: NO
local_enable
Used to control whether local users are allowed to log in. If enabled, normal user accounts in /etc/passwd will be used for login.
Default value: NO
log_ftp_protocol
When enabled, if xferlog_std_format is not activated, all FTP requests and feedback information will be recorded. This is commonly used for debugging.
Default value: NO
ls_recurse_enable
If enabled, "ls -R" is allowed. This is a minor security risk: an "ls -R" at the top level of a large site can consume a lot of server resources, which makes it a cheap denial-of-service lever.
Default value: NO
no_anon_password
If enabled, VSFTPD will not ask anonymous users for a password. Anonymous users will log in directly.
Default value: NO
no_log_lock
When enabled, vsftpd will not take a file lock when writing to the log file. This option should generally not be enabled. It exists to work around operating system bugs such as the Solaris / Veritas filesystem combination, which has
been observed to sometimes hang when trying to lock log files. (note from daidong: I don't quite understand this either. So the translation may not be close to the original meaning. The original text is: It exists to workaround
operating system bugs such as the Solaris / Veritas filesystem combination
which has been observed to sometimes exhibit hangs trying to lock log files.)
Default value: NO
one_process_model
If you have a Linux 2.4 kernel, it is possible to use a different security model that uses only one process per connection, instead of vsftpd's usual pair of a privileged parent and an unprivileged child per session. It is a less pure security model, but it gains performance; because no privileged process remains, it is usable for anonymous-only servers. Do not enable this unless you know what you are doing and your
site supports huge numbers of simultaneously connected users.
Default value: NO
passwd_chroot_enable (note from daidong: read this section yourself, speechless...)
If enabled, along with chroot_local_user, a chroot() jail location may be specified on a per-user basis. Each user's jail is derived from the home directory string in /etc/passwd: the occurrence of /./ in that string marks where the jail is.
For example, a home directory of /home/chris/./public puts chris in a jail rooted at /home/chris and starts the session in /public inside that jail, so the jail root itself can stay owned by root and read-only.
Default value: NO
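As an added illustration of the /./ rule above (example code written for this page, not part of vsftpd): a small Python function that splits a home-directory string the way passwd_chroot_enable describes, plus a pass over constructed /etc/passwd lines that shows which users would land directly in a jail root that is their own, normally writable, home directory. The function names and sample entries are mine, and so is the assumption that only the first /./ in the string counts.

```python
"""How passwd_chroot_enable reads a home-directory string. Added example written for
this page, not vsftpd's code; the sample /etc/passwd lines below are constructed."""

def chroot_jail_for(home):
    """Split a home-directory string into (jail root, start directory inside the jail).

    Page rule: with passwd_chroot_enable=YES and chroot_local_user=YES, "/./" in the
    home string marks where the jail is. Assumption (mine): only the first "/./"
    counts, and a home string without one makes the whole home directory the jail.
    """
    if "/./" not in home:
        return home.rstrip("/") or "/", "/"
    jail, inside = home.split("/./", 1)
    return jail or "/", "/" + inside.strip("/")

def plan_jails(passwd_text):
    """Map user -> (jail, start) for each /etc/passwd line (7 colon-separated fields)."""
    plan = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        plan[fields[0]] = chroot_jail_for(fields[5])
    return plan

def lands_in_jail_root(plan):
    """Users whose start directory is the jail root itself. Their home directory *is*
    the jail, and a home directory is normally writable by its owner: that is the
    writable-jail-root case the chroot_local_user warning on this page is about."""
    return sorted(user for user, (_jail, start) in plan.items() if start == "/")

# Constructed sample: alice has a plain home, bob and carol use the /./ marker.
SAMPLE_PASSWD = """\
alice:x:1001:1001:Alice:/home/alice:/usr/sbin/nologin
bob:x:1002:1002:Bob:/home/bob/./upload:/usr/sbin/nologin
carol:x:1003:1003:Carol:/srv/ftp/./:/usr/sbin/nologin
"""

if __name__ == "__main__":
    jails = plan_jails(SAMPLE_PASSWD)
    for user, (jail, start) in sorted(jails.items()):
        print("%-6s jail=%-12s start=%s" % (user, jail, start))
    print("start in jail root:", lands_in_jail_root(jails))
```

For bob the jail root /home/bob can be root-owned and unwritable while /home/bob/upload (seen as /upload inside the jail) is the only place he can write; alice and carol start in the root of their jail, so their jail root is whatever their home directory permissions allow.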
pasv_enable
If you do not want to use passive mode for obtaining data connections, set it to NO.
Default value: YES
pasv_promiscuous
Set to YES to disable the PASV security check that ensures the data connection originates from the same IP address as the control connection. Only enable it if you know what you are doing (note from daidong: the original phrase is: Only enable it if you know what you're doing!)
The only legitimate uses are some form of secure tunnelling scheme, or perhaps to support FXP (server-to-server transfers); enable it only then.
Default value: NO
port_enable
If you want to disallow the PORT method of obtaining a data connection, set this to NO.
Default value: YES
port_promiscuous
Set to YES to disable the PORT security check that ensures outgoing data connections can only go to the client's own address. Only enable it if you know what you are doing: without this check a client can direct the server's data connection at a third host (the classic FTP bounce attack).
Default value: NO
run_as_launching_user
Set to YES if you want vsftpd to run as the user that launched it. This is useful where root access is not available (note from daidong: it should not mean that the ROOT user does not have permission to start VSFTPD,
but rather due to other reasons, such as security restrictions, cannot start VSFTPD directly as ROOT). MASSIVE WARNING!! Do not enable this option unless you totally know what you are doing (daidong: speechless....)!!! Naive use of this option creates
serious security problems: vsftpd does not and cannot use a chroot() jail to restrict file access when this option is set (even if it was launched by root). A poor substitute is a deny_file setting such as {/*,*..*},
but its reliability cannot compare with chroot() and it should not be relied on.
If this option is set, many other options are restricted. Options that require privilege, such as non-anonymous logins, changing the ownership of uploads, connecting from port 20 and listening on ports below 1024, are not expected to work. Other options may also be affected.
Default value: NO
secure_email_list_enable
Set to YES if you want only a specified list of e-mail passwords for anonymous logins to be accepted. This is a low-effort way of restricting access to low-security content without needing virtual users. When enabled, anonymous logins are refused unless the password provided is listed in the file given by email_password_file. The file format is one password per line, with no extra whitespace (note from daidong: whitespace, translated as space, not sure if correct).
The default filename is /etc/vsftpd.email_passwords.
Default value: NO
session_support
This controls whether vsftpd attempts to maintain login sessions. If it does, it will try to update utmp and wtmp, and, when PAM is used for authentication, it will open a PAM session and close it only on logout.
You may wish to disable this if you do not need session logging and want vsftpd to run with fewer processes and/or less privilege.
Note: utmp and wtmp support is only provided in PAM-enabled builds.
Default value: NO
setproctitle_enable
If enabled, VSFTPD will display session status information in the system process list. In other words, the process name will change to the action currently being executed by the VSFTPD session (waiting, downloading, etc.). For security purposes, you can disable this option.
Default value: NO
ssl_enable
If enabled, vsftpd will enable openSSL, supporting secure connections via SSL. This setting controls connections (including logins) and data lines. At the same time, your client must also support SSL.
Note: Be careful when enabling this option. VSFTPD does not guarantee the security of the OpenSSL library. If you enable this option, you must be sure that the OpenSSL library you installed is secure.
Default value: NO
ssl_sslv2
Only applies if ssl_enable is activated. If enabled, connections using the SSL v2 protocol will be accepted; TLS v1 connections are preferred. SSL v2 is broken and has long been withdrawn; leave this at NO.
Default value: NO
ssl_sslv3
Only applies if ssl_enable is activated. If enabled, connections using the SSL v3 protocol will be accepted; TLS v1 connections are preferred. SSL v3 is likewise deprecated; leave this at NO.
Default value: NO
ssl_tlsv1
Must activate ssl_enable to enable it. If enabled, connections using the TLS V1 protocol will be allowed. TLS V1 connections will be preferred.
Default value: YES
syslog_enable
If enabled, any log output that would have gone to /var/log/vsftpd.log goes to the system log instead, logged under the FTPD facility.
Default value: NO
tcp_wrappers
If enabled, vsftpd will be supported by tcp_wrappers. Incoming connections will be responded to by tcp_wrappers access control. If tcp_wrappers sets the
VSFTPD_LOAD_CONF environment variable, then vsftpd will attempt to call the configuration specified by this variable.
Default value: NO
text_userdb_names
By default, numeric IDs will be displayed in the user and group areas in the file list. You can edit this parameter to make it use text instead of numeric IDs. To ensure FTP performance, this option is disabled by default.
Default value: NO
tilde_user_enable
If enabled, vsftpd will attempt to resolve path names such as ~chris/pics (a tilde followed by a username). Note that vsftpd always resolves the path names ~ and ~/something, where ~ is the initial login directory.
Note that ~user paths can only be resolved if a file /etc/passwd is found inside the current chroot() jail.
Default value: NO
use_localtime
If enabled, vsftpd will display your local time when showing the directory resource list. The default is to display GMT (Greenwich Mean Time). The time displayed by the MDTM FTP command will also be affected by this setting.
Default value: NO
use_sendfile
An internal setting used to test the benefits of using the sendfile() system call on your platform.
Default: YES
userlist_deny
This option is examined only if userlist_enable is activated. If set to NO, users are denied login unless they are explicitly listed in userlist_file (the file becomes an allow list); if set to YES, the listed users are the ones denied (a deny list).
Either way, a denied user is refused before being asked for a password.
Default value: YES
userlist_enable
If enabled, vsftpd will read the user list from userlist_file. If a user attempts to log in with a username in the file, they will be refused by the system before being asked for a user password.
This will prevent plaintext passwords from being transmitted. See userlist_deny.
Default value: NO
virtual_use_local_privs
If enabled, virtual users will have the same permissions as local users. By default, virtual users have the same permissions as anonymous users, who often have more restrictions (especially write permissions).
Default value: NO
write_enable
This determines whether certain FTP commands are allowed to change the file system. These commands are STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE.
Default value: NO
xferlog_enable
If enabled, a log file will detail the information of uploads and downloads. By default, this file is /var/log/vsftpd.log, but you can specify its default location by changing vsftpd_log_file.
Default value: NO (but in the sample configuration file, this option is enabled)
xferlog_std_format
If enabled, the log file will be written in the standard xferlog format (the format used by wu-ftpd) for easier analysis with existing statistical analysis tools. However, the default format has better readability. By default, the log file is in /var/log/xferlog.
But you can specify a new path by modifying xferlog_file.
Default value: NO
======
Numeric Options
The following are numeric configuration items. These items must be set to non-negative integers. To facilitate umask settings, octal numbers are allowed, in which case the number must start with 0.
accept_timeout
Timeout, in seconds, setting the maximum time for remote users to attempt to establish a connection in passive mode.
Default value: 60
anon_max_rate
Sets the maximum transfer rate allowed for anonymous users, in bytes/second.
Default value: 0 (unlimited)
anon_umask
The umask applied when anonymous users create files. Note: to give an octal value, keep the leading 0; without it the number is read as decimal (077 is octal, 77 is decimal 77).
Default value: 077
connect_timeout
Timeout. Unit: seconds. Sets the maximum time for remote users to respond to PORT type data connections.
Default value: 60
data_connection_timeout
Timeout, in seconds. The maximum time a data transfer may stall for. When it expires, the remote client is disconnected.
Default value: 300
file_open_mode
The permissions with which uploaded files are created; the umask is applied on top, so with the default 0666 and the default umask of 077 an upload ends up as 0600. Set this value to 0777 (rather than changing the umask) if you want uploaded files to be executable.
Default value: 0666
ftp_data_port
The port from which PORT-style data connections originate, used when connect_from_port_20 is enabled.
Default value: 20
idle_session_timeout
Timeout. Unit: seconds. Sets the maximum time for remote clients between two FTP command inputs. When the time is up, the remote client will be disconnected.
Default value: 300
listen_port
If vsftpd is running in standalone mode, this port setting will listen for FTP connection requests.
Default value: 21
local_max_rate
Sets the maximum transfer speed for locally authenticated users, in bytes/second.
Default value: 0 (unlimited)
local_umask
The umask applied when local users create files. Note: to give an octal value, keep the leading 0; without it the number is read as decimal (077 is octal, 77 is decimal 77).
Default value: 077
max_clients
If vsftpd is running in standalone mode, this sets the maximum number of clients allowed to connect. Subsequent users will receive an error message.
Default value: 0 (unlimited)
max_per_ip
If vsftpd is running in standalone mode, this sets the maximum number of clients allowed to connect from one IP address. If the maximum limit is exceeded, an error message will be received.
Default value: 0 (unlimited)
pasv_max_port
Specifies the maximum port allocated for passive mode data connections. Can be used to specify a smaller range to accommodate firewalls.
Default value: 0 (use any port)
pasv_min_port
Specifies the minimum port allocated for passive mode data connections. Can be used to specify a smaller range to accommodate firewalls.
Default value: 0 (use any port)
trans_chunk_size
You generally do not need to change this setting, but try something like 8192 for a much smoother bandwidth limiter.
Default value: 0 (let vsftpd choose)
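The following added example (Python written for this page, not vsftpd's own code) ties the Format rules and the warnings in the Boolean and Numeric sections together: a strict vsftpd.conf parser that rejects what vsftpd rejects (spaces around "=", a boolean that is not exactly YES or NO, a malformed number), followed by an audit that checks a parsed file for the combinations this page warns about, including the effective mode of an upload computed from file_open_mode and the class umask. Only the defaults listed on this page are reproduced; the finding codes, function names and the two sample configurations are mine.

```python
"""Strict vsftpd.conf parser plus an audit of the settings this page warns about.
Added example, not vsftpd's own code; finding codes and sample configs are mine."""
import re

# Compiled-in defaults as listed on this page (subset), kept as the raw strings vsftpd reads.
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chown_uploads": "NO", "chown_username": "root",
    "chroot_local_user": "NO", "run_as_launching_user": "NO", "pasv_promiscuous": "NO",
    "port_promiscuous": "NO", "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "anon_umask": "077", "local_umask": "077", "file_open_mode": "0666",
}
NUMERIC = {"anon_umask", "local_umask", "file_open_mode"}
BOOLEAN = {k for k, v in DEFAULTS.items() if v in ("YES", "NO")}
DIRECTIVE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")  # no whitespace around '='

class ConfigError(ValueError):
    """A line the real vsftpd refuses to start with."""

def to_int(value):
    """Numeric option: a non-negative integer; a leading 0 means octal (page rule)."""
    try:
        if not value.isdigit():
            raise ValueError
        return int(value, 8 if len(value) > 1 and value[0] == "0" else 10)
    except ValueError:
        raise ConfigError("bad numeric value %r" % value) from None

def parse_vsftpd_conf(text):
    """Return {key: raw_value}; '#' lines are comments and blank lines are skipped."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:  # "key = value", indented lines and lines without '=' all end here
            raise ConfigError("line %d: expected key=value with no spaces: %r" % (lineno, line))
        key, value = m.groups()
        # Booleans must be exactly YES/NO; "YES " with a trailing blank fails as well.
        if key in BOOLEAN and value.upper() not in ("YES", "NO"):
            raise ConfigError("line %d: %s must be YES or NO, got %r" % (lineno, key, value))
        if key in NUMERIC:
            to_int(value)
        conf[key] = value
    return conf

def audit(conf):
    """Return finding codes, in a fixed order, for the combinations this page warns about."""
    def o(key):  # option value with the compiled-in default applied, as bool, int or str
        raw = conf.get(key, DEFAULTS[key])
        return raw.upper() == "YES" if key in BOOLEAN else to_int(raw) if key in NUMERIC else raw
    found = []
    anon_writes = o("anonymous_enable") and o("write_enable") and (
        o("anon_upload_enable") or o("anon_mkdir_write_enable") or o("anon_other_write_enable"))
    if anon_writes and not o("chown_uploads"):
        found.append("ANON_UPLOAD_NO_CHOWN")  # uploads stay owned by the ftp user
    if o("chown_uploads") and o("chown_username") == "root":
        found.append("CHOWN_UPLOADS_TO_ROOT")  # the page's default; use a dedicated account
    if o("run_as_launching_user"):
        found.append("NO_CHROOT_POSSIBLE")  # page: chroot() cannot be used in this mode
    for key in ("pasv_promiscuous", "port_promiscuous"):
        if o(key):
            found.append(key.upper())  # data-connection address check disabled
    if o("local_enable") and o("chroot_local_user") and o("write_enable"):
        found.append("WRITABLE_CHROOT_RISK")  # the chroot_local_user warning on this page
    if o("ssl_enable") and (o("ssl_sslv2") or o("ssl_sslv3")):
        found.append("LEGACY_SSL_VERSIONS")
    # Effective mode of an upload is file_open_mode with the class umask cleared.
    classes = [("ANON", "anon_umask")] if anon_writes else []
    if o("local_enable") and o("write_enable"):
        classes.append(("LOCAL", "local_umask"))
    for who, umask in classes:
        mode = o("file_open_mode") & ~o(umask) & 0o777
        if mode & 0o111:
            found.append("%s_UPLOADS_EXECUTABLE" % who)
        if mode & 0o002:
            found.append("%s_UPLOADS_WORLD_WRITABLE" % who)
    return found

# Constructed sample (not from the page): a careless anonymous drop box ...
WEAK_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_umask=000
file_open_mode=0777
pasv_promiscuous=YES
"""
# ... and the same drop box with uploads handed to a dedicated unprivileged account.
HARDENED_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=ftpupload
anon_umask=077
"""
```

Run against WEAK_CONF the audit reports that uploads stay owned by the ftp user, that the PASV address check is off, and that anonymous uploads are created executable and world-writable (0777 with a zero umask); HARDENED_CONF produces no findings because uploads land as 0600 and are immediately handed to a dedicated account. A config file with "anonymous_enable = NO" or a trailing blank after YES is rejected at parse time, which is exactly where vsftpd itself stops.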
===========
STRING Configuration Items
The following are STRING configuration items.
anon_root
Sets a directory that vsftpd will attempt to enter after an anonymous user logs in. If it fails, it will be skipped.
Default value: none
banned_email_file
After deny_email_enable is activated, anonymous users will be denied login if they use the E-MAIL passwords specified in this file.
Default value: /etc/vsftpd.banned_emails
banner_file
The name of a file whose text is displayed when a client first connects. If set, it overrides the banner string given by ftpd_banner.
Default value: none
chown_username
The user who is given ownership of files uploaded by anonymous users. Only relevant if chown_uploads is set. Do not leave this at root in practice: pick a dedicated unprivileged account that has no other role, so that a malicious upload never becomes a root-owned file.
Default value: root
chroot_list_file
This item provides a list of local users; users in the list will be placed in the virtual root and locked in their home directory after logging in. This requires the chroot_list_enable item to be enabled.
If the chroot_local_user item is enabled, this list becomes a user list that does not lock users in the virtual root.
Default value: /etc/vsftpd.chroot_list
cmds_allowed
A comma-separated list of the FTP commands allowed after login (USER, PASS and QUIT are always allowed before login).
Other commands will be blocked. This is a powerful means of locking down an FTP server. For example: cmds_allowed=PASV,RETR,QUIT
Default value: none
deny_file
This sets a pattern for file names (and directory names, etc.) that must not be accessible in any way. The affected items are not hidden, but any attempt to do anything with them (download, change into the directory, touch anything inside it,
and so on) is denied. This option is very simple and should not be used for serious access control; filesystem perm, should be used in preference. However, it may be useful in certain virtual-user setups.
In particular, be aware that if a file is reachable under several names (for example through symbolic or hard links), access must be denied to all of those names.
Items are denied if their name contains the string given, or if they match the pattern given. vsftpd's pattern matching is a simple subset of full regular expressions, so test any use of this option carefully and exhaustively, and prefer filesystem permissions for important security policy. Example: deny_file={*.mp3,*.mov,.private}
Default value: none
dsa_cert_file
This setting specifies the location of the DSA certificate for SSL encrypted connections.
Default value: none (an RSA certificate is sufficient)
email_password_file
Provides an alternative file for use by the secure_email_list_enable setting.
Default value: /etc/vsftpd.email_passwords
ftp_username
This is used to control the username for anonymous FTP. The home directory of this user is the root of the anonymous FTP area.
Default value: ftp
ftpd_banner
Overrides the greeting banner that vsftpd displays when a connection first comes in.
Default value: none (vsftpd's default greeting is displayed)
guest_username
See related setting guest_enable. This setting specifies the name to which guests will be mapped upon entry.
Default: ftp
hide_file
Sets a pattern for file names (and directory names, etc.) that are hidden from directory listings. Despite being hidden, the items remain fully accessible to a client that knows the name to use,
so this is cosmetic, not access control. Items are hidden if their name contains the string given, or if they match the pattern given. vsftpd's pattern matching is a simple subset of full
regular expressions. Example: hide_file={*.mp3,.hidden,hide*,h?}
Default value: none
listen_address
If vsftpd is running in standalone mode, the default listening address for the local interface will be replaced by this setting.
A numeric address must be provided.
Default value: none
listen_address6
If vsftpd is running in standalone mode, specify a listening address for IPV6 (if listen_ipv6 is enabled).
An IPV6 formatted address must be provided.
Default value: none
local_root
Sets a directory that vsftpd will attempt to let a local (non-anonymous) user enter after logging in. If it fails, it will be skipped.
Default value: none
message_file
When entering a new directory, this file will be searched for and its contents displayed to the remote user. dirmessage_enable must be enabled.
Default value: .message
nopriv_user
This is the name of the user vsftpd switches to when it wants to be totally unprivileged. It should be a dedicated user rather than nobody: nobody tends to be used for rather a lot of other things on most machines, and sharing an account means sharing whatever that account can reach.
Default value: nobody
pam_service_name
Sets the name of the PAM service that vsftpd will use.
Default value: ftp
pasv_address
When using the PASV command, vsftpd will respond with this address. A numeric IP address must be provided.
Default value: none (the address will be taken from the incoming connection's socket)
rsa_cert_file
This setting specifies the location of the RSA certificate required for SSL encrypted connections.
Default value: /usr/share/ssl/certs/vsftpd.pem
secure_chroot_dir
This setting specifies an empty directory that does not allow ftp user write access. This directory is used as a secure virtual root when vsftpd does not want the file system to be accessed.
Default value: /usr/share/empty
ssl_ciphers
Selects the SSL cipher suites vsftpd will accept for encrypted connections. See the ciphers(1) manual page of OpenSSL for the syntax. The listed default is a single 3DES suite; a current deployment should set a modern cipher list instead.
Default value: DES-CBC3-SHA
user_config_dir
This powerful setting allows overriding some configuration items specified in the manual page (on a per-user basis). The usage is simple, best combined with examples. If you change user_config_dir
to /etc/vsftpd_user_conf, then logging in as chris, vsftpd will call the configuration file /etc/vsftpd_user_conf/chris.
Default value: none
user_sub_token
This setting will create home directories for each virtual user based on a template. For example, if the real user's home directory is specified as /home/virtual/$USER through guest_username,
and user_sub_token is set to $USER, then the virtual user fred logging in will be locked in /home/virtual/fred.
Default value: none
userlist_file
The name of the file loaded when userlist_enable is active.
Default value: /etc/vsftpd.user_list
vsftpd_log_file
This is the name of the file to which the vsftpd-style log is written. It is written only if xferlog_enable is set and xferlog_std_format is NOT set, or, alternatively, if dual_log_enable is set.
One further complication: if syslog_enable is set, this file is not written and the output goes to the system log instead.
Default value: /var/log/vsftpd.log
xferlog_file
This is the name of the file to which the wu-ftpd-style transfer log is written. It is written only if xferlog_enable and xferlog_std_format are both set,
or, alternatively, if dual_log_enable is set.
Default value: /var/log/xferlog
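As an added example for the wu-ftpd log format that xferlog_std_format selects, xferlog_file receives and dual_log_enable writes alongside the vsftpd log (Python written for this page, not part of vsftpd): a parser for xferlog lines and a small review pass that flags anonymous uploads, incomplete transfers and remote hosts that pulled more than a threshold of data. The field names follow the wu-ftpd xferlog layout; the finding codes and the four sample lines are constructed.

```python
"""Parser and review pass for wu-ftpd style xferlog lines (the format xferlog_std_format
selects and xferlog_file receives). Added example written for this page, not vsftpd's
code; the finding codes and the sample lines below are constructed."""
from collections import defaultdict

# Field order of a wu-ftpd xferlog record after the five-token timestamp.
FIELDS = ("transfer_time", "remote_host", "file_size", "filename", "transfer_type",
          "special_action", "direction", "access_mode", "username", "service",
          "auth_method", "auth_user_id", "completion")

def parse_xferlog_line(line):
    """One log line -> dict. The timestamp is five tokens ("Mon Jan  1 10:00:01 2024"),
    so a valid line splits into exactly 18 whitespace-separated tokens."""
    tokens = line.split()
    if len(tokens) != len(FIELDS) + 5:
        raise ValueError("not an xferlog line: %r" % line)
    rec = dict(zip(FIELDS, tokens[5:]))
    rec["timestamp"] = " ".join(tokens[:5])
    rec["transfer_time"] = int(rec["transfer_time"])
    rec["file_size"] = int(rec["file_size"])
    return rec

def review(lines, bulk_threshold=1 << 30):
    """Return (code, remote_host, detail) findings in log order, bulk totals last.

    direction: o = outgoing (download), i = incoming (upload)
    access_mode: a = anonymous, g = guest, r = real (local) user
    completion: c = complete, i = incomplete
    """
    findings, downloaded = [], defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        host = rec["remote_host"]
        if rec["direction"] == "i" and rec["access_mode"] == "a":
            findings.append(("ANON_UPLOAD", host, rec["filename"]))
        if rec["completion"] != "c":
            findings.append(("INCOMPLETE", host, rec["filename"]))
        if rec["direction"] == "o":
            downloaded[host] += rec["file_size"]  # file_size as logged, per transfer
    for host, total in sorted(downloaded.items()):
        if total >= bulk_threshold:
            findings.append(("BULK_DOWNLOAD", host, total))
    return findings

# Constructed sample (not real traffic): a public mirror with an anonymous incoming
# area, and a local user pulling a large backup twice, the first attempt incomplete.
SAMPLE_XFERLOG = """\
Mon Jan  1 10:00:01 2024 1 198.51.100.7 4096 /pub/readme.txt b _ o a anonymous@ ftp 0 * c
Mon Jan  1 10:00:05 2024 3 198.51.100.7 1048576 /pub/incoming/tool.exe b _ i a bob@example.com ftp 0 * c
Mon Jan  1 10:01:10 2024 12 203.0.113.9 734003200 /pub/backups/db.tar.gz b _ o r alice ftp 0 * i
Mon Jan  1 10:02:00 2024 40 203.0.113.9 734003200 /pub/backups/db.tar.gz b _ o r alice ftp 0 * c
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_XFERLOG.splitlines()):
        print(*finding)
```

Because the format is whitespace-separated, the parser keys off the token count rather than fixed column widths, which is what the double space in a single-digit day of month would otherwise break; the per-host download total is the figure to compare against what a legitimate client of the site would ever need.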