====== Information ======

  * vsftpd ((https://security.appspot.com/vsftpd.html))

===== Prerequisites =====

  * [[linux;distros;server;fedora_server|Fedora Server]]

====== Dependencies ======

<code bash>
sudo dnf install 'vsftpd'
</code>

====== Firewall ======

  * See [[linux;notes;misc#firewalld|firewalld]]
  * 20/tcp
  * 21/tcp
  * PASV: 40000-50000/tcp

<code bash>
sudo firewall-cmd --add-port='20/tcp' --permanent && sudo firewall-cmd --add-port='21/tcp' --permanent && sudo firewall-cmd --add-port='40000-50000/tcp' --permanent && sudo firewall-cmd --reload
</code>

====== SELinux ======

  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-file_transfer_protocol-booleans
  * https://hostodo.com/portal/knowledgebase/25/Setup-vsftp-with-SELinux.html

<code bash>
sudo setsebool -P 'ftpd_full_access' 'on'
sudo setsebool -P 'ftpd_use_passive_mode' 'on'
sudo grep "SELinux is preventing" /var/log/messages > k.txt
</code>

===== Verify =====

<code bash>
getsebool -a | grep 'ftp'
</code>

====== Service ======

<code bash>
sudo systemctl enable 'vsftpd' --now
</code>

====== Settings ======

===== General =====

<code bash>
sudo -e '/etc/vsftpd/vsftpd.conf' && sudo systemctl restart 'vsftpd'
</code>

<code>
# Custom
pasv_enable=YES
pasv_max_port=50000
pasv_min_port=40000
local_root=/var/ftp
force_dot_files=YES
</code>

===== Encryption Support =====

==== Generate Certs ====

  * Country: US
  * State: PA
  * Locality: Charleroi
  * Org Name: Realm of Espionage
  * Org Unit: NAS
  * YOUR Name: x
  * Email: x

<code bash>
sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout '/etc/ssl/certs/vsftpd.pem' -out '/etc/ssl/certs/vsftpd.pem' && sudo chmod '600' '/etc/ssl/certs/vsftpd.pem'
</code>

==== Enable Encryption ====

  * :!: ''ssl_ciphers'' can be set to ''HIGH'' or any supported OpenSSL cipher, but the stronger the cipher suite, the higher the performance hit ((specifically on Oak with a Phenom II X4, ''HIGH'' caps around 60-70MB/s, whereas ''AES128-SHA'' is 70-80MB/s, and no encryption is 100-110MB/s))

<code bash>
sudo -e '/etc/vsftpd/vsftpd.conf' && sudo systemctl restart 'vsftpd'
</code>

<code>
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=YES
ssl_ciphers=AES128-SHA
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
</code>

====== fstab ======

===== UUID =====

  * Use either ''PARTUUID'' (GPT) or ''UUID''

<code bash>
sudo blkid
</code>

===== fstab =====

<code bash>
sudo mkdir -p '/var/ftp/nas1' && sudo -e '/etc/fstab'
sudo mkdir -p '/var/ftp/nas2' && sudo -e '/etc/fstab'
</code>

<code>
# NAS
PARTUUID=x /var/ftp/nas1 xfs defaults,nofail 0 2
UUID=x /var/ftp/nas2 ntfs defaults,nofail 0 2
</code>

<code bash>
sudo systemctl daemon-reload && sudo mount --all && sync
</code>

===== Safe Unmount Externals =====

<code bash>
sudo udisksctl unmount --force --block-device='/dev/sdb'
sudo udisksctl power-off --block-device='/dev/sdb'
</code>

====== Permissions ======

===== chown =====

<code bash>
sudo chown --recursive 'espionage724':'espionage724' '/var/ftp/nas1' && sync
sudo chown --recursive 'espionage724':'espionage724' '/var/ftp/nas2' && sync
</code>

===== chmod =====

<code bash>
sudo chmod --recursive '774' '/var/ftp/nas1' && sync
sudo chmod --recursive '774' '/var/ftp/nas2' && sync
</code>

===== SELinux =====

<code bash>
sudo restorecon -F -I -R '/var/ftp/nas1' && sync
sudo restorecon -F -I -R '/var/ftp/nas2' && sync
</code>
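An added consistency check for the Settings sections above (example code, not part of these notes): it parses a vsftpd.conf, flags encryption options that disagree with the Enable Encryption block, and reports a PASV range that the Firewall section's 40000-50000/tcp rule would not cover. The sample configuration is constructed from this page; the tolerant key=value parser and the default firewall range are assumptions.

```python
# Constructed sample built from the settings on this page (comment line included).
SAMPLE_CONF = """\
# Custom
pasv_enable=YES
pasv_max_port=50000
pasv_min_port=40000
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
"""

def parse_vsftpd_conf(text):
    """Tolerant key=value parser (assumed): '#' lines and blanks skipped, last key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

# Values the Enable Encryption block requires once ssl_enable=YES.
SSL_REQUIRED = {"force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
                "allow_anon_ssl": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO"}

def audit(conf, firewall_pasv=(40000, 50000)):
    """Return findings as strings; an empty list means the checked settings agree."""
    findings = []
    if conf.get("ssl_enable") == "YES":
        for key, want in SSL_REQUIRED.items():
            if conf.get(key) != want:
                findings.append(f"{key} should be {want}, got {conf.get(key)}")
        if not conf.get("rsa_cert_file"):
            findings.append("rsa_cert_file is not set")
        if conf.get("ssl_tlsv1") == "YES":
            findings.append("ssl_tlsv1=YES permits TLS 1.0, deprecated by RFC 8996")
    if conf.get("pasv_enable") == "YES":
        lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
        if not firewall_pasv[0] <= lo <= hi <= firewall_pasv[1]:
            findings.append(f"PASV range {lo}-{hi} is not inside the firewall range {firewall_pasv}")
    return findings
```

Run against the page's own settings it reports only the TLS 1.0 note; appending a later `ssl_sslv3=YES` or a `pasv_max_port` above 50000 is caught because the last occurrence of a key wins.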