Information

vsftpd ¹⁾

Prerequisites

Fedora Server

Dependencies

sudo dnf install 'vsftpd'

Firewall

firewalld

20/tcp
21/tcp
PASV: 40000-50000/tcp

sudo firewall-cmd --add-port='20/tcp' --permanent && sudo firewall-cmd --add-port='21/tcp' --permanent && sudo firewall-cmd --add-port='40000-50000/tcp' --permanent && sudo firewall-cmd --reload

SELinux

sudo setsebool -P 'ftpd_full_access' 'on'

sudo setsebool -P 'ftpd_use_passive_mode' 'on'

sudo grep "SELinux is preventing" /var/log/messages > k.txt

Verify

getsebool -a | grep 'ftp'

Service

sudo systemctl enable 'vsftpd' --now

Settings

General

sudo -e '/etc/vsftpd/vsftpd.conf' && sudo systemctl restart 'vsftpd'

# Custom
pasv_enable=YES
pasv_max_port=50000
pasv_min_port=40000
local_root=/var/ftp
force_dot_files=YES

Encryption Support

Generate Certs

Country: US
State: PA
Locality: Charleroi
Org Name: Realm of Espionage
Org Unit: NAS
YOUR Name: x
Email: x

sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout '/etc/ssl/certs/vsftpd.pem' -out '/etc/ssl/certs/vsftpd.pem' && sudo chmod '600' '/etc/ssl/certs/vsftpd.pem'

Enable Encryption

ssl_ciphers can be set to HIGH or any supported OpenSSL cipher, but the higher the cipher, the higher the performance hit ²⁾

sudo -e '/etc/vsftpd/vsftpd.conf' && sudo systemctl restart 'vsftpd'

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=YES

ssl_ciphers=AES128-SHA
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem

fstab

UUID

Use either PARTUUID (GPT) or UUID

sudo blkid

fstab

sudo mkdir -p '/var/ftp/nas1' && sudo -e '/etc/fstab'

sudo mkdir -p '/var/ftp/nas1' '/var/ftp/nas2' && sudo -e '/etc/fstab'

# NAS
PARTUUID=x /var/ftp/nas1 ext4 defaults,nofail 0 2
UUID=x /var/ftp/nas2 ntfs defaults,prealloc,windows_names,nofail 0 2

sudo systemctl daemon-reload && sudo mount --all && sync

Safe Unmount Externals

sudo udisksctl unmount --force --block-device='/dev/sdb'

sudo udisksctl power-off --block-device='/dev/sdb'

Permissions

chown

sudo chown --recursive 'espionage724':'espionage724' '/var/ftp/nas1' && sync

sudo chown --recursive 'espionage724':'espionage724' '/var/ftp/nas2' && sync

chmod

sudo chmod --recursive '774' '/var/ftp/nas1' && sync

sudo chmod --recursive '774' '/var/ftp/nas2' && sync

SELinux

sudo restorecon -F -I -R '/var/ftp/nas1' && sync

sudo restorecon -F -I -R '/var/ftp/nas2' && sync

¹⁾

https://security.appspot.com/vsftpd.html

²⁾

specifically on Oak with a Phenom II X4, HIGH caps around 60-70MB/s, whereas AES128-SHA is 70-80MB/s, and no encryption is 100-110MB/s

RoE | Wiki

Table of Contents

Information

Prerequisites

Dependencies

Firewall

SELinux

Verify

Service

Settings

General

Encryption Support

Generate Certs

Enable Encryption

fstab

UUID

fstab

Safe Unmount Externals

Permissions

chown

chmod

SELinux