Index: vsftpd-3.0.5/vsftpd.conf =================================================================== --- vsftpd-3.0.5.orig/vsftpd.conf 2011-12-17 19:24:40.000000000 +0100 +++ vsftpd-3.0.5/vsftpd.conf 2022-02-01 20:12:06.546853199 +0100 @@ -4,23 +4,89 @@ # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # +# If you do not change anything here you will have a minimum setup for an +# anonymus FTP server. +# # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # -# Allow anonymous FTP? (Beware - allowed by default if you comment this out). -anonymous_enable=YES -# -# Uncomment this to allow local users to log in. -#local_enable=YES +# ################ +# General Settings +# ################ # # Uncomment this to enable any form of FTP write command. -#write_enable=YES +write_enable=NO +# +# Activate directory messages - messages given to remote users when they +# go into a certain directory. +dirmessage_enable=YES +# +# It is recommended that you define on your system a unique user which the +# ftp server can use as a totally isolated and unprivileged user. +nopriv_user=ftpsecure +# +# You may fully customise the login banner string: +#ftpd_banner=Welcome to blah FTP service. +# +# You may activate the "-R" option to the builtin ls. This is disabled by +# default to avoid remote users being able to cause excessive I/O on large +# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume +# the presence of the "-R" option, so there is a strong case for enabling it. +#ls_recurse_enable=YES +# +# You may specify a file of disallowed anonymous e-mail addresses. Apparently +# useful for combatting certain DoS attacks. +#deny_email_enable=YES +# (default follows) +#banned_email_file=/etc/vsftpd.banned_emails +# +# If enabled, all user and group information in +# directory listings will be displayed as "ftp". +#hide_ids=YES +# +# ####################### +# Local FTP user Settings +# ####################### +# +# Uncomment this to allow local users to log in. +local_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) #local_umask=022 # +# You may specify an explicit list of local users to chroot() to their home +# directory. If chroot_local_user is YES, then this list becomes a list of +# users to NOT chroot(). +#chroot_local_user=YES +#chroot_list_enable=YES +# (default follows) +#chroot_list_file=/etc/vsftpd.chroot_list +# +# The maximum data transfer rate permitted, in bytes per second, for +# local authenticated users. The default is 0 (unlimited). +#local_max_rate=7200 +# +# ########################## +# Anonymus FTP user Settings +# ########################## +# +# Allow anonymous FTP? (Beware - allowed by default if you comment this out). +anonymous_enable=YES +# +# The maximum data transfer rate permitted, in bytes per second, for anonymous +# authenticated users. The default is 0 (unlimited). +#anon_max_rate=7200 +# +# Anonymous users will only be allowed to download files which are +# world readable. +anon_world_readable_only=YES +# +# Default umask for anonymus users is 077. You may wish to change this to 022, +# if your users expect that (022 is used by most other ftpd's) +#anon_umask=022 +# # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. @@ -30,15 +96,9 @@ anonymous_enable=YES # new directories. #anon_mkdir_write_enable=YES # -# Activate directory messages - messages given to remote users when they -# go into a certain directory. -dirmessage_enable=YES -# -# Activate logging of uploads/downloads. -xferlog_enable=YES -# -# Make sure PORT transfer connections originate from port 20 (ftp-data). -connect_from_port_20=YES +# Uncomment this to enable anonymus FTP users to perform other write operations +# like deletion and renaming. +#anon_other_write_enable=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not @@ -46,24 +106,51 @@ connect_from_port_20=YES #chown_uploads=YES #chown_username=whoever # +# ############ +# Log Settings +# ############ +# +# Log to the syslog daemon instead of using an logfile. +syslog_enable=YES +# +# Uncomment this to log all FTP requests and responses. +#log_ftp_protocol=YES +# +# Activate logging of uploads/downloads. +#xferlog_enable=YES +# # You may override where the log file goes if you like. The default is shown # below. -#xferlog_file=/var/log/vsftpd.log +# +#vsftpd_log_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. #xferlog_std_format=YES # +# You may override where the log file goes if you like. The default is shown +# below. +#xferlog_file=/var/log/vsftpd.log +# +# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log. +#dual_log_enable=YES +# +# Uncomment this to enable session status information in the system process listing. +#setproctitle_enable=YES +# +# ################# +# Transfer Settings +# ################# +# +# Make sure PORT transfer connections originate from port 20 (ftp-data). +connect_from_port_20=YES +# # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # -# It is recommended that you define on your system a unique user which the -# ftp server can use as a totally isolated and unprivileged user. -#nopriv_user=ftpsecure -# # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. @@ -77,41 +164,46 @@ connect_from_port_20=YES # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. -#ascii_upload_enable=YES +ascii_upload_enable=YES #ascii_download_enable=YES # -# You may fully customise the login banner string: -#ftpd_banner=Welcome to blah FTP service. -# -# You may specify a file of disallowed anonymous e-mail addresses. Apparently -# useful for combatting certain DoS attacks. -#deny_email_enable=YES -# (default follows) -#banned_email_file=/etc/vsftpd.banned_emails -# -# You may specify an explicit list of local users to chroot() to their home -# directory. If chroot_local_user is YES, then this list becomes a list of -# users to NOT chroot(). -# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that -# the user does not have write access to the top level directory within the -# chroot) -#chroot_local_user=YES -#chroot_list_enable=YES -# (default follows) -#chroot_list_file=/etc/vsftpd.chroot_list +# Set to NO if you want to disallow the PASV method of obtaining a data +# connection. +#pasv_enable=NO # -# You may activate the "-R" option to the builtin ls. This is disabled by -# default to avoid remote users being able to cause excessive I/O on large -# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume -# the presence of the "-R" option, so there is a strong case for enabling it. -#ls_recurse_enable=YES +# PAM setting. Do NOT change this unless you know what you do! +pam_service_name=vsftpd # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. -listen=YES +listen=NO # # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies of vsftpd with two configuration files. # Make sure, that one of the listen options is commented !! -#listen_ipv6=YES +listen_ipv6=YES +# +# Set to ssl_enable=YES if you want to enable SSL +ssl_enable=NO +# +# Limit passive ports to this range to assis firewalling +pasv_min_port=30000 +pasv_max_port=30100 + +### security features that are incompatible with some other settings. ### + +# isolate_network ensures the vsftpd subprocess is started in own network +# namespace (see CLONE_NEWNET in clone(2)). It however disables the +# authentication methods needs the network access (LDAP, NIS, ...). +#isolate_network=NO + +# seccomp_sanbox add an aditional security layer limiting the number of a +# syscalls can be performed via vsftpd. However it might happen that a +# whitelist don't allow a legitimate call (usually indirectly triggered by +# third-party library like pam, or openssl) and the process is being killed by kernel. +# +# Therefor if your server dies on common situations (file download, upload), +# uncomment following line and don't forget to open bug at +# https://bugzilla.novell.com +#seccomp_sandbox=NO