Difference between revisions of "Setup vsftp with SELinux"
Revision as of 19:55, 11 April 2014
Howto Setup vsftp with SELinux
vsftpd is a fast and secure FTP server. Installing an FTP server can assist you with uploading files to your droplet. This tutorial describes how to install and set up vsftpd on CentOS 6.
The first two letters of vsftpd stand for "very secure": the program was built to offer the strongest possible protection against FTP vulnerabilities.
Step One: Install vsftpd with yum
Since vsftpd is included in the default yum repositories, we will install it with yum.
yum install vsftpd -y
Once the files finish downloading, vsftpd will be installed on your server. Generally speaking, the server is already configured with a reasonable amount of security. However, it does allow anonymous users to log in. We will not need anonymous access, so we must disable this feature.
vim /etc/vsftpd/vsftpd.conf
To disable anonymous users in vsftpd, adjust the following line to say NO.
anonymous_enable=NO
To enable local users to use vsftpd, you will need to set the following value; it also confines each local user to their own home directory after login.
chroot_local_user=YES
Now you will want to restart the service and enable it to start automatically on boot
service vsftpd restart
and
chkconfig vsftpd on
Configure SELinux for FTP
Let's first check which SELinux booleans affect FTP and what their current values are.
getsebool -a | grep ftp
You should see something like the following
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
You will need to turn on the ftp_home_dir and ftpd_use_passive_mode booleans. The -P flag makes the change persistent across reboots.
setsebool -P ftp_home_dir on
setsebool -P ftpd_use_passive_mode on
Configure IPTables for ftp
By default iptables only accepts incoming connections to port 22. This means that we will have to open ports 21 (control) and 20 (active-mode data).
/sbin/iptables -I INPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
/etc/init.d/iptables save
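As an added check that is not part of the original tutorial, the script below audits a vsftpd.conf and the output of getsebool -a against the settings the steps above configure (anonymous logins off, local users chrooted, the two FTP booleans on). The sample config files and boolean output are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the wiki page: audit vsftpd.conf and
# `getsebool -a` output against the settings this tutorial applies.
# The sample files and boolean listing below are constructed.

# Effective value of a vsftpd.conf key: the last uncommented assignment
# wins, which is how vsftpd itself reads the file.
vsftpd_get() {                       # $1 = config file, $2 = key
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Print each setting that deviates from the hardened baseline (no anonymous
# logins, local users jailed in their home directory); returns 0 if compliant.
vsftpd_audit() {                     # $1 = config file
    rc=0
    for pair in anonymous_enable=NO chroot_local_user=YES; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(vsftpd_get "$1" "$key")
        # vsftpd defaults anonymous_enable to YES, so "unset" is a finding too
        if [ "$got" != "$want" ]; then
            echo "$1: $key=${got:-<unset>}, expected $want"; rc=1
        fi
    done
    return $rc
}

# Read `getsebool -a` output on stdin and flag the two FTP booleans the
# tutorial turns on if they are still off; returns 0 when both are on.
sebool_audit() {
    awk '$1 == "ftp_home_dir" || $1 == "ftpd_use_passive_mode" {
             if ($3 != "on") { print $1 " is " $3 ", expected on"; bad = 1 }
         } END { exit bad ? 1 : 0 }'
}

# Constructed samples: the stock file still permits anonymous logins.
STOCK=$(mktemp); HARDENED=$(mktemp)
printf 'anonymous_enable=YES\nlocal_enable=YES\n' > "$STOCK"
printf '# anonymous_enable=YES\nanonymous_enable=NO\nlocal_enable=YES\nchroot_local_user=YES\n' > "$HARDENED"
SEBOOLS='ftp_home_dir --> off
ftpd_use_passive_mode --> on
tftp_anon_write --> off'

vsftpd_audit "$STOCK"                      # reports both settings
vsftpd_audit "$HARDENED" && echo "$HARDENED: compliant"
printf '%s\n' "$SEBOOLS" | sebool_audit    # reports ftp_home_dir
```

Port 20 only carries active-mode data connections; with ftpd_use_passive_mode turned on, the passive data port range the server hands out must also be reachable through iptables (or the FTP connection-tracking helper must be loaded), otherwise directory listings from passive clients will hang.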