Difference between revisions of "Setup vsftp with SELinux"
Latest revision as of 20:27, 11 April 2014
Howto Setup vsftp with SELinux
Vsftpd is a fast and secure FTP server. Installing an FTP server can assist you with uploading files to your droplet. This tutorial describes how to install and set up vsftpd on CentOS 6.
The first two letters of vsftpd stand for "very secure": the program was built to offer the strongest possible protection against known FTP vulnerabilities.
Step One: Install vsftpd with yum
Since vsftpd is included in the default yum repos, we will install it with yum.
yum install vsftpd -y
Once the files finish downloading, vsftpd will be on your server. Generally speaking, the server is already configured with a reasonable amount of security. However, it ships with anonymous access enabled. We will not need anonymous users, so we must disable this feature.
vim /etc/vsftpd/vsftpd.conf
To disable anonymous users with vsftpd, change the following line to say NO.
anonymous_enable=NO
To let local users use vsftpd while confining each of them to their own home directory, set the following value.
chroot_local_user=YES
Now start the service and enable it to start automatically on boot.
service vsftpd restart
and
chkconfig vsftpd on
Configure SELinux for FTP
Let's first check which SELinux booleans affect FTP and what their default values are.
getsebool -a | grep ftp
You should see something like the following:
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
You will need to turn on the ftp_home_dir and ftpd_use_passive_mode booleans. The -P flag makes the change persistent across reboots; the other booleans, in particular allow_ftpd_anon_write and allow_ftpd_full_access, stay off.
setsebool -P ftp_home_dir on
setsebool -P ftpd_use_passive_mode on
Configure IPTables for ftp
By default the CentOS 6 iptables rule set only accepts incoming connections to port 22 (SSH); everything else hits the REJECT rule at the end of the INPUT chain. This means that we will have to open port 21 and 20. The rules below are written for the server side (packets arriving at vsftpd's own ports) and are inserted with -I rather than appended with -A, because a rule appended after that final REJECT is never reached.
Allow FTP control connections on port 21
/sbin/iptables -I INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -I OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
Allow Active FTP Connections (the server opens the data connection from port 20 to the client)
/sbin/iptables -I OUTPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
Allow Passive FTP Connections (the client connects to an unprivileged port on the server; matching them as RELATED needs the FTP connection-tracking helper nf_conntrack_ftp, which CentOS 6 loads when it is listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config)
/sbin/iptables -I INPUT -p tcp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -I OUTPUT -p tcp --sport 1024: -m state --state ESTABLISHED -j ACCEPT
Now save them so they are reloaded when the iptables service restarts
/etc/init.d/iptables save
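As an added check that is not part of the original howto, the shell snippet below audits the two vsftpd.conf settings from step one, the SELinux booleans as printed by getsebool -a, and any pinned passive port range against the 1024-and-up range the firewall rules assume, using constructed sample input so it runs without a real server. The function names vsftpd_get, check_vsftpd_conf and check_ftp_booleans are hypothetical.

```shell
#!/bin/sh
# Added audit helper, not from the original howto. Function names are hypothetical.
# Print the value of KEY ($2) from a vsftpd.conf-style FILE ($1): key=value
# lines, '#' comments. The last uncommented occurrence wins, as in vsftpd.
vsftpd_get() {
    sed -n "s/^$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if FILE disables anonymous logins and chroots local users.
# An unset anonymous_enable is a failure: vsftpd defaults it to YES.
check_vsftpd_conf() {
    rc=0
    [ "$(vsftpd_get "$1" anonymous_enable)" = "NO" ] ||
        { echo "$1: anonymous_enable must be NO"; rc=1; }
    [ "$(vsftpd_get "$1" chroot_local_user)" = "YES" ] ||
        { echo "$1: chroot_local_user must be YES"; rc=1; }
    # A pinned passive range must lie inside the firewall's 1024: range.
    min=$(vsftpd_get "$1" pasv_min_port); max=$(vsftpd_get "$1" pasv_max_port)
    if [ -n "$min" ] && { [ "$min" -lt 1024 ] || [ "${max:-0}" -lt "$min" ]; }; then
        echo "$1: pasv_min_port/pasv_max_port must be >= 1024 and ordered"; rc=1
    fi
    return $rc
}

# Return 0 if TEXT ($1, the "name --> on|off" lines from getsebool -a) has the
# two booleans the howto turns on set to on, and the two risky ones set to off.
check_ftp_booleans() {
    rc=0
    for spec in ftp_home_dir:on ftpd_use_passive_mode:on \
                allow_ftpd_anon_write:off allow_ftpd_full_access:off; do
        name=${spec%:*}; want=${spec#*:}
        have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $3 }')
        [ "$have" = "$want" ] ||
            { echo "$name is '${have:-unset}', expected $want"; rc=1; }
    done
    return $rc
}

# Constructed sample input, not a real server's state.
sample_conf=$(mktemp)
printf '# anonymous_enable=YES\nanonymous_enable=NO\nchroot_local_user=YES\n' > "$sample_conf"
sample_bools='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
ftp_home_dir --> on
ftpd_use_passive_mode --> off'
check_vsftpd_conf "$sample_conf" && echo "vsftpd.conf: ok"
check_ftp_booleans "$sample_bools" || echo "run setsebool -P on the booleans listed above"
rm -f "$sample_conf"
```

Point check_vsftpd_conf at /etc/vsftpd/vsftpd.conf and feed check_ftp_booleans the real output of getsebool -a to audit a live CentOS 6 host.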