Setup vsftp with SELinux

From Brian Nelson Ramblings
Revision as of 20:27, 11 April 2014 by Brian (Talk | contribs) (Configure IPTables for ftp)

Jump to: navigation, search

Howto Setup vsftp with SELinux

Vsftpd is a fast and secure FTP server. Installing an FTP server can assist you with uploading files to your droplet. This tutorial describes how to install and set up vsftpd on CentOS 6.

The first two letters of vsftpd stand for "very secure" and the program was built to have strongest protection against possible FTP vulnerabilities.

Step One: Install vsftpd with yum

Since vsftpd is included in the default yum repo's we will install this with yum.

yum install vsftpd -y

Once the files finish downloading, vsftpd will be on your server. Generally speaking, the server is already configured with a reasonable amount of security. However, it does provide access to anonymous users. We will not be needing the anonymous users, so we must disable this feature.

vim /etc/vsftpd/vsftpd.conf

To disable anonymous users with vsftpd adjust the following line to say NO.

anonymous_enable=NO

To enable local users to use vsftpd, you will need to change the following values.

chroot_local_user=YES

Now you will want to start the service and enable to auto start on bootup

service vsftpd restart

and

chkconfig vsftpd on

Configure SELinux for FTP

Lets first check and see what the SELinux options are and what the default values are.

getsebool -a | grep ftp

You should see something like the following

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off

You will need to adjust the ftp_home_dir option and ftpd_use_passive_mode

setsebool -P ftp_home_dir on
setsebool -P ftpd_use_passive_mode on

Configure IPTables for ftp

By default iptables only allows connections from port 22. This means that we will have to open port 21 and 20.

Allow FTP connections @ port 21

/sbin/iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow Active FTP Connections

/sbin/iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

Allow Passive FTP Connections

/sbin/iptables -A INPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT

Now save them

/etc/init.d/iptables save