vsftpd

vsftpd + virtual users

/etc/pam.d/vsftpd
#%PAM-1.0
# PAM stack for vsftpd virtual users: both auth and account are decided by the
# Berkeley DB built with db_load (pam_userdb appends ".db" to the db= path itself).
# NOTE(review): with no crypt= option pam_userdb compares plaintext passwords, so the
# .db file is as sensitive as the source list; crypt=crypt would expect crypt(3)
# hashes in the source file instead.
auth    required        pam_userdb.so   db=/etc/vsftpd/virtual_users
account required        pam_userdb.so   db=/etc/vsftpd/virtual_users
# records the login UID of the session for the audit subsystem
session required        pam_loginuid.so
/etc/vsftpd/vsftpd.conf
# /etc/vsftpd/vsftpd.conf - virtual users (pam_userdb) mapped onto one system account,
# each chrooted into its own directory. Booleans are written YES/NO throughout
# (vsftpd accepts yes/no/true/false/1/0 case-insensitively).

# --- daemon ---
listen=YES
ftp_enable=YES
tcp_wrappers=YES
pam_service_name=vsftpd
# vsftpd refuses one_process_model unless the server is anonymous-only
one_process_model=NO
# the seccomp sandbox is a hardening layer; disabling it is normally only
# needed when the kernel/libc combination rejects it
seccomp_sandbox=NO
hide_ids=YES
xferlog_enable=YES
ftpd_banner=Welcome to Microsoft IIS 5.0 FTP Server!

# --- data connections ---
# active mode: the server connects out from port 20
port_enable=YES
# passive mode: this range must also be opened in the firewall
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
# set this when the server is behind NAT and must advertise its public address
#pasv_address=172.16.0.100

# --- who may log in ---
anonymous_enable=NO
local_enable=YES
# pam_userdb virtual users run as the system account "ftp"
guest_enable=YES
guest_username=ftp
# virtual users get the same (write) privileges as real local users
virtual_use_local_privs=YES
write_enable=YES

# --- per-user home and chroot ---
user_sub_token=$USER
local_root=/data/ftp/$USER
chroot_local_user=YES
# vsftpd refuses a writable chroot root by default; this overrides that check.
# Safer layout: keep /data/ftp/$USER root-owned and non-writable and let users
# write into a subdirectory, so allow_writeable_chroot can stay off.
allow_writeable_chroot=YES
local_umask=022
/etc/vsftpd/users
user1
user1password
user2
user2password
build the virtual users DB & restart vsftpd
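# Build the Berkeley DB that pam_userdb reads (pam_userdb adds the ".db" suffix itself).
# /etc/vsftpd/users holds alternating "username" / "password" lines in plaintext, so the
# resulting DB is just as sensitive. Create it under a restrictive umask so it is never
# world-readable, not even between db_load finishing and chmod running.
(umask 077 && db_load -T -t hash -f /etc/vsftpd/users /etc/vsftpd/virtual_users.db)
chmod 600 /etc/vsftpd/users /etc/vsftpd/virtual_users.db
# restart so vsftpd picks up the configuration; pam_userdb opens the DB on each login
service vsftpd restart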
iptables
# FTP is only accepted from 172.16.0.0/24; presumably the INPUT chain policy drops
# everything else (not shown). All ICMP types from that network are allowed.
-A INPUT -s 172.16.0.0/24 -p icmp -j ACCEPT
# active-mode data: the server connects out from source port 20, so client replies
# arrive with destination port 20. This stateless allow is redundant if a conntrack
# ESTABLISHED/RELATED rule is present (not shown here).
-A INPUT -s 172.16.0.0/24 -m tcp -p tcp --dport 20 -j ACCEPT
# control channel
-A INPUT -s 172.16.0.0/24 -m tcp -p tcp --dport 21 -j ACCEPT
# passive data range; must match pasv_min_port/pasv_max_port (50000-50100 above).
# NOTE(review): the implicit-TLS variant below listens on 990/989, which these rules do not open.
-A INPUT -s 172.16.0.0/24 -m tcp -p tcp --dport 50000:50100 -j ACCEPT

vsftpd 3.0.x + TLS/SSL
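# /etc/vsftpd/vsftpd.conf - vsftpd 3.0.x, implicit FTPS (TLS negotiated on connect).
# Booleans are written YES/NO throughout (vsftpd accepts yes/no/true/false/1/0).
listen=YES
# implicit-TLS ports: 990 control, 989 data. The iptables rules above do not open them.
listen_port=990
ftp_data_port=989
pasv_min_port=50001
pasv_max_port=50091
connect_from_port_20=YES

local_enable=YES
anonymous_enable=NO
chroot_local_user=YES
# overrides vsftpd's refusal to chroot into a writable directory; prefer a
# root-owned, non-writable root with writable subdirectories where possible
allow_writeable_chroot=YES
dirmessage_enable=YES
ftpd_banner=Welcome to Microsoft IIS 5.0 FTP Server!
ftp_enable=YES
hide_ids=YES
http_enable=NO
local_umask=022
# one_process_model is refused unless the server is anonymous-only
one_process_model=NO
pam_service_name=vsftpd
tcp_wrappers=YES
# userlist_deny=NO turns /etc/vsftpd/user_list into an allow-list
userlist_enable=YES
userlist_deny=NO
write_enable=YES
xferlog_enable=YES

ssl_enable=YES
implicit_ssl=YES
allow_anon_ssl=NO
# TLS only. SSLv2 and SSLv3 are broken (DROWN, POODLE) and must stay disabled;
# ssl_tlsv1 controls TLS 1.0 - check vsftpd.conf(5) of the installed build for
# per-version toggles before relying on anything newer being required.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# restrict the cipher list; the stock default is a single legacy suite
ssl_ciphers=HIGH
# local users may neither log in nor transfer data without TLS
force_local_data_ssl=YES
force_local_logins_ssl=YES
# one PEM file holds both the certificate and the private key:
# keep it root-owned with mode 600
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem

# self-signed certificate valid for 10 years; use at least a 2048-bit RSA key
# (1024-bit keys are no longer considered acceptable)
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem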
/etc/vsftpd/ftpusers - список пользователей, которым безусловно запрещен доступ (его проверяет модуль pam_listfile в штатном /etc/pam.d/vsftpd дистрибутива; в приведённом выше PAM-файле для виртуальных пользователей этого модуля нет, так что там список не действует)
/etc/vsftpd/user_list - список, кому разрешен доступ (при userlist_deny=NO)

Конфиг vsftpd 2.3.x
# /etc/vsftpd/vsftpd.conf - vsftpd 2.3.x, local users only.
# NOTE(review): convert_charset_enable, local_charset, remote_charset, double_377,
# anti_bruteforce*, http_*, ftp_enable and allow_writable_root are not stock 2.3.x
# tunables and presumably come from a patched distribution build - confirm against
# the installed vsftpd.conf(5). Values are kept verbatim (1/0, yes and YES are all
# accepted by vsftpd's boolean parser).

# --- daemon ---
listen=YES
pam_service_name=vsftpd
tcp_wrappers=YES
ftpd_banner=Welcome to Microsoft IIS 5.0 FTP Server!
dirmessage_enable=YES
xferlog_enable=YES
# fix for "500 OOPS: vsftpd: security: `one_process_model` is anonymous only"
one_process_model=no
# FTP on, HTTP emulation off
ftp_enable=yes
http_enable=no
http_browse=no

# --- data connections ---
# active-mode data connections originate from port 20
connect_from_port_20=YES

# --- who may log in ---
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
# userlist_deny keeps its default (YES), so /etc/vsftpd/user_list is a deny-list here
userlist_enable=YES
chroot_local_user=YES
# fix for "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".
# This disables the writable-chroot-root check; prefer a non-writable root with
# writable subdirectories so it can stay off.
allow_writable_root=yes

# --- filename charset conversion (server UTF8 <-> Windows clients WIN1251) ---
convert_charset_enable=1
local_charset=UTF8
remote_charset=WIN1251
double_377=0

# --- brute-force protection from the patched build ---
anti_bruteforce=1
anti_bruteforce_banner=Bruteforce detected. Bill Gates bans you! Bye bye!