🌐 🇵🇱 Polski · 🇬🇧 EN
After configuring SELinux, you should also set up a basic level of security for the vsftpd service. FTP supports two types of file transfers. The first type, known as active, is where users connect via port 20. The second type, known as passive, allows for defining a port above 1024. Since the administrator decides which type of connection to choose, they must set the appropriate ports and open traffic in the firewall accordingly. Returning to the previous chapter, we had the connect_from_port_20 parameter set to "YES", which means that by default, the FTP service uses the active connection type.
Let's look at other options that allow for improving FTP service security. The user_list_enable parameter is set to "YES" by default, which allows the vsftpd service to check the /etc/vsftpd/user_list file. If we use this option along with the userlist_deny parameter, all users included in this file will be denied access to the system via FTP. If there is no need to use this functionality, I suggest setting the parameter to userlist_deny = NO. Now, all users who are to have the ability to use the FTP service must be included in the /etc/vsftpd/user_list file; others will not be granted access.
Contents of the /etc/vsftpd/user_list file
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
news
uucp
operator
games
nobody
Settings in the file can be implemented very quickly by adding or removing a given user from the list.
Comments