
banner_file= filename

Configures a file that contains a banner message that will be sent to clients when they connect to the server.

ascii_upload_enable= NO and ascii_download_enable= NO

FTP has the ability to automatically change end-of-line characters to compensate for differences between Linux/Unix, Windows, and Macintosh computers using ASCII mode. The author of vsftpd, Chris Evans, considers this to be a bug in the protocol rather than a feature, and it is true that ASCII mode has mangled many, many binary files. If you want to use ASCII mode, enable these options.

ls_recurse_enable= NO

Controls the use of recursive directory listings. Some very nice clients, such as ncftp, assume that this is enabled.

use_localtime= NO

Enables the display of times in the local time zone instead of GMT.

You can restrict FTP access to specific local users by adding their usernames into the file /etc/vsftpd/ftpusers or /etc/vsftpd/user_list.

7.11.2. How Does It Work?

FTP is a disaster from a security perspective, since transmitted data (including the username and password) are sent in plain text and can be intercepted by anyone snooping on the network. Nonetheless, it's a useful protocol for the public download of large files.

vsftpd was designed from the ground up to be as secure as possible because many of the preceding FTP servers were notoriously insecure. It uses simple code along with techniques such as changing the root directory (chroot) to limit the damage that can be caused if the server is compromised.

FTP is a very old protocol, so old, in fact, that in its original form, it predates TCP/IP! In order to work around some network transport limitations, traditional FTP uses two connections between the client and the server: one for data and one for controlling commands and responses. The control connection originates at the client, and the data connection originates at the server. For years this architecture has caused headaches in firewall configuration.

FTP also supports passive (PASV) operation, which uses a single connection for both control and data. Almost all modern client programs support passive operation as the default mode of operation, as an automatic fallback option, or as a manually configured option.

vsftpd logs data transfers in the file /var/log/xferlog .
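A quick way to see what that log holds, as an added example rather than anything from the book: this shell function summarises an xferlog with awk, counting downloads, uploads, anonymous uploads and incomplete transfers. It assumes the wu-ftpd-compatible layout vsftpd writes when xferlog_std_format is enabled (the Fedora default); the sample lines are constructed.

```shell
#!/bin/bash
# Added example: summarise a vsftpd xferlog (wu-ftpd-compatible format).
# Whitespace-separated fields: 5 date fields, transfer-time, remote-host,
# file-size, filename, transfer-type (a/b), special-action, direction
# (o=download, i=upload, d=delete), access-mode (a=anonymous, g=guest,
# r=real), username, service, auth-method, auth-user-id, completion (c/i).
# Filenames may contain spaces, so the trailing fields are addressed
# relative to NF instead of by fixed column.

xferlog_summary() {
  awk '
  NF >= 18 {
    host = $7; size = $8
    dir = $(NF-6); mode = $(NF-5); status = $NF
    if (dir == "o") { down++; bytes_out += size }
    if (dir == "i") { up++;   bytes_in  += size }
    if (dir == "i" && mode == "a") anon_up++   # anonymous uploads deserve a look
    if (status == "i") incomplete++
    hosts[host]++
  }
  END {
    n = 0
    for (h in hosts) n++
    printf "downloads=%d uploads=%d anon_uploads=%d incomplete=%d bytes_out=%d bytes_in=%d hosts=%d\n", down, up, anon_up, incomplete, bytes_out, bytes_in, n
  }' "$@"
}

# Constructed sample lines (not real log data); one filename contains a space.
sample_xferlog() {
  cat <<'EOF'
Mon Sep 12 04:02:17 2005 3 192.0.2.10 1048576 /pub/fedora/README b _ o a ftp ftp 0 * c
Mon Sep 12 04:05:40 2005 1 192.0.2.10 2048 /pub/incoming/notes.txt a _ i a ftp ftp 0 * c
Mon Sep 12 09:15:02 2005 12 198.51.100.7 5242880 /home/chris/backup 2005.tar.gz b _ o r chris ftp 0 * c
Mon Sep 12 09:20:11 2005 0 203.0.113.5 512 /home/chris/draft.txt a _ i r chris ftp 0 * i
EOF
}

# Usage: xferlog_summary /var/log/xferlog   (or pipe lines on stdin)
sample_xferlog | xferlog_summary
```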

7.11.3. What About...

7.11.3.1. ...secure FTP?

There are two types of secure FTP:

SFTP

An FTP extension to the secure shell (SSH) protocol. This is installed by default on Fedora systems as part of the SSH service; the command name is sftp. SSH also provides secure copy (scp), which is in many cases more convenient than SFTP.

FTPS

FTP over the Secure Sockets Layer (SSL). SSL is a general encryption layer that can be used to protect many types of connections, including HTTP, IMAP, and POP3 (which are known as HTTPS, IMAPS, and POP3S when used with SSL). I recommend the use of SFTP over FTPS, but vsftpd is capable of handling FTPS connections if security certificates are installed; refer to the vsftpd documentation for details.

7.11.4. Where Can I Learn More?

The manpages for vsftpd, vsftpd.conf, and ftp

The manpages for sshd, scp, and sftp

RFC 959: http://www.ietf.org/rfc/rfc0959.txt

7.12. Analyzing Web and FTP Logs

Fedora provides the Webalizer tool for analyzing Apache and vsftpd logfiles, but the default configuration works only with the default Apache virtual host. With a few minutes of configuration, Webalizer can analyze the logfiles of all of your Apache virtual hosts as well as your vsftpd server.

7.12.1. How Do I Do That?

The default configuration for Webalizer analyzes the default Apache logfile at 4:02 a.m. each day, as long as that logfile is not empty. The results can be read by using a browser on the same machine and accessing http://localhost/usage/, which displays the report page. A sample report page is shown in Figure 7-30.

Figure 7-30. Webalizer web usage report

7.12.1.1. Analyzing virtual host logfiles

This configuration assumes that your Apache virtual host logfiles are named /var/log/httpd/<virtualhostname>-access_log and are in combined format.

To configure Webalizer to analyze your virtual host logfiles each day, create the file /etc/cron.daily/00webalizer-vhosts :

#! /bin/bash
# update access statistics for virtual hosts

CONF=/etc/httpd/conf/httpd.conf

# Each uncommented "CustomLog logs/<name>-..." line yields one virtual host name
for NAME in $(sed -n "s=^[^#]*CustomLog logs/\([^ ]*\)-.*=\1=p" $CONF)
do
    # -p: the report directory already exists after the first run
    mkdir -p /var/www/usage/$NAME
    chmod a+rx /var/www/usage/$NAME
    LOG=/var/log/httpd/${NAME}-access_log
    # Only analyze a logfile that exists and is not empty
    if [ -s $LOG ]
    then
        # Plain invocation, not exec: exec would replace the shell and
        # stop the loop after the first virtual host
        /usr/bin/webalizer -Q -o /var/www/usage/$NAME $LOG
    fi
done

Make this file readable and executable by root:

# chmod u+rx /etc/cron.daily/00webalizer-vhosts

Next, edit /etc/webalizer.conf and place a pound-sign character (#) at the start of the HistoryName and IncrementalName lines to comment them out:

# HistoryName /var/lib/webalizer/webalizer.hist

...(Lines snipped)...

# IncrementalName /var/lib/webalizer/webalizer.current

This will ensure that a separate analysis history is maintained for each virtual host.

The virtual host logfiles will be analyzed every morning at 4:02 a.m., and the reports will be accessible at http://localhost/usage/<virtualhostname>.
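Before relying on the cron job, it is worth checking which hosts its sed pattern will actually find. The following is an added example, not from the book: it runs the same pattern over a constructed httpd.conf fragment and shows that uncommented CustomLog lines of the form logs/<name>-... are picked up (including names that themselves contain a hyphen), while the default host's logs/access_log, commented-out lines, quoted paths and absolute paths are skipped, so hosts written those ways silently get no report.

```shell
#!/bin/bash
# Added example: exercise the CustomLog name-extraction pattern from the
# 00webalizer-vhosts cron job against a constructed httpd.conf fragment.

# Same sed expression as the cron job: prints <name> for every uncommented
# "CustomLog logs/<name>-<suffix> ..." line. Reads the files given as
# arguments, or stdin when none are given.
vhost_names() {
  sed -n "s=^[^#]*CustomLog logs/\([^ ]*\)-.*=\1=p" "$@"
}

# Constructed configuration fragment (not a real server's config).
sample_httpd_conf() {
  cat <<'EOF'
CustomLog logs/access_log combined
<VirtualHost *:80>
    ServerName www.example.com
    CustomLog logs/www.example.com-access_log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName my-site.example.org
    CustomLog logs/my-site.example.org-access_log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName intranet.example.com
    CustomLog "logs/intranet.example.com-access_log" combined
</VirtualHost>
#    CustomLog logs/old.example.com-access_log combined
<VirtualHost *:80>
    ServerName files.example.com
    CustomLog /var/log/httpd/files.example.com-access_log combined
</VirtualHost>
EOF
}

# Names found in the sample, joined with single spaces.
check_vhosts() {
  sample_httpd_conf | vhost_names | paste -s -d ' ' -
}

# Run against the sample; use "vhost_names /etc/httpd/conf/httpd.conf"
# to check the real configuration.
check_vhosts
```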

7.12.1.2. Analyzing the FTP logfile

To analyze the vsftp logfile each day, create the file /etc/cron.daily/00webalizer-ftp :

#! /bin/bash
# update access statistics for ftp

if [ -s /var/log/xferlog ]; then