
Archive for the “FTP” Category


There may be some situations where you want to encrypt FTP traffic with SSL certificates rather than using SFTP with SSH. Using vsftpd with SSL encryption is quite easy, and here’s how it’s done:

First, you’ll need to make a new self-signed SSL certificate (if you don’t have a key and certificate available already):

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

Once you have the key and certificate made, you’ll need to concatenate them into a PEM file (this file contains the private key, so make sure only root can read it afterwards):

# cat server.key > /etc/vsftpd/server.pem
# cat server.crt >> /etc/vsftpd/server.pem

Now, simply adjust the vsftpd configuration file to enable SSL encryption:

ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/server.pem

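Once that’s complete, restart vsftpd and you will be able to connect to your FTP server using SSL/TLS encryption. With force_local_logins_ssl and force_local_data_ssl set to NO, encryption is optional and clients can still connect in cleartext; set both to YES to require it.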
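A quick way to check an existing vsftpd.conf for these settings (an added example, not part of the original post). The function names are hypothetical, and the permission check assumes GNU stat:

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the TLS settings discussed above.
# Usage: . ./audit.sh; audit_vsftpd_tls /etc/vsftpd/vsftpd.conf
# Assumes GNU stat for the key-file permission check.

# conf_get FILE OPTION DEFAULT -> last value assigned to OPTION, else DEFAULT
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# is_yes FILE OPTION DEFAULT -> succeeds when the boolean option is YES
is_yes() {
    [ "$(conf_get "$1" "$2" "$3" | tr 'a-z' 'A-Z')" = YES ]
}

# audit_vsftpd_tls FILE -> prints one WEAK line per finding and returns
# the number of findings (0 means nothing was flagged)
audit_vsftpd_tls() {
    conf=$1
    n=0
    weak() { echo "WEAK: $1"; n=$((n + 1)); }
    # Defaults passed below are the ones documented in vsftpd.conf(5).
    is_yes "$conf" ssl_enable NO || weak "ssl_enable is off: all sessions are cleartext"
    is_yes "$conf" force_local_logins_ssl YES || weak "force_local_logins_ssl=NO: passwords may be sent unencrypted"
    is_yes "$conf" force_local_data_ssl YES || weak "force_local_data_ssl=NO: file transfers may be sent unencrypted"
    for proto in ssl_sslv2 ssl_sslv3; do
        if is_yes "$conf" "$proto" NO; then weak "$proto=YES enables an obsolete protocol"; fi
    done
    # The private key is in rsa_private_key_file, or in rsa_cert_file if unset.
    key=$(conf_get "$conf" rsa_private_key_file "$(conf_get "$conf" rsa_cert_file '')")
    if [ -n "$key" ] && [ -f "$key" ]; then
        mode=$(stat -c %a "$key")
        case $mode in
            *00|0) ;;
            *) weak "$key is mode $mode: private key accessible beyond its owner" ;;
        esac
    fi
    return "$n"
}
```

The return value is the number of findings, so it can be used directly in a cron job or a deployment check.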

Further Reading:
Manpage of vsftpd.conf


If you find yourself with the ever-so-peculiar 500 OOPS error from vsftpd when you attempt to log in over FTP, there could be a few different things at play. Generally, this is the type of error you will get:

500 OOPS: cannot change directory:/home/someuser
500 OOPS: child died

You can search for a solution in this order:

Home Directory
Does the user’s home directory even exist? Check /etc/passwd for the current home directory for the user and see what’s set:

# grep someuser /etc/passwd
someuser:x:10001:2524::/var/www/someuser:/bin/bash

In this case, does /var/www/someuser exist? If it doesn’t, fix that and then move onto the next solution if you’re still having problems.

File/Directory Permissions
Be sure that the user that you are logging in as actually has permissions to be in the directory. This affects users that have home directories of /var/www/html because the execute bit normally isn’t set for the world on /var/www or /var/www/html. Make sure that the appropriate permissions and ownerships are set, and this should help eliminate the issue.

SELINUX
If SELINUX is rearing its ugly head on the server, this can be a problem. Check your current SELINUX status and disable enforcement if necessary:

# getenforce
Enforcing
# setenforce 0

Try to log in over FTP again and it should succeed. Note that setenforce 0 only switches SELINUX to permissive mode until the next reboot. If you want to turn off SELINUX entirely, adjust /etc/sysconfig/selinux (RHEL4) or /etc/selinux/config (RHEL5).
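The first two checks above can be run in one pass for a given account (an added example, not part of the original post). The function names and the optional PASSWD_FILE and STOP arguments are hypothetical, and GNU stat is assumed:

```shell
#!/bin/sh
# Added example: run the home-directory and permission checks for one account.
# Assumes GNU stat. PASSWD_FILE and STOP are optional and exist so the
# functions can be tried against a scratch tree instead of the live system.

# home_of USER [PASSWD_FILE] -> prints the home directory field of USER
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit }
        END { exit !found }' "${2:-/etc/passwd}"
}

# first_blocked_dir PATH [STOP] -> prints the first directory between STOP
# (default /) and PATH that lacks the world execute bit, or nothing
first_blocked_dir() {
    p=${1%/}
    stop=${2:-/}
    chain=
    while [ -n "$p" ] && [ "$p" != "$stop" ] && [ "$p" != / ] && [ "$p" != . ]; do
        chain="$p
$chain"
        p=$(dirname "$p")
    done
    printf '%s' "$chain" | while IFS= read -r dir; do
        case $(stat -c %a "$dir") in
            *[1357]) ;;
            *) echo "$dir"; break ;;
        esac
    done
}

# diagnose_ftp_home USER [PASSWD_FILE] [STOP] -> 0 fine, 1 no such user,
# 2 home missing, 3 a directory on the path is closed to other users
diagnose_ftp_home() {
    home=$(home_of "$1" "$2") || { echo "no passwd entry for $1"; return 1; }
    [ -d "$home" ] || { echo "$home does not exist"; return 2; }
    blocked=$(first_blocked_dir "$home" "$3")
    [ -z "$blocked" ] || { echo "no world execute bit on $blocked"; return 3; }
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce)"
    fi
    echo "$home exists and is traversable"
}
```

A result of 3 is only a problem if the user neither owns the reported directory nor belongs to its group, which is the /var/www case described above.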


If you can’t see hidden files in proftpd (the files beginning with a dot, like .htaccess), you can enable the option in your client. However, you can force the files to be displayed in almost all clients with a server-wide directive in your proftpd.conf:

ListOptions -a

Make sure to restart proftpd afterwards and re-connect to the FTP server to see the changes.


To enable SSL/TLS support in proftpd, add the following to the proftpd.conf file:

<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/ftpd/tls.log
    TLSProtocol TLSv1
    TLSRequired off
    TLSRSACertificateFile /usr/share/ssl/certs/server.crt
    TLSRSACertificateKeyFile /usr/share/ssl/private/server.key
    TLSCACertificateFile /usr/share/ssl/certs/cacert.crt
    TLSVerifyClient off
    TLSRenegotiate required off
</IfModule>

To require SSL/TLS on all connections, change TLSRequired to on. Of course, replace the certificate, key, and CA certificate (if applicable) paths with the correct files on your system.

Once you’re all done, make sure to restart proftpd to activate the changes.


To add a chrooted FTP user outside of Plesk properly, you need to:

  • Create the user with the home directory as the root of what they can access
  • Give the user a password
  • Make their primary group psacln
  • Add them to the psaserv group as well

# useradd username -d /var/www/html/website/slideshow/
# echo "password" | passwd username --stdin
Changing password for user username.
passwd: all authentication tokens updated successfully.
# usermod -g psacln username
# usermod -G psaserv username
# lftp username:password@localhost
lftp username@localhost:/> cd ..
lftp username@localhost:/>


A really really strange issue randomly appears with ProFTPD and Plesk occasionally. On the filesystem, a file will have a correct creation/modification date, but then when you view it over FTP, it’s always off by the amount of hours you differ from GMT.

For example, if the server is on Central Time, all of the files will seem to be created 6 hours after they were really created. The filesystem will show something like 10AM, but the FTP client will say 4PM. Luckily, there is a fix!

Add the following to your /etc/proftpd.conf file and you should be good to go:

TimesGMT off
SetEnv TZ :/etc/localtime


If you need to enable SSL in ProFTPD, try this out:

<IfModule mod_tls.c>
TLSEngine on
TLSRequired off
TLSRSACertificateFile /etc/httpd/conf/ssl.crt/server.crt
TLSRSACertificateKeyFile /etc/httpd/conf/ssl.key/server.key
TLSVerifyClient off
</IfModule>


So you have multiple users that need to read and write to certain files on the filesystem? This can be done with vsftpd or proftpd quite easily. Let’s say you have users called ann, bill and carl and they need to manage files in /var/www/html. Here are the steps:

For vsftpd, change the umask for files created by FTP users. Open the vsftpd.conf file and edit the following (vsftpd does not allow spaces around the = sign):

     local_umask=077     <-- old
     local_umask=002     <-- new

For proftpd, change the umask for files created by FTP users. Open the proftpd.conf file and edit the following:

     Umask 002

This makes sure that new directories are created as 775 and new files as 664 (full read/write for users/group, but only read for everyone else).

Next, create a new group. We will call ours “sharedweb”:

     groupadd sharedweb

Now, put the users into that group by adding them in /etc/group:

     sharedweb:*:##:ann,bill,carl

Modify the users so that their primary group is sharedweb. If you forget this step, when they make new FTP files, they will be owned by each user’s primary group (sometimes named the same as the user on some systems) and the permissions will be completely hosed.

     usermod -g sharedweb ann
     usermod -g sharedweb bill
     usermod -g sharedweb carl

Restart vsftpd (or proftpd) to pick up the new configuration and your users should be able to upload, delete, and edit each other’s files.
