Wednesday, June 16, 2010

Hardening guide for VSFTPD on RHEL 5.4

The guide below explains how to install, configure and secure the FTP server VSFTPD on RHEL 5.4, enabling only SFTP access to the server.

Installation phase
1. Log in to the server using the root account.
2. Install the following RPM from the RHEL 5.4 DVD:
rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
3. Create a group for FTP users:
groupadd ftp-users
4. Create folder for the FTP:
mkdir -p /ftp
5. Change ownership and permissions on the FTP folder:
chown root:ftp-users /ftp
chmod 777 -R /ftp

6. Example of user creation:
useradd -g ftp-users -d /ftp user1
passwd user1
7. Using VI, edit the file /etc/vsftpd/vsftpd.conf
Change from:
anonymous_enable=YES
To:
anonymous_enable=NO

Change from:
xferlog_std_format=YES
To:
xferlog_std_format=NO

Change from:
#ftpd_banner=Welcome to blah FTP service.
To:
ftpd_banner=Secure FTP server

Add the lines below:
local_root=/ftp
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
vsftpd_log_file=/var/log/vsftpd.log
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
rsa_cert_file=/etc/vsftpd/vsftpd.pem

8. Run the command below to create the VSFTPD SSL key:
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Note: The command above should be written as one line.
9. Using VI, edit the file /etc/vsftpd/user_list and add the members of the ftp-users group to this list.
10. Run the command below to manually start the VSFTPD service:
/etc/init.d/vsftpd start
11. Run the command below to configure VSFTPD to start at server startup:
chkconfig vsftpd on
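
To confirm that the directives from step 7 are the ones actually in effect, the following check can be run against the configuration file. It is an added example, not part of the original guide; the function names and the sample file are hypothetical, and it assumes that when an option is repeated the last occurrence takes effect.

```shell
#!/bin/sh
# Directives the guide sets in /etc/vsftpd/vsftpd.conf (option=value).
EXPECTED='anonymous_enable=NO xferlog_std_format=NO userlist_deny=NO
ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES
force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO'

# Print the effective value of option $2 in config file $1.
# Assumption: if an option is repeated, the last occurrence takes effect.
conf_value() {
    awk -F= -v key="$2" '
        /^#/      { next }    # comment line
        $1 == key { val = substr($0, length(key) + 2) }
        END       { print val }' "$1"
}

# Print one FAIL line per deviation in file $1; return 1 if any was found.
audit_vsftpd_conf() {
    status=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected $want, found ${got:-<unset>}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample (not a real server's file): anonymous_enable is set
# twice, ssl_sslv3 is left on, and force_local_data_ssl is missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
anonymous_enable=NO
xferlog_std_format=NO
userlist_deny=NO
#ssl_enable=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
EOF
audit_vsftpd_conf "$sample" || echo "config deviates from the guide"
rm -f "$sample"
```

On the server itself, run audit_vsftpd_conf /etc/vsftpd/vsftpd.conf after editing the file and before starting the service.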
