
Ubuntu vsftp Security Strategies

小樊
48
2025-10-11 23:40:02
Column: Intelligent Operations

Ubuntu vsftpd Security Strategies

1. Install vsftpd

First, update the package index and install vsftpd—the default FTP server for Ubuntu—using:

sudo apt update && sudo apt install vsftpd -y

This ensures you have the latest stable version with security patches.

2. Basic Configuration (/etc/vsftpd.conf)

Edit the configuration file to enforce core security settings:

  • Disable Anonymous Access: Anonymous logins pose a major risk; disable them to prevent unauthorized file access.
    anonymous_enable=NO
    
  • Allow Local Users: Permit only system users (authenticated via /etc/shadow) to log in.
    local_enable=YES
    
  • Enable Write Permissions: Allow users to upload files (adjust based on needs; restrict for read-only servers).
    write_enable=YES
    
  • Restrict to Home Directories (Chroot Jail): Prevent users from browsing other system directories by confining them to their home folders. Set allow_writeable_chroot to avoid the error vsftpd raises when the chroot root directory is writable; note that this relaxes a default safety check, and keeping the home directory itself non-writable with a writable subdirectory for uploads avoids the need for it.
    chroot_local_user=YES
    allow_writeable_chroot=YES
    
  • Passive Mode & Port Range: Passive mode is more firewall-friendly. Define a narrow port range (e.g., 50000–50100) to reduce exposure.
    pasv_enable=YES
    pasv_min_port=50000
    pasv_max_port=50100
    

These settings form the foundation of vsftpd hardening.

3. SSL/TLS Encryption

Encrypt data in transit to prevent eavesdropping. Generate a self-signed certificate (or use a trusted CA-signed one) and configure vsftpd to enforce TLS:

  • Generate Certificate:
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
    
  • Configure TLS: In /etc/vsftpd.conf, enable SSL and disable insecure protocols (SSLv2/SSLv3).
    ssl_enable=YES
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    rsa_cert_file=/etc/ssl/private/vsftpd.pem
    rsa_private_key_file=/etc/ssl/private/vsftpd.pem
    

Clients must use FTPS (FTP over SSL/TLS) to connect.

4. User Access Control

Limit access to trusted users via whitelisting:

  • Create a User List: Add allowed users to /etc/vsftpd.user_list (one per line).
    echo "ftpuser1" | sudo tee -a /etc/vsftpd.user_list
    echo "ftpuser2" | sudo tee -a /etc/vsftpd.user_list
    
  • Configure Whitelist: In /etc/vsftpd.conf, enable the list and deny all non-listed users.
    userlist_enable=YES
    userlist_file=/etc/vsftpd.user_list
    userlist_deny=NO
    

For stricter control, use a chroot list (/etc/vsftpd.chroot_list, enabled with chroot_list_enable=YES). Note that with chroot_local_user=YES, as set above, the list names the users exempted from the jail, so it should contain only accounts that genuinely need to leave their home directory; with chroot_local_user=NO it names the users who are jailed.

5. Firewall Configuration (UFW)

Use UFW to restrict access to FTP ports:

  • Allow Control Port (21): For FTP commands.
    sudo ufw allow 21/tcp
    
  • Allow Passive Mode Ports: For data transfer (adjust range to match pasv_min_port/pasv_max_port).
    sudo ufw allow 50000:50100/tcp
    
  • Enable UFW:
    sudo ufw enable
    

Verify rules with sudo ufw status verbose.

6. Logging and Monitoring

Enable detailed logs to detect suspicious activity (e.g., failed logins, large file transfers). Note that xferlog_std_format=YES produces a transfer-only log; add dual_log_enable=YES if you also want vsftpd-style entries such as failed logins, and with syslog_enable=YES the vsftpd-style output goes to the system log rather than the file:

xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
syslog_enable=YES

Regularly review logs using:

sudo tail -f /var/log/vsftpd.log

Logs help identify and respond to potential attacks (e.g., brute-force attempts).
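As an added example (not from the original post), the following POSIX shell script audits an existing vsftpd.conf against the settings from sections 2, 3, 4 and 6, reporting each expected key that is missing or set to an unexpected value; the function names and the embedded sample configuration are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf against the
# hardening keys from sections 2, 3, 4 and 6. Names here are constructed.
VSFTPD_EXPECTED='anonymous_enable=NO local_enable=YES chroot_local_user=YES
pasv_enable=YES ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES
ssl_sslv2=NO ssl_sslv3=NO userlist_enable=YES userlist_deny=NO xferlog_enable=YES'

# audit_vsftpd_conf FILE: print one line per deviation and return the number
# of deviations (0 = every expected key present with the expected value).
audit_vsftpd_conf() {
    conf="$1"
    failures=0
    for pair in $VSFTPD_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Last assignment wins; booleans are case-insensitive, so normalise.
        have=$(grep -E "^${key}=" "$conf" | tail -n 1 | cut -d= -f2- \
               | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want; vsftpd built-in default applies)"
            failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed, deliberately weak sample configuration for a stand-alone run.
vsftpd_sample_conf() {
    cat <<'EOF'
anonymous_enable=YES
local_enable=YES
chroot_local_user=YES
pasv_enable=yes
ssl_enable=NO
userlist_enable=YES
userlist_deny=NO
xferlog_enable=YES
EOF
}

# ./audit.sh --demo audits the sample; call audit_vsftpd_conf /etc/vsftpd.conf on a host.
case "${1:-}" in
    --demo) f=$(mktemp); vsftpd_sample_conf >"$f"; audit_vsftpd_conf "$f"
            echo "deviations: $?"; rm -f "$f" ;;
esac
```

A non-zero return value makes the function usable from cron or a CI job that should fail when the server drifts from the intended configuration.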

7. Additional Security Measures

  • Keep Software Updated: Regularly update vsftpd and the system to patch vulnerabilities.
    sudo apt update && sudo apt upgrade -y
    
  • Use Strong Passwords: Enforce complex passwords for FTP users (e.g., mix of uppercase, lowercase, numbers, symbols).
  • Avoid Running as Root: Ensure vsftpd runs as a non-root user (default is vsftpd; verify with ps aux | grep vsftpd).
  • Consider Alternatives: For stronger security, use SFTP (via OpenSSH) instead of FTP. SFTP encrypts both credentials and data by default and requires no additional configuration.

By implementing these strategies, you can significantly enhance the security of your Ubuntu vsftpd server and protect against common FTP vulnerabilities.
