Voici le fichier exemple /etc/vsftpd.conf livré à l'installation :
# Example config file /etc/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # # Run standalone? vsftpd can run either from an inetd or as a standalone # daemon started from an initscript. listen=NO # # This directive enables listening on IPv6 sockets. By default, listening # on the IPv6 "any" address (::) will accept connections from both IPv6 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 # sockets. If you want that (perhaps because you want to listen on specific # addresses) then you must run two copies of vsftpd with two configuration # files. listen_ipv6=YES # # Allow anonymous FTP? (Disabled by default). anonymous_enable=NO # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. #write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) #local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # If enabled, vsftpd will display directory listings with the time # in your local time zone. The default is to display GMT. The # times returned by the MDTM FTP command are also affected by this # option. use_localtime=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. #xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd.banned_emails # # You may restrict local users to their home directories. See the FAQ for # the possible risks in this before using chroot_local_user or # chroot_list_enable below. #chroot_local_user=YES # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that # the user does not have write access to the top level directory within the # chroot) #chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # Customization # # Some of vsftpd's settings don't fit the filesystem layout by # default. # # This option should be the name of a directory which is empty. Also, the # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. secure_chroot_dir=/var/run/vsftpd/empty # # This string is the name of the PAM service vsftpd will use. pam_service_name=vsftpd # # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key ssl_enable=NO # # Uncomment this to indicate that vsftpd use a utf8 filesystem. #utf8_filesystem=YES
listen=NO | Mode autonome |
---|---|
listen_ipv6=YES | écoute sur les sockets IPv6 |
anonymous_enable=NO | pas de connexion anonyme |
local_enable=YES | connexion autorisée pour les utilisateurs locaux |
dirmessage_enable=YES | messages envoyés aux utilisateurs distants quand ils pénètrent dans un répertoire |
use_localtime=YES | fuseau horaire local |
xferlog_enable=YES | journalisation des envois/téléchargements |
connect_from_port_20=YES | S'assurer que les transferts proviennent du port 20 (ftp-data) |
secure_chroot_dir=/var/run/vsftpd/empty | répertoire vide inaccessible en écriture par l'utilisateur ftp. Ce répertoire sert de prison chroot sécurisée quand vsftpd ne demande pas d'accès au système de fichiers |
pam_service_name=vsftpd | nom du service PAM que vsftpd utilisera |
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem | certificat RSA à utiliser pour les connexions cryptées SSL |
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key | clé privée RSA à utiliser pour les connexions cryptées SSL. Si cette option n'est pas définie, la clé privée est dans le même fichier que le certificat. |
ssl_enable=NO | avec OpenSSL, vsftpd prendra en charge les connexions via SSL. N'activez cette option que si vous en avez besoin. vsftpd ne peut garantir la sécurité des bibliothèques OpenSSL. |
Les autres réglages ont leurs valeurs par défaut.
; anon_mkdir_write_enable=
; anon_other_write_enable=
; anon_umask=
; anon_upload_enable=
; chown_uploads=
; chown_username=
; connect_from_port_20=
; chroot_list_enable=
; chroot_list_file=
; chroot_local_user=
; data_connection_timeout=
; dirmessage_enable=
; ftpd_banner=
; guest_enable=
; guest_username=
; idle_session_timeout=
; listen=
; listen_ipv6=
; local_enable=
; local_umask=
; max_clients=
; max_per_ip=
; nopriv_user=
; pam_service_name=
; rsa_cert_file=
; rsa_private_key_file=
; secure_chroot_dir=
; ssl_enable=
; use_localtime=
; user_config_dir=
; write_enable=
; xferlog_enable=
; xferlog_file=
; xferlog_std_format=
; allow_writeable_chroot=
===== Exemple de fichier =====
# On désactive les connexions anonymes # et on active les non-anonymes # (c'est le cas des utilisateurs virtuels) anonymous_enable=NO local_enable=YES # Pour des raisons de sécurité, on interdit toute action d'écriture : #write_enable=NO #anon_upload_enable=NO #anon_mkdir_write_enable=NO #anon_other_write_enable=NO # "guest_enable" active les utilisateurs virtuels # "guest_username" fait correspondre # tous les utilisateurs virtuels # à l'utilisateur d'Apache 2 guest_enable=YES guest_username=www-data nopriv_user=www-data # On définit les droits par défaut # des fichiers uploadés anon_umask=022 local_umask=022 dirmessage_enable=YES use_localtime=YES xferlog_enable=YES xferlog_file=/var/log/vsftpd.log xferlog_std_format=YES connect_from_port_20=YES chown_uploads=YES chown_username=www-data idle_session_timeout=600 data_connection_timeout=120 ftpd_banner=Bienvenue sur le serveur FTP de ... ! # On enferme les utilisateurs virtuels dans leur dossier chroot_local_user=YES chroot_list_enable=YES chroot_list_file=/etc/vsftpd.chroot_list allow_writeable_chroot=YES # On définit le nombre maximum de sessions à 100 # On définit le nombre maximum de sessions par IP à 5 max_clients=100 max_per_ip=5 #################################### # Debian customization # # (ou adoptons la Debian attitude) # #################################### secure_chroot_dir=/var/run/vsftpd # Utilisation de PAM pour l'authentification pam_service_name=vsftpd rsa_cert_file=/etc/ssl/certs/vsftpd.pem rsa_private_key_file=/etc/ssl/private/vsftpd.key #ssl_enable=NO # Configuration par utilisateur user_config_dir=/etc/vsftpd/users.conf
===== Les options =====
listen=YES
; listen_ipv6 (défaut = NO)
#listen_ipv6=NO
; listen_port (défaut = 21)
#listen_port=21
; ftp_data_port (défaut = 20)
#ftp_data_port=20
; max_clients (défaut = 0 → pas de limite)
max_clients=4
; max_per_ip (défaut = 0 → pas de limite)
max_per_ip=1
; nopriv_user
nopriv_user=ftpsecure
; background (défaut
#background=NO
; check_shell (défaut
#check_shell=YES
; connect_from_port_20 (défaut
#connect_from_port_20=NO
; one_process_model (défaut
#one_process_model=NO
; run_as_launching_user (défaut
A n'activer que si on sait ce que l'on fait. Peut créer des grands problèmes de sécurité. En particulier, cela empêche d'utiliser chroot pour limiter les accès
#run_as_launching_user=NO
; tcp_wrappers (défaut
#tcp_wrappers=NO
; listen_address (défaut
#listen_address=
; listen_address6 (défaut
#listen_address6=
==== Options de connexion ====
#pasv_enable=YES
; pasv_max_port (défaut = 0 ⇒ pas de limite)
pasv_max_port=2020
; pasv_min_port (défaut = 0 ⇒ pas de limite)
pasv_min_port=2020
; pasv_address (défaut = “”)
pasv_address=217.217.36.25
; pasv_promiscuous (défaut = NO)
#pasv_promiscuous=NO
; accept_timeout (défaut = 60)
#accept_timeout=60
=== Mode PORT ===
port_enable=NO
; ftp_data_port (défaut = 20)
port de données
ftp_data_port=2020
; connect_from_port_20 (défaut = NO)
#connect_from_port_20=NO
; port_promiscuous (défaut = NO)
#port_promiscuous=NO
; connect_timeout (défaut = 60)
#connect_timeout=60
=== Autres options ===
#data_connect_timeout=300
==== Cryptage des connexions ====
Cette option spécifie l'emplacement du certificat RSA à utiliser pour les connexions cryptées SSL.
ssl_enable=YES
; ssl_tlsv1
ssl_tlsv1=YES
; ssl_sslv2
ssl_sslv2=NO
; ssl_sslv3
ssl_sslv3=NO
; ssl_ciphers
ssl_ciphers=DES-CBC3-SHA
; dsa_cert_file
dsa_cert_file=/etc/ssl/certs/vsftpd.pem
; rsa_cert_file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
; force_local_data_ssl
force_local_data_ssl=YES
; force_local_logins_ssl
force_local_logins_ssl=YES
==== Gestion des logs ====
dual_log_enable=YES
; vsftpd_log_file (défaut = /var/log/vsftpd.log)
#vsftpd_log_file=/var/log/vsftpd.log
; syslog_enable (défaut = NO)
#syslog_enable=NO
=== xferlog ===
xferlog_enable=YES
; xferlog_file (défaut = /var/log/xferlog)
#xferlog_file=/var/log/xferlog
; xferlog_std_format (défaut =NO)
xferlog_std_format=YES
; log_ftp_protocol (défaut = NO)
#log_ftp_protocol=NO
=== Options non définies ===
==== Utilisateurs anonymes ====
anonymous_enable=NO
; allow_anon_ssl
allow_anon_ssl=NO
; no_anon_password (défaut = NO)
no_anon_password=YES
; deny_email_enable (défaut = NO)
#deny_email_enable=NO
; banned_email_file (défaut = /etc/vsftpd.banned_emails)
#banned_email_file=/etc/vsftpd.banned_emails
; secure_email_list_enable
secure_email_list_enable=NO
; email_password_file
#email_password_file=/etc/vsftpd.email_passwords
; anon_root (pas de valeur par défaut)
anon_root=/var/ftp
; ftp_username (défaut = ftp)
#ftp_username=ftp
; (défaut = NO)
#anon_mkdir_write_enable=NO
; anon_other_write_enable
anon_other_write_enable=NO
; anon_upload_enable (défaut = NO)
#anon_upload_enable=NO
!!
; chown_uploads (défaut = NO)
chown_uploads=YES
; chown_username (défaut = root)
chown_username=ftp
; anon_world_readable_only (défaut = YES)
#=YES
==== Utilisateurs locaux ====
local_enable=YES
; local_root (pas de valeur par défaut)
local_root=/var/ftp
; local_umask (défaut = 022)
local_umask=007
; local_max_rate (défaut
local_max_rate=0
=== Chroot des utilisateurs locaux ===
chroot_local_user=YES
; chroot_list_enable (défaut = NO)
#chroot_list_enable=NO
; chroot_list_file (défaut = /etc/vsftpd.chroot_list)
#chroot_list_file=/etc/vsftpd.chroot_list
; passwd_chroot_enable (défaut = NO)
#passwd_chroot_enable=NO
==== Options FTP ====
ftpd_banner=Welcome to the %%ftp.nuts.fr%% FTP service
.
; banner_file
#banner_file=
; dirmessage_enable (défaut = YES, .message)
#dirmessage_enable=YES ; message_file : Fichier <code>#message_file=.message
; dirlist_enable (défaut = YES)
#dirlist_enable=YES
; ls_recurse_enable
ls_recurse_enable=YES
; text_userdb_names (défaut = NO)
text_userdb_names=YES
; download_enable (défaut = YES)
#download_enable=YES
; write_enable (défaut = YES)
#write_enable=YES
; file_open_mode
file_open_mode=0666
; ascii_upload_enable
ascii_upload_enable=YES
; ascii_download_enable
ascii_download_enable=YES
=== Options non définies ===
#async_abor_enable=YES
; force_dot_files
#force_dot_files=NO
; hide_ids
#hide_ids=NO
; tilde_user_enable
#tilde_user_enable=NO
; use_localtime
#use_localtime=NO
; cmds_allowed
#cmds_allowed=
; deny_file
#deny_file=
; hide_file
#hide_file=
== Debian customization ==
# Some of vsftpd's settings don't fit the Debian filesystem layout by # default. These settings are more Debian-friendly. # # This option should be the name of a directory which is empty. Also, the # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. secure_chroot_dir=/var/run/vsftpd # # This string is the name of the PAM service vsftpd will use. pam_service_name=vsftpd