Set up vsftpd with SELinux

How to set up vsftpd with SELinux

vsftpd is a fast and secure FTP server. Installing an FTP server gives you a simple way to upload files to your server (droplet). This tutorial describes how to install and set up vsftpd on CentOS 6.

The "vs" in vsftpd stands for "very secure": the program was designed from the start to offer the strongest possible protection against known FTP vulnerabilities.

Step One: Install vsftpd with yum

Since vsftpd is included in the default yum repositories, we will install it with yum.

yum install vsftpd -y

Once the files finish downloading, vsftpd will be installed on your server. The default configuration is already reasonably secure, but it allows anonymous users. We will not need anonymous access, so we must disable it.

vim /etc/vsftpd/vsftpd.conf

To disable anonymous users in vsftpd, adjust the following line to say NO.

anonymous_enable=NO

To let local users use vsftpd while keeping each of them confined to their own home directory, change the following value.

chroot_local_user=YES

Now start the service and enable it to start automatically on boot:

service vsftpd restart

and

chkconfig vsftpd on

Configure SELinux for FTP

Let's first check which SELinux booleans exist for FTP and what their default values are.

getsebool -a | grep ftp

You should see something like the following:

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off

You need to turn on the ftp_home_dir boolean (lets vsftpd read and write files in users' home directories) and the ftpd_use_passive_mode boolean (lets it accept passive-mode data connections on unreserved ports). The -P flag makes the change persistent across reboots.

setsebool -P ftp_home_dir on
setsebool -P ftpd_use_passive_mode on
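As an added example (not part of the original article), the following POSIX shell script checks both of the things configured so far: it audits a vsftpd.conf for anonymous_enable=NO and chroot_local_user=YES, and reads a `getsebool -a` listing to print the setsebool commands that are still needed. The sample config file and boolean listing are constructed inline, and the function names are the example's own. On a real system, pipe in `cat /etc/vsftpd/vsftpd.conf` and `getsebool -a` instead of the samples.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the two settings
# changed in /etc/vsftpd/vsftpd.conf above and the two SELinux booleans that
# must be on. Sample inputs are constructed inline so the script runs offline;
# the function names are this example's own.

# Print the effective value of key $1 from vsftpd.conf text on stdin.
# Commented-out lines ("#key=...") are ignored; if a key is assigned more
# than once the last assignment is reported (assumption about vsftpd's
# parser: later lines override earlier ones).
vsftpd_get() {
    sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# Audit vsftpd.conf text on stdin. Prints one line per required setting
# and returns 1 if any of them is unset or has the wrong value.
vsftpd_audit() {
    cfg=$(cat)
    rc=0
    for want in anonymous_enable=NO chroot_local_user=YES; do
        key=${want%%=*}
        expect=${want#*=}
        got=$(printf '%s\n' "$cfg" | vsftpd_get "$key")
        if [ "$got" = "$expect" ]; then
            echo "ok   $key=$got"
        else
            echo "FIX  $key=${got:-<unset>} (want $expect)"
            rc=1
        fi
    done
    return $rc
}

# From `getsebool -a` output on stdin, print the setsebool command for each
# boolean this guide needs that is not already on. Returns 1 if any is off.
ftp_booleans_off() {
    bools=$(cat)
    rc=0
    for b in ftp_home_dir ftpd_use_passive_mode; do
        state=$(printf '%s\n' "$bools" | sed -n "s/^$b --> //p")
        if [ "$state" != "on" ]; then
            echo "setsebool -P $b on"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample resembling a freshly installed CentOS 6 vsftpd.conf.
DEFAULT_CONF='# Example config file /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
listen=YES'

# The same file after the edits described above.
HARDENED_CONF='anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES'

# Constructed sample of the `getsebool -a | grep ftp` listing shown above.
SEBOOLS='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
ftp_home_dir --> off
ftpd_use_passive_mode --> off'

echo "== default vsftpd.conf =="
printf '%s\n' "$DEFAULT_CONF" | vsftpd_audit || echo "-> edit the file"
echo "== hardened vsftpd.conf =="
printf '%s\n' "$HARDENED_CONF" | vsftpd_audit && echo "-> all good"
echo "== SELinux booleans still to set =="
printf '%s\n' "$SEBOOLS" | ftp_booleans_off || true
```

The audit deliberately reads the file the way an administrator would expect vsftpd to (uncommented lines only, last assignment wins), so a leftover `#chroot_local_user=YES` from the stock file is reported as unset rather than as a pass.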

Configure iptables for FTP

By default, the CentOS 6 iptables ruleset only accepts inbound connections on port 22 (SSH). This means we also have to open port 21 (control connection) and port 20 (active-mode data connection) on the server.

Allow FTP control connections on port 21 (clients connect to this port on the server):

/sbin/iptables -A INPUT  -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

Allow active FTP data connections (the server opens these from its port 20 to the client):

/sbin/iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT  -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

Allow passive FTP data connections (the client connects from an unprivileged port to an unprivileged port on the server):

/sbin/iptables -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

Two things to check before saving. First, the stock CentOS 6 INPUT chain ends with a REJECT rule, and rules appended with -A land after it, so confirm with "iptables -L INPUT -n --line-numbers" that the new ACCEPT rules come before that REJECT (or insert them in front of it with -I). Second, the RELATED matches only work when the FTP connection-tracking helper (nf_conntrack_ftp) is loaded; add it to IPTABLES_MODULES in /etc/sysconfig/iptables-config so it is loaded with the rules. Then save the rules so they survive a reboot:

/etc/init.d/iptables save
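The rule-ordering point matters enough to check mechanically. The script below is an added example, not part of the original article: it parses an iptables-save style ruleset (the format of /etc/sysconfig/iptables, or of `iptables-save` output) and reports whether an ACCEPT for a given port in the INPUT chain is reached before the chain-ending REJECT, and at which position a new rule must be inserted to land in front of it. The two rulesets are constructed to resemble the stock CentOS 6 chain, whose last INPUT rule is "-A INPUT -j REJECT --reject-with icmp-host-prohibited"; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: check an iptables-save
# style ruleset for the ordering pitfall described above. Rules appended
# with -A go to the end of the chain, so on a stock CentOS 6 ruleset, whose
# INPUT chain ends in "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
# an appended ACCEPT for port 21 is never reached. Sample rulesets are
# constructed inline; the function names are this example's own.

# Usage: input_port_reachable PORT < ruleset
# Walks the INPUT chain top to bottom and returns 0 if an ACCEPT for
# tcp --dport PORT is met before any rule that ends the chain for
# everything ("-A INPUT -j REJECT ..." / "-A INPUT -j DROP ...") or that
# rejects/drops that port explicitly; returns 1 otherwise.
input_port_reachable() {
    port=$1
    rules=$(grep '^-A INPUT ' || true)
    result=1
    while read -r line; do
        case "$line" in
            *"--dport $port "*"-j ACCEPT"*) result=0; break ;;
            *"--dport $port "*"-j REJECT"*|*"--dport $port "*"-j DROP"*) break ;;
            "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) break ;;
        esac
    done <<EOF
$rules
EOF
    return $result
}

# Usage: input_reject_position < ruleset
# Prints the 1-based position of the first chain-ending REJECT/DROP in
# INPUT, which is the N to pass to "iptables -I INPUT N ..." so that a
# new rule lands in front of it. Prints nothing and returns 1 if none.
input_reject_position() {
    n=0
    rules=$(grep '^-A INPUT ' || true)
    while read -r line; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        case "$line" in
            "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) echo "$n"; return 0 ;;
        esac
    done <<EOF
$rules
EOF
    return 1
}

# Constructed: the stock CentOS 6 filter table with the port 21 rule from
# this guide appended with -A, i.e. placed after the final REJECT.
APPENDED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed: the same rule inserted in front of the REJECT instead.
INSERTED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

for name in APPENDED INSERTED; do
    eval "ruleset=\$$name"
    if printf '%s\n' "$ruleset" | input_port_reachable 21; then
        echo "$name: port 21 is reachable"
    else
        pos=$(printf '%s\n' "$ruleset" | input_reject_position)
        echo "$name: port 21 is NOT reachable; insert the rule with: iptables -I INPUT $pos ..."
    fi
done
```

To check the live system, run `iptables-save | sh -c '. ./check.sh; input_port_reachable 21'` or simply feed /etc/sysconfig/iptables to the functions after sourcing the file; the position printed by input_reject_position is the one to use with "iptables -I INPUT N" so the FTP rules end up in front of the REJECT.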