Linux Internet Web Server and Domain Configuration Tutorial

Posted in How To's by Shafkat Shahzad, M.Sc - Senior Technical Content Manager on April 18th, 2009

The tutorial will cover the Linux server configuration necessary to create a web site. The Apache web server, FTP server and DNS configuration are covered. The Apache web server is required to serve the web pages, the FTP server is required for users to upload content and the DNS server is required to resolve the domain names so that a URL entered into a web browser will point to your web server and properly serve the correct pages. The configurations presented will include virtual hosting which will allow a single Linux server to support multiple web site domains.

Prerequisites:
It is important to note the Prerequisites. This tutorial also assumes that a computer has Linux installed and running. A connection to the internet is also assumed. A connection of 128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k modem will work but the results will be mediocre at best. The tasks must also be performed with the root user login and password.

Software Prerequisites:
The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are all required. One can use the rpm command to verify installation:
• Fedora Core 1+, Red Hat Enterprise 4, CentOS 4:
rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd
RPMs added FC2+: system-config-httpd
RPMs added FC3+: httpd-suexec
• Red Hat 9.0
rpm -q httpd bind xinetd vsftpd
A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later with security fix wu-ftpd-2.6.2-11+) or install from source.
• Red Hat 8.0
rpm -q httpd bind xinetd wu-ftpd
• Red Hat 7.x:
rpm -q apache bind inetd wu-ftpd
Use wu-ftpd version 2.6.2 or later to avoid security problems.
• SuSE 9.3:
rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
Note: The apache2-MPM is a generic term for Apache installation options for “Multi-Processing Modules (MPM)s “prefork” or “worker”. If you try and only install apache2 you will get the following error:
apache2-MPM is needed by apache2-2.0.53-9
Also see Apache.org: MPMs
• Ubuntu (dapper 6.06/hardy 8.04) / Debian:
apt-get install apache2
apt-get install apache2-common
apt-get install apache2-mpm-prefork
apt-get install apache2-utils
apt-get install bind9
apt-get install vsftpd
One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial for more info.

Apache HTTP Web server configuration:
This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of Linux HTTP servers for a list of other web servers for the Hyper Text Transport Protocol.
The Apache configuration file is: /etc/httpd/conf/httpd.conf
Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:
• Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4, CentOS 4: /var/www/html/
• Red Hat 6.x and older: /home/httpd/html/
• Suse 9.x: /srv/www/htdocs/
• Ubuntu (dapper 6.06/hardy 8.04) / Debian: /var/www/html
The default home page for the default configuration is index.html. Note the pages should not be owned by user apache as this is the process owner of the httpd web server daemon. If the web server process is comprimised, it should not be allowed to alter the files. The files should of course be readable by user apache.
Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:
• Virtual hosts: One IP address but multiple domains - “Name based” virtual hosting.
• Multiple IP based virtual hosts: One IP address for each domain - “IP based” virtual hosting.
The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/.
[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755 /home/user1/public_html
[Potential Pitfall] When creating new “Directory” configuration directives, I found that placing them by the existing “Directory” directives to be a bad idea. It would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the “Directory” statement. Previously in RH 6.x the files were separated and the order was defined a little different. I now place new “Directory” statements near the end of the file just before the “VirtualHost” statements.
For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.
Files used by Apache:
• Start/stop/restart script:
o Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
o SuSE 9.3: /etc/init.d/apache2
o Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/init.d/apache2
• Apache main configuration file:
o Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
o SuSE: /etc/apache2/httpd.conf
(Need to add directive: ServerName host-name)
o Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/apache2/apache2.conf
• Apache suplementary configuration files:
o Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
o SuSE: /etc/apache2/conf.d/component.conf
o Ubuntu (dapper 6.06/hardy 8.04) / Debian:
 Virtual domains: /etc/apache2/sites-enabled/domain
(Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on)
 Additional configuration directives: /etc/apache2/conf.d/
 Modules to load: /etc/apache2/mods-available/
(Soft link to /etc/apache2/mods-enabled/ to turn on)
 Ports to listen to: /etc/apache2/ports.conf
• /var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
(Suse: /var/log/apache2/)
Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status.
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script invoked upon system boot issue the command chkconfig –add httpd. See Linux Init Process Tutorial for a more complete discussion.
Also Apache control tool: /usr/sbin/apachectl start
Apache Control Command: apachectl:
Red Hat / Fedora Core / CentOS: apachectl directive
Ubuntu dapper 6.06 / hardy 8.04 / Debian: apache2ctl directive

Directive description.
It is a good idea to know the description of the directive.

start
Start the Apache httpd daemon. Gives an error if it is already running.
stop
Stops the Apache httpd daemon.
graceful
Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
restart
Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn’t die.
status
Displays a brief status report.
fullstatus
Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
Configtest-t
Run a configuration file syntax test.

Apache Configuration Files:
• /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual.
• /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations.
• /etc/sysconfig/httpd: Holds environment variables used when starting Apache.
Basic settings: Change the default value for ServerName www.
Giving Apache access to the file system: It is prudent to limit Apache’s view of the file system to only those directories necessary. This is done with the directory statement. Start by denying access to everything, then grant access to the necessary directories.
Deny access completely to file system root (”/”) as the default:

Options None
AllowOverride None

Grant access to a user’s directory:

AllowOverride None
order allow,deny
allow from all
Options Indexes Includes FollowSymLinks

OR
use the statement UserDir public_html which does this by default for every user account at $HOME/public_html. Change to a comment (add “#” at beginning of line) from Fedora Core default UserDir disable.
Also use SELinux command: setsebool httpd_enable_homedirs true
File permissions: The Apache web server daemon must be able to read your web pages in order to feed thier contents to the network. Use an appropriate umask and file protection. This works: chmod ugo+r -R public_html
One may also use groups to control permisions. See the YoLinux tutorial on managing groups.
[Potential Pitfall]: If the Apache web server can not access the file you will get the error “403 Forbidden” “You don’t have permission to access file-name on this server.” Note the default permissions on a user directory when first created with “useradd” are:
drwx—— 3 userx userx
You must allow the web server running as user “apache” to access the directory if it is to display pages held there.
Fix with command: chmod ugo+rx /home/userx
drwxr-xr-x 3 userx userx
SELinux security contexts:
Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels.
To view the security context labels applied to your web page files use the command: ls -Z
The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):
SELINUX=disabled

or using the command setenforce 0 to temporarily disable SELinux until the next reboot.
When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not recieve the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).
Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:
• -R: Recursive. Files and directories in current directory and all subdirectories.
• -h: Affect symbolic links.
• -t: Specify type of security context.
Use the following security contexts:
Context type descrioton
httpd_sys_content_t
Used for static web content. i.e. HTML web pages.
httpd_sys_script_exec_t
Use for executable CGI scripts or binary executables.
httpd_sys_script_rw_t
CGI is allowed to alter/delete files of this context.
httpd_sys_script_ra_t
CGI is allowed to read or append files of this context.
httpd_sys_script_ro_t
CGI is allowed to read files and directories of this context
Set the following options: setsebool httpd-option true
(or set to false)
Policy Description
httpd_enable_cgi
Allow httpd cgi support.
httpd_enable_homedirs
Allow httpd to read home directories.
httpd_ssi_exec
Allow httpd to run SSI executables in the same domain as system CGI scripts.
Then restart Apache:
• Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
• Red Hat/Fedora: service httpd restart
The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans
Virtual Hosts:
The Apache web server allows one to configure a single computer to represent multiple websites as if they were on separate hosts. There are two methods available and we describe the configuration of each. Choose one method for your domain:
• Name based virtual host: (most common) A single computer with a single IP adress supporting multiple web domains. The web browser using the http protocol, identifies the domain being addressed.
• IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.
Configuring a “name based” virtual host:
A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated linux server which hosts a single web site.)

NameVirtualHost XXX.XXX.XXX.XXX

ServerName www.your-domain.com - CNAME (bind DNS alias www) specified in Bind configuration file (/var/named/…)
ServerAlias your-domain.com - Allows requests by domain name without the “www” prefix.
ServerAdmin user1@your-domain.com
DocumentRoot /home/user1/public_html
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log

Important note
It is important to note following
• You can specify more than one IP address. i.e. if web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.
NameVirtualHost XXX.XXX.XXX.XXX
NameVirtualHost 192.168.XXX.XXX


..
• Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address.
One can use DNS views to provide different local network DNS results.
• http://www.domain-name.com and http://domain-name.com.
• Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.

… This part remains the same
..

# Add a VirtualHost definition for what was once the default.

ServerName www.your-domain.com
ServerAlias your-domain.com
ServerAdmin user1@your-domain.com
DocumentRoot /var/www/html
ErrorLog logs/error_log
TransferLog logs/access_log


..
• Forwarding to a primary URL. It is best to avoid the appearance of duplicated web content from two URLs such as http://www.your-domain.com and http://your-domain.com. Supply a forwarding Apache “Redirect”.
# Add a VirtualHost definition to forward to your primary URL

ServerName your-domain.com
ServerAlias other-domain.com
ServerAlias www.other-domain.com
Redirect permanent / http://www.your-domain.com.com/


..
• When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a “NameVirtualHost” for each IP address.
After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian)
Apache virtual domain configuration with Ubuntu Dapper/Hardy:
Ububntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created to the directory /etc/apache2/sites-enabled/.
Example: /etc/apache2/sites-available/supercorp

ServerName supercorp.com
ServerAlias www.supercorp.com
ServerAdmin webmaster@localhost

DocumentRoot /home/supercorp/public_html/home

Options FollowSymLinks
AllowOverride None

Options Indexes FollowSymLinks MultiViews
IndexOptions SuppressLastModified SuppressDescription
AllowOverride All
Order allow,deny
allow from all

ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all

ErrorLog /var/log/apache2/supercorp.com-error.log

# Possible values include: debug, info, notice, warn, error,
# crit, alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/supercorp.com-access.log combined
ServerSignature On

Enable domain:
• Create soft link:
o Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
o Use Ubuntu scripts a2ensite/a2dissite. Type command and it will prompt you as to which site you would like to enable or disable.
• Restart Apache:
o apache2ctl graceful
or
o /etc/init.d/apache2 restart
or
o /etc/init.d/apache2 reload
Also note that Apache modules can also be enabled/disabled with scripts a2enmod/a2dismod.
Configuring an “IP based” virtual host:
One may assign multiple IP addresse to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then be it’s own virtual server and individual domain. The downside of the “IP based” virtual host method is that you have to possess multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is more popular for this reason.

NameVirtualHost * - Indicates all IP addresses

ServerAdmin user0@default-domain.com
DocumentRoot /home/user0/public_html

ServerAdmin user1@domain-1.com
DocumentRoot /home/user1/public_html

ServerAdmin user1@domain-2.com
DocumentRoot /home/user2/public_html

The default block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for https URL’s.
CGI: (Common Gateway Interface)
CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:
• ScriptAlias:
o Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ “/var/www/cgi-bin/”
o Red Hat 6.x and older: ScriptAlias /cgi-bin/ “/home/httpd/cgi-bin/”
o Suse 9.x: ScriptAlias /cgi-bin/ “/srv/www/cgi-bin/”
o Ubuntu (dapper/hardy) / Debian: ScriptAlias /cgi-bin/ “/usr/lib/cgi-bin/”
or
• Options +ExecCGI:

Options +ExecCGI

The executable program files must have execute privileges, executable by the process owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the httpd daemon is being run.
Configuring CGI To Run With User Privileges:
The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

NameVirtualHost XXX.XXX.XXX.XXX

ServerName node1.your-domain.com - Allows requests by domain name without the “www” prefix.
ServerAlias your-domain.com www.your-domain.com - CNAME (alias www) specified in Bind configuration file (/var/named/…)
ServerAdmin user1@your-domain.com
DocumentRoot /home/user1/public_html/your-domain.com
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log

SuexecUserGroup user1 user1

Options +ExecCGI +Indexes
AddHandler cgi-script .cgi

ERROR Pages:
You can specify your own web pages instead of the default Apache error pages:
ErrorDocument 404 /Error404-missing.html
Create the file Error404-missing.html in your “DocumentRoot” directory.
PHP:
If the appropriate php, perl and httpd RPM’s are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):
• php: HTML-embedded scripting language
• php-pear: PEAR is a framework and distribution system for reusable PHP components.
• php-mysql: MySQL database support.
• php-ldap: Lightweight Directory Access Protocol (LDAP) support
Apache configuration:
Add php default page index.php to apache config file: /etc/httpd/conf/httpd.conf

DirectoryIndex index.html index.htm index.php

PHP Configuration File:
• RHEL4 - PHP 4.3: /etc/php.ini
• Ubuntu Daper 6.06/6.11: /etc/php5/apache2/php.ini
[PHP]
engine = On


display_errors = Off
include_path = “.:/php/includes”


memory_limit = 32M ; Default is typically 8MB which is too low.

[MySQL]


mysql.default_host = superserver ; Hostname of the computer
mysql.default_user = dbuser

Note that changes will not take effect until the apache web server daemon is restarted.
Test you PHP capabilities with this test file: /home/user1/public_html/test.php

OR (older format)

Test: http://localhost/~user1/test.php

Running Multiple instances of httpd:
The Apache web server daemon (httpd) can be started with the command line option “-f” to specify a unique configuration file for each instance. Configure a unique IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.

Apache Man Pages:
• httpd - Apache Hypertext Transfer Protocol Server
• apachectl - Apache HTTP Server Control Interface
• ab - Apache HTTP server benchmarking tool
• htdigest - manage user files for digest authentication
• htpasswd - Manage user files for basic authentication
• logresolve - Resolve IP-addresses to hostnames in Apache log files
• rotatelogs - Piped logging program to rotate Apache logs
Apache Red Hat / Fedora Core GUI configuration:
GUI configuration tool:
• Fedora Core 2/3/4: /usr/bin/system-config-httpd
• Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd
Adding web site login and password protection: See the YoLinux tutorial on web site password protection.
Log file analysis:
Scanning the Apache web log files will not provide meaningfull statistics unless they are graphed or presented in an easy to read fashion. The following packages to a good job of presenting site statistics.
• Analog - Also see Report Magic for Analog
• Webalizer
• AWStats - (requires PERL)
Web site statistic services:
• eXTReMe Tracking
Load testing your server:
• PureLoad - JAVA load testing and reporting tool.
• WebPerformance Trainer - Load Testing Tools.
Apache Links:
• CgiWrap - setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own userid
• Thumbprint - CGI for viewing a directory of images as thumbnails
• WWWThreads.org - Commercial product - Advanced Web Conferencing Software
• Configuring https (mod_ssl):
o Mod_SSL.org: Home Page
o Mod_SSL.org: Mod_SSL HowTo
o Mod_SSL.org: Steps to create SSL server certificate
o https configuration

Log file analysis using Analog:
Installation:
• Red Hat / Fedora: yum install analog
• Ubuntu / Debian: apt-get install analog
Configuration file: /etc/analog.cfg

LOGFILE /var/log/httpd/yourdomain.com-access_log* http://www.yourdomain.com
UNCOMPRESS *.gz,*.Z “gzip -cd”
SUBTYPE *.gz,*.Z
#
OUTFILE /home/user1/public_html/analog/Report.html
#
HOSTNAME “YourDomain.com”
HOSTURL http://www.yourdomain.com

….

..

REQINCLUDE pages # Request page stats only
ALL ON
LANGUAGE US-ENGLISH

One can view the settings which be used with your configuration file (also good for debugging): analog -settings
Make Analog images available to the users report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog
Log file location:
• Red Hat / Fedora: /var/log/httpd/
• Ubuntu / Debian: /var/log/apache2/
The Directive ALL ON turns on all of the following:

Analog Directive Description
MONTHLY ON
one line for each month
WEEKLY ON
one line for each week
DAILYREP ON
one line for each day
DAILYSUM ON
one line for each day of the week
HOURLYREP ON
one line for each hour of the day
GENERAL ON
the General Summary at the top
REQUEST ON
which files were requested
FAILURE ON
which files were not found
DIRECTORY ON
Directory Report
HOST ON
which computers requested files
ORGANISATION ON
which organisations they were from
DOMAIN ON
which countries they were in
REFERRER ON
where people followed links from
FAILREF ON
where people followed broken links from
SEARCHQUERY ON
the phrases and words they used…
SEARCHWORD ON
…to find you from search engines
BROWSERSUM ON
which browser types people were using
OSREP ON
and which operating systems
FILETYPE ON
types of file requested
SIZE ON
sizes of files requested
STATUS ON
number of each type of success and failure

Cron job to handle multiple domains: /etc/cron.daily/analog
#!/bin/sh
cp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg
/usr/bin/analog
cp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg
/usr/bin/analog


Measuring Web Server Performance:
Web performance benchmarking tool httperf. Httperf sends requests to the web server at a specified rate and gathers stats. Increase till one finds the saturation point.
Installation:
• Debian: apt-get install httperf
Example useage:
• Print performance stats for home page of yourdomain.com: httperf –hog –server www.yourdomain.com
• Create 100 connections at a rate of 10/sec: httperf –hog –server http://www.yourdomain.com/ –num-conn 100 –rate 10 –timeout 5
• Generate 10 sessions at a rate of i seesion/sec every 2 seconds: httperf –hog –ser=www –wsess=10,5,2 –rate 1 –timeout 5
httperf command line options:
Commands and their descriptions
–hog
Use as many TCP ports as necessary to generate stats (else limited to port 1024-5000)
–num-calls
Session oriented workloads.
–max-connections=#
Limit the number of connections to that specified.
–num-calls=#
Specify the number of calls to issue on each connection before closing it.
–server host-name
Default localhost. Specify IP address of host name.
–wsess=N1,N2,X
Specify session where
N1: number of sessions
N2: number of calls per session
X: delay between calls (sec)
–timeout
Stop if there is no response within timeout period.

FTPd and FTP user account configuration
Many FTP programs exist. This example covers the popular vsftpd (Red Hat default 9.0, Fedora Core, Suse) and wu-ftpd (Washington University) program which comes standard with RedHat (last shipped with RedHat 8.0 but can be installed on any Linux system). (RPM: wu-ftpd) There are other FTP programs including proFtpd (supports LDAP authentication, Apache like directives, full featured ftp server software), bftpd, pure-ftpd (free BSD and optional on Suse), etc …
FTPd configuration tutorials:
• # vsFTPd: Configuration
• # WU-FTPd: Configuration
• # FTP Clients: Links
vsFTPd and FTP user account configuration
The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recomended FTP daemon for use on FTP servers.
Enable vsftpd:
• Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation.
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig –add vsftpd
• SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart
Note: vsftpd can also be run as a stand-alone service to achieve a faster response time.
• Ubuntu (dapper/hardy) / Debian:
o Install: apt-get install vsftpd
o VsFTPd is a stand alone service.
 Start: /etc/init.d/vsftpd start
 Stop: /etc/init.d/vsftpd stop
 Restart: /etc/init.d/vsftpd restart
(Use this command after making configuration file changes)

Configuration files:
• vsFTPd configuration file:
o Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
o S.u.S.e. / Ubuntu (dapper/hardy) / Debian: /etc/vsftpd.conf
Default for Fedora Core 3:
anonymous_enable=YES - Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp

local_enable=YES - Uncomment this to allow local users to log in with FTP.

write_enable=YES - Uncomment this to enable any form of FTP write or upload command.

local_umask=022 - Default is 077. Umask 022 is used by most other ftpd’s.

#anon_upload_enable=YES - Uncomment to allow the anonymous FTP user to upload files.
Requires the above global write enabled. Directory must also be writable by user.
#anon_mkdir_write_enable=YES - Uncomment this to allow the anonymous FTP user to be able to create new directories.

dirmessage_enable=YES - Activate directory messages.
Messages given to remote users when they enter certain directories
xferlog_enable=YES - Activate logging of uploads/downloads.
connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)
#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log
xferlog_std_format=YES - Output to log file in standard ftpd xferlog format
#idle_session_timeout=600 - Set timing out for an idle session.
#data_connection_timeout=120- Set timing out for an idle data connection. Port 20
#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user.
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.
#async_abor_enable=YES
#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. Disables command “ascii” and “SIZE /big/file”.
#ascii_download_enable=YES
#ftpd_banner=Welcome to YoLinux - Customize the login banner string.
#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.
#banned_email_file=/etc/vsftpd.banned_emails (default)
#chroot_list_enable=YES- List users chroot()’d to their home directory. If “NO”, list users not chroot()’d.
#chroot_list_file=/etc/vsftpd.chroot_list (default)
ls_recurse_enable=YES- Allow “ls -R” recursive directory list. Default is disabled.
pam_service_name=vsftpd
userlist_enable=YES - (Default) Deny users specified in file /etc/vsftpd.user_list If “userlist_enable=NO” then allow specified users.
#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.

listen=YES - Enable for standalone mode as opposed to an xinetd service.
tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)
[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:
directive=XXX # comment
vsftp.conf man page
• Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)
user1
user2

user-n
• If userlist_enable=NO, then specify users not to be chroot’d..
• Specify list of users: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES)
Also see PAM configuration below.
root
bin
daemon
adm
lp
sync
shutdown
halt

• If userlist_enable=NO, then specify valid users.
• PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
• This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files.
• File: /etc/vsftpd.ftpusers
root
bin
daemon
adm
lp
sync
shutdown
halt

• Logrotate configuration file: /etc/logrotate.d/vsftpd.log
/var/log/xferlog {
# ftpd doesn’t handle SIGHUP properly
nocompress
missingok
}
Sample vsFTPd configurations:
• Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf
# Access rights
anonymous_enable=YES - Turn on anonymous FTP
chown_uploads=YES - Uploaded files owned by an assigned user
chown_username=ftp - Uploaded files owned by this assigned user
local_enable=NO
write_enable=NO - No upload of files system changes allowed
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
anon_max_rate=50000

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
• Anonymous logins use the login name “anonymous” and then the user supplies their email address as a password. Any password will be accepted. Used to allow the public to download files from an ftp server. Generally, no upload is permitted.
• Web hosting configuration: /etc/vsftpd/vsftpd.conf
# Access rights
anonymous_enable=NO
local_enable=YES - Allow users to ftp to their home directories
write_enable=YES - Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
local_umask=022
# Security
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO - Don’t remap user name
ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner string.
chroot_local_user=YES - Limit user to browse their own directory only
chroot_list_enable=YES - Enable list of system / power users
chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power users
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
dirmessage_enable=YES - Message greeting held in file .message or specify with message_file=…
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
#
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
• Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)
user1
user2

user-n
• If userlist_enable=NO, then specify users not to be chroot’d..
• [Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning.
• File: .message
A NOTE TO USERS UPLOADING FILES:
File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score (”_”), dash (”-”) or period (”.”) only.
The file name may not begin with a period or dash.
Test if vsftp is listening: netstat -a | grep ftp
[root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
WU-FTPd and FTP user account configuration:
There are three kinds of FTP logins that wu-ftpd provides:
• anonymous FTP - one logs in with the username ‘anonymous’
• real FTP - log in with a real username and password and has access to the entire disk structure.
• guest FTP - one logs in with a real user name and password, but the user is chroot’ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don’t have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.
This tutorial covers “guest” FTP configuration.
The file /etc/ftpaccess controls the configuration of ftp.
# Don’t allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-

class all real,guest *
email webmaster@your-domain.com
loginfails 5

readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*

compress yes all
tar yes all
chmod no guest,anonymous
delete no anonymous # delete files permission?
overwrite no anonymous # overwrite files permission?
rename no anonymous # rename files permission?
delete yes guest # delete files permission?
overwrite yes guest # overwrite files permission?
rename yes guest # rename files permission?
umask no guest # umask permission?

log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

passwd-check rfc822 warn

# Must also create message file /etc/pathmsg of the guest directory.
# In this case it refers to /home/user1/public_html/etc/pathmsg.
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
limit all 2
noretrieve passwd .htaccess core - Do not allow users to download files of these names
limit-time * 20
byte-limit in 5000 - Limit file size
guestuser * - Set system user default to be categorized as a “guest”. A “real” user can roam the system. Guestuser is chrooted.
realgroup regularuserx regularusery - Assign real user privileges to members of groups “regularuserx” and “regularusery”.
Visibility of the whole file system and subject to regular UNIX file permissions
realuser user4 - Assign real user privileges to user id “user4″.

restricted-uid user1 user2 user3 - Restricts FTP to the specified directories
guest-root /home/user1/public_html user1
guest-root /home/user2/public_html user2
guest-root /home/user3/public_html user3

Important note
• user1, user2 and user3 refer to login accounts. Use the appropriate login name.
• The above configuration disables anonymous FTP which allows anyone to perform an FTP login with the id anonymous and an email address as a password. To enable anonymous FTP, change the class directive to:
class all real,guest,anonymous *
• GUI FTP configuration tools:
o /usr/bin/kwuftpd
o /sbin/linuxconf
(Note: Linuxconf is no longer included with Red Hat 7.3 and later)

Bookmark Us
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Mixx
  • Google
  • MisterWong
  • Netvouz
  • Reddit
  • Slashdot
  • Spurl
  • StumbleUpon
  • Technorati
  • Wists

Leave a Comment