[Ubuntu-BR] Vsftpd

Quarta Março 2 19:42:52 UTC 2011

Alem da configuraçao de uma olhada nas listas de segurança saiu um CVE
com falha de segurança sobre vsftp ha 1 ou 2 dias atras. Se voce vai
usa-lo e interessante ver isso tambem.

2011/3/2, Flávio Barros <flaviobarros em gmail.com>:
> Muito obrigado.
>
> Em 2 de março de 2011 12:04, Ivan Brasil Fuzzer
> <ivan em fuzzer.com.br>escreveu:
>
>> Segue abaixo o arquivo de configuração onde eu deixo o home(apenas o home)
>> de cada usuário disponível para acesso.
>>
>>
>> # Example config file /etc/vsftpd.conf
>> #
>> # The default compiled in settings are fairly paranoid. This sample file
>> # loosens things up a bit, to make the ftp daemon more usable.
>> # Please see vsftpd.conf.5 for all compiled in defaults.
>> #
>> # READ THIS: This example file is NOT an exhaustive list of vsftpd
>> options.
>> # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
>> # capabilities.
>> #
>> #
>> # Run standalone?  vsftpd can run either from an inetd or as a standalone
>> # daemon started from an initscript.
>> listen=YES
>> #
>> # Run standalone with IPv6?
>> # Like the listen parameter, except vsftpd will listen on an IPv6 socket
>> # instead of an IPv4 one. This parameter and the listen parameter are
>> mutually
>> # exclusive.
>> #listen_ipv6=YES
>> #
>> # Allow anonymous FTP? (Beware - allowed by default if you comment this
>> out).
>> anonymous_enable=NO
>> #
>> # Uncomment this to allow local users to log in.
>> local_enable=YES
>> #
>> # Uncomment this to enable any form of FTP write command.
>> write_enable=YES
>> #
>> # Default umask for local users is 077. You may wish to change this to
>> 022,
>> # if your users expect that (022 is used by most other ftpd's)
>> local_umask=000
>> #
>> # Uncomment this to allow the anonymous FTP user to upload files. This
>> only
>> # has an effect if the above global write enable is activated. Also, you
>> will
>> # obviously need to create a directory writable by the FTP user.
>> #anon_upload_enable=YES
>> #
>> # Uncomment this if you want the anonymous FTP user to be able to create
>> # new directories.
>> #anon_mkdir_write_enable=YES
>> #
>> # Activate directory messages - messages given to remote users when they
>> # go into a certain directory.
>> dirmessage_enable=YES
>> #
>> # Activate logging of uploads/downloads.
>> xferlog_enable=YES
>> #
>> # Make sure PORT transfer connections originate from port 20 (ftp-data).
>> connect_from_port_20=YES
>> #
>> # If you want, you can arrange for uploaded anonymous files to be owned by
>> # a different user. Note! Using "root" for uploaded files is not
>> # recommended!
>> #chown_uploads=YES
>> #chown_username=whoever
>> #
>> # You may override where the log file goes if you like. The default is
>> shown
>> # below.
>> #xferlog_file=/var/log/vsftpd.log
>> #
>> # If you want, you can have your log file in standard ftpd xferlog format
>> #xferlog_std_format=YES
>> #
>> # You may change the default value for timing out an idle session.
>> #idle_session_timeout=600
>> #
>> # You may change the default value for timing out a data connection.
>> #data_connection_timeout=120
>> #
>> # It is recommended that you define on your system a unique user which the
>> # ftp server can use as a totally isolated and unprivileged user.
>> #nopriv_user=ftpsecure
>> #
>> # Enable this and the server will recognise asynchronous ABOR requests.
>> Not
>> # recommended for security (the code is non-trivial). Not enabling it,
>> # however, may confuse older FTP clients.
>> #async_abor_enable=YES
>> #
>> # By default the server will pretend to allow ASCII mode but in fact
>> ignore
>> # the request. Turn on the below options to have the server actually do
>> ASCII
>> # mangling on files when in ASCII mode.
>> # Beware that on some FTP servers, ASCII support allows a denial of
>> service
>> # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
>> # predicted this attack and has always been safe, reporting the size of
>> the
>> # raw file.
>> # ASCII mangling is a horrible feature of the protocol.
>> #ascii_upload_enable=YES
>> #ascii_download_enable=YES
>> #
>> # You may fully customise the login banner string:
>> #ftpd_banner=Welcome to blah FTP service.
>> #
>> # You may specify a file of disallowed anonymous e-mail addresses.
>> Apparently
>> # useful for combatting certain DoS attacks.
>> #deny_email_enable=YES
>> # (default follows)
>> #banned_email_file=/etc/vsftpd.banned_emails
>> #
>> # You may restrict local users to their home directories.  See the FAQ for
>> # the possible risks in this before using chroot_local_user or
>> # chroot_list_enable below.
>> chroot_local_user=YES
>> #
>> # You may specify an explicit list of local users to chroot() to their
>> home
>> # directory. If chroot_local_user is YES, then this list becomes a list of
>> # users to NOT chroot().
>> #chroot_list_enable=YES
>> # (default follows)
>> #chroot_list_file=/etc/vsftpd.chroot_list
>> #
>> # You may activate the "-R" option to the builtin ls. This is disabled by
>> # default to avoid remote users being able to cause excessive I/O on large
>> # sites. However, some broken FTP clients such as "ncftp" and "mirror"
>> assume
>> # the presence of the "-R" option, so there is a strong case for enabling
>> it.
>> #ls_recurse_enable=YES
>> #
>> #
>> # Debian customization
>> #
>> # Some of vsftpd's settings don't fit the Debian filesystem layout by
>> # default.  These settings are more Debian-friendly.
>> #
>> # This option should be the name of a directory which is empty.  Also, the
>> # directory should not be writable by the ftp user. This directory is used
>> # as a secure chroot() jail at times vsftpd does not require filesystem
>> # access.
>> secure_chroot_dir=/var/run/vsftpd
>> #
>> # This string is the name of the PAM service vsftpd will use.
>> pam_service_name=vsftpd
>> #
>> # This option specifies the location of the RSA certificate to use for SSL
>> # encrypted connections.
>> #rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
>> #
>> # This option specifies the location of the RSA key to use for SSL
>> # encrypted connections.
>> rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
>>
>>
>>
>>
>>
>>
>> Em 02-03-2011 12:49, Fábio Rabelo escreveu:
>>
>>  Boa tarde ...
>>>
>>> Eu tentei exatamente a mesma coisa que o Sr. está propondo a algum tempo
>>> atrás, e não consegui tb .
>>>
>>> Desde então estabeleci uma norma pessoal :
>>>
>>> Se eu quero ftp anônimo, uso o Vsftp .
>>>
>>> Se eu quero ftp autenticado, uso o Proftpd .
>>>
>>>
>>> Fábio Rabelo
>>>
>>>
>>>
>>> Em 2 de março de 2011 12:40, Flávio Barros<flaviobarros em gmail.com
>>> >escreveu:
>>>
>>>  Bom dia.
>>>>
>>>> Alguém sabe como configuro para que cada usuário tenha um diretório home
>>>> específico ?
>>>> Por exemplo:
>>>> Usuários: maria, jose -->  /suporte
>>>> Usuários: joao -->  /sistemas
>>>>
>>>> Com o proftpd eu sei como faz mas com o Vsftpd não.
>>>>
>>>> --
>>>> Desde já agradeço,
>>>> +++
>>>> Flávio de Oliveira Barros
>>>> Manaus - Amazonas - Brasil
>>>>
>>>> Copiar é bom!
>>>> Seja Legal
>>>> Use Software Livre
>>>> Ubuntu User number is # 28558
>>>> Linux Registered User# 278223
>>>> --
>>>> Mais sobre o Ubuntu em português: http://www.ubuntu-br.org/comece
>>>>
>>>> Lista de discussão Ubuntu Brasil
>>>> Histórico, descadastramento e outras opções:
>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-br
>>>>
>>>>
>> --
>> Mais sobre o Ubuntu em português: http://www.ubuntu-br.org/comece
>>
>> Lista de discussão Ubuntu Brasil
>> Histórico, descadastramento e outras opções:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-br
>>
>
>
>
> --
> Desde já agradeço,
> +++
> Flávio de Oliveira Barros
> Manaus - Amazonas - Brasil
>
> Copiar é bom!
> Seja Legal
> Use Software Livre
> Ubuntu User number is # 28558
> Linux Registered User# 278223
> --
> Mais sobre o Ubuntu em português: http://www.ubuntu-br.org/comece
>
> Lista de discussão Ubuntu Brasil
> Histórico, descadastramento e outras opções:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-br
>

-- 
Enviado do meu celular