############################################################################# # # BOOLEAN OPTIONS # ############################################################################# # Only applies if ssl_enable is active. If set to YES, anonymous users will # be allowed to use secured SSL connections allow_anon_ssl=NO # If set to YES, anonymous users will be permitted to create new directories # under certain conditions. For this to work, the option write_enable must be # activated, and the anonymous ftp user must have write permission on the parent directory. anon_mkdir_write_enable=YES # If set to YES, anonymous users will be permitted to perform write operations # other than upload and create directory, such as deletion and renaming. This # is generally not recommended but included for completeness. anon_other_write_enable=YES # If set to YES, anonymous users will be permitted to upload files under certain # conditions. For this to work, the option write_enable must be activated, and # the anonymous ftp user must have write permission on desired upload locations. anon_upload_enable=YES # When enabled, anonymous users will only be allowed to download files which # are world readable. This is recognising that the ftp user may own files, # especially in the presence of uploads. anon_world_readable_only=YES # Controls whether anonymous logins are permitted or not. If enabled, both # the usernames ftp and anonymous are recognised as anonymous logins. anonymous_enable=YES # When enabled, ASCII mode data transfers will be honoured on downloads. ascii_download_enable=NO # When enabled, ASCII mode data transfers will be honoured on uploads. ascii_upload_enable=NO # When enabled, a special FTP command known as "async ABOR" will be enabled. # Only ill advised FTP clients will use this feature. Additionally, this feature # is awkward to handle, so it is disabled by default. Unfortunately, some FTP # clients will hang when cancelling a transfer unless this feature is available, # so you may wish to enable it. async_abor_enable=YES # When enabled, and vsftpd is started in "listen" mode, vsftpd will background # the listener process. i.e. control will immediately be returned to the shell # which launched vsftpd. background=YES # Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, # vsftpd will not check /etc/shells for a valid user shell for local logins. check_shell=NO # When enables, allows use of the SITE CHMOD command. NOTE! This only applies to # local users. Anonymous users never get to use SITE CHMOD. chmod_enable=YES # If enabled, all anonymously uploaded files will have the ownership changed to # the user specified in the setting chown_username. This is useful from an # administrative, and perhaps security, chown_uploads=YES chown_group=YES # If activated, you may provide a list of local users who are placed in a # chroot() jail in their home directory upon login. The meaning is slightly # different if chroot_local_user is set to YES. In this case, the list becomes # a list of users which are NOT to be placed in a chroot() jail. By default, # the file containing this list is /etc/vsftpd.chroot_list, but you may # override this with the chroot_list_file setting. chroot_list_enable=NO # If set to YES, local users will be (by default) placed in a chroot() jail # in their home directory after login. Warning: This option has security # implications, especially if the users have upload permission, or shell # access. Only enable if you know what you are doing. Note that these security # implications are not vsftpd specific. They apply to all FTP daemons which # offer to put local users in chroot() jails. chroot_local_user=YES # This controls whether PORT style data connections use port 20 (ftp-data) on # the server machine. For security reasons, some clients may insist that this # is the case. Conversely, disabling this option enables vsftpd to run with # slightly less privilege. connect_from_port_20=YES # If activated, you may provide a list of anonymous password e-mail responses # which cause login to be denied. By default, the file containing this list is # /etc/vsftpd.banned_emails, but you may override this with the banned_email_file # setting. deny_email_enable=NO # If set to NO, all directory list commands will give permission denied. dirlist_enable=YES # If enabled, users of the FTP server can be shown messages when they first enter # a new directory. By default, a directory is scanned for the file .message, but # that may be overridden with the configuration setting message_file. dirmessage_enable=YES # If set to NO, all download requests will give permission denied. download_enable=YES # If enabled, two log files are generated in parallel, going by default to # /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd style # transfer log, parseable by standard tools. The latter is vsftpd's own # style log. dual_log_enable=YES # If activated, files and directories starting with . will be shown in # directory listings even if the "a" flag was not used by the client. # This override excludes the "." and ".." entries. force_dot_files=NO # Only applies if ssl_enable is activated. If activated, all non-anonymous # logins are forced to use a secure SSL connection in order to send and receive # data on data connections. force_local_data_ssl=NO # Only applies if ssl_enable is activated. If activated, all non-anonymous # logins are forced to use a secure SSL connection in order to send the password. force_local_logins_ssl=NO # If enabled, all non-anonymous logins are classed as "guest" logins. A guest # login is remapped to the user specified in the guest_username setting. guest_enable=NO # If enabled, all user and group information in directory listings will be # displayed as "ftp". hide_ids=YES # If enabled, vsftpd will run in standalone mode. This means that vsftpd must # not be run from an inetd of some kind. Instead, the vsftpd executable is run # once directly. vsftpd itself will then take care of listening for and handling # incoming connections. listen=YES # Like the listen parameter, except vsftpd will listen on an IPv6 socket instead # of an IPv4 one. This parameter and the listen parameter are mutually exclusive. listen_ipv6=NO # Controls whether local logins are permitted or not. If enabled, normal user # accounts in /etc/passwd may be used to log in. local_enable=YES # When enabled, all FTP requests and responses are logged, providing the option # xferlog_std_format is not enabled. Useful for debugging. log_ftp_protocol=NO #YES # When enabled, this setting will allow the use of "ls -R". This is a minor # security risk, because a ls -R at the top level of a large site may consume # a lot of resources. ls_recurse_enable=NO # When enabled, this prevents vsftpd from asking for an anonymous password - # the anonymous user will log straight in. no_anon_password=NO # When enabled, this prevents vsftpd from taking a file lock when writing to # log files. This option should generally not be enabled. It exists to workaround # operating system bugs such as the Solaris / Veritas filesystem combination # which has been observed to sometimes exhibit hangs trying to lock log files. no_log_lock=NO # If you have a Linux 2.4 kernel, it is possible to use a different security # model which only uses one process per connection. It is a less pure security # model, but gains you performance. You really don't want to enable this unless # you know what you are doing, and your site supports huge numbers of # simultaneously connected users. one_process_model=NO # If enabled, along with chroot_local_user , then a chroot() jail location may # be specified on a per-user basis. Each user's jail is derived from their home # directory string in /etc/passwd. The occurrence of /./ in the home directory # string denotes that the jail is at that particular location in the path. passwd_chroot_enable=NO # Set to NO if you want to disallow the PASV method of obtaining a data connection. pasv_enable=YES # Set to YES if you want to disable the PASV security check that ensures the # data connection originates from the same IP address as the control connection. # Only enable if you know what you are doing! The only legitimate use for this # is in some form of secure tunnelling scheme, or perhaps to facilitate FXP support. pasv_promiscuous=NO # Set to NO if you want to disallow the PORT method of obtaining a data connection. port_enable=YES # Set to YES if you want to disable the PORT security check that ensures that # outgoing data connections can only connect to the client. Only enable if you # know what you are doing! port_promiscuous=NO # Set to YES if you want vsftpd to run as the user which launched vsftpd. This # is useful where root access is not available. MASSIVE WARNING! Do NOT enable # this option unless you totally know what you are doing, as naive use of this # option can create massive security problems. Specifically, vsftpd does not / # cannot use chroot technology to restrict file access when this option is set # (even if launched by root). A poor substitute could be to use a deny_file # setting such as {/*,*..*}, but the reliability of this cannot compare to # chroot, and should not be relied on. If using this option, many restrictions # on other options apply. For example, options requiring privilege such as # non-anonymous logins, upload ownership changing, connecting from port 20 and # listen ports less than 1024 are not expected to work. Other options may be # impacted. run_as_launching_user=NO # Set to YES if you want only a specified list of e-mail passwords for anonymous # logins to be accepted. This is useful as a low-hassle way of restricting # access to low-security content without needing virtual users. When enabled, # anonymous logins are prevented unless the password provided is listed in the # file specified by the email_password_file setting. The file format is one # password per line, no extra whitespace. The default filename is # /etc/vsftpd.email_passwords. secure_email_list_enable=NO # This controls whether vsftpd attempts to maintain sessions for logins. If # vsftpd is maintaining sessions, it will try and update utmp and wtmp. It will # also open a pam_session if using PAM to authenticate, and only close this upon # logout. You may wish to disable this if you do not need session logging, and # you wish to give vsftpd more opportunity to run with less processes and / or # less privilege. NOTE - utmp and wtmp support is only provided with PAM enabled # builds. session_support=NO # If enabled, vsftpd will try and show session status information in the system # process listing. In other words, the reported name of the process will change # to reflect what a vsftpd session is doing (idle, downloading etc). You probably # want to leave this off for security purposes. setproctitle_enable=NO # If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support # secure connections via SSL. This applies to the control connection (including # login) and also data connections. You'll need a client with SSL support too. # NOTE!! Beware enabling this option. Only enable it if you need it. vsftpd can # make no guarantees about the security of the OpenSSL libraries. By enabling # this option, you are declaring that you trust the security of your installed # OpenSSL library. ssl_enable=NO # Only applies if ssl_enable is activated. If enabled, this option will permit # SSL v2 protocol connections. TLS v1 connections are preferred. ssl_sslv2=NO # Only applies if ssl_enable is activated. If enabled, this option will permit # SSL v3 protocol connections. TLS v1 connections are preferred. ssl_sslv3=NO # Only applies if ssl_enable is activated. If enabled, this option will permit # TLS v1 protocol connections. TLS v1 connections are preferred. ssl_tlsv1=YES # If enabled, then any log output which would have gone to /var/log/vsftpd.log # goes to the system log instead. Logging is done under the FTPD facility. syslog_enable=NO # If enabled, and vsftpd was compiled with tcp_wrappers support, incoming # connections will be fed through tcp_wrappers access control. Furthermore, # there is a mechanism for per-IP based configuration. If tcp_wrappers sets # the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will # try and load the vsftpd configuration file specified in this variable. tcp_wrappers=NO # By default, numeric IDs are shown in the user and group fields of directory # listings. You can get textual names by enabling this parameter. It is off # by default for performance reasons. text_userdb_names=NO # If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. # a tilde followed by a username. Note that vsftpd will always resolve the # pathnames ~ and ~/something (in this case the ~ resolves to the initial # login directory). Note that ~user paths will only resolve if the file # /etc/passwd may be found within the _current_ chroot() jail. tilde_user_enable=NO # If enabled, vsftpd will display directory listings with the time in your # local time zone. The default is to display GMT. The times returned by the # MDTM FTP command are also affected by this option. use_localtime=YES # An internal setting used for testing the relative benefit of using the # sendfile() system call on your platform. use_sendfile=YES # This option is examined if userlist_enable is activated. If you set this # setting to NO, then users will be denied login unless they are explicitly # listed in the file specified by userlist_file. When login is denied, the # denial is issued before the user is asked for a password. userlist_deny=NO # If enabled, vsftpd will load a list of usernames, from the filename given # by userlist_file. If a user tries to log in using a name in this file, # they will be denied before they are asked for a password. This may be useful # in preventing cleartext passwords being transmitted. See also userlist_deny. userlist_enable=NO # If enabled, virtual users will use the same privileges as local users. # By default, virtual users will use the same privileges as anonymous users, # which tends to be more restrictive (especially in terms of write access). virtual_use_local_privs=NO # This controls whether any FTP commands which change the filesystem are # allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE # and SITE. write_enable=YES # If enabled, a log file will be maintained detailling uploads and downloads. # By default, this file will be placed at /var/log/vsftpd.log, but this # location may be overridden using the configuration setting vsftpd_log_file. xferlog_enable=NO # If enabled, the transfer log file will be written in standard xferlog format, # as used by wu-ftpd. This is useful because you can reuse existing transfer # statistics generators. The default format is more readable, however. The # default location for this style of log file is /var/log/xferlog, but you # may change it with the setting xferlog_file. xferlog_std_format=NO ############################################################################# # # NUMERIC OPTIONS # ############################################################################# # The timeout, in seconds, for a remote client to establish connection with # a PASV style data connection. accept_timeout=60 # The maximum data transfer rate permitted, in bytes per second, for anonymous # clients. anon_max_rate=0 # The value that the umask for file creation is set to for anonymous users. # NOTE! If you want to specify octal values, remember the "0" prefix otherwise # the value will be treated as a base 10 integer! anon_umask=0000 # The file mode to force for chown()ed anonymous uploads. chown_upload_mode=0666 # The timeout, in seconds, for a remote client to respond to our PORT style # data connection. connect_timeout=60 # The timeout, in seconds, which is roughly the maximum time we permit data # transfers to stall for with no progress. If the timeout triggers, the # remote client is kicked off. data_connection_timeout=300 # The permissions with which uploaded files are created. Umasks are applied # on top of this value. You may wish to change to 0777 if you want uploaded # files to be executable. file_open_mode=0666 # The port from which PORT style connections originate (as long as the poorly # named connect_from_port_20 is enabled). ftp_data_port=20 # The timeout, in seconds, which is the maximum time a remote client may # spend between FTP commands. If the timeout triggers, the remote client # is kicked off. idle_session_timeout=300 # If vsftpd is in standalone mode, this is the port it will listen on for # incoming FTP connections. listen_port=21 # The maximum data transfer rate permitted, in bytes per second, for local # authenticated users. local_max_rate=0 # The value that the umask for file creation is set to for local users. # NOTE! If you want to specify octal values, remember the "0" prefix # otherwise the value will be treated as a base 10 integer! local_umask=0002 # If vsftpd is in standalone mode, this is the maximum number of clients # which may be connected. Any additional clients connecting will get an # error message. max_clients=0 # If vsftpd is in standalone mode, this is the maximum number of clients # which may be connected from the same source internet address. A client # will get an error message if they go over this limit. max_per_ip=4 # The maximum port to allocate for PASV style data connections. Can be # used to specify a narrow port range to assist firewalling. pasv_max_port=11023 # The minimum port to allocate for PASV style data connections. Can be # used to specify a narrow port range to assist firewalling. pasv_min_port=10000 # You probably don't want to change this, but try setting it to something # like 8192 for a much smoother bandwidth limiter. trans_chunk_size=0 ############################################################################# # # STRING OPTIONS # ############################################################################# # This option represents a directory which vsftpd will try to change into after # an anonymous login. Failure is silently ignored. anon_root=/mnt/Services/ftp-root # This option is the name of a file containing a list of anonymous e-mail # passwords which are not permitted. This file is consulted if the option # deny_email_enable is enabled. banned_email_file=/etc/vsftpd/banned_emails # This option is the name of a file containing text to display when someone # connects to the server. If set, it overrides the banner string provided by # the ftpd_banner option. #banner_file= # This is the name of the user who is given ownership of anonymously uploaded # files. This option is only relevant if another option, chown_uploads, is set. chown_username=samba # The option is the name of a file containing a list of local users which will # be placed in a chroot() jail in their home directory. This option is only # relevant if the option chroot_list_enable is enabled. If the option # chroot_local_user is enabled, then the list file becomes a list of users to # NOT place in a chroot() jail. chroot_list_file=/etc/vsftpd/chroot_list # This options specifies a comma separated list of allowed FTP commands (post # login. USER, PASS and QUIT are always allowed pre-login). Other commands are # rejected. This is a powerful method of really locking down an FTP server. # Example: cmds_allowed=PASV,RETR,QUIT #cmds_allowed= # This option can be used to set a pattern for filenames (and directory names # etc.) which should not be accessible in any way. The affected items are not # hidden, but any attempt to do anything to them (download, change into # directory, affect something within directory etc.) will be denied. This option # is very simple, and should not be used for serious access control - the # filesystem's permissions should be used in preference. However, this option # may be useful in certain virtual user setups. In particular aware that if a # filename is accessible by a variety of names (perhaps due to symbolic links # or hard links), then care must be taken to deny access to all the names. # Access will be denied to items if their name contains the string given by # hide_file, or if they match the regular expression specified by hide_file. # Note that vsftpd's regular expression matching code is a simple implementation # which is a subset of full regular expression functionality. Because of this, # you will need to carefully and exhaustively test any application of this option. # And you are recommended to use filesystem permissions for any important security # policies due to their greater reliability. Example: deny_file={*.mp3,*.mov,.private} #deny_file= # This option specifies the location of the DSA certificate to use for SSL encrypted # connections. #dsa_cert_file= # This option can be used to provide an alternate file for usage by the # secure_email_list_enable setting. #email_password_file= # This is the name of the user we use for handling anonymous FTP. The home # directory of this user is the root of the anonymous FTP area. #ftp_username=ftp # This string option allows you to override the greeting banner displayed by # vsftpd when a connection first comes in. #ftpd_banner=Welcome to blah FTP service. # See the boolean setting guest_enable for a description of what constitutes a # guest login. This setting is the real username which guest users are mapped to. #guest_username=ftp # This option can be used to set a pattern for filenames (and directory names # etc.) which should be hidden from directory listings. Despite being hidden, # the files / directories etc. are fully accessible to clients who know what # names to actually use. Items will be hidden if their names contain the string # given by hide_file, or if they match the regular expression specified by # hide_file. Note that vsftpd's regular expression matching code is a simple # implementation which is a subset of full regular expression functionality. # Example: hide_file={*.mp3,.hidden,hide*,h?} #hide_file= # If vsftpd is in standalone mode, the default listen address (of all local # interfaces) may be overridden by this setting. Provide a numeric IP address. #listen_address= # Like listen_address, but specifies a default listen address for the IPv6 # listener (which is used if listen_ipv6 is set). Format is standard IPv6 # address format. #listen_address6= # This option represents a directory which vsftpd will try to change into # after a local (i.e. non-anonymous) login. Failure is silently ignored. #local_root= # This option is the name of the file we look for when a new directory is # entered. The contents are displayed to the remote user. This option is # only relevant if the option dirmessage_enable is enabled. #message_file=.message # This is the name of the user that is used by vsftpd when it wants to be # totally unprivileged. Note that this should be a dedicated user, rather # than nobody. The user nobody tends to be used for rather a lot of # important things on most machines. #nopriv_user=share # This string is the name of the PAM service vsftpd will use. pam_service_name=vsftpd # Use this option to override the IP address that vsftpd will advertise in # response to the PASV command. Provide a numeric IP address. #pasv_address= # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. #rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem # This option should be the name of a directory which is empty. Also, the # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. #secure_chroot_dir=/usr/share/empty # This option can be used to select which SSL ciphers vsftpd will allow for # encrpyted SSL connections. See the ciphers man page for further details. # Note that restricting ciphers can be a useful security precaution as it # prevents malicious remote parties forcing a cipher which they have found # problems with. #ssl_ciphers=DES-CBC3-SHA # This powerful option allows the override of any config option specified # in the manual page, on a per-user basis. Usage is simple, and is best # illustrated with an example. If you set user_config_dir to be # /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd # will apply the settings in the file /etc/vsftpd_user_conf/chris for the # duration of the session. The format of this file is as detailed in this # manual page! PLEASE NOTE that not all settings are effective on a per-user # basis. For example, many settings only prior to the user's session being # started. Examples of settings which will not affect any behviour on a # per-user basis include listen_address, banner_file, max_per_ip, # max_clients, xferlog_file, etc. user_config_dir=/etc/vsftpd/user_config/ # This option is useful is conjunction with virtual users. It is used to # automatically generate a home directory for each virtual user, based on # a template. For example, if the home directory of the real user specified # via guest_username is /home/virtual/$USER, and user_sub_token is set to # $USER, then when virtual user fred logs in, he will end up (usually # chroot()'ed) in the directory /home/virtual/fred. This option also # takes affect if local_root contains user_sub_token. #user_sub_token= # This option is the name of the file loaded when the userlist_enable option # is active. #userlist_file=/etc/vsftpd/user_list # This option is the name of the file to which we write the vsftpd style log # file. This log is only written if the option xferlog_enable is set, and # xferlog_std_format is NOT set. Alternatively, it is written if you have # set the option dual_log_enable. One further complication - if you have # set syslog_enable, then this file is not written and output is sent to # the system log instead. #vsftpd_log_file=/var/log/vsftpd.log # This option is the name of the file to which we write the wu-ftpd style # transfer log. The transfer log is only written if the option xferlog_enable # is set, along with xferlog_std_format. Alternatively, it is written if you # have set the option dual_log_enable. #xferlog_file=/var/log/vsftpd.log convert_charset_enable=1 local_charset=UTF8 remote_charset=WIN1251 double_377=0 pasv_addr_rules=/etc/vsftpd/pasv_rules