vsftpd, FTPS (FTP over TLS) and fail2ban — on a RHEL/CentOS-style system that uses yum, service and chkconfig
Install the required packages:
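# Install vsftpd and fail2ban. (The package name was misspelled "vsfptd" in the
# original, which yum rejects with "No package vsfptd available".)
yum -y install vsftpd fail2ban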
Create a self-signed TLS certificate and private key (both are written to one PEM file):
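# Self-signed certificate + private key for FTPS, written to a single PEM file.
# -nodes leaves the key unencrypted so vsftpd can start unattended; -days 3650
# makes it valid for ~10 years. Clients will warn about the self-signed issuer
# unless they trust or pin it.
# The file holds the private key, so it must never be world-readable: run
# openssl under umask 077 (in a subshell, so the caller's umask is untouched)
# and chmod afterwards in case the file already existed with looser permissions.
(umask 077 && /usr/bin/openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem)
chmod 600 /etc/vsftpd/vsftpd.pem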
Edit /etc/vsftpd/vsftpd.conf so that it contains the following:
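# --- TLS (FTPS) ---------------------------------------------------------------
# Turn on SSL/TLS support (explicit FTPS: the client issues AUTH TLS on port 21).
ssl_enable=YES
# Anonymous users may not use TLS (anonymous logins are disabled below anyway).
allow_anon_ssl=NO
# Force every non-anonymous login to protect BOTH the password and the data
# channel with TLS. These were "no" in the original page, which lets a client
# that does not negotiate TLS send its password and files in cleartext and
# defeats the purpose of enabling FTPS.
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Protocol versions: permit TLS v1, refuse SSL v2 and SSL v3 (both broken).
# TLS 1.0 is itself deprecated; some vsftpd builds also understand
# ssl_tlsv1_1 / ssl_tlsv1_2 and ssl_ciphers — use them if the installed
# version supports them (check "man 5 vsftpd.conf" for your build).
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Certificate and private key (same PEM file created with openssl above).
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# Do not require data connections to reuse the control connection's TLS
# session. Session reuse proves the data connection belongs to the same client,
# but many clients cannot do it; NO trades that check for compatibility.
require_ssl_reuse=NO

# --- Accounts and access -------------------------------------------------------
# No anonymous access; only local (PAM) users may log in, and they may upload.
anonymous_enable=NO
local_enable=YES
write_enable=YES
# umask for uploaded files: 002 makes new files group-writable (0664/0775).
local_umask=002
dirmessage_enable=YES
# Log in vsftpd's own format to /var/log/vsftpd.log (the default
# vsftpd_log_file); the fail2ban "vsftpd" filter used below expects this format.
xferlog_enable=YES
xferlog_std_format=no
# Use port 20 as the source port for active-mode data connections.
connect_from_port_20=YES
# Confine every local user to their home directory. With chroot_local_user=YES
# the chroot_list_file, if enabled, lists users to NOT chroot().
# NOTE: vsftpd 2.3.5 and later refuse a session whose chroot root is writable;
# on such versions either make the home directory non-writable (upload into a
# subdirectory) or set allow_writeable_chroot=YES — verify against the
# installed version.
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
pam_service_name=vsftpd
# Consult /etc/vsftpd/user_list; with the default userlist_deny=YES the users
# listed there (typically root and other system accounts in the stock file)
# are refused before a password is even asked for.
userlist_enable=YES
# Run standalone (not from xinetd) and honor /etc/hosts.allow and hosts.deny.
listen=YES
tcp_wrappers=YES
# Passive-mode data ports. Because the control channel is encrypted, the
# kernel's FTP connection-tracking helper cannot learn the data port, so a
# fixed range is needed and must be opened in the firewall (see the iptables
# rules below). If the server is behind NAT, also set pasv_address to the
# public IP.
pasv_min_port=4000
pasv_max_port=4040
#######end of vsftpd.conf###############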
Edit /etc/sysconfig/iptables and add the following lines to the INPUT chain. iptables uses first-match semantics, so they must appear before any rule that rejects or drops the remaining INPUT traffic:
# Accept the FTP control port and the passive-mode data range in one rule.
# The range must match pasv_min_port/pasv_max_port in vsftpd.conf.
-A INPUT -p tcp -m multiport --dports 21,4000:4040 -j ACCEPT
Edit /etc/fail2ban/jail.conf (or, preferably, put the section in /etc/fail2ban/jail.local so that a package upgrade does not overwrite it) and set the following in the vsftpd jail:
# Jail that bans hosts which repeatedly fail vsftpd logins, using the stock
# "vsftpd" filter and blocking the offender on the FTP control port.
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
# vsftpd-format log written by vsftpd (xferlog_std_format=no).
logpath  = /var/log/vsftpd.log
# Number of failed logins (within fail2ban's findtime window) before a ban.
maxretry = 3
# Ban duration in seconds: 3 days (3 * 24 * 3600).
bantime  = 259200
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
# Optionally also mail a whois report of each banned host:
# sendmail-whois[name=VSFTPD, dest=you@example.com]
Create the log file if it does not exist yet — fail2ban refuses to start a jail whose logpath is missing, and vsftpd does not create the file until it has something to log:
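# Make sure the jail's logpath exists before fail2ban starts (touch does not
# truncate an existing file). The log records usernames and client addresses,
# so restrict it to root; in a stock setup both vsftpd and fail2ban access it
# as root, so nothing else needs to read it.
touch /var/log/vsftpd.log
chmod 600 /var/log/vsftpd.log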
Apply the firewall rules, then enable the services at boot and start them:
# Reload the firewall first: restarting iptables later would flush the chain
# that fail2ban inserts for its bans.
service iptables restart
# Enable each daemon at boot and start it, vsftpd before fail2ban so that the
# jail has a running service (and its log) to watch.
for svc in vsftpd fail2ban; do
  chkconfig "$svc" on
  service "$svc" start
done