Detailed analysis of compiling and installing vsFTP 3.0.3


Vulnerability Details

VSFTP is FTP server software for Unix-like systems, released under the GPL. It supports virtual users, two authentication methods (PAP or xinetd/tcp_wrappers), bandwidth limiting, and more.

A security vulnerability exists in VSFTP because the program does not properly handle the 'deny_file' option. A remote attacker could exploit this vulnerability to bypass access restrictions.

The following products and versions are affected: VSFTP 3.0.2 and earlier versions, OpenSUSE 13.1 and 13.2 versions.

Affected Products

Vsftpd Vsftpd 3.0.2

There are generally three ways to log in to FTP:
  • Anonymous user mode: In the default installation, the system only provides anonymous user access. You only need to enter the user anonymous/ftp and use your email as the password to log in.
  • Local user mode: The user name in /etc/passwd is used as the authentication method.
  • Virtual user mode: supports saving user names and passwords in files or databases, and mapping logged-in users to specified system accounts (/sbin/nologin) to access resources. These virtual users are FTP users.
  • Experimental environment: CentOS 7.5 (192.168.2.3)
  • firewalld, iptables and SELinux are all disabled
  • The following experiment uses virtual users authenticated through PAM. Install the PAM components with yum first (the EPEL repository is required):
  • yum -y install epel-release && yum -y install pam pam-devel db4-utils
  • In the default configuration, vsftpd needs to use the nobody user.
  • Download from the official website https://www.linuxfromscratch.org/blfs/view/svn/server/vsftpd.html
  • wget https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
  • tar xf vsftpd-3.0.3.tar.gz
  • cd vsftpd-3.0.3/

  • The vsftpd source package has no configure script, so compile and install it directly:
  • make clean && make -j 4 && make install
  • If compilation fails with the following error:
  • /usr/bin/ld: cannot find -lcap
  • locate the libcap shared object:
  • find / -name "*libcap.so*"
  • /usr/lib64/libcap.so.2.22
  • /usr/lib64/libcap.so.2
  • and create the libcap.so symlink that the linker is looking for:
  • ln -sv /usr/lib64/libcap.so.2 /usr/lib64/libcap.so

  • Default configuration:
  • Main program file: /usr/local/sbin/vsftpd
  • Main configuration file: /etc/vsftpd.conf
  • PAM authentication file: /etc/pam.d/vsftpd
  • Anonymous user home directory: /var/ftp
  • Download directory for anonymous users: /var/ftp/pub
  • There are two main security principles of vsftpd:
  • Only virtual users are allowed to log in, and local users and anonymous users are disabled.
  • Running with root privileges is not allowed.
  • Create a directory to store configuration files
  • mkdir /etc/vsftpd
  • Copy the new configuration file to the /etc/vsftpd directory

Create users and shared directories and directory permissions

  • Create a plain-text file holding the virtual users' credentials. User names go on odd lines and passwords on even lines; db_load stores each line verbatim, so the file must not contain comments or annotations:
  • vim /etc/vsftpd/access.txt

zhangsan
123456
lisi
123456

  • Use the db4-utils component installed earlier to generate the password authentication file:
  • db_load -T -t hash -f /etc/vsftpd/access.txt /etc/vsftpd/access.db
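
A pre-flight check for the credentials file, as an added example that is not part of the original article: it reports annotations, blank lines, duplicate users, a missing password and loose file permissions before db_load is run. The function name check_access_file and the sample data are constructed for illustration.

```bash
#!/bin/sh
# Added example: sanity-check the credentials file before db_load.
# check_access_file FILE -> prints each problem, returns the problem count.
check_access_file() {
    local file="$1" n=0 problems=0 seen=" " line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            "")
                echo "line $n: blank line (every line is read as a key or a value)"
                problems=$((problems + 1)); continue ;;
            *[[:space:]]*)
                echo "line $n: whitespace or annotation becomes part of the stored value"
                problems=$((problems + 1)) ;;
        esac
        if [ $((n % 2)) -eq 1 ]; then          # odd lines are user names
            case $seen in
                *" $line "*)
                    echo "line $n: duplicate user '$line'"
                    problems=$((problems + 1)) ;;
            esac
            seen="$seen$line "
        fi
    done < "$file"
    if [ $((n % 2)) -ne 0 ]; then
        echo "odd number of lines: the last user has no password"
        problems=$((problems + 1))
    fi
    # The file holds clear-text passwords: only the owner should have access.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file is accessible to group/other; chmod 600 it"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: an annotated layout that must not be loaded as-is.
demo=$(mktemp)
printf '%s\n' 'zhangsan #Username' '123456 #password' 'lisi' > "$demo"
check_access_file "$demo" || echo "=> $? problem(s) found"
rm -f "$demo"
```

Run it against /etc/vsftpd/access.txt before db_load; once access.db has been generated, the plain-text file is no longer needed by PAM.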

  • Edit the PAM authentication file for vsftpd:
  • vim /etc/pam.d/vsftpd

auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/access
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/access

  • Edit the main configuration file /etc/vsftpd/vsftpd.conf
  • cp /etc/vsftpd/vsftpd.conf{,.bak}
  • vim /etc/vsftpd/vsftpd.conf
# Disallow anonymous users
anonymous_enable=NO
local_enable=YES
write_enable=YES

# Do not use a chroot user list: every user is confined to their home directory and cannot access parent directories
chroot_local_user=YES
chroot_list_enable=NO

# Enable logging
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/etc/vsftpd/vsftpd.log

# Enable virtual users
guest_enable=YES
# System user that FTP virtual users are mapped to
guest_username=vsftpd
# PAM authentication file: /etc/pam.d/vsftpd
pam_service_name=vsftpd

virtual_use_local_privs=YES
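
A check for the configuration above, as an added example rather than part of the original article: it verifies the three settings this guide relies on (anonymous_enable=NO, guest_enable=YES, chroot_local_user=YES), flags whitespace around "=", which vsftpd treats as an error, and reports any use of deny_file, the option named in the vulnerability note. The function names and the sample file are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings used in this guide.
# opt FILE NAME -> effective value (last uncommented NAME=value), as YES/NO
opt() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr 'a-z' 'A-Z' |
        sed -e 's/^TRUE$/YES/' -e 's/^1$/YES/' -e 's/^FALSE$/NO/' -e 's/^0$/NO/'
}

# audit_vsftpd_conf FILE -> prints findings, returns the number of findings
audit_vsftpd_conf() {
    local conf="$1" findings=0 want name got n
    for want in anonymous_enable=NO guest_enable=YES chroot_local_user=YES; do
        name=${want%%=*}
        got=$(opt "$conf" "$name")
        if [ "$got" != "${want#*=}" ]; then
            echo "$name: expected ${want#*=}, found ${got:-unset}"
            findings=$((findings + 1))
        fi
    done
    # vsftpd.conf(5): a space between option, '=' and value is an error.
    n=$(grep -cE '^[a-z0-9_]+([[:space:]]+=|=[[:space:]])' "$conf" || true)
    if [ "$n" -gt 0 ]; then
        grep -nE '^[a-z0-9_]+([[:space:]]+=|=[[:space:]])' "$conf" |
            sed 's/^/whitespace around "=": line /'
        findings=$((findings + n))
    fi
    # deny_file is the option named in the vulnerability note above.
    if grep -q '^deny_file=' "$conf"; then
        echo "deny_file is set: enforce the restriction with filesystem permissions as well"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a fused comment line, spaces around "=", and deny_file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
anonymous_enable=NO
# Enable virtual user guest_enable=YES
guest_username = vsftpd
chroot_local_user=YES
deny_file={*.key}
EOF
audit_vsftpd_conf "$demo" || echo "=> $? finding(s)"
rm -f "$demo"
```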

Write the vsftpd startup script: /etc/init.d/vsftpd

#!/bin/bash
#
# vsftpd This shell script takes care of starting and stopping
# standalone vsftpd.
#
# chkconfig: - 60 50
# description: Vsftpd is a ftp daemon, which is the program
# that answers incoming ftp service requests.
# processname: vsftpd
# config: /etc/vsftpd/vsftpd.conf
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -x /usr/local/sbin/vsftpd ] || exit 0
RETVAL=0
prog="vsftpd"
start() {
        # Start daemons.
        if [ -d /etc/vsftpd ] ; then
                for i in /etc/vsftpd/*.conf; do
                        site=$(basename "$i" .conf)
                        echo -n $"Starting $prog for $site: "
                        /usr/local/sbin/vsftpd "$i" &
                        RETVAL=$?
                        [ $RETVAL -eq 0 ] && {
                           touch /var/lock/subsys/$prog
                           success $"$prog $site"
                        }
                        echo
                done
        else
                RETVAL=1
        fi
        return $RETVAL
}
stop() {
        # Stop daemons.
        echo -n $"Shutting down $prog: "
        killproc $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        return $RETVAL
}
# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/$prog ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status $prog
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac
exit $RETVAL 

Add execution permissions

  • Modify the file /etc/xinetd.d/vsftpd to start vsftpd without using the xinetd daemon
  • sed -i 's/disable.*=.*/disable = yes/g' /etc/xinetd.d/vsftpd

  • Start vsftpd
  • service vsftpd start

Login test

  • Enable vsftpd at boot, then reboot the machine and repeat the test
  • chkconfig vsftpd on
