12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed


Transferring Files with FTP

TABLE 19.2 Continued

| vsftpd Directive | Default Value | Description |
|---|---|---|
| anon_max_rate | 0 | Maximum transfer rate allowed for anonymous users, in bytes per second. If set to 0, the maximum rate is unlimited. |
| anon_umask | 077 | Umask value for files created by anonymous users. |
| anon_root | (no default) | Default directory for anonymous users. |
| banned_email_file | /etc/vsftpd/banned_emails | If deny_email_enable is set to YES, this file contains the list of email passwords denied FTP login. |
| email_password_file | /etc/vsftpd/email_passwords | If secure_email_list_enable is set to YES, this file contains all the email passwords allowed FTP login. |
| chown_username | root | If chown_uploads is set to YES, all files uploaded by an anonymous user are owned by this user. |

Allowing FTP Connections

To deny specific users access to the FTP server, add their usernames to the /etc/vsftpd/ftpusers file. By default, system users such as root and nobody are included in this list.

The /etc/vsftpd/user_list file is also used to allow or deny access to specific users. If the userlist_enable directive in /etc/vsftpd/vsftpd.conf is set to YES, the /etc/vsftpd/user_list file is read to determine if a user is allowed FTP access. If the userlist_deny is set to YES (the default), users listed in /etc/vsftpd/user_list are denied access before they are asked for a password. If userlist_deny is set to NO, only users explicitly listed in the /etc/vsftpd/user_list file are allowed access.

FTP uses two ports, 20 and 21. By default, the FTP server listens for requests on port 21. After a connection is established, the client sends commands to the server on port 21. However, port 20 is used when the server sends data back to the client. If a firewall exists on the client, be sure to allow connections on port 20 so data can be sent to it.

If custom IPTables rules are being used, refer to Chapter 24, “Configuring a Firewall,” for details on how to allow these ports. If FTP clients connect in passive mode and the server has IPTables active, the ip_conntrack_ftp kernel module must be loaded on the FTP server. It can be added to the IPTABLES_MODULES directive in /etc/sysconfig/iptables-config.

If using a default security level in Red Hat Enterprise Linux, use the Security Level Configuration tool. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a user. On the Firewall Options tab, check the FTP service in the Trusted services section as shown in Figure 19.1. Click OK to enable the changes.
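The rules above for /etc/vsftpd/ftpusers and /etc/vsftpd/user_list, written out as an added example (not from the book and not vsftpd's own code), show how the same user_list file flips from a deny list to an allow list when userlist_deny changes. It assumes an absent userlist_enable means NO (the upstream vsftpd default) and uses constructed sample file contents.

```python
# Added example: models the access rules described above; not vsftpd's own code.

def parse_conf(text):
    """Parse vsftpd.conf-style directive=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key] = value
    return conf

def parse_list(text):
    """Parse a one-username-per-line file such as ftpusers or user_list."""
    names = (line.strip() for line in text.splitlines())
    return {n for n in names if n and not n.startswith("#")}

def is_yes(conf, key, default):
    """True when the directive (or its default) is YES."""
    return conf.get(key, default).upper() == "YES"

def ftp_access(user, conf, ftpusers, user_list):
    """Return (allowed, reason) for a local user under the rules in the text."""
    # Assumption: an absent userlist_enable means NO (upstream vsftpd default);
    # userlist_deny defaults to YES, as the text states.
    if is_yes(conf, "userlist_enable", "NO"):
        if is_yes(conf, "userlist_deny", "YES"):
            if user in user_list:
                return False, "in user_list, refused before the password prompt"
        elif user not in user_list:
            return False, "userlist_deny=NO and user is not in user_list"
    if user in ftpusers:
        return False, "in ftpusers"
    return True, "not blocked by either list"

# Constructed sample data, not taken from a real server.
FTPUSERS = parse_list("# system accounts\nroot\nnobody\n")
USER_LIST = parse_list("root\nalice\n")
DENYLIST_CONF = parse_conf("userlist_enable=YES\n# userlist_deny left at its default\n")
ALLOWLIST_CONF = parse_conf("userlist_enable=YES\nuserlist_deny=NO\n")

if __name__ == "__main__":
    for label, conf in (("denylist", DENYLIST_CONF), ("allowlist", ALLOWLIST_CONF)):
        for user in ("root", "alice", "bob"):
            allowed, reason = ftp_access(user, conf, FTPUSERS, USER_LIST)
            print(f"{label:9} {user:6} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

With userlist_deny=NO, every name already in user_list becomes an allowed login, so review that file before switching modes; in this sample root is still refused only because it also appears in ftpusers.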
