Linux vsftp and AppArmor: How to Improve System Security

小樊
2025-11-02 05:06:15
Category: Intelligent Operations

Improving Linux FTP Server Security with vsftpd and AppArmor

1. Harden vsftpd Configuration

vsftpd (Very Secure FTP Daemon) is the foundation of a secure FTP server. Start by disabling anonymous access (anonymous_enable=NO) to prevent unauthorized users from logging in. Restrict local users to their home directories using chroot_local_user=YES (combined with allow_writeable_chroot=YES to avoid permission issues); this limits users to their own files and prevents system-wide access. Note that allow_writeable_chroot=YES turns off vsftpd's refusal to run with a chroot root the user can write to; the stricter alternative is to leave it at its default of NO, keep the chroot root non-writable, and give users a writable subdirectory. Enable SSL/TLS encryption (ssl_enable=YES, force_local_data_ssl=YES, force_local_logins_ssl=YES) to protect logins and data in transit from eavesdropping. Use strong passwords for all FTP accounts and consider implementing a user list (userlist_enable=YES, userlist_deny=NO) to control which users can log in; with userlist_deny=NO, only users named in the list file are allowed. For passive mode, restrict port ranges (pasv_enable=YES, pasv_min_port=50000, pasv_max_port=50010) to reduce exposure to unauthorized connections, since only that range then needs to be opened on the firewall.
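The following audit script is an added example, not part of the original article. It checks the effective value of each setting recommended above, falling back to the built-in defaults documented in vsftpd.conf(5) when an option is absent. The names parse_conf, audit and SAMPLE are illustrative, and the sample configuration is constructed.

```python
# Added example: audit vsftpd.conf text against the settings recommended above.
# DEFAULTS are the built-in values documented in vsftpd.conf(5); assumption:
# the distribution's build of vsftpd does not change them.
DEFAULTS = {
    "anonymous_enable": "YES", "chroot_local_user": "NO",
    "ssl_enable": "NO", "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES", "userlist_enable": "NO",
    "userlist_deny": "YES", "pasv_enable": "YES",
    "pasv_min_port": "0", "pasv_max_port": "0",
}
# Values recommended in this section (only the YES/NO spelling is recognised).
EXPECTED = {
    "anonymous_enable": "NO", "chroot_local_user": "YES",
    "ssl_enable": "YES", "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES", "userlist_enable": "YES",
    "userlist_deny": "NO",
}
# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
anonymous_enable=NO
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=YES
userlist_enable=YES
pasv_min_port=50000
pasv_max_port=50010
"""

def parse_conf(text):
    """Return effective settings: defaults overlaid by option=value lines."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()  # a later line overrides an earlier one
    return conf

def audit(text):
    """List every recommended setting whose effective value differs."""
    conf = parse_conf(text)
    findings = [f"{k}={conf[k]} (want {v})"
                for k, v in EXPECTED.items() if conf[k].upper() != v]
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    if conf["pasv_enable"].upper() == "YES" and not (0 < lo <= hi):
        findings.append("passive port range is not restricted")
    return findings
```

On the sample, the only finding is userlist_deny: with userlist_enable=YES but userlist_deny left at its default of YES, the list file acts as a deny list rather than the allow list described above.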

2. Configure AppArmor to Constrain vsftpd

AppArmor (Application Armor) is a mandatory access control (MAC) system that limits vsftpd’s access to only necessary files and directories. First, enforce the default vsftpd profile:

sudo aa-enforce /etc/apparmor.d/usr.sbin.vsftpd

Customize the profile to restrict vsftpd’s permissions further. For example, deny access to sensitive system directories (e.g., /etc/, /root/) and limit file operations to the user’s home directory. vsftpd still has to read its own configuration file under /etc, so scope such rules so that the daemon can still start. Use aa-logprof to review the AppArmor events logged for vsftpd and refine the profile based on actual usage; this ensures the profile is neither too permissive nor too restrictive. Regularly review and update the profile to adapt to changes in the server environment.

3. Combine vsftpd and AppArmor for Defense-in-Depth

vsftpd’s built-in security features (e.g., chroot, SSL) reduce the attack surface, while AppArmor adds an additional layer of protection by enforcing strict access controls. For instance, even if a vulnerability in vsftpd allows an attacker to execute arbitrary code, AppArmor prevents them from accessing critical system files outside the user’s home directory. This layered approach significantly lowers the risk of a successful breach.

4. Additional Security Measures
