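################################################################################
# Name: secure_vsftpd.conf
# Desc: vsftpd configuration file -- secure channel template (ssl)
# NOTE: Configured for use by the Reporter 10.x appliance.
# INFO:
#   The default compiled in settings are fairly paranoid.
#   -- Please see the vsftpd.conf.5 manual page for all compiled in defaults.
#   This file is NOT an exhaustive list of vsftpd options.
#   -- Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd capabilities.
#
# FORMAT: vsftpd parses this file itself: one "option=value" per line, no
#   whitespace around the "=", and "#" only at the start of a line. A token that
#   is not a known option (e.g. a mangled "listen_port=2yslog_enable=YES") makes
#   vsftpd refuse to start, so keep each key on exactly one line. When a key is
#   repeated the last occurrence wins; each option below is therefore set once.
################################################################################
#
# daemon options
listen=YES
session_support=NO
#
# login options and access controls
anonymous_enable=NO
ftpd_banner=Welcome to the Reporter FTPS service.
local_enable=YES
pam_service_name=vsftpd
# NOTE(review): tcp_wrappers=YES only gates access through hosts.allow/hosts.deny
#   if the vsftpd binary was built with libwrap support -- verify on the appliance.
tcp_wrappers=YES
#...valid user must be in the list
#   (userlist_deny=NO makes secure_user_list an allow-list: an account that is not
#   listed is rejected before it is asked for a password, and the attempt is logged)
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd/secure_user_list
userlist_log=YES
#
# anonymous user options
# (anonymous logins are disabled above; this only names the account that would be used)
ftp_username=no_anonymous_ftp_user
#
# umask and permission modes
# (restrict to minimal access including few execution bits: owner+group only)
anon_umask=007
local_umask=007
file_open_mode=0660
# chown_upload_mode only takes effect together with chown_uploads=YES, which is
# not enabled in this file; it is kept for completeness.
chown_upload_mode=0660
#
# local user options
# NOTE(review): chmod_enable=YES lets clients issue SITE CHMOD on uploaded files.
#   A log-drop service normally has no need for it; consider setting NO.
chmod_enable=YES
# chroot_local_user=NO + chroot_list_enable=YES: ONLY the accounts listed in
# secure_chroot_list are confined to local_root; any other permitted account can
# browse the whole filesystem. Keep the two lists in step.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/secure_chroot_list
chroot_local_user=NO
# every non-anonymous login is mapped onto the local account rpt_data and, because
# virtual_use_local_privs=YES (below), runs with that account's real permissions
guest_enable=YES
guest_username=rpt_data
local_root=/data/bluecoat/accesslogs
# looser alternative (group/world readable uploads), intentionally left disabled
#local_umask=022
passwd_chroot_enable=NO
# CAUTION: vsftpd refuses a writable chroot root by default, because a user who
#   can write to the root of its own jail may be able to plant files that escape
#   or escalate. The override is needed here only because local_root doubles as
#   the upload directory. Keep secure_chroot_list minimal and do not relax the
#   umask/file_open_mode above.
allow_writeable_chroot=YES
#
# directory options
dirlist_enable=YES
dirmessage_enable=NO
# hide_ids: directory listings show "ftp" instead of real uid/gid names
hide_ids=YES
use_localtime=NO
#
# file transfer options
download_enable=YES
write_enable=YES
#
# logging options
dual_log_enable=NO
# NOTE(review): log_ftp_protocol=YES records every command/response on the
#   control channel, which is the record an incident responder wants; enable it
#   if log volume allows (vsftpd is documented to mask the PASS argument -- confirm
#   on this build before relying on it).
log_ftp_protocol=NO
syslog_enable=YES
xferlog_enable=YES
xferlog_std_format=NO
#
# other options
# partial files from aborted uploads are removed rather than left on disk
delete_failed_uploads=YES
# NOTE(review): ls_recurse_enable=YES allows "ls -R"; vsftpd.conf.5 warns this can
#   consume a lot of resources on a large tree, i.e. an authenticated client can
#   use it as a denial-of-service lever. Set NO unless a client actually needs it.
ls_recurse_enable=YES
reverse_lookup_enable=YES
virtual_use_local_privs=YES
#
# network options
# (timeouts in seconds)
accept_timeout=60
connect_from_port_20=YES
connect_timeout=60
data_connection_timeout=300
#ftp_data_port=989
idle_session_timeout=300
#listen_address=
#listen_port=990
# NOTE(review): max_clients bounds the total; there is no max_per_ip, so one
#   source can hold all 10 slots. Consider max_per_ip if more than one client
#   pushes logs to this appliance.
max_clients=10
#pasv_address=
pasv_enable=YES
#pasv_max_port=30029
#pasv_min_port=30020
# pasv_promiscuous=NO rejects a PASV data connection that does not come from the
# same address as the control connection (data-connection hijack defence)
pasv_promiscuous=NO
port_enable=YES
#
# general ssl configuration (use ONLY SSL)
ssl_enable=YES
# moot while anonymous_enable=NO; kept for completeness
allow_anon_ssl=YES
# force_*: plaintext logins and plaintext data transfers are refused (AUTH TLS required)
force_local_data_ssl=YES
force_local_logins_ssl=YES
# explicit FTPS (AUTH TLS on listen_port); implicit FTPS would be implicit_ssl=YES
# plus the commented listen_port=990 above
implicit_ssl=NO
#...additional ssl configuration
debug_ssl=NO
ssl_sslv2=NO
ssl_sslv3=NO
# NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996). They are left enabled
#   here only for older upload clients; set ssl_tlsv1=NO and ssl_tlsv1_1=NO once
#   every client that sends logs to this appliance is confirmed to negotiate
#   TLS 1.2. Whether TLS 1.3 can be offered depends on the vsftpd/OpenSSL build.
ssl_tlsv1=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
# NOTE(review): vsftpd defaults require_ssl_reuse to YES, which makes each data
#   connection prove it resumed the control connection's TLS session (same master
#   secret), so a third party cannot attach its own data connection. NO is a
#   compatibility concession for clients that cannot resume sessions; revert to
#   YES if the clients support it.
require_ssl_reuse=NO
strict_ssl_read_eof=NO
strict_ssl_write_shutdown=NO
# no anonymous DH, no NULL auth/encryption, no export grade, no DES/3DES;
# strongest suites offered first
ssl_ciphers=HIGH:!ADH:!aNULL:!eNULL:!EXP:!DES:!3DES:@STRENGTH
#...cert configuration
# client certificates are neither requested nor validated, so ca_certs_file is
# currently unused (it is only consulted with validate_cert=YES)
require_cert=NO
ssl_request_cert=NO
validate_cert=NO
ca_certs_file=/encrypted-data/bluecoat/clp/etc/pki/trust/browser-trusted.pem
# the server certificate and its private key are read from the same file, so that
# file contains the key: it must stay owned by root and readable by root only.
rsa_cert_file=/encrypted-data/bluecoat/clp/etc/pki/certs/default.p8
rsa_private_key_file=/encrypted-data/bluecoat/clp/etc/pki/certs/default.p8
#
# pasv min/max ports and actual data/command (listen) ports are appended here
# secure pasv port range
# (9000-9020 inclusive = 21 ports, one per concurrent data connection; open
#   exactly this range on the firewall in front of the appliance)
pasv_min_port=9000
pasv_max_port=9020
# command and data ports (explicit FTPS on the standard control port; active-mode
# data connections originate from port 20 because connect_from_port_20=YES)
ftp_data_port=20
listen_port=21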